Pen Testing (ethical hacking) FAQs
What is Pen Testing?
ANS: Penetration Testing, otherwise known as Ethical Hacking is a proactive test carried out on a systems, application, (a person – social engineering), networks and web applications to determine how secure the system actually is and to test the security and compliance controls that are in place to prevent data breach.
Is it really done in the same way a real hacker/attacker would do it?
ANS: Yes and No!
Yes – depending on the requirements of the company and the level of realistic downtime they are willing to accept. If the company wants to see and experience the same impact to really prove that they are vulnerable (not many companies will go for this option). Some companies are happy to provide a secondary replica of a system to be tested 100% in the manner of a real hacker to see how far and how much of a damage and information security breach they can perform. Most company will be satisfied with the list of vulnerabilities identified and develop an action.
No – because depending on the system and how critical it is for the operation of the business, some business will not allow the Penetration Tester to compromise the target. They rather the Tester demonstrate and present evidence to show that the system can be compromised if certain conditions and actions were to be taken.
Do you need permission to perform the testing?
ANS: Yes. However, most hackers don’t! Normally a due diligence process is undertaken prior to the approval for testing takes place. This can include compliance officers, Lawyers, 3rd parties and other stakeholders to ensure that all parties know what their liabilities are (if any) and what the scope and expectation of the testing output will be.
What are the pre-requisites to engage your services?
ANS:
- List of IP addresses, IP ranges that require testing and authentication credentials.
- Access to all in-scope internal VLANs and network segments from a single location, where testing can be carried out.
- Signed security test authorisation form.
What are different types of penetration testing that can be done?
ANS: Penetration Testing can be done on: Firewalls, Web application, Network infrastructure/devices, software applications, source code and the ‘human’ – Hacking the human.
Why would business want to hacking into their own systems and what are the benefits of doing this?
ANS:
- Provides assurance that security controls are in place at the network levels that are adequate with regards to addressing real world threats.
- The rapid identification and resolution of unknown threats and attack vectors.
- Our network security assessment services are designed to emulate real world attacks rather than a checklist based approach to risk.
What are the deliverables from the penetration testing?
ANS: Whether it’s a network infrastructure testing, web application testing, below are some of the typical deliverables you as a client will receive:
- Network infrastructure penetration test, including report writing and research.
- Comprehensive clear report detailing all discovered vulnerabilities, exploits and remediation steps.
- Provides assurance that security controls are in place at the application code level that are adequate with regards to addressing real world threats.
- The rapid identification and resolution of unknown threats and attack vectors.
- Application security assessment services are designed to emulate real world attacks rather than a checklist based approach to risk.
- Security Aware only use highly experienced security testers that have been performing security assessments for over ten years.
Is it legal?
ANS: Yes it is legal if it is done ethically – i.e. with the explicit permission for the owner of the target system and or asset.
What if I found a lot of vulnerabilities in my systems and I cannot fix them, would I be at risk of an attack?
ANS: Yes. You will need to work with your IT department or IT Support Company to remediate the risks associated with the vulnerabilities found. In some cases they are more than willing to help. It is important that you work with all stakeholders involved to help you mitigate your risk exposure.
How do I deal with vulnerabilities?
ANS: Depending on the type of vulnerability in question, there are various approaches and techniques you can employ to deal with these. Most vulnerabilities are derived from software configurations and unpatched systems. It is recommended that where applicable, you update/install patches to systems with the newest version of the firmware/software. Most vendors and manufactures provide releases of new patches to fix bugs and security holes in their application.
How much does it cost?
ANS: It depends on your scope and what you want to test. It could be the most critical systems, it could be your firewall, your web application, your source code or your employee. You need to decide on what is important to your business and do your risk assessment to determine if you can continue to operate if that system or asset were to be compromised by hackers and controlled by them. If your business were to be impacted significantly and seize its core functions that will result in downtime and disruption to clients, then you will need to include that in your risk assessment and priority for testing so that you can harden the system against attacks.