Pen testing: AKA ethical hacking
Your company may have the technology in place to prevent data theft, but is it enough? How do you prove it? The most accurate way to know if you’re safe from a hacker is through live penetration testing, also called pen testing, or ethical hacking.
What is penetration testing?
To beat a hacker, you have to think like a hacker. Penetration test analysts analyze network environments, identify potential vulnerabilities, and try to exploit those vulnerabilities (or coding errors) just like a hacker would. Basically, they try to break into your company’s network to find security holes.
The Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3 requires both an internal and external penetration test, so most companies regularly receive penetration tests to comply with that requirement. But penetration testing isn’t limited to the PCI DSS. Any company can request a penetration test whenever they wish to measure their business security.
The time it takes to conduct a pen test varies based on the size of a company’s network, the complexity of that network, and the individual penetration test staff members assigned. A small environment can be done in a few days, but a large environment can take several weeks.
Vulnerability scanning and penetration testing are different.Some people mistakenly believe vulnerability scanning or antivirus scans are the same as a professional penetration test. Some companies even ‘penetration testing services’ when in fact, they only offer vulnerability scanning services. As a general rule, any ‘pen test’ that is listed for less than $4,000 is probably not a real penetration test.
An external vulnerability scan is an automated, affordable, high-level test that identifies known weaknesses in network structures. Some are able to identify more than 50,000 unique external weaknesses.
Here are the two biggest differences. A vulnerability scan is automated, while a penetration test includes a live person actually digging into the complexities of your network. A vulnerability scan only identifies vulnerabilities, while a penetration tester digs deeper to identify, then attempt to exploit those vulnerabilities to gain access to secure systems or stored sensitive data.
How much does a pentest cost?
A high-quality, professional pentest costs between $15,000-$30,000–with everything below accounted for. As with any business service, cost varies quite a bit based on a set of variables.
The following are the most common variables to affect the cost of penetration testing services:
- Complexity: the size and complexity of your environment and network devices are probably the biggest factors of your penetration test quote. A more complex environment requires more labour to virtually walk through the network and exposed web applications looking for every possible vulnerability.
- Methodology: each pen tester has a different way they conduct their penetration test. Some use more expensive tools than others, which could increase the price. But more expensive tools could reduce the time of your test, and produce higher quality results.
- Experience: pen testers with more experience will be more expensive. Just remember, you get what you pay for. Beware of pen testers that offer prices that are too good to be true. They probably aren’t doing a thorough job. I suggest looking for penetration testers with credentials behind their name like CISSP, GIAC, CEH, or OSCP.
- Onsite: most penetration tests can be done offsite, however; in rare cases that involve very large/complex environments, an onsite visit could be required to adequately test your business security. Onsite visits are also required if you request a physical security or social engineering penetration test.
- Remediation: some pen testers include remediation assistance and/or retesting in their price. Others provide test results and disappear.
Even with pentest cost, there's no better way to test your security systems.
If you think that price is unreasonable, think of this: a hacker only needs one hole to get into your network and steal data. A pen tester works hard to find as many holes as possible that could allow you to be compromised. You are paying a professional team to manually look through the nooks and crannies of your business to determine what’s exploitable.
There is no better way to test the actual effectiveness of your security systems than borrowing the skills of an experienced penetration test team.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is VP of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Trek quoting skills. Live Long and prosper as you visit his other blog posts.