What is Penetration Testing and How does Computer One do it?

What is Penetration Testing and How Much does it Cost?

Penetration testing is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.

Penetration testing can be performed with automated software or conducted manually.

Although the main objective of penetration testing is to identify security weaknesses, it can be used to test your organisation’s security policy, your compliance with mandated protocols, employees’ general security awareness and the IT department’s ability to identify and respond to security incidents.

At the end of the test a comprehensive report detailing the methods of attack and the findings is presented to management in both written form and a workshop.

If detected, serious vulnerabilities are added to the organisation’s Risk Register and a Remediation Plan is proposed that addresses the risks in order of priority.

It’s important to note that under our definition, Penetration Testing does not include Red and Blue Team testing, which involves compromising employees and other systems with in-person exploit techniques. In Penetration testing we stay at arm’s length from your employees and instead concentrate only on system weaknesses, although we do include phishing attempts as part of the methodology in a manual test.

How does Computer One conduct penetration testing?

Broadly, we deliver two types of pen test: Automated, where we scan a network for known vulnerabilities and analyse how they might be chained together to execute a successful exploit, and Manual, where we take the automated scan and attempt to attack the network from inside or outside the organisation. (Outside the network simulates a motivated external party, while inside the network simulates a disgruntled employee).

Each penetration test begins with a clearly defined scope that defines the networks, systems and locations we will test, and the methods that we will use. Limiting the scope of the test helps focus attackers and defenders on the systems the organisation controls.

How often you should perform penetration testing?

Ideally, your organisation should perform penetration testing once a year. Why? Because your network attack surface changes every year, new attack methods are added to the attackers’ arsenal and new, uneducated staff are exposed to attack. Leaving it more than 12 months means some aspects of your network can be considered positively ancient by the time they are next tested.

You may also consider conducting a penetration test when:

  • Your organisation adds new network infrastructure or applications;
  • makes significant upgrades or modifications to its applications or infrastructure;
  • establishes offices in new locations; or
  • modifies end-user policies.

How much does penetration testing cost?

Each project is tailored to the organisation being tested, but as a general guide, an Automated test with comprehensive analysis of the results and a detailed list of security recommendations will cost between $5,000 and $15,000.

A Manual test where a Computer One team tries to use the information gathered about your organisation to infiltrate your network will cost between $10,000 and $20,000. This is the most comprehensive test you can undergo apart from the real thing as our team will think and act like attackers on your network, without doing any damage, of course.

Penetration test strategies

Here is a list of the penetration test strategies used by Computer One:

  • Targeted testing is performed by your IT team and our penetration testing team working in partnership. It’s also referred-to as the “lights turned on” approach because everyone has visibility into the testing carried out.
  • External testing targets your externally visible servers or devices including domain name servers, email servers, web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they’ve gained access. We perform this kind of test either with system knowledge supplied by your IT team or blind where our team is given only the name of your company and no prior knowledge. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.
  • Internal testing mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.
  • Double-blind testing takes the blind test and extends it inside the organisation. In this type of pen test, only one or two people within your organisation might be aware a test is being conducted. Double-blind tests can be useful for testing a company’s security monitoring and response procedures but must be carefully controlled so that the test doesn’t get out of hand!

Using these different strategies places emphasis on separate parts of the security apparatus.

Why is it important?

If you have never had a penetration test before, then the fact is that you are flying somewhat blind, unaware of the potential holes in your network that could let an attacker steal secrets or compromise assets. Even just the reputational damage caused by having to issue a breach notice to your staff or clients can far outweigh the cost of the test process and potential remediation activity.

If you have had a test in the past then subsequent tests act as a kind of insurance policy, ensuring no new gaps have been detected while existing gaps have been closed off. Each new test extends the sense of confidence that you can have in the security of your information.

What security holes might a test uncover in your network?

Call us on 1300 667 871 or fill in the form on this page to talk about penetration testing for your organisation.