Q1: What is a penetration test?
A: A penetration test is a simulated real-world attack conducted by experienced, qualified and certified engineers who use manual exploitation in addition to automated and directed tools. Its quality is largely determined by the experience and certifications of the engineer performing it, because penetration testing is an art as much as a procedure. Quality testers such as those at WebCheck know intuitively where to poke, prod and “peel the onion layers” to find vulnerabilities.
Q2: What is the difference between a penetration test and a vulnerability scan?
A: The simplest answer is that vulnerability scans are automated, while penetration tests are guided by expertise and involve a great deal of manual testing. This is especially true of web applications, where the tester typically authenticates into the application and exercises multiple roles to find data leaks and permissioning errors. Think of a scan as a wrench in a master mechanic’s toolkit: it’s just a tool. A vulnerability scan is a good and necessary tool, and sometimes all you need for now, but it is only one component of a full penetration test. Vulnerability scans also commonly generate false positives, failing results that are not a true concern; a full penetration test validates each scan finding, confirming the real ones and discarding the false positives. As indicated above, a full penetration test also draws on the engineer’s manual exploitation knowledge and techniques. Anyone can run a vulnerability scan; certified engineers perform penetration tests.
Q3: What is the difference between a web application test and a penetration test?
A: A web application test is a type of penetration test that focuses on a specific application, deployed on the Internet or internally, and that typically requires considerable expertise to find injection flaws and code deployment errors of all kinds. Vulnerability scans can sometimes find first-layer errors of this nature, but only an authenticated penetration test lets the tester “peel the onion” and find every layer of concern within the application that should be fixed. Web application testing is as much an art as a skill, and skilled engineers (such as those employed by WebCheck) have found ways to download databases, break out of a permission role to access data that role should not see, and other very serious issues. Note: they do not actually exfiltrate data or “break” things; they exploit these attack vectors to a reasonable point and document them professionally so that the client can remediate.
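The multi-role, authenticated testing described in Q2 and Q3 can be made systematic. The following is an added example, not WebCheck's code or tooling: it replays every in-scope URL under every test session and compares the outcome with the access rules agreed with the client beforehand, flagging horizontal escalation (reading another user's data) and vertical escalation (reaching a function reserved for a higher role). The target application, its accounts (alice, bob, carol), invoice IDs and endpoints are all constructed stand-ins, with two deliberate authorization bugs built in so the check has something to report.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Response:
    status: int
    body: str = ""


# ---------------------------------------------------------------------------
# Constructed target: a stand-in for the application under test, not real
# product code. Two deliberate bugs are built in so the matrix below has
# something to find: /invoices/<id> never checks ownership (an IDOR) and
# /admin/export never checks the caller's role.
# ---------------------------------------------------------------------------
_APP_USERS = {"alice": "user", "bob": "user", "carol": "admin"}
_APP_INVOICES = {101: ("alice", "EUR 1200"), 102: ("bob", "EUR 350"), 103: ("alice", "EUR 80")}


def target_app(path: str, session: Optional[str]) -> Response:
    """Mimics the HTTP response the app would give for `path` under `session`."""
    if session is None:
        return Response(401)
    role = _APP_USERS[session]
    if path == "/me":
        return Response(200, f"{session}:{role}")
    if path == "/admin/users":
        return Response(200, ",".join(_APP_USERS)) if role == "admin" else Response(403)
    if path == "/admin/export":
        return Response(200, "id,owner,amount\n...")  # BUG: no role check at all
    if path.startswith("/invoices/"):
        try:
            inv_id = int(path[len("/invoices/"):])
        except ValueError:
            return Response(404)
        if inv_id not in _APP_INVOICES:
            return Response(404)
        owner, amount = _APP_INVOICES[inv_id]
        return Response(200, f"invoice {inv_id} owner={owner} amount={amount}")  # BUG: no owner check
    return Response(404)


# ---------------------------------------------------------------------------
# Tester side. ROLES and INVOICE_OWNERS are the tester's own record of the test
# accounts issued by the client and the test data each account created; that
# record is what lets the tester say, for every (session, path) pair, whether
# the request *should* succeed. Both tables are constructed for this example.
# ---------------------------------------------------------------------------
ROLES: Dict[str, str] = {"alice": "user", "bob": "user", "carol": "admin"}
INVOICE_OWNERS: Dict[int, str] = {101: "alice", 102: "bob", 103: "alice"}
SESSIONS: Sequence[Optional[str]] = (None, "alice", "bob", "carol")  # None = unauthenticated
PATHS = ("/me", "/admin/users", "/admin/export",
         "/invoices/101", "/invoices/102", "/invoices/103", "/invoices/999")

Policy = Callable[[Optional[str], str], bool]


def expected_allowed(session: Optional[str], path: str) -> bool:
    """Agreed access rules: /admin/* is admin-only, an invoice is visible to its
    owner and to admins, /me to any logged-in user, and nothing to anonymous."""
    if session is None:
        return False
    role = ROLES[session]
    if path == "/me":
        return True
    if path.startswith("/admin/"):
        return role == "admin"
    if path.startswith("/invoices/"):
        owner = INVOICE_OWNERS.get(int(path[len("/invoices/"):]))
        return owner is not None and (owner == session or role == "admin")
    return False


def _classify(session: str, path: str, sessions: Sequence[Optional[str]], policy: Policy) -> str:
    """Horizontal if a peer with the same role is legitimately allowed here, else vertical."""
    peers = [s for s in sessions if s not in (None, session) and ROLES[s] == ROLES[session]]
    if any(policy(p, path) for p in peers):
        return "horizontal (IDOR: another user's data)"
    return "vertical (function reserved for a higher role)"


def run_access_matrix(app, sessions: Sequence[Optional[str]], paths: Sequence[str], policy: Policy) -> List[dict]:
    """Replay every path with every session and compare the outcome with the policy."""
    findings: List[dict] = []
    for path in paths:
        for session in sessions:
            resp = app(path, session)
            allowed = policy(session, path)
            if resp.status == 200 and not allowed:
                kind = "unauthenticated access" if session is None else _classify(session, path, sessions, policy)
                findings.append({"path": path, "session": session, "status": resp.status,
                                 "kind": kind, "evidence": resp.body[:60]})
            elif resp.status != 200 and allowed:
                # Not a security issue, but the client wants to know: either a role cannot
                # reach something it should, or the tester's policy is wrong and needs review.
                findings.append({"path": path, "session": session, "status": resp.status,
                                 "kind": "functional (legitimate access blocked)", "evidence": ""})
    return findings


if __name__ == "__main__":
    for f in run_access_matrix(target_app, SESSIONS, PATHS, expected_allowed):
        print(f"{f['kind']:48} {str(f['session']):6} {f['path']:15} HTTP {f['status']}  {f['evidence']}")
```

On a real engagement `target_app` is replaced by a function that issues the HTTP request with the given session's cookie or token, and `expected_allowed` is written from the client's role definitions before testing starts, so every 200 that the policy says should have been a 403 is a documented, reproducible finding rather than a hunch. Note that the matrix is only as good as the URL list fed into it: the paths must come from crawling the application as each role, including IDs observed while logged in as one user and replayed as another.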
Q4: If I pass my web app or infrastructure penetration test, am I safe or can I still be hacked?
A: Anything can be hacked and there are no guarantees. For that reason WebCheck has partnered with Hatch Insurance, the finest cyber insurer in the US, which offers quality cyber policies at discounted rates to organizations that engage in penetration testing (Contact Hatch Insurance). However, the difference between organizations that have third-party tests performed regularly and those that don’t comes down to low-hanging fruit. A hacker running vulnerability scans across banks of IP addresses in a business area will most likely first target the hosts with easy vulnerabilities rather than those that would take weeks or months of reconnaissance and research. Most of the embarrassing data leaks of the past decade were due to server misconfigurations, outdated and vulnerable software and operating systems, or SQL injection and other code errors, all of which proper penetration testing discovers.
Q5: What if the penetration tester finds serious problems during testing?
A: The deliverable from a WebCheck penetration test is a comprehensive, professional report documenting every finding with recommendations for remediation. However, when the engineer discovers a serious vulnerability, the client is notified immediately so that remediation can begin. We don’t want anyone driving with the car door open or the seatbelt undone, so prompt client communication is a key component of a quality penetration test.
Q6: What is the difference between internal and external penetration testing?
A: External testing focuses only on the IP addresses and/or URLs that are public facing and visible from the Internet. This might include websites, firewalls, load balancers, and every service that has a public IP address and is exposed through it. Internal testing is conducted “behind the firewall”, either physically on site or virtually through a dedicated testing appliance or a VPN connection. This lets the tester check vulnerabilities and configurations that might not be visible from the outside. Internal testing is also important for keeping employees from accessing data they are not intended to see, for limiting the damage an internal bad actor can do, and for hardening the environment so that, should a bad actor get through the perimeter defenses, navigating the network and reaching data would not be easy.