Vulnerability Scan vs. Pen Test – What’s the Difference?

The term “penetration test” has been getting some attention lately. I’ve been hearing that auditors, not necessarily state or NCUA examiners, are asking for pen test results. “Pen test” is one of the most overused, and as a result most misunderstood, terms in the information security industry. People say “pen test” as casually as they might say “Windex”. Those outside information security can be led to believe that an assessment is a penetration test when it is not. Often these are the managers or executives who make information security decisions, and making those decisions on incorrect information is itself a significant risk. If your information security vendor claims to have performed a pen test and delivers only scan results, they have misled you, intentionally or not. My hope is that it is the latter. So, what is the difference between a vulnerability scan and a penetration test?

A vulnerability scan identifies vulnerabilities that may be exploitable to gain system access. Its findings are drawn from publicly known vulnerabilities catalogued under the CVE (Common Vulnerabilities and Exposures) standard, typically by matching the software versions, banners and configurations the scanner observes against that catalogue. Automated scanning tools do the work, sometimes followed by manual verification of the findings to weed out false positives (a version string that looks vulnerable but has had the fix backported is a common one). The deliverable is a list of scan results and nothing more: no finding has actually been exploited. Penetration testing takes the vulnerability scan much further by subjecting information systems to real-world attacks. A penetration test attempts to actually exploit the vulnerabilities found to gain system access, and to use that access to reach further into the environment. During this process the tester may also uncover zero-day vulnerabilities, meaning those that are not publicly known and are therefore invisible to a scanner. Exploiting a zero-day requires the tester to develop the exploit. A penetration test is methodologically intensive, requires more time, and by its nature may expand in scope depending on what is found, which is why the rules of engagement should state in advance how far the tester is permitted to go.
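To make the distinction concrete, here is an added Python example (not code from the original post, and not any scanner's real implementation). It does what a vulnerability scan actually does: parse observed service versions out of a constructed, minimal Nmap-style XML fragment and match them against a table of CVE-affected version ranges. The one table entry is real public data (CVE-2014-0160, Heartbleed, OpenSSL 1.0.1 through 1.0.1f); the hosts, ports and the outcome of the "exploit attempt" are constructed for the example. The `verify` step stands in for the part of a penetration test that a scan never performs, and shows why a scan's "unverified" finding can turn out to be a false positive when the fix was backported without a version bump.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: a minimal Nmap-style XML fragment (subset of the real schema).
SAMPLE_SCAN_XML = """<nmaprun>
  <host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="443"><state state="open"/>
      <service name="https" product="OpenSSL" version="1.0.1e"/></port></ports></host>
  <host><address addr="10.0.0.6" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="443"><state state="open"/>
      <service name="https" product="OpenSSL" version="1.0.1g"/></port></ports></host>
  <host><address addr="10.0.0.7" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/>
      <service name="ssh" product="OpenSSH" version="7.4"/></port></ports></host>
  <host><address addr="10.0.0.8" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="8443"><state state="open"/>
      <service name="https" product="OpenSSL" version="1.0.1c"/></port></ports></host>
</nmaprun>"""

# Public CVE data: CVE-2014-0160 (Heartbleed) affects OpenSSL 1.0.1 through 1.0.1f.
# Rows are (product, CVE, first affected version, last affected version).
KNOWN_VULNS = [
    ("openssl", "CVE-2014-0160", "1.0.1", "1.0.1f"),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z]*)$")


def parse_version(text):
    """Turn '1.0.1e' into a comparable tuple (1, 0, 1, 'e'); '7.4' becomes (7, 4, 0, '')."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0), m[4])


@dataclass
class Finding:
    host: str
    port: int
    product: str
    version: str
    cve: str
    status: str = "unverified"   # a scanner never moves a finding past this state


def scan_findings(xml_text):
    """What a vulnerability scan is: observed versions matched against CVE version ranges."""
    findings = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            svc = port.find("service")
            if svc is None or svc.get("version") is None:
                continue
            product = svc.get("product", "").lower()
            version = parse_version(svc.get("version"))
            for vuln_product, cve, first, last in KNOWN_VULNS:
                if product == vuln_product and parse_version(first) <= version <= parse_version(last):
                    findings.append(Finding(addr, int(port.get("portid")), product, svc.get("version"), cve))
    return findings


def verify(findings, probe):
    """The penetration-test step a scan stops short of: actually attempt each weakness.
    `probe(host, port, cve)` must return True if the exploit succeeded, False if it failed."""
    for f in findings:
        f.status = "exploitable" if probe(f.host, f.port, f.cve) else "false positive"
    return findings


# Constructed outcome of a real exploit attempt, standing in for network access here.
# 10.0.0.5 runs a distribution build that backported the fix but kept the 1.0.1e
# version string, the classic reason a version-matching scan flags a hole that is not there.
SAMPLE_PROBE_RESULTS = {
    ("10.0.0.5", 443, "CVE-2014-0160"): False,
    ("10.0.0.8", 8443, "CVE-2014-0160"): True,
}


def sample_probe(host, port, cve):
    return SAMPLE_PROBE_RESULTS[(host, port, cve)]


if __name__ == "__main__":
    results = scan_findings(SAMPLE_SCAN_XML)
    print("scan deliverable:", [(f.host, f.cve, f.status) for f in results])
    verify(results, sample_probe)
    print("after testing:  ", [(f.host, f.cve, f.status) for f in results])
```

The scan output flags both 10.0.0.5 and 10.0.0.8 on nothing more than a version string. Only the verification step separates the genuinely exploitable host from the patched one, and that step is where the cost, skill and time of a penetration test go.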

Penetration testing can be done as a black-box, white-box or grey-box assessment. In a black-box assessment the client provides no information about the network and the tester discovers devices and IP addresses on their own. In a white-box assessment the client shares everything about the network with the tester: address ranges, system inventories, architecture details and often credentials. A grey-box assessment is a hybrid in which the client provides partial details. In every case it is wise for the client to identify any IP addresses to exclude from testing. These are usually sensitive systems that are susceptible to disruption or damage during penetration testing, and the exclusion list should be written into the rules of engagement before testing starts. Penetration tests are usually defined with a set time period. In grey-box and black-box assessments, discovering system information consumes part of that time and leaves less for actual exploitation.
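As an added example (not part of the original post, and not any vendor's tooling), the following Python shows the scope check a tester should run before touching a target: an authorised list, an exclusion list that always wins, and the list of addresses a black-box tester would have to sweep just to find live hosts, which is the discovery time the paragraph refers to. The address ranges are documentation ranges (TEST-NET-2 and TEST-NET-3) and the rules of engagement are constructed for the example.

```python
import ipaddress

# Constructed rules of engagement for this example (documentation address ranges).
IN_SCOPE = ["203.0.113.0/24", "198.51.100.10"]      # what the client authorised
EXCLUDED = ["203.0.113.7", "203.0.113.250/31"]      # e.g. a fragile legacy gateway and a management pair


class ScopePolicy:
    """Decides whether a target may be touched. Exclusions always beat inclusions."""

    def __init__(self, in_scope, excluded):
        self.in_scope = [ipaddress.ip_network(n, strict=False) for n in in_scope]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in excluded]

    def allows(self, target):
        ip = ipaddress.ip_address(target)           # raises ValueError on junk input
        if any(ip in net for net in self.excluded):
            return False
        return any(ip in net for net in self.in_scope)

    def filter_targets(self, targets):
        """Drop anything outside scope before a single packet is sent."""
        return sorted({t for t in targets if self.allows(t)}, key=ipaddress.ip_address)

    def discovery_candidates(self):
        """Black-box view: every address the tester would have to sweep to find live hosts.
        In a white-box engagement the client hands over the host list and this sweep is skipped."""
        candidates = []
        for net in self.in_scope:
            addrs = iter(net) if net.num_addresses <= 2 else net.hosts()
            candidates.extend(str(ip) for ip in addrs if self.allows(str(ip)))
        return candidates


if __name__ == "__main__":
    policy = ScopePolicy(IN_SCOPE, EXCLUDED)
    requested = ["203.0.113.7", "203.0.113.8", "203.0.113.251", "198.51.100.10", "198.51.100.11"]
    print("allowed targets:", policy.filter_targets(requested))
    print("black-box sweep size:", len(policy.discovery_candidates()))
```

With these rules the /24 alone leaves 251 addresses to sweep before any exploitation begins; a white-box client would instead hand over the handful of hosts that actually exist, and the whole time budget would go to testing them.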

A big red flag is the quoted price for the penetration test. If it seems unusually attractive, more likely than not the vendor is only running a scan. This is the idiom “too good to be true” in action and is cause to take a closer look at the services proposed. Ask for the methodology, the proposed rules of engagement and a sample report: a scan report lists CVEs by host, while a penetration test report describes what was exploited, how, and what access it led to.

Ultimately, penetration testing is a useful facet of a multi-layered approach to information security and should not be relied upon as the only indicator of security.