Pratum Blog

A thorough penetration testing campaign involves social engineering, vulnerability scanning, and the manual hacking of computer systems, networks, and web applications. This overview shows how a professional team uses multiple types of penetration testing to exploit a variety of attack vectors, just as a real hacker would.

Social Engineering: Hacking Humans

  • Phishing
    Penetration testers craft emails that seem to be from a trusted source and invite recipients to either supply their login credentials or click on a malicious link or attachment.
  • Pretexting
    Penetration testers call targeted people and ask for sensitive information such as login credentials or fool the user into performing a malicious action. Callers frequently impersonate a Call Center rep or a fellow employee from another division.
  • Facility Access
    Old-fashioned physical intrusion still plays a role. Penetration testers may slide through an open door in a group of employees. Or they may look for vulnerable entrances such as loading docks, maintenance entrances or designated smoking areas. Testers sometimes pose as maintenance workers and talk their way into sensitive parts of the facility.
  • Dumpster Diving
    Just like real hackers, testers know they often can find sensitive information in the trash. This might include credit card receipts, travel information, network diagrams, device inventories with IP addresses, contact lists, and more.

Vulnerability Scanning: Discovering Weaknesses

Automated tools seek known security vulnerabilities in your systems such as unpatched software or open ports. The scans reveal risks that may directly impact your organization and point penetration testers to areas they can try to exploit.

Penetration Testing: Manually Exploiting Vulnerabilities

  • Network & Infrastructure
    Infrastructure penetration testing identifies security weaknesses within your network. Testers look for flaws such as outdated software, missing patches, improper security configurations, weak communication algorithms, command injection, etc. Infrastructure penetration tests often include testing of firewalls, switches, virtual and physical servers, and workstations.
  • Wireless Penetration Testing
    Hackers can leverage wireless capabilities to infiltrate an organization’s secured environment, even if some access and physical security controls are in place. Pen testers map access points in the wireless landscape and gain access to the wireless network. Then they attempt to exploit weaknesses in the network to gain access to privileged areas and demonstrate the potential impact of a wireless network breach.
  • Web Applications
    Web applications often process and/or store sensitive information including credit card data, personally identifiable information (PII), and proprietary data. And web apps are frequently vulnerable due to their complexity and rapid development cycles. That’s why about 40% of all breaches involve web apps. And that’s why a well-rounded pen test includes any web apps the company uses.

Red Teaming: Emulating Advanced Threats

Here, penetration testers take a more adversarial approach as they go after specific targets. This type of advanced, focused test emulates Tactics, Techniques and Procedures (TTPs) of mature threat actors. The Red Team attempts to remain invisible to the systems’ defenders (known as the Blue Team).

To learn more about Pratum's penetration testing services, contact us today.


SOC 2® reports are probably coming up in a lot of conversations among your industry peers and key partners. But do you need to get a SOC 2® report? The process represents a significant investment of both money and time (about 18 months to complete a typical SOC 2® Type II reporting process). As you weigh whether the investment is worth it for your business today and in the future, consider these factors. (And if you need a summary of how SOC 2® works, jump to the bottom of this post.)

Why You May Need a SOC 2® Report

  • Retain/create opportunities with larger clients – Many big companies have strengthened their cybersecurity programs by dramatically tightening requirements for their third-party vendors. If you can’t produce proof that you have a mature security program, you may lose deals or never even get invited to bid. We’ve heard many stories about companies that caught their big break with a large client because they had a SOC 2® report ready to go while their competitors scrambled to satisfy the customer’s requests. That’s why many firms have recognized that SOC 2® gives them a competitive advantage.
  • Efficiently answer clients’ security questions – Many organizations have found themselves overwhelmed with constant security questionnaires from clients and partners doing their due diligence on the companies they rely upon. In many cases, you can avoid wading through dozens of custom client questions by giving them a copy of your SOC 2® report. After a few of those situations, the SOC 2® process pays for itself in terms of time savings for your staff.
  • Improve your overall security – Don’t overlook the core purpose of the SOC 2® process: improving how you handle data security. During the prep process, you’ll surely clean up a lot of your controls and processes—and probably find some surprises in the way your team is doing things. During the process, you may be notified of additional ways you can make improvements. All of those improvements mean you should experience fewer business interruptions and costs from data breaches. Again, the SOC 2® process will probably pay for itself by helping you avoid costly incidents.
  • Accelerate your progress on compliance requirements – SOC 2®’s requirements overlap with standards and frameworks such as HIPAA and ISO 27001. That means going through the SOC 2® process will also help you take big steps toward meeting other compliance requirements you may have.
  • Increase operational efficiency – During the process, you’ll uncover areas where you can improve things like how you share information, how you process change requests, etc. So while a SOC 2® report focuses on security, pursuing it will help tune your overall operations.
  • Secure better cybersecurity insurance rates – Insurance rates have skyrocketed in the last year as insurance companies try to get a handle on all the ransomware claims they’ve been paying out. To get the best available premiums, you’ll have to demonstrate the maturity of your program. A SOC 2® report can help make that case.

SOC 2® Defined

Companies use the widely accepted SOC 2® compliance model to confirm that their vendors/partners handle information securely. Rather than simply trusting vendors who declare themselves secure, companies can demand a SOC 2® report as third-party proof of the vendor’s security. In a SOC 2® audit, a firm recognized by the American Institute of CPAs (AICPA) reviews a company’s controls over a specific period of time and issues an opinion on its compliance with the standard.

Companies can seek either SOC 2® Type I or Type II. Type I examines the design of controls at a specific point in time. Type II evaluates the operating effectiveness of those controls over a period of time. While a Type I report can be completed fairly quickly, a Type II audit can take up to 18 months, including the readiness and audit periods. Retaining SOC 2® validation requires repeating the audit on a regular basis (usually annually).

Pratum consultants help numerous companies each year determine whether they would benefit from a SOC 2® report and then prepare for the SOC 2® process if they move forward. To learn more about how Pratum can help simplify the journey for you, contact us today.

Cybersecurity in 60 Webinar: How to Get the Most Out of a Penetration Test Highlights

Performing regular penetration tests is an easy decision. They represent a key piece of your overall security strategy. But getting the most from your next penetration test can be more challenging as you sort through multiple questions. How do you choose the best penetration test vendor? How do you decide what to test? Why do quotes from different vendors vary so much?

All these key topics came up during Pratum’s latest Cybersecurity in 60 webinar. Pratum Senior Penetration Tester Jason Moulder and Troy University CTO Greg Price shared insights from the perspectives of a tester and a client on how to make the most of a penetration test. Here are the highlights of their conversation. To view the entire webinar, click here.

Greg Price
CTO, Troy University
Jason Moulder
Senior Penetration Tester, Pratum

Q:

What should everyone know before they start a penetration test?

Jason:

First, make sure that you’re getting an actual penetration test and not just a vulnerability scan. (This infographic shows all the elements that go into a full penetration test.)

Second, do your homework on the penetration testing company you’re thinking of using. What kind of credentials do the actual testers have? How many years of experience do they have? What are people saying about them online? You should look for a long-term partnership, not just one-and-done things.

Greg:

It seems like someone calls me every day who is hanging out their shingle as a cybersecurity expert. I’m always dubious of those claims, especially if the organization appears overnight. So the maturity of the organization we’re going to work with is of enormous interest for me.


Q:

So what’s the difference between a vuln scan and a penetration test?

Greg:

A penetration test is predicated on a vuln scan. Any penetration testing professional has to know the lay of the landscape, which is where a vuln scan comes into play by knocking on the door, running various scans to see what’s forward facing for the Internet to take a peek at it.

The penetration test provides me greater insight into those vulnerabilities. It shows where gaps are not only from a technical perspective, but from a policy perspective. It provides a practical application of how my team is working, what’s going on with our resources.

Jason:

Keep in mind that a vuln scan is only programmed to find things that are known. (Click here for a full comparison of penetration tests and vuln scans.)


Q:

How do you set effective rules of engagement for the test?

Greg:

You can get stealthy with a penetration test or get loud and bang on the doors and hope somebody’s paying attention. If the rules are not laid out clearly, those doing the work can get too noisy and too rough and disrupt the environment, and that can be an absolute disaster.

We’ve used groups in the past that completely ignored the rules of engagement. If they found something, they would take it all the way down. That’s an awful experience for an organization of any size, but especially for us with a global operation and students engaged in various educational opportunities.

Jason:

That’s also an issue when it comes to automated tests like vuln scans. If the team isn’t coordinating with the client and saying what they’re going to be doing at a certain time, you can mess up all kinds of things such as rewriting databases, deleting things, and creating other unintended types of consequences.

Greg:

I don’t want a penetration test to turn into a test of my disaster recovery (DR) plan.


Q:

How do you set the proper scope for a penetration test?

Jason:

We identify components that would seriously affect you and everybody connected to you if they got compromised. I try to work with clients to keep the cost manageable while giving you what you actually need. We’ll guide you on what we see with other clients in the same industry, threat intelligence we’re getting and other things.

Greg:

As the customer, I should have some idea of where my weaknesses are, what I want to build on, where I want to strengthen the environment. If you’re not focused and looking at what’s vital to your organization, you could waste a lot of money just wandering around the edges and poking at things that are trivial. Also, be sure that you know how cloud and third-party components are managed before starting a penetration test.

So when you walk into a penetration test scoping call, you have to know what’s of great value and what needs to be protected from a corporate strategy perspective, a regulatory need, or a compliance need.

Take a good look at your DR plan. What are you looking at reconstituting if you have an enormous failure of your primary data operations? That’s probably the template for what you want to put in front of someone to do a penetration test against.


Q:

How often should you do a penetration test?

Jason:

If you have some underlying regulation that says you have to do at least two penetration tests a year, then you can’t really bypass that. But on average, if you don’t have anything really pushing you to do this more often, you should do a full penetration test at least once a year on your entire environment: external, internal, wireless.

Greg:

If you have experienced some massive shift in the infrastructure, introduced some product, exchanged some hardware, or done something else sizable, then it’s time to have someone come in and go after it and make sure it’s living up to expectations from a security perspective.


Q:

Should you tell your IT team when a penetration test is going on?

Greg:

I don’t tell anybody within my organization. I want it to be a test of our controls and tools, but I also want to see that the team reacts appropriately and that the various mechanisms we have in place for mitigation and triage are also functioning.

Jason:

I would rather see a team doing what they’re supposed to be doing. If it gets up to the CTO’s level, he can stop it there rather than going into the IR plan. We may purposefully fire off some real heavy stuff to see if we get shut down.


Q:

What’s your advice for organizations early in their security journey who might be choosing between things like a penetration test and risk assessment?

Jason:

First, make sure you’ve prepared by getting controls in place, mitigating vulnerabilities and patching software before you do a penetration test. Then you can engage a vendor to come in and do an audit or a risk assessment. When you get that report on paper, then the penetration test is there to quantify that.

Greg:

You don’t want to roll right out of the gate with having just turned on some new things and hired a couple of folks to work security and then bring in a penetration test group to examine what’s going on. That’s not going to be a good engagement for anybody. Use the penetration test as an opportunity for improvement. For me, it’s definitely a verification and validating tool.


Q:

The final report from a penetration test can be overwhelming. How do you react to findings and not take it defensively?

Jason:

We’re not trying to say you’re doing a bad job. We’re showing where you need to invest in training or shore things up. We hope that part of our result is to create a driving factor that shows your boss you need to reinvest into your overall scheme and hone the team’s skills a little more.

Greg:

I like to use the final report as a team-building exercise. We focus on the end goal of being better after we complete the exercise. If we got a report that proclaimed that we had absolutely nothing going on and everything was perfect, I would be skeptical.

Jason:

Some of the low-risk or informational findings could be the segue into a bigger finding when you chain that stuff together, and we identify that during the engagement.

Greg:

That shows the importance of people who have experience and actual experts to conduct these tests. Without that knowledge of the penetration tester to assemble those things, you may think it’s no big deal. But when it’s brought into context by people who have a lot of experience, that’s where the value really comes out in these types of examinations.


Q:

Prices on penetration tests diverge widely. What are key things to look at when comparing quotes?

Greg:

I typically look at the penetration testing team’s experience and their approach. We also review whether the tools they use are in-house, open source, or commercial.

Jason:

Take a hard look at why a lower price is lower. Sometimes we come in a lot lower than competitors because we cut out a bunch of stuff that you said you wanted but that doesn’t make sense for your objective. We want to focus in on your overall objectives and goals and why you need this penetration test to begin with. We don’t have to test everything in the environment. It’s not cost-effective.


To talk with Pratum’s team about how you can get the most value from your next penetration test, contact us today.
