An IT administrator recently vented his frustration about having to conduct a penetration test.
He wanted an in-depth assessment of his system to make sure his network was operating with a low risk profile, while still keeping all the required services available to his users.
His firm has cloud services, several sensitive databases, internal and external networks, not to mention multiple operating systems (the designers “demanded” Apple products).
The idea was to contact a few reputable penetration experts and see what they recommended.
“I contacted three firms, and each came back with different propositions. One of them thought a penetration test was just running a few auto scans that spit out an auto report. I’m guessing I’m the one who will have to sort through the findings? And then they guaranteed it would be a cheaper option.”
“I told them that I don’t want cheap. I want an expert to help me reduce my attack surface!”
There has certainly been a marked rise in the demand for penetration testing over the last decade. That is perhaps not surprising, considering the many regulatory bodies and cybersecurity experts recommending (and sometimes requiring) regularly performed penetration tests on systems.
With demand up, new service providers are entering the market, and while they all use the same terminology, the quality and price of their services vary wildly.
If you are interested in assessing or reducing your attack surface, penetration tests are certainly an important component of your IT security policy.
Here is some key information to assist you in your search for a penetration test that is right for you.
Vulnerability scans and penetration tests are different, though the terms are used interchangeably by some newcomers.
A vulnerability scan is a largely automated process that scans your systems for thousands of vulnerabilities that may be weakening your defenses. You get a list of the vulnerabilities that were found on the system, and some scanning solutions will also provide remediation steps.
A penetration test may use vulnerability scans as part of its toolkit, but it also includes trained experts whose job it is to try to gain unauthorized access to your network, beelining to the sensitive data or files by bypassing existing security defenses. The idea is to mimic an attack agent, so that defenses can be properly hardened if found to be exploitable in a real scenario.
Some penetration tests may also use social engineering tactics to obtain login details from employees, use the corporate Wi-Fi to reach accounts they are not authorized for, and take advantage of vulnerabilities lurking on the system.
White hat testing is where the penetration testers are given a lot of information about the environment they will be testing. This allows tests to be tailored to specific problem areas. It often allows for less disruptive remediation because the testers have a clear understanding of the business objectives, policies, services, and processes. Although the testers must spend time getting familiar with the systems, the testing itself can be more efficient.
Black hat testing is where little to no background information is provided to the penetration testing team. They act as true attack agents targeting a system and start off effectively blind. The task is to find a route into unauthorized and/or sensitive locations on the system.
Proper black hat testing is difficult to budget ahead of time unless you set a time limit on the testing, with the understanding that the testers might not discover weaknesses within the allocated time frame. While no resources are spent getting to know your system before the testing, the tests take longer, because the testers are learning about the environment as they test.
Grey hat testing sits between the two. Here, testers are provided with some, but not all, information prior to testing.
Penetration testing as a commodity -- a one-size-fits-all concept -- is ridiculous. It is the same as saying we will secure your estate for a flat fee, no matter the size, location, the number of properties, or number of entry points.
Here are the main areas that will impact the cost:
We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.
Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.
Kevin can be reached at [email protected] or +1 843 890 8596.