Why choose us for
We believe that we exist to secure the connected and grant the opportunity of a better online life. Penetration testing helps you achieve that.
We demonstrate this in the way we conduct our Penetration Testing. Just running a bunch of scripts from a Kali installed laptop is not pentesting. We us experience, skill, research and human intuition to provide the best penetration testing on the market.
What is Penetration Testing
Penetration Testing is also known as pen testing or ethical hacking. It is the systematic process of discovering security weaknesses within people, process and technology.
During a penetration test, the attackers, played by the penetration testers, act on your behalf to find and test security weaknesses. The weaknesses criminals or people with malicious intent could exploit. We do this following a methodology. The best way to think of a methodology is to think of it as a recipe book, and it is the guide that is at the centre of everything we do on penetration tests. Our methodology is based on the Penetration Testing Execution Standard, and this is supplemented for Web Applications with the OWASP testing Guidelines v4. There are seven steps to any penetration test in our methodology:
Pre-Engagement: This is one of the most critical steps in ensuring success in your penetration test. The Pre-Engagement is where we work together to define the scope, and the goal of the test rigorously. We do this through a scoping call, and you can book these online at a time and date convenient to you.
Intelligence Gathering: During the intelligence gather phase, we will review any documents or information you have provided us. We will then scour the internet, and to an extent, the dark webs, to identify any further information or data that could be beneficial to your test. The typical documentation we are looking for includes system architecture, data flow, infrastructure, concepts, password hashes, names, identities etc.
Reconnaissance: The reconnaissance phase builds on the Intelligence Gathering stage through the use of active, in-depth technical review of the scoped environment. We will delve into each of the systems/applications in scope to identify the component structure.
Vulnerability Analysis: This part of the penetration test is one of the most time-consuming. Vulnerability Analysis starts with a series of reviews of the scoped environment using vulnerability scanning tools. These identify known vulnerabilities. Every one of these is then manually reviewed and validated. Once the automated scans are complete and the vulnerabilities confirmed, the tester then moves on to attempting to find unknown vulnerabilities manually. With Web Application testing, the bulk of the time is spent in manual vulnerability analysis.
Exploitation: The exploitation phase is where we take all the vulnerabilities we have identified and use them to try and reach the goal set out in the Pre-Engagement step. We review each of the vulnerabilities, identify any exploits available for use and perform exploitation in a safe and controlled manner. In Web Application testing this might lead us to bypass authentication controls or hop to other user accounts. In Infrastructure testing, this might result in the tester being able to sniff passwords on the network or gain access to a server. The goal of exploitation is to work towards achieving the objectives of the test incrementally. Once a successful, the process restarts at Intelligence Gathering within the context of the exploited system or application.
Post Exploitation: During the post-exploitation aspect of the testing, the tester will be analysing all of the gathered data and the results of individual tests. The analysis includes categorising the detected vulnerabilities and prioritising them per the business and technical context. It is during this step that further testing needs are identified, and the tester will loop back and test or retest specific areas so that complete scope coverage is assured.
Conclusion and Summary: The very last stage of the penetration test is the summarisation of the testing and the drawing of a conclusion.
At the end of every engagement is a test report. The report details what was done, what was found, and what should be fixed. These may be:
- Inadequate or improper configuration settings
- Known or previously unknown software or hardware flaws
- Operational gaps within business processes or technical controls.
Our testers are security professionals who spend 25% of their year researching new techniques, understanding the latest attacks and keeping up their professional qualifications. They use their skills honed within this time to mimic the methods used by criminals. They do this without causing you damage.
Book a Scoping Call
Need a scoping call to help nail down that penetration testing scope?
Simply use the calendar on the right to select the date and time that best suits you. Let us know the best phone number to reach you and a short description of what you are looking to have tested and the team will call you on the date and time you have specified.
It couldn’t be simpler than that.
WHY IS IT IMPORTANT
In today’s compliance and regulation driven world, Penetration Testing is crucial. In fact, it is required by the European Union’s General Data Protection Regulation and the UK Data Protection Act.
Carrying out regular testing helps identify exploitable vulnerabilities in your technical systems and software. This is essential to maintaining your businesses security. Automated services such as vulnerability assessments can give you valuable information about any known vulnerabilities. They cannot give you a full understanding of the security issues that may be present. Only penetration testing, performed by a qualified competent penetration tester can do that.
To ensure you are adamantly protected, you should regularly conduct testing:
- Identify security flaws so that you can resolve them or put in place compensating controls;
- Ensure that your current protective controls remain effective;
- Test new software and systems for security weaknesses;
- Identify new, possibly previously unknown, vulnerabilities in present software and systems;
- Support the businesses compliance with the EU GDPR and the UK DPA, as well as other privacy laws or regulations;
- Enable your compliance with technical standards such as the PCI DSS or UKGS RTS; and
- Assure customers and stakeholders that you are ensuring data and systems security.
Frequently Asked Questions
A penetration test, also known as a “pen test” is a method for evaluating the effectiveness of your security controls. Penetration Testing is performed under controlled conditions, simulating scenarios in a manner that is very close to what a real attacker would attempt.
The difference between a vulnerability scan and a penetration test is that a penetration test uses any gaps are identified in a security control to further an attack. It allows the penetration test to determine how an attacker would escalate access to sensitive information assets, confidential information, personally identifiable information (PII), financial data, intellectual property or any other sensitive information.
Penetration testing utilises multiple tools and techniques as well as the knowledge of a highly skilled penetration tester. The test is guided by a structured and repeatable methodology which, in our case, this is the Penetration Testing Executing Standard along with our internal methodology. It results in a report that will contain detailed findings and recommendations that allow you to implement countermeasures and improve the security posture of the environment. These improvements ultimately reduce the likelihood an attacker could gain access.
Penetration tests and automated vulnerability scans are useful tools for managing vulnerabilities. While these are different testing methods, they are complementary, and both should be in your security program.
A vulnerability scan is an automated method for testing commonly occurring network and server vulnerabilities—a vulnerability scan for vulnerabilities within its knowledgebase.
There are many vulnerability scanning tools available and the majority are easily configured by the end-user to scan for published vulnerabilities on a scheduled basis. Automated vulnerability scanners are a very cost-effective way to identify common vulnerabilities in your digital systems. These vulnerabilities are missing patches, service misconfigurations, and other known weaknesses. Vulnerability scans are not as accurate in validating the accuracy of vulnerabilities, nor do they fully determine the impact through exploitation.
Automated Vulnerability Scanning is mandated by the Payment Card Industry Data Security Standard (PCI DSS) as noted in requirement 11.2.
Automated scanners do suffer one significant weakness. They are prone to reporting false positives and false negatives. These can waste considerable amounts of time of your technical teams.
A penetration test focuses on the environment as a whole, and a vulnerability scan will always be part of a penetration test. The penetration test starts with a reconnaissance phase, an analysis phase, a vulnerability assessment phase (where it will build on the vulnerability scan results and provide a comprehensive analysis of the overall security posture) and will then look at exploitation. Once an exploit has been successful, the whole process starts again from the point of exploitation.
While a penetration tester leverages scripts and tools, their use is limited mainly to the reconnaissance phase. The bulk of a penetration test is manual by nature. A penetration test identifies vulnerabilities scanners cannot, such as wireless flaws, web application vulnerabilities, and vulnerabilities not yet published. Penetration testing includes attempts to safely exploit vulnerabilities, escalate privileges, and ultimately demonstrate how an attacker could gain access to sensitive information assets.
Penetration testing is also mandated by the PCI DSS, as noted in requirement 11.3.
Penetration testing and automated vulnerability scans both serve a purpose, although for different goals. Both types of testing belong in a comprehensive vulnerability assessment and security management program.
The goals of a penetration test significant vary based on the scope of testing. Typically a penetration test is performed to validate the effectiveness of security controls designed to protect the system or assets.
A Penetration Test should always document the goals of the project. Penetration Test reports and deliverables outline the expectations, scope, requirements, resources, and results.
There are many reasons to conduct a penetration test. Some of the more common reasons why companies perform network penetration tests include:
- ensuring that relevant regulatory standards are adhered to;
- as part of regulatory requirements;
- to identify vulnerabilities inadvertently introduced during changes to the environment, such as a major upgrade or system reconfiguration;
- as part of the QA process of the Software Development Life Cycle to prevent security bugs from entering into production systems;
- as part of a customers requirement;
- to demonstrate a commitment to security to a customer perspective and provide an attestation that their assets or services are being managed securely;
- for internal due diligence as part of ongoing efforts to manage threats, vulnerabilities, and risks to an organisation;
- to assess the security controls of potential acquisition targets. Most organisations preparing to acquire an organisation seek insights into the vulnerabilities they may introduce in doing so and plan for the costs they may be incurring to remediate;
- to support a breach investigation, penetration testing may tell an organisation where the other vulnerabilities may exist in order to have a comprehensive response to the incident;
- to allow companies to proactively assess for emerging or newly discovered vulnerabilities that were not known or have not yet been widely published;
- as an aid to development teams who are writing new web applications. Many development lifecycles include penetration testing at key stages of the process. Correcting flaws are typically less costly the earlier in the development lifecycle that they are discovered. Additional testing prior to go-live on a production-ready build can identify any remaining issues that might require attention before loading users on the application.
Penetration testing is an extremely disciplined process. As a responsible and leading penetration testing company, we keep all stakeholders well informed through every stage of the process. We do this through our end of day emails and check calls.
At a minimum, you should expect the following from your chosen penetration testing company:
- A well-coordinated, planned, documented and communicated approach to know what is happening and when;
- A disciplined, documented and repeatable approach used, based on an industry-accepted methodology;
- The methodology should be customised to suit your unique environment and requirement;
- A clearly defined initiation process, planning process, coordinated testing and a collaborative delivery process to ensure accurate results and a clear understanding of remediation.
The simple answer is yes, if a penetration test is not planned and coordinated, it will be disruptive. You can eliminate this risk through proper planning.
By properly planning, you can identify potential risks for disruption and work with the pentest firm to adjust the approach accordingly. Planning should be conducted in advance of any testing start date to ensure adequate time for communication to project stakeholders. Communication and monitoring should continue throughout the testing schedule.
How often testing is performed depends on a variety of factors. Determining what is appropriate includes considerations such as:
Frequency of environment changes: Tests cycles correlate with changes as they near a production-ready state.
Size of the environment: Larger environments can be tested in phases to reduce the testing effort, remediation activities, and load placed on the environment.
Budgetary factors: Testing should be scoped to focus on the most critical assets according to a timeline that is supported by the allocation of security budgets.
The frequency of the testing needs to be adjusted to meet the unique needs of the organisation, and it’s vital that those needs are understood and incorporated into the testing approach from the beginning.
Testing too infrequently allows for a window that increases an organisation’s exposure. On the other hand, if testing is done too frequently, there is inadequate time to remediate before testing resumes. Therefore it is vital to strike a balance.
Companies that recognise the importance of network penetration testing will implement testing regularly. Recurring penetration testing programs allow the schedule to be more adaptable and is better suited to consider these factors. It also allows companies to spread the tests out over a longer horizon and increase frequency to narrow the window for exposure.
The scope of a penetration test should always be customised to the client and should suit the unique nature of the business. A variety of considerations, both internal and external to an organisation, impact and guide the scope of a penetration test:
- The nature of the company and the types of products/services offered
- Compliance requirements and deadlines
- Geographic considerations
- Organisational structure
- The organisation’s strategic plans
- Customer expectations, especially when an organisation acts as a custodian of that customer’s data
- The value of the company’s assets
- Redundancy in the environment that may impact sampling thresholds
- Network segmentation and connectivity
- The age of different components of the environment
- Recent or planned changes to the environment
All of these factors need to be discussed and understood. It is vital to make sure that the scope is appropriate and to ensure that the testing is focused on the areas of the environment that warrant it.
When choosing a penetration testing provider, you should always ask about the qualifications of the testers used.
A team performs every penetration test. That team includes a dedicated project manager, a skilled and experienced test team, a resource coordinator, and a point of escalation.
The test team includes one or more individuals with in-depth experience across multiple technologies, including client platforms, server infrastructures, web application development, and networking.
The individuals on the team should hold valid certifications relevant to their role such as:
- Offensive Security Certified Professional (CISSP)
- CREST Registered Tester (CRT)
- Certified Ethical Hacker (CEH)
- Certified Information Systems Security Professional (CISSP)
- or equivalent credentials.
When a penetration test is being performed to comply with a regulatory requirement, additional experience or certification is required to ensure the approach is appropriate, and the results are presented in the correct context. For example, a penetration test performed to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirement 11.3 is best delivered by individuals with OSCP or CRT credentials. Many skilled penetration testers also typically possess other technology certifications to demonstrate their knowledge and proficiency.
Once the penetration test is complete, you should receive a report detailing all of the findings, recommendations, and supporting evidence. The report should document the scope and boundaries of the engagement as well as the dates the testing performed. It also details the findings in a technical format as well as summarized for non-technical audiences.
The penetration test report should include:
- Detailed recommendations for improvements that document observed vulnerabilities;
- A discussion of the potential business impacts from identified vulnerabilities;
- Specific instructions for remediating, including instructional references where appropriate;
- Supporting evidence and examples;
- A step-by-step and screen-by-screen walkthrough demonstrating any exploits to allow an organization to understand and reproduce the scenario;
- Executive and summary reports for non-technical audiences
Frequently, a separate deliverable is needed that is suitable for consumption by third parties seeking attestation that a penetration test was performed. This is typically in the form of an Executive Summary report.
All deliverables should be of high quality and reviewed with the customer to validate the accuracy and ensure recommendations are well understood.
Validating that identified vulnerabilities from a penetration test have been remediated can be performed using a variety of methods, either in-house or through a follow-up test.
Hedgehog Security offers a free retest against all vulnerabilities identified so as the identified issues are fixed; they can be independently verified as such.
Some organisations prefer to track remediation in-house and possess the resource to validate successful remediation independently; however, most seek independent validation and should have a remediation verification test performed. This is why it is critical that a penetration test be performed in a repeatable manner.
There is no need to prepare anything special for a Penetration Test.
It is important to remember that a penetration test is a point in time test against a defined scope. The test is going to assess the security posture at that particular point in time.
If patches are deployed every week on a particular day, there is no need to change this behaviour to accommodate the penetration test itself. If the results of the penetration test determine this process requires attention, then that would be the appropriate time to adjust.
You should expect to participate in preparation activities related to planning the penetration test itself to ensure the pentest is under controlled conditions. Some preparation related to positioning the tester may also be needed, specifically when testing is on-site.
We participate in the planning and coordination activities and be ensuring that we have the necessary documentation such as the in-scope IP range or domain names for testing prior to the test start date.
During onsite penetration tests, visitor access badges may be needed for the esters. Otherwise, there is not much else that is required prior to the test.
In short, yes. But there are some crucial considerations first.
The first thing to do is to find out if the third party is already having a reputable penetration test provider reviewing the website and the hosting infrastructure.
If so, due diligence is needed to validate the scope is appropriate, review the methodology, and understand if there were any findings. You should confirm when it was last tested and when it will next be tested. If there were any security vulnerabilities found that were determined to be tolerable by the hosting provider, they might not be acceptable for you. You need to take a risk led judgement on that.
If the third party is not testing the site, or if the testing is not adequate, then yes, the site needs to be tested. You may need to obtain the third party’s permission, although this is getting rarer now. Many third parties expect you to have your site tested.
If the third party doesn’t allow testing, you should strongly consider obtaining a “right to audit” clause in their contract or locate another hosting provider that accommodates the need for ongoing vulnerability management, including penetration testing.
You should evaluate all of the vulnerabilities using a risk-based approach. All of our reports list the vulnerabilities in a risk importance order. The remediation effort should follow along these lines:
All Critical risk issues: Fix as soon as possible;
All High risk issues: Fix within 30 days;
Exploitable Medium risk issues: Fix within 45 days
Exploitable Low risk and all other Medium risk issues: Fix within 90 days
The cost of penetration testing can vary a lot. A number of factors are used to determine the price. These include, but are not limited to:
- the scope of the project;
- the size of the environment;
- the number of systems/applications;
- the complexity of any web applications;
- the qualifications needed for the tester;
- if there are regulatory requirements to be met (for example, PCI-DSS);
- the frequency of testing.
It is critical to have a detailed scoping meeting to produce a very clear understanding of the needs and develop a statement of work prior to engaging any penetration test. We perform a scoping call or meeting for every piece of penetration testing work that Hedgehog is involved in. The call is with all of your key stakeholders for the test and will include any of the following people from Hedgehog:
- account manager;
- operations or resource manager;
- test team leader; and
- penetration tester performing the test.
All of our penetration tests are performed on a fixed-fee basis to eliminate any unexpected costs or unplanned expenditures. Our quoted fee includes all labour and required testing tools. The only external cost factor is travel and accommodation for onsite tests.
Adequate time should be reserved well in advance of a penetration test for planning activities. Additional time should be allocated after testing for report development and subsequent review meetings including remediation discussions. The entire effort varies greatly based on the size and complexity of the penetration test. The larger or more complex the environment is, the more effort is required. The duration of the test, however, is very controllable. The duration of the test should be compressed to ensure a good, representative view of the environment at a given point in time.
Generally speaking, four to six weeks is a good estimate for the duration of the entire engagement from planning through final delivery. The actual test itself typically varies depending on the size of the environment.
It is generally not a good idea to send a full penetration test report outside of your company. The report contains extremely sensitive information that is highly confidential and should only be made available to trusted internal resources on a “need-to-know” basis. A penetration test report can be a roadmap to your vulnerabilities and in the wrong hands provides a very unique view and guide to breaking into the business.
We can provide, on request, a summary version of the report that details scope, approach, qualifications and categorical results. This summary report is designed for you to share. It is common to include summary remediation plans if applicable but ultimately, the third party needs to receive documentation that gives them comfort that there is a mature, ongoing testing program that is proactively assessing the environment, and that key findings are being appropriately addressed.