By Heidy Ramirez, May 24th 2021

By: Anas Sabbar

Penetration testing is an important part of a security team's threat and vulnerability management capability. Many risk and security managers rely on penetration testing as an independent verification mechanism to assess their controls and their organization's IT environment.

The results of these tests are used for several purposes, for example:

  • to help develop risk and security management improvement programs (for example, when a manager is new to the company and needs a baseline);
  • to validate the effectiveness of security capabilities and controls (using a red team exercise, for example);
  • as part of ongoing vulnerability and threat management activities (e.g., assessing platforms and applications supporting critical new initiatives).

For some companies, such testing is mandatory, for example, to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS), which requires both internal and external penetration testing.

Other organizations may require penetration testing to comply with a specific information security framework, such as those published by the National Institute of Standards and Technology (NIST) or the Center for Internet Security (CIS).

Penetration testing can encompass a wide range of activities and outcomes. Clients typically focus on testing external and internal networks, as well as critical internal and external web applications.

More recently, wireless network testing has become more common, sometimes to meet regulatory requirements such as PCI DSS, as has physical testing, depending on the enterprise vertical (e.g., utilities or retail). Targeted phishing and social engineering tests are sometimes performed as well.

Red team testing is gaining visibility in the marketplace, which only confuses buyers.

Why the confusion? Because red team testing sounds very similar to what may be marketed as "advanced" network penetration testing, but also because some vendors are adopting this term to differentiate themselves in the marketplace.

The reality is that the red team principle is related to, yet distinct from, traditional network penetration testing. Some vendors legitimately offer either or both types of testing, while others only do network penetration testing and misuse the term "red team."

Penetration testing goes beyond vulnerability scanning: rather than only enumerating known weaknesses, it uses multi-stage, multi-vector attack scenarios that first find vulnerabilities and then attempt to exploit them to penetrate deeper into the enterprise infrastructure.

The red team principle covers a spectrum of styles, from more advanced penetration testing at one end to a war game exercise at the other, in which testers emulate a specific adversary's attacks on an enterprise and its security defenses. Features that differentiate these engagements from a standard penetration test include longer engagement times (weeks instead of days), fewer limitations around particular attack vectors (web apps, phishing, voice phishing, physical access), the tooling used (previously unknown exploits for a security hole, or custom malware and implants), and an increased effort to avoid detection. Red team engagements can be run in a black box (no prior knowledge) or gray box (partial knowledge) model. These characteristics are also reflected in the price, as these tests impose an additional cost due to the length of the engagement, the preparation required and the expertise employed.

Selecting a penetration testing provider can be a daunting challenge due to the large number of companies offering these services. A Google search of "penetration testing" reveals hundreds of service providers that vary in many ways, such as company size (and staffing), geographic location, years of experience, and reputation.

For example, providers range from large consulting firms with offices around the world to regional providers of customized security services to individuals working from home. Tester experience ranges from veterans who have performed hundreds of penetration tests to recently certified individuals who have decided to start a penetration testing business.

It is important to note that greater size or global brand recognition does not necessarily equate to better results when it comes to penetration testing.

In addition, years of experience are not necessarily a good indicator for emerging technologies (such as cloud computing environments) or use cases where niche expertise is required (e.g., testing of SCADA environments or industrial control systems).

Tester experience is therefore a key factor.

New approaches to penetration testing have also appeared on the market.

For black-box testing, crowdsourced options have appeared on the market. These tests are delivered by vendors who act as the contracted penetration test provider and assign the work to vetted testers once the buyer has registered the type of test required.

These vendors' platforms aim to optimize penetration testers' time by automating much of the project management and information-gathering activities, giving testers more time to perform the tests; they also provide buyers with a larger pool of testers. They can also shorten the time it takes a buyer to identify and schedule a test, which has become a pain point for penetration test buyers.

The time it takes to schedule a test with penetration testing providers can be as long as 10 business days or more. In some cases, it may not even be possible to schedule a test for several weeks, depending on how busy the provider is at the time the test is required.

Breach and attack simulation (BAS) tools and automated penetration testing tools are also available.

Breach and attack simulation tools are intended to provide continuous monitoring and assessment of the attack surface of an organization's IT environment. These tools highlight the highest-risk assets that could be compromised by an attacker and then used as a foothold to move laterally within the enterprise network. There are also tools that attempt to fully automate the work of a human penetration tester by using a toolkit and a set of attack tactics and techniques to perform a network penetration test.
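To make the "highest-risk assets that enable lateral movement" idea concrete, here is a small attack-path prioritization routine of the kind a BAS tool runs internally. It is an added example, not code from the article or from any vendor's product; the hosts, edges and technique labels are constructed for illustration and do not describe a real environment.

```python
"""Toy attack-path prioritization, in the spirit of a breach-and-attack-simulation tool.

Constructed example for illustration; not code from the article or any vendor product.
Hosts, edges and technique names below are invented.
"""
from collections import deque

# Constructed attack graph: host -> list of (next host, technique that enables the hop).
ATTACK_GRAPH = {
    "web01": [("app01", "SSRF to internal API")],
    "app01": [("db01", "reused DB service account"), ("fs01", "writable SMB share")],
    "vpn-user": [("ws12", "phished credentials")],
    "ws12": [("fs01", "cached domain creds"), ("dc01", "Kerberoastable SPN")],
    "fs01": [("dc01", "writable GPO script path")],
    "db01": [],
    "dc01": [("db01", "domain admin"), ("fs01", "domain admin"), ("app01", "domain admin")],
}
CROWN_JEWELS = {"db01", "dc01"}              # assets whose compromise matters most (assumed)
INTERNET_EXPOSED = ("web01", "vpn-user")     # plausible initial footholds (assumed)


def shortest_paths(graph, start):
    """BFS from `start`; returns {host: shortest path as a list of hosts} for every reachable host."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt, _technique in graph.get(current, []):
            if nxt not in paths:
                paths[nxt] = paths[current] + [nxt]
                queue.append(nxt)
    return paths


def rank_entry_points(graph, entry_points, crown_jewels):
    """Rank entry points by how many crown jewels they can reach, then by fewest hops.

    Returns a list of (entry, jewels_reached, min_hops, {jewel: path}) tuples, riskiest first.
    """
    results = []
    for entry in entry_points:
        paths = shortest_paths(graph, entry)
        reached = {cj: paths[cj] for cj in crown_jewels if cj in paths}
        min_hops = min((len(p) - 1 for p in reached.values()), default=None)
        results.append((entry, len(reached), min_hops, reached))
    # More jewels reachable ranks higher; among equals, the shorter path ranks higher.
    results.sort(key=lambda r: (-r[1], r[2] if r[2] is not None else float("inf")))
    return results


def choke_points(graph, entry_points, crown_jewels):
    """Count how many entry->jewel shortest paths pass through each intermediate host.

    Hosts with high counts are the ones where fixing a single weakness cuts the most paths.
    """
    counts = {}
    for entry in entry_points:
        paths = shortest_paths(graph, entry)
        for cj in crown_jewels:
            for host in paths.get(cj, [])[1:-1]:   # exclude the entry and the jewel itself
                counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for entry, n_reached, hops, reached in rank_entry_points(ATTACK_GRAPH, INTERNET_EXPOSED, CROWN_JEWELS):
        print(f"{entry}: reaches {n_reached} crown jewel(s), nearest in {hops} hop(s)")
        for jewel, path in reached.items():
            print("   ", " -> ".join(path))
    print("choke points:", choke_points(ATTACK_GRAPH, INTERNET_EXPOSED, CROWN_JEWELS))
```

Run stand-alone it prints, for each exposed host, which crown jewels it can reach and by what path, then the intermediate hosts that most attack paths share. Real BAS products weight edges by exploit likelihood and validate each hop by actually attempting it; the unweighted breadth-first search here is enough to show why a file server or a workstation with cached credentials can rank above the crown jewel itself in a remediation list.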

For testing web and mobile applications, there are now bug bounty programs (in both private, invitation-only and public models). Bug bounties differ in that you, the customer, pay only for confirmed issues or vulnerabilities that are found, not for hours spent on a target.

This is also a crowdsourced model, so instead of a single consultant, there may be dozens of researchers working on your test target at the same time.
