Cybersecurity is a mix between policies, practices and the technical controls that an organization puts into place to protect itself. Penetration testing (aka “pentesting”, “attack & penetration testing”, “A&P testing”) focuses on the technical controls within an organization’s environment.
When it comes to an organization’s environment, even small, non-complex organizations can easily end up with a complex IT environment. Between systems that are on-premise, to cloud-based applications or even entire environments that are hosted in-the-cloud, Work from Home (WFH) and “shadow IT” – today’s IT environment is complex! Knowing and understanding where an organization’s data is stored, how it’s protected and what technical vulnerabilities exist that could lead to a partial or full compromise of an organization has never been more important.
Vestige’s Network Penetration Testing addresses this issue. Our assessments combine technical analysis of the organization’s environment with our Penetration Testers’ real-world experience to identify, test and report upon vulnerabilities that the organization should address to improve its security.
Vestige provides a handful of options when it comes to network penetration testing. Each provides benefits and has limitations. As such, it is important to discuss your overall goals with Vestige and understand not only what you’re looking to achieve in this penetration test, but how this test fits in with an overall risk management and cybersecurity program. We’ve also included the pros and cons of each.
Designed to simulate a real attack, black box pentesting pits the pentester against the environment with no known information up-front. Our penetration testers perform reconnaissance to learn as much about the organization and its digital assets to formulate an attack plan. Depending on the engagement, this can even include social engineering, Open Source Intelligence gathering, and review of known information available on the Dark Web. Generally speaking, the goal of a black box pentest is to demonstrate success with gaining access or a foothold into the organization. While realistic, black box pentesting has its deficiencies; namely, thoroughness and lack of confidence that all vulnerabilities have been discovered.
PRO: Most realistic approach
CON: May not identify or focus on all areas of the areas of most concern to the organization
Vestige’s White Box External/Internal Penetration Test starts with our engagement team and your team engaging in a discovery/exchange of the organization’s footprint – both external and internal. By sharing this information, you will gain the advantage of knowing that the entire environment will be evaluated during our penetration testing. Of course, should we discover information assets outside of the discussed scope, those will be tested and identified as part of the investigation. While sometimes viewed as “less realistic”, White Box approaches are the most comprehensive, since detailed information about the organization’s environment is provided to the testing team.
Upon agreement with your team, we establish a targeted game plan for which areas, services and assets will be subjected to our additional levels of testing.
PRO: Focus on the areas of highest concern
CON: Less Realistic approach
Vestige’s Hybrid External/Internal Penetration Test is a combination approach of our “Black Box” penetration test and our “White Box” penetration test – seeking to bring about the best of both approaches. Keeping in-line with the black box approach, Vestige commences the engagement having been provided little to no information about the environment. We proceed to identify as much of the environment through techniques consistent with what an outside attacker would use. Upon completion of this phase, we reconvene with the organization to discuss our findings to-date and discuss areas which may not have been transparent to Vestige. Upon agreement with your team, we then establish a targeted game plan for which areas, services and assets will be subjected to our additional levels of testing.
The Hybrid approach provides a unique opportunity to see the results of the way that an outside attacker may take and yet gain the additional benefits afforded by a white box approach.
Of course, with all options there are trade-offs. For the Hybrid approach those trade-offs include a slightly longer engagement as we proceed to re-engage with your organization to validate our initial reconnaissance, resulting in a slightly higher investment.
PRO: Good balance between realistic and focus on highest areas of concern.
CON: Higher investment
Contact Vestige today do discuss your Network Penetration Testing needs and what will work best for your organization.
Actual Threat Environment™
Network Penetration Testing
Pre-Certification & Readiness Compliance Assessments
SOC2 & SSAE18
Web Application Penetration Testing
Wi-Fi Penetration Testing