What is Penetration Testing?

The bad guys use a variety of tools to try to gain unauthorized access to your systems and networks. Automated tools such as network scanners, software debuggers, password crackers and malware are all standard parts of an attacker’s toolkit.

But what is penetration testing, or a pen-test? It bridges the gap between using technical tools to test an organization’s security and the power those same tools have in the hands of a skilled intruder. Pen-tests are authorized, legal attempts to defeat an organization’s security controls.


Why are pen-tests important?

Pen-tests mimic external intruders trying to break through your organization’s defenses. If you know your own vulnerabilities, or which doors you have accidentally left unlocked to the world, you can fix the vulnerability and lock the door before a real attacker reaches your organization.

A pen-test therefore provides you with knowledge you can’t obtain elsewhere. By conducting thorough penetration tests, you will learn whether an attacker with knowledge, skills and information similar to your testers’ would likely be able to penetrate your defenses. If at the end of the exercise we can penetrate your systems, the findings give you a concrete blueprint for remediation.


The goal of penetration testing

The goal of penetration testing is to ensure the CIA (Confidentiality, Integrity and Availability) of the information in your organization. A quick definition of each will show their importance:

  • Confidentiality: This seeks to prevent unauthorised access to the information or systems in your company.
  • Integrity: This seeks to prevent unauthorised modification of the information or systems in your company.
  • Availability: This ensures that the information and systems of your company are available when needed.


External attackers therefore try to undermine one or more of these three goals through:

  • Disclosure: Accessing your systems and breaking their confidentiality, or
  • Alteration: Changing the information on your systems (e.g. ransomware) and breaking its integrity, or
  • Denial: Making your systems unavailable to your customers (e.g. a Denial of Service attack).


Different types of Pen-Tests

If you engage a provider like Calibre One to perform a penetration test, you will find that there are a number of testing levels, each with a different outcome. For instance, you may want to scan only a few external IP addresses of your organization and look for vulnerabilities; you may want to go further and try to exploit any of those vulnerabilities to gain access to your systems; or you may want to take it even further and try to exfiltrate information from any of your systems. To learn more about the different types of penetration testing, read our blog post about the definition and importance of Penetration Testing.

As you can see there are different levels; every level is more comprehensive than the previous one and also more expensive.

Sometimes you only want to know what you have exposed to the world, and that is a good starting point for working on internal mitigation strategies before engaging for a more in-depth pen-test.


Pricing

As discussed previously, there are a number of different levels tailored to different situations and to the security maturity of an organization.

You can find the description of every level below:

Pen-Test Level 1:
  • External vulnerability scan (up to 2 IP addresses)
  • Search for all known vulnerabilities
  • Reconnaissance and OSINT on target IPs
  • OSINT framework gathering information such as username, email address, domain name, IP address, social network, phone numbers, etc.
  • Reporting and recommendations

Pen-Test Level 2 (Pen-Test Level 1 plus):
  • External vulnerability scan (up to 32 IP addresses)
  • Search for all known vulnerabilities
  • Reconnaissance and OSINT on target IPs
  • OSINT framework gathering information such as username, email address, domain name, IP address, social network, phone numbers, etc.
  • Internal network vulnerability scan (one physical location)

Pen-Test Level 3 (Pen-Test Level 2 plus):
  • Search for all known vulnerabilities
  • Reconnaissance and OSINT on target IPs
  • OSINT framework gathering information such as username, email address, domain name, IP address, social network, phone numbers, etc.
  • Internal network vulnerability scan (one physical location) and external vulnerability scan (up to 32 IP addresses)
  • Full penetration test including: escalation of privileges, capture/relay hashes, crack passwords, exploit vulnerabilities discovered in the vulnerability scan, exfiltrate data, set up backdoors and command/control connections
  • Reporting and recommendations


The approximate cost for each of these levels is:

  • Pen-Test Level 1: $3,000
  • Pen-Test Level 2: $11,000
  • Pen-Test Level 3: $20,000


Interested In Penetration Testing?

Get In Touch Today!

Ph: 1300 4 CALIBRE (1300 422 542)
