As a Chief Information Security Officer (CISO), you have the responsibility of not only directing your organization’s security but also conveying your risk status to leadership.
That’s where annual penetration tests come into play: giving you a professional, outside look into your security posture— with specific remediations to continually improve your defenses.
But before committing to a pentest, we know you have questions. Luckily, we’ve got answers. Here are the most frequently asked questions we receive from CISOs before running a penetration test at Mitnick Security:
1. How Does a Penetration Test Differ From an Automated Vulnerability Scan? What More Will I Get From a Pentest?
Network Security Assessment Software (NSAS) exists to check for overarching vulnerabilities. These vulnerability scans can be conducted in just a few short minutes and are intended to catch any glaring gaps in your security.
Some pentesting companies take the vulnerability scan a step further by offering a vulnerability assessment. During a vulnerability assessment, a professional pentester reviews the scanned results to locate, quantify, and prioritize technological weaknesses in your systems and network. During this time, the pentesters often pick up on things the scan has missed and verify any identified vulnerabilities through active exploration. These scans and assessments can be performed frequently, and are usually recommended quarterly.
A penetration test is more timely, thorough, and detailed than a vulnerability scan or a vulnerability assessment. Not only do the pentesters discover your vulnerabilities, but they also try to exploit them in a series of simulated cyberattacks. In the end, you leave with a comprehensive pentesting report detailing the attacks the testers launched, what they were able to breach, as well as specific, actionable recommendations for improving your security.
2. Which Pentest Is Right for My Organization?
- External network
- Internal network
- Social engineering
Each of these pentests focuses on a different area of your security. For example, you may choose to test one of your web applications, or how easy it would be for someone to break into your physical office headquarters.
Generally speaking, it is wise to start with one or two types of pentests at a time. You can consult your pentesting company to help you determine which type takes precedence.
Companies with more advanced security postures who have previously conducted penetration tests may choose to pursue a Red Team engagement. A Red Team is a more sophisticated pentest where the pentesters are looking for one way in, unlike traditional pentests where the goal is to discover as many vulnerabilities as possible.
3. How Do You Define the Scope of the Pentesting?
Before beginning a penetration test, you will work with the pentesters to define your project’s scope. You’ll meet with the pentesters to set the parameters of the engagement, clearly detailing the environment, what will be tested, if any networks, databases, accounts, people, or attack vectors are off-limits, how long the test will run, the key objectives of the test, etc.
It’s crucial to agree on a clear scope to be able to estimate the cost of the engagement and how you can properly prepare. While the scoping process can differ from company to company, at Mitnick Security, you’ll discuss and sign a scope of work agreement that confirms the type of test you will receive and the duration of the test. Afterward, you’ll lock down test expectations like specific targets, hours not to pentest, any off-limit attack vectors, etc. during your kick-off engagement call. This ensures that everything is set so the test can begin and run without any surprises.
4. How Much Does a Pentest Cost and How Long Will It Take?
Penetration tests vary in scope based on what type of test is being conducted, the particular organization’s goals, network size and complexity, etc. That means there’s no one-size-fits-all cost.
Typically, most organizations spend between $15,000-$50,000 on professional pentesting. We encourage you to read our resource What You Should Budget for a Penetration Test to understand the true price you may expect.
Because the scope is different for every test, it’s also hard to define a set length for an individual penetration test. But as a general estimation, the typical time span for a deep-dive penetration test is anywhere from three to five weeks, sometimes lasting up to a couple of months.
5. Will Pentesting Disrupt My Team’s Day-to-Day?
Penetration tests are simulated cyber attacks on your business’s network and infrastructure. Because they are professionally simulated attacks and not real threats to your network, you are able to define the rules of engagement prior to conducting the test. Typically, disruptions that would cease or drastically hinder the daily operations of your business are excluded to ensure you can function uninterrupted during a pentest, such as denial of service attacks or complete restriction of compromised software or devices.
Team members that are not involved or aware of the penetration test, however, may notice suspicious activity during the process and report it to your security team. This is a good thing! It showcases that your employees are being vigilant in protecting your organization against foul play.
6. Can We Do Our Own Penetration Testing?
If your budget does not allow for frequent pentests, yes, you can conduct your own security assessments. But think of it as a second line of defense: something meant to work in tandem with a professional test. Having the capability to run your own penetration tests can help you stay on top of your security between annual professional external tests.
Simply put, running your own pentest is subject to bias. You are too close to home, metaphorically speaking, and oftentimes unaware of true vulnerabilities that exist. It’s imperative to have a different set of eyes on your infrastructure to catch security gaps you may have missed.
No One Knows Pentesting Like Kevin Mitnick
When investing your business’s valuable time and money into an annual pentest, you want to know that you're paying for the very best.
That's what you get when you trust Kevin Mitnick and his Global Ghost team. From FBI’s Most Wanted cybercriminal to esteemed government-entrusted pentester, Kevin is now a leading source in the industry, detecting vulnerabilities that other pentesters can’t uncover.
Explore our penetration testing services today.