Frequently Asked Questions
About Security, Penetration Testing, Our Services and More…
Artifice Security will demonstrate real-world attacks on your network, devices, web applications, infrastructure, and personnel to expose your hidden security risks and give you the steps to strengthen your security posture.
What is penetration testing?
A penetration test, or “pentest,” is an authorized cybersecurity assessment designed to evaluate the security of your infrastructure by safely exploiting vulnerabilities. This test shows you the strengths and weaknesses of your infrastructure and how to remediate vulnerabilities while giving you an idea of your organization’s security risks.
Why would I need a penetration test?
Many organizations will point to their internal security team and say, “I already have a security team.” Unfortunately, it is easy to become biased about your own network. A penetration test will show you vulnerabilities you may not even know exist, uncover critical flaws, and allow you to fix them. The penetration test will also show you how specific attack vectors impact your organization.
Additionally, a penetration test will highlight strengths and weaknesses in your network while identifying controls you need to implement.
What should I look for when hiring a penetration testing company?
Experience in IT and Security – When hiring a penetration testing company, it is critical to know whom you hire. Each consultant should have broad experience and training in penetration testing and in IT in general. Many organizations employ penetration testers who have little IT experience. A pentester with little IT experience lacks knowledge of how devices, networks, and applications are supposed to operate normally, and could therefore overlook misconfigurations that make you vulnerable.
Our penetration testers had many years of IT experience before becoming penetration testers, which is critical to understanding enterprise networks and systems. Our team also holds many relevant certifications such as the OSCP, OSCE, OSWE, cloud certifications, and Microsoft certifications.
Integrity – Ensure the company is honest about its accomplishments, personnel, and certifications. The team members working on your network, systems, and applications should be trustworthy and prompt when responding to your security concerns. For example, ask for a sample penetration test report to see whether it reflects an actual penetration test or a vulnerability scan masked as one.
Safety – Make sure the company has checks in place to verify the trustworthiness of its employees, and confirm that it runs background checks on them.
Open About Their Work – When hiring a penetration testing services provider, companies must ensure that the vendor uses an industry-accepted approach. The team must give a clear statement of work that includes testing parameters, engagement time, tools and methodologies used, privacy considerations, data access processes, and reporting expectations and criteria.
Data Security – Regardless of the guarantees gained during the contract negotiation process, it is critical to inquire about data handling. For example, how is data transported? How long does customer data stay on file? Does the company use an NDA to protect your information?
Liability Insurance – Companies must carry liability insurance so that they can compensate you for any losses caused by their testing and infiltration attempts if problems arise. Ensure that the pentesting company has adequate insurance to cover potential losses if any data is released or compromised.
How Much Does a Penetration Test Cost?
The length and expense of penetration testing vary greatly based on many factors. These factors include the number of IP addresses, the number of employees for social engineering, and the complexity and number of applications. Our team ensures the project’s scope fits your organization’s needs when considering these factors.
At Artifice Security, all assessments are performed by highly experienced, skilled, senior-level penetration testers.
With that stated, there are common project patterns and ranges we see. Penetration testing typically starts at $5,000 but can cost in the six-figure range for very large, more extensive projects.
What is a vulnerability assessment, and how does that differ from a penetration test?
Vulnerability scanners, such as Nexpose and Nessus, check your systems for known vulnerabilities and alert your company about possible risks. Penetration tests find flaws in your IT network’s architecture and estimate the likelihood of a malicious actor gaining unauthorized access to your critical assets. A penetration test will also exploit complex vulnerabilities, which a vulnerability scanner cannot do.
Additionally, vulnerability scans produce many false positives, while a penetration test should not, because the penetration tester manually exploits each flaw and provides a proof of concept.
Lastly, a penetration test can find vulnerabilities using logic that automated scanners miss. For example, a vulnerability scanner will not alert against a file share that stores critical information with read/write access for the “everyone” group.
What is a Red Team Assessment, and how does that differ from a penetration test?
Red Team assessments differ from penetration tests as they focus on testing your incident detection and response capabilities. Red team operators will also move stealthily to mimic real-world attackers. During a red team engagement, the goal is not to find every vulnerability against your assets but to mimic a real-world attack and break in using the path of least resistance. For example, a person walking in the side door of your building and walking out with a server in hand could be the easiest path to get your data.
For penetration testing, the consultant will attempt to find as many vulnerabilities as possible in your network or application during a set period and combine attacks to reach your critical data. This type of engagement is not stealthy and will often involve your IT staff, who know that the penetration test is taking place.
In short, a penetration test attempts to find as many vulnerabilities in your organization as possible while not worrying about being detected, while a red team assessment focuses on your incident detection and response capabilities.
What is a white-box vs. a black-box penetration test, and why would I pick one over the other?
Black-box Approach for Penetration Testing
In a black-box engagement, the tester is given no inside access to, or information about, the applications or networks in scope. The tester must perform reconnaissance to obtain the information needed to proceed.
This method provides the most accurate simulation of a cyber-attack. However, it takes a long time and poses the most significant risk of missing a vulnerability within a network or application’s underlying components. A real-life attacker generally has no time constraints and can plan an attack strategy for months while waiting for the right opportunity.
Additionally, many defensive measures are available within networks to help prevent existing vulnerabilities from being exploited. Even where a vulnerability remains, some web browsers now include protections that block certain attacks. All that is required to exploit the vulnerability is a change in settings or a connection from a different browser version.
The fact that security settings prevent a vulnerability from being found or exploited does not mean that it does not exist or that your team is addressing it. It merely means that another factor is influencing the outcome. Someone with more time can eventually take advantage of this false sense of security and study the attack surface properly.
Gray-box Approach for Penetration Testing
Gray-box testing enables the tester to obtain internal access and data from the administrators, such as IP addresses or subnets, application logic flow charts, or network infrastructure maps. This access might be from an attacker who has already broken the network’s perimeter and has restricted inside access, or it could be from a hostile insider.
Starting with fundamental baseline knowledge, low-level credentials, or networking information allows for a more efficient and streamlined procedure. This information and limited access can save time during the reconnaissance phase, allowing consultants to focus on exploiting potential vulnerabilities in higher-risk systems rather than attempting to locate them.
White-box Approach for Penetration Testing
In white-box testing, the penetration tester gets complete access to all web applications and systems, along with insight from administrators and developers. The consultant also has high-level network access and can view source code.
White-box testing, among other things, seeks out logic flaws, potential security exposures, security misconfigurations, poorly written development code, and a lack of protective procedures. This review analyzes internal and external vulnerabilities from a ‘behind the scenes’ perspective that traditional attackers do not have.
Because it takes so long to examine all system elements thoroughly, an organization might only reserve white-box testing for high-risk systems or those that process sensitive data.
What is your penetration testing methodology?
Artifice Security uses several proven penetration testing methodologies such as the Open Source Security Testing Methodology Manual (OSSTMM), the Penetration Testing Execution Standard (PTES), and the Open Web Application Security Project (OWASP) for web applications and IoT.
How safe is a penetration test against your environment?
A penetration test involves exploiting systems and applications and making these systems perform in unintended ways; therefore, there is no such thing as a risk-free penetration test.
For example, if a system has a hardware issue or software bug already present, running something as simple as a port scan could knock it over.
The expert security consultants at Artifice Security all come from backgrounds in system administration, network engineering, and web development. With deep experience and understanding of enterprise networks on top of professional certifications, they understand systems and networks more deeply than most. Our team acts methodically and with extreme care during each engagement, as if the systems under test were our own.
Artifice Security will not use Denial-of-Service tools or create traffic that would impede your regular business traffic.
What are the certifications held by your company?
An IT certification is a recognized benchmark, based on standardized testing, that maps to a specific skill set.
At Artifice Security, our consultants have a vast array of certifications that make them well-rounded. Below are the collective certifications held by team members at Artifice Security:
- CompTIA A+
- CompTIA Network+
- CompTIA Security+
- Microsoft Certified Systems Administrator (MCSA)
- Microsoft Certified Systems Engineer with Specialization in Security (MCSE+S)
- Microsoft Certified IT Professional (MCITP)
- Microsoft Certified: Azure Solutions Architect Expert
- Cisco Certified Network Professional (CCNP)
- Red Hat Certified Engineer (RHCE)
- EC-Council Certified Ethical Hacker (CEH)
- EC-Council Certified Security Analyst (ECSA)
- Offensive Security Certified Professional (OSCP)
- Offensive Security Certified Expert (OSCE)
- Offensive Security Web Expert (OSWE)
- Certified Information Systems Security Professional (CISSP)
- AWS Certified Solutions Architect
- AWS Certified Security
- CREST Certified
- PortSwigger Burp Suite Certified Practitioner
- National Security Agency INFOSEC Assessment Methodology (NSA IAM)
- National Security Agency INFOSEC Evaluation Methodology (NSA IEM)
What do you cover in your penetration testing report?
Our report starts with an executive summary that gives a concise overview of the penetration test results. The executive summary offers actionable takeaways without requiring the reader to go through the entire report, and summarizes where the penetration testers bypassed security controls. This section explains the overall risk to the organization and is written in layman’s terms for any reader.
The executive summary will also include an overview of the penetration tester’s positive findings during testing.
Next, the report will give a storyboard that shows the penetration tester exploiting vulnerabilities and chaining together attacks to reach your critical assets.
Afterward, the report explains the Threat Ranking Methodology: how we rate each vulnerability based on the likelihood that a malicious actor can initiate the threat and its impact on your organization. Artifice Security uses NIST 800-30 as its threat-ranking methodology so that ratings adhere to an industry-proven standard.
Each vulnerability is listed in the report, starting with the most critical. The report explains each vulnerability in detail with repeatable proof-of-concept examples, shows the location of the vulnerability, and gives detailed remediation steps for your team.
Artifice Security has a team of engineers with past work experience as systems administrators, network engineers, and web developers. Based on this experience, we can give you precise remediation steps that fit your exact environment.
Do you maintain internal security in your own company?
Artifice Security only holds customer data for 90 days in an encrypted cloud storage appliance, at which point we securely remove the data. This data is only kept for 90 days to refer to our clients’ reports or complete a retest.
Is your penetration testing service automated or manual?
Artifice Security uses a manual approach to penetration testing. Each of our team members fully understands enterprise networks and applications and knows how to manipulate these systems by hand. We use some automated tools, such as port scanners (e.g., Nmap) and vulnerability scanners like Nessus. However, we use these tools only at the beginning, for enumeration, and then use manual methods to complete the penetration test.
Automated tools cannot find apparent misconfigurations, such as open file shares with critical data inside or weak passwords used by employees. Also, automated tools cannot chain together attacks or exploit complex vulnerabilities.
In manual penetration testing, the consultant reviews each system by hand and exploits vulnerabilities based on their knowledge, experience, and the conditions they encounter. This manual method yields more significant results, and you are guaranteed no false positives, as each exploitation has a matching proof of concept.
Do you perform screening and background checks for your team members?
How much time is needed to conduct a penetration test?
Artifice Security determines the time needed for a penetration test by the number of internal or external systems, or by the size and complexity of the web application. For an internal penetration test, it is also essential to know whether travel will be involved or whether the testing can be conducted remotely by providing the client with a virtual machine (VM) to host on their network. We see engagements starting at one week, with most running multiple weeks or even months.
For any penetration test, we conduct a meeting with you and your team to discuss what you need for testing and determine the exact scope of the assessment.
Do I need to alert AWS, Google Cloud Platform, or Microsoft Azure to penetration testing?
Amazon Web Services (AWS)
As of early 2019, Amazon does not require prior approval for a penetration test.
Google Cloud Platform (GCP)
For GCP pentesting, Google does not require any prior notification, but we must adhere to Google’s Acceptable Use Policy and cannot target resources that do not belong to you.
To avoid breaching Google’s Acceptable Use Policy and disrupting your activities during our pentest, we do not test for denial-of-service vulnerabilities. Before any potentially disruptive action is carried out, we usually alert the client.
Microsoft Azure
As of June 2017, conducting penetration testing on Azure services does not require prior authorization. Microsoft Azure does not allow DoS attacks against its services, scanning of out-of-scope services, or running automated scanners that generate excessive traffic.
These rules of engagement exist to prevent other Azure customers from being impacted by a scheduled security test.