Frequently Asked questions

About Security, Penetration Testing, Our Services and More…

Artifice Security will demonstrate real-world attacks on your network, devices, web applications, infrastructure, and personnel to expose your hidden security risks and give you the steps to strengthen your security posture.

Most popular

Questions &
Answers

What is penetration testing?

A penetration test, or “pentest,” is an authorized cybersecurity assessment designed to evaluate the security of your infrastructure by safely exploiting vulnerabilities. This test shows you the strengths and weaknesses of your infrastructure and how to remediate vulnerabilities while giving you an idea of your organization’s security risks.

Why would I need a penetration test?

Many organizations will point to their internal security team and say, “I already have a security team.” Unfortunately, it is easy to become biased with your network. A penetration test will show you vulnerabilities you may not know even exist. A penetration test uncovers critical vulnerabilities while allowing you to fix the flaws. The penetration test will also show you how attack vectors impact your organization.

Additionally, a penetration test will highlight strengths and weaknesses in your network while identifying controls you need to implement.

What should I look for when hiring a penetration testing company?

Experience in IT and Security – When hiring a penetration testing company, it is critical to know who you hire. Each consultant should have a vast array of experience and training for penetration testing and IT in general. Many organizations will employ penetration testers who have little IT experience. Having little experience in IT means the pentester will lack knowledge of how devices, networks, and applications are supposed to operate normally, which means the pentester could overlook misconfigurations that make you vulnerable.

Our penetration testers have many years of IT experience before becoming a penetration tester, which is critical to understanding enterprise networks and systems. Our team also has many relevant certifications such as the OSCP, OSCE, OSWE, Cloud certifications, and Microsoft certifications.

Integrity – Ensure the company is honest about its accomplishments, personnel, and certifications. The team members working on your network, systems, and applications should be trusted and prompt when responding to your security concerns. For example, ask for a penetration test example report to view if the report is an actual penetration test or a vulnerability scan masked as a penetration test.

Safety – Make sure the company has checks in place to verify the trustworthiness of its employees and confirm they run background checks against their employees.

Open About Their Work – When hiring a penetration testing services provider, companies must ensure that the vendor uses an industry-accepted approach. The team must give a clear statement of work that includes testing parameters, engagement time, tools and methodologies used, privacy considerations, data access processes, and reporting expectations and criteria.

Data Security – Regardless of the guarantees gained during the contract negotiation process, it is critical to inquire about data handling. For example, how is data transported? How long does customer data stay on file? Does the company use an NDA to protect your information?

Liability Insurance – Companies must have liability insurance and compensate for any losses caused by their testing and infiltration attempts if problems arise. Ensure that the pentesting company has adequate insurance to cover any potential losses if any data is released or compromised.

How Much Does a Penetration Test Cost?

The length and expense of penetration testing vary greatly based on many factors. These factors include the number of IP addresses, the number of employees for social engineering, and the complexity and number of applications. Our team ensures the project’s scope fits your organization’s needs when considering these factors.

At Artifice Security, we have all highly-experienced and skilled senior-level penetration testers performing assessments.

With that stated, there are common project patterns and ranges we see. Penetration testing typically starts at $5,000 but can cost in the six-figure range for very large, more extensive projects.

What is a vulnerability assessment, and how does that differ from a penetration test?

Vulnerability scans, such as Nexpose and Nessus, check your systems for known vulnerabilities and alert your company about possible risks. Penetration tests find flaws in your IT network’s architecture and estimate the likelihood of a malicious actor gaining unauthorized access to your critical assets. The penetration test will also exploit complex vulnerabilities while a vulnerability scanner cannot.

Additionally, vulnerability scans will have many false positives, while a penetration test should not, as the penetration tester will manually exploit the flaw and show proof of concepts.

Lastly, a penetration test can find vulnerabilities using logic that automated scanners miss. For example, a vulnerability scanner will not alert against a file share that stores critical information with read/write access for the “everyone” group.

What is a Red Team Assessment, and how does that differ from a penetration test?

Red Team assessments differ from penetration tests as they focus on testing your incident detection and response capabilities. Red team operators will also move stealthily to mimic real-world attackers. During a red team engagement, the goal is not to find every vulnerability against your assets but to mimic a real-world attack and break in using the path of least resistance. For example, a person walking in the side door of your building and walking out with
a server in hand could be the easiest path to get your data.

For penetration testing, the consultant will attempt to find as many vulnerabilities on your network or application during a set period and combine attacks to reach your critical data. This type of engagement is not stealthy and will often involve your IT staff, who knows about the occurrence of the penetration test.

In short, a penetration test attempts to find as many vulnerabilities in your organization as possible while not worrying about being detected, while a red team assessment focuses on your incident detection and response capabilities.

What is a white-box vs. a black-box penetration test, and why would I pick one over the other?

A white-box penetration test equips the penetration tester with all the network or web application information. This information includes network diagrams, source code, security settings, security tools, IP address schema, etc.

A white-box approach gives the penetration tester a comprehensive list of systems to review while not overlooking any areas due to a lack of information. For example, a pentester might not know to assess a particular subnet as a single jump-box can only access it. If the organization did not give the information to the pentester, the pentester might not test the entire subnet.

This additional information helps speed up the enumeration phase of the penetration test as it takes less time to find all the systems in scope.

The most considerable difference between a white-box approach and a black-box approach is that a white-box approach typically doesn’t reflect real-world scenarios with how a malicious actor will view your network or web application.

The most common applications of white-box approaches are compliance testing, such as PCI and HIPAA, and customers who do not want the penetration tester to miss any areas of their network or application.

In a black-box penetration test, the penetration tester has no information provided to them. For this approach, the pentester has to find each system in the network or exploit the web application blindly as a real-world attacker sees it, making it more authentic. Without IP addresses, source code, and network diagrams, a penetration tester would need more time to explore and is more prone to overlook systems if the system is on a segmented network. The black-box approach is best when a red team assessment is unnecessary, but the organization wants basic checks against security defenses and personnel.

What is your penetration testing methodology?

Artifice Security uses several proven penetration testing methodologies such as the Open Source Security Testing Methodology Manual (OSSTMM), the Penetration Testing Execution Standard (PTES), and the Open Web Application Security Project (OWASP) for web applications and IoT.

How safe is a penetration test against your environment?

A penetration test involves exploiting systems and applications and making these systems perform in unintended ways; therefore, there is no such thing as a risk-free penetration test.

For example, if a system has a hardware issue or software bug already present, running something as simple as a port scan could knock it over.

The expert security consultants at Artifice Security all come from backgrounds in system administration, network engineering, and web development. With profound experience and understanding of enterprise networks on top of professional certifications, they understand the systems and networks deeper than most. Our team acts methodically and with extreme care during each engagement as if the systems they were testing were ours.

Artifice Security will not use Denial-of-Service tools or create traffic that would impede your regular business traffic.

What are the certifications held by your company?

An IT certification is a recognized benchmark based on standardized testing translated to a specific skill set.

At Artifice Security, our consultants have a vast array of certifications that make them well-rounded. Below are the collective certifications held by team members at Artifice Security:

  • CompTIA A+
  • CompTIA Network+
  • CompTIA Security+
  • Microsoft Certified Systems Administrator (MCSA)
  • Microsoft Certified Systems Engineer with Specialization in Security (MCSE+S)
  • Microsoft Certified IT Professional (MCITP)
  • Microsoft Certified: Azure Solutions Architect Expert
  • Cisco Certified Network Professional (CCNP)
  • Red Hat Certified Engineer (RHCE)
  • EC-Council Certified Ethical Hacker (CEH)
  • EC-Council Certified Security Analyst (ECSA)
  • Offensive Security Certified Professional (OSCP)
  • Offensive Security Certified Expert (OSCE)
  • Offensive Security Web Expert (OSWE)
  • Certified Information Systems Security Professional (CISSP)
  • AWS Certified Solutions Architect
  • AWS Certified Security
  • National Security Agency INFOSEC Assessment Methodology (NSA IAM)
  • National Security Agency INFOSEC Evaluation Methodology (NSA IEM)

What do you cover in your penetration testing report?

Our report starts with an executive summary that gives a concise overview of the penetration test results. The executive summary offers actionable takeaways without going through the entire report and summarizes where the penetration testers bypassed security controls. This section explains the overall risk to the organization while written in layman’s terms for any reader.

The executive summary will also include an overview of the penetration tester’s positive findingsduring testing.

Next, the report will give a storyboard that shows the penetration tester exploiting vulnerabilities and chaining together attacks to reach your critical assets.

Afterward, the report will explain the Threat Ranking Methodology and how we rate vulnerabilities based on the likelihood a malicious actor can initiate the threat and its impact on your organization. Artifice Security uses NIST 800-30 for the threat-ranking methodology to
adhere to an industry-proven methodology.

Each vulnerability will be listed in the report, starting with the most critical. The report explains each vulnerability in detail with repeatable proof-of-concept examples given and will also show the location of the vulnerability with detailed remediation steps for your team.

Artifice Security has a team of engineers with past work experience as systems administrators, network engineers, and web developers. Based on this experience, we can give you precise remediation steps that fit your exact environment.

Do you maintain internal security in your own company?

Artifice Security maintains an internal security policy for our company. This policy requires each member to use encryption on their devices, email, phones, and data transport. All of our systems have been internally tested and tested by third parties. We also use next-generation anti-virus on all our systems, with unique password phrases used on every device and application.

Artifice Security only holds customer data for 90 days in an encrypted cloud storage appliance, at which point we securely remove the data. This data is only kept for 90 days to refer to our clients’ reports or complete a retest.

Is your penetration testing service automated or manual?

Artifice Security uses a manual method approach to penetration testing. Each of our team members fully understands enterprise networks and applications with knowing how to manipulate these systems by hand. We use some automated tools such as port scanning tools (e.g., Nmap) and vulnerability scanning tools like Nessus. However, we use these tools at the beginning for enumeration, then use manual methods to complete the penetration test.

Automated tools cannot find apparent misconfigurations, such as open file shares with critical data inside or weak passwords used by employees. Also, automated tools cannot chain together attacks or exploit complex vulnerabilities.

When using manual penetration testing, the consultant manually reviews each system and exploits vulnerabilities based on their knowledge, experience, and conditions. This manual method yields more significant results, and you can guarantee no false positives as each exploitation will have a proof-of-concept to match it.

Do you perform screening and background checks for your team members?

Our employees undergo a criminal background check and a rigorous screening process to ensure only trusted members work with us. Many of our consultants and management team were former military and government agency employees who held top-secret clearances, with some still having clearances.

How much time is needed to conduct a penetration test?

Artifice Security determines the time needed for a penetration test by the number of internal or external systems or the size and complexity of the web application. For an internal penetration test, it is also essential to know if travel will be involved or can the testing be conducted remotely by giving the client a remote virtual machine (VM). We see engagements starting at one week, with most going multiple weeks or even months.

For any penetration test, we conduct a meeting with you and your team to discuss what you need for testing and determine the exact scope of the assessment.

Do I need to alert AWS, Google Cloud Platform, or Microsoft Azure to penetration testing?

Amazon Web Services (AWS)

Amazon does not require prior clearance of a pentest as of early 2019.

Google Cloud Platform (GCP)

For GCP pentesting, Google does not require any prior notification, but we must adhere to Google’s Acceptable Use Policy and cannot target resources that do not belong to you.

To avoid breaching Google’s Acceptable Use Policy and disrupting any of your activities during our pentest, we do not test for vulnerabilities for “denial-of-service.” Before any potentially disruptive action is carried out, clients are usually alerted.

Microsoft Azure

As of June 2017, conducting penetration testing on Azure services does not require prior authorization. Microsoft Azure does not allow DoS attacks on the server, scan out-of-scope services, or run automated scanners that generate excessive traffic.

These rules of engagement exist to prevent other Azure clients from being impacted by a previously scheduled security test.

Leading-Edge Cybersecurity