Penetration tests and code reviews are necessary to demonstrate the resilience and effective operation of security measures.
Types of Pen Testing
Penetration tests can be performed in three different ways to reveal vulnerabilities in your (web) application, website, IT infrastructure, API links and mobile apps. These ways are a Black Box, a Grey Box and a White Box pen test. They are briefly explained below. In all cases, the pen tests are carried out according to international standards.
- Black Box pentest. A Black Box audit can be compared to a real attack as hackers would perform it. No information has been provided by the client in advance. Our ethical hackers will use open source research (OSINT) to map out your environment so they can look for vulnerabilities.
- Grey Box pen test. In this pen test, ethical hackers identify vulnerabilities in your (web) application, website, IT infrastructure, API links and mobile apps, both without and with information. The combination of both attack scenarios provides the most complete picture possible of the technical resilience of your digital environment.
- White Box pentest (also called Crystal box). During a White Box audit, all information is provided in advance in order to specifically search for vulnerabilities. Think of source code, defined scope, roles/rights matrix and functionalities list.
What is the difference between a pen test and a vulnerability scan
A vulnerability scan provides a general picture of how IT security is organised. A vulnerability scan is used to find commonly known vulnerabilities, detect common configuration errors and make technical risk estimates for each vulnerability. A pen test does the same and much more. A pen test provides a more detailed picture of current IT security, focusing on all potential weaknesses. In a pen test, the ethical hacker also actively seeks out vulnerabilities with a dose of creativity. A pen test therefore gives a more complete picture, because a hacker does the same during an attack.
Why are certified experts needed for a penetration test?
The pentesters of NFIR have followed relevant training courses and obtained certifications such as OSCP. In addition, they have all received chief of police approval and signed confidentiality agreements. Furthermore, our pentesters have a large amount of experience, a lot of creativity and up-to-date expertise. The most important characteristic of certified experts is to guarantee the safety of your infrastructure.
How long does a pen test take?
How long a pentest takes strongly depends on the environment that needs to be tested and the agreements made with the client about the attack scenarios to be used. In order to carry out a pen test properly, NFIR advises allowing a minimum of 40 hours. In those 40 hours the environment is tested and the report is written. Would you like appropriate advice for your environment or (web) application? Please contact us for an introductory and intake interview!
Black box or white box scenario?
With a pentest based on the White Box principle, all information about the environment is shared beforehand. The pen testers can test the environment very specifically, because they know in advance what they are dealing with. This variant leads to a thorough pen test of the client’s environment. A Black Box pen test means that no information about the environment is shared with the pen testers beforehand. Usually a research area (scope) is determined, so that the pen test is limited. The pen testers work like real hackers in this variant. If you are having a pen test performed for the first time and want to get an overall picture of your security, it is useful to have a Black Box pen test performed.
Black Box pen test
A Black Box audit can be compared to a real attack, like hackers would do. No information has been provided by the client in advance. Our ethical hackers will use open source research (OSINT) to map out your environment so they can look for vulnerabilities.
Grey Box Pen Test
In this pen test, ethical hackers identify vulnerabilities in your (web) application, website, IT infrastructure, API links and mobile apps, both with and without information. The combination of both attack scenarios provides the most complete picture possible of the technical resilience of your digital environment.
White Box Pen Test
(a.k.a. Crystal box). During a White Box audit, all information is provided in advance in order to specifically search for vulnerabilities. Think of source code, defined scope, roles/rights matrix and functionalities list.
What more does a grey-box pen test offer than a black-box?
A Grey Box Penetration Test is an intermediate form of the Black Box and White Box Penetration Test, in which the researchers have limited login details and information at their disposal. Due to the limited information the pentesters receive, they are better informed than a hacker. A Black Box pen test is especially suitable when an environment is being pen tested for the first time and you want to get an overall picture of the security. The Grey Box pen test is generally used to see how safe an environment is from the perspective of an employee or customer.
Make good arrangements about the pen test
Good arrangements ensure that a pen test can run smoothly. It is important that it is clear beforehand what is expected from both parties. The most important thing is clarity about the scope of the assignment, so that it is clear what is being tested and within which agreed time (and what the costs are). The assignment must be clear and the information required in advance must be provided on time, otherwise a pen test cannot start. Make arrangements with each other about when the information should be delivered, when the pen test will take place, what the pen test means for the daily operations within your company and when the report will be delivered.
Which pen testing method to use?
In order to carry out a successful pen test, NFIR uses various methods for testing information security. The three most important standards (depending on the environment to be tested) are the Penetration Testing Execution Standard (PTES), Open Source Security Testing Methodology Manual (OSSTMM), and the Open Web Application Security Project (OWASP). The Common Vulnerability Scoring System version 3.1, abbreviated to the CVSS risk model, is used to determine the severity of a vulnerability. This international model is used by NFIR to classify security breaches.
NFIR classifies pen testing vulnerabilities using the Common Vulnerability Scoring System (CVSS 3.1).
NFIR is a specialist in the field of cyber security. We help organizations limit the consequential damage of a cyber incident and secure digital forensic evidence to identify the cause of the damage. In addition, our services can help you increase your resilience against cyber incidents and support you in improving your digital vital infrastructure. Our experienced staff, all of whom have received approval from the Chief of Police, are able to support and advise you in a no-nonsense manner with our preventive services and reactive services.