6 Important Questions in Pentesting

Penetration tests and code reviews are necessary to demonstrate that security measures are resilient and actually work as intended.

Types of Pen Testing

Penetration tests can be carried out under three different attack scenarios: Black Box, Grey Box and White Box. They are used to uncover vulnerabilities in your (web) application, website, IT infrastructure, API links and mobile apps, and are briefly explained below. In all cases the pentests are carried out according to international standards.

  • Black Box pentest. A Black Box audit is comparable to a real attack as a malicious hacker would perform it: the client provides no information in advance. Our ethical hackers first use open source intelligence (OSINT) to map out your environment and then look for vulnerabilities in it.
  • Grey Box pentest. In this pentest, ethical hackers identify vulnerabilities in your (web) application, website, IT infrastructure, API links and mobile apps, first without and then with information supplied by the client (such as a user account).
  • White Box pentest (also called Crystal Box). During a White Box audit, all information is provided in advance so that the testers can search for vulnerabilities in a targeted way. Think of source code, a defined scope, a roles/rights matrix and a list of functionalities.

What is the difference between a pentest and a vulnerability scan

The biggest difference between a pentest and a vulnerability scan is depth. A vulnerability scan provides a general picture of how IT security is organised: it finds commonly known vulnerabilities, identifies common configuration errors and provides a technical risk assessment for each finding. A pentest does the same and much more. It gives a more detailed picture of the current state of IT security and focuses on all potential weaknesses, including those a scanner cannot recognise. In a pentest the ethical hacker also actively seeks out vulnerabilities with a dose of creativity, chaining and exploiting weaknesses where possible. A pentest therefore gives a more complete picture, because a real attacker works the same way.

Why are certified experts needed for a penetration test?

The NFIR pentesters have completed relevant training courses and obtained certifications such as OSCP. In addition, they have all been screened and approved by the Chief of Police and have signed confidentiality agreements. Furthermore, our pentesters have extensive experience, plenty of creativity and up-to-date professional knowledge.

How long does a pentest take?

How long a pentest takes depends strongly on the environment to be tested and on the agreements made with the client about the attack scenarios to be used. To carry out a pentest properly, NFIR advises allowing at least 40 hours; that time covers both the testing of the environment and the writing of the report. Would you like advice tailored to your environment or (web) application? Please contact us for an introductory and intake interview.

Black box or white box scenario?

In a pentest based on the White Box principle, all information about the environment is shared beforehand. Because the pentesters know in advance what they are dealing with, they can test the environment very specifically, which leads to a thorough pentest of the client's environment. In a Black Box pentest, no information about the environment is shared with the pentesters beforehand. An area of investigation (scope) is always agreed, however, so the pentest remains bounded. In this variant the pentesters work like real attackers. If you are having a pentest performed for the first time and want an overall picture of your security, a Black Box pentest is a useful starting point.

What more does a grey-box pentest offer than a black-box?

A Grey Box penetration test is an intermediate form between the Black Box and White Box penetration test, in which the researchers have limited login details and information at their disposal. Because the pentesters receive limited information from the organisation, they are by definition better informed than a malicious hacker would be. The Grey Box pentest is generally used to see how secure an environment is from the perspective of an employee or customer who already has an account.

Make good arrangements about the pentest

Good agreements ensure that a pentest can run smoothly. It is important that it is clear beforehand what is expected from both parties. The most important point is clarity about the scope of the assignment, so that it is clear what is being tested, within which agreed time, and at what cost. The assignment must be clear and the information required in advance must be provided on time, otherwise the pentest cannot start. Agree with each other when the information is to be delivered, when the pentest will take place, what the pentest means for daily operations within your company (for example which systems may be tested and during which hours) and when the report will be delivered.

What pentest methodology and standards to use?

In order to carry out a successful pentest, NFIR uses various methods for testing information security. The three most important standards (depending on the environment being tested) are the Penetration Testing Execution Standard (PTES) and two standards from the Open Web Application Security Project (OWASP): the Web Security Testing Guide (WSTG) and the Mobile Application Security Testing Guide (MASTG). The Common Vulnerability Scoring System version 3.1 (CVSS) is used to determine the severity of a vulnerability. NFIR uses this international model to classify security findings.

Pentest

NFIR is a specialist in the field of cyber security. We help organisations limit the consequential damage of a cyber incident and secure digital forensic evidence to identify the cause of the damage. In addition, our services can help you increase your resilience against cyber incidents and support you in improving the security of your vital digital infrastructure. Our experienced staff, all of whom have been screened and approved by the Chief of Police, support and advise you in a no-nonsense manner with our preventive and reactive services.

You may have many questions about pentesting. We offer a free 15 minute consultation to answer your questions.
Ask your questions about a vulnerability scan or a pen test during a free consultation.

  • What do you choose, a vulnerability scan or a pentest?
  • How many hackers try to break into my server each day?
  • Would you like to have advice, a pentest, an investigation or an audit carried out?
  • What exactly is a pentest, what variants are there, what is involved and what is the use of a pentest?
  • Is a pentest sufficient for good security?
  • How can a firewall look into encrypted packets?
  • What do I do to help the organisation prepare for a pentest?
  • Why hire NFIR's ethical hackers for pentests?

Do you need more information about the possibilities of penetration testing within your organization?

Download our free whitepaper: Pentesting and vulnerability scans: the differences