Types of Penetration Testing

What Are the Types of Penetration Testing for the Healthcare Industry?

Healthcare penetration testing is crucial because the value of the data makes it a primary target for hackers. The typical types of penetration testing for a healthcare organization include the following:

Network Penetration Testing and Security Device Audit

This penetration test of the network emulates an insider (bad actor) or a hacker who may have already penetrated the security infrastructure. Internal scanning determines which devices and vulnerabilities would be available for a hacker or malware to exploit within the network infrastructure. You cannot protect what you do not know you have. If the infrastructure was compromised, you must discover all inventory for any possible targeted devices or software. In addition, network penetration testing checks security logs for failed logins, inactive user accounts, and Active Directory (or local) policies that do not comply with HIPAA requirements. Also evaluated are weak passwords, improper workstation security, malware, operating system updates and patching, and other network security vulnerabilities that are prone to cyber attacks.
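The log and account checks described above can be sketched as follows. This is an added example, not part of the original article or any vendor's tooling; the data is constructed, and the 90-day inactivity window and the five-failures-in-ten-minutes threshold are assumptions, not values taken from HIPAA or from this page.

```python
from datetime import datetime, timedelta

# Constructed account export: (username, enabled, last logon ISO 8601; "" = never).
ACCOUNTS = [
    ("jsmith", True, "2024-05-28T08:14:00"),
    ("svc_backup", True, "2023-11-02T01:00:00"),
    ("mlopez", True, ""),
    ("tnguyen", False, "2022-01-15T09:30:00"),
]
# Constructed security log extract: (timestamp, Windows event ID, account). 4625 = failed logon.
EVENTS = [
    ("2024-06-01T02:10:01", 4625, "jsmith"), ("2024-06-01T02:10:20", 4625, "jsmith"),
    ("2024-06-01T02:10:45", 4625, "jsmith"), ("2024-06-01T02:11:30", 4625, "jsmith"),
    ("2024-06-01T02:12:05", 4625, "jsmith"), ("2024-06-01T02:13:10", 4625, "jsmith"),
    ("2024-06-01T02:14:00", 4624, "jsmith"),
    ("2024-06-01T01:00:00", 4625, "svc_backup"), ("2024-06-01T03:00:00", 4625, "svc_backup"),
    ("2024-06-01T05:00:00", 4625, "svc_backup"), ("2024-06-01T07:00:00", 4625, "svc_backup"),
]
INACTIVE_AFTER = timedelta(days=90)   # assumed policy window
FAILED_THRESHOLD = 5                  # assumed failures per account ...
WINDOW = timedelta(minutes=10)        # ... within this sliding window


def inactive_accounts(accounts, now):
    """Enabled accounts that never logged on or last did so before the cutoff."""
    stale = []
    for name, enabled, last in accounts:
        if enabled and (not last or now - datetime.fromisoformat(last) > INACTIVE_AFTER):
            stale.append(name)
    return stale


def failed_login_bursts(events):
    """Accounts with >= FAILED_THRESHOLD failed logons (4625) inside any WINDOW."""
    by_user = {}
    for ts, event_id, user in events:
        if event_id == 4625:
            by_user.setdefault(user, []).append(datetime.fromisoformat(ts))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:
                start += 1  # slide the window start forward until it fits
            best = max(best, end - start + 1)
        if best >= FAILED_THRESHOLD:
            flagged[user] = best
    return flagged
```

Failures spread over hours (the `svc_backup` rows) stay below the threshold, while a tight cluster on one account is reported with its count.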

External Remote Penetration Test

An external penetration test attempts to access the target vector through publicly exposed firewalls, all external assets, web domains, and public IP addresses. The penetration testing report will indicate vulnerabilities to the network and compliance regulations as well as security threats.

Cloud Penetration Testing

Cloud penetration testing will include vulnerability scanning, where possible. A security concern is that hackers might have captured keystrokes through keyloggers, thereby obtaining logins and passwords to the cloud-based EMR as well as all cloud providers and services. The pentest will also test browsers to determine whether logins and passwords that were improperly saved can be compromised.

Social Engineering Penetration Tests

These penetration tests focus on user awareness testing by sending fake spear-phishing emails to employees. This testing identifies users who are unaware or lack cybersecurity skills and thus present vulnerabilities to attacks.

Wi-Fi

The wireless access points and infrastructure are tested for weaknesses in the same manner as an attacker would attempt to breach your systems.

Why is Pen Testing Important?

Penetration testing provides information to keep hackers out by identifying where you are exposed to security vulnerabilities.
Penetration testing determines your financial risk to security threats and vulnerabilities.
Penetration testing prevents computer breaches, network penetration and information breaches, which impact the bottom line and organization survival.
Penetration testing increases customer confidence that you are securing their identities from cyber security attacks.
Penetration testing protects your cybersecurity reputation.
Penetration testing aligns with security best practices.
Penetration testing meets compliance obligations.

What are the stages of pen testing?

The stages of pen testing can vary depending on the requirements of the engagement. The concept is that each stage is completed with a specific, orderly purpose and each step is repeatable and documented. Ethical hackers follow a professional process, as do some hackers.

The 5 stages are:

  1. Planning and Reconnaissance (often separated stages).
  2. Scanning (for an internal scan, this should include inventory and vulnerability scanning).
  3. Gaining access (or proof of ability to access).
  4. Persistent Access.
  5. Analysis and Reporting (usually separated stages).

What are the three types of pen tests?

The three types of pen tests are as follows:

Black Box Penetration Testing

In the black box type of penetration testing, the penetration tester's assignment is to gain access to, control, or exfiltrate an asset in order to determine the real-world likelihood that the targets are secure against a hacker or bad actor. Specifically, in a black box penetration test, often called blind testing, the pen tester is not allowed to have passwords or target vector IP addresses. Black box penetration testing means the tester is given no internal information or clues about where or how to begin research or enumeration of the company's assets. The details for this type of pen testing can vary according to the client's needs, security and compliance regulations, and suspected network vulnerabilities.

In general, this is the hardest way to test vulnerabilities and it depends on the “specific” skills of the tester more than other penetration testing methods. This method is the most accurate hacker emulation but could miss other important security vulnerabilities. The assumption here is that the pen tester can gain access to the network. If access is unsuccessful, then the test will be unable to show internal data and security vulnerabilities.

The advantage of this type of test is that the tester only requires the skills specific to the task in order to be successful. The disadvantage is that it might take more time and money than other tests, or might cover ground already covered in previous pen tests, so it might not be worth it.

Grey Box Penetration Testing

In grey box penetration testing, the tester is typically given only a few details regarding the inner workings of the system's program. An example of this would be testing for possible exploitation before an application is released or installed on the network. In this case, the professional tester would be given access to the application and perhaps a set of security criteria to test, but little else. The tester would likely need to determine whether the application is secure to deploy and use.

This process emulates an attack by an outside hacker or web site user who can get unauthorized access to the network infrastructure records of a company. It might just be an internal application that presents a security risk.

This type of test is typically focused on a narrowly targeted assignment, and the test results are not likely to provide a full infrastructure assessment. On the positive side, depending on how the test parameters assess vulnerabilities, this testing might incorporate some aspects of black box and white box findings.

White Box Penetration Testing

White box testing is a technique used in penetration testing in which a white hat hacker has complete knowledge of the network or system being attacked. A white box penetration test's objective is to mimic the actions of a malevolent insider who knows security information and maybe has access to the target system.

This pen test process will yield the most information about the network infrastructure, users, devices, servers, software vulnerabilities, email vulnerability, web site security, endpoints, firewalls, security products, networking, inventory, policies and procedures, management effectiveness and cybersecurity awareness of the organization.

The best vulnerability testing processes will include all three types of penetration tests, which is what we do at SecureVitality.

Frequently Asked Questions

Industry standards for penetration tests are between $4k and $50k depending on organization size, compliance, requirements, locations, type of penetration test and other penetration testing parameters. In some instances, such as a small business, it might be less costly assuming fewer penetration testing requirements. In other cases, multiple locations and a larger number of devices and target vectors could double the penetration testing cost. There is a minimum amount of time needed to perform a professional security audit, data inventory, network discovery, vulnerability scanning and penetration testing, and certain of these activities carry fixed costs regardless of the number of devices.

Some MSPs are offering free security audits. This is usually with a hidden idea of taking your business from another MSP. In this case the tools used provide basic security reporting at best and could possibly provide you with a false sense of security.

Hacking a cell phone is accomplished by installing software or an application intended to monitor cell phones for parents and organizations that have the legal right to monitor these devices. Hackers use this software to access cell phones. Mobile penetration testing could also utilize this software, since there is the requirement to eliminate administrator access to the iPhone or Android. Therefore, the human engineering aspect would prove the owner of the phone is vulnerable to mobile hacking. In another instance, there is the option to send a code to a cell phone, which could also control the phone.

Typically, cell phones access the internet through Wi-Fi. In this case, using a Wi-Fi device that acts as a wireless access point or a cell tower can place the hacker (or in this case, the penetration tester) between the phone and the tower or Wi-Fi access point, thus controlling or monitoring the cell phone activity. This proof of concept would be one of the tools for a typical mobile phone pen test.
