As you can tell, there is a world of difference between types of test, types of systems, size of organisation and also the type of penetration test:
The pentester knows very little
In these tests the pentester is usually given information that is definitely discoverable, but that may take a long time to get. This is because the tools that are used will often alert protection systems to their presence if used at full speed, so to gather information they have to be slowed right down to avoid detection. This is as close to a real-world hacker as you can get, but the problem is that if they can’t find any weaknesses that allow them entry, there may be a whole host of undiscovered weaknesses inside.
The pentester has some information
Grey box testing involves the pentester being given more information, usually similar to that of a general user within the organisation. This is a good way to test both inside and outside of the organisation without wasting too much time in the discovery phase. But even with this method it is possible that vulnerabilities in entire systems could be missed.
The pentester has all the information they need
With a white box test the pentester will be given all the information about servers, systems, software etc. They will usually have access to source code, network diagrams, IP subnets and the like, and often work more closely with developers and IT support. A white box test is the best way of discovering the most vulnerabilities. The flip-side is that the pentester may sometimes be working differently, with information that would not be available to an outsider, and therefore discovering vulnerabilities that are of little consequence.
There are also different types of test that can be undertaken depending on the client’s needs:
- Web Application Testing – Targeted very much towards website code, plug-ins, APIs and the like.
- WiFi Testing – The pentester specifically targets wireless devices and networks.
- Social Engineering – The pentester attempts to ‘trick’ people into doing something or releasing information.
- Client-side testing – Where attempts are made to gain access through client software, usually browsers and mail clients.
So how much does a penetration test cost? Between £300 and £300,000, depending on your needs, BUT, in almost all circumstances the price of the test is a fraction of the cost of a hacker finding the vulnerabilities before you do.