Cybersecurity is in a state of constant flux. Each week brings headlines about a new strain of ransomware infecting companies across the globe or a new zero-day exploit that Microsoft or Apple has just disclosed. With this ever-shifting threat landscape, it is both more difficult and more important for companies to keep their network infrastructure secure. One of the tried-and-true methods companies use to double-check their defenses is hiring third-party penetration testers.
Penetration testing involves simulating cyberattacks to find and expose vulnerabilities. A pen test can involve attempting to breach any kind of entry point into a network: APIs, front-end or back-end servers, and internet-facing routers would all be in scope. The insights gained are used to update security controls and patch vulnerabilities. The professionals who carry out these tests act as though they had nefarious goals, in order to realistically simulate how a true cyberattack would unfold. The simulation is even more realistic if a company decides to keep its employees in the dark about the test taking place.
While most pen testing focuses on digital vulnerabilities, physical vulnerabilities can be tested too. Tactics like in-person social engineering can allow a bad actor (or a pen tester) to reach a device, plug in a flash drive loaded with malware and walk away unnoticed. A full-scope pen test could involve:
- Pretending to be an IT admin and asking for access to employee laptops or local servers
- Asking employees to let them through a locked door without a key fob
- Sending phishing emails to employees to acquire high-level admin rights or to create a foothold for malware
- Brute-forcing network passwords
- Intercepting web traffic
All of these attempts at gaining network access would be outlined in the initial scope of the testing a pen tester is hired to carry out; anything not listed in that scope is off limits to the tester. So what are the most common types of pen test?
Here are a few:
Black Box
- The pen tester has no internal knowledge of the target system, just like an outside attacker
- Testers start from external reconnaissance and automated scanning, then probe by hand, to find the vulnerabilities and loopholes of the system
- Determines which vulnerabilities in a system are exploitable from outside the network
Grey Box
- Grey-box testers have the access and knowledge level of a low- to mid-level user
- Testers have some knowledge of the network's internal setup, potentially including design and architecture documentation
- The purpose of grey-box testing is to provide a focused and accurate assessment of a network’s security
- Simulates an attacker with longer-term access to the network
White Box
- When the pen tester has complete knowledge about the target
- This includes full access to source code and architecture documentation
- The main purpose here is combing through the massive quantity of data available to identify potential points of weakness
- The most time-consuming type of pen testing
Each of these tests has its own trade-offs and advantages. Black Box pen testing, for example, is the closest to an external attacker trying to gain access to a system. However, because the testers start from nothing, reaching meaningful coverage takes the most tester time, which makes it the most expensive option for what it finds. On the other extreme, White Box testing makes the most efficient use of the information available but, because the testers are handed so much, it least resembles real-world conditions and can miss the paths an outsider would actually take. Grey Box testing splits the difference by providing pen testers with limited information, creating a scenario similar to a hacker who has had long-term access.
These categories give a good high-level overview of pen testing, but what are the specific steps in the process? Most professionals break penetration testing into five stages:
- Planning and reconnaissance
- Defining the scope and goals of a test, including the systems to be targeted and the testing methods to be used
- Gathering intelligence to understand the network layout (domain names, mail server, etc.) to understand its potential vulnerabilities
- Scanning
- Static Analysis – Inspecting an application's code without running it, to predict how it will behave.
- Dynamic Analysis – Inspecting an application while it is running. This is the more practical of the two, since it gives a real-time view of how the application actually behaves.
- Gaining Access
- Using attack methods such as cross-site scripting, SQL injection and backdoors, testers begin to uncover the target's weak points. They then try to exploit these vulnerabilities by escalating their privileges, stealing data and intercepting web traffic. The success or failure of these attacks begins to paint a picture of how much damage could be done in a real-world scenario.
- Maintain Access
- The goal here is to see whether the exploit can provide persistent access to the network being tested. This imitates advanced persistent threats, which silently remain in a system for a length of time to steal sensitive data.
- Analysis
- Results of the penetration test are compiled into a report detailing:
- Specific exploits uncovered
- Sensitive data accessed
- The amount of time the pen tester was able to remain undetected in the system
- Suggestions for patching the exploits
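To make the "Gaining Access" stage concrete, here is an added example (not code from the original post or from any vendor mentioned in it) of the SQL injection it names. It builds a throwaway in-memory SQLite table with one constructed user, writes the same login check two ways, and runs classic injection payloads against both. The table layout, user name and password are assumptions for the demo.

```python
"""Added example: SQL injection in a login check, vulnerable vs. parameterized.

Not code from the original post. Uses an in-memory SQLite database with a
single constructed user row so it runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with one constructed user (an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Constructed sample row; a real application would store a password hash,
    # never the plaintext, but that is beside the point of the injection.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Login check built by string concatenation: user input becomes SQL syntax."""
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: input is always data, never SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo() -> dict:
    """Run both login checks against honest and injected input; return the rows found."""
    conn = make_db()
    # Tautology payload: makes the WHERE clause true for every row, since AND
    # binds tighter than OR:  (username='alice' AND password='') OR '1'='1'
    tautology = "' OR '1'='1"
    # Comment payload: '--' turns the rest of the statement into a comment, so
    # the password comparison is never executed at all.
    comment = "alice' --"
    return {
        "vulnerable_bad_creds": login_vulnerable(conn, "alice", "wrong"),
        "vulnerable_tautology": login_vulnerable(conn, "alice", tautology),
        "vulnerable_comment": login_vulnerable(conn, comment, "anything"),
        "safe_tautology": login_safe(conn, "alice", tautology),
        "safe_comment": login_safe(conn, comment, "anything"),
        "safe_good_creds": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case:22s} -> {row}")
```

Run directly, the vulnerable version logs in as the admin user with a bogus password for both payloads, while the parameterized version refuses the same input and only succeeds with the real credentials. The comment payload is the reason "just filter the quotes" is a poor fix: the defense that holds is keeping user input out of the statement text entirely.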
Findings from pen tests can be invaluable. In the current threat landscape, the ability to efficiently find and patch business vulnerabilities is practically mandatory for keeping your data (and your customers’ data) safe.
Making a pen test happen
So, what does it look like to hire and plan a test with a third-party service? I spoke with a Webroot Luminary about what it was like to go through this process on the hiring end of things. Jimmy Tassin used to work for a bank that was required by regulations to be pen tested every 18 months. Between pen tests, Tassin ran audits on their network to continually patch and improve their security. He was also vital to the planning stages of each pen test. Each pen test fell under the White Box category, meaning the testers were given quite a lot of information to work with, such as:
- Open ports
- Network layout
- Assigned accounts
- How management reviews changes
With this information they were able to efficiently analyze the bank's systems for any known security flaws. They could act as high-level employees within the network, simulating a hacker who has had access to the system for a long period of time. Activities that the testers planned with the bank included:
- Initial, week-long audit inside the building
- Vulnerability assessments
- Finding outdated security patches
- Locating insecure settings
- Discovering open ports that aren’t being used
- Performing password cracking/brute-force testing
- Reviewing security tools/security settings
- Reviewing password policies
- Remote phishing attempts on employees
- Asking employees for sensitive documents
- Investigating local computer equipment
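Here is an added example of the kind of check behind "discovering open ports that aren't being used": a minimal TCP connect scanner. It is not code from the original post or from the bank's testers. To run offline it starts a throwaway listener on the loopback address, reserves a second port that it knows is closed, and scans both; in a real assessment you would point scan_ports at the hosts in scope and compare the result against the list of services that are supposed to be there. The host, port selection and timeout are assumptions for the demo.

```python
"""Added example: a minimal TCP connect scan against a loopback listener.

Not code from the original post. Starts its own listener so it runs offline;
host, ports and timeout are assumptions for the demo.
"""
import socket
import threading
from contextlib import closing


def scan_ports(host: str, ports, timeout: float = 0.5) -> list:
    """Return the ports in `ports` that accept a TCP connection on `host`."""
    open_ports = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
            sock.settimeout(timeout)
            # connect_ex() returns 0 on success and an errno otherwise, so a
            # refused or filtered port shows up as a non-zero code, not an exception.
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def start_listener(host: str = "127.0.0.1"):
    """Bind to an OS-chosen port and accept connections in a background thread.

    Stands in for a forgotten service on the network being assessed.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((host, 0))
    server.listen(5)
    port = server.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = server.accept()
                conn.close()
            except OSError:
                break  # server socket closed; stop accepting

    threading.Thread(target=accept_loop, daemon=True).start()
    return server, port


def reserve_closed_port(host: str = "127.0.0.1") -> int:
    """Ask the OS for a free port, then release it, so we know it is closed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


def demo(host: str = "127.0.0.1"):
    """Scan one open and one known-closed loopback port.

    Returns (open_port, closed_port, ports_found_open).
    """
    server, open_port = start_listener(host)
    closed_port = reserve_closed_port(host)
    try:
        found = scan_ports(host, [closed_port, open_port])
    finally:
        server.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    open_port, closed_port, found = demo()
    print(f"listener on {open_port}, known-closed {closed_port}, scan found {found}")
```

A connect scan completes the TCP handshake, so it is noisy and shows up in the target's logs; that is exactly the point when the tester also wants to learn how long they can operate before the bank notices. The findings only become a vulnerability once you compare what answered against what is documented as running, which is why the bank's list pairs this check with reviewing settings and patch levels.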
Tassin tells me that this process usually took 2-4 weeks from start to finish. The third-party testers didn’t stop at telling the bank what was wrong, however. At the end of each testing period, they provided the bank with a comprehensive analysis of their results that included suggested fixes for any vulnerabilities.
With findings like these on the table, our recommendation to companies around the world is clear: hire a third-party pen tester. Before you go out and hire one, there are a few things your business should consider:
- What is the budget?
- Keep in mind that a successful pen test could save thousands by surfacing a weakness before an attacker finds it
- Get a reference from a business partner
- There are a lot of third-party pen testers out there
- See if you can get a reference from a trusted source
- What should the scope of the test include?
- A reliable testing organization will help you determine which systems should be in scope and which vulnerabilities matter most for your business
We want to hear about your experience with pen tests. Has your business ever hired a pen tester? Any relevant stories you’d like to share? Are you going to run to your employer right now and explain why they should look into this? Send it down in the comments so we can discuss!