If your organization is serious about cybersecurity, you may already have your security program tested, or be looking to.
It’s one of the best ways to make sure that your defenses actually work the way they are intended to.
So, in today’s article, we’re going to answer the question: what is penetration testing?
We’ll talk about why it’s beneficial, the various types of testing, the methodologies your testers should be following, and some other tips to help you get the most value from a testing engagement.
What is penetration testing?
There’s no doubt:
Penetration testing is much more common today than it has been.
But before we get too deep into the topic, I want to briefly explain:
What is penetration testing?
Penetration testing is a type of security assessment in which a professional (or a team of professionals), with the organization’s explicit permission, attempts to attack a computer, network, or application the way a real attacker would. That way, the organization being tested can identify vulnerabilities and fix them before criminal hackers find them.
Here’s what we’ll cover:
Benefits of Penetration Testing
Types of Penetration Tests
Penetration Testing Methodology
Considerations & Tips
Benefits of Penetration Testing
Find unknown vulnerabilities & security holes
I think that every organization has holes in their cybersecurity programs that they have no idea exist.
Having penetration tests done uncovers these holes and allows organizations to resolve them before the bad guys exploit them.
Here’s an example:
On a recent pen test that we conducted, we kept finding these Creston devices on a certain subnet.
So, I did a little research and figured out what they were:
They are part of a room scheduling system for conference rooms.
I decided to enumerate the devices and what did I find?
Their operating system is Windows-based, they allow anonymous FTP, and the FTP access has full access to the root directory!
Are you following?
I could have tampered with the OS of the displays.
But I wanted to use them for something different.
USB access was restricted at the organization, so I couldn’t drop off the malware payloads that I wanted to.
Easy to get around.
I just dropped it off on the Creston devices and connected to that from the device I wanted to put the malware on.
My point in the story is this:
Your organization probably has lots of security holes like this one.
Having a pen test done can help you find these kinds of holes.
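The device finding in the story above, turned into a repeatable check you can run against your own hosts. This is an added example written for this article, not the author’s tooling: it uses Python’s standard ftplib, assumes you hold written authorization for the target host, and ships with a constructed FakeFtp stand-in so the logic can be exercised offline. The marker file name is hypothetical, and the file is deleted again after the write test.

```python
import io
from ftplib import FTP, error_perm

# Hypothetical marker file used for the write test; it is removed afterwards.
MARKER = "pentest_write_check.txt"


def assess_anonymous_ftp(ftp):
    """Probe what an anonymous FTP login allows and return a findings dict.

    ``ftp`` needs ftplib-style login(), cwd(), nlst(), storbinary() and delete()
    methods that raise ftplib.error_perm when the server refuses a command.
    """
    findings = {"anonymous_login": False, "root_listable": False,
                "root_writable": False, "root_entries": []}
    try:
        # Anonymous FTP convention: user "anonymous", an e-mail address as password.
        ftp.login("anonymous", "pentest@example.invalid")
    except error_perm:
        return findings  # anonymous access refused: nothing more to check
    findings["anonymous_login"] = True

    try:
        ftp.cwd("/")
        findings["root_entries"] = list(ftp.nlst())
        findings["root_listable"] = True
    except error_perm:
        return findings

    try:
        # Drop a small file in the root and remove it again. Success here is exactly
        # the condition that let the tester stage a payload on the device.
        ftp.storbinary("STOR " + MARKER, io.BytesIO(b"authorized pentest write check\n"))
        findings["root_writable"] = True
        ftp.delete(MARKER)
    except error_perm:
        pass
    return findings


def check_host(host, port=21, timeout=5):
    """Run the assessment against a live host you are authorized to test."""
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        return assess_anonymous_ftp(ftp)
    finally:
        ftp.close()


class FakeFtp:
    """Constructed offline stand-in that behaves like the misconfigured device."""

    def __init__(self, allow_anonymous=True, writable=True):
        self.allow_anonymous = allow_anonymous
        self.writable = writable
        self.tree = {"/": ["Windows", "Program Files", "config.xml"]}  # made-up listing
        self.cwd_path = None

    def login(self, user, passwd):
        if user == "anonymous" and self.allow_anonymous:
            return "230 Login successful."
        raise error_perm("530 Login incorrect.")

    def cwd(self, path):
        if path not in self.tree:
            raise error_perm("550 Failed to change directory.")
        self.cwd_path = path

    def nlst(self):
        return list(self.tree[self.cwd_path])

    def storbinary(self, cmd, fp):
        if not self.writable:
            raise error_perm("550 Permission denied.")
        self.tree[self.cwd_path].append(cmd.split(" ", 1)[1])

    def delete(self, name):
        self.tree[self.cwd_path].remove(name)


if __name__ == "__main__":
    print(assess_anonymous_ftp(FakeFtp()))
```

Run `check_host("10.0.0.5")` (an in-scope address of your own) to test a real device; the three booleans in the result separate "anonymous login works" from "the root is readable" from "the root is writable", which is the finding that matters.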
Using Penetration Testing to Plan Incident Response for Real Attacks
Pen tests can be a GREAT opportunity for your organization to test their incident response plans.
(Another answer to the question: What is penetration testing good for?)
Organizations that are serious about their cybersecurity know that EVERY organization has security incidents – no matter how good their security is.
Want to know the difference in organizations that fail and those that succeed at cybersecurity?
Those that succeed have robust incident response plans.
Here’s where penetration testing engagements can be super beneficial:
During penetration tests, your security team can practice walking through their incident response plans.
Don’t tell them that a penetration test is going to occur.
Have the testing begin and monitor how they respond to the incidents and alerts it generates.
Once they realize that a test is happening, go back through the steps the security team took and check whether they aligned with the incident response plan.
Do a post-mortem analysis: decide how the plan should change, identify the attacks it didn’t cover, and write procedures for them.
Organizations that we’ve worked with that do this drastically improve their security programs and are better prepared for real attacks.
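One concrete thing to check in that post-mortem is whether the tester’s reconnaissance ever produced an alert. Below is an added example of the kind of detection a security team can run over its own firewall logs; it is not code from the original article. The log format and the addresses are constructed for the example, and the thresholds (ten distinct ports within sixty seconds) are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log in a generic key=value format; not from any real product.
# 10.20.5.7 sweeps twelve ports on one host in five seconds (what a tester's scan
# looks like), 10.20.5.8 is ordinary HTTPS traffic, 10.20.5.9 touches three ports
# spread over four minutes.
SAMPLE_LOG = """\
2024-03-04T10:15:01 action=DENY src=10.20.5.7 dst=10.20.1.15 dport=21 proto=tcp
2024-03-04T10:15:01 action=DENY src=10.20.5.7 dst=10.20.1.15 dport=22 proto=tcp
2024-03-04T10:15:02 action=DENY src=10.20.5.7 dst=10.20.1.15 dport=23 proto=tcp
2024-03-04T10:15:02 action=ALLOW src=10.20.5.8 dst=10.20.1.15 dport=443 proto=tcp
2024-03-04T10:15:02 action=DENY src=10.20.5.7 dst=10.20.1.15 dport=25 proto=tcp
2024-03-04T10:15:03 action=DENY src=10.20.5.7 dst=10.20.1.15 dport=80 proto=tcp
2024-03-04T10:15:03 action=ALLOW src=10.20.5.8 dst=10.20.1.15 dport=443 proto=tcp
2024-03-04T10:15:03 action=DENY src=10.20.5.7 dst=10.20.1.15 dport=110 proto=tcp
2024-03-04T10:15:04 action=DENY src=10.20.5.7 dst=10.20.1.15 dport=135 proto=tcp
2024-03-04T10:15:04 action=DENY src=10.20.5.7 dst=10.20.1.15 dport=139 proto=tcp
2024-03-04T10:15:05 action=ALLOW src=10.20.5.7 dst=10.20.1.15 dport=443 proto=tcp
2024-03-04T10:15:05 action=DENY src=10.20.5.7 dst=10.20.1.15 dport=445 proto=tcp
2024-03-04T10:15:06 action=DENY src=10.20.5.7 dst=10.20.1.15 dport=3389 proto=tcp
2024-03-04T10:15:06 action=DENY src=10.20.5.7 dst=10.20.1.15 dport=8080 proto=tcp
2024-03-04T10:16:00 action=ALLOW src=10.20.5.9 dst=10.20.1.15 dport=80 proto=tcp
2024-03-04T10:18:00 action=ALLOW src=10.20.5.9 dst=10.20.1.15 dport=443 proto=tcp
2024-03-04T10:20:00 action=ALLOW src=10.20.5.9 dst=10.20.1.15 dport=8443 proto=tcp
"""


def parse_line(line):
    """Parse one log line into a dict; the timestamp is ISO 8601 without a zone."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "src": fields["src"],
            "dst": fields["dst"], "dport": int(fields["dport"])}


def detect_port_scans(lines, min_ports=10, window_seconds=60):
    """Return one alert per (src, dst) pair that touched at least ``min_ports``
    distinct destination ports inside any ``window_seconds`` interval.

    Allowed and denied connections both count: a scan of open ports is still a scan.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)  # (src, dst) -> events still inside the sliding window
    alerts = {}                 # (src, dst) -> alert dict, updated as the scan continues
    for ev in events:
        key = (ev["src"], ev["dst"])
        bucket = recent[key]
        bucket.append(ev)
        while ev["ts"] - bucket[0]["ts"] > window:  # age out events older than the window
            bucket.pop(0)
        ports = {e["dport"] for e in bucket}
        if len(ports) < min_ports:
            continue
        alert = alerts.setdefault(key, {"src": ev["src"], "dst": ev["dst"],
                                        "first_seen": bucket[0]["ts"].isoformat()})
        alert["distinct_ports"] = len(ports)
        alert["last_seen"] = ev["ts"].isoformat()
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(alert)
```

If the tester scanned every subnet you own and this kind of rule never fired, that is a finding for the incident response plan, independent of whatever vulnerabilities the test itself found.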
Preserving the company’s image
Ok, what is penetration testing good for?
Preserving your image to your customers.
You’re probably wondering what security auditing has to do with your public relations:
Let’s talk about it.
We need a little context though.
The Ponemon Institute has been doing research on cybersecurity for over a decade.
Every year, they release the “Cost of a Data Breach” study that they conduct in partnership with a sponsoring company.
Very early on, they began to realize this:
Most people think about direct costs that are the result of a breach – infrastructure repair, fines, forensic costs, etc.
They forget that there are indirect costs.
Brand image is one of these costs.
When a data breach makes headlines and people hear about it, it tarnishes your company’s image – even if it’s subconsciously.
Your customers expect you to protect their data.
In fact, a recent poll showed that 71% of customers believed it was the company’s duty to protect their data.
And even though it’s hard to quantify, an organization that has suffered a breach almost certainly loses some customers it would otherwise have won.
Having penetration tests look for avoidable security mistakes can save your organization from paying for them later.
Want to be sure a developer hasn’t left an unlocked database with all of your customers’ data? Have a test done to look for those kinds of oversights.
So, in the end, penetration tests can help you find weaknesses before an attacker does and before they become public.
Thus, you protect your brand image with your current and future customers.
Types of Penetration Testing
There’s no lack of industry jargon being thrown around when it comes to penetration testing.
And as a non-technical person, you may feel like companies are trying to pull the wool over your eyes with all of these big terms.
So, let’s take some time to talk about various types of penetration testing.
Black Box Penetration Testing
So, what is black box penetration testing?
Essentially, it’s a type of penetration test in which the attacker (tester) has no prior knowledge of the environment they are trying to break into.
The company doesn’t provide any description of the systems it uses, nor the source code of the applications or websites being tested.
Black box penetration tests emulate real attackers as closely as possible.
The testers have to enumerate the systems themselves and find potential entry points.
Depending on the scope of the engagement, this can include social engineering.
Black-box penetration tests are typically shorter than other types, because the testers are looking for one way into your organization and then trying to go as far as they can with the opening they find.
One downside is that you don’t get a thorough picture of the vulnerabilities across your systems: a black-box test shows you one path in, not every weakness.
Grey Box Penetration Testing
Grey box penetration testing is the in-between method: the tester knows more than in a black-box test but less than in a white-box test, where they would receive full documentation, source code, and credentials.
The attacker is still testing from the perspective of an outsider, but they have more knowledge about the organization’s systems.
Here’s what I mean:
For grey-box assessments, the organization will often provide the tester with a description of the IT systems in its environment.
This is so that the tester can focus on the high-risk systems without first having to figure out which systems those are.
This saves the tester a lot of time and gives the organization a more comprehensive picture of its risk.
A lot of times, during a grey-box penetration test, the organization will provide a user account to the tester.
That way, they have access to the network and a “head start” on testing.
Again, the reason for this is to allow the tester to provide a more thorough report of security weaknesses within the systems.
Internal Penetration Testing
Another pair of terms you may have heard is internal penetration testing and external penetration testing.
What is internal penetration testing?
It’s a test conducted from inside the network, simulating an attacker who has already gained a foothold (a malicious insider, a compromised workstation, or a phishing victim), to validate the organization’s layered defenses and see just how far such an attacker could get.
Usually, organizations that get internal penetration tests are comfortable that their external-facing controls are solid and want to strengthen their defenses against rogue employees and compromised insiders.
External Penetration Testing
External pen tests assess an organization’s security from the outside.
During external penetration tests, the attackers enumerate an organization’s externally facing systems – email servers, VPN gateways, file transfer services, websites – for vulnerabilities that could be used to gain initial access to the organization’s network.
The penetration testers usually perform in-depth reconnaissance to learn as much information as they can about the systems.
They look for information about open ports, services running, software and system types, etc.
With this information, they attempt to find a weakness that will allow them to gain access.
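What the reconnaissance output looks like once it comes back, and how a tester turns it into a short list of places to look first. This is an added example, not code from the original article: it parses nmap’s grepable (-oG) output format and flags open services that deserve scrutiny when reachable from the Internet. The scan text is constructed (documentation addresses, made-up host names and versions), and the list of services to review is a practitioner’s rule of thumb, not something the article prescribes.

```python
# Constructed nmap grepable (-oG) output for the documentation range 203.0.113.0/28.
# Not a real scan: host names and version strings are made up.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 203.0.113.0/28
Host: 203.0.113.5 (mail.example.test)\tStatus: Up
Host: 203.0.113.5 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 110/open/tcp//pop3//Dovecot pop3d/, 443/open/tcp//ssl|https//nginx 1.18.0/, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (996)
Host: 203.0.113.9 (www.example.test)\tStatus: Up
Host: 203.0.113.9 (www.example.test)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.41/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (997)
# Nmap done -- 16 IP addresses (2 hosts up) scanned
"""

# Services that deserve a closer look when reachable from the Internet: cleartext
# authentication, legacy file sharing, database and remote-administration listeners.
# Practitioner's rule of thumb, not a list taken from the original article.
REVIEW_SERVICES = {
    "ftp": "cleartext credentials; test for anonymous login and writable directories",
    "telnet": "cleartext remote shell",
    "pop3": "cleartext mail credentials unless STARTTLS is enforced",
    "imap": "cleartext mail credentials unless STARTTLS is enforced",
    "microsoft-ds": "SMB exposed to the Internet",
    "netbios-ssn": "NetBIOS exposed to the Internet",
    "ms-wbt-server": "RDP exposed to the Internet; brute-force and exploit target",
    "vnc": "remote desktop exposed to the Internet",
    "ms-sql-s": "database listener exposed to the Internet",
    "mysql": "database listener exposed to the Internet",
}


def parse_gnmap(text):
    """Parse -oG output into {ip: {"hostname": str, "ports": [...]}} keeping open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        head = fields[0][len("Host:"):].strip()          # e.g. "203.0.113.5 (mail.example.test)"
        ip, _, name = head.partition(" ")
        entry = hosts.setdefault(ip, {"hostname": name.strip("()"), "ports": []})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                # port/state/proto/owner/service/rpc/version/ ; the version text may itself
                # contain slashes, so everything from the 7th element onward is the version.
                parts = item.strip().split("/")
                if len(parts) < 7 or parts[1] != "open":
                    continue
                entry["ports"].append({"port": int(parts[0]), "proto": parts[2],
                                       "service": parts[4],
                                       "version": "/".join(parts[6:]).rstrip("/")})
    return hosts


def triage(hosts):
    """Flag open services listed in REVIEW_SERVICES: the tester's first places to look."""
    flagged = []
    for ip, entry in hosts.items():
        for p in entry["ports"]:
            # nmap writes tunnelled services as "ssl|https"; the last part is the service.
            reason = REVIEW_SERVICES.get(p["service"].split("|")[-1])
            if reason:
                flagged.append({"ip": ip, "hostname": entry["hostname"], "port": p["port"],
                                "service": p["service"], "version": p["version"],
                                "reason": reason})
    return flagged


if __name__ == "__main__":
    for f in triage(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{f['hostname']} ({f['ip']}):{f['port']} {f['service']} - {f['reason']}")
```

Feed it real output with `nmap -sV -oG scan.gnmap <in-scope targets>` and `parse_gnmap(open("scan.gnmap").read())`; the version strings are what the testers cross-reference against known weaknesses in the planning phase.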
Penetration Testing Methodology
Nothing in cybersecurity works well with an ad-hoc approach.
That includes penetration testing.
Cybersecurity is a meticulous discipline.
Let’s take a look at some of the different approaches to penetration testing.
If you have ever tried to hire an organization to perform a penetration test for your own company, you have probably been inundated with phrases and words you don’t understand.
It can be completely overwhelming.
Here’s a little piece of advice to cut through it all – ask them what penetration testing methodology they use.
If they don’t have an answer, you should question their legitimacy.
Now, let’s look at some of the processes and methodologies for conducting penetration tests.
Penetration Testing Steps
So, you’ve seen the videos of someone hacking, right?
Fingers typing like crazy – computer code flying through the screen.
Well, that’s not actually quite how it goes.
It’s a very deliberate and time-consuming process.
In fact, there are six phases of penetration testing: scoping, reconnaissance, attack planning, exploitation, post-exploitation, and reporting.
Defining the scope
The first phase of penetration testing is establishing the scope.
This is actually the most important phase, since it sets the stage for every other phase.
During scoping, the organization being tested and the penetration tester(s) decide which type of test to perform, which systems will be tested, which are off limits, and when testing may take place.
Since almost everything a penetration tester does would be illegal without authorization, make sure the scope, the rules of engagement, and the written permission to test are unambiguous before any testing starts.
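A scope that lives only in the contract is easy to violate by accident during a late-night scan. Below is an added example, not code from the original article, of the kind of guard a tester puts in front of every tool: an allowlist of authorized ranges and host patterns, an exclusion list, and a filter that rejects anything else with a reason. The sample scope uses documentation address ranges and made-up names. Note that a hostname being in scope does not authorize whatever address it resolves to; resolve it and check the address too (name resolution is left out so the example runs offline).

```python
import fnmatch
import ipaddress

# Constructed rules of engagement: documentation ranges and made-up host patterns.
SAMPLE_IN_SCOPE = ["203.0.113.0/28", "198.51.100.10", "*.example.test"]
SAMPLE_EXCLUDED = ["203.0.113.1", "db.example.test"]  # production router, customer DB


def _add(scope, item, net_key, host_key):
    """File an entry as a network (IP or CIDR) or, failing that, as a hostname pattern."""
    try:
        scope[net_key].append(ipaddress.ip_network(item, strict=False))
    except ValueError:
        scope[host_key].append(item.lower())


def build_scope(in_scope, excluded=()):
    """Compile the rules-of-engagement lists into network objects and host patterns."""
    scope = {"nets": [], "hosts": [], "excluded_nets": [], "excluded_hosts": []}
    for item in in_scope:
        _add(scope, item, "nets", "hosts")
    for item in excluded:
        _add(scope, item, "excluded_nets", "excluded_hosts")
    return scope


def in_scope(target, scope):
    """Return (allowed, reason). Exclusions win over inclusions; unknown is denied."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        name = target.lower()
        if any(fnmatch.fnmatchcase(name, p) for p in scope["excluded_hosts"]):
            return False, "explicitly excluded"
        if any(fnmatch.fnmatchcase(name, p) for p in scope["hosts"]):
            return True, "matches authorized host pattern"
        return False, "hostname not in scope"
    if any(addr in net for net in scope["excluded_nets"]):
        return False, "explicitly excluded"
    if any(addr in net for net in scope["nets"]):
        return True, "inside authorized range"
    return False, "address not in scope"


def filter_targets(targets, scope):
    """Split a target list into the ones you may test and the ones you must not, with reasons."""
    allowed, rejected = [], []
    for target in targets:
        ok, why = in_scope(target, scope)
        if ok:
            allowed.append(target)
        else:
            rejected.append((target, why))
    return allowed, rejected


if __name__ == "__main__":
    scope = build_scope(SAMPLE_IN_SCOPE, SAMPLE_EXCLUDED)
    ok, bad = filter_targets(["203.0.113.9", "203.0.113.1", "www.example.test", "192.0.2.44"], scope)
    print("allowed:", ok)
    print("rejected:", bad)
```

Wire `filter_targets` in front of the scanner invocation so the rejected list is logged and never scanned; a denied-by-default check like this is what keeps "permission to test" from becoming a legal problem when a typo puts the wrong octet in a target file.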
Reconnaissance
The second most important phase of penetration testing is reconnaissance.
During this phase the testers gather as much information as they can about your organization and the systems they are testing.
The more they are able to discover about the systems, the more likely the attack they formulate is to work.
You know what?
This is exactly what a real attacker would do too.
Attack planning
During this part of the process, the testers use the information gathered during reconnaissance to create an attack plan: which systems to target, which weaknesses to try, and in what order.
Exploitation
Exploitation is probably the phase most people think about when they hear anything about hacking or penetration testing, but it’s actually half-way through the process.
The testers attempt to actually break into systems using the plan they created in the previous phase.
This phase involves the real exploitation attempts: running exploit code against a vulnerable service, using credentials they have discovered, or whatever else the plan calls for.
Post-exploitation
After successfully exploiting a vulnerability, the penetration testers (provided it’s allowed in scope) will try to extend their reach.
If they were able to break into a web server, for example, they would next see how to move laterally to employee computers or internal servers.
The point is that they want to get as far into your network as they can before being noticed.
Just like an attacker with ill intentions would.
Reporting
Finally, once the testers are deep enough into your network or the testing window ends, they compile a report.
This is where the value comes from.
The testers will (should) tell you exactly how they were able to compromise your organization and give you actionable recommendations for resolving those vulnerabilities.
And you should resolve them before the bad guys find them.
Note: When you are looking for a penetration testing company to perform penetration testing for your organization, you should be sure to ask them:
What is the penetration testing framework that your tests will follow?
If they don’t have an answer, you may want to take note. You want your penetration tests to be structured to find as many vulnerabilities as possible.
NIST Special Publication 800-115
The Technical Guide to Information Security Testing and Assessment created by NIST is a penetration testing framework that many organizations follow.
All of the NIST cybersecurity recommendations and guides are very well-respected by the entire industry.
Their penetration testing guidance is probably one of the most detailed.
OWASP Testing Guide
OWASP is a non-profit organization that studies common vulnerabilities in web applications.
Periodically, they publish the OWASP Top 10, a list of the most critical web application security risks.
Unfortunately, the list stays relatively the same from one edition to the next.
Their Web Security Testing Guide is geared towards web applications, but it’s very thorough and identifies exactly what testers should be looking for.
PCI Penetration Testing Guidance
If your organization must comply with PCI DSS, you have mandatory penetration testing requirements: both external and internal tests, at least annually and after any significant change to the cardholder data environment.
You must make sure that any penetration tests you have conducted meet at least the PCI requirements.
It’s never a bad idea to be more thorough, but you don’t want to get into trouble for failing to meet your minimum obligations.
Considerations & Tips To Get More Value
Getting value from penetration testing reports
Most teams that do penetration testing will provide a report of their findings by default.
If they don’t agree to provide a report, you should be cautious.
The report is their write up of the findings during the penetration test.
It’s essentially a list of things that your organization should change to improve security defenses.
Here are a few suggestions for getting the most value from penetration testing reports.
Do a debrief meeting
If the team performing the testing is willing to do a debrief meeting, don’t miss the opportunity.
You will be able to ask questions and discuss things that you couldn’t if you were only reading the report.
Most organizations offering penetration testing services have seen a lot, and they can give you invaluable suggestions about what actually works.
Request corrective action steps
Next, request that the organization doing the testing provide corrective action suggestions.
You can really learn a lot and get excellent advice from them.
For example, if they write in a report that they were able to bypass your network access control system, you’d probably want to know what you can do to correct the problem, right?
If you’re spending money on a security control, you want it to be working.
So, be sure to get corrective action suggestions.
Penetration testing considerations
Many organizations can’t figure out whether they should notify their team members prior to a penetration testing engagement or not.
There are people who support both arguments.
Some say that you shouldn’t tell anyone.
Others say that an unannounced test can overwhelm IT teams with alerts to chase and sour them on the whole process.
I actually support a method that’s halfway between both opinions.
When we perform penetration tests, we usually suggest that the client not notify their team initially.
That way, they are able to see how their security team would actually respond to a real attack.
However, should the security team identify the penetration tester or something they are doing, at that point, we recommend notifying the IT team members.
We like this method because it allows us to continue performing a thorough assessment of our clients’ systems without their security team being overburdened with alerts.
So, your organization may choose to take a different approach to it, but it should be decided in advance of the testing and communicated with all parties involved.
Now It’s Your Turn
So that’s our explanation for the question:
What is penetration testing?
Now I want to turn it over to you.
What did we miss? Or what would you add to this post?