Man is a social animal; our urge to connect with others and interact is built into our DNA. In today's hyper-connected world we are perhaps more connected than ever before: technology has seeped into every aspect of our lives, from the humble landline phone to smart devices, including smartphones. Today's man is therefore a digitally connected social animal, with every aspect of our lives measured, computed and visible to others.
Organizations, on the other hand, have also gone through a major transformation, aptly called digital transformation. This transformation was, and is, aimed at increasing organizational efficiency and productivity. However, it also gave rise to a new kind of criminal, the cyber criminal. Often referred to as hackers, these individuals or groups steal company information, customer information and company IP and sell it to the highest bidder. This has resulted in major losses to organizations and often a huge loss of reputation.
High-profile security breaches have been dominating the cybersecurity world. As cyberattacks are growing in sophistication and complexity, the chances of businesses falling into the traps of cyber attackers/hackers are also increasing rapidly. Having all the required security measures in place does not ensure that the IT infrastructure of the organization is immune to cyber risks. In fact, it prompts the alarming need for advanced security strategies. For a concrete defense mechanism, existing and future strategies should be put to the test regularly. This is why businesses need penetration testing.
What is pentesting?
Penetration testing, also called pen testing or ethical hacking, is the practice of testing the cybersecurity of a computer system, network or web application by looking for exploitable security vulnerabilities. Penetration testing can be automated with penetration testing tools or performed manually by penetration testers.
In essence, penetration testing seeks to answer:
How would an attacker overcome my security program?
How would they gain access to my and my customers' sensitive data?
It views your network, application, device and physical security through the eyes of a malicious actor and an experienced security team to uncover weaknesses and identify how your security posture could be improved.
Pen testers launch authorized cyber attacks designed to gain access to sensitive information, simulating what a real world attack would target, how your security controls would fare and the magnitude of a potential data breach.
What is involved in a penetration test?
Typically, a target system is identified and a particular goal is defined, e.g. to gain access to PII and PHI that would result in a notifiable data breach. Pen testers then review available information and use various methods to try to meet their goal. For example, they may employ SQL injection, phishing and other social engineering attacks or cross-site scripting, or exploit other vulnerabilities.
Once the penetration test is completed, the security experts provide a security assessment to the owners of the target. The assessment generally outlines the potential impact and countermeasures designed to reduce cybersecurity risk.
What are common areas for penetration testing?
Common areas for penetration testing include:
Application penetration testing: Identifies issues such as cross-site request forgery, cross-site scripting, injection flaws, weak session management and more
Network penetration testing: Highlights network level flaws including misconfigurations, product-specific vulnerabilities, wireless network vulnerabilities, rogue services, weak passwords, vulnerable protocols and default passwords
Physical penetration testing: Reveals how physical controls, such as locks, biometric scans, sensors and cameras could be overcome
IoT penetration testing: Uncovers hardware and software vulnerabilities in Internet of Things devices, including default passwords, insecure protocols, open APIs, misconfigurations and more
What is the goal of a penetration test?
The goal of a penetration test will depend on the type of approved activity and your compliance requirements. Penetration testing can help organizations:
Determine the feasibility of particular attack vectors
Identify high-risk vulnerabilities resulting from lower-risk vulnerabilities exploited in a particular fashion
Highlight vulnerabilities that go undetected in automated network or application vulnerability scanning software
Assess the potential business, operational and regulatory impact of successful cyber attacks
Test network defense and your organization's ability to successfully detect, respond and stop an attack
Provide context to support increased investment in information security policies, procedures, personnel or technology
Meet compliance requirements, e.g. the Payment Card Industry Data Security Standard (PCI DSS) requires regular penetration testing
Validate the implementation of new security controls put in place to thwart similar attacks
In the end, the standard goal is to find security issues that could be exploited by an attacker and then share this information, alongside relevant mitigation strategies, with the target.
While penetration testing can help identify weaknesses in network security, information security, application security and data security, it is only one part of a full security audit.
What are the six stages of penetration testing?
Penetration testing can be broken down into six stages:
Reconnaissance: Gathering information on the target to be used to better attack the target. For example, using Google hacking to find data that can be used in a social engineering attack.
Scanning: Using technical tools to gain further knowledge of the target's externally facing assets, e.g. using Nmap to scan for open ports.
Gaining access: Using the data gathered in the reconnaissance and scanning phases, the pen tester can deliver a payload to exploit the target. For example, Metasploit can be used to automate attacks on known vulnerabilities like those listed on CVE.
Maintaining access: After gaining access, the pen tester may take steps to gain persistent access to the target in order to extract as much data as possible.
Covering tracks: The final step is to clear any trace of their access by deleting audit trails, log events, etc.
Reporting: Outlines the findings, providing a vulnerability assessment with suggested remediation steps.
Note that this process can be repeated as the pen tester finds new security issues.
Who provides penetration testing services?
Penetration testing services are generally provided by an outside consultant or internal red team with little-to-no prior knowledge of how the target is secured. This allows them to expose possible blind spots that are missed by the internal security team.
What are the types of penetration tests?
White box pen test: Ethical hackers are provided with background and system information, such as employee emails, operating systems, security policies or source code. This type of security testing could be said to mimic insider threats.
Black box pen test: Security professionals are provided basic or no information beyond the target's name. This means the pen testers only have access to information they can gather through vulnerability scanning, OPSEC failures, social engineering and external security posture analysis. This mimics outside attackers attempting to gain access to your organization.
Grey box pen test: A combination of a white box and black box test, where limited knowledge of the target is shared with the pen tester. This type of security testing can help determine which systems are vulnerable to attackers who are able to gain initial access to your internal network.
Covert/double-blind pen test or Deep Dive: Describes a situation where very few people know a pen test is happening, including the IT and security teams who will be responding to the attack.
External pen test: This is when an ethical hacker targets a company's external-facing technology, such as their website and external network servers. These types of pen tests are generally conducted from a remote location.
Internal pen test: This test is performed from within the company's internal network and is useful to determine how much damage could be done by an insider from within the company's firewall.
Targeted pen test: Penetration tester and security team work together, informing each other of steps taken to attack the target and to defend the attack. This serves as a training exercise that provides real-time feedback.
Why is penetration testing important?
Penetration testing is important because it helps determine how well your organization is meeting its security objectives. The purpose of these simulated attacks is to identify weaknesses in your security controls which attackers could take advantage of. Penetration testing, and cybersecurity more generally, is becoming more important as we become more reliant on technology to process sensitive information. As part of a cybersecurity program, penetration testing helps you improve the quality of your security controls. It can also help reduce the cost and frequency of downtime, improve mean-time-to-repair (MTTR), protect brand reputation, maintain customer trust, avoid litigation and ensure regulatory compliance.
Why is penetration testing not enough?
Security professionals disagree about the importance of penetration testing. Some believe it is the most important thing, others believe it's a waste of time. As with most security practices, the truth is somewhere in between and its efficacy depends on application and scope. Pen testing alone is never enough to prevent data breaches, but the information gained from it can play a critical role in bolstering your organization's security controls.
While there are numerous frameworks that outline a pen testing process, it remains a broad term that encompasses a slew of different activities designed to identify weaknesses in your cybersecurity. This could entail the use of specialized security tools such as Kali Linux or Backbox and Metasploit or Nmap to discover and exploit vulnerabilities, carrying out social engineering attacks to test physical controls or employing ethical hackers to simulate cyber attacks. In the end the goal is the same: to improve your security posture and reduce cybersecurity risk. Even the most thoroughly tested applications and infrastructure can fall victim to data breaches or data leaks. That is the disheartening truth of cybersecurity – sometimes attackers are one step ahead of your security team.
Furthermore, even the best pen testers can only work with the knowledge and tools at their disposal.
In the case of zero-day exploits, like EternalBlue that led to the WannaCry ransomware worm, the best you can do is respond quickly. Pair this with the fact that third-party vendors are handling more and more sensitive information, and it's not hard to understand that while pen testing is important, it can't be the only thing you do. To have a lasting impact on the organization, pen testing must be integrated with real-time continuous security monitoring of first, third and fourth-parties.
Continuous monitoring tools can automatically detect known vulnerabilities, help mitigate high-risk vulnerabilities, provide ongoing vendor risk assessments and help you scale your vendor risk management efforts.
What are the common penetration testing frameworks?
There are several frameworks and methodologies for conducting penetration tests including:
Open Source Security Testing Methodology Manual (OSSTMM)
Penetration Testing Execution Standard (PTES)
NIST SP 800-115
Information System Security Assessment Framework (ISSAF)
OWASP Testing Guide