A thorough penetration test identifies possible vulnerabilities, determines how they can be exploited, and works to mitigate them.
In a previous post, we discussed how incident responders are essential to mitigating the damage caused by a data breach. They put out fires, contain the threat, then eradicate the vulnerability to get your company back to full operation as fast as possible. However, what if you want to prevent hackers from exploiting vulnerabilities before they can steal your data?
One of the most important services for proactively defending your network is the penetration test, commonly referred to as “pentest” by industry professionals. Penetration testing falls under the category of vulnerability management and should be a major component of any network security policy. Vulnerability management is the process of regularly reviewing your cybersecurity landscape to minimize and mitigate vulnerabilities in a network before they can be exploited.
Penetration testers are the superheroes of the hacking world. They choose to use their powers for good instead of evil. Commonly referred to as “white hat hackers,” these cybersecurity professionals scan for vulnerabilities to protect others, rather than to cause harm. “Black hat hackers” utilize many of the same skills as white hat hackers, but they use their powers for nefarious purposes. This includes targeting companies to steal data, corrupt networks, and deny services. Having cybersecurity professionals on your side is essential to protecting your data from the villains of cyberspace.
Penetration testing is an authorized attack on a network by a security professional that identifies security flaws that could potentially give access to the system’s features and data. The main objective is to find and mitigate any weaknesses in the network before an attack happens. Once the best possible network is built and its architecture reviewed, then a penetration test should be performed. A typical penetration test has four main steps that must be completed to thoroughly test the system and understand its vulnerabilities. These include:
- Identifying attack surface
- Exploiting vulnerabilities to determine business impact
- Reporting findings with detailed recommendations to mitigate the issue
During the reconnaissance phase, information is gathered about the target to determine the operating systems and software used and the architecture of the target’s network. This is done prior to the test and can either involve direct access to the network or covert attempts to understand how users interact with the network environment. Reconnaissance is essential to determining the approach because what works on a Windows computer might not work on a Mac computer, and vice versa. Software can act as an entry point into a system, which is why discovering it is included in this phase. Additionally, the architecture of a network can leave it susceptible to attacks. For example, if a company’s database accepts unauthenticated login requests, that flaw can be exploited to access data.
Using the information gathered from reconnaissance, penetration testers can determine what types of attacks might grant access to the network or its data. Once a penetration tester knows what software is running on a system, the type of computer, and the architecture of the network, they can determine which types of attacks to try. Identifying old software and then cross-checking it with known vulnerabilities is one method of discovering an entry point. Others are much more difficult to find and require unique solutions for identifying and exploiting a vulnerability. Some organizations promote penetration testing software that claims to find vulnerabilities within a network, thus automatically performing the reconnaissance and entry point identification phases. However, this method is not a true penetration test as it only looks for common vulnerabilities that were known at the time the software was written. Additionally, scanning software is limited to its ability to interact with complex systems and applications. Not all vulnerabilities present themselves by simple requests and responses. This is where the people factor of penetration testing and the penetration tester’s experience come into play to identify vulnerabilities that scanners simply cannot. Chris Foster, GRA Quantum’s Director of Global Vulnerability Management, says, “Penetration testing is about the people. A skilled professional can look at a system and understand what is going on better than any software. Automated software that claims to provide penetration testing fails to identify numerous false positives and negatives.” Trained vulnerability management professionals can identify these false signs and thus provide a complete assessment of a system or application.
Most people think of the exploitation phase when someone mentions hacking. Testers will attempt to exploit the vulnerabilities they found during the identification process. Testers will perform both commonly known attacks as well as design and implement new ones based on their knowledge of the system’s architecture.
The last step in the process is assessing the results of the penetration test. Once a tester has discovered vulnerabilities, they create an assessment report detailing the threat level of each discovered instance. The scale rates threats by severity: Critical, High, Medium, Low, and Attention. The rating is determined by how easily a vulnerability can be exploited, the business impact if exploited, and the probability of exploitation. This helps a team determine what needs to be addressed and the urgency of the situation. This detailed report helps save companies time and allows them to mitigate the vulnerabilities to prevent a successful attack.
The frequency of penetration tests is up to the organization and their risk appetite, a term used to describe how a company prioritizes their cybersecurity based on their budget and internal security capabilities. Foster says, “Companies should perform a penetration test at least once a year, but ideally they should do it more frequently because new vulnerabilities are released hourly.” Having a quality penetration tester regularly performing tests is essential to staying ahead of new and ever-evolving vulnerabilities.
There are various types of tests that can be performed by a tester depending on the needs of the business. These tests utilize the steps in the process mentioned above and may include unique variations based on what part of a system is being tested and the business owner’s risk appetite. These tests may include:
- External testing
- Internal testing
- Blind testing
- Double-blind testing
- Targeted testing
External testing is a network attack that uses the Internet and is conducted from outside an organization’s network. This simulates one of the most common forms of attack, one in which the attacker is an outsider and is attempting to gain access. This test typically targets domain name servers, Web servers, firewalls, and any devices that might be accessible from a remote location. These are considered entry points into a network because servers are how companies send their data between remote locations and the Internet. Breaking into a server allows access to all data that transit through them, which is why hackers commonly target them. Once past a network’s firewall, a hacker can steal data and access the network’s features. External penetrating testing seeks to uncover these flaws before a hacker can.
Internal testing is done with administrative access and attempts to simulate an attack from someone who has either gained access to the network or is an insider threat. These tests seek to emulate an employee, partner, or customer that has standard or advanced access to sensitive data and seeks to harm an organization. The most common form of data breach comes from disgruntled employees seeking to hurt their employer. The result of a successful attack can be exceptionally damaging because leaked information comes from someone with knowledge of the company’s practices, personnel, or proprietary technology. Penetration testers review how users are authenticated as well as the design and implementation of the code that the software is built with. Finding the system flaws in both code and network design can help a company mitigate their risk.
A blind test simulates the actions and procedures that an actual hacker would undertake to penetrate a network. Just like a real attack, the testing team is provided with limited or no information about their target prior to conducting the test. They gather open-source information during the reconnaissance phase and then ultimately utilize different methods than they would if the testers were performing an internal attack. Internal attacks circumvent the need to break a firewall or gain access to the network because they are already users on the system, whereas blind attacks need to get past the firewall as well as gain access to company data. Consequently, the reconnaissance phase can take much longer because the testing team spends more time looking for potential vulnerabilities. This attack gives an organization information on how a hacker would put them at risk of being breached.
A double-blind test is when an organization’s security staff doesn’t know about the penetration test and is intended to test the response of security personnel. This helps an organization determine how prepared their IT department is for an attack. This can also help with performance assessments for IT staff and can be used as justification for implementing a response plan or security training. Additionally, a double-blind test can target users in nontechnical departments to determine if they are possible entry points. Social engineering is a common method that hackers use to target nontechnical employees and can be a component of double-blind penetration tests. Hackers look for any entry point that could give them access to a network. For example, a hacker can gain remote access if an employee clicks on a link with embedded malware that when downloaded makes the hacker an authenticated user.
A targeted test is when both the testing team and the security staff know a penetration test is going to occur. Generally, they will work together to find vulnerabilities and make suggestions on how to mitigate them. This can include reviewing how internal applications are coded, the security practices of the IT staff, and the types of attacks they are susceptible to depending on their hardware and software. Hiring a penetration testing team brings outside eyes to a network that might identify problems that the security staff overlooked.
Penetration tests are just one part of an effective vulnerability management strategy. Training the users of a system, reviewing its architecture, and understanding what is happening on a network are essential steps to implementing a comprehensive security plan. No matter the strategy, organizations should regularly perform penetration tests and create a cybersecurity plan to stay ahead of malicious attackers. No plan is perfect, but having an enterprise cybersecurity strategy plan will enhance the risk management of any organization. Achieving impenetrability is next to impossible, but with proactive planning and risk management, an organization can deter and stop most attacks.