It seems counter-intuitive to pay (and thank!) a skilled hacker to infiltrate your computer systems. Surely the security technology you’re deploying is designed to keep them out? Precisely—but how well is it doing its job? Sometimes there’s no beating a practical exercise to really put your online protection through its paces and highlight any potential vulnerabilities before real-life bad guys could find them. Welcome to the world of penetration testing, or “pentesting” for short, where digital ninjas (more on these ethical, white hat hackers later) legally find and infiltrate the chinks in your online armor.
What is penetration testing or pentesting?
The National Cyber Security Centre compares penetration testing to a financial audit. In finance, an accounting team tracks your income and expenditure. Then an external group carries out a financial audit to examine and evaluate the internal team’s processes. Pentesting does the same for your IT to help test and ensure that your technical processes are sufficient. In a nutshell: It’s a simulated, real-world attack on a network, application, or system to help identify any weaknesses. And it’s not (just) a collection of digital stunt (wo)men showing off their hacking skills, but part of a recognized industry approach to quantifying and managing risk. Good pentesting helps expose vulnerabilities in a company’s IT infrastructure and applications and, importantly, also in their processes and people. Even the best security technology won’t stop Maureen from Accounts opening infected attachments. Beyond helping to identify security loopholes, reputable penetration testing services are also able to provide context around breaches. How are they caused and what is their likely impact?
Penetration testing phase one: Planning and penetration test tools
All hacking, whether ethical or otherwise, requires careful planning and a range of penetration test tools. You can’t simply select a target and then launch an attack with whatever you have in your malware arsenal. Timing is as important as the right selection of tools, and both need to be tailored to the organization in question. This all requires a detailed reconnaissance mission first. Does the target use on-premises infrastructure or a cloud service from a third party? How many employees are there, and do they use their own devices? How many staff work from home, which systems can they access, and how? This can all be critical information and helps the pentester draw up a blueprint of their hit. It all starts with two steps.
- Information gathering. The company being tested provides the pentester with general IT and company information, as well as details on targets to be included in the scope of the investigation.
- Penetration testing. Usually, passive penetration tests are used. This is a subtle reconnaissance mission (think 007 holding just a martini) that doesn’t involve direct interaction with the target systems. Instead, hackers use public resources to eavesdrop and learn about the employees and the technology in use. Common tools like Wget can download a copy of a website for offline analysis and reveal details like operating systems and hardware. The tester might also conduct advanced internet searches to extract information such as usernames, passwords, hidden web pages, and files containing metadata. A tool popular with ethical and unethical hackers alike is the Google hacking database. Real-life cybercriminals also sometimes examine discarded company devices and might even impersonate users!
Sometimes, penetration testing is active. This approach is more direct (think “Rambo”) as the hacker interacts closely with the systems. They probe for vulnerabilities, trying to gain unauthorized access to confidential data and infiltrating any firewalls or routers. Once in, they map the network infrastructure and use tools like open-source Nmap to identify hosts and delve deeper.
Penetration testing phase two: Scanning
Now that detailed information has been obtained about the company and its infrastructure, it’s time to assess how the target application/s will respond to intrusion attempts. This is usually carried out in two ways:
- Static analysis. The tester inspects an application’s code to estimate how it behaves while running. Tools can scan the entire code in a single go.
- Dynamic analysis. The tester inspects the application while it’s running. This is often more useful, as it yields a real-time view of how the application actually behaves.
At the end of this phase, the penetration tester will have finished the initial vulnerability assessment. They’ll have identified any potential security weaknesses that could allow an outside attacker a doorway into the system being tested. Now it’s time for the real action, where the pentesters get to release their inner (digital) ninja.
Penetration testing phase three: Exploitation
Based on the results of the vulnerability assessment, expert penetration testers use a range of techniques to assail the target systems—from cross-site scripting to SQL injection, and backdoor attacks. They steal data, intercept traffic, and generally try to understand how much damage they can cause. This stage must be extremely satisfying for those who enjoy a spot of virtual havoc-wreaking, or just have a sense of humor. Staff at a small-town GP practice in England, for example, were puzzled by the appearance of a mystery patient in their systems: Mrs Penny Test.
The goal of this stage is also to determine how long the hackers can maintain their presence in the target system. Would a bad actor have enough time to gain in-depth access? This is important, as advanced persistent threats can remain in a system for months as they steal an organization’s most sensitive data.
Penetration testing phase four: Analysis and utilization
Now it’s time to gather all the results from the previous phases and compile a detailed report that typically includes the following: Specific vulnerabilities that were successfully exploited and the methodologies used, sensitive data that was accessed, and how long the pentester was able to remain undetected in the system. It also describes the scope of the testing and makes any recommendations for improvement.
Lastly, and perhaps most importantly, the organization must use these findings to understand their vulnerabilities and analyze the potential impact. Crucially, they must determine remediation strategies and move forward with them.
It matters if you’re black or white: Meet the different penetration testing services
Testers are provided with varying amounts of information about the target system. The level of detail they receive determines the type of penetration testing and there are pros and cons for each.
Whitebox testing: This is sometimes also called “crystal” or “oblique” box testing as testers receive full information about their target, so they have maximum visibility. This type of testing can save time and reduce the cost of testing. It also helps the organization manage known software vulnerabilities and common misconfigurations—plus it’s useful for simulating a targeted attack on a specific system or for trying out as many modes of attack as possible!
Blackbox testing: Testers are, literally, kept in the dark as no information about the target system is shared with them beforehand. This type of testing is performed from an external perspective and tries to identify the ways a hacker could access an organization’s internal IT assets. It may take longer, and costs may be higher, but it more accurately models the risk faced from unknown attackers.
Greybox testing: This blends both approaches above, so limited information is shared with the tester—usually login credentials. Grey box testing is useful in helping understand the access a privileged user could gain and the potential damage they could cause. It’s often a popular choice as it strikes a balance between depth, efficiency, cost-savings, and time.
Prevention is better than a cure: The advantages of pen testing
Cyber-attacks are relentless and becoming more sophisticated. A breach can cause organizations to fall foul of GDPR laws and damage their operations and reputations. It’s understandable that companies are increasingly looking to penetration testing to understand and resolve their IT vulnerabilities—before an attack can take place! Penetration tests are like a digital fire drill. Pentesting also helps IT teams invest in the security tools they really need and the protocols they and all users should follow. Plus, penetration testing reports can help developers understand exactly how a malicious entity launched an attack on the software they helped develop, allowing them to be more security-conscious going forward.
Trust is key: Choosing your penetration testing services
Regardless of the form of testing your organization chooses, it’s vital to remember that you’re entrusting a third party with your critical IT infrastructure and confidential data. Be sure to ask the following questions before engaging any penetration testing firm: Are they reputable, with a proven track record and security accreditations? How will they securely handle and store your data before, during, and after the test? Is your penetration testing information fully deleted after the project has finished? Some providers only highlight your vulnerabilities; it’s worth seeking out those that will also help you resolve the security weaknesses they find.
Are you good to go? Then best of luck as your systems do battle with these so-called “white hat” hackers who work to keep you safe from the “black hats” lurking on the other side…