Securing any organization through the use of policies and technical controls is absolutely critical; however, without thorough testing of these controls and policies, an organization cannot truly determine their efficacy.
Every day, news reports of data breaches are dominating headlines around the world. Although we’re in the middle of a pandemic, still, we are bombarded with new reports of organizations around the globe finding themselves the unfortunate victims of cybercrime. The reasons for this are quite simple: opportunity, convenience, and vulnerability. As discussed in previous Packetlabs blogs, more often than not, hackers will seek to low-hanging fruit or the path of least resistance. Currently, IT security teams find themselves balancing not only security but remote worker access. For hackers, this is the perfect environment for success.
In order to establish, maintain and improve on your organization’s security posture, penetration testing is an essential practice.
Penetration Testing: What is it?
Penetration testing, also known as pen testing, simply put, is a series of tests completed by specialized testers, known as ethical hackers. These testers utilize these as a means to gain access to an organization’s systems to find vulnerabilities that could be exploited, externally or internally, by cybercriminals or other malicious parties.
Often, penetration testing is a requirement mandated by industry regulators as we see in financial services, government organizations, and healthcare. In other industries, penetration remains optional; however, considering the global shift to an online marketplace, and mandatory breach reporting laws as indicated by PIPEDA and GDPR, at Packetlabs, we expect to see other industries quickly follow suit.
With threat tactics evolving on a regular basis, penetration testing has become an essential information security practice that should be included in every organization’s security plan, regardless of industry.
Penetration testing can be performed either by internal testing teams or through the use of third-party consulting firms, such as Packetlabs. That being said, in order to gather a truly unbiased and objective result, it is an ideal practice to leave it to specialists outside of the organization in question.
External Penetration Testing
External penetration testing is the practice of testing the externally facing assets of an organization.
During an external penetration test, the penetration tester(s) will attempt to gain access into the internal network by leveraging vulnerabilities noticed within external assets. External penetration testing also attempts to gain unauthorized access to privileged data through externally facing assets including email, company websites, and fire shares.
During the external penetration test, the tester will often start by performing reconnaissance and information gathering to collect as much relevant intelligence as possible. This reconnaissance includes scanning for open ports, vulnerabilities, and even general information with respect to an organization’s staff for use in password attacks. Once an organization’s external perimeter has been successfully breached, the tester will proceed with an internal penetration test, which we will highlight next.
Internal Penetration Testing
Internal penetration testing expands on the assessment by helping the tester to accurately identify how far an attacker can move, laterally, within an organization’s network after successful external penetration testing is concluded.
During the internal penetration test, testers will either leverage the exploited asset from the external penetration test, or plug a device into the network to conduct the assessment. Using a device is the preferred method, as this typically allows the tester more reliable testing path than through the utilization of tools run through the asset exploited during the external penetration test.
From the initial phase of the internal penetration test, penetration testers will perform internal reconnaissance, gathering details and information about the network. After enough pertinent detail is gathered, suitable attacks are launched in attempt to complete testing objectives and escalate privileges. This approach almost always involves leveraging discovered vulnerabilities found in systems to obtain control over the domain. Once a tester successfully obtains domain admin access (DA), or acquires the defined objectives, such as an organization’s most valued information, the internal penetration test is typically ended.
Both external penetration testing and internal penetration testing uncovers vulnerabilities in an organization’s systems, policies and practices. As well, penetration testing, as a whole will help an organization develop a better understanding of the flaws in its security program and validate staff adherence.
At Packetlabs, we recommended both internal and external penetration testing be performed annually, as well as anytime critical changes are made. This is an organization’s best bet at maintaining a solid security posture. Failure to maintain this frequency of testing may eventually lead to a breach as attackers develop and exploit new attack vectors. If you would like to learn more about either external penetration testing, internal penetration testing, or anything more about what Packetlabs can do for your organization, please contact us for more details!