What is Penetration Testing?
By now, most people have a basic understanding of internet security principles and concepts. For example, most users in a corporate environment can tell you what “phishing”, “compliance” and “ransomware” are, however; if you were to ask them what penetration testing is, the answers tend to become a lot less clear. A significantly smaller group of individuals in the business world are familiar with penetration testing, and even fewer understand what it really is and the value it can bring to any organizations well-being and long-term success in the marketplace.
Many organizations will hire third party cyber security firms to conduct penetration testing for a variety of reasons, for example PCI-DSS compliance or customer request. However, a great number of these organizations have a really weak understanding of the techniques involved, what an effective scope entails and how to differentiate a strong penetration testing protocol versus a comparatively weak one.
Clearing the Confusion
Penetration testing, in brief, is a type of security testing that utilizes automated tools, manual techniques and procedures that real-world hackers would use if their goal was to attack your business organization. Penetration testers, otherwise known as ethical hackers are skilled individuals who will look to exploit any level of security vulnerability in your business’s defense in order to gain a foothold into your company network.
From there, a penetration tester would attempt to leverage that foothold to move laterally within your network, gaining credentials with greater permissions until they’re able to complete their objectives, which may be to gain control over your network and intellectual property. In doing so, they are actually able to indicate where your vulnerabilities are so you can remediate them before an actual malicious party is able to.
Penetration testing itself is actually an umbrella term that includes probing external and internal networks, web applications, and even social engineering techniques such as phishing, tailgating and other physical attacks.
It is very important to understand that penetration testing is not simply running automated vulnerability scanners and providing the client with a report of unvalidated results littered in false positives and false negatives. Where a vulnerability scan is produced by an automated tool that may scan ports, networks, and applications for vulnerabilities, a skilled penetration tester will use a vulnerability scan as just that, a tool; a tool that they may leverage in their objective, but their work goes far beyond the depth and comprehension of an automated scanner. Once a vulnerability scan has been run, to highlight potential vulnerabilities, a penetration tester will then follow a logical methodology in effort to exploit all the attack vectors a real hacker might use to break into your systems. A vulnerability scan alone cannot provide a sufficient security measure.
Even further in depth is the red teaming process known as objective-based penetration testing. Objective-based penetration testing, colloquially known as an OBPT pen test, goes further than vulnerability scanning and penetration testing and can include social engineering techniques, such as phishing and deceitful phone calls, as well as physical security attacks, such as tailgating, card cloning and device drops. This sort of testing allows for a more real-world, holistic view of an organization’s security. It should be noted that while many organizations utilize phishing exercises internally, they pale in comparison to the comprehensive value provided by an objective-based penetration test.
Objective-based Penetration Testing: A penetration test in which, during the scoping process, the client defines a clear set of objectives they wish to evaluate rather than defining the individual target applications or networks. In this simulated-attack process, the organization will have a clear idea of how the organization will fair through a real-world cyber-attack. As well, the efficacy of the organizations incident response process will be tested, a service that is invaluable in and of itself.
Why is Penetration Testing Important?
Simply put, penetration testing is conducted for one purpose, to safeguard the organization. By efficient use of penetration test results, a participating organization can identify and mitigate their vulnerabilities. Qualified penetration testers are very helpful cybersecurity professionals who will not just identify security issues, but will also walk a client through the findings with precise recommendations on how to remediate them.
Proactive, regular penetration testing is absolutely imperative because standard security investments will never identify and mitigate every security gap; malicious parties will consistently find ways through defenses in order to succeed in their goal. Penetration testing is today’s businesses best way to accurately replicate, predict and thereby thwart a hacker’s probable attacks.
What You Need to Consider Before the Pen Test!
As a client, it is very important to understand who and what you are contracting in order to avoid surprises that may come up during or after the testing process. As mentioned earlier, you need to be clear on the differences between vulnerability scanning, penetration testing and objective-based penetration testing, first and foremost. It’s absolutely critical to understand that not all penetration testing is created equal and before choosing a penetration testing company a client needs to be clear on the qualifications of the penetration testers, scope of testing, methodology as well as experience.
Along with deciding on a penetration testing firm, the next item of importance is obtaining a complete understanding of the depth of penetration test to be performed; a VA scan, penetration test? Is it objective-based? Risk-based? Etc. Do not be afraid to ask the questions; it is critical that a client is active in the scoping process and be clear as to what you wish to accomplish, methods allowed, and any omission requirements. As well, consider that although some testing methodologies may be vague by design (I.e. if the client or any staff are aware of certain aspects of the testing, it may interfere with the results.), a penetration testing firm should be providing a description of their methodology. If not, you’d be wise to question them; proper scoping and a thorough understanding of the testing requirements will help to eliminate the chance of confusion and dispute during the testing phase.
As pen testers, we are frequently called upon to investigate after a security incident has happened. More often than not, proactive penetration testing could have easily identified the exploited vulnerabilities used by malicious parties, and remediation efforts could have saved the organization a whole lot of grief, not to mention possible fines, loss of customer confidence, and business interruption. Verizon’s 2019 Data Breach Investigations Report suggests that 52% of breaches involved hacking, 21% involved human error, 15% involved misuse by authorized users and 33% involved social engineering. At Packetlabs, we’ve found that the most commonly exploited vulnerabilities are those that could easily be missed by automated scanning including lack of security awareness, improper security policies and privileges, and missing patch updates.
Remember, although security tools do a decent job, it should be understood that a skilled hacker will find a way around them. The best way to stay ahead of a malicious hacker, is to hire a skilled team of ethical hackers to find and isolate your organizations vulnerabilities before it’s too late. Don’t forget to make sure to compare scope, depth of testing, as well as the qualifications of testers!