What is Penetration Testing? Measurement is Part of Management
Penetration testing is the process of mimicking real cyberattacks to uncover and address vulnerabilities in systems or networks.
How can you get an objective measurement of the effectiveness of your cyber defenses? Are the measures you’ve put in place as impenetrable as you hope? Penetration testing gives you the facts.
Techopedia Explains
Sound cyber security is built on three pillars:
- Technological measures
- IT Governance
- Staff awareness training
Your staff awareness training, refresher sessions, and induction for new employees are defined and scheduled in your IT governance procedures, and your IT governance should itself be checked periodically by audit. That covers two of the pillars. But how do you audit your technological defenses?
That is the function penetration testing provides: it looks for vulnerabilities and weaknesses in your network defenses. Cyber security isn’t something you can fit and forget. You might implement state-of-the-art hardware and software, but that isn’t the end of it. You can’t put your feet up and consider cyber security ticked off.
All non-trivial software will contain bugs. That includes application software, operating systems, and firmware in network-attached devices such as firewalls, routers, and switches. Those bugs may lead to vulnerabilities, and vulnerabilities can be exploited. That’s why manufacturers release security patches. These fix the bugs and close vulnerabilities that have been discovered since the previous patch was released.
Most penetration tests begin with a vulnerability scan. Scanning software enumerates the hosts, applications, devices, and physical security components on your network, retrieves the software or firmware version and patch status of each, and reports the publicly known vulnerabilities that have not yet been patched. Scanning is a necessary first step, but it is not the whole test: a scan lists candidate weaknesses, and a tester then confirms which of them can actually be exploited, chains them together, and discards the false positives.
Good penetration testing will also look for attack vectors that do not rely on software or hardware vulnerabilities at all: misconfiguration, and issues stemming from poor cyber hygiene such as default passwords left unchanged on devices, weak passwords, or accounts with no password at all.
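The version and patch-status check described above is, at its core, a comparison of what a service announces about itself against a baseline of acceptable versions. The following is an added illustration, not code from the original article or from any scanner product: the banners are constructed sample input, `MINIMUM_APPROVED` is a constructed patch-policy baseline rather than a list of real advisories, and `ExampleCMS` is a hypothetical product name. It also shows the one pitfall every scanner has to get right, which is that versions compare numerically, not as strings.

```python
"""Version and patch-status checking of the kind a vulnerability scanner performs.

Added example: not code from the original article or from any scanner product.
SAMPLE_BANNERS is constructed input and MINIMUM_APPROVED is a constructed
patch-policy baseline, not a list of real advisories.
"""
from __future__ import annotations

import re
from typing import Optional

# Constructed baseline: the lowest version of each product that the patch
# policy accepts. A real scanner derives this table from vendor advisories.
MINIMUM_APPROVED = {
    "OpenSSH": "9.6",
    "nginx": "1.24.0",
    "ExampleCMS": "4.10.2",  # hypothetical product, for the example only
}

# Service banners as a scanner might retrieve them (constructed sample input).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "SSH-2.0-OpenSSH_9.6p1",
    "Server: nginx/1.18.0",
    "Server: nginx/1.25.3",
    "X-Powered-By: ExampleCMS 4.9.17",
    "220 mail.example.test ESMTP ready",  # nothing below recognizes this one
]

# Each recognizer pulls the dotted version number out of one product's banner.
BANNER_PATTERNS = [
    (re.compile(r"OpenSSH_(\d+\.\d+)"), "OpenSSH"),
    (re.compile(r"nginx/(\d+(?:\.\d+)*)"), "nginx"),
    (re.compile(r"ExampleCMS (\d+(?:\.\d+)*)"), "ExampleCMS"),
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '8.10' into (8, 10) so that comparison is numeric.

    A plain string comparison gets this wrong: '8.9' > '8.10' lexically,
    because '9' > '1', even though 8.10 is the newer release.
    """
    return tuple(int(part) for part in version.split("."))


def version_below(found: str, minimum: str) -> bool:
    """True if `found` is older than `minimum`; '1.24' and '1.24.0' are equal."""
    a, b = parse_version(found), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def identify(banner: str) -> Optional[tuple[str, str]]:
    """Return (product, version) for a recognized banner, else None."""
    for pattern, product in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, match.group(1)
    return None


def assess(banners: list[str]) -> list[dict]:
    """Classify each banner as 'outdated', 'ok', or 'unrecognized'."""
    results = []
    for banner in banners:
        ident = identify(banner)
        if ident is None:
            results.append({"banner": banner, "status": "unrecognized"})
            continue
        product, version = ident
        minimum = MINIMUM_APPROVED[product]
        results.append({
            "banner": banner,
            "product": product,
            "version": version,
            "minimum": minimum,
            "status": "outdated" if version_below(version, minimum) else "ok",
        })
    return results


if __name__ == "__main__":
    for row in assess(SAMPLE_BANNERS):
        print(row["status"].upper().ljust(12), row["banner"])
```

Two caveats a tester applies to output like this: distributions often backport security fixes without changing the upstream version in the banner, so a version-only check produces false positives that an authenticated check of installed package versions resolves; and an unrecognized banner is a gap in coverage, not a clean result.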
If you can’t measure it, it is difficult, if not impossible, to manage it. Penetration tests allow organizations to truly know the strength of their defenses and to make sure all areas, departments, and networks are equally well protected.
You need to find and address the vulnerabilities before threat actors do. Because the reported vulnerabilities are scored and banded by severity (most reports use the Common Vulnerability Scoring System, CVSS, for this), it is easy to prioritize the ones that need to be addressed urgently.
The Significance of Penetration Testing
Good penetration testing will allow you to:
- Verify Your Security Controls: Measure the overall health of your application, network, and physical device security layers. Vitally, what do you need to do to improve it?
- Uncover Vulnerabilities: Penetration testing will find vulnerabilities you’ve never even considered. And if you don’t know about them, you cannot address them.
- Maintain Compliance: Standards bodies – or customers or partners – might require you to undertake scheduled penetration testing, and to provide evidence of the remediation you have performed to address the vulnerabilities. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires penetration testing of the cardholder data environment at least annually and after any significant infrastructure or application change; how you must validate compliance depends on your transaction volume.
- Demonstrate Commitment to Security: Customers and partners now routinely ask to see evidence of IT governance, compliance with relevant data protection standards, and the date and scope of your last penetration test as a standard part of due diligence.
Performing Penetration Testing
Penetration testing can be performed in-house or outsourced to specialist businesses.
In-House Penetration Testing
To perform penetration testing in-house, you’ll need penetration testing tooling and sufficiently skilled personnel. Professional penetration testing takes different forms, from automated scans, through manual testing by white-hat hackers actively trying to break into your network, website, or organization, to full red team exercises that simulate a specific adversary and test your detection and response as well as your defenses.
Outsourcing Penetration Testing
Outsourcing penetration tests can be advantageous. It ensures objectivity, and the results can carry more weight: a report from a reputable business dedicated to penetration testing is likely to be more compelling to customers, auditors, and your board than a report produced in-house.
Penetration tests are described along two independent axes. External and internal tests differ in where the tester starts from. Black box, grey box, and white box tests differ in how much the tester is told beforehand: nothing beyond the company name, partial information such as a list of in-scope addresses, or full documentation and credentials. The two are often confused, but an external test can be run black box or white box, and so can an internal one.
External Penetration Test
An external penetration test is performed from the internet, against the systems a genuine threat actor can reach: your perimeter firewalls and routers, exposed services, and your websites. It is commonly run black box, so that the tester starts with no information about your defensive measures and has to discover your public footprint exactly as an attacker would, looking for ways from the outside world into your network or website.
Internal Penetration Test
An internal penetration test is performed from inside your network, from the position of a threat actor who has already got past the perimeter, a compromised workstation, or a malicious insider. It checks operating systems, firmware revisions, application versions, device configuration, and more, and detects the weaknesses that can be leveraged to move through the network once it has been compromised, including the ones exploited by automated malware such as ransomware.
Internal tests are frequently white box or grey box: the tester is given network diagrams, an account, or other documentation, so that the time is spent finding weaknesses rather than mapping what you already know.
Combined, these tests will yield a wealth of information that may confirm that all is well and as secure as you had thought or that there are items that need addressing. Over time, subsequent penetration tests should discover fewer and fewer vulnerabilities.
Different Types of Penetration Testing
Threat actors will exploit three types of vulnerability: hardware, software, and people. Penetration testing software can be set to perform suites of tests according to the type of testing that is being performed. Some tools can also grade the results against a standard you want to comply with, such as PCI DSS or ISO/IEC 27001.
Network Security
Network security testing usually starts with an external test that uses scanning software to look for and catalog vulnerabilities detectable from outside your organization, primarily examining firewalls, routers, switches, and exposed services such as Remote Desktop Protocol. Remember to include your websites!
Typical findings include:
- Misconfigured devices, software, or accounts.
- Product-specific vulnerabilities in a particular make, model, or firmware revision of device, and software, protocols, and APIs that should be patched, updated, or retired.
- Wireless network vulnerabilities. Is your Wi-Fi strongly encrypted (WPA2 or WPA3, not WEP or an open network), and do you have a separate guest Wi-Fi network?
- Unnecessary services that have been left enabled.
- Firewall ports that don’t need to be open, and legitimately open ports whose services are inadequately protected.
- Weak or default passwords, and accounts or services that are not password protected at all.
- Much, much more.
Penetration testing companies can usually be engaged to extend the test beyond the scope of the automated scans. They can perform red team testing and attempt to manually compromise your network.
This will involve a multi-stage approach.
Reconnaissance
Digital surveillance is performed on your company. The red team will try to uncover as much as possible about your company and your IT infrastructure. They will check social media such as LinkedIn, visit specialist search engines that index internet-exposed hosts, use port scanning probes, and use other techniques to build up a picture of the structure and make-up of your network, and the names of your staff members.
Some of this can be easily discovered by looking at the Meet The Team page of your own website if you have one. These names are critical details if the testers are going to launch a benign phishing attack against your company as part of their test suite.
Threat Selection
The red team will select the attack vectors they are going to use and the threats they will employ. They will list targets and decide what their primary and secondary targets are. These will usually be your most valued assets.
If they can demonstrate that a real threat actor could have accessed those assets, your C-suite is likely to pay close attention to the remediation work and other recommendations that the red team makes at the end of the test.
Attack and Compromise
Armed with a set of exploit software, experience, skill, and the knowledge they have gained about you and your network from the reconnaissance phase, the red team will attack your network much as a threat actor would. The one difference is that they work within an agreed scope and rules of engagement: which systems are in bounds, what may be done to them, and who to call if something breaks.
Reporting
The red team will deliver a report that details what they managed to do, which exploits were successful, and the potential damage to your company had the attack been real. Corrective actions are also reported to allow you to address the shortfalls in your security.
If a benign phishing attack was conducted, those staff that fell for the scam emails and clicked the links or opened the attachments will be identified as candidates for a refresher cyber security staff awareness session.
Physical Penetration Testing
Physical penetration testing measures the strength of a company’s existing physical access controls. This can include elements of social engineering, with red team members visiting your company posing as fire marshals, salespeople, potential customers, or anything else that gets them from your reception area and properly into your building.
Once they have access to your building, they can plant hidden devices that open up remote access for the testers, remove printed documents, drop malware-laced USB drives, and so on.
Web Application Penetration Testing
Penetration tests for websites cover the technologies, protocols, and software libraries used to build and run them, and are commonly organized around the OWASP Top 10 categories: injection, broken authentication and session handling, broken access control, security misconfiguration, and the like. Of particular interest is how stored credentials are protected. Are passwords hashed with a salted, deliberately slow password hashing algorithm, reversibly encrypted, or stored as plain text? And how susceptible is the database itself to unauthorized access?
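The password-storage question above is one a web application tester can often answer from a credential table alone, because the weak schemes leave a visible signature. The following added example (not code from the original article or from any framework) puts an unsalted fast hash, which is what scanners and reviewers flag, beside a salted PBKDF2 scheme. The user records are constructed, and two of them deliberately share a password to show why the distinction matters.

```python
"""Weak versus sound password storage, as a web-application tester assesses it.

Added example: not code from the original article or from any framework.
USERS is a constructed sample; the shared password is deliberate.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from collections import Counter

# Constructed sample: alice and bob happen to have chosen the same password.
USERS = [
    ("alice", "Summer2024!"),
    ("bob", "Summer2024!"),
    ("carol", "correct horse battery staple"),
]

# OWASP's recommended minimum work factor for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def store_weak(password: str) -> str:
    """Unsalted fast hash (legacy SHA-1).

    Cheap to brute force, and identical passwords produce identical stored
    values, so shared and common passwords are visible at a glance and
    precomputed tables work against the whole table at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_sound(password: str, salt: bytes | None = None) -> str:
    """Salted, deliberately slow password hash.

    The random per-user salt makes equal passwords look different; the
    iteration count makes each guess expensive. The record carries its own
    parameters (scheme$iterations$salt$digest) so they can be raised later.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_sound(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_hash_count(stored_values: list[str]) -> int:
    """Number of distinct stored values that belong to more than one account.

    Anything above zero tells a tester the table is unsalted (or plaintext):
    with per-user salts, equal passwords never produce equal records.
    """
    return sum(1 for count in Counter(stored_values).values() if count > 1)


def credential_table(storage) -> dict[str, str]:
    """Build a username -> stored-value table with the given storage scheme."""
    return {user: storage(password) for user, password in USERS}


if __name__ == "__main__":
    weak, sound = credential_table(store_weak), credential_table(store_sound)
    print("weak table, shared values: ", shared_hash_count(list(weak.values())))
    print("sound table, shared values:", shared_hash_count(list(sound.values())))
    print("alice verifies:", verify_sound("Summer2024!", sound["alice"]))
```

PBKDF2 is used here because it is in the Python standard library; a memory-hard function such as scrypt or Argon2id is the better choice where a library is available. Reversible encryption of passwords, the third option the paragraph mentions, is not shown because it is never the right answer: whoever holds the key, or compromises the server that does, recovers every password.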
Internet of Things Penetration Testing
Businesses are starting to deploy Internet of Things (IoT) devices such as smart thermostats to reduce running costs and Wi-Fi-enabled CCTV cameras to provide security surveillance without the hassle of wiring. These devices are often cheap to purchase, easy to fit, and provide the functionality that we need or want, so there is a compelling case to use them.
But it must be remembered that these are internet-accessible devices that are also connected to your Wi-Fi. Securing them is as important as securing any other network-connected device, and placing them on a segregated network limits what an attacker who compromises one of them can reach.
IoT penetration testing will check for default passwords, vulnerable firmware, misconfiguration issues, insecure or deprecated protocols, insecure APIs, and more.
What Happens After the Test? The Bottom Line
You should use the report to guide your actions. Obviously, address the critical issues first. If you go below decks on a ship and see the hull is breached with a big hole, a smaller hole, and a tiny hole, you plug up the big hole first. The same principle applies here. Deal with the top-most set of threats and vulnerabilities, and repeat until you have worked through the list.
Penetration test reports can be huge. But very often, one corrective action clears pages of findings. For example, an expired or self-signed TLS certificate generates a separate finding for every host and port on which it is presented, yet replacing the certificate is an easy fix that closes all of them at once.
If you need to, put staff who fell for the phishing or the social engineering attacks through cyber security awareness training.
Schedule your next penetration tests. If you are bound by a standard such as PCI-DSS, the minimum frequency of tests might be decided for you.