Looking at the explosion in cybercrime in the last 20 years, it’s hard not to conclude that the criminals hold all the good cards. There has never been as much investment in cybersecurity defense and yet the attacks keep coming. Some cyber criminals seem to make as much money as successful mid-tier companies. Nobody seems able to stop them.
How did such a world come to pass? One answer is that many organizations have no idea how well their defenses perform under real-world conditions until after an attack, by which time it’s too late. Organizations learn one at a time and are easily picked off. The pattern repeats with every new cybercrime innovation, with ransomware being a prime example of how cybercriminal innovation can terrorize even well-resourced organizations.
Penetration testing, or pen testing, promotes itself as one way of tackling this problem. As with most ideas in cybersecurity, it’s been around for decades, but in the Internet era its importance, sophistication, and formats have evolved out of recognition. Once seen as optional or only for big companies with money to spare, some form of pen and vulnerability testing has increasingly become an essential undertaking even for smaller companies.
Pen testing basics
Today, even small networks can be complex, which increases the likelihood of oversights and misconfigurations as well as equipment flaws, both known and unknown. The point of a pen test is to simulate a real-world attack on this infrastructure, uncovering and exploiting vulnerabilities in the same way an attacker would and identifying as many weaknesses as possible. These can then be addressed before a real attacker exploits them. No damage is done during this process, which happens under a set of pre-agreed parameters, and at the end of a test defenders should receive a report that tells them about the weaknesses in their network, their business processes, and even the susceptibility of employees to social engineering.
Types of pen testing
Classic pen tests are defined by three factors agreed in advance – the objective or scenario (to reach a specific target or data), the starting point (launched externally or internally), and the level of knowledge assumed (which can be anything from none to highly defined). Within this, tests usually fall into one of the following categories.
Black box testing, in which the pen tester tries to compromise the client organization from the outside with no prior knowledge of its systems. The advantage of this is that, by simulating a zero-knowledge scenario, it can uncover weaknesses that can only be found speculatively, that is, by trying every door handle and lock.
Internal testing, which assumes access to the internal network, for example by a malicious employee or vendor, or through a workstation that has been compromised by some other means. The advantage is that this models the common scenario in which attackers have already bypassed perimeter controls, giving organizations an idea of how far an attacker can go with this access.
A ‘white box’ audit, in which the tester is granted full access in order to test a specific internal system or application.
Web application pen testing, which assesses public-facing web applications for common vulnerabilities such as cross-site scripting (XSS), design flaws, and weaknesses in access controls.
Red teaming, a live wargaming test in which external test ‘hackers’ are pitted against an organization’s in-house security team using any and every technique, including testing physical security and resistance to social engineering. Although not strictly a pen test, the popularity of this type of assessment has grown on the back of pen testing as an effective way to assess incident response. Red team scenarios are not intended to be a substitute for conventional pen testing.
How a pen test happens
The first stage of a classic external pen test starts with information gathering and reconnaissance of the target’s systems before moving on to scanning for common vulnerabilities. If this achieves a basic compromise, pen testers then look to move laterally to other systems, wherever possible trying to establish backdoor persistence so that they can regain access should they be spotted. Once the objective has been reached, each step of this process is written up in a final report for the client, itemizing vulnerabilities and access control failures with an explanation of the patching and mitigation steps needed, in order of priority.
Pen test limitations
- A single pen test only shows the vulnerabilities of an organization at one moment in time. Networks, employees, and processes constantly change, which means that new flaws might appear after a test.
- Pen tests come in many forms – working out which type is the most effective for a particular organization is not always obvious.
- In a booming industry, not all pen testing companies are the same. Organizations need to ask for references and make sure the testers themselves are qualified and experienced enough for the type of test being conducted.
Pen testing benefits
Pen testing gives organizations an independent and realistic assessment of the vulnerabilities lurking in their network. These issues can be addressed before attackers exploit them.
Scheduled pen tests give a baseline for assessing security over time. This comparison can be used to help plan security investments going forward or to validate the past investment.
Pen testing exercises all aspects of an organization’s defenses, including factors such as employee behavior and business processes which are often invisible to in-house security teams.
Pen testing has rapidly evolved from a cottage industry of self-starters – so-called ‘ethical hackers’ – into a professional sector offering a wide range of custom services, backed by accreditations. The sector is now so successful that some larger companies employ full-time pen testers to assess their organization on an ongoing basis. However, pen testing is always better done by outsiders. That approach remains true to the pen testing ethos of giving clients a dispassionate assessment of their security – whether elements inside the organization want to hear it or not.