Penetration Testing 101

I read somewhere that your security is only as good as the measures you use to test it, which makes sense, and which explains the shift we have seen in the past few years in the security market. Penetration testing, aka ethical hacking, is a way that you can test your network yourself and while it isn’t new, it is becoming more popular. We’ve used the phrase “think like an attacker” for years and that is truly at the heart of a penetration test — you think and act like an attacker trying to get into your system. You are using this tool in the same way that an attacker would and are testing all of the big scary vulnerabilities that your scanners spit out each week to see if you can actually exploit them or if you are safe.

Some organizations hire in-house staff for penetration testing and some of them rely on consultants. Either way these organizations are figuring out that it is cheaper to find these vulnerabilities themselves rather than pay to clean up the breach that happened when someone else did. Companies that must comply with PCI-DSS are actually forced to do penetration-testing in order to remain compliant. However, you should look at this as more than just a checkbox on an audit form. This is a way to check for the minor oversights and mistakes made by the most unpredictable part of your organization- your people.

A good pen-tester is invaluable to your team. The good ones test your organization with fake phishing attacks to see who will click that sort of suspicious link, or try and use social engineering to crack their “hobby + year I was born” password. But the great ones? The great ones go above and beyond and those are the stories that I love the most.

One of the more common ways to test the network is to simply drop a USB in the parking lot at your company and see who picks it up. Bobby Kuzma stated in the previous blog that this type of trick was mentioned at Black Hat and he has even done it himself. It is incredible how many people pick this up and hook it up to their

laptop, while on the network, to figure out what is inside. My favorite story so far was when an iPad was sent to the VP of Sales with the note “congrats on making your quota!” which he quickly opened and started setting up, again on the network, and what he didn’t see were the hidden malware applications that led the tester right to the usernames, passwords, and other access date he needed to worm his way through the company.

Yes, once your penetration tester gets in they need to see where they can go. It isn’t just about exploiting the one vulnerability, it is about seeing how far they can get into your system so that you will know exactly what you need to patch. Choose a solution that can do this for you. Some can not only replicate attacks but can also pivot across systems, devices, and applications to show the chain of vulnerabilities that exist in your system.

How often should you use penetration testing? How often are there new vulnerabilities or exploits released? That’s right — all the time! Make sure that you are using a solution that constantly updates its vulnerability library, so to speak, with all of the newest vulnerabilities and exploits or else you are living in the past. Speaking of the past, businesses no longer run on desktops and a singular network. You should be testing on mobile and web applications as well as your wireless network. BYOD was and is a hot trend in the workplace. If you are allowing this practice without testing it, you are opening up your company to a multitude of risks.

In the end, you are always going to be vulnerable and if there is a hacker out there who is motivated enough then she can still find a way into your system. However, with penetration testing you can take the ease out of it for them. You can stay on top of the serious vulnerabilities in your organization and stop an attacker before they can worm their way to your valuable assets.