What is Penetration Testing?
Penetration testing, often called “pen testing”, is one of several techniques used to verify cybersecurity posture and provide a level of assurance to the organization that its cyber defenses are functional. It’s a way of testing defenses against an adversary who mimics a cyber-criminal actor.
First Rule of Network Penetration Testing: Make sure you have a signed contract to perform the services of a pen tester, including a statement of work, and a detailed scope for the engagement. Failure to follow this advice could result in civil and/or criminal legal action being taken against you.
It should be noted that many compliance and regulatory requirements, including the General Data Protection Regulation (GDPR) require an organization to undertake regular testing to evaluate the effectiveness of organizational security controls. It stands to reason that the further an adversary can penetrate into your organization and retrieve sensitive and/or confidential information, the more evident the business case for improving your cyber security posture becomes.
The technique of cyber security pen testing is not without controversy. Detractors of pen testing as a cybersecurity test point out that the techniques used by professional pen testers are generally reserved for sophisticated cyber criminals or nation state actors. The argument then is that pen testing does not mimic the “everyday” cybersecurity threat the organization faces, given its level of risk tolerance.
Although that argument runs right up against the evolution and increasing sophistication of cyber-criminal attacks, an organization may not have the financial or IT resources to deal with the outcomes or recommendations of the pen test. In fact, a pen test can be a demoralizing experience for the organization’s already stressed IT staff, and it may document risks the organization would rather not have illuminated.
Simply put, a pen test requires a basic level of cyber hygiene and organizational readiness – there has to be organizational will to mitigate the “findings” of the pen test. If the organization has not instituted basic cyber security controls as prescribed by UK Cyber Security Essentials or the CIS top five security controls, then money invested in a pen test may be quite wasteful.
In short, if the organization has not:
1. Secured the internet connection with a firewall
2. Secured organizational devices and software
3. Controlled access to organizational data and services
4. Protected organizational endpoints from viruses and other malware
5. Made sure organizational devices and software are up to date
then the pen test will not go well for your organization, and an adversary will have a field day.
Penetration Testing Tools
There is a myriad of pen testing tools available, the majority of them open source. The profession of pen tester is linked to professional certifications such as Certified Ethical Hacker, CompTIA PenTest+ and Offensive Security Certified Professional (OSCP), and an extensive SANS curriculum built around pen testing and the use of popular tools is also available.
Here is a list of common pen testing tools (OK, my favorite tools!) that pen testers will unleash on an organization. Many folks in the business of professional pen testing have their own preferences, and professional software is also available.
Common Network Penetration Testing Tools
- Nmap – Free!
Network scanner and enumerator, supported by a massive community and extensible with a great deal of scripting capability.
- The Metasploit Framework available on Kali Linux – Free!
Many special-purpose pen testing tools and password crackers, as well as wireless security tools. I would say this is an accepted industry standard.
- ZAP – Free!
An older attack proxy framework used to evaluate website and web application security. I like it and find it easy to use as I am not skilled enough to use something like Burp Suite against a website.
- Nessus – Not free.
This software does require professional licensing to use as a professional pen tester, but it is an excellent vulnerability scanner. (Another one I recommend is Outpost 24.)
- Maltego Community Edition – Free!
This does not do any pen testing, but it is my go-to documentation tool for network mapping and domain enumeration. It is mostly a cyber threat intel platform, but for making the pretty pictures it’s a lot more automated than Microsoft Visio.
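Hygiene item 1 above (a firewall in front of the internet connection) is something an organization can verify itself with the first tool on this list before paying for a pen test. The script below is an added example, not code from the original post or from the Nmap project: it parses Nmap’s grepable (-oG) output and compares the ports actually observed open on each host against a per-host baseline of what the firewall is supposed to expose. The two sample scan lines, the 192.0.2.x addresses, the hostnames and the ALLOWED baseline are constructed for the example; only the line layout follows the -oG format.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of nmap grepable (-oG) output for two hosts.
# Addresses, hostnames and services are made up; nothing here comes from a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.0.2.10 (web.example.test)\tStatus: Up
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx/, 443/open/tcp//http//nginx/\tIgnored State: filtered (997)
Host: 192.0.2.20 (files.example.test)\tStatus: Up
Host: 192.0.2.20 (files.example.test)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)
# Nmap done (constructed sample)
"""

# Assumed firewall policy for the constructed hosts: the TCP ports each host is
# *supposed* to expose toward the position the scan was run from.
ALLOWED: Dict[str, Set[int]] = {
    "192.0.2.10": {80, 443},   # public web server: HTTP/HTTPS only
    "192.0.2.20": set(),       # file server: nothing should be reachable
}

# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"^(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/$")

PortRecord = Tuple[int, str, str, str]  # (port, state, service, version)


def parse_gnmap(text: str) -> Dict[str, List[PortRecord]]:
    """Return {ip: [(port, state, service, version), ...]} for the TCP ports
    listed in nmap -oG output. Hosts that were up but had no port line still
    appear, with an empty list."""
    hosts: Dict[str, List[PortRecord]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." header/footer lines
        # Each tab-separated field looks like "Name: value".
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]  # "192.0.2.10 (web.example.test)" -> ip
        hosts.setdefault(ip, [])
        if "Ports" not in fields:
            continue  # "Status: Up" line, no port data
        for entry in fields["Ports"].split(", "):
            m = PORT_RE.match(entry.strip())
            if not m:
                continue  # tolerate entries we do not understand
            port, state, proto, service, version = m.groups()
            if proto == "tcp":
                hosts[ip].append((int(port), state, service, version))
    return hosts


def firewall_findings(scan: Dict[str, List[PortRecord]],
                      allowed: Dict[str, Set[int]]) -> Dict[str, Dict[str, List[int]]]:
    """Compare observed open ports with the baseline.
    Returns {ip: {"unexpected": [...], "missing": [...]}} for every host that
    deviates; an empty dict means the scan matches policy. A scanned host that
    is absent from the baseline is treated as allowed nothing, so every open
    port on it is reported as unexpected."""
    findings: Dict[str, Dict[str, List[int]]] = {}
    for ip, ports in scan.items():
        open_ports = {p for p, state, _, _ in ports if state == "open"}
        expected = allowed.get(ip, set())
        unexpected = sorted(open_ports - expected)  # exposed but not allowed
        missing = sorted(expected - open_ports)     # allowed but not reachable
        if unexpected or missing:
            findings[ip] = {"unexpected": unexpected, "missing": missing}
    return findings


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for ip, result in firewall_findings(scan, ALLOWED).items():
        print(f"{ip}: unexpected open ports {result['unexpected']}, "
              f"expected but closed {result['missing']}")
```

With real data the input would be the file written by `nmap -sT -oG scan.gnmap <your own address range>` run from outside the firewall; a non-empty result is the kind of finding a pen tester would otherwise be paid to write up. Ports the scan reports as filtered or closed are deliberately not counted as open, so a host that is protected but not yet in the baseline shows up only if something is actually reachable.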
As a professional pen tester you are only as good as your Google-Fu. Depending on the nature of your engagement, websites like Shodan, ExploitDB, or even searching for “Default Password for <insert make> <model number> device” will yield sources of information which may prove useful. It’s also surprising how frequently reverse IP lookups and domain name registration information are necessary to conduct the pen test.
Website Penetration Testing
This is really a subset of network penetration testing and is firmly (at least in my opinion) in the realm of software developer meets adversary. Websites are complex layers of software which usually connect to a “back-end” database. The database is potentially filled with customer or employee information which a cyber-criminal would like to steal and sell, and/or destroy with ransomware.
Thousands of hours of developer time may have gone into the creation of customer-facing websites, and they may even have access to credit card payment information. No matter what the database contains, it needs to be defended, as there are any number of techniques by which a cyber-criminal can gain unauthorized access.
Although a scanner like Burp Suite or ZAP can detect many of the OWASP Top 10 common vulnerabilities, a skilled web application pen tester can target the website’s API(s) to perhaps coax information from the site which should not be revealed. Because websites are intensely linked to the organization’s online brand and may be a primary source of revenue, many organizations insist on a web application pen test before a site goes live.
Penetration Testing Report
In most cases this is called the “dreaded” pen testing report. For most organizations who thought they had a decent security posture, this report usually suggests a lot more can or needs to be done. What makes for a good report is a list of the most impactful, most readily achievable, and least expensive solutions to the discovered shortcomings. The best pen test report also identifies items which the organization is doing well, in addition to items the organization needs to improve upon, to allow for some solace as the mountain of work to do is revealed.
One of the most powerful metrics, and a significant boost to organizational compliance, is to use the pen test report as a road map for key IT projects and process or technology implementations in the next year. The first pen test the organization receives sets the need for future improvement. The second pen test report should show measurable improvements. If there has been no improvement between the two, it may be time to consider a radical course of improvement before your organization is targeted by a real cyber-criminal adversary.