An employee receives a targeted phishing email and, without realizing what it is, downloads an “urgent update” for his computer. The attacker now has access to their device and is able to install a keylogger on the computer, learn more about the network, and gain domain admin access to dig even deeper.
But rather than wreaking havoc on your network and stealing information, the “attacker” provides a detailed report to company leadership, giving them a rundown of the movement they made on the network and actionable steps to prevent similar attacks.
This is a penetration test.
What is Penetration Testing and Why is it Important?
Penetration testing involves an expert security team running a real-world attack simulation on your network to detect vulnerabilities and assess risks in company security.
It goes beyond a basic vulnerability report of your network, because it involves the good guys acting like bad guys, all for the purpose of revealing the holes in your security technology and employee training.
Posing as a hacker (and using their methods) allows an organization to confidently know their security risks, remove false positives, and add an important manual component to the test. These tests are significant for a variety of reasons, from compliance and in-depth risk assessments to greater awareness of cybersecurity threats to an entire company.
While there are a variety of methods and styles of penetration tests, the general idea is simple:
Cybersecurity experts (either provided with information about your security or given no additional information) use the same methods as a hacker to pinpoint vulnerabilities on the network, exploit those holes, and move throughout the system.
How Often Should Pen Tests be Done?
The frequency of penetration tests depends on a variety of factors, from the type of industry, to compliance regulations and network technology. If there are industry compliance regulations in place, penetration tests should also be conducted as necessary to fulfill those requirements.
It is often recommended that a pen test be scheduled if any of the following occur:
- A security patch is applied
- Significant changes are made to the infrastructure or network
- New infrastructure or applications are added
- An office location changes or an office is added to the network
- New industry regulations require additional compliance
- An increase in media attention that could increase the likelihood of an attack
Who Should Perform a Penetration Test?
One main purpose of a penetration test is to have a holistic view of your security framework. This can be challenging to accomplish if the test is conducted by an internal resource.
Most compliance regulations do not require that a third party perform the penetration tests, but they must be experienced penetration testers and be organizationally separate from the day-to-day maintenance of the network being tested. This leads many companies to select a third-party team of security experts who have the necessary expertise but also an unbiased view of the company’s current state of security.
95% of all successful attacks are the result of spear fishing.
Spear phishing is an email spoofing campaign that targets a specific individual or organization to steal sensitive information or gain a foothold on the network.
The Stages of Penetration Testing
A typical pen test is broken out in multiple stages, similar to the cyberattack lifecycle. Each stage has an objective that they need to accomplish in order to further the attack.
Stage 1: Information Gathering
This is the research stage, where the tester learns all they can about your organization and employees externally. The team will use the same resources a hacker would use to target your network, including your company website, programs, online presence, employees’ social media, and more.
Stage 2: Enumeration & Identification
At this stage, the testers research your network specifically, looking for open ports, services, and applications that might be vulnerable.
Stage 3: Vulnerability Scanning
This is the final stage of preparation and research where they test manually and automatically scan for vulnerabilities on the network.
Stage 4: Attack Surface Analysis
At this stage, all of the preparation is compiled and the tester determines the best method of attack, including possibilities for capitalizing on network vulnerabilities—ultimately leading them to develop an attack plan.
Stage 5: Penetration & Exploitation
Then the plan is put into action as those vulnerabilities are exploited and the network is compromised.
Stage 6: Privilege Escalation
From there, the goal is to achieve domain admin access. The team will move throughout the network, looking for ways to gain admin access.
Stage 7: Create Persistence
The priority in this stage is to establish persistence on the network. This is typically done by creating a backup, personal login that has admin access on the system.
Stage 8: Pivot
Once persistence is established, it’s about moving throughout the network to gain access to new information. This helps the tester find the information hackers want to accomplish their goals.
Stage 9: End Goal
After all of the preparation and network movement, the end goal of the test is accomplished, whether the target is sensitive information, intellectual property, or financial accounts.
These stages of a penetration test are modeled to follow the same steps an attacker would take, using the same methods they use to learn about the organization and network, determine vulnerabilities, and plot the course of their attack. But the specific information the security experts receive from an organization varies based on the type or methodology chosen for the penetration test.
Types of Penetration Testing
Based on the tactics and objects involved, there are multiple types of pen tests that security teams can use when looking to simulate an attack on a network.
This is the most common pen test, and it involves finding the security weaknesses and vulnerabilities in a network infrastructure. A tester completes a number of network tests after gathering extensive research. Because of internal and external access points, it’s important to run these network tests both locally and remotely to gather the most information possible.
This type of pen test involves testing the employees at the organization. Psychological tactics used by hackers are often the cause of successful breaches (95% of all successful attacks are the result of spear phishing). Therefore, a pen test should test using similar tactics.
There are two types of social engineering:
1. Remote Testing - tries to trick an employee into compromising credentials or network information using an electronic means, such as a spear phishing campaign.
2. Physical Testing - uses direct contact with employees to discover and retrieve sensitive data. Many testers will impersonate other individuals via phone calls or on-site contact, and even walk through the physical office looking for unlocked computers or potential vulnerabilities.
These tests work to find the security gaps on applications locally. For example, there could be a missing application update or patch that a hacker can easily exploit, furthering their attack. The types of applications that should be tested include web browsers, content creation software packages, and more.
This test goes beyond the client network and devices to look at any security vulnerabilities on web-based applications. This type of test is incredibly complex and can take a large amount of time to be done correctly, thoroughly testing each web application in use.
A wireless network test examines all of the wireless devices used at an organization. It can involve looking to find vulnerabilities by accessing items such as smartphones, tablets, and laptops. It also looks for holes in the wireless protocol and wireless access points, searching for ways to exploit the devices and the network overall.
Penetration testing is customized to your systems and technology, in the same way that an advanced attack would be.
Risk Assessment vs Penetration Testing
Often times when it comes to security assessments or scans, terms are used interchangeably. You might be purchasing a vulnerability scan, risk assessment, or penetration test, and not know quite what you’re receiving. But the truth is these terms are very different and offer different
information to customers.
A risk assessment provides a custom blueprint of your company’s security and builds a strategy to improve the security posture and reduce risk. It uses vulnerability scans, research of your network and security, and information provided by your team to give you strategic direction to manage risks and stay within your budget. These scans use lists of known vulnerabilities to find holes in a network. This means that they are unable to provide a full picture of potential attacks and many unknown vulnerabilities could still be present on the system, leaving your network exposed.
- Provides a detailed look into your company's security environment
- Identifies areas of vulnerability or potential weakness
- Provides a roadmap to a stronger security posture
- Helps you meet requirements for your industry
A penetration test goes a step further to actually exploit known risks and vulnerabilities, but also seeks to discover additional security threats that often don’t show on a vulnerability scan. Risk assessments can provide good insight into some of the gaps in network security, but a penetration test shows how those are exploited and finds other ways attackers could make it onto your system. Penetration tests give you the full picture, from a need for more employee education, to the methods attackers use to achieve persistence on the network.
- Actively exploits vulnerabilities
- Determines the true ramifications of a breach to your network
- Uses human intelligence, not just technology
It’s important to know what you are buying and the service that you are receiving. Risk assessments can provide a blueprint of the security gaps on your system, but they might miss unknown holes that an attacker (or a penetration test) would find. Both services are necessary for a secure network—know what you want to achieve and make sure you’re asking the right questions. The size of your company, industry, compliance regulations, and current security processes should play a role as you determine what service you need at a specific time.
Black Box vs White Box Penetration Testing
As you prepare to resource security experts to conduct a penetration test on your network, the next step is to determine if you want a black box or white box pen test.
What's the difference?
Black Box Pen Tests:
In a black box test, there is no information given to the tester about the internal workings of the organization and their security architecture. It is also done spontaneously on the network, not giving any warning to the target. This allows the test to be as realistic as possible—no warning for the target and no information for the tester.
White Box Pen Tests:
Alternatively, white box tests involve network and attack information for both parties. The tester has full knowledge of the network architecture, allowing for a faster attack time frame and a more thorough pen test. However, this option misses aspects of reality that a black box test provides. While it does expand the area a pen test can cover, it does so at the cost of the tester relying on the same information a hacker would possess.
Discover weaknesses before they cause damage to your organization.
6 Reasons to Invest in Penetration Testing
1. Find Serious Vulnerabilities Before an Attacker Does
The main reason to invest in a pen test is to have an opportunity to find and fix the vulnerabilities in your network before a criminal does. A penetration test goes beyond the “on-paper” vulnerabilities. There might be necessary patches on your network that can be uncovered through a risk assessment or vulnerability scan. But those don’t take into account the extensive research and tactics a persistent hacker will use. Penetration tests are an in-depth, high-level (yet targeted) view of what is taking place in your company, both virtually and physically, that leaves you open to cybersecurity threats.
2. Train Your Team
Speaking in realistic terms instead of hypotheticals can make cybersecurity impactful to your entire team, from your front desk employees to your IT team. Rather than saying, “If you receive a phishing email…” you can say, “When we failed (or succeeded) in detecting the phishing emails from the test…” This also helps you know where to focus your employee training efforts. Maybe that means running a workshop to share tips on how to detect a phishing email, or emailing simulated phishing attacks when online training fails to keep employee awareness high.
3. Efficient Security Response Times
Knowing where your team is quick to respond and areas to improve your security technology or employee training can give you more focused security strategy. Penetration tests leave you with a summary of vulnerabilities (both in your technology and on your team) and actionable steps to make improvements. You can work to solve the security gaps, knowing what your top priorities should be when fighting potential attacks. This will help as you look to focus your cybersecurity investment.
4. Maintain Compliance
Many industries have minimum security regulations, some of which include required pen tests. For example, the Payment Card Industry Data Security Standard, which provides minimum security requirements for handling customer card information, recently incorporated penetration testing into the official process. Even when these tests come as an industry standard, the additional benefits they can provide makes the requirement both practical and beneficial to a company overall.
5. Safeguard Your Company’s Reputation
Leaving your company open to attacks, unaware of the potential gaps in training and technology, can result in a loss of sensitive information. Whether this is company or customer data, it can lead to a loss of trust from your customers that ultimately damages your company’s reputation. Penetration testing can help you find those gaps before it’s too late—and at a significantly lower cost. It will show how successful (or hopefully unsuccessful) that attack might be on your network and how long it takes for your team to detect its presence. It is customized to your systems and technology, in the same way that an advanced attack would be.
6. Test New Technology or Patches
If you have installed new technology software or are concerned about patches for previously uncovered vulnerabilities, it can be beneficial to invest in a pen test to verify that the necessary improvements have been made and your network is safer as a result.
Penetration Tests are a Learning Opportunity
The benefit of a penetration test is that you are able to see weaknesses before they cause damage to your organization. In short, they are a great learning opportunity.
They can be a great resource to bring your whole company on board to fight back against potential threats. It’s not an opportunity to point fingers but can help you move in the right direction to protect the network and show your company and customers that security is valuable to your organization.