Network vulnerability typically has the aftermaths that are really unpleasant and costly. On numerous, to say at least, occasions businesses learned their lessons the hard way: services down for quite a time, extensive (expensive too) recovery labors, saying nothing about lost profit and other long term effects. Businesses on a smarter side got a craving for data protection that is proven to be effective. How to prove it? Imitate attacks – the nastier (from all around and by various means), the better.
This is briefly how penetration tests, shortened for pentests, went to life.
Targets in sight
Let’s quickly cite the most common objects of hacking. They are:
- Information disclosure in multi-cloud environments, Server Side Request Forgery in particular.
- Authentication procedures, including ones inside local networks and attempts for external access.
- Common messengers, specifically when used to share sensitive information.
- Outdated and/or improperly patched software. Non-licensed copies seem to be the easiest prey.
- Finally, it’s rather a subject of hacking than its object. Humans: with their erroneous or purposeful behavior to get more out of the company (like escalation of personal privileges) or simply to cause harm.
Adhering further to military wording: threats are present and clear. So the known survival routines for a unit are regular drills.
Get sick to get your cure
An unexpected comparison: think of penetration test as of vaccination. What is that sting, essentially? A tiny dose of what it’s intended to be against – the real virus or bacteria, dissolved ump-thousand times. In most cases the shot will get you slightly sick, yet immune to that very disease, in some cases for your lifetime.
Penetration tests (and testers) simulate the number of attacks directed towards the same single entity. Many tasks are automated, but some, like breaking into OS, hardware and software of a client, require manual involvement.
External assaults are staged first; first line of security is tested via Internet. Then the inner perimeter is entered: testers with the access rights of an ordinary employee check an internal network – usually thru remote VPN connection. Some prohibited activity of the attacked side’s staff is often tested too; such behavior can even be provoked within the set of attacks. At the end the customer gets a thorough report on how the business is protected in general and in details; the most critical issues are put first, together with the improvement suggestions.
Currently five penetration test methods are in use. The Open Source Security Testing Methodology Manual (OSSTMM) and NIST SP800-115 seem to be the most used.
Regulations in regards to penetration tests are worth separate mentioning. Entities that process payment card data are obliged to complete whole perimeter penetration tests annually, in concordance with PCI DSS Requirement 11.3. Some local regulations may also nurture the existence of pentests.
Hence, pentests do have certain similarities with that flu (or whatever) shot. Before it you are quite agitated, at times disturbed, then there’s an “ouch” – but in fact it hurts much less than anticipated, then you’re proven to be in good health and free to be contacted without prejudices.
The real, however virtual, thing
It is a bit frightening that a penetration test has to be orchestrated absolutely “live”: customers’ concerns of “what if things go wrong” kind are comprehensible. Yet the biggest advantage and ultimately the sense of pentest are in its realism. The given client, the existing infrastructure with its hills and pits – and at the end the very trustful, thus valuable answer: is business adequately protected or requires enhancement.
Below is the description of real pentest conducted. Of course, there will be no real names or exact figures, but simply feel the authenticity in this ample reference:
“Side security expertise is inevitable as it is less biased; clients often lack competence to conduct big scale tests. Alas, small business considers penetration tests too complicated and pricy. Yet we have conducted pentest for a small business.
Our skilled team attacked client’s corporate infrastructure via all routes available both externally and internally. Not only technical tools were involved; some social engineering was also present. It simulated both massive cyber attacks and internal fraud activity, but all under control and with no dangerous aftermaths.
To imitate an intrusion Black Box model, when an attacker has no specific targets, was used. For internal penetration testing Remote User model, when a hacker connects non-controlled workstation to a local network trhu VPN, was chosen. There was neither logic access to Active Directory domain nor information on network structure and its protection available for that remote user. Wireless network protection was tested via Visitor model, when a real person gains an access to the client’s office next door.
Each test had an introductory reconnaissance phase, collecting domain names and zones, network addresses and components, protection means, web applications, account names, software and services in use. Some data on personnel were gathered as well: during social testing the team performed a pseudo-phishing send-out and monitored human reaction. In addition USB flash drives with malware imitation were dispersed around the client’s office: drives’ connections to office computers were recorded remotely.
Issue of mutual trust was big during the entire series of tests. Each phase or model was thoroughly conversed with the client. The separate memorandum on potential harm or irreversible changes was signed by both sides; if at any moment of testing the risk appeared too high or the testers were successful in their penetration, operations were stopping immediately until further clearance.
The pentest conclusion came surprise for the client. The external protection was above adequate. While the web application resistance to DDos-attacks appeared to be very low. So potential fraudsters needed not much of a computing power to get thru.
The internal structure also revealed some significant issues. But the main concern wasn’t technical. Client’s employees demonstrated lack of both care and knowledge of data security. If a corporate network looks firm from the outside, then there is always risk that someone will try to devastate it from within.”
Considering penetration tests for your business, please keep in mind:
- How big is your turnover?
- How much of your business depends on IT?
- How much could you lose in case of penetration?