Cybersecurity As Relatable As Possible (#6) - Pen testing

Yeah, that is probably what my mum would think of when she hears about pen testing. Can’t blame her, right?

In the fourth episode of the Cybersecurity ARAP Series, I talked about hackers and mentioned white-hat hackers as a type. These individuals are also called ethical hackers because they carry out their activities in accordance with regulations and with proper authorization.

Today, I want to discuss the primary responsibility/job role of these so-called ethical hackers — penetration testing.

Imagine yourself as a homeowner. You have just moved into a new home and you want to ensure its security.

You’ve purchased all the necessary components from a reliable vendor, ensuring their authenticity. But since you take security very seriously, you decide to take proactive measures.

You hire a skilled burglar to try to break into your house using various methods that a real thief might use.

The burglar will assess your doors, windows, locks, how sharp the barbed wire is, and any other entry points to find weaknesses in your security system.

Similarly, in penetration testing, a knowledgeable cybersecurity professional (the pen tester) seeks to identify vulnerabilities in your computer systems, networks, applications, or other digital assets.

They use a variety of tools and techniques to simulate real-world attacks and assess the effectiveness of your security measures.

All of this is done to find weaknesses before potential attackers do.

Quite the sneaky, sharp landlord you are, huh?

Penetration testing is the practice of testing a computer system, network, or web application to find vulnerabilities that an attacker could exploit.

If you’re thinking of it as an authorized and simulated cyberattack on systems to identify security gaps, you’re absolutely right.

These vulnerabilities, if left unchecked, can be exploited by malicious actors to gain unauthorized access to an organization’s sensitive data.

It’s essential to understand that this practice of testing computers or networks to identify weaknesses is a proactive security measure. It’s an activity carried out in advance, aimed at preventing an individual, a company, or an organization from being attacked.

To illustrate this, consider the story of the Equifax data breach.

The Equifax data breach in 2017 is one of the most significant security incidents in history. Equifax is one of the largest consumer credit reporting agencies in the United States. The breach exposed the personal information of 143 million individuals, including their names, social security numbers, birthdates, and addresses.

You see, Equifax had previously hired a third-party vendor to conduct a penetration test on its system. However, the vendor failed to identify a critical vulnerability in their web application framework — Apache Struts. This loophole allowed attackers to gain access to the company’s data.

If Equifax had conducted a thorough penetration test, this vulnerability would have been identified and remediated before the breach occurred. As a result, Equifax paid a hefty price, including paying out $700 million in fines and settlements.

These are the consequences of mishandling customer data, which can result from not conducting proper penetration testing.


What Are the Types of Pen Tests?

Assets are generally sensitive information the company needs to protect, like credit card information, for example. 

Obviously, penetration testers do not cause damage or delete any data. The goal of the exercise is to expose flaws and breaches to show how much data could be stolen, or how the infrastructure and security team would cope with a real life attack.

In order to simulate a real-life attack as closely as possible, they will attempt to break into your network using all means available and without any prior knowledge of your network (black box testing).

All data will be gathered from publicly available sources or from the testers’ own internal assessment procedures. And to make it even closer to reality, they only get a financial reward when they get in!

External penetration testing

External penetration testing refers to trying to compromise your assets from outside your perimeter network. In order to protect yourself from outside threats, professionals test all internet-facing components (Corporate website, email server, DNS servers, etc.) for potential holes in their security that would allow an attacker to breach the system.

Internal penetration testing

Internal attacks can have a large impact on a business and its processes, given the nature of internal trust relationships. Insider threat is one of the most dangerous threats to information security, because it gives an attacker an important edge in stealing sensitive information or bringing down the company’s critical services.

Black Box testing

Black box testing refers to testing a system without any prior knowledge of the target; all information is gathered either from public sources or through a specific assessment of the client’s infrastructure. Black box testing is usually preferred to simulate real-life attacks from outside hackers (like bug bounty hunters).

White Box Testing

In contrast to black box testing, white box testing refers to testing a system with shared knowledge of it, in full collaboration with the client and its technical staff. In our new-house analogy, the professional burglar is conducting this type of test if he liaises with the architects and structural engineers of the building. White box testing is typically preferred when simulating internal attacks, where an employee might exploit well-known flaws in the system.


The tools used in penetration testing are numerous, but I will mention the top three.

1. Metasploit

This is the most advanced and popular framework used for pen testing. It is built around the concept of an ‘exploit’, code that bypasses the security measures of a system to get inside it. Once in, it runs a ‘payload’, code that performs operations on the target machine, which makes it a complete framework for penetration testing.

2. Wireshark

This is basically a network protocol analyzer, popular for providing the minutest details about your network protocols, packet information, decryption, etc. It can be used on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many other systems. The information retrieved via this tool can be viewed through a GUI or through the TTY-mode TShark utility.

3. Burp Suite

The most sought-after tool in web application pentesting. It is used by bug bounty hunters and other types of white-hat hackers to find vulnerabilities in web apps and report them accordingly.

Pentesting vs Ethical Hacking

Penetration testing is a part of ethical hacking, where it focuses specifically on penetrating information systems. Many people think that ethical hacking is penetration testing. Ethical hacking is a broad concept with many job roles and responsibilities, and only some of those responsibilities are shared with penetration testing.

This image might give you more clarification

Most penetration testers use the Kali Linux operating system as their platform for penetrating information systems. Kali Linux has over 600 tools that help with penetration testing.

Penetration testing is commonly done in 5 phases:

1. Reconnaissance: This phase covers all the steps taken to gather evidence and information on the targets you want to attack.

2. Scanning: Take the information gathered in reconnaissance and actively apply tools and techniques to gather more in-depth information on the targets.

3. Gaining access: In this phase, precise attacks are launched against the targets enumerated in the second phase.

4. Maintaining access: In this phase, hackers ensure that they have a way back into the compromised system.

5. Covering tracks: Attackers try to conceal their success and avoid detection by security professionals.


The Essence of Penetration Testing

In information security, penetration testing is likened to sending a secret agent into your digital building to find hidden weak spots before the bad guys do.

It’s all about uncovering sneaky vulnerabilities and fixing them up before hackers can sneak in. That’s it.

So if you’re a CISO or a stakeholder in a company, trust in the power of penetration testing to be your guardian, always on the lookout for trouble and ready to defend your digital environment.

I hope this clears things up.

Follow up on the previous episodes here:

Cybersecurity ARAP Series (medium.com): Welcome to the ARAP series — an adventure into demystifying cybersecurity through analogies, aiming to enlighten…

See you again soon.
