Why Penetration Testing is Critical to Improving Cybersecurity Defense
Penetration testing has long been a primary method for organizations to test their defenses against cyberattacks. By hiring an outside company to pose as an attacker, organizations are able to identify weaknesses in their systems to prevent future breaches. During a penetration test, a certified ethical hacker (CEH) simulates the techniques a criminal attacker might use during an attempt to gain access to IT systems, potentially including password cracking, malware, and even social engineering.
Penetration testing, or ethical hacking, has been around since at least the 1970s – when the U.S. military and RAND Corporation began using tiger teams to test the ability of computer networks to resist attack. Today’s penetration tests are increasingly a standardized service – a packaged bundle of discovery scans, vulnerability scans, and limited attempts to exploit any discovered vulnerabilities.
While traditional techniques still dominate marketplace offerings, penetration tests in 2018 are increasingly adopting new and improved methods of testing defenses, including new attack techniques, red teaming, capture the flag and bug bounty programs.
Phases of a Penetration Test
Penetration tests remain a primary method of simulating a cyber-attack and testing defenses. A penetration test does not stop with simply discovering vulnerabilities as a vulnerability scan would – it takes the next step of actively exploiting vulnerabilities to simulate a real-world attack.
Penetration tests usually include the following phases:
Attackers progress through these phases over a period of days to weeks in order to simulate an attack and produce meaningful discovery data for the target company.
Top Five Benefits of a Penetration Test
Penetration test benefits include the following
New Tools and Techniques
While traditional penetration tests usually involve similar tools that have been in use for many years, tools are regularly updated to target new vulnerabilities and system misconfigurations. Some of today’s most popular tools include the following:
Red Teaming
Organizations with more advanced defenses are increasingly turning to red teaming to simulate attacks on their cyber systems. A red teaming exercise is more in-depth and wide-ranging than a penetration test. Red teams are tasked with simulating cyber-attacks at a greater depth than a penetration test, without the scope or time limits of penetration tests. Defensive actors are typically not notified of the red team exercise. Red teams can include reconnaissance and physical breach specialists, phishing experts, and traditional penetration testers skilled in communications and IT.
Capture the Flag
Some organizations choose to turn their penetration test into a type of competition – placing a ‘flag’ (usually a sensitive file) in a secure location on their network. The attacking penetration testers are given the task of accessing this file or “capturing the flag” by any means possible. A defending ‘Blue Team’ – usually the incident response staff at the organization – is evaluated during the simulated attack, testing their ability to detect and respond to the attacker. This style of capture the flag penetration test allows companies to test their defensive capability in a more realistic way, placing the focus on protecting sensitive data rather than their entire network.
Bug Bounty
Bug bounty programs are another increasingly popular way for organizations to test their cyber defenses. Sites like Bugcrowd and HackerOne offer ways for potential attackers to turn in discovered vulnerabilities in exchange for a reward. Organizations use these programs to offer compensation and recognition to white hat hackers who report bugs, exploits, or vulnerabilities on their systems, allowing the organization to patch them before they are exploited by a malicious attacker. Large organizations like General Motors, Microsoft, and HP are offering $10,000 to $100,000 per verifiable discovery reported. Larger organizations are able to start their own programs, and smaller companies can leverage bug bounty-as-a-service providers like Bugcrowd or Synack to run a program for their website or applications.
Conclusion
Penetration tests remain a primary way for organizations to test their cyber defenses. While the traditional penetration test remains important, some companies are now leveraging new tools and techniques, more advanced red teaming exercises, capture the flag competitions and continuous testing via bug bounty programs as a way to test their defensive capability. Regardless of the approach, when an ethical hacker, a genuine cybersecurity professional, hacks into your system instead of a real attacker, the weaknesses in your defenses can be addressed before a malicious hacker targets your organization.