VersaTrust Blog

Why wait to get hacked BEFORE getting proactive about your company’s security posture? Doing penetration testing is the proactive way of discovering vulnerabilities within your company’s IT environment and fixing them before the bad guys find them and use them.

Companies across Dallas-Fort Worth are finding new ways to leverage the internet and emerging business technology to expand and do business on a global scale. But with this surge in growth – fuelled by reliance on IT – comes a monumental task, cybersecurity. Cybersecurity is the combination of the tools, strategies, and protocols that make up a holistic approach to protecting your company while you conduct business online. Part of a robust cybersecurity strategy is a tactic called “penetration testing.”

What Penetration Testing Is Not

• Penetration testing is not the same thing as a vulnerability scan or a risk assessment.

A vulnerability scan or risk assessment surveys and quantifies the potential and assesses the variables involved in a scenario in which your internal workflow could be negatively impacted. In A vulnerability scan or risk assessment is very much like walking around your house looking for open doors and windows and evaluating and quantifying the potential of an intruder getting through them. Some windows may be open but are too small for the average adult, so there is a risk, but it’s low. In other cases, doors are wide open, and the risk is high.

• Penetration testing is not the same as vulnerability management.

Wikipedia has a good definition. It says,

“Vulnerability management is the ‘cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.’ Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities, such as open ports, insecure software configurations, and susceptibility to malware infections.”
If your IT systems were a home, vulnerability management would be similar to bringing in a security expert to survey your entire IT system, give his expert opinion, create a report, and fix what he sees that is inadequate.

So, if penetration testing is not vulnerability scanning/risk assessment, or vulnerability management, what is it?
Penetration testing is allowing a trusted “cybersecurity ninja” to attack your business technology systems from the outside or the inside to identify weak points in your defenses. The testing covers all aspects of your operation from procedures and personnel to access points.

If we compare your IT systems to your house again, engaging a trusted IT security company to do penetration testing on your systems would be like hiring a reformed cat burglar to test whether your home security can hold up to his intrusion attempts.

Penetration testing is an offensive threat detection, cyber-security tactic – not a defensive one.

Why do companies want penetration testing?

• To get a baseline of their current IT security status
• To assure themselves that their security is adequate
• To meet compliance standards – PCI, HIPAA, FINRA
• To check the efficacy of cybersecurity controls – IPS, IDS, DLP, firewalls
• To prevent a data breach

What Should Companies In Fort Worth Consider Regarding Penetration Testing?
If your business identifies with some of the above reasons for conducting penetration testing, this section is for you. You see, you shouldn’t hire just anyone, and you shouldn’t give unfettered permission for them to go poking around your network. Some ground rules – and a contract – need to be in place before any penetration testing begins.

So, what’s essential for you and your team to think about when considering engaging the services of an IT security team to do penetration testing?

1. Trust – In this test, you will be giving this person permission to invade your security and privacy purposely, so trust is a big deal.
2. In-house or outsourced? – If you have an in-house team of IT experts, an internally conducted penetration test may be just fine. However, you have to consider that the outcome of the test will be somewhat skewed by these factors:

• Your team already knows your systems.
• Your team has its own bias that will be carried over into the testing.
• Your team’s response to the simulated attack cannot be evaluated if they are conducting the penetration testing.

 

3. Scope – What IT assets or parts of your system are to be tested? Are you targeting the security of certain aspects of your IT environment or everything? It is sometimes important to target the entire system when doing a test like this, but other times it is prudent to simulate an attack only on one aspect of the system at a time.
4. Means – What methods and tools are those implementing the testing allowed to utilize? Are you allowing them to use social engineering? What about cracking passwords, escalating privileges, hiding files, or covering their tracks? The question of what methods are used needs to be settled ahead of time.
5. Internal or External? Is the simulated attack going to be conducted from inside the organization or outside? Internal tests are necessary because according to IBM, 60% of breaches come from inside threats or threats that have been wittingly or unwittingly allowed by insiders.
6. What if they discover human rights abuses, safety concerns, or criminal activity? – If in the course of doing their testing, the individuals doing the testing find something that rises above the level of concerning to the level of alarming, what should they do? Who should they report it to first? A professional will stop the penetration test and report their findings, but deciding first whether that report should be made first to the police or to the company leadership will save confusion.
7. What information will the individuals doing the penetration test for your Fort Worth company have to start? – There are three kinds of simulated attack: Black Box, White Box, and Grey Box
   • Black Box – The testers do not know your system and its configuration.
   • Grey Box – The testers have limited knowledge of your system and its configuration.
   • White Box – The testers have intimate knowledge of your system and its configuration.
8. References – If you are hiring an outsourced IT services company to handle your penetration testing, you may try to ask for references, but it is unlikely that you will get any. Companies that are ethical will not talk about the clients that have hired them to do penetration tests. It just makes sense that their clients wouldn’t want the penetration services company to talk about their work or what they discovered in the client’s systems.

So how does a company prove to you that they are up to the job? They may be willing to do a small-scale penetration test on one aspect of your systems to show you what you could expect if you hire them to simulate an attack on your entire system. Alternatively, they will be glad to give you references relating to other services they offer. If their clients are happy with their other services, it’s likely that they are also pleased with their penetration testing service.

What is the process of penetration testing?
There are industry-recognized, established methodologies that many IT professionals follow or tweak to meet the needs of a particular project. Two such methodologies are Pentest Standard and OWASP.

In general, if you were the penetration testing technician, these are the steps you would take.

• Establish the Goal – What are you trying to accomplish?
• Reconnaissance – Learn everything you can about the company – online, trash, anonymous employee interviews, social media, tours of facility
• Discovery Process – Port Scanning
• Exploitation – Using the information you have gathered in the previous steps, determine what to attack and what tools to use. Along with exploits, the use of brute force and social engineering fit into this stage.
• Take Over the Targeted Machine – At this stage, you should be able to use the target’s computer as easily as if you were sitting in his office with all his passwords.
• Pivot – From the targeted machine, move through the network to target other devices and source the information you are seeking.
• Collect Evidence – By “stealing” files and passwords, you have proof to give to the business leadership that the simulated attack was successful.
• Report – Deliver a full accounting of the simulated attack to the business leadership.
• Remediation – Work with the company to repair any vulnerabilities discovered or exploited in the penetration test.

Is Your Company Going To Be 100% Secure After A Penetration Test?
No, even after all identifiable vulnerabilities have been reported and remediated, no company is 100% secure. There are too many variables – including human error – that open up new avenues for criminals to exploit. Cybersecurity is an ongoing battle to keep the bad guys out and to allow the good guys to do business efficiently online.

What Credentials Do Professional Penetration Testing Technicians Carry?
While penetration testing technicians generally don’t have specific university degrees, they do often carry industry-recognized certifications. Note: There is not one specific industry certification, but several. They include:

• OSCP – Offensive Security Certified Professional
• CEH – Certified Ethical Hacker
• LPT – Licensed Penetration Tester
• CISSP – Certified Information Systems Security Protocol
• Sec+ – CompTIA Security+

What Do Penetration Testing Technicians Have To Know?
While we would – for the safety of your business – never recommend the bare minimum of knowledge in a technician, here are the basics that one needs for penetration testing.

1. Working knowledge of Linux – Many of the exploits use Linux and are not available in Windows or Mac OS.
2. Working knowledge of networks – TCP/IP, HTTP, UDP, ICMP, OSI Model, Packet Structure
3. Working knowledge of social engineering – How people think and how to get them to do something that compromises the network.

Want to read more? We have more for you to learn here.