Penetration Testing Companies and Methodology Explained:
By 2020, the information security industry is expected to be worth just under 200 billion dollars. Yes, that’s billion… with a B. In 2016, there were nearly 1 million job openings. What is the cause of this unbelievable growth? The answer: criminals are constantly looking for your data. Everything we do revolves around data. Your medical records, credit card data, social security number, and banking information are just a small sample of the information that criminal hackers are looking for every day. People are quickly becoming numb to news reports about new vulnerabilities, breaches, and cyber attacks because they seem to have become just a normal part of life. It is almost as though society accepts the fact that its data will be stolen. Should this be acceptable? Absolutely not. Most of these breaches could have been prevented if the companies had known about their vulnerabilities before the hackers found them. A security vulnerability is a weakness within a company that allows an attacker to gain information, bring a system down, gain control, or compromise the system in any way.
A Penetration Test can Protect your Company from Hackers
Penetration testing is the art of ethical hacking. A penetration test is built around the idea of having a team of professional hackers attack and take over your network. That might sound scary at first, but here we are talking about “ethical hackers”: the good guys who hack your network and then report their findings to the company. A penetration test is not harmful; it is extremely helpful to a company, because it can quickly fix the security vulnerabilities and weaknesses before the bad guys find them and cause harm.
Penetration Testing Methodology
So just how is a penetration test completed? It is divided into a few categories. We will break each one down and explain it.
The recon phase is sometimes where the penetration testing company has the most fun. This is the process of Googling like crazy to find any information about the company that exists online: any footprint on the web that has anything at all to do with your company, whether in technical forums, on Facebook, LinkedIn, or other social media sites. Testers are often able to find employees on LinkedIn who have too much information posted to their profile, such as every type of software, server, and appliance they currently work with in their position. Too often, these details are big pieces of the puzzle for hackers, and the easier information is to find, the more enticing the company’s network may become. I once ran into a forum online where a network engineer was looking for help with a firewall configuration and had posted an entire config online. This config gave away all types of information, including IP addresses and other pertinent information. Posting this type of information online is definitely considered bad practice.
Social engineering is the art of tricking someone into doing something: for instance, standing at the main entrance of a company, telling an employee that you forgot your badge, and asking them to let you in. In large companies, employees often don’t know everyone, but their kind nature tells them to open the door. This can lead to someone walking in and sitting down at a computer to which they should not have access. Worse yet, they may even make their way to the server room or data center. Other methods of social engineering are tricking someone into opening a file that leads to a computer takeover, or dropping “free USB drives” in the cafeteria that open malicious backdoor connections when plugged into a computer. Many types of social engineering exist, but these seem to be the most common.
External Penetration Testing
External penetration testing is just what it sounds like. Penetration testing companies are sometimes hired to test only the external network. This type of penetration test looks at all of the IP addresses on a network. These IP addresses could belong to devices such as network servers, websites, firewalls, camera systems, and other devices that potentially hold data or can lead to other attacks. There are over 65,000 ports on a typical computer system, and each open port can expose a different piece of software, at whatever version happens to be running. Because keeping software updated is a tedious task, many network and systems administrators fail to do it, and this in itself can lead to major company breaches. Each and every day software vulnerabilities are found and made public knowledge. If an attacker has knowledge of a particular software vulnerability, they will often look for a system that may be vulnerable to it.
Internal Penetration Testing
Internal penetration testing is very much the same as external, only it is typically focused on the RFC 1918 IP addresses. These are typically the 192.168.0.0, 10.0.0.0, or 172.16.0.0 networks. The “old-fashioned” way to complete an internal penetration test was for the penetration testing company to go onsite, because the internal network can’t be reached from the outside. The modern way is for the company to be sent a “jumpbox”, a machine that sits inside the network and that the pentesting company has VPN access to. VPN access to the jumpbox allows the internal assessment to be completed remotely. Ethical hackers are typically looking for weaknesses such as flat networks (networks where everything is on the same subnet), insecure protocols in use, and old test servers that have never been turned off. All of these can lead to attacks. Internal assessments are often overlooked because companies think the firewall will protect them from these attacks. After all, these networks should not be accessible from the outside, right? If you recall the discussion of social engineering above, there are various ways an attacker can gain access to the inside of a network. This can be done simply by someone inserting a malicious USB drive or opening a specially crafted PDF file that reaches outbound through the firewall to the attacker’s system, creating an open tunnel right into the internal network. If an attacker gains access to an internal network, that attacker would then have access to everything inside. This is why VLANs, ACLs, and proper use of network controls are extremely important.
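As an added illustration of the two checks this section describes (this is example code, not from the original article), the following Python script classifies hosts against the RFC 1918 ranges and flags a flat network, where workstations, servers, cameras and a forgotten test server all share one subnet with no VLAN between them. The host inventory is constructed sample data.

```python
"""Added example (not from the article): classify hosts against the RFC 1918
ranges and flag a "flat" network, where very different device roles share one
subnet.  The inventory below is constructed sample data."""
import ipaddress
from collections import defaultdict

# The three RFC 1918 private ranges the article names, with their prefix lengths.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def roles_per_subnet(inventory, prefixlen=24):
    """Group hosts by their /prefixlen subnet: {subnet: set of device roles}."""
    groups = defaultdict(set)
    for addr, role in inventory:
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        groups[net].add(role)
    return groups

def flat_subnets(inventory, prefixlen=24):
    """Subnets that mix more than one device role: no VLAN separates them, so a
    foothold on any host there reaches every other role directly."""
    return sorted(
        str(net)
        for net, roles in roles_per_subnet(inventory, prefixlen).items()
        if len(roles) > 1
    )

# Constructed sample inventory: (address, role).  Most of it sits in one /24.
SAMPLE_INVENTORY = [
    ("192.168.1.10", "workstation"),
    ("192.168.1.20", "file-server"),
    ("192.168.1.30", "ip-camera"),
    ("192.168.1.200", "old-test-server"),
    ("10.20.0.5", "domain-controller"),
    ("10.20.0.6", "domain-controller"),
]

if __name__ == "__main__":
    for addr, _ in SAMPLE_INVENTORY:
        print(addr, "private" if is_rfc1918(addr) else "public")
    print("flat subnets:", flat_subnets(SAMPLE_INVENTORY))
```

The 10.20.0.0/24 subnet holds a single role and is not reported; 192.168.1.0/24 mixes four roles and is.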
Web Application Penetration Testing
Web application security testing is a totally different process from external and internal testing. Application testing is the process of looking at the websites the company runs. These can even be intranet sites used inside the company. Without diving extremely deep into this type of testing, testers usually look for the OWASP Top Ten vulnerabilities. To name a few, vulnerabilities like SQL Injection, Cross Site Scripting, Cross Site Request Forgery, and Directory Traversal, along with many other forms of attack, can be used not only to gain control of a website, but possibly to pivot to the internal servers behind it. Many companies host their own websites, which attach to a database that could hold large amounts of data. Because nearly every business has a website, attackers have an extreme focus on these types of vulnerabilities.
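To show the first item on that list concretely, here is an added example (not from the original article) of the kind of SQL Injection flaw an application test looks for, beside its parameterized fix. It uses an in-memory SQLite database with constructed sample rows standing in for the database behind a company website.

```python
"""Added example (not from the article): the SQL injection the article lists
among the OWASP Top Ten, as a vulnerable query beside its parameterized fix.
Uses an in-memory SQLite database filled with constructed sample rows."""
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed customer table standing in for the database behind a website."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "1234"), (2, "bob@example.com", "9876")],
    )
    return conn

def lookup_vulnerable(conn, email: str) -> list:
    """String concatenation: the user's input becomes part of the SQL text."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, email: str) -> list:
    """Parameterized query: the driver binds the input as data, never as SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

# Constructed test input: a tautology that makes the WHERE clause always true.
INJECTED_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("normal lookup:", lookup_hardened(conn, "alice@example.com"))
    print("vulnerable + injection:", lookup_vulnerable(conn, INJECTED_INPUT))  # every row
    print("hardened + injection:", lookup_hardened(conn, INJECTED_INPUT))      # no rows
```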
Wireless Penetration Testing
This type of testing is the most overlooked. Wireless penetration testing is the art of trying to penetrate a company’s network by simply breaking into its wireless network. Many companies do not put an extreme focus on protecting their wireless infrastructure. Extremely powerful antennas can allow an attacker to sit miles from a company’s location and still reach the wireless network. Methods such as dictionary attacks can be used. An example of a dictionary attack would be an attacker using an open source toolkit such as Kali and the tools within it (aircrack) to run every single word of the dictionary, with many variations added at the beginning and end, against a company’s network to try to find the password. For larger networks that use certificate-style authentication, other methods can be used, such as trying to gain information from other company wireless devices by intercepting traffic during authentication. During a wireless penetration test, the penetration testing company will also look for “rogue” access points. These could be access points that employees have plugged into a switch or wall jack so that they can have wireless access to the network. Often these rogue devices are not locked down properly, leading to major wireless vulnerabilities.
When and Why Should a Company have a Penetration Test?
Many regulations, such as HIPAA and PCI, set standards requiring companies to have penetration tests completed. PCI penetration test requirements are typically set by the company’s credit card acquiring bank. These requirements are often determined by how many credit card transactions happen on a yearly basis, their volume, dollar amount, etc. HIPAA requirements are typically enforced anywhere medical data could be stored or transmitted. This could include pharmacies, doctor’s offices, grocery stores (because of their pharmacies), and hospitals.
Even though some companies are required to have penetration testing completed, many are not. However, any company should have these tests done to be sure it is doing its due diligence to protect its customers and its own company data.
There are many low cost ways to get a penetration test completed. The link below leads to one of the top penetration testing companies. This company has one of the best pricing packages around.
Picture in article by elhombredenegro on Flickr via CCL 2.0