If you are new to the security industry, then penetration testing may be one of those topics you are starting to look at in more detail. If you’ve been in the industry for a while, then you will already know (I hope) the importance of this particular exercise. Penetration testing and ongoing vulnerability assessments are essential given today’s risk of cyber crime and data breaches, and most clients performing due diligence will probably ask when your most recent test was conducted. If you’ve never completed a test and your client asks the question, don’t be surprised if you detect a raised eyebrow, or even a loss of confidence - and ultimately a loss of business because of it.
The mitigating factors here are risk and gap analysis. If you have multiple potential entry points into your network, whether intended or unintended, a vulnerability scan should be completed at least once a year (my personal preference is once a quarter, but this depends on budget) to verify the security of endpoints exposed to the public. Such endpoints are typically firewalls, routers and, essentially, anything that is hosting an externally accessible service.
What does a penetration test involve?
The main concept is the word “penetration”, meaning to enter. Whether lawful or illegal, the principle remains the same - if a device can be accessed, it needs to be tested. Most services that are public facing are designed to be entered, but what if the entity using such access decides to violate the intended purpose? A hacker could circumvent your controls and gain access to other areas, or leverage a flaw in the system that negates the intended service. Such a compromise can either provide access to personally identifiable data, or make the affected system vulnerable to another form of attack. Before any testing is performed, the penetration testing company will need to sign an NDA (Non-Disclosure Agreement). This protects both their client, in the form of confidentiality, and their own reputation. After all, if they do find a weakness, you wouldn’t want them telling everyone about it. This may seem glaringly obvious, but you would be unpleasantly surprised if you knew how many companies have been duped over the years by a fake penetration testing entity that actually turned out to be hackers!
Any legitimate penetration testing company will be well aware of the importance of client confidentiality and security, and will normally make the NDA their first discussion point before even asking about your network. If a potential penetration testing company does not raise this point, or attempts to deflect when asked questions about confidentiality, they should immediately be treated as a risk, and certainly never be given privileged information about your network topology.
In all cases, you should check and verify the identity and integrity of any company before entering into any contractual agreement. My suggestion here is to only accept reviews or recommendations from people you can actually meet or speak to over the phone without the penetration testing company facilitating any meetings or phone calls on your behalf. This removes the potential for fraud, and reduces the overall risk.
The penetration test scope depends on the predefined criteria. If an external penetration test is conducted, then it will typically be limited to devices or services exposed to the internet. The usual practice is to provide a list of IP address ranges and associated subnets, and allow the penetration testing company to “walk” these ranges looking for services. If, on the other hand, you are looking to conduct a test of your internal network, then (at least to me) this is not a penetration test but a vulnerability assessment. Why? Because if someone is already inside your network, you aren’t testing the ability to penetrate something they already have access to - you are testing how effective your internal infrastructure and controls are.
The penetration testing company will begin by scanning all IP addresses and subnets to see what responds. If the tester finds an exposed service (normally one you’d expect, in an ideal world), they will perform an array of tests against the address to determine, among other things:
- The type of device
- The operating system
- Device fingerprint
- What services are running
- What ports are open
Once the penetration tester has this information, further interrogation is possible. This part of the exercise is often automated using custom tools and scripts - many of these are enhanced by the penetration testing company themselves, which gives each company a distinctive testing style (more on why this is important later). For example, if the penetration tester finds SNMP exposed on a device, they will attempt to exploit known weaknesses in the protocol and its configuration in order to get the device to “cough up” details it wouldn’t normally divulge. A weak SNMP configuration can expose the running configuration of a router, for example, meaning that the attacker gains intelligence about your network and adjacent devices.
Such intelligence allows the penetration tester to leverage other vulnerability checks, and ultimately, they may gain access through a route you did not expect - or even know existed.
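The SNMP weakness above is one a defender can catch before a tester does, by auditing device configurations for the conditions that make SNMP leak information. The following is an added example, not code from the original post: it parses IOS-style `snmp-server community` lines from a constructed sample configuration (a hypothetical router, not a real device) and flags default community strings, read-write access, missing source access-lists, and the cleartext nature of v1/v2c communities. The default-string list and the severity scheme are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of an IOS-style configuration for a hypothetical router.
# It mixes two weak v2c communities, one ACL-restricted community and a v3 user.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t-ro RO 10
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha MONPASS priv aes 128 MONKEY
access-list 10 permit 192.0.2.10
"""

# Assumed list of community strings that scanners and attackers try first.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "manager"}

# Matches: snmp-server community <string> [RO|RW] [acl]
# (assumption: the optional 'view' keyword form is not handled here)
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?", re.I)


def audit_snmp(config: str) -> List[Dict[str, object]]:
    """Return one finding per v1/v2c community line, with its issues and severity."""
    findings: List[Dict[str, object]] = []
    for raw in config.splitlines():
        match = COMMUNITY_RE.match(raw.strip())
        if not match:
            continue
        community, mode, acl = match.group(1), (match.group(2) or "RO").upper(), match.group(3)
        issues: List[str] = []
        if community.lower() in DEFAULT_COMMUNITIES:
            issues.append("default/guessable community string")
        if mode == "RW":
            issues.append("read-write access allows configuration changes")
        if acl is None:
            issues.append("no access-list restricts which hosts may query")
        # Severity: default string or RW is high; an unrestricted but unique RO string is medium.
        if any(i.startswith(("default", "read-write")) for i in issues):
            severity = "high"
        elif issues:
            severity = "medium"
        else:
            severity = "low"
        # Every community string is SNMPv1/v2c and travels in cleartext on the wire.
        issues.append("v1/v2c community string travels in cleartext; prefer SNMPv3 authPriv")
        findings.append({"line": raw, "severity": severity, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f"[{f['severity']}] {f['line']}")
        for issue in f["issues"]:
            print(f"    - {issue}")
```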
The remit of a penetration tester is not to hack your network, steal data, or bring the infrastructure to its knees, but to expose and report vulnerabilities to their client in a responsible and professional manner. This is typically done in the form of a confidential findings report delivered to a predefined and authorised contact within your company.
Testing findings and exceptions
If the penetration testing company finds a vulnerability or exploit that is considered high risk, then they are duty bound to inform you of this discovery within a predefined time frame. This time frame varies depending on the severity of the issue or potential exploit. In such cases, the penetration testing company provides documentation of the steps taken to reproduce the vulnerability, along with an example of what they were able to do by leveraging it. This gives the client sufficient knowledge to begin rectifying the issue before the main findings report is produced. Since penetration testers have other clients, the report can take some time to compile, and they wouldn’t want you to learn of a critical exploit only when the report finally arrives.
The implications of high risk vulnerabilities are wide ranging: they can cause significant reputational damage for the tester if left unreported (although it is at the discretion of the tester to report early if they deem the issue important enough), and worse, they could be exploited if left unpatched.
The report should be protected with a strong password, and be in a format that cannot easily be manipulated or altered. A secured PDF with editing disabled is the preferred medium. The method of delivery should be as secure as possible to prevent the report from falling into the wrong hands. An ideal solution is to provide the report via an SFTP server, or by encrypted email. Most penetration testers use certificates when sending email, so their mail is protected by default.
Remediation is up to you. A thorough and respectable penetration testing company will provide all relevant information in relation to the risk levels they have identified, and will also provide a means to work towards remediation. Depending on the issues identified, the remediation will obviously be different for each device in scope, or for each vulnerability identified. In most cases, penetration testing companies offer a reduced rate for re-testing the devices and vulnerabilities subject to remediation, provided all steps have been completed within a defined time period - typically 30 days. Look at it this way - if you are presented with a report that shows your infrastructure (external and internal) resembling a block of Swiss cheese and you choose to ignore it, then you deserve to be hacked in my view. Harsh? Yes. A reality? Very much so. Ignore vulnerabilities at your peril.
Look at it this way - it’s much easier to avoid spilling milk in the first place than it is to mop it up afterwards.
Should I perform my own testing?
Yes, but your test results could be seen as one sided, or biased, given that you have conducted the test yourself. My advice here would be:
- Perform your own interim testing. The frequency really depends on your attitude to risk; I personally consider once a quarter a sane value.
- Complete remediation as far as possible, and perform as much post-remediation testing as you can to identify any further risk.
- Engage a recognised penetration testing company to carry out their own independent testing to validate and confirm your remediation.
The report generated by this entity will carry much more weight, and can be used for client evidence if they request it. There’s much more to this topic, so if you’d like any further information, just ask - I’ll be more than happy to answer questions.