Ask a Pen Tester Q&A, Part 2: Everything You Need to Know About the Art of Penetration Testing
Penetration testing has become increasingly important to organizations of all sizes, as cyber-crimes increase and attackers run rampant. Identifying vulnerabilities and testing security infrastructure before a hacker attacks can save organizations hundreds of thousands of dollars in damage repair in the long run.
Starting a pen testing effort in your organization can be daunting, with questions about what to look for and where to begin. We sat down with our own penetration testers, Senior Security Consultant Aaron Herndon and Security Consultant Whitney Maxwell, to answer some of your questions about what exactly pen testing entails:
Would you recommend an internal or external penetration?
According to our experts, it’s best to do both internal and external penetration testing. Some organizations try to keep the scope of an engagement focused on external penetration tests, especially if they don’t have to meet a compliance regulation that requires them to conduct internal tests. However, both testers strongly recommend against that, as only external tests take electronic social engineering and other attack vectors off the table. This means that your test could miss important doorways to phishing attacks and give you a false sense of security. An internal test lets companies test the internal network in the more common event that their external perimeter is breached via phishing. For this reason, internal and external penetration tests should go hand in hand, and can even be packaged together so organizations can get a full overview of where their vulnerabilities live.
Do you have to create custom exploit code to penetrate an external network?
According to Aaron, this need depends on the scope of the engagement. Pen testers often only have a week to break into a company’s network, which doesn’t allow for much time to devote to new code. If the engagement is on the longer side, the pen testing team may spend more time on it. Sometimes, Aaron and his team will expand on concept code that wasn’t fully fleshed out, but more often, the team spends the little time they have during a pen test looking for what other attackers have used to get into an environment and whether the environment is susceptible to those methods.
What are the most common vulnerabilities found in pen tests?
Weak passwords coupled with single-factor-only authentication are the most common vulnerability that pen testing teams find. Configuration issues are also common, as is vulnerability to password spraying.
Have you seen production systems go completely down during a penetration test?
While Aaron and Whitney both agree that the goal is obviously not to have a production system go down during a penetration test, they acknowledge that it can happen from time to time. But the fact is, when you’re trying to find vulnerabilities in a system, you may stumble upon bigger issues that lead to a system crashing during the test. The bright side is that these failures can bring other issues to light that may have otherwise gone unaddressed.
What are the top vectors you see success with?
Successful attack vectors depend on the kind of test that a team is conducting. Email phishing is still a common method of attack, especially for initial access, but because of email controls like two-factor authentication, phishing methods have evolved. For instance, Aaron says he may not attach the payload to an email, but instead host it on a legitimate site or Amazon Web Services cloud, which allows him to get around a company’s filtering controls.
Whitney also says social engineering methods are useful, especially if you can be onsite for the test. If you can convince an employee that you’re from the company’s IT department, or if you can get them to plug a USB into their computer, you can gain access into the system easily.
Password spraying can also yield results quickly. Aaron has found that he can even hack into the wireless of companies from his car, getting into an internal network using credentials gathered from password spraying.
What are the top aspects of a pen test service to look for when evaluating a third-party relationship with a potential vendor?
Aaron recommends that you start by looking into a company’s reputation. From there, it’s important to ensure that you’re receiving a true penetration test, and not just a vulnerability scan report. A high-level overview of the test methodology can provide insight into whether the process will be manual through a skilled operator or simply someone running a vulnerability scanner and validating the results.
You should also ask for a sample deliverable report, which will provide insight into the professionalism of the deliverable. A good vendor will provide a well-laid-out storyboard explaining how vulnerabilities were exploited to achieve an objective, and then categorize vulnerabilities into actionable items so your organization can identify areas with the highest risk.
You should also find out if the company provides dedicated testers for your engagement. A penetration test requires the tester’s full attention, and you want to ensure the testers are single-threaded with a dedicated project manager during the assessment.
How can you avoid having an employer skew a test by warning their employees about it beforehand?
Aaron and Whitney both agree that it’s important to not warn their employees about the test in advance. Malicious actors never announce their intentions, so why would you want your employees to be trained that way? In order to prevent any “high-alert” situations that could spoil the test, it’s important to build relationships with the client and have full discussions about the importance of discretion. Our experts recommend getting a sign-off from the leadership at the beginning of the year while keeping the dates of the actual test a secret from everyone but one or two individuals in the organization who need to know.
How do you budget your time for pen testing engagements?
There are several time budgeting considerations that are important for a successful pen test, including scheduling time at the end of the engagement to work on the report. Whitney also likes to leave a few hours at the start of an engagement to make sure she has access to everything she is supposed to have.
What is the key indicator you are going down the rabbit hole and it’s time to move on?
The key indicator for Whitney that it’s time to move on is the ratio of time versus options. Attackers tend to take the easiest path, so if you’ve spent hours on a method and there are still more attack paths available, it’s probably time to move on.
Aaron recommends being aware of where you are in your search path. If you’ve reached the 100th page of Google, it’s probably time to rethink your approach. He recommends setting a time limit of three hours for working on any given challenge, so that you can move on to the next challenge and come back to the original one at a later time.
Have any additional questions for our penetration testers? Please leave a comment below.