Penetration testing: An in-depth look

Who runs penetration tests?

The answer is, it depends.

Hiring the internal talent to perform penetration testing can be a tall order, especially for smaller firms. Highly qualified security professionals are expensive, in demand, and in short supply.

Larger enterprises may have the resources to bring pen testing expertise in-house, but not the workload to justify a dedicated employee.

However, not every pen test requires an expert to run it. There are a number of intelligent, automated penetration testing tools that can be operated by internal IT staff members who do not have expertise in pen testing to safely run expert-level tests.

Wizards walk users step-by-step through the process, allowing novice users to run pen test simulations or validations with just a few clicks. More experienced testers can create a routine once and then save it as an automated module for repetitive tasks.

When performing more complex testing that involves different systems, responding to multiple attack threads, and diving deep into IT rabbit holes to simulate the threats of the most sophisticated, nefarious attacks, a team of expert pen testers will be required.

Sometimes called Red Team Exercises, a team of third-party experts will launch an attack on an IT environment from multiple fronts to see how the organization responds to a major event.

The skill shortage in cybersecurity is well documented. It can take years to develop the knowledge organically. For that reason, many organizations are turning to third-party pen testing providers to ensure their IT environments are protected because:

• The cost of engaging with an outside vendor for pen testing services on an as-needed basis is less than the cost of carrying an internal pen testing team. 

• The cost of pen testing is a fraction of the cost of the average breach, not to mention potential compliance penalties and damage to the company brand. 

• Third-party testing brings outside expertise with unique and diverse testing techniques and strategies to yield an objective, unbiased examination.

The key is finding the right penetration testing partner that understands the regulatory requirements of your industry, and the motivations of the attackers.

Penetration testing stages

When executed properly, penetration testing identifies network or IT infrastructure vulnerabilities before an attacker can exploit them.But you can’t just throw a network, app, or website at a pen tester and say, have at it, go find all the vulnerabilities you can. You need a plan.Here are six stages and some thought-starter questions to help map out effective pen testing strategies.

1. Planning & Scope

What are you testing against, and why? Identify the goals and limits of the test so both tester and client can be prepared and properly measure outcomes. Testing for every threat at once is not possible. 

• Will the test be a simulated attack originating from outside the organization, or will it be from an internal threat with network credentials? 

• Will the IT team be informed of the test, or will it be a surprise event to judge staff readiness and responsiveness? 

• What kinds of tests will be run? What CVEs will testers be trying to exploit?  

• How much information will be shared with the testers about vulnerabilities before the test? Do they know what to look for (a.k.a., a blind test)? 

• How aggressive should the testers be? Should they benignly poke around to identify vulnerabilities and stop, or actively try to exploit them? 

2. Discovery

This information gathering stage is when testers attempt to learn as much as possible about the target system and its users without actually penetrating the environment and setting off alarms.

• What networking information can be gleaned without detection? IP addresses, firewall configuration, user credentials? 

• What vulnerabilities have been found? (This is where a Vulnerability Scanner is used). 

• What personal information can be gleaned without detection? Data such as employee names, titles, and email addresses open the door to phishing scams through which hackers can get greater access into systems. 

3. Penetration and exploitation

Armed with information about the target system and users, testers now attempt to find and breach security weaknesses and see how deep they can penetrate network resources.

• Can access privileges be elevated once inside a compromised environment? 

• What other types of endpoints are vulnerable? Mobile phones or IoT devices? 

• What secondary doorways and weaknesses were discovered after the initial compromise? 

• What kinds of information can be exposed, stolen, or held for ransom? 

• Could the network be taken offline by the attack? For how long? 

4. Analysis and reporting

This post-mortem stage documents the steps of the test, the identified weaknesses, attack path details including the tools used to defeat current defenses, the information that was compromised, and recommendations for remediation. 

• What tools were used to penetrate the system?

• What weaknesses were found? 

• What are the highest priority items that need to be addressed? 

• Were any compliance violations found? 

• What specific technology recommendations can testers provide to solve identified vulnerabilities? 

5. Leave no trace

After testing is complete, testers should examine all penetrated systems and remove any evidence of their presence, as any artifacts or cookies inadvertently left behind could be leveraged by a real attacker in the future. 

• Is there any evidence of a recent pen test on our system that hackers could exploit? 

• Are all “backdoors” into the system closed?

6. Retest

Make sure all the recommended remediations are working by periodically testing for new as well as the same vulnerabilities again. Cyberattack methods are constantly evolving, so it does not mean the pen test was a failure if new weaknesses are found.

• Is our environment hardened against all known threats? 

• Can a similar attack be detected and thwarted? 

• Are there new variations of a threat against which we have not tested?

Penetration testing methods

As mentioned earlier, there are different kinds of pen tests that search for different types of vulnerabilities.Testing tools are optimized for the segment of the IT environment they are examining and the type of threats each is most likely to encounter.Five common types of pen testing include:

Web Application Tests 

Examine the overall security of web applications and attempt to uncover flaws such as coding errors, firewall vulnerabilities, broken links, and other potential bugs. Typically performed before a web application is live.

Network Security Tests

Focus on network defenses by searching for and exploiting vulnerabilities in different types of network operating systems, and through network devices like routers and switches, and hosts.  

Testers look for things like weak passwords or misconfigured assets in order to gain access to other devices on the network, and even other networks. 

Cloud Security Tests 

The cloud is a new attack front, and many clients mistakenly assume their cloud service provider maintains the necessary protections. Cloud environments must be tested equally as on-premises resources. 

Pen testers work with cloud providers to validate the security of a cloud deployment and its applications, and how it integrates with on-premises elements of IT infrastructure to ensure attackers cannot access critical systems through the cloud. 

IoT Security Tests 

IoT devices can be almost anything from a TV to a thermostat. While connected to the network and “smart”, IoT devices are not usually equipped with malware defenses, making each one a potential entry point for a cyberattack. 

Pen testers analyze each IoT device and the interaction between them, looking to breach the network through unsecured devices with weak passwords, misconfigurations, or outdated firmware. Vulnerable devices can be identified and removed from the network. 

Social Engineering Tests 

These attacks target people to access technology through deception. Often called phishing, a target receives an email that looks like it came from a trusted source asking to share credentials or containing an attachment with malware. 

Pen testers emulate phishing campaigns to identify susceptible employees. Further education and training can then be provided to recognize phishing scams and prevent users from inadvertently unleashing an attack on the network.

How often should you run penetration tests?

Here again, it depends.

Penetration testing should be performed on a regular basis. After all, you won’t know if your defenses are working and up to date unless you test them.

However, there are specific instances when the IT or regulatory environment changes that pen testing should be performed to check for new weaknesses:

• When new compliance mandates are passed by state, federal, or international regulatory bodies. 

• When new applications, online payment systems, or infrastructure upgrades are added to the network. 

• After new security patches are applied to fix identified weaknesses. 

• When end-user policies are modified. 

• After a forced layoff or staff reduction, or after a new group of employees is onboarded to ensure only those with current credentials can access systems. 

• Before a new website or web-based enhancement is launched to the public. 

• After branch offices are opened or closed. 

• After news of a major new threat to test for specific vulnerabilities, such as against the recent SolarWinds[TM] malware or Colonial Pipeline[TM] attacks.

Penetration testing tools

If you were a hacker, would you spend hours or days at a keyboard manually entering myriad combinations of characters trying to decipher a password, or would you use a password cracker tool that could automatically enter thousands of random passwords in minutes?

The same principle applies to pen testing.

Rather than manually searching through endless lines of code probing for weaknesses, pen testers use tools like:

• Vulnerability scanners  

• Port scanners 

• SQL Injection scanners 

• Network sniffers and protocol analyzers 

• Compliance scanners 

• Web browser scanners 

• Encrypted password crackers 

These tools speed through thousands of CVEs across entire IT environments to make testing more efficient.

Penetration testing tools offer features such as:

• Automation of routines to eliminate manual probing. 

• Self-destruct capabilities to remove all traces of a pen test upon completion. 

• Expiration dates to close any gateways that might be inadvertently left open. 

• Detailed logging and reporting for audit trails. 

• Verifying real threats from false positives. 

• Wizards to guide users who may not have an extensive pen testing background step-by-step through standard tests. 

• Interoperability with other types of pen testing tools. 

Pen testing tools are available from multiple providers.

With so many threats out there and so many solutions to choose from, it can be difficult to know what the right steps are and, which tools to use to protect your IT environment.

The security experts at Ricoh can help you vet and install the proper penetration testing solutions to stay ahead of threats, ensure industry compliance, and protect your vital information. Explore Ricoh Cyber Security Services >

Ready to get started?

Contact us to schedule a no-obligation assessment of your security requirements.