Cyber Technology Security Protection Monitoring Concept Penetration Test

Penetration testing: An in-depth look

Summary

Learn about penetration testing and why it is important.

Time: 12 minute read

Organizations that have successfully reduced their exposure to all manner of cyberthreats focus on three key areas:

Employee awareness – Teaching users how to identify and respond to phishing attacks and best practices for network security and passwords.
Threat detection – Using malware and intrusion detection technology to constantly monitor the network and every endpoint for malicious attempts.
Preventative measures – Implementing tools to harden security defenses against new and emerging threats.

This article provides an in-depth look at one of the key preventative measures used to reduce the risk of a successful cyberattack: penetration testing.

What is penetration testing?

A penetration test, or pen test, is a simulated cyberattack against a computer system to check for potential vulnerabilities and security weaknesses against real-world hacking attempts.

Instead of waiting until an attack eventually happens (and it likely will), pen testing probes for vulnerabilities in a safe, controlled environment.

A penetration test doesn’t just reveal vulnerabilities, it also will actively exploit them to demonstrate the extent of damage that is possible.

The concept is for a “friendly hacker” to try to break into an application, mobile device, database, server, or a website without permission or using stolen credentials and show exactly how an actual attacker would attempt to install malicious code, steal and sell customer data, or hold intellectual property for ransom. Pen testers need to think and act like actual attackers.

Once the system, app, or device targeted for initial attack has been breached, it can lead testers down a rabbit hole of access to other networked resources and additional entry points that can be further exploited, digging into escalated levels of assets and user privileges.

After the testers have exposed all potential weaknesses, their findings are delivered to IT staff who will drive the effort to close identified security gaps through measures that include –

Software patches and firmware updates.
Closing unguarded network ports and activating endpoint protection.
Removing old user credentials, expired software licenses, and outdated software.
Implementing Least Privilege or Zero Trust policies such as identity and access management (IAM) tools like two-factor authentication and data encryption.

The importance of penetration testing

The purpose of pen testing is to determine the feasibility or probability of a threat actor actually compromising the IT environment – in other words, what are the odds of a hacker successfully targeting the company, which systems are most vulnerable, where will they go first, and how much damage can be done before being noticed?

Pen testing tells IT decision-makers where to best invest their security dollars and prioritizes which vulnerabilities should be addressed first.

In addition to intelligently managing the highest security priorities, periodic pen testing offers other benefits including:

Uncovers unknown weaknesses by offering a model to test for new and emerging threats like the latest ransomware.
Reduces the time and cost of network downtime after an attack. A smaller attack surface means easier identification of targeted systems and faster recovery.
Proves the network is compliant with regulatory requirements and insulates the company from damages and penalties in the event of a breach.
Confirms remediation steps are working and effective through re-testing for the same vulnerability.
Improves IT staff response to actual events from increased preparedness through simulated attacks.

In sum, the goal of penetration testing is to help organizations stay one step ahead of the bad guys by finding and fixing security vulnerabilities before they can be exploited.

What's the difference between pen tests and vulnerability scans?

Vulnerability scans are just that – automated inspections of entire IT environments that search for and report on known weaknesses in networked devices, applications, and infrastructure.

There are many vulnerability scanning solutions commercially available, each with different options and feature sets to find different kinds of weaknesses. Organizations many use multiple vulnerability scanning solutions to ensure they are scanning for all types of threats.

One thing most of them have in common is that they use a list of CVE identifiers. CVE stands for Common Vulnerabilities and Exposures. It is an industry standard used by global databases to identify, describe, and classify known vulnerabilities.

Network assets are scanned and checked against a list of thousands of CVEs. A vulnerability score is then assigned to each asset to list and prioritize potential security weaknesses.

Vulnerability scans are a good place to start, but they do not address the cause; they merely inform and rank present risks based on severity.

Even so, a low score does not mean the risk is insignificant. It may still be a doorway to destruction.

Pen testers take vulnerability scans to the next level and add further insight by seeing if the exposed vulnerabilities can indeed result in a breach.

They will poke and prod to discover if the weakness could be leveraged to access the IT environment, or if it is a false positive or dead-end.

Security breach, smartphone screen, cyberattack hacking

Who runs penetration tests?

The answer is, it depends.

Hiring the internal talent to perform penetration testing can be a tall order, especially for smaller firms. Highly qualified security professionals are expensive, in demand, and in short supply.

Larger enterprises may have the resources to bring pen testing expertise in-house, but not the workload to justify a dedicated employee.

However, not every pen test requires an expert to run it. There are a number of intelligent, automated penetration testing tools that can be operated by internal IT staff members who do not have expertise in pen testing to safely run expert-level tests.

Wizards walk users step-by-step through the process, allowing novice users to run pen test simulations or validations with just a few clicks. More experienced testers can create a routine once and then save it as an automated module for repetitive tasks.

When performing more complex testing that involves different systems, responding to multiple attack threads, and diving deep into IT rabbit holes to simulate the threats of the most sophisticated, nefarious attacks, a team of expert pen testers will be required.

Sometimes called Red Team Exercises, a team of third-party experts will launch an attack on an IT environment from multiple fronts to see how the organization responds to a major event.

The skill shortage in cybersecurity is well documented. It can take years to develop the knowledge organically. For that reason, many organizations are turning to third-party pen testing providers to ensure their IT environments are protected because:

The cost of engaging with an outside vendor for pen testing services on an as-needed basis is less than the cost of carrying an internal pen testing team.
The cost of pen testing is a fraction of the cost of the average breach, not to mention potential compliance penalties and damage to the company brand.
Third-party testing brings outside expertise with unique and diverse testing techniques and strategies to yield an objective, unbiased examination.

The key is finding the right penetration testing partner that understands the regulatory requirements of your industry, and the motivations of the attackers.

Penetration testing stages

When executed properly, penetration testing identifies network or IT infrastructure vulnerabilities before an attacker can exploit them.But you can’t just throw a network, app, or website at a pen tester and say, have at it, go find all the vulnerabilities you can. You need a plan.Here are six stages and some thought-starter questions to help map out effective pen testing strategies.

1. Planning & Scope.

What are you testing against, and why? Identify the goals and limits of the test so both tester and client can be prepared and properly measure outcomes. Testing for every threat at once is not possible.

Will the test be a simulated attack originating from outside the organization, or will it be from an internal threat with network credentials?
Will the IT team be informed of the test, or will it be a surprise event to judge staff readiness and responsiveness?
What kinds of tests will be run? What CVEs will testers be trying to exploit?
How much information will be shared with the testers about vulnerabilities before the test? Do they know what to look for (a.k.a., a blind test)?
How aggressive should the testers be? Should they benignly poke around to identify vulnerabilities and stop, or actively try to exploit them?

2. Discovery.

This information gathering stage is when testers attempt to learn as much as possible about the target system and its users without actually penetrating the environment and setting off alarms.

What networking information can be gleaned without detection? IP addresses, firewall configuration, user credentials?
What vulnerabilities have been found? (This is where a Vulnerability Scanner is used).
What personal information can be gleaned without detection? Data such as employee names, titles, and email addresses open the door to phishing scams through which hackers can get greater access into systems.

3. Penetration and exploitation.

Armed with information about the target system and users, testers now attempt to find and breach security weaknesses and see how deep they can penetrate network resources.

Can access privileges be elevated once inside a compromised environment?
What other types of endpoints are vulnerable? Mobile phones or IoT devices?
What secondary doorways and weaknesses were discovered after the initial compromise?
What kinds of information can be exposed, stolen, or held for ransom?
Could the network be taken offline by the attack? For how long?

4. Analysis and reporting.

This post-mortem stage documents the steps of the test, the identified weaknesses, attack path details including the tools used to defeat current defenses, the information that was compromised, and recommendations for remediation.

What tools were used to penetrate the system?
What weaknesses were found?
What are the highest priority items that need to be addressed?
Were any compliance violations found?
What specific technology recommendations can testers provide to solve identified vulnerabilities?

5. Leave no trace.

After testing is complete, testers should examine all penetrated systems and remove any evidence of their presence, as any artifacts or cookies inadvertently left behind could be leveraged by a real attacker in the future.

Is there any evidence of a recent pen test on our system that hackers could exploit?
Are all “backdoors” into the system closed?

6. Retest.

Make sure all the recommended remediations are working by periodically testing for new as well as the same vulnerabilities again. Cyberattack methods are constantly evolving, so it does not mean the pen test was a failure if new weaknesses are found.

Is our environment hardened against all known threats?
Can a similar attack be detected and thwarted?
Are there new variations of a threat against which we have not tested?

Penetration testing methods

As mentioned earlier, there are different kinds of pen tests that search for different types of vulnerabilities.Testing tools are optimized for the segment of the IT environment they are examining and the type of threats each is most likely to encounter.Five common types of pen testing include:

1. Web Application Tests

Examine the overall security of web applications and attempt to uncover flaws such as coding errors, firewall vulnerabilities, broken links, and other potential bugs. Typically performed before a web application is live.

2. Network Security Tests

Focus on network defenses by searching for and exploiting vulnerabilities in different types of network operating systems, and through network devices like routers and switches, and hosts.

Testers look for things like weak passwords or misconfigured assets in order to gain access to other devices on the network, and even other networks.

3. Cloud Security Tests

The cloud is a new attack front, and many clients mistakenly assume their cloud service provider maintains the necessary protections. Cloud environments must be tested equally as on-premises resources.

Pen testers work with cloud providers to validate the security of a cloud deployment and its applications, and how it integrates with on-premises elements of IT infrastructure to ensure attackers cannot access critical systems through the cloud.

4. IoT Security Tests

IoT devices can be almost anything from a TV to a thermostat. While connected to the network and “smart”, IoT devices are not usually equipped with malware defenses, making each one a potential entry point for a cyberattack.

Pen testers analyze each IoT device and the interaction between them, looking to breach the network through unsecured devices with weak passwords, misconfigurations, or outdated firmware. Vulnerable devices can be identified and removed from the network.

5. Social Engineering Tests

These attacks target people to access technology through deception. Often called phishing, a target receives an email that looks like it came from a trusted source asking to share credentials or containing an attachment with malware.

Pen testers emulate phishing campaigns to identify susceptible employees. Further education and training can then be provided to recognize phishing scams and prevent users from inadvertently unleashing an attack on the network.

How often should you run penetration tests?

Here again, it depends.

Penetration testing should be performed on a regular basis. After all, you won’t know if your defenses are working and up to date unless you test them.

However, there are specific instances when the IT or regulatory environment changes that pen testing should be performed to check for new weaknesses:

When new compliance mandates are passed by state, federal, or international regulatory bodies.
When new applications, online payment systems, or infrastructure upgrades are added to the network.
After new security patches are applied to fix identified weaknesses.
When end-user policies are modified.
After a forced layoff or staff reduction, or after a new group of employees is onboarded to ensure only those with current credentials can access systems.
Before a new website or web-based enhancement is launched to the public.
After branch offices are opened or closed.
After news of a major new threat to test for specific vulnerabilities, such as against the recent SolarWinds[TM] malware or Colonial Pipeline[TM] attacks.

Penetration testing tools

If you were a hacker, would you spend hours or days at a keyboard manually entering myriad combinations of characters trying to decipher a password, or would you use a password cracker tool that could automatically enter thousands of random passwords in minutes?

The same principle applies to pen testing.

Rather than manually searching through endless lines of code probing for weaknesses, pen testers use tools like:

Vulnerability scanners
Port scanners
SQL Injection scanners
Network sniffers and protocol analyzers
Compliance scanners
Web browser scanners
Encrypted password crackers

These tools speed through thousands of CVEs across entire IT environments to make testing more efficient.

Penetration testing tools offer features such as:

Automation of routines to eliminate manual probing.
Self-destruct capabilities to remove all traces of a pen test upon completion.
Expiration dates to close any gateways that might be inadvertently left open.
Detailed logging and reporting for audit trails.
Verifying real threats from false positives.
Wizards to guide users who may not have an extensive pen testing background step-by-step through standard tests.
Interoperability with other types of pen testing tools.

Pen testing tools are available from multiple providers.

With so many threats out there and so many solutions to choose from, it can be difficult to know what the right steps are and, which tools to use to protect your IT environment.

The security experts at Ricoh can help you vet and install the proper penetration testing solutions to stay ahead of threats, ensure industry compliance, and protect your vital information.

Contact us to schedule a no-obligation assessment of your security requirements.

Recommended for you

8 benefits of managed cloud services

Discover the 8 benefits that lead companies to choose managed cloud services to meet their cloud computing and cloud hosting needs.

9 low-tech security threats that put company data at risk

Digital data breaches get more visibility in the press, but physical data breaches have the potential to be even worse.

Fetch Robotics relies on RICOH Service Advantage

Fetch Robotics partnered with RICOH Service Advantage to keep its robot automation technology running remotely and provide expert field service.