Updated: Aug 21
It is part of my job to know what penetration testers do and how they conduct pentests (finding vulnerabilities in a client's application or system). Since the importance and relevance of cybersecurity are ever-increasing and can affect every single person's daily life, and newspaper headlines are flooded with stories about data breaches and hacks, it was important to me to share this information with you.
In the modern world, cyber security has become increasingly relevant to every individual, from a strong password policy to protect your email account to the need for businesses and other organizations to protect both their devices and data from theft or damage. Penetration testing, or pentesting, is a method to test and analyse the security defenses that protect these assets and pieces of information. Similar to an audit, a penetration test utilizes the same technologies, techniques, and methodologies that would be used by someone with malicious intent.
According to Check Point researchers:
In Q4 of 2021 there was an all-time peak in weekly cyber-attacks per organization, counting over 900 attacks per organization
In 2021, there was a 50% increase in overall attacks per week on corporate networks compared to 2020
Education and Research was the most attacked sector
Penetration Testing Ethics
Penetration testing is always controversial in terms of legality and ethics.
Labels like "hacking" and "hacker" are often seen as negative due to a few bad apples.
Accessing someone else's computer legally is a challenging concept. What makes it legal?
In a nutshell, a penetration test is an authorised audit of a computer system's security and defences, approved by the owner of the system. It is pretty clear what constitutes an unauthorised penetration: anything outside of this agreement is not allowed. Penetration testers and system owners have a formal discussion before starting a penetration test, in which they decide what tools, techniques, and systems to test. It is this discussion that forms the scope of the penetration testing agreement and determines the course of the penetration test. Penetration testers will often be faced with potentially morally questionable decisions during a penetration test. For example, they may gain access to a database and be presented with potentially sensitive data, or they may perform a phishing attack on an employee to test an organisation's human security. If that action has been agreed upon during the initial stages, it is legal, however ethically questionable it may be.
Hackers are categorized into three hats based on their ethics and motivations.
White Hat - For example, a penetration tester performing an authorised engagement on a company. These hackers are considered the "good people". They remain within the law and use their skills to benefit others.
Grey Hat - For example, someone taking down a scamming site. These people often use their skills to benefit others; however, they do not respect or follow the law or ethical standards at all times.
Black Hat - For example, ransomware authors who infect devices with malicious code and hold data for ransom. These people are criminals and often seek to damage organisations or gain some form of financial benefit at the cost of others.
ROE - Rules of Engagement
At the beginning of a penetration testing engagement, a ROE is created.
Ultimately, the engagement is determined by three sections.
You can view an online example of this document at the SANS institute.
Permission - In this section, the pentest is explicitly approved. This permission is crucial, as it is what allows the testers to carry out their activities legally.
Test Scope - This section specifies the targets that the pentest should cover. Penetration tests may apply only to certain servers or applications, not the entire network.
Rules - The rules section will define exactly the techniques that are permitted during the engagement. For example, the rules may specifically state that techniques such as phishing attacks are prohibited, but MITM (Man-in-the-Middle) attacks are okay.
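A small scope check, written here as an added example and not taken from the post, that models the three ROE sections above: every requested host and technique is checked against the signed agreement before any testing proceeds. The client name, address ranges, dates and technique names are constructed for illustration.

```python
"""Rules-of-Engagement check: permission, test scope and rules must all pass
before an action is allowed. Values below are constructed (added example)."""
import ipaddress
from dataclasses import dataclass, field
from datetime import date

@dataclass
class RulesOfEngagement:
    client: str
    approved_by: str              # Permission: who signed off the engagement
    valid_from: date              # Permission: agreed testing window
    valid_until: date
    in_scope: list = field(default_factory=list)   # Test scope: CIDRs / hosts
    excluded: list = field(default_factory=list)   # Test scope: explicit exclusions
    prohibited: set = field(default_factory=set)   # Rules: banned techniques

    def _nets(self, entries):
        return [ipaddress.ip_network(e, strict=False) for e in entries]

    def check(self, target_ip: str, technique: str, today: date):
        """Return (allowed, reason); refuse unless all three sections agree."""
        if not self.approved_by:
            return False, "no written permission on file"
        if not (self.valid_from <= today <= self.valid_until):
            return False, "engagement window is closed"
        ip = ipaddress.ip_address(target_ip)
        if any(ip in net for net in self._nets(self.excluded)):
            return False, f"{target_ip} is explicitly excluded"
        if not any(ip in net for net in self._nets(self.in_scope)):
            return False, f"{target_ip} is not in the agreed test scope"
        if technique.lower() in self.prohibited:
            return False, f"technique '{technique}' is prohibited by the rules"
        return True, "within scope and rules"

# Constructed sample ROE for a hypothetical client: phishing is prohibited,
# MITM is allowed, one subnet inside the range is carved out.
ROE = RulesOfEngagement(
    client="Example Corp", approved_by="CISO (signed)",
    valid_from=date(2022, 8, 1), valid_until=date(2022, 8, 31),
    in_scope=["10.10.0.0/16"], excluded=["10.10.5.0/24"],
    prohibited={"phishing", "dos"},
)

if __name__ == "__main__":
    for ip, tech in [("10.10.1.4", "mitm"), ("10.10.5.9", "mitm"),
                     ("10.10.1.4", "phishing"), ("192.168.1.1", "scan")]:
        print(ip, tech, ROE.check(ip, tech, date(2022, 8, 15)))
```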
Penetration tests can have a wide variety of objectives and targets within scope. Because of this, no two penetration tests are the same, and there is no one-size-fits-all approach to how a penetration tester should conduct one.
A penetration tester's methodology describes the steps they take during an engagement. An effective methodology is one that is relevant to the situation at hand, where the steps taken make sense.
Using the same methodology you would use to test the security of a web application is not practical when you need to test the security of a network.
OSSTMM - focuses primarily on telecommunications (phones, VoIP, etc.), wired networks, and wireless communications.
OWASP - focuses on web applications and services.
NIST - a popular framework used to improve an organisation's cybersecurity standards.
Basic pen test steps:
Information Gathering - This stage involves collecting as much publicly accessible information about a target/organisation as possible, for example, OSINT and research.
Note: This does not involve scanning any systems.
Enumeration/Scanning - This stage involves discovering applications and services running on the systems. For example, finding a web server that may be potentially vulnerable.
Exploitation - This stage involves leveraging vulnerabilities discovered on a system or application. This stage can involve the use of public exploits or exploiting application logic.
Privilege Escalation - Once you have successfully exploited a system or application (known as a foothold), this stage is the attempt to expand your access to a system. You can escalate horizontally and vertically, where horizontally is accessing another account of the same permission group (i.e. another user), whereas vertically is that of another permission group (i.e. an administrator).
Post-exploitation - This stage involves a few sub-stages:
1. What other hosts can be targeted (pivoting)
2. What additional information can we gather from the host now that we are a privileged user
3. Covering your tracks
Testing an application or service has three major scopes. The level of testing you perform will depend on your understanding of your target. This section covers the three different testing scopes.
BlackBox Testing - This testing process is a high-level process where the tester is not given any information about the inner workings of the application or service.
GreyBox Testing - The tester will have some limited knowledge of the internal components of the application or piece of software.
WhiteBox Testing - The tester will have full knowledge of the application and its expected behaviour.
It is my hope that by reading this post you gain a better understanding of the process of pen-testing and the main concepts involved.
I encourage you to check out my website to read more articles like this on a variety of topics related to information technology