Securing data and systems with proactive penetration testing

Penetration testing is vital for security assessment and improvement

Alex Vakulov
11/28/2023


An effective data security strategy starts with a comprehensive audit – a systematic process that critically evaluates the security posture of an organization’s IT environment. It is commonly believed that the audit results give the company all the information it needs to build a high-quality information security system.

However, an audit identifies theoretical or potential issues; whether the resulting defenses actually hold has to be tested in practice. That is where penetration testing comes in. By simulating hacker attacks, pentests challenge your system’s defenses, testing for vulnerabilities that could let in real threats.

As a rule, the decision to conduct a pentest rests with the company’s head or the information security department.

Pentest types and goals

Pentests serve two fundamental objectives:

  • To identify and demonstrate the weaknesses present in the system being tested.
  • To enhance the overall security level of that system.

Highlighting security vulnerabilities is critical, especially when it comes to justifying the need for additional resources. This could mean allocating the budget for security enhancements or expanding the infosec team to fortify existing defense mechanisms. Such a process is integral for refining and strengthening the security posture.

Pentests may be conducted in the following modes:

  1. “White box” testing: In this mode, the tester is provided with complete knowledge of the infrastructure, including administrative access and all corresponding privileges. This approach yields a thorough perspective on the security readiness of the system but falls short of gauging its fortitude against actual infiltration attempts.
  2. “Black box” testing: The tester operates without prior knowledge of the system/infrastructure. The pentester is essentially in the same position as a potential external attacker, which allows for accurate emulation of an attack scenario from outside the organization’s IT environment. This mode assesses the system’s defense against real-world attacks and breaches.
  3. “Gray box” testing: This is a hybrid approach where the pentester has some knowledge and may possess limited or unprivileged rights within the IT perimeter. It provides a balanced perspective, enabling the identification of flaws that may result from an improper structural setup or misconfigured applications. Gray box testing is versatile, offering a moderate level of system insight while still simulating the partial knowledge an insider might have.

What are we testing?

At this stage, it is necessary to define test objects.

Network perimeter

The analysis of the network perimeter is often a top priority for pentesters attempting to breach a company and compromise data. An adept tester will typically handle this part with ease, and in most engagements the perimeter is breached through social engineering tactics.

Shadow IT

There is an emerging trend in cybersecurity testing involving Shadow IT – the parts of an IT infrastructure that are off the radar of the IT team. For example, an obsolete yet still active IP telephony system in a company can serve as a gateway for hackers to penetrate the company’s network by exploiting vulnerabilities in old protocols.

Web applications

Web application testing is now in high demand because websites have evolved from simple static pages to complex platforms that can grant access to critical business data, including customer, personal and financial information.

There has been a noticeable increase in web application attacks. In 2022, there was a significant surge, with a 128% increase compared to 2021. Government websites have been hit the hardest, with incidents of successful breaches more than doubling.

Testing a website takes much longer than similar activities in other areas, especially if many interactive elements are used. These tests evaluate both the technical aspects and the application’s logic. It is often possible to gain access to confidential information, take advantage of additional discounts and carry out other unauthorized actions by making minor tweaks to server requests.

Wi-Fi networks

Wi-Fi network testing presents a unique aspect of penetration testing. Typically, it is categorized under internal testing, but it would be more accurate to consider it a distinct segment of penetration testing work. It is mistakenly believed that since Wi-Fi networks only work inside the office, an attacker will not be able to gain access to them. You should know that inexpensive directional antennas are available on the market that allow an attacker to reach the network from several hundred meters away.

Some pentesting firms employ a creative strategy where they set up a decoy Wi-Fi network close to an office, using the same service set identifier (SSID) as the legitimate one. The intention behind this tactic is to find people within the organization who, thinking it is the official network, unwittingly transmit their login credentials to the testers, posing as potential attackers.

DDoS resilience

Testing for DDoS attack resilience is also important. Sectors like retail, gaming and cryptocurrency experience these attacks nearly constantly, spiking the demand for this kind of testing. It is crucial to recognize that an authorized, successful DDoS attack during testing could knock out a web application and lead to a loss of revenue. That is why it is recommended to perform these tests on a separate testing environment or during off-peak hours when visitor traffic is low.

Pentesting service selection

There are currently a large number of companies providing penetration testing services. Surveys indicate that organizations tend to pick a pentesting provider by looking at their portfolio and past projects with clients in similar industries.

In selecting a service provider, it is crucial to consider several factors, including the company’s track record, its market experience and the “proprietary” methods used.

Having an accreditation from the certification body CREST is a reliable indicator of a company’s prowess in cybersecurity. This certification affirms that a company possesses deep cybersecurity knowledge and the ability to perform pentests that meet international standards. CREST recently launched a new penetration tester-specific exam recognized by governments and global regulators.

Each penetration testing provider specializes in different services, like classic penetration tests or red teaming. However, finding one that tests process automation systems (PAS) may require more effort.

Before hiring, ask the potential contractor to present case studies, which will give you a clearer picture of their testing methodology.

Pentest preparation steps

After picking a target system and a vendor for a pentest, the first step is to sign a non-disclosure agreement (NDA) and a service-level agreement (SLA). Sometimes, they can be combined. This is crucial because the information uncovered during a pentest is a hot commodity on the black market, especially data originating from large corporations.

For the purity of testing, it is best to test the systems as they are used daily, without altering equipment or software. If testing the live system is too risky because it might interfere with vital operations, then a dedicated testing environment mirroring the live setup is created instead.

Before starting a pentest, it is important to make sure the organization is prepared to fund and support the follow-up actions needed to improve the effectiveness of the company’s security after the test. Just getting a pentest report and not acting on it is pointless.

The testing strategy selected is critical. With a white box approach, testers are provided complete information about the system from the organization itself. This means the internal security team is kept fully informed and clearly understands all the activities taking place during the test.

Another approach to penetration testing is the red team versus blue team scenario. Here, the blue team aims to thwart the intrusion and identify the attackers. They are given a heads-up about the timing and likely method of the attack to better prepare their defenses.

The most rigorous test of security is red teaming. In this setup, the company’s security personnel are kept in the dark about the test to simulate an actual attack. This is a true test of the system’s defense capabilities against unexpected security breaches.

Achieving desired pentest outcomes

You should have a clear understanding of what you want to test. Ideally, you would pentest every area, but it is important to remember that this can be costly and time-consuming.

Do not overlook the needs of the internal customer in this testing process. Whereas the organization’s leadership is primarily concerned with whether a breach is possible at all, the information security department requires more specific details. This includes information on how quickly an attacker could carry out an unauthorized action, which vulnerabilities were exploited, what tools were used and what kind of information was accessed.

In some cases, the report is mainly required by the IT department’s employees, and it is crucial to outline which software is vulnerable and how these vulnerabilities can be addressed without causing disruptions to ongoing processes. Regardless of the objectives, it is important to recognize that penetration testing can never fully replicate a real hacker’s attack.

Penetration testing is vital for security assessment and improvement. It helps uncover weaknesses but cannot perfectly mimic real attacks due to legal and other constraints. Choosing a reliable provider is crucial, and acting on the test results is essential for enhanced security.
