Many new clients come to TCE Strategy asking for a penetration test of their network, their website(s), or one of their branch offices. More often than not, they are not ready for a penetration test. It would be a waste of their hard-earned dollars to perform a test where the outcome can be easily determined in advance. Until vulnerability scans, password reviews, email filtering tests and other cyber security assessments are performed, a penetration test is the equivalent of using a sledgehammer to swat a mosquito.
Let us begin with a simple question: What is penetration testing? Penetration testing is the art of hiring a specific type of security professional known as a Certified Ethical Hacker (CEH), also known as a penetration tester, to pretend to be a cyber criminal and look for ways to take over your computer network. It is often referred to as a “pen test” in the cyber security industry. Penetration tests come in several versions:
Black box testing: This refers to a test from the outside of your network looking for holes to get inside your environment. No advance knowledge is shared with the pen tester beforehand. The pen tester must find security weaknesses or security vulnerabilities on his/her own.
Grey box testing: Grey box testing is also a test from the outside of your organization to try to get inside your network, but some information is shared with the CEH in advance. Normally pieces of information that your everyday employees would know are shared, such as the address for your VPN, the location of your sites, the type of antivirus that your network runs, and so on.
White box testing: White box testing simulates a hack where the CEH has detailed information about your environment, such as the types of firewalls your organization uses, the topology of your network, your logging solutions, and so on. Normally this type of hacking simulates a former IT administrator for your company trying to hack you.
Website testing: Website testing focuses on hacking a website that your company owns. The pen tester will try to gain access to parts of your website that they shouldn’t be able to reach (or that they should have to pay to reach). They will use automated pen testing tools to try to find exploitable vulnerabilities that will get through your website’s security controls. Manual testing methodologies will also be employed. Normally these types of tests are reserved for e-commerce companies or for websites that are hosted inside your network but are facing the Internet.
Assumed breach test: An assumed breach penetration test assumes that a cyber criminal was able to compromise a single computer system in your network, and he/she inherited the “everyday” privileges of one of your users. This simulates what often occurs when one of your users clicks a malicious link in an email or opens a malicious attachment. The CEH then tries to elevate him/herself to become a local administrator, probe your network for other accounts that can be compromised, and so on. The ultimate goal is to gain “domain administrator” credentials, which is a complete takeover of your environment. I am a strong fan of this type of testing, as this is a common scenario in the real world.
Before a penetration test is considered, there are less expensive tests that can be performed that will prepare your organization for a full “pen test”. Vulnerability scanning, password testing, firewall rule reviews and phishing tests are all good choices to perform before a pen test is considered. These security measures will look for the security issues that a penetration tester would most likely take advantage of.
Vulnerability scanning: Vulnerability scanning is a type of test in which an automated tool scans your network for known cyber security holes. These holes typically come from known vulnerabilities for which software manufacturers have released patches, but those patches have not been applied in your environment. The types of scanners used to do this vary widely; some are open source while others require payment to use. Having an experienced security team use the tool is much more important than the specific tool chosen. These scans will also look for extremely simple passwords (such as “password”) and other obvious basic flaws in a cyber security profile.
Password testing: Password testing centers around guessing your users’ passwords. This can take two forms: First, a scan of your company’s internal “Active Directory” environment is easy to perform, and an automated tool can look for easy-to-guess passwords. Second, a scan of the “dark web” can be performed that looks for accounts from your company that may have been compromised in other breaches. The passwords harvested from those “dark web” sources can be tested in your environment to see if those passwords are still valid.
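The second form of password testing described above, checking whether passwords that turned up in other breaches are still in use in your environment, is simple to automate. The following Python script is an added example and is not TCE Strategy's tooling or anything from the article. It assumes (not stated in the article) that accounts are held as SHA-1 hashes of their passwords, the format used by the Have I Been Pwned "Pwned Passwords" corpus, and that the breach corpus is a short constructed list; a real Active Directory audit would compare NT hashes instead, with identical logic. It also demonstrates the k-anonymity style lookup (index by the first five hex characters, compare the remainder locally) so that a full hash never needs to leave your network.

```python
"""Breach-corpus password audit (added example, not TCE Strategy's tooling).

Assumptions (not from the article):
- Accounts are (username, SHA-1 hex of password), the Pwned Passwords format.
  An AD audit would use NT hashes instead; the matching logic is the same.
- BREACHED_PASSWORDS is a constructed stand-in for passwords harvested from
  breach dumps, and ACCOUNTS is a constructed sample of your user base.
"""
import hashlib
from collections import defaultdict

# Constructed breach corpus.
BREACHED_PASSWORDS = ["password", "Summer2023!", "letmein", "Welcome1"]

# Constructed account sample. Plaintexts appear only to build the demo data;
# a real audit starts from the hashes already held by the directory.
ACCOUNTS = [
    (user, hashlib.sha1(pw.encode()).hexdigest().upper())
    for user, pw in [
        ("alice", "Summer2023!"),
        ("bob", "correct horse battery staple"),
        ("carol", "password"),
        ("dave", "Welcome1"),
    ]
]


def build_prefix_index(passwords):
    """Index breached hashes by their first 5 hex chars (k-anonymity bucket)."""
    index = defaultdict(set)
    for pw in passwords:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        index[digest[:5]].add(digest[5:])
    return index


def range_query(index, prefix):
    """Return every hash suffix in one bucket, mimicking a range-API lookup."""
    return index.get(prefix, set())


def audit_accounts(accounts, index):
    """Return usernames whose password hash appears in the breach corpus."""
    hits = []
    for user, digest in accounts:
        # Only the 5-char prefix is sent to the lookup; the suffix match is local.
        if digest[5:] in range_query(index, digest[:5]):
            hits.append(user)
    return hits


if __name__ == "__main__":
    idx = build_prefix_index(BREACHED_PASSWORDS)
    for user in audit_accounts(ACCOUNTS, idx):
        print(f"{user}: password appears in breach corpus, force a reset")
```

Accounts that match should be forced through a password reset, and the same check can be run at password-change time so a user cannot pick a breached password again.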
Firewall rule reviews: Your company likely has a firewall that separates your internal network from the Internet. The Internet is a literal warzone, and the rules that firewall uses are your first line of defense to let the good guys in while keeping the bad guys out. There are many technical nuances to firewall rules, and a review of your company’s rules would be very helpful to gauge the amount of exposure that your company has to threats from the Internet.
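A firewall rule review is partly mechanical: a first pass can flag the rules that give the most Internet exposure before a human reads the rest. The script below is an added example, not TCE Strategy's or the article's own tool. It assumes (not stated in the article) a vendor-neutral rule shape of `{id, action, proto, src, dst, dport}` evaluated first-match from top to bottom, with "any" meaning unrestricted, and the rule set is constructed for the demonstration. It flags three of the nuances a reviewer looks for: an allow-anything rule, management services reachable from any source, and rules that are shadowed by an earlier, broader rule and therefore never take effect.

```python
"""Firewall rule review helper (added example, not the article's tool).

Assumptions (not from the article): rules are dicts shaped
{id, action, proto, src, dst, dport}, evaluated first-match top to bottom,
"any" means unrestricted, src/dst are IPv4 CIDRs. RULES is constructed.
"""
import ipaddress

# Services that should not be reachable from arbitrary Internet sources.
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 1433: "MSSQL", 3389: "RDP"}

# Constructed rule set for the demo.
RULES = [
    {"id": 10, "action": "allow", "proto": "tcp", "src": "any", "dst": "203.0.113.10/32", "dport": 443},
    {"id": 20, "action": "allow", "proto": "tcp", "src": "any", "dst": "203.0.113.20/32", "dport": 3389},
    {"id": 30, "action": "allow", "proto": "any", "src": "10.0.0.0/8", "dst": "any", "dport": "any"},
    {"id": 40, "action": "deny", "proto": "tcp", "src": "10.1.2.0/24", "dst": "10.9.9.9/32", "dport": 22},
    {"id": 50, "action": "allow", "proto": "any", "src": "any", "dst": "any", "dport": "any"},
]


def _net(value):
    """Turn a CIDR string or "any" into an ip_network object."""
    return ipaddress.ip_network("0.0.0.0/0" if value == "any" else value, strict=False)


def _covers(broad, narrow):
    """Scalar field check: "any" covers everything, else values must be equal."""
    return broad == "any" or broad == narrow


def rule_covers(broad, narrow):
    """True when every packet matched by `narrow` already matches `broad`."""
    return (
        _covers(broad["proto"], narrow["proto"])
        and _covers(broad["dport"], narrow["dport"])
        and _net(narrow["src"]).subnet_of(_net(broad["src"]))
        and _net(narrow["dst"]).subnet_of(_net(broad["dst"]))
    )


def review(rules):
    """Return (rule id, finding) pairs for the issues a first-pass review flags."""
    findings = []
    for i, rule in enumerate(rules):
        is_allow = rule["action"] == "allow"
        if is_allow and rule["src"] == "any" and rule["dst"] == "any" and rule["dport"] == "any":
            findings.append((rule["id"], "allow any/any: no filtering at all"))
        if is_allow and rule["src"] == "any" and rule["dport"] in MANAGEMENT_PORTS:
            findings.append((rule["id"], f"{MANAGEMENT_PORTS[rule['dport']]} reachable from the Internet"))
        # First-match evaluation: a rule fully covered by an earlier one is dead.
        for earlier in rules[:i]:
            if rule_covers(earlier, rule):
                findings.append((rule["id"], f"shadowed by rule {earlier['id']}, never evaluated"))
                break
    return findings


if __name__ == "__main__":
    for rule_id, finding in review(RULES):
        print(f"rule {rule_id}: {finding}")
```

In the constructed set, rule 40 is the kind of mistake a review catches: a deny that looks correct in isolation but sits below a blanket allow from the same address space, so it never blocks anything. Real rule bases also need checks for service objects, zones and IPv6, which this pass does not model.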
Phishing tests: Phishing tests are emails that simulate the malicious emails that cyber criminals so often send to employees of your company. Normally they contain links to malicious websites that ask for the user’s username and password. They may also contain malicious attachments (Adobe Acrobat documents, Word or Excel documents, etc.) or have a link to a website that will try to infect their computer with a virus. A simulated phishing email will typically ask a user to click on a link that they shouldn’t, and a log of those who fall for the “phish” will be kept and sent to you as part of the test. Sometimes more advanced testing that employs social engineering is used, which could take the form of phone calls, physical letters or well-constructed “spear phishing” emails.
In summary, penetration testing is a very important part of determining a company’s cyber security posture, but it should come after more basic assessments are run in order to maximize the return on investment that a company receives from the dollars they invest in cyber security testing.
BRYCE AUSTIN, CEO, TCE Strategy
Bryce Austin started his technology career on a Commodore 64 computer and a cassette tape drive. Today he is a leading voice on technology and cybersecurity. Bryce holds a CISM certification, advises the boards of companies in a diverse array of industries, and has over 20 years of cybersecurity leadership experience. He is the named CISO (Chief Information Security Officer) for many companies, including one listed on the S&P 500.
Bryce speaks to audiences worldwide on how to stay safe from cybercriminals. The #1 goal of his presentation is for you to learn how to bring your cybersecurity risk to a level that is Secure Enough for you. His best-selling book is titled Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives.
In his free time, Bryce is a high-speed track driver and coach. He has driven cars from a 65 horsepower Mini Cooper to a 650 horsepower Porsche 911 Turbo. He has had over 100 students, none of whom have died while under his instruction.