Maybe it’s that mail server that IT forgot to decommission when the company transitioned to Office 365.
It could be the smart thermostat or the new printer that’s still running the default password. Or perhaps it’s that iPad logged onto the hotel Wi-Fi network.
Companies of all sizes have a seemingly endless number of IT security vulnerabilities, any one of which can land them in trouble.
What Is Penetration Testing?
One way to discover such holes is by conducting a penetration test, an exercise in which an ethical hacker aims to break into a network, application or device to uncover vulnerabilities and warn organizations about them before malicious hackers can exploit them.
Not all penetration tests are created equal. “A good pen tester is not just about finding that little hole on your network but about helping you figure out how that hole got there in the first place and why it wasn't patched or protected,” says Joel Snyder, senior partner at Opus One, a Tucson, Ariz.-based IT security consulting firm. “It’s an educational process. The goal is to knock off 100 things, not one.”
A major part of that process is the opportunity to work closely with security professionals. “I feel that most of the value that the client derives from us doing assessments is from them being able to sit down with us and have conversations instead of just relying on a written report,” says Ian Odette, a CDW security consulting engineer.
Before hiring a pen tester, it’s important for organizations to understand how pen tests work, the different types and when it makes sense to conduct one. Here are just some of the most prominent penetration testing types used by ethical hackers.
Red Teaming Exercises
Conventional targeted penetration testing is very focused: A company hires a tester to attempt to attack its website directly. The problem is that real hackers don’t stick to a tight scope; they just go around the site if necessary, explains Ross McKerchar, CISO at security technology company Sophos.
“Hackers aren’t standing still,” says Laura DiDio, principal of Information Technology Intelligence Consulting research firm. “It’s like watching X-Men. The mutations are evolving so quickly.”
Red teaming, on the other hand, employs a more comprehensive collection of attack methods, including cyber and social engineering. A targeted attack aims to break into the front door; a red team can go around the building, check the windows and try to persuade a staff member to let them in, adds McKerchar.
Not every organization is ready for a penetration test. A small business without a strong security plan is probably better off hiring a consultant to help build one or employing a managed services provider.
Companies that are ready to test their systems might be wise to start with a vulnerability scan or a network assessment before a full pen test. For instance, CDW’s Threat Check is a free service that passively scans a company’s network to uncover vulnerabilities. A team from CDW then discusses the results with the company. If there are security solutions that can help, the company can test tools from Cisco, Tenable and others for free.
“If you have a security program and have the basics covered — good passwords, patching, encrypting devices, running anti-virus, running firewalls, etc. — then it makes sense to think about your more critical assets,” says McKerchar. “We have many layers of defense. The interesting question is which layers are working well, and that's something a red team can help you with.”
Black Box Testing vs. White Box Testing
There are additional types of pen testing beyond red teaming exercises. A tester conducting a black box assessment, like a real outside attacker, doesn’t get any information from the company, whereas a white box assessor is given upfront information about the organization’s infrastructure, including network diagrams and application source code.
Alternatively, a gray box assessment falls between black box testing and white box testing: The assessor gets some information but not nearly as much as a white box assessor.
Network Penetration Testing vs. Web Application Penetration Testing
Penetration tests also vary based on their targets. Network penetration tests, for example, focus on network services, such as firewalls or DNS servers, whereas web application penetration tests are highly specialized attacks on one application at a time.
Organizations should consider testing customer-facing applications that drive the most revenue and contain the most customer data, advises McKerchar.
What Are Some Examples of Penetration Testing Tools?
Pen testers also use an array of open-source and commercial tools. Some of the most effective include:
Nmap is an open-source utility that maps a network by taking a range of IP addresses and trying to connect, over a variety of protocols, to every device that responds in that range. “It’s the fastest, quickest way to see what’s going on inside a network,” says Snyder.
Burp Suite by PortSwigger Web Security is a commercial web vulnerability scanner with manual testing tools.
Kali Linux comes with hundreds of tools preinstalled.
Metasploit by Rapid7 is a powerful tool for pen testers to illustrate vulnerabilities.
Nessus by Tenable is a vulnerability scanner that can generate an initial list of issues. “Everyone should run it on their own networks on a frequent basis,” says Snyder.
“A good pen tester has at their fingertips dozens or even hundreds of tools,” says Snyder. The tools used depend on the type and stage of the attack.
A pen tester’s strategy begins with reconnaissance, followed by attempts to get a foothold on the target. He or she then aims to move laterally across resources or escalate the attack. The reconnaissance stage could include everything from looking at Whois records or email headers to social engineering to get that initial foothold.
“An attacker isn't just going to scan your systems looking for unpatched systems,” says Mark Lachniet, information security solutions practice manager for CDW. “They're going to go after the path of least resistance, which is the way people are easily tricked.”