When I ask information security professionals what keeps them up at night, many times they say, “What I don’t know.” It’s no surprise – with reports of breaches on an almost daily basis, it’s impossible to ignore that there are a lot of hackers out there trying to get into networks wherever they can, with tools and techniques that are constantly evolving. As such, it’s important to be diligent about assessing your overall security from the perspective of a hacker. And the best way to do this is through a penetration test.
A penetration test (pen test) is an ongoing cycle of research and attack against a system, application, or network with the goal of discovering exploitable vulnerabilities and determining the impact of those vulnerabilities being exploited.
How a Penetration Test Differs from a Vulnerability Scan
A true pen test is much more than just clicking a button on a tool, performing an automated scan, and running a report. A true pen test uses both automated and manual tools, and it must be performed by a security professional with experience, training, and expertise.
Who you choose to perform a pen test significantly impacts the results. To ensure that findings are valuable and provide you actionable insight, always choose a pen tester who is certified. The Offensive Security Certified Professional (OSCP) is a popular ethical hacking certification. In order to obtain the certification, you must complete a course and then pass a fairly intense hands-on exam. In the exam, you are given 48 hours to perform a pen test on a virtual network, successfully compromise a certain number of servers and devices, and then write a report of your findings.
Though a vulnerability scan is a component of a pen test, it’s really just the beginning. A true pen tester looks at the vulnerabilities found during a scan, then, using research, validates that the vulnerabilities are accurate and determines how to best take advantage of them to gain access to the system.
What is found in the vulnerability scan allows the pen tester to pick the right tool out of their toolbox to break in. Having the skill set to understand the connection between what the automated tool reports and how to manually exploit it is what provides true value from a pen test. It’s much like a detective story where the pen tester finds clues, then uses those clues to decide how to compromise the system.
How a Penetration Test Differs from a Real Intrusion
Pen tests are a highly valuable tool for an organization because they mimic real-world techniques and real-world results. However, white-hat hackers don’t take it to the same level that a real hacker would. Here are some of the differences.
- Time limitations - Pen testers are limited in time. They have to get in and get out within the engagement scope, and get as much valuable information for the client as possible. Malicious intruders may not have the same limitations. Even though it’s often their goal to get in and out as fast as possible, hackers are not constrained by a time limit set by a service contract. For example, with an Advanced Persistent Threat (APT), the objective is to attack at a very slow pace, under the radar, and go undetected for as long as possible. Therefore, as with the APT, the goal of the hacker may be to stay in the system for as long as possible and keep executing attacks that hopefully will go unnoticed.
- Safety - Pen testers aim to minimize disruption to networks and applications as much as possible. Dangerous exploits are not attempted without permission of the client. At Sage, if our pen tester discovers a vulnerability that when exploited could pose some danger to the infrastructure, they stop what they’re doing, talk about it with our client, and make sure we get permission before going forward. While malicious intruders have some eye on avoiding damage because they don’t want to be detected, they may run more dangerous exploits that could damage or take down systems.
- Exfiltration of data - Pen testers may confirm access to data by looking at a small sample of it; however, exfiltration of large amounts of production data is not attempted. This may be the goal of malicious intruders – to actually exfiltrate large quantities of data.
- Persistence within the network - Pen testers remove tools and restore any changes that were made to the environment at the end of the test. Malicious intruders may aim to stay in the network for long periods of time, by installing malware and making other configuration changes.
At the end of the day, the experience, training, and expertise of who is performing your pen test is directly linked to the value the results will provide you. If you’re investing in a pen test, make sure that the person doing it is certified and is doing more than just a vulnerability scan.