Prevention v Cure: Introduction to Pen Testing

CyberLab CEO Gavin Wood explains what penetration testing is and why diagnosing vulnerabilities earlier can save you money. 

• • What is a Pen Test

• • How are Pen Tests conducted

• • Penetration Testing v Red Teaming

• • Prevention v Cure

What is Penetration Testing?

Prevention v Cure? Before I answer that I think I will discuss what Pen Testing is and what we are trying to prevent.

Pen Testing or Penetration Testing is a crucial tool in your IT security toolbox. It provides a method for gaining assurance that an IT system or infrastructure is secure through the use of simulated tools and attacks that are used in the real world, to attempt to breach or gain access.

The purpose of the test is to discover any risks and allow you or your security team to act on them before anyone else does.

Typically pen tests are used to identify the level of risk from any hardware or software vulnerabilities and or any configuration issues within your environment.

The output of a pen test is usually in the form of a report that will grade any issues or vulnerabilities found so that these can be addressed, and any gaps closed.

How are pen tests conducted?

Typically, penetration tests are broken down into 6 stages:

Planning and Scoping

The pen testing team will work with your organisation to define the scope of the engagement. It is important that the pen test is well scope to give the best confidence in the outcome.

Research, Reconnaissance and Enumeration

Once the pen test starts, the assigned pen tester will attempt to gather information on your organisation. These sources may include the following and will assist in identifying and exploiting any vulnerabilities or weaknesses:

• • IP Addresses of Websites and MX Records

• • Details of E-mail addresses

• • Social Networks

• • People Search

• • Job Search Websites

Threat Analysis

The objective of this stage is to identify a range of potential vulnerabilities in an organisation’s target systems, which will typically involve the pen tester examining:

• • Attack avenues, vectors and threat agents

• • Results from Research, Reconnaissance and Enumeration

• • Technical system/network/application vulnerabilities.

Automated tools and manual testing techniques will be applied at this stage.

Exploitation

Once vulnerabilities have been identified, the pen tester will attempt to exploit them in order to penetrate the targeted system.

The phases of this stage are:

Exploit – use vulnerabilities to gain access to a system, e.g. inject commands into an application that provide control over the target.

Escalate – attempt to use the exploited control over the target to increase access or escalate privileges in order to obtain further rights to the system, such as admin privileges.

Advance – attempt to move from the target system across the infrastructure to find other vulnerable systems (lateral movement) potentially using escalated privileges from target systems and attempting to gain further escalated privileges and access to the network.

 

Reporting

As I mentioned earlier the pen tester will provide a detailed penetration test report, detailing any threats or vulnerabilities found and the recommended remedial actions.

Threats and vulnerabilities will be ranked in order of criticality. The report will also contain an executive summary and attack narrative which will explain the risks in business terms.

 

Remediation

While the pen test report will provide information on remedial actions required to reduce the threats and vulnerabilities that have been identified, it will be down to your team to review the risks and create an action plan to reduce the actual risk, this action plan should be worked though on a risk-based approach.

Penetration Testing v Red Teaming

The aim of the pen test is to find as many vulnerabilities as possible within your IT environment and provide you with the information on what these are so that you can remediate. There is another type of pen testing often referred to red teaming or red team engagements. So, what’s the difference?

While the pen test looks for vulnerabilities the red team engagement is goal orientated and aims to show what the real-world threats and risk are against your technology, people and physical environment. It will use additional techniques such as social engineering, enhanced reconnaissance and threat intelligence in order for the pen tester to achieve their goal.

If the goal is to access customer data on a specific sensitive system, the success of the engagement is measured on how well this is achieved.

This type of engagement will also test the response of your security team in a real-world scenario, as the red team will not give any warning of their attack, therefore it is an excellent opportunity to review your procedures for detecting and defending against an attack in real-time.

Red teaming more accurately simulates a real work hacking scenario, and if you have a mature security environment then it’s the next logical step.

Prevention v Cure

With the risk of being controversial I am going to make an analogy between Pen Testing and vaccination.

We all know how vaccines work; they are a pre-emptive action against an illness to stop you getting the full affects and or be able counter the actual illness should you come in to contact with it.

A pen test is a pre-emptive action that allows you to discover and remediate any issues before someone else does.

Having a pen test should be part of your prevention strategy for IT security. Simply put you can’t manage what you can’t see, if you don’t know you have vulnerabilities you cannot close them down. Pen testing is an ideal way to give you the visibility of these issues and allows you to take remediation action to correct.

Given that cyber incidents are the 3rd biggest business risk for 2021 (that year’s top risk) and the average cost of remediating a ransomware attack now at $1.85m, prevention must be better than the cure!

However, pen testing is not a magic bullet, and it does have limitations; it’s a point in time test of the infrastructure. If a vulnerability is introduced after the pen test has been conducted it can still impact on your security. So regular testing is essential, especially after deploying new systems and technologies and as a part of your security continual improvement lifecycle.