Penetration Testing For Dummies
Book image
Explore Book Buy On Amazon
The ultimate goal to penetration testing is to test your technology assets for their security, their safeguards, and controls by trying to penetrate through any configured defenses. But pen testing can be broken down into individual smaller goals.

Pen testing, although a hot topic, isn’t a new concept nor is it an incredibly difficult one. While the underlying technologies, concepts, and techniques can go very deep, conducting pen testing can be very easy if you’re trained and have the right knowledge.

The breadth of pen testing is where the complexity grows because networks, systems, infrastructure, mobility, and cloud architecture all stretch what needs to be assessed. That requires you to look at every aspect of everything your client, company, or business is accountable for.

Protecting assets through pen testing

Your goal as a security analyst (one of the good guys) should be to keep the bad guys (hackers) out of things that they should not be in. It’s important to protect assets so that they can’t be damaged or corrupted (rendering them unusable), altered (changed), infected (with a virus), stolen, hijacked, or the myriad other security threats that could happen.

This list breaks down various security scenarios by industry type:

  • The banking industry: Money can be stolen, moved to other accounts, or debt added to others.
  • Credit card industry: Identities are stolen and that information is used to penetrate accounts that have monetary assets or credit that can be used.
  • The sales industry: Patents can be stolen and products made outside in foreign competitor companies, which causes businesses to fail and stock prices to drop (or rise) based on the intention of the hacker.
  • Health industry: Electronic medical record systems can be infiltrated to change, gather, or corrupt info.
  • Power industry: The power grid needs to stay online, so the government, private industry, and residents can access energy to carry on daily tasks.
  • Military (and other governmental) industries: Secrets need to stay secret and information needs to be protected to prevent harm.

You can be proactive by conducting daily, weekly, monthly, quarterly, and yearly tests to find weaknesses that can be monitored or fixed.

Identifying risks with penetration testing

Risk is another important word to define prior to discussing vulnerabilities to your systems. What is at risk is the technology that runs much of our world today and the data that resides on that technology. By testing the technology, pen testers can reduce the risk of it being exploited and causing harm. What is at risk is simple: security.

Risks run the gamut regarding what level of damage might be done if the risk isn’t mitigated properly although you don’t necessarily handle all risks the same:

  • A small, identified risk: The risk can be small where you know there is a problem, but you accept its risk because you can’t fix it at this time. Maybe a patch is not yet available by a software vendor and you need to wait.
  • An identified risk to monitor: You identify a risk and monitor it, but a penetration and exploitation would lead to very little threat. An example may be hurting the company’s reputation slightly by upsetting a few clients who rely on the systems because they temporarily weren’t available. This risk is low level. There are also other situations where some vulnerabilities can’t be exploited, and it makes sense to monitor them. Other vulnerabilities can be exploited and are of a very high priority (and risk) and, therefore, must be monitored until they’re corrected, which may take some time to accomplish.
  • An identified high-risk ripe to be exploited: This risk is likely to be exploited and may cause loss to a company’s finances, high-level reputation, or worse, a loss of life.
You record all these risks in a risk register and log the results of most security assessments (your pen test results) with a marker denoting the level of risk and the priority in which it should be addressed.

A risk register is a list of known risks and vulnerabilities that you compile as you scan, assess, penetrate, and test. The risk register is the official document (or information stored and accessible in a database, spreadsheet, or other facility) that shows the following:

  • What risks (and vulnerabilities) you’ve found
  • How you may have found those risks
  • The weight you’ve assigned to each risk
  • A priority level in fixing or correcting each risk
The table below shows what a typical risk register looks like.

A Risk Register

Risk Register Entry # Risk Category Risk Sub-category
1 Security Virus
2 Network Wireless
3 Power UPS
4 Environmental Fire Suppression
5 Datacenter Space
6 Environmental Fire Suppression
7 Environmental HVAC
8 Security Physical
9 Server Operating System
10 Datacenter Consolidation
11 Storage Capacity
12 Storage Capacity
13 Security HIPPA And PHI
14 Database Backup
15 Database Corruption
16 Database Network
17 Datacenter Space
The risk register is a great tool to help you identify problems, but it would be hard to guess what changes could cause problems, which is why companies have pen testing conducted: to test their systems for weaknesses. A company might have an in-house team doing the testing or outsource to a security firm or individual consultant.

Testing continues throughout the year(s) — perhaps weekly, monthly or quarterly — to ensure you find all the problems that may have surfaced or been exposed.

A risk register is a living document that you’re constantly updating.

Finding vulnerabilities with penetration testing

A vulnerability is simply a weakness that can be exploited in your technology or something as simple as information disclosure. The technology weakness can be through misconfiguration of an asset, a bug, or code problem in the software installed, or any anomaly in your enterprise.

For example, your hardware vendor updated your firewall, inadvertently introducing a bug. You can be completely unaware of the exploit until either it’s identified by the vendor or another end user, or you run a pen test on your firewall. This doesn’t mean all bugs are exploits, but some can cause and lead to exploits.

Vulnerabilities are a type of risk that can be rated and used as a recorded artifact that can be logged, reviewed, and corrected by people who are responsible for its correction.

Two examples of vulnerabilities are:
  • A buffer overflow: Buffers are memory spaces in computers, systems, routers, switches, and many devices in your infrastructure that help to speed up things and make transferring data more efficient. For example, two devices communicating may get impacted by one sending way too much data for the other one to absorb and compute, so it may buffer it (send it into memory, essentially slowing it down for a) moment to let the internal computing of the receiving system catch up.
  • Malware: Malware (malicious software) is a type of exploit created by a hacker that can take this seemingly good service and turn it into a vulnerability. If a malicious party now sends too much data to the buffer in an effort to exploit a weakness and overwhelm (or overflow) it, it could cause performance to be impacted or in the worst-case scenario, crash the system or cause it to be unresponsive.
  • Password usage: Weak passwords (easily guessed or easily cracked with a password cracking tool) allow immediate entry into a system with the click of the tools button. This is a real-world example of a very common vulnerability, which can be found and prevented by a pen test.
A good corporate password policy (with a system that secures and enforces it) is the best chance to protect against this vulnerability. Unfortunately, it’s still common in many places around the world, and I’m sure during your own pen testing, you will find instances of it during your own pen testing.

Scanning and assessing with penetration testing

The successful pen tester uses tools (both hardware and software) to run penetration tests (sometimes also called penetration assessments) to find vulnerabilities and exploit them.

You scan for vulnerabilities on your system, network, or entire enterprise to find risks that you can either fix or acknowledge. The following image shows a scan from Nessus (scanning software).

Nessus pen testing Sample output from Nessus

Never run a pen test, assessment, scan, or security test on a live production network without permission! Many things can go wrong. For example, you could run a scan on a segment of the network configured with devices to block penetration attempts that shut services off that could impact a production system that’s servicing clients.

Another example: In a hospital system, if you decide to run a scan during the day on a protected network segment without making some adjustments, it could shut down services and prevent patients from receiving care.

Securing operations with pen testing

Typical security operations conducted in an enterprise range from simple to complex. It all depends on many factors, including size of the company, importance of the assets, available budget, leadership’s interest in any (or all) of these factors, and the knowledge and skills of those entrusted to secure and keep secure the assets of the enterprise. To do this, you can either conduct your own security assessments, outsource them, and in some cases even crowdsource them.

Responding to incidents

What if you can see an active attack taking place because of issues you identified through pen testing and which you are now monitoring as part of your ongoing risk assessment? The answer lies in a process or workflow called incident response.

Incident response (which is sometimes called incident handling) is the event management of an attack based on an exploitation of a known or unknown vulnerability. As a security analyst, however, you should know what an incident response team (IRT) is and why it exists.

You might wonder why you’d need a specialized team to handle security-related issues, and the answer is actually very simple: The need is based on containing the incident. Special training is required, and special procedures must be followed for an incident to be handled correctly, as these examples show:

  • A need-to-know basis: You don’t want to tip off someone conducting an active attack that you know it’s happening and are watching. To prevent the attacker from knowing their movements are being monitored, who needs to know about the attack as it happens will be restricted to trained individuals who can react appropriately to the incident.
  • Containing the chain of custody on evidence: You might also want to control the actual message of the day as the incident could wind up on social media platforms or the evening news. You just never know how an incident may impact you or your organization, so you have specific handling procedures and a trained team in place to handle the details.
Note that one part of containing the event is to provide tangible evidence in a court of law. Should the company decide to take legal action against the perpetrator, documented evidence will be needed.

What do you do if you have an active incident take place? The answer depends on the following:

  • Where you are: Location is everything! If you’re local to the attack you can start to work the issue and can conduct all tests and other actions without fear of being disconnected from the network. If you’re working on a virtual private network (VPN) connection or remotely connected to a system over a network, it may be part of the attack vector and you could become disconnected. Being local to the system allows you console access directly from the system itself and in most cases, this can be the most reliable option.
  • Who you are (that is, what role you have): To be designated an active member of an IRT, you simply need to be assigned the role. It may be a full-time role in a larger organization or consulting firms, or in smaller firms you may be assigned it as a collateral duty. Either way, the responsibility is the same and understanding your role and the procedures, processes, and plans are important.The actual team you’re assigned to needs to train together. There is value in understanding everyone’s place on the team and how to handle an active incident.
  • What you believe to be happening: Most companies have an IRT that’s responsible for providing support in the case of an active incident handling request, such as a firewall breach, a virus or malware outbreak, an intrusion, or any other security-related matter. What event is actually happening dictates your course of action.
Obviously, you don’t ever want to have to respond to an active attack. Hopefully, you might be able to prevent it in the first place, and that is why pen testing is so valuable in the entire security framework and defense in depth. If you’re able to secure everything properly or identify any weaknesses and fix them (or accept and monitor them), you solve half the exploit battle.

About This Article

This article is from the book:

About the book author:

Robert Shimonski is an ethical hacker and a professional IT leader who has led numerous efforts to architect, design, strategize and implement enterprise solutions that must remain secure. Rob has been involved in security and technology operations for over 25 years and has written his books from the trenches of experience.

This article can be found in the category: