When discussing cyber security, one of the first things most people think about is the term ‘hacking’. A penetration tester (aka pen tester, or ethical hacker) is one of the more well-known cyber security jobs out there. Plenty in this role will simply go by ‘Security Consultant’ though, keeping that slight air of mystery around what they actually do.
In this introduction to penetration testing (or pen testing), we’ll cover what it is, some common lingo you will hear or may want to be familiar with, some of the most common types of pen tests conducted, and why pen testing might be a job for you.
What is penetration testing?
To be proactive about cyber security, an entity needs to do more than just monitor for threats and attacks to try to detect and prevent them. By actively searching for vulnerabilities, exploiting security weaknesses, and thinking like a threat actor, it is possible to expose security gaps and address them before the bad guys do. This puts an entity on the offensive side of security, and is where penetration testing comes in.
In a controlled manner, with a pre-determined and agreed-upon scope, a pen tester (or a team of them) uses tools and skills to find ways to attack and exploit hardware, software, network infrastructure, applications, people and more.
Pen testing is less frantic and adrenaline-pumping than it is sometimes imagined. In practice, pen testing usually means working to a testing methodology or framework. This sets a benchmark for what is tested and how it is tested, and ensures the results are consistent, measurable and comparable from one engagement to the next.
Some common pen testing methodologies include:
- The OWASP Web Security Testing Guide (WSTG). The better-known OWASP Top Ten is an awareness list of the most critical web application risk categories rather than a testing methodology, but test coverage is often mapped to it.
- The Open Source Security Testing Methodology Manual (OSSTMM)
- The National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-115, Technical Guide to Information Security Testing and Assessment
Pen testing, often referred to as offensive security consulting in professional services talk, is formal and prescriptive most of the time, and requires high repeatability and evidence collection. This is in order for the entity receiving the test to verify the results, reproduce the results, and then remediate security issues and close gaps to improve its overall security posture.
Most pen testing results in findings rated according to a severity or vulnerability score, such as the Common Vulnerability Scoring System (CVSS). The deliverable the client is paying for is a report that details the vulnerabilities and findings, how they were exploited step by step, context and dependencies, and suggested remediations and other security recommendations.
Following delivery of the report, the pen tester is usually asked to retest the remediated issues before they are considered closed. The pen tester or testing organisation then provides an attestation letter confirming which findings were retested and remediated.
It is important to keep in mind that pen testing is typically time-bound (due to cost and resource limitations), so it is both a best-effort and a point-in-time exercise. As environments and application code change, new vulnerabilities may be introduced or discovered. Therefore, pen testing is routine: at least annually, after significant changes, and often before an application is released.
Ethical Hacking vs Penetration Testing
So, you may have heard of ethical hacking as well as penetration testing. If you are wondering whether there is a difference, the short answer is that in practice the terms are used interchangeably. As ‘hacking’ became more widely associated with malicious or nefarious activity, there was a need to distinguish between the threat actors doing the hacking and those doing testing and assurance work, often with the same tools and methods, but for ethical and legitimate reasons. The term ‘ethical hacking’ dates back to the mid-1990s, when it was first used by IBM.
‘Hacking’ has been used since the 1960s right through to the present, to describe creative, interesting or more efficient ways to do activities or perform tasks. There are plenty of news articles, social media posts and discussions about ‘life hacks’. Those qualities apply to ethical hacking, aka pen testing too.
Hat colours are often used to describe the intent and authorisation of the person doing the hacking: black hat, white hat or grey hat.
- Black Hat: Generally speaking, the bad guys – threat actors in true cyber security lingo – targeting entities with malicious intent to attack and exploit applications and environments for criminal gain.
- White Hat: The good guys – ethical hackers, pen testers – who obtain permission and perform security tests so entities can understand how to improve and stop the black hats from getting in or moving around.
- Grey Hat: Somewhere in between. Grey hats act like black hats in that they hack without permission or an agreed scope, which is usually illegal, but then offer their findings to the entity, often with the expectation of a reward.
If you have ever heard of bug bounties, this is one way organisations engage the hacking and wider cyber security community: they publish a scope and offer rewards in return for disclosing bugs, vulnerabilities and weaknesses through proper channels. Testing inside a bounty's published scope is authorised, so it is white hat work without the paperwork of a formal engagement; hackers who stray outside that scope and then ask for a reward are in grey hat territory, teetering on the edge of the legitimacy problems of a black hat scenario.
Just to add extra shades of grey to it all, there are black, white and grey box tests that entities can procure when buying pen testing services. The terms borrow their shades loosely from the aforementioned hats, but they describe how much information the tester is given, not the tester's intent.
- Black Box: The pen tester has no information about the infrastructure or environment, and closely simulates an external threat actor who has to start from public information alone.
- White Box: The pen tester has knowledge of the internal infrastructure (documentation, architecture, often source code) and may be given credentials that place them inside the environment, giving a fuller view of what could be done with that access or after a black box scenario has been breached.
- Grey Box: Sitting somewhere in between, the tester has some, but not all, of that knowledge and access. This is often a time and cost decision: a real threat actor can spend far longer on their tactics, techniques and procedures than can usually be justified for a pen testing engagement, so giving the tester a head start makes better use of the time available.
Why is penetration testing important?
There are several factors that come into play when determining the value of pen testing for an organisation. In an ideal world, every organisation would want to be as secure as possible and do whatever it takes to do so. This isn’t always practical, economical or reasonable to do. Even when it is, there are still unknowns and new risks evolving.
Some common business drivers for pen testing are:
- Security: An organisation needs to protect valuable and sensitive data, whether it is intellectual property, personally identifiable information, staff information, financial data or anything else. Keeping threat actors out of the environment lets the business continue as expected, keeps its reputation intact, and avoids incidents with negative impact.
- Compliance: Many organisations have to comply with regulations, standards or laws. In order to achieve compliance with security standards, pen testing is very often a requirement to provide an acceptable level of assurance. This may be to a standard such as PCI DSS, APRA CPS 234, ISO 27001, SOC 2, or the many various local and regional frameworks and laws.
- Assurance: Providing assurance to customers, partners, suppliers, stakeholders etc., is an increasingly common requirement to not only stay in business but to succeed. Many organisations, as part of their information security programs, require third parties to meet agreed levels of security assurance, and this can drive pen testing as part of the attestation to adherence to required controls.
All of the above, regardless of similarities and differences, assist in driving business goals. All aspects of cyber security need to support the organisation’s strategies.
Types of penetration tests
Each part of an environment has a type of testing that applies to it. Pen testing spans software, hardware, applications and physical locations, and comes in many different scopes and flavours. Some of the most common types of pen testing engagements organisations undertake are as follows:
- External: Taking the perspective of a threat actor outside of the network environment, with public access and information, this type of test focuses on perimeter and external security controls and how those prevent initial access and exploitation.
- Internal: Takes the perspective of a threat actor that has gained access to the internal environment or perhaps already has that access for a legitimate purpose. Internal testing often looks at what is implemented to prevent or minimise lateral movement, privilege escalation and taking advantage of the environment and configurations to further compromise internal security functions.
- Wireless: Just like physical and logical networks, wireless networks have their own vulnerabilities. Wireless pen testing assesses the access point and client configurations, the authentication and encryption protocols in use, and whether rogue or spoofed access points can capture credentials. It is often successful in finding gaps where organisations run multiple wireless networks, such as guest and corporate, and the segregation between them is weaker than assumed.
- Web Application: One of the most common pen tests. As a significant amount of data may be linked to, stored behind or provided via a web application, it is a lucrative target for threat actors. Application coding has few mandatory requirements, little oversight and little regulation, and organisations may develop internally or outsource development, so the security of the code varies widely across organisations and vendors. Pen testing web applications is not only considered good practice but is often required before the application can go to market.
- Mobile Application: Similarly to web applications, mobile applications need to be tested for vulnerabilities and risks. With a massive amount of data and access provided to mobile apps on a constant basis, the security of that data and mobile app access is crucial to meet the expectations of the app stores and consumers.
- Hardware / Device: Just like software, hardware and devices are also susceptible to compromise by a threat actor. Testing of hardware and devices is quite specialised and usually requires dedicated testing tools and trained personnel. Off-the-shelf hardware and devices are not usually pen tested by the organisations procuring them. However, an organisation developing hardware to take to market would be wise to have it pen tested in order to provide the required level of assurance.
- Physical: Not all threats come from online or from behind a screen. Many attacks still have a physical element to them, and plenty of organisations assume a certain level of goodwill and let physical security controls fall by the wayside. Physical access may lead to network access, whether via a network port in a wall, wireless access, or physical media that could range from a password on a post-it note stuck to a monitor, to a server room with access to infrastructure, or just an internal phone line. Physical pen testing engagements test a range of physical controls, often led by in-person social engineering to see what access can be gained through staff awareness and goodwill, through to lock picking, reading and cloning access cards, and more.
- Objective-based: The most specific of pen testing, this will be called different names by different providers or may not be offered at all by some. Objective-based narrows the scope to target something of value in particular. This may be valuable to an organisation that has identified its crown jewels and believes it has implemented security controls to protect them but needs assurance. Objective-based pen testing may target a specific database of sensitive data, a particular domain controller, breaching a certain part of the internal environment or anything else of high value.
Pen testing has many interesting elements to it. Becoming a pen tester is one of the most exciting cyber security jobs going around. Working as a pen tester does have a fair degree of reporting and procedural work that goes into it. It will feed a creative, ambitious, curious mind. Not only do you need to have a highly technical understanding of software, hardware, coding and the interactions of systems and data, but you also need to understand people and their environments. Pen testing suits someone who embraces a challenge, can think like a threat actor, has proven discipline to self-educate and continually learn new vulnerabilities and skills.
A skill sought after by organisations hiring pen testers is the ability to translate technical information into easily digestible language. Whilst pen testers will usually liaise with a technical contact at the entity, there is a need to convey the risks, vulnerabilities, threats and remediation steps in a way that is not overly technical, because executives and leadership may want to understand the engagement and its outcomes too.
If pen testing has got your ethical hacking itch going, book a career consult today to find out more about the Cyber Security Program to learn how you can get the job-ready skills to step up and into the industry.