In this day and age, cyber-security and penetration testing seem to occupy a lot of talk throughout the Government, IT, and Intel industries. You can hardly go a day without hearing about a hacker somewhere in the world accessing sensitive corporate or government data. For all the talk we hear about this occurring, I’m sure the average user feels like the boogeyman is lurking behind every web-page they visit.
But what about the good guys? We hardly hear anything mentioned regarding the Good or “Ethical Hackers.” Um, excuse me, good hackers? Yes, there really are some good people left in this world! These ethical hackers use many of the same tools and skills as the bad or “Black Hat” hackers but for the sole purpose of securing computer information systems by identifying vulnerabilities before an attacker has the chance to find and exploit them. These hackers are often referred to as “White Hats” or Ethical Hackers. If you are a bit confused, don’t worry, all will be revealed below.
In today’s short but informative read we are going to discuss a few topics related to these ethical hackers/cyber warriors, namely Pentesting. We will cover what Pentesting is, who needs it, who conducts it, and why you should consider incorporating Pentesting into your regular information security evaluations.
What is Penetration Testing?
Jumping right in, what is Pentesting? The term Pentesting stands for Penetration test. These types of tests are typically conducted by seasoned IT professionals (who are usually white hat hackers), for many institutions to identify security shortfalls or to validate the existing security posture of the organization’s physical and technological security implementations.
Before we continue, it is very important to remember, and I stress this point emphatically: you must obtain written permission from any and all organizations before conducting any tests on their facilities or networks. Doing so without written consent is highly illegal and you will go to jail, face prosecution, and possibly end up in prison. Have no delusions that you are going to hack into an organization’s network and reveal it to them after the fact, thinking they are going to appreciate it, offer you a job or money for your efforts, and throw a parade in your honor. They will more than likely call the police and press charges against you, landing you not a job but serious jail time. Don’t say you haven’t been warned: companies and governments take hacking very seriously and will waste no time prosecuting violators, making examples out of them to deter other would-be script-kiddies.
Pentests are usually conducted by an individual or group of individuals who have been certified to perform such tests. To be clear, there is no “one size fits all” type of Penetration test. Each organization has its own requirements, equipment, operating systems, databases, and network topology. Ethical hackers need to be familiar and comfortable operating in such environments.
Types of Penetration Testing
Let us take a moment to quickly cover the three most basic types of Penetration tests that are typically performed: White box, Gray box, or Black box.
White Box Penetration Tests
The individual(s) conducting the test are provided with all the information about the target system. These are primarily performed to internally audit the system.
Gray Box Penetration Tests
This type of test limits the amount of information that is given to the team testing the system. This type of test simulates what an insider might know about certain parts of the system but does not provide the testers with full knowledge of every aspect of that system.
Black Box Penetration Tests
This type of Pentest is the most difficult because the tester(s) have no knowledge and are in essence going in blind with little to no information about the target system.
The Penetration Testing Process
Now that we have some idea about which type of tests may be conducted and the level of information that would be provided depending on which type of test is selected, there are some other considerations that need to be made before the actual Pentest can begin. Since no two systems or organizations are alike, it will be up to each institution to determine the type of testing that is required based on their specific needs. Certain security requirements and industry standards will also need to be taken into consideration, as well as the frequency of such tests.
Ultimately a document will be created that includes the scope of each particular test as well as granting permission to the specific organization or person(s) conducting the Pentest. The scope needs to include a date range with start and stop times, specific IP addresses or range of IP addresses that can be scanned/attacked, services that may or may not be interrupted, reporting procedures for both the IT department and the tester(s) in the event IDS/IPS is triggered, along with many more considerations that will not be covered, for the sake of brevity.
It’s important to also realize that Pentesting has the potential to affect normal system operations which is why a scope document must be developed and defined. This protects not only the organization, but also the Pentester(s), by setting the boundaries for the test. Basically, a Pentest can be thought of as giving a trusted and qualified team of individuals permission to hack (legally) into your network based upon a predefined testing plan. Anything outside of the scope is not permitted and the testing personnel would be liable for any damage that occurred due to their negligence.
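The scope items listed above (test window, permitted IP ranges, services that must not be interrupted) can be encoded so that tooling refuses anything outside them. The following is an added example, not part of the original article, and it assumes a simplified scope model: the `Scope` field names are hypothetical, protected services are identified by port number, and the sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Scope:
    """Machine-readable slice of a scope document (field names are hypothetical)."""
    start: datetime                            # test window opens (timezone-aware)
    stop: datetime                             # test window closes
    allowed: tuple                             # networks that may be scanned
    excluded: tuple = ()                       # carve-outs inside allowed ranges
    protected_ports: frozenset = frozenset()   # services that must not be interrupted

def check_target(scope, host, port, when):
    """Return (permitted, reason) for one host/port at a given time."""
    if when.tzinfo is None:
        return False, "timestamp must be timezone-aware"
    if not (scope.start <= when <= scope.stop):
        return False, "outside authorized test window"
    try:
        addr = ip_address(host)
    except ValueError:
        # Hostnames can resolve to out-of-scope addresses, so fail closed.
        return False, "not a literal IP address; resolve and re-check"
    if any(addr in net for net in scope.excluded):
        return False, "address is explicitly excluded"
    if not any(addr in net for net in scope.allowed):
        return False, "address is not in an authorized range"
    if port in scope.protected_ports:
        return False, "service must not be interrupted"
    return True, "in scope"

# Constructed sample scope using documentation-only address space (RFC 5737).
SAMPLE_SCOPE = Scope(
    start=datetime(2024, 3, 4, 22, 0, tzinfo=timezone.utc),
    stop=datetime(2024, 3, 5, 4, 0, tzinfo=timezone.utc),
    allowed=(ip_network("192.0.2.0/24"),),
    excluded=(ip_network("192.0.2.128/28"),),
    protected_ports=frozenset({5432}),
)

if __name__ == "__main__":
    night = datetime(2024, 3, 4, 23, 30, tzinfo=timezone.utc)
    for host, port in [("192.0.2.10", 443), ("192.0.2.130", 443),
                       ("198.51.100.7", 22), ("192.0.2.10", 5432)]:
        print(host, port, check_target(SAMPLE_SCOPE, host, port, night))
```

Logging every refusal alongside its reason gives both the IT department and the testers a record that the boundaries in the scope document were honored.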
Why Conduct a Pentest?
So up to this point you may be wondering why you would even want to engage in anything that has the potential to disrupt your operations, or why would you allow anyone from outside your network to conduct any sort of Penetration tests on your system? It’s a very common concern and you would not be alone in voicing it. The reasons are actually very simple and from a security standpoint, they make a lot of sense.
The first and foremost reason for hiring an external agent is to verify internal integrity. Now what do I mean by internal integrity? Basically insider threats are dominating as the most critical security concern facing organizations, a trend that is projected to rise in 2019. It may be a disgruntled employee who creates a backdoor or Tammy from Sales who just forgot about not clicking on links inside random emails she received from the ITT (This is not a Typo…) Department requesting she change her password.
Insider threats take many forms, which is why it is necessary to have an unbiased third-party conduct Penetration tests. They can identify common and uncommon vulnerabilities that may exist within your infrastructure and bring them to light. This gives your organization not only an impartial extra set of eyes but also tests your current security/defense solutions, provides you with a detailed report that outlines each and every vulnerability that was discovered during the test, whether they were able to exploit those vulnerabilities or not, and if they were successful in accessing secure data. For these reasons, Penetration testing is a very valuable resource for all institutions that have the responsibility for storing private consumer or patient data and serious consideration should be made to use Pentesting on a regular basis to ensure the robustness of their security solutions in protecting such sensitive information.
The Mission of the Ethical Hacker
For most of us, the term “Hacker” has a negative connotation associated with it. The term conjures up images of black hoodie-wearing malcontents frantically typing code into a sticker-laden laptop in some abandoned warehouse at an undisclosed location. I’m not really sure where/when this idea was implanted into our collective psyche but I’m pretty sure TV, Movies, and popular Video Games are largely responsible for this misconception. If you look at the history of hacking and where we are today, you would actually be hard-pressed to find the stereotypical hackers previously mentioned.
Hacking is actually big business for cyber-criminals, as well as nation states that subvert our corporations, government, and intelligence agencies. Since we are now networking everything from the doorbell to the kitchen sink (IoT), it doesn’t appear that these trends will cease anytime soon, at least not in the foreseeable future. Enter, the Ethical Hacker/White Hat. These individuals have committed themselves to learning the mindset of the criminal hacker and use it to secure computer information systems rather than exploit them for nefarious reasons. It takes a lot of time, patience, and continued learning to become an effective and formidable White Hat. You may be wondering how one goes about developing the skills to become an Ethical Hacker. The answer is practice and commitment. There is currently no degree program offered, at least not one that I know about, that one could obtain to become an Ethical Hacker. The truth is that you have to like learning and more importantly, be able to teach yourself through trial and error.
In the world of IT and cybersecurity, there is no end to the number of things you will learn. I myself learn multiple new things every day. An Ethical Hacker must love to learn and be able to adapt to the constant changes regarding technology and programming. This is what makes a White Hat or team of White Hats so invaluable for securing networks. They know so much about so many different aspects of computer information systems and how to secure them. You really have to be a jack of all trades and even a master of some to be an effective Ethical Hacker.
So how do you go about finding one of these White Hats? Many have industry recognized certifications which provide you with the knowledge that they have had to undergo many grueling hours of practical and written verification of skills. Look for experienced individuals who work in the industry that have partners with government and large civilian corporations who are actively performing cyber-security at NIST compliance levels. If you’re reading this, you have found one such entity, wink, wink… Overall, you want to hire an Ethical Hacker that you can rely on to assist your organization in providing not only its customers with the best security possible but also provide your personnel with a secure computing environment to operate within and protect the company’s intellectual property from prying eyes. This is the goal and mission of every Ethical Hacker.
Watch Out – CyberSecurity is Becoming More Complex
It has been said that cybersecurity is a moving target, and IMHO this statement only gets more veracious with time. Each day we are presented with more vulnerabilities that have the potential to give would-be attackers a foothold on our computer networks, which compromises the integrity of information systems and could possibly lead to the exposure of sensitive data. This is not a fight we wanted or asked for but it is one in which we must engage seriously. We are constantly plugging holes and things are getting more secure despite what we may hear from the media on the subject.
As we move ahead, it is vital that all of us take a more proactive role in cybersecurity. Every company as well as government agency needs to incorporate some form of Penetration testing into their security requirements. The recommendations made earlier are not just opinions but professional advice gleaned from years of experience working in both Military and Civilian occupations where sensitive data handling is not only important, but critical to mission success. There may be some organizations that wish to handle these types of tests internally, and we say that’s great and applaud you for taking a proactive role in the defense of your infrastructure. Our only recommendation is that you separate duties and rotate responsibilities to give your organization some internal checks and balances. We recommend outside consulting for impartiality but we do realize that each institution faces different budgetary challenges and we would never want to discourage anyone from taking an ardent stance towards their own security because of prohibitive costs. We all have a responsibility to secure our computer systems without delay. There is no reason to wait to begin taking those first steps towards hardening our information systems and reducing the attack surface of our networks.