Truths of Penetration Testing - What you need to know when considering a penetration test

When considering a penetration test for your business, there are some essential truths you must accept before going forward.

  • The testing is limited by nature.
  • Things change.
  • Humans, not systems, are the weakest link.

Let’s examine these points in detail.

The testing is limited by nature

Here at 0meta Security, the goal is a thorough penetration test that gives you the best picture of your risks and your effective security posture. We are limited only by the timetables of the parties involved and the budgets available.

The practical limitations of a penetration test aren’t just time and expense though. Penetration tests, by their nature, involve risks to networks and resources because the methods, code and tools we use take advantage of programming or process errors. This means a flawless exploitation of a server, for example, might still result in a crash of an application, the operating system, and/or loss of data. This risk is real, and unavoidable.

The result is that our customers typically limit the systems we are allowed to interact with. This is the ‘scope’ of the test. While this risk-averse behavior is completely understandable, you must accept that the results of the testing will be incomplete.

For sure, your adversary won’t care about your patient record database crashing, or the potential legal ramifications. They won’t care about server downtime, or network outages. They only care about their goals for your business. Sometimes, disruption is the goal!

All is not lost, however. While we still prefer actual exploitation to prove a vulnerability exists, simply considering, in the abstract, various attacks on your most critical infrastructure is a worthwhile activity. However, we must assert strongly: this is not as effective as real testing! Planning deals in “what-ifs;” testing proves risk exists. With proof, action can be taken.

Things change

A penetration test is a snapshot of your security posture. Immediately following the end of the engagement, your IT staff and stakeholders will undertake the process of remediating the issues and risks identified by 0meta Security. Whether that means patching systems, educating employees, purchasing network equipment, or deploying new services, your overall posture will improve.

To maintain this better posture, all of the moving parts of your business will need supporting policies that make security a first-class citizen in your planning, budget, training and operations. As information security pros, we can’t emphasize this enough!

This means keeping up. Keeping up with ongoing patches. Keeping up with telemetry from your network security devices. Keeping up with new application releases. Keeping up with newly announced vulnerabilities. Going to security conferences in your local area or perhaps nationally to hear the latest in threats and tactics.

Without this, your posture will degrade. Your posture represents the “bar” of effort that a motivated attacker must cross to breach your network.

Humans, not systems, are the weakest link

All the tools, equipment, and policy in the world don’t matter if an attacker can trick the right person into overriding the right safeguard. Sometimes, in the rush of missed deadlines, rocky product launches, staff changes and good intentions, frustration with the processes that keep your business safer can make you just want to yell “Get out of my way, I’m trying to work!”

Consider this scenario. You’re an IT helpdesk employee who just received an email from an executive like this:

“Hey, I forgot my new password to the VPN server. I should have had this report uploaded an hour ago! Can you just reset it for me to XYZ?”

The email is coming from the correct looking address, and you know they’re out of town at a convention. So, you do as they ask, and change their password.

They email back.

“Thanks, I got in!”

All done, right?

Of course, it isn’t like that at all. That email was spoofed to look like it came from your executive. They really are out of town, and the attacker knows because they saw the keynote on the internet. They guessed a likely username from your executive’s email address. And they know your VPN software suite from careful scanning of your network’s border.

Is your email server safe? Of course it is: your server OS is up to date, and so is the email software. But spoofing an email doesn’t require anything more than a modest tool.

Is your VPN software up to date? Of course it is; you update it on a schedule, keeping downtime and disruption to a minimum. You were patched against that huge encryption vulnerability last year within hours of its publication.

But none of it mattered because a human tricked another human into bypassing the security.

This style of attack, called a “social engineering attack,” is one of the hardest problems to solve in information security. Some of the highest-profile hacks in history were catalyzed by a human element without which the technical attack wouldn’t have succeeded. The human aspect of security is an ongoing endeavor for everyone with a stake in the war against criminals and malicious actors. Because of this, maintaining education and vigilance in your employees and systems is the only way to maintain your security posture.

0meta Staff