Maybe you’ve been told you that your organization needs to conduct a Penetration Test. Maybe it’s your auditor that’s said it, maybe your IT folks are telling you that it’s needed, or maybe you are the IT director and you just don’t know what to ask for from a penetration testing provider. To use a completely worn-out phrase, if I had a nickel for every time someone came to us and said, “I need a penetration test, but I’m not sure what to ask for”, well…I’d have a lot of nickels. But what in the world are they talking about? Why would you want to do one? How do you know what you really need?

Fundamentally, the purpose of a Penetration Test is to find security weaknesses and then use those weaknesses to break into your IT systems so that the good guys find and close the security gaps before the bad guys do. So in the simplest terms, penetration testers do their work in two phases:

• Phase 1: Find security weaknesses (“vulnerabilities” in cybersecurity vernacular).
• Phase 2: Attempt to use those weaknesses to break into your systems.

Easy, right? It should be, but many people confuse a Vulnerability Assessment with a penetration test. In a vulnerability assessment, we use automated scanning tools do Phase 1 and then stop. The reason we stop is to allow your team to fix the vulnerabilities before they are used against you during a test.

So why conduct a penetration test if you can get away with doing a Vulnerability Assessment and fixing everything ahead of time? The answer is threefold:

1. A Vulnerability Assessment only finds weaknesses in the technology — in a Penetration Test, we can test do things like try to trick your employees to into helping us circumvent your security and break into your systems;
2. A Penetration Test validates whether the vulnerabilities found in the Vulnerability Assessment were fixed correctly; and finally
3. A Penetration Test can determine whether your organization can detect when/if a hacker breaks into your systems and take action to stop them.

As you can see, while Vulnerability Assessments and Penetration Tests are related and complimentary, they are not the same.

So now that we know what a Penetration Test is at a high level, let’s talk about the options you have as a buyer. Penetration test options fall into categories and types.

Fundamentally, there are three categories of penetration test: black box, grey box, and white box.

• Black Box: A black box test is the most realistic simulation of an attack from a threat actor (a fancy way of saying a “bad guy”) that is just beginning their journey of attacking your organization. With this type of test, we are simply provided the name of the organization and it is up to us to find out everything we can in order to develop specific targeting information (web presence, email addresses, social media accounts of key personnel, clientele, Internet connections, etc.) and then to use that information to launch our attacks.

This is usually the type of test that we recommend for clients that haven’t had a penetration test conducted previously or it’s been several years since their last test was conducted. The reason for this is that it’s a good way to see what’s out there on the “clear web” and the “dark web” (e.g., hacker marketplaces) that can be used to attack your business. The potential “blind spot” in this type of test is that we may not find every Internet connection or web site thlongs to you so our testing may miss some things.

• Grey Box: A grey box test is where we are provided with specific targeting information such as network addresses , WiFi network names, lists of email addresses, building floor plans, security system information, and other key pieces of information. This category of test is useful to simulate attacks from an adversary that has spent a lot of time gathering the type of information we would gather in a black box test, but presumes that they have found everything they need to know to launch attacks.

We usually recommend grey box exercises for a second test because we’re ensuring comprehensive testing of all of the targets within the scope of the test.

• White Box: White box tests are most useful when the organization needs deep and thorough testing to maximize the coverage and depth of the testing within the test timeline. This is also the least realistic category of test because we’re provided with lots of detailed information about the environment and sometimes we have the client make exceptions in some of their protective mechanisms in order to test other controls in the target system or network.

We usually recommend white box testing when the organization has a more rigorous security testing regime where they may conduct a combination of black and grey-box tests each year and want to do more in-depth testing throughout the year (say, on a quarterly basis).

Types of Tests

Within each category of test, there are several types of tests that we can conduct:

• Intelligence Gathering: An Intelligence Gathering test determines what types of data exist in publicly available sources (i.e., the “clear web”), and the “dark web” that can be used by a threat actor to conduct attacks against your organization. It’s during this phase that the penetration tester uncovers possible weaknesses and entry points within the security of the organization, including the network, applications, website and wireless networks, physical facilities, cloud-based systems, employees, and more. This is automatically part of a black box test, but is optional in a grey box test and is almost never used in a white box test.

• External Network: An external network penetration test is where we test the security of your Internet presence including firewalls, web sites, etc. The purpose of this test type is to assess the effectiveness of the defenses for your network perimeter.

• Internal Network: Internal network tests test the defensive capabilities of the security controls inside of your network. It simulates an attack where the adversary has breached the perimeter of your network or gained physical access into your facility and plugged into your network.

• Wireless Network: Simulates an attacker working to breach your network through your WiFi while they’re sitting in the parking lot, an alleyway, on the street outside of your building, or inside another part of your building.

• Physical: This tests the security controls to protect sensitive areas of your building(s). This simulates an attacker trying to gather sensitive information from inside of your office and/or place a device on your network that then allows them to attack you from the inside, all from the comfort of their own home. With this type of test, we work to defeat your physical security controls through technical means, social engineering (described below), or a combination of both. We also use this type of test to conduct “dumpster diving”, a means of gathering information from sensitive data disposed of in an insecure manner (e.g., not shredded, just put into the normal trash).

• Social Engineering: Social engineering tests your “human firewall” to assess how much your own people present a point of entry for an attacker. Social engineering can consist of “stand-off attacks” such as phishing campaigns or direct contact such as pretexting (the “Microsoft Tech Support” scam, for example), or posing as an imposter (e.g., a “phone technician” or “IT guy” showing up on-site). For most clients, we recommend that we at least conduct a phishing campaign as part of black box and grey box tests as they’re frequently our most reliable of breaking into your systems.

One last thing: if you’re thinking about having someone in your own organization conduct a Penetration Test to save money, I encourage you to rethink that. The reason is that someone on your staff will probably have prior knowledge of your security and this limits the value of the testing, particularly in black box and grey box tests. Internal white box tests are, however, a viable option and worth consideration if you have the skills on staff.

So now that you know more about Penetration Tests, don’t be scared of them. Embrace them as a way to make sure that your data and systems are secure.

This is part 1 of a series that is going to teach small-mid-sized organizations how to navigate the complex world of cybersecurity, how to budget, plan for, and implement a cybersecurity program. This series will give you the tools to make the decisions needed that protects your reputation and your ability to do what you do best – whether it’s treat patients, help customers achieve their financial goals, run a state agency, county or city, educate children, or any other business. We will take you through the process of deciding whether you do it yourself or hire a service provider to handle it for you. We know this is daunting, but we’re here to help you navigate through the process using plain English. And do you want to know something? It can be done so that the cost is within the financial reach of most of those small-to-mid-sized organizations just like yours.

As the CEO of Assura, I am often asked why people are forced through laws, regulations, and directives to implement a cybersecurity program. The answer is simple. You really do not have to do cybersecurity. Nobody is holding a gun to your head to do anything. (Well, unless they really are holding a gun to your head right now. If so, you have bigger problems to focus on right now and should probably handle that instead of reading this blog.)

Now back to the topic. You’re probably shocked by that statement, especially coming from the CEO of a cybersecurity services firm. However, there is truth in that statement. You do not have to do anything. In fact, cybercriminals would prefer that you do nothing. I can hear what some of you are thinking right now, “Get real, Karen. The regulators are forcing us to do it or we can get hacked. We can’t delay it any longer.” That might be the case, but what I am trying to highlight here is that there is always a choice. What happens when people feel forced to do something? Do they step right up and get started or do they kick the can until the negative consequences of not doing something overpowers the benefit? The reality that I’ve seen time and again is that forcing someone to do something, they see no immediate benefit in doing, will only get them to comply with the bare minimum.I bring this point up because I have dealt with leaders from all walks of life. You name it: CEOs, government leaders, elected officials, and the list goes on and on. They are constantly faced with a long list of things they “have” to do and their auditors, IT executives, and other members of leadership are frustrated because they are advocating to get cybersecurity initiatives implemented because “the regulators are coming”.

The audit is coming! The audit is coming!

So, what’s the answer to resolve this tension between being told that you have to implement a formal cybersecurity capability and other, high priority business demands? Here are three that I believe can guide the way to the answer:

1. Acknowledge the past and present.

The news is strewn with headlines about this data breach or that. They happen so frequently that it’s almost to the point of just being background noise. In fact, there is a whole site dedicated to tracking the daily breach headlines.

Ten years ago, the bad guys were going after the big targets like large banks, but it’s a different ballgame and even the smallest companies are targets. These days, the bad guys don’t care about size because it’s all a numbers game to them. They cast their net wide and if you get caught in it, it doesn’t matter whether you’re Bank of America or a small doctor’s office with patient’s protected health information. Cybersecurity is now the cost of business in all modern companies because every company relies on computers connected to the Internet to facilitate key business functions – even if it’s nothing more than keeping the books.

Time for decision is now. Decide if you want to avoid what is playing out (rather publicly) for other organizations. I have a feeling that most of you will decide that it is not in your best interest to continue to kick the can on cybersecurity. (Otherwise, why would you be reading this post on a cybersecurity website?) If that’s the case, then proceed to the next step. That said, I know that some people may need to process some additional considerations.

For folks still on the fence, I ask this: what does the constant fear, stress, and worry about becoming a data breach victim or coming under increased regulatory pressure buy you? If your answer is “nothing” and if it isn’t bothering you, then I give you the permission to do nothing. In fact, you do not need to read the rest of this blog post. Thanks for visiting.

2. Think about the possibilities for the future.

For those of you still with me, I want you to think about a future. In fact, get a nice soft blanket and a warm cup of tea and think about what a world looks like with cybersecurity in your life.

• Do you want to push the “easy button” and just have someone handle cybersecurity for you and your organization?
• Do you want to appoint or hire someone to be guru of cybersecurity for your organization but don’t know where to begin or whom to select?
• Could a hybrid solution where you make decisions about your cybersecurity, but do not necessarily do all the heavy lifting work for you?

Each of these approaches have their own merit from cost, strategic, and operational standpoints. I’ll be discussing those in a future post in this series. However, if you have an immediate need to answer those questions, feel free to contact me through our Contact Us page and I’d be happy to talk to you about those personally. And don’t worry, it won’t be a sales pitch and I won’t even send you a bill.

So think about a future where your operations aren’t disrupted by some faceless attacker across the world, where you maintain customer/constituent trust, and where you aren’t constantly playing catch-up to satisfy regulators and auditors.

Not an effective cybersecurity audit remediation strategy.

3. Develop a Plan of Action.

No matter what decision you make, whether you use a company like Assura or decide to develop your cybersecurity capabilities in house; the very first thing you must do is to create a Plan of Action. In the immortal words of Yogi Berra, “When you see a fork in the road, take it.”

The biggest mistake we see people make with cybersecurity is that they jump in without a plan and just start addressing “the low hanging fruit.” I like to call it Cyber-Whack-A-Mole. While some of that work can be done immediately, you need to follow a structured process that empowers key decisions to be made by leadership. Once you’ve made the commitment to build a cybersecurity capability, taking time to define the process, tasks, and resources needed to achieve your goals is the single most important thing you can do to guarantee the success of your effort.

Whether you decide to become a cybersecurity conscious organization or continue to kick the can down the road, just keep in mind that it is a choice you are making. Not doing anything is just as much of a choice as doing something. You are in the driver’s seat and you are making the decision. Just understand the potential risks and go in with your eyes open.

The Surface Web is only 10% of the total size of the Internet. All sites on the surface web are indexed by search engines and are easily accessible. Examples of the surface web are Facebook, Twitter, YouTube, etc. The Deep Web and Dark Web contain the other 90% of the Internet.

The Deep Web includes: Non-public databases, password protected sites, torrent sites, private discussion forums.

The Dark Web includes: Black Markets, Botnets, Terrorists, Hoaxers, Hackers, Fraudsters, Phishing, Hitmen, Pornography (mostly illegal), and more…

“Bad guys” use the Dark Web to sell goods and services to make money. Here is a sample of how much they make:

• Fake Facebook account with 15 friends: $1.00
• Your Medical Records: $50+
• Your Credit Card details: $0.25-$60
• Your Banking Details: $1,000+

So how does one get to the Dark Web? The answer by using  a special web browser freely available for download called “Tor”. However, instead of using a web address that ends in .com, .org, .net, etc. you  use an address that looks like this:

http://3g2ipfel2j43nkr3m.onion

The number and letter combination is a randomly generated hostname or hidden service. The “.onion” is a domain suffix that is only reachable via Tor (an acronym for “The Onion Router” — hence, the “.onion” domain suffix). The purpose of Tor is to anonymize the communications of the people who access web sites in the .onion Internet domain. The Tor Project, Inc. is a not-for-profit organization dedicated to developing and propagating the Tor technology. So what is the purpose of Tor?

Tor, like many things in life, is a double-edged sword. True, it’s used by “scum and villainy” to sell illegal narcotics, child pornography, and contract killing. However, it’s also used by political dissidents in repressive regimes such as Iran, Cuba, China, and Russia to organize protests and agitate for change in those regimes. It’s also used by ordinary people who simply want to try to remain anonymous online without having every aspect of their surfing habits sold by large Internet conglomerates. The latter is the true intent of Tor. From The Tor Project web site:

Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

The good news is that law enforcement and the US intelligence community has had some success in peeling back the anonymity of the Tor onion and caught several purveyors of downright awful stuff. And sometimes they just get plain lucky. That’s also the bad news because those that use Tor for benign web surfing or to agitate for political freedom also risk their identities being compromised.

With respect to cybersecurity more directly, Dark Web marketplaces exist to sell the treasure trove of information that hackers siphon out of companies such as Social Security Numbers, credit card information, identities, and compromised user IDs and password pairs. There are also marketplaces that sell hacking toolkits, hacking services for hire, and undisclosed software vulnerabilities called “zero day vulnerabilities”. Why are they called “zero day vulnerabilities”? Well, because the world has literally zero days to secure their systems before the vulnerability is disclosed and being used actively to attack…well…whatever targets help them advance the attacker’s geopolitical and/or financial goals.

Companies such as Risk Based Security and IntSights are giving the rest of us a fighting chance at protecting ourselves through their monitoring of the Deep Web and Dark Web for threats and vulnerabilities that we would otherwise not know about until it’s too late.

In the meantime, best to stay away from dark web marketplaces and stick to regular web sites (your kids too).

One last thing about Tor. It’s slow. Really, really slow, even on a fast Internet connection. Without getting into the technical details, the way it’s designed makes it inherently slow. So it’s really bad for general purpose web surfing. So again, unless you’re super committed to your anonymity online, there are other ways to protect your privacy online such as VPNs and privacy-focused web browsers that will provide a much more pleasant experience. But we can get into those in another post.