Maybe you’ve been told that your organization needs to conduct a Penetration Test. Maybe it’s your auditor that’s said it, maybe your IT folks are telling you that it’s needed, or maybe you are the IT director and you just don’t know what to ask for from a penetration testing provider. To use a completely worn-out phrase, if I had a nickel for every time someone came to us and said, “I need a penetration test, but I’m not sure what to ask for”, well…I’d have a lot of nickels. But what in the world are they talking about? Why would you want to do one? How do you know what you really need?
Fundamentally, the purpose of a Penetration Test is to find security weaknesses and then use those weaknesses to break into your IT systems so that the good guys find and close the security gaps before the bad guys do. In the simplest terms, penetration testers do their work in two phases:
- Phase 1: Find security weaknesses (“vulnerabilities” in cyber security vernacular).
- Phase 2: Attempt to use those weaknesses to break into your systems.
Easy, right? It should be, but many people confuse a Vulnerability Assessment with a penetration test. In a vulnerability assessment, we use automated scanning tools to do Phase 1 and then stop. The reason we stop is to allow your team to fix the vulnerabilities before they are used against you during a test.
So why conduct a penetration test if you can get away with doing a Vulnerability Assessment and fixing everything ahead of time? The answer is threefold:
- A Vulnerability Assessment only finds weaknesses in the technology — in a Penetration Test, we can do things like try to trick your employees into helping us circumvent your security and break into your systems;
- A Penetration Test validates whether the vulnerabilities found in the Vulnerability Assessment were fixed correctly; and finally
- A Penetration Test can determine whether your organization can detect when/if a hacker breaks into your systems and take action to stop them.
As you can see, while Vulnerability Assessments and Penetration Tests are related and complementary, they are not the same.
So now that we know what a Penetration Test is at a high level, let’s talk about the options you have as a buyer. Penetration test options fall into categories and types.
Fundamentally, there are three categories of penetration test: black box, grey box, and white box.
- Black Box: A black box test is the most realistic simulation of an attack from a threat actor (a fancy way of saying a “bad guy”) that is just beginning their journey of attacking your organization. With this type of test, we are simply provided the name of the organization and it is up to us to find out everything we can in order to develop specific targeting information (web presence, email addresses, social media accounts of key personnel, clientele, Internet connections, etc.) and then to use that information to launch our attacks.
This is usually the type of test that we recommend for clients that haven’t had a penetration test conducted previously, or for whom it’s been several years since their last test was conducted. The reason for this is that it’s a good way to see what’s out there on the “clear web” and the “dark web” (e.g., hacker marketplaces) that can be used to attack your business. The potential “blind spot” in this type of test is that we may not find every Internet connection or web site pointing to you, so our testing may miss some things.
- Grey Box: A grey box test is where we are provided with specific targeting information such as network addresses, WiFi network names, lists of email addresses, building floor plans, security system information, and other key pieces of information. This category of test is useful to simulate attacks from an adversary that has spent a lot of time gathering the type of information we would gather in a black box test, but presumes that they have found everything they need to know to launch attacks.
We usually recommend grey box exercises for a second test because they ensure comprehensive testing of all the targets within the scope of the test.
- White Box: White box tests are most useful when the organization needs deep and thorough testing to maximize the coverage and depth of the testing within the test timeline. This is also the least realistic category of test because we’re provided with lots of detailed information about the environment and sometimes we have the client make exceptions in some of their protective mechanisms in order to test other controls in the target system or network.
We usually recommend white box testing when the organization has a more rigorous security testing regime where they may conduct a combination of black and grey-box tests each year and want to do more in-depth testing throughout the year (say, on a quarterly basis).
Types of Tests
Within each category of test, there are several types of tests that we can conduct:
- Intelligence Gathering: An Intelligence Gathering test determines what types of data exist in publicly available sources (i.e., the “clear web”) and on the “dark web” that can be used by a threat actor to conduct attacks against your organization. It’s during this phase that the penetration tester uncovers possible weaknesses and entry points within the security of the organization, including the network, applications, website and wireless networks, physical facilities, cloud-based systems, employees, and more. This is automatically part of a black box test but is optional in a grey box test and is almost never used in a white box test.
- External Network: An external network penetration test is where we test the security of your Internet presence including firewalls, web sites, etc. The purpose of this test type is to assess the effectiveness of the defenses for your network perimeter.
- Internal Network: Internal network tests assess the defensive capabilities of the security controls inside of your network. They simulate an attack where the adversary has breached the perimeter of your network or gained physical access into your facility and plugged into your network.
- Wireless Network: Simulates an attacker working to breach your network through your WiFi while they’re sitting in the parking lot, an alleyway, on the street outside of your building, or inside another part of your building.
- Physical: This tests the security controls to protect sensitive areas of your building(s). This simulates an attacker trying to gather sensitive information from inside of your office and/or place a device on your network that then allows them to attack you from the inside, all from the comfort of their own home. With this type of test, we work to defeat your physical security controls through technical means, social engineering (described below), or a combination of both. We also use this type of test to conduct “dumpster diving”, a means of gathering information from sensitive data disposed of in an insecure manner (e.g., not shredded, just put into the normal trash).
- Social Engineering: Social engineering tests your “human firewall” to assess how much your own people present a point of entry for an attacker. Social engineering can consist of “stand-off attacks” such as phishing campaigns or direct contact such as pretexting (the “Microsoft Tech Support” scam, for example), or posing as an impostor (e.g., a “phone technician” or “IT guy” showing up on-site). For most clients, we recommend that we at least conduct a phishing campaign as part of black box and grey box tests, as it is frequently our most reliable way of breaking into your systems.
One last thing: if you’re thinking about having someone in your own organization conduct a Penetration Test to save money, I encourage you to rethink that. The reason is that someone on your staff will probably have prior knowledge of your security and this limits the value of the testing, particularly in black box and grey box tests. Internal white box tests are, however, a viable option and worth consideration if you have the skills on staff.
So now that you know more about Penetration Tests, don’t fear them. Embrace them to make sure that your data and systems are secure.