pentest 101

Penetration testing. Ethical hacking. Call it what you will, but businesses are quickly learning that their security is only as good as their test measures.
No, not that kind of pen testing. Network penetration testing. Ethical hacking. Getting paid to break into other people’s networks, not by some nefarious organization or draconian government agency, but by the businesses themselves. It isn’t an especially new phenomenon, but the mainstream use of pen testing to document network vulnerabilities is fairly new, driven by high-profile hacks and the increasingly mission-critical nature of our networks and the data we store on them.
I recently moderated a webcast with Kevin Beaver, author of Hacking For Dummies. We had a great conversation about the tools and approaches organizations can take to gauge their own security, but as he wrote in his book, “Until you can think like a bad guy and recognize the vulnerabilities in your systems, you can't build an effective plan to keep your information secure.” We’ve all heard the stories of hackers (the bad kind) being hired by intelligence organizations or large enterprises with unique security needs (or corporate espionage machinations). Now, though, we’ve entered a period where anyone with computing and networking expertise can get certified in ethical hacking (here’s a link, for example, to a certificate program at Edmonds Community College; not an endorsement, by the way, just one of many examples of how mainstream this has become). While some organizations keep pen testers on staff (Fortinet, for instance, employs a certified ethical hacker), many more contract with legitimate hackers to evaluate the security of their networks and systems. Bryan Watson (said Fortinet certified ethical hacker) wrote a great piece on one of his adventures attempting to penetrate a client’s network, called “The Secret Life of a Pen Tester”. The post is a fun read, but it makes the serious point that it’s clearly smarter to hire someone to safely find the vulnerabilities in your network than to let a “real” hacker find them and exploit them. The former is a best practice; the latter is how to make headlines.
Pen testing can take a variety of forms, much like the very real threats we face every day from less-than-ethical hackers. Mobile devices, for example, are an emerging and often poorly understood threat. As Fortinet security strategist Aamir Lakhani put it, “When done right, BYOD is great. When done wrong, it can stand for Bring Your Own Disaster.” Aamir described two successful tests in which a company contracted with his team to attempt to penetrate its network. In the first, he attached an iPhone to an extended battery and installed specialized software to enable remote control and network penetration. He addressed the phone to a fake name at the company, where it sat unclaimed in the mailroom. Once the phone was inside, he not only used it to expose vulnerabilities in the network but was actually able to move laterally, continuing to access network resources even after the phone and its extended battery died. Even better than this cloak-and-dagger-style successful pen test? “I didn’t expect to get the phone back; I just bought it on Craigslist,” Aamir recalled. “But the company sent it back unopened, returned to sender, since I used a fake employee name on the box.” Taking the device experiment a bit further, he also sent a modified iPad to an executive in the company by courier, with a note congratulating him on his team’s great work that quarter. As the exec eagerly began setting up his new iPad, special software on the device captured usernames and passwords that Aamir’s team was able to retrieve. Fortunately, these were both part of a contracted penetration test and none of the data made it into the wrong hands. But if a contracted pen tester can do it, so can a malicious hacker.
Bryan Watson’s brother, on the other hand, has a monthly contract with a pen tester to evaluate PCI compliance. As the sole IT provider for a California oil company, he finds that external penetration testing provides an even more valuable service than just checking off regulatory boxes. It’s a way to check for the minor oversights and mistakes that we all make and that hackers are all too happy to exploit, quickly exposing everything from intellectual property to credit card numbers. And therein lies the real value of pen testing. We can buy the very best security hardware, protect our networks with multi-factor authentication, install video surveillance and roll out physical security measures to rival the NSA. But all it takes is one chink in the armor we use to secure our environments to invite a breach. When it comes down to it, security still relies on people, and people make mistakes. End users still install rogue, unsecured routers (“Gee, Mr. CIO, I just wanted a stronger signal at the end of the hallway!”). Admins forget to apply updates. Options get improperly configured. Stuff happens.
The best protection against all of that “stuff” is, ironically, another human or two who will apply all of the same tools and techniques as the bad guys to find vulnerabilities, document them carefully, and help organizations develop and prioritize remediation plans.