The webinar is moderated by Michelle from Insight Assurance and features Dr. Marwan Omar, Chief AI Officer and Lead Penetration Tester at Insight Assurance, and Dan Lee, CEO and CISO at RedCub IT.
The session covers several key topics:
- What is penetration testing and why it is critical.
- Compliance regulations and pentesting frequency.
- How organizations can maximize pentesting results.
- Choosing the right pentesting provider, including internal versus external options.
- Key takeaways and a Q&A section.
What is Penetration Testing? Penetration testing is the process of trying to break into networks and systems to find vulnerabilities, security flaws, bugs, or backdoors. The main objective is to find and remediate these issues before attackers exploit them. Attackers work around the clock, so organizations have to be proactive about protecting their networks. That requires thinking like an attacker and understanding the tools, techniques, and tactics attackers actually use.
Penetration testing is described as a simulated attack. It aims to reproduce a real-world attack closely enough to understand the potential damage and data exfiltration that could occur if someone breaks in, whether through a vulnerable database or web application, an operating system flaw, or a phishing campaign. Unlike a simple vulnerability scan, a penetration test shows whether a weakness is actually exploitable. Testing defenses such as firewalls, intrusion detection systems (IDS), and antivirus means looking for gaps in them and attempting to exploit those gaps to see whether unauthorized access can be gained.
Penetration Testing vs. Vulnerability Scanning A simulated attack is not just a scan. Vulnerability scans and penetration tests are different activities. A scanner enumerates what is exposed (open ports, service banners and versions, common misconfigurations) and matches it against a database of known issues; it does not confirm that any of those issues can be exploited in this environment. Scanning is one input to a penetration test, but a full penetration test is a methodical, multi-step process, and vulnerability scanning is only one of those steps.
Beyond Software Security Penetration testing can go beyond applications, operating systems, APIs, and web applications. It can also include physical security testing and social engineering. Humans are often the weakest link in cybersecurity. Examples shared in the session include walking around a locked fence, posing as a repair technician to gain access to a police station server room, and finding unlocked server rooms or reachable door control systems during physical assessments. These examples show how attackers exploit physical weaknesses and human helpfulness to reach sensitive areas. Physical security has to be tested because locks and keys, or even a compliance attestation, do not guarantee security. It is crucial to test both the "front door and the back door", in the physical world and in the network.
Compliance vs. Security Many companies believe that compliance equals security, but it does not. Compliance frameworks such as SOC 2, PCI DSS, and ISO 27001 have made penetration testing a requirement, but meeting those requirements does not mean an environment is secure. Certain vulnerabilities can only be detected by attempting to exploit them, which is exactly what a penetration testing methodology does. Having security controls like antivirus, IDS, or firewalls in place is good and checks the compliance box, but a penetration test is the way to find out whether those mechanisms can be bypassed or evaded. Regulatory requirements are lagging indicators of what needs to be done, because attackers keep developing new tools and techniques faster than standards are updated. Passing an audit means you have passed an audit; it does not mean you are secure.
The Penetration Testing Process A full-blown penetration test follows a methodical process:
- Intel Gathering/Information Gathering: This is the first and most important step, often taking 70% to 80% of the engagement's time. The tester studies the target environment: operating systems, infrastructure (on-premises or cloud), applications, and APIs. Open-source intelligence (OSINT) is used heavily in this phase to gather information from the outside, mirroring real attackers, who spend most of their time planning before they act.
- Vulnerability Scanning: After gathering intel, the tester matches the identified systems, services, and versions against known vulnerabilities and misconfigurations that apply to them.
- Exploitation: Finding or writing exploits (pieces of code or manual techniques) that take advantage of a specific vulnerability. Not every vulnerability is exploitable in a given environment; gaining unauthorized access through exploitation is what confirms a system is truly vulnerable.
- Post-Exploitation: What happens after access is gained. An attacker might establish long-term persistence, stay dormant, gather more information, move to other systems, exfiltrate data, delete applications, or tamper with software.
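The distinction the session draws between a scan finding and a confirmed exploitable weakness (in the scanning vs. pentesting discussion above and in the Vulnerability Scanning and Exploitation steps) is easiest to see in code. The following is an added example written for this summary, not material from the webinar or from either speaker's company: a toy wordlist scanner that reports every path that answers anything other than 404, followed by a validation step that does what a tester would do by hand and checks whether the content is actually readable without credentials. The target is a throwaway local HTTP server with two constructed endpoints, `/admin/` (protected) and `/backup/` (exposed); the paths, the wordlist, and the "customers-2024.sql.gz" listing are all assumptions made for the demonstration.

```python
"""Scan finding vs. confirmed exploitability (added example, not from the webinar).

A path/banner scanner reports anything that responds; the validation step
replays the unauthenticated request and checks whether sensitive content is
really returned.  The "target" is a local HTTP server with constructed
endpoints so the script runs offline.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class TargetHandler(BaseHTTPRequestHandler):
    """Constructed target: /admin/ requires auth, /backup/ does not."""

    def do_GET(self):
        if self.path.startswith("/admin/"):
            if self.headers.get("Authorization") is None:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="admin"')
                self.end_headers()
                return
            body = b"admin console"
        elif self.path.startswith("/backup/"):
            # Hypothetical exposed directory listing (constructed data).
            body = b"Index of /backup/\ncustomers-2024.sql.gz\n"
        else:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep demo output quiet
        pass


def start_target():
    """Start the constructed target on an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def fetch(url):
    """GET a URL with no credentials; return (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, b""


# Paths a wordlist-driven scanner might probe (assumed for this example).
WORDLIST = ["/admin/", "/backup/", "/.git/", "/phpinfo.php"]


def scan(base_url):
    """Scanner logic: any non-404 response becomes a finding.

    This is where false positives come from: a 401 proves the path exists,
    not that an attacker can read what is behind it.
    """
    findings = []
    for path in WORDLIST:
        status, _ = fetch(base_url + path)
        if status != 404:
            findings.append({"path": path, "status": status,
                             "title": f"Sensitive path discovered: {path}"})
    return findings


def validate(base_url, findings):
    """Exploitation-style check: does an unauthenticated request return content?"""
    for f in findings:
        status, body = fetch(base_url + f["path"])
        f["exploitable"] = status == 200 and len(body) > 0
        f["evidence"] = (body[:40].decode(errors="replace")
                         if f["exploitable"] else f"HTTP {status}")
    return findings


if __name__ == "__main__":
    server, base = start_target()
    try:
        for f in validate(base, scan(base)):
            verdict = "CONFIRMED" if f["exploitable"] else "not exploitable"
            print(f"{f['title']}: {verdict} ({f['evidence']})")
    finally:
        server.shutdown()
```

Run as a script, the scanner reports both `/admin/` and `/backup/` as "sensitive path discovered"; validation keeps only `/backup/` as confirmed and records the HTTP 401 as the reason `/admin/` is not exploitable without credentials. In a real engagement the validation step is the human-driven part: the scanner cannot tell the two cases apart, and the report should carry the evidence line, not just the finding title.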
Scoping and Prioritization Defining the scope is crucial before a penetration test starts. That means agreeing exactly what the client wants tested and what is out of scope, which matters most when clients are unsure of their needs or have limited budgets. The recommendation is to prioritize testing around what is most valuable to the company, such as customer data, client lists, or proprietary information (the "crown jewels"). A data-centric view helps categorize assets and focus testing where the risk is highest. With a limited budget, one approach is to start with the highest-risk environments and then work through high, medium, and lower risks over a multi-year plan.
Types of Testing Methodologies Within penetration testing, there are different types of testing based on the level of information provided by the client:
- White Box: The client provides knowledge of and access to the environment (e.g., dummy user accounts, details of the architecture). This simulates an insider threat or an attacker who has already gained initial access.
- Black Box: Simulates a real-world external attack with zero prior knowledge and no credentials provided. The tester relies heavily on OSINT in this scenario.
- Gray Box: A combination of the two, testing externally without credentials and internally with provided credentials. This methodology is recommended for getting the best picture of overall security posture, since it covers both external and internal threat vectors.
Red teaming is also mentioned as going further than a penetration test: it looks at the whole environment from an attacker's perspective to uncover what the organization does not see or know about, including supply chain risks.
Choosing a Penetration Testing Provider Look for a mature team with the right credentials, certifications, and years of experience, and ideally people who have built the kinds of systems they are attacking. Checking for credentials such as Certified Ethical Hacker (CEH) or SANS/GIAC certifications is recommended, preferably from neutral certification bodies. A company's track record and its willingness to walk through its testing methodology (e.g., using a mind map) are important factors. The quality of the penetration test report is also critical, since auditors or customers may reject a report that lacks key items.
Human Skills vs. Automated Tools Automated tools such as Nmap, Metasploit, or Burp Suite (often run from a Kali Linux distribution) are part of every engagement, but the human element is what matters. A 12-year-old can learn to push the buttons on these tools; the value comes from analyzing the output with critical, analytical, creative, and outside-of-the-box thinking. Automated tools produce plenty of irrelevant output and false positives, so a human has to correlate findings, validate which vulnerabilities are real, and interpret the results meaningfully. Human creativity is also what allows real attackers to breach environments.
Acting on Findings A penetration test is only valuable if the vulnerabilities it finds are fixed. Remediation, followed by retesting to confirm the fix, is what actually improves security. When an organization is unsure how to act on findings, it should engage its internal IT/security teams or external consultants to review the report, assess whether each finding applies, push back where warranted, or fix the problems. Leaving systems unpatched and findings unremediated months after a test leaves the organization exposed to exactly what the test demonstrated.
Continuous Testing Most compliance standards require penetration testing at least annually; PCI DSS, for example, also requires testing after any significant infrastructure or application change. Given how quickly threats evolve, the speakers recommend testing more often than the minimum: at least twice a year or quarterly, with a continuous testing program as the goal.
In summary, penetration testing is a critical proactive measure that simulates real-world attacks to find and exploit vulnerabilities across various attack surfaces, including technical systems, physical environments, and human factors. It goes beyond compliance requirements and vulnerability scanning by actively testing defenses and confirming exploitability. Effective penetration testing requires a methodical process, careful scoping based on risk and data value, skilled human testers with critical thinking abilities, and a commitment to remediating findings.