The IT world is full of phrases that could come off as odd or confusing to those who aren’t full-time in the industry. It’s not uncommon at all – there are definitely some really odd phrases farmers or shoemakers or chefs all use that might make us scratch a hole in our heads. But when it comes to today’s topic, penetration testing is a wildly straightforward concept, at least as far as naming conventions go.
If you’ve never heard the phrase before, just stop right here and take a stab at it.
As you probably guessed, or maybe already knew, a penetration test is an approved, inert ‘attack’ on your network to evaluate its security. And it’s a pretty common test, even if you are new to the concept. A recent report found 93% of companies were able to be breached successfully, and at one-sixth of those companies there were traces of previous attacks.
71% of companies could be breached by an unskilled hacker, meaning any bored teenager could access all of your incredibly important – and incredibly private – work data.
Look, we know it sounds funny. But penetration testing is incredibly important for your organization to perform. So let’s look deeper at just what penetration testing is, how it works, and what to do if you fail.
What Is Penetration Testing?
As we mentioned before, penetration testing, which some call a pen test, is an approved, pre-planned attack on your system to determine its weaknesses. For years, organizations have hired ethical hackers that would break into their systems, essentially playing the “Keep Your Friends Close & Enemies Closer” card for all to see. This is a more elegant approach to the same concept.
These tests, then, are searching for things like insecure setups and configurations across the network, including various hosts and devices. Additionally, pen tests can detect flaws in encryption and authentications, code and command injections, session management issues, and more.
So how does all of this happen? Pen tests can be slotted into five main steps:
Goals are established and the necessary information (domain names, mail servers, etc.) is obtained to stage an attack.
Using static (an estimate of the behavior of the code) & dynamic (an inspection of the code in use) analysis methods, the “attackers” understand how the target application will respond to various attempts.
Taking control of your network utilizing web application attacks like cross-site scripting, SQL injection, and backdoors, the “attacker” can uncover vulnerabilities. The “attacker” tries to exploit these vulnerabilities by escalating privileges, stealing data, intercepting traffic, or however else they can cause damage to the system.
After they gain access, their goal is to see how long they can stay. Essentially the goal is to prove they could – if they were “real hackers” – gain in-depth access. The idea here is to imitate advanced threats, which often remain dormant and hidden in a system for months.
As usual, the most critical stage of any test is your final review. Depending on if – and more likely how – they were able to access your network, your “attacker” will provide information like the specific vulnerabilities that were found, sensitive data that could be touched, and the length of time the “attacker” went unnoticed.
There are a few ways to perform this testing, but quite frankly they can get pretty… techy? Yeah, way too techy. But regardless, your unique situation will provide ample opportunity for your staged attackers to walk through what kind of tests will be best for your situation.
Penetration Testing vs. Vulnerability Testing
So we know what a pen test is, but how is it different from a vulnerability test?
First and foremost, penetration testing provides plenty of great data points about externally accessible vulnerabilities. But… it doesn’t cover how the attackers get into your system, just what happens once they’re in. That’s where vulnerability tests come into the game.
Sometimes called vulnerability scans, these tests start in reverse of pen tests. Rather than being provided access to see what they can see, vulnerability tests are given information to attempt to find, and their goal is to see if that data can be compromised along with your network.
Pen tests find vulnerabilities, and vulnerability tests try to find ways to penetrate your system. Y’know that phrase “two sides of the same coin”? It’s that.
A large part of vulnerability testing is checking to see how IT teams did while building out a company’s infrastructure and setting up its internal security. Vulnerability testing, to us at least, seems more like homework than hacking.
Scanning for vulnerabilities regularly is useful, don’t get that part twisted, friend. Your organization can easily take care of this kind of scan by keeping up with your patch management schedule – but don’t stop there. Many businesses only seek to meet the minimum requirements and will simply stop once those boxes are checked, which often isn't enough.
Research has found more frequent vulnerability scans help reduce the average number of vulnerabilities on a network by two-thirds and decrease the time to fix vulnerabilities by more than 30%.
What Happens if You Fail a Penetration Test?
*Cue Vecna’s clock*
Okay, it’s not Vecna-is-coming-for-you bad if you fail a vulnerability test – a lot of people fail them, that’s why they exist. But… It's also not good news. The actual good news (we always have good news) is you’ve got a roadmap in front of you detailing exactly what needs to be remedied to keep yourselves safe moving forward.
- Read the Report - Once you have, in-hand, a detailed list of what went wrong, it’s effectively a detailed roadmap for the immediate future of your security needs. A good report should give information about the attack processes that the team followed, what worked, and what didn’t.
- Assign the Resources - Designate the necessary time and money that the report suggests needs the help. i.e. If the vulnerability identified relates to a web application your web developer should be assigned to tackle the task. Tackling critical areas quickly – with the right energy and resources – can save you in the long run.
- Investigate the Findings - Here is where things get techy again. Basically, you’ll want to review everything with the internal or external IT professionals who are assisting with this test. No matter who it is, they’ll be able to decipher the lingo and make an action plan.
- Finalize the Plan - Speaking of an action plan, here is where techy stuff gets specific. No two businesses are the same, even in the same building with identical client bases. Every scenario is different, and your plan will need extensive review to ensure every t is crossed.
- Re-Run the Test - You’ve fixed all the major flaws – or did you? Just like wiggling the door handle before you leave for vacation, assuming you’ve “locked the door” to potential intruders isn’t enough. Retest at least once more to ensure your changes have taken root.
The reality of penetration testing is that, honestly, you’ll probably fail. With 93% of companies being breached successfully, there’s really little wiggle room to say you can’t be targeted. Penetration testing is nerve-wracking but provides incredibly important information that prevents a teenager on their lunch hour from stealing your entire company’s login information.
To learn more about penetration testing – and what we can do about it for you – give us a call at (864) 552-1291 and we'll help you evaluate capabilities and options. Also, sign up for PTG Tech Talk for bi-monthly tech news and consider following us on LinkedIn, Facebook, and Twitter!