Introduction

Penetration testers use a variety of tools to analyze the security of IT systems, often using the same methods that a perpetrator would deploy when attempting an attack. The knowledge gained provides assurance to organizations that their products and services have been configured with good security practices in mind and are not susceptible to common or publicly known vulnerabilities.

In today's digital world, many establishments are finding it increasingly difficult to protect the confidential data of their users. In response, the penetration testing industry is growing fast and is expected to reach a market size of over $3 billion by 2027. The escalating occurrence of high-profile cyberattacks has caused significant financial losses and damage to the victims. With tighter regulations and mandated controls being introduced, the industry is expected to remain an important part of organizational structure for the foreseeable future.


Role & Purpose of Penetration Testing

Penetration testing can be considered a legally authorized attempt to find and exploit weaknesses in computer systems and networks, with the purpose of improving security and mitigating imminent threats. The routine involves probing for vulnerabilities and providing evidence of the potential damage and risks associated with what is found. Upon completion of the testing, specific recommendations should be provided to address and fix any issues that have been discovered.

It is said that the best way to stop a criminal is to think like a criminal. Installing an alarm and adding a wall is simply not enough to prevent determined groups or individuals from gaining access. To effectively stop such threats, you must predict the moves that an attacker would make. One of the best ways to do this is by hiring trusted third-party security firms to penetrate the desired systems and provide a full assessment. By simulating a live attack, organizations can witness the possible outcomes of a malicious entity gaining entry or causing damage to their assets. With threats constantly evolving, security should be viewed as a journey. New ways to exploit vulnerabilities are devised each day, so even the most rigorous testing routine can only offer a snapshot of a system's security. Penetration testing is a healthy component of risk assessment and best practice; it should not be used as the primary method for determining security protocols.

Before a pen test can begin, testers and their clients should agree on the overall scope and desired goal. They will need to decide on the types of tests, which members of the client's team will be aware of the scenario, how much information the testers will be given and what level of access they will start with. There are black box, white box and gray box tests. A black box test simulates an external attack: it demonstrates how an outsider would breach defenses and usually requires automation, brute force and excellent knowledge of network topology. White box testing, sometimes referred to as clear box, gives access to the internal architecture from the beginning. It looks at what harm can be done from inside the system; the agents have a deeper understanding of the data flow and may be provided with source code or admin accounts. Gray box is thought of as the middle ground: the security team replicates an external threat, but may already have partial knowledge of the system or access to basic user privileges from the start.

The first step in any test is the reconnaissance phase, in which the ethical hacker spends their time gathering the crucial data and information that will be used during the simulated attack. This data could be scraped from online platforms such as social media pages, or it could come from the responses to a phishing campaign and other predatory activity. Things like names, job titles, email addresses, key dates and location information all hold a great amount of value. Account details and password-cracking dictionaries can be pieced together using traces of personal details found online. The more information that is collected, the greater the chance of success during the later stages.

Once a sufficient amount of data has been gathered, the attacker can begin the second stage: scanning the system in an attempt to discover any flaws. IP addresses collected in phase one can be used to conduct port scanning, which provides a list of open ports and the potential services that can be targeted. Vital details about the system firewall and software versions should be captured, then vulnerability scanning is used to locate and identify specific weaknesses. It is important that the target's response to each step of the process is recorded in detail, as this information may help at another time. Various inputs, random strings and general probing may be used to check for errors or unintended behavior from the system (Saindane, no date). Pen testers must keep themselves up to date with the most recent exploits; although there are many automated mechanisms to scan for and detect flaws, they should not be relied upon alone. More often than not, manual testing does very well at identifying unknown vulnerabilities.
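The scanning phase is also visible from the other side of the firewall. As an added example (not part of the original essay), the script below shows what a defender's detection logic for this phase can look like: it parses constructed firewall log lines and flags any source that touches many distinct destination ports on one host within a short time window, which is the footprint a port sweep leaves behind. The log format, the addresses and the threshold are assumptions chosen for the illustration, not a real vendor's format.

```python
"""Flag port-sweep activity in firewall logs (added example, constructed data).

Log format assumed here (simplified, not a real vendor format):
    <ISO timestamp> <ACTION> src=<ip> dst=<ip> dport=<port> proto=tcp
Both ALLOW (open port) and DENY (closed/filtered port) lines are counted,
because a sweep of a host produces a mixture of the two.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def detect_port_sweeps(lines, window=timedelta(seconds=60), threshold=10):
    """Return {(src, dst): sorted list of all ports touched} for every (src, dst)
    pair that hits at least `threshold` distinct destination ports inside any
    `window`-long interval. A sliding window over time-sorted events is used so
    that a slow probe spread over a long period is not flagged by accident."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the detector
        events[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))

    findings = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct_ports = {port for _, port in evs[start:end + 1]}
            if len(distinct_ports) >= threshold:
                findings[key] = sorted({port for _, port in evs})
                break
    return findings


# ---- Constructed sample log (not captured from any real system) ----
_BASE = datetime(2024, 5, 1, 10, 0, 0)


def _line(ts, action, src, dst, dport):
    return f"{ts.isoformat()} {action} src={src} dst={dst} dport={dport} proto=tcp"


SAMPLE_LINES = (
    # Fast sweep: 12 distinct ports in about 22 seconds -> should be flagged.
    [_line(_BASE + timedelta(seconds=2 * i), "DENY", "203.0.113.5", "192.0.2.10", 20 + i)
     for i in range(12)]
    # Ordinary client: repeated connections to a single port -> not a sweep.
    + [_line(_BASE + timedelta(seconds=5 * i), "ALLOW", "198.51.100.7", "192.0.2.10", 443)
       for i in range(6)]
    # Slow probe: 12 distinct ports, one every 90 seconds -> never 10 in a 60 s window.
    + [_line(_BASE + timedelta(seconds=90 * i), "DENY", "203.0.113.9", "192.0.2.10", 1000 + i)
       for i in range(12)]
)

if __name__ == "__main__":
    for (src, dst), ports in detect_port_sweeps(SAMPLE_LINES).items():
        print(f"possible port sweep: {src} -> {dst}, ports {ports[0]}..{ports[-1]} ({len(ports)} distinct)")
```

The slow probe in the sample data is deliberately left unflagged: a fixed 60-second window only catches fast sweeps, and the essay's point that testers record every response applies equally to defenders, who need a longer retention period or a lower threshold to see slow, patient scanning at the cost of more false positives.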

Now that the tester is aware of the possible vulnerabilities, they can continue to the exploitation phase. Armed with knowledge about the asset, its open ports, the services running and the exploits associated with those services, an attack can begin. This is the phase that most newcomers envisage when thinking about hacking, and it can involve many techniques, tools and pieces of code. The goal in this part of the test is to see exactly how far the agent can get into the environment, identify valuable targets and avoid detection, all within the planned scope. Although experienced pen testers may raise issues outside of the defined remit, it is imperative to stick to the agreed parameters and maintain a thorough line of communication with the client.

One of the most common types of pen testing performed is the network-based attack. There are various methods that leverage SSH, FTP/SMTP, IPS/IDS evasion, the DNS level (zone transfer, switching/routing), man-in-the-middle positions, firewall misconfiguration and open ports. A network often serves mission-critical applications to an organization, so it is essential that it is adequately protected against these attack vectors. Other tactics deployed include web-based, zero-day, client-side, Wi-Fi and even physical attacks. Research shows that a large number of security breaches rely mainly on some form of social engineering. For some, it can be much easier to persuade or manipulate a user into giving away credentials or committing an action that results in damage. Oftentimes, access to the system is only temporary, so there is a need to move quickly in order to create a more permanent backdoor, one that establishes solid administrative privileges and survives program closures and system reboots. A more persistent threat can remain in a system for long periods of time, accessing the most sensitive data and creating the conditions that enable the sabotage of fundamental infrastructure.

A report will be produced using the findings from the investigation. It will contain a detailed technical explanation of all the methods and tools that were used, the level of access gained and how to approach patching, hardening and configuring the specific systems. It should outline the attack step by step, showing exactly what path was taken to accomplish the breach. There will also be a high-level executive summary; this section offers a non-technical insight into the main concerns identified during the assessment. It should provide a risk level or severity rating that clearly represents the likelihood and impact of an attack, along with the key findings.

Once the report has been considered, remediation actions should be completed. They may consist of small tweaks, software and operating system updates and occasionally third-party solutions. It is not unusual for the security firm to provide debriefing and support to various members of the target organization, then test the systems again once the recommendations have been implemented. Penetration tests should be run regularly, typically each year. Alongside annual testing, a pen test should be considered whenever new network infrastructure is added, there are changes to the physical location, or any significant application or policy updates take place. The evaluation forms part of a broader set of security principles, and it is important that institutions recognize that it is their responsibility to act upon the suggestions made by the testers. The solutions offered are not necessarily the only ones available; internal team members should also give their advice on any suitable alternatives.


Legal, Ethical & Social Issues

Within the world of hacking, there are significant ethical decisions to consider. Both sides, good and bad, have access to incredible power. As a hacker becomes more skilled, they will eventually need to decide whether to use that power in a law-abiding manner. It is unlikely that many people begin learning this skillset with the goal of becoming a supervillain, but a small number of important choices can easily lead to a slippery slope of criminality.

Practitioners must be careful of their actions and think about the consequences in a variety of situations. Many dilemmas are highly sophisticated and lie within a gray area; an undertaking may lead to the inappropriate disclosure of private information or severe service disruption. This makes it vital that the client is cognizant of the impact of a pen test, particularly on live and production systems.

Various security-related institutions have attempted to draw up a code of conduct for ethical hackers. The Computer Ethics Institute established ten commandments as a model for the correct use of computers. The UK Cyber Security Council stipulates a set of values and principles for its member organizations to follow, providing guidance on behavior and decision making within challenging environments. Some clients may wish to pursue a target, possibly by hacking an attacker back in response to an incident. In most parts of the globe, this kind of behavior would be unlawful.

The implications of tactics such as social engineering might easily be construed as unethical. They risk breaching the trust of members and causing problems with relationships inside an establishment. Tricking or manipulating somebody into giving away access to their system could make them feel like they have failed or done something wrong; it could potentially cause anxiety about their role and future within the organization. It is imperative to avoid conflict between department members and teams that have fallen prey to the deployed social techniques. Likewise, there is a need to be tactful about the feedback and results of a pen test, as the developers of software and network infrastructure may be defensive about criticism of their work.

Some black hat hackers have used their endeavors to launch a legitimate career. Individuals and groups can gain notoriety, and public image plays an important part in our world. There can be ample opportunity in claiming bug bounties or selling the details of an exploit privately. That being said, as a pen tester the ramifications of failing to adhere to strict controls can be very serious. Before starting a pen test, legal agreements should be made that specify the exact operations and objective. Authorization is paramount, but what constitutes authorization, and who is responsible for clearing such access, is not always particularly straightforward. Some organizations may not have true ownership of certain parts of their system, and various security professionals have been criminalized for conducting what they believed to be sanctioned tests, so the scope of indemnification should be a top priority for all ethical hackers.


Summary

The threat of hacking is expanding and the networks that we value are becoming increasingly complex; such intricacy can lead to bugs and unintended faults that will be discovered sooner or later. So much of our sensitive data can be accessed instantly at the click of a button, and the majority of our key services and infrastructure rely on computer systems functioning without interruption. Training new analysts with a good ethical approach will help keep our virtual lives protected. Penetration testing can play a significant role in certifying that the systems we build around us are safe, robust and can be relied upon.

The rules and laws governing this space continue to develop at high speed; what organizations need to do to maintain solid security practices, and how they should achieve it, are ever evolving. As technology continues to develop, the policies and procedures for maintaining security should follow.