Introduction
Penetration testers use a variety of tools to analyze the security of IT systems, often using the same
methods that a perpetrator would deploy when attempting to execute an attack. The knowledge gained provides assurances to
organizations that their products and services have been configured with good security practices in mind and are not susceptible to any
common or publicly known vulnerabilities.
In todays digital world, many establishments are finding it increasingly difficult to protect the confidential data of their users. In
response, the penetration testing industry is fast growing and is expected to reach a market size of over $3 billion by 2027. The escalating occurrence of high profile cyberattacks have caused significant financial losses and damage to the victims. With tighter regulations and mandated controls being introduced, it is expected that the industry will remain an important part of organisational structure for the foreseeable future.
Role & Purpose of Penetration Testing
Penetration testing can be considered as a legally authorized attempt to successfully find and exploit computer systems and networks,
with the purpose of improving security and mitigating imminent threats. The routine involves probing for vulnerabilities and providing
evidence of the potential damage and risks associated with the results. Upon completion of the testing, there should be specific
recommendations provided to address and fix any issues that have been discovered.
It is said that the best way to stop a criminal, is to think like a criminal. Installing an alarm and adding a wall is simply not enough to
prevent determined groups or individuals from gaining access. To effectively stop such threats, you must predict the moves that an
attacker would make. One of the best ways to do this is by hiring trusted third party security firms to penetrate
the desired systems and provide a full assessment. By simulating a live attack, organizations can witness the possible outcomes of a
malicious entity gaining entry or causing damage to their assets. With threats constantly evolving, security should be viewed as a
journey. There are new ways to exploit vulnerabilities being devised each day, so even the most rigorous of testing routines can only
offer a snapshot of a systems security. Penetration testing is simply a healthy component of risk assessment and best practices, it
should not be used as the primary method for determining security protocols.
Before a pen test can begin, testers and their clients should agree on the overall
scope and desired goal. They will need to decide on the types of tests, which
members of their team will be aware of the scenario, the amount of information
and what level of access the testers will start with. There
are black box, white box and gray box tests. Black box tests are simulating an
external attack, it will demonstrate how an outsider would breach defenses and
usually requires automation, brute force and excellent knowledge of network
topology. Sometimes referred to as clear box, white box gives access to internal
architecture from the beginning. It looks at what harm can be done from inside
the system, agents have a deeper understanding of the data flow and could be
provided source code or admin accounts. Gray box is thought of as middle
ground where the security team will replicate an external threat, however they
may already have partial knowledge of the system or access to basic user
privileges from the start.
The first step in any test is the reconnaissance phase, here the ethical hacker will
spend their time gathering crucial data and information that will be used during
the simulated attack. This data could be scraped from online platforms such as
social media pages, or it could be the responses from a phishing campaign and
other predatory activity. Things like names, job titles, email addresses, key dates
and location information all hold a great amount of value.
Account details and password cracking dictionaries can be pieced together using
traces of personal details that are found online. The more information that is
collected, the greater chance of success during the later stages.
Once a sufficient amount of data has been gathered, the attacker can begin the second stage; scanning the system in an attempt to
discover any flaws. IP addresses collected from phase one can be used to conduct port scanning, this will provide a list of open ports
and potential services that can be targeted. Vital details about the system firewall and software versions should be captured, then
vulnerability scanning is used to locate and identify specific weaknesses. It is important that the response of the
target to each step of the process is recorded in detail, as this information may help at another time. Various inputs, random strings
and general probing may be done to check for any errors or unintended behavior from the system (Saindane, no date). Pen testers
must keep themselves up to date with the most recent exploits, although there are many automated mechanisms to scan and detect
flaws they should not be solely relied upon. More often than not, manual testing does very well to identify unknown vulnerabilities.
Now that the tester is aware of the possible vulnerabilities, they can continue to the exploitation phase. Geared with knowledge about
the asset, open ports, various services and the exploits associated with those services, an attack can begin. This is the phase that most
newcomers envisage when thinking about hacking, and the means to do so can involve lots of techniques, tools and code. The goal in this part of the test is to see exactly how far the agent can get into the environment, identify valuable targets and avoid detection, all within the planned scope. Although experienced pen testers may raise issues outside of the defined remit, it is imperative to stick to the agreed parameters and maintain a thorough line of communication with the client.
One of the most common types of pen testing performed is a network based attack, there are various methods that leverage SSH,
FTP/SMTP, IPS/IDS evasion, DNS level (zone transfer, switching/routing), man in the middle, firewall misconfiguration and open ports.
A network often serves mission critical applications to an organization, so it is essential to be adequately protected against these attack
vectors. Other tactics deployed include web based, zero day, client side, Wi-Fi and even physical attacks. Research shows
that a large number of security breaches rely mainly on some means of social engineering. For some, it can be
much easier to persuade or manipulate a user into giving away credentials or committing an action that results in damage. Oftentimes,
access to the system is only temporary so there is a need to move quickly in order to create a more permanent backdoor. This is to
establish solid administrative privileges that will survive program closures and system reboots. A more persistent threat can remain in a
system for long periods of time, accessing the most sensitive data and creating the conditions that can enable the sabotage of
fundamental infrastructure.
A report will be produced using the findings from the investigation. It will contain a detailed technical explanation of all the methods
and tools that have been used, the level of access gained and how to consider patching, hardening and configuring specific systems. It
should outline the attack step by step, showing exactly what path was taken to accomplish the breach. There will be a high level
executive summary, this section offers a non technical insight into the main concerns identified during the assessment. It should
provide a risk level or severity rating that clearly represents the likelihood and impact of an attack along with the key findings.
Once the report has been considered, remediation actions should be completed. It may consist of small tweaks, software and operating
system updates and occasionally third party solutions. It is not unusual for the security firm to issue debriefing and support to various
members within the target organization, then test the systems again once the recommendations have been implemented. Penetration
tests should be run regularly, typically each year. Alongside annual testing, a pen test should be considered whenever new network
infrastructure is added, there are changes to the physical location, and any significant application or policy updates take place. The
evaluation forms part of a broader set of security principles and it is important that institutions recognize that it is their responsibility
to act upon the suggestions expressed by the testers. The solutions offered are not necessarily the only ones available, internal team
members should also give their advice on any suitable alternatives.
Legal, Ethical & Social Issues
Within the world of hacking, there are significant ethical decisions to consider. Both sides, good and bad,
have access to incredible power. As a hacker becomes more skilled, they will eventually need to make a
decision about whether to use their power in a law abiding manner. It is unlikely that many people begin
learning this skillset with the goal of becoming a super villain, but a small number of important choices can
easily lead to a slippery slope of criminality.
Practitioners must be careful of their actions and think about the consequences of a variety of situations.
Many dilemmas are highly sophisticated and lay within a gray area, an undertaking may lead to the
inappropriate disclosure of private information or severe service disruption. This makes it
vital that the client is cognizant regarding the impact of a pen test, particularly on live and production
systems.
Various security related institutions have attempted to draw up a code of conduct for ethical hackers, the
Computer Ethics Institute established ten commandments as a model for people to use regarding the correct
use of computers. The UK Cyber Security Council stipulates a set of values and principles for
their member organizations to follow, it provides guidance on behavior and decision making within
challenging environments. Some clients may wish to pursue a target,
possibly hack an attacker in response to an incident. In most parts of the globe, this kind of behavior would
be unlawful.
The implications of tactics such as social engineering might easily be construed as unethical. It risks breaching the trust of members and
causing problems with relationships inside an establishment. Tricking an individual or manipulating somebody into giving away access
to their system could make them feel like they have failed or done something wrong, it could potentially cause anxiety about their role
and future within an organization. It is imperative to avoid conflict between department members and teams that have fallen prey to
the deployed social techniques. Likewise, there is a need to be tactile about the feedback and results of a pen test, as the developers of
software and network infrastructure may be defensive surrounding criticism of their work.
There are some black hat hackers that used their endeavors to launch a legitimate career. Individuals and groups can gain notoriety
and public image plays an important part in our world. There can be ample opportunity in claiming bug bounties or selling the details of
an exploit privately. That being said, as a pen tester the ramifications for failing to adhere to strict controls can be very serious. Before
starting a pen test, legal agreements should be made that will specify the exact operations and objective. Authorization is paramount,
but what constitutes as authorization and who is responsible for clearance of such access is not always particularly straightforward
. Some organizations may not have true ownership of certain parts of their system and various security professionals have
been criminalized for conducting what were believed to be sanctioned tests, so the scope of indemnification should be a top priority
for all ethical hackers.
Summary
The threat of hacking is expanding and the networks that we value are becoming increasingly complex, such intricacy can lead to bugs
and unintended faults that will be discovered sooner or later. So much of our sensitive data can be accessed instantly at the click of a
button, and the majority of our key services and infrastructure rely on computer systems functioning without interruption. Training
new analysts with a good ethical approach will help keep our virtual lives protected. Penetration testing can play a significant role in
certifying that the systems we build around us are safe, robust and can be relied upon.
The rules and laws governing this space continue to develop at high speed, what organizations need to do to maintain solid security
practices and how they should achieve it are ever evolving. As technology continues to develop, the policies and procedures for
maintaining security should follow.