Penetration testing is a phrase that is used a lot in the current climate, especially with regard to web applications. There have been occasions where I have come across people who still do not see the value in cyber security services, particularly a full penetration test.
Vulnerability scanners are software, run either locally or from the cloud, that performs a range of scans against a website or web server and aims to give you a list of vulnerabilities graded from low to high, often with suggested remediations.
Some of the most commonly used:
- Rapid7 Nexpose (https://www.rapid7.com/products/nexpose/)
- Tenable Nessus (https://www.tenable.com/products/nessus/nessus-professional)
- OWASP ZAP (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)
- Netsparker (https://www.netsparker.com/)
- Greenbone OpenVAS (http://www.openvas.org/)
Some vendors imply their scanner can do the job of a manual penetration tester, but running one vendor's vulnerability scanner is not conclusive. Every scanner produces some false positives, and different scanners report different results for the same target. The key to using a vulnerability scanner effectively is the knowledge to judge which results are genuine and critical, and then to offer advice on mitigation or remediation.
A better description of this is a Security Assessment: using several tools, both automated and manual, to check web applications for vulnerabilities or weak points, and giving the client suggested solutions for the critical vulnerabilities those tools discover. Although not as conclusive as a full penetration test, a Security Assessment can still provide valuable steps towards ensuring your application is secure. Of course, the penetration tester needs a good knowledge of web applications to offer these solutions.
Black Hat – a malicious hacker, primarily acting for financial or personal gain.
White Hat – the opposite of a black hat, using the same skills to help companies find security holes and vulnerabilities with a view to protecting their hardware and their data.
There are two types of full penetration test, which this post calls white hat and black hat (the same split is more commonly described as white-box and black-box testing). The process for each is slightly different and both have their pros and cons.
A black hat test is taken from the perspective of a malicious attacker and is one of the best ways of testing whether your application or network can withstand a real attack. The penetration tester is given no information about the company or website they have been employed to test. This sort of test is the most labour- and time-intensive, because the penetration tester must start with an exhaustive footprinting stage, of which social engineering is a big part.
Often, we find that the weak points in an organisation are the employees themselves: whether it is clicking a link on a website or opening an attachment in an e-mail, people are simply too trusting. A penetration tester will exploit these weaknesses and point out where more staff training is required. The internet holds a wealth of information about your company and the people who work for it, all of it valuable pickings for a penetration tester, and again the tester can show you how to better protect that data online. Social engineering can be a long process, depending on the size of the company and how careful the employees are with their data.
The scanning stage comes next: the penetration tester will try to find weak points in your network or on your website using many different tools. They will use a vulnerability scanner to automate some of these searches alongside manually probing your network and/or web application. Only after a detailed review of the results will the penetration tester determine which alerts are false positives and which need to be looked at further, perhaps with a different tool. The aim at this stage is to find the weak entry points through which an attacker could gain access to your network or application.
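Both the Security Assessment passage and the scanning stage above make the same practical point: one scanner's output is not the answer, and the tester has to merge several tools' results and decide which alerts deserve follow-up. The script below is an added example of that merge step, not code from the original post. It assumes two hypothetical scanner exports, constructed inline (one reporting numeric CVSS scores, the other only severity words), correlates them by host, port and CVE, takes the worst rating any scanner gave, and flags findings that only one tool reported or on which the tools disagree as needing manual verification.

```python
"""Correlate findings from two vulnerability scanners and order them for triage.

Added example, not code from the original post. The two export formats and
all findings below are constructed to illustrate the idea; real scanners
export their own schemas and would each need a loader of their own.
"""
from collections import defaultdict

# Rank order for the severity words used here ("info" stands in for CVSS "None").
SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed export from hypothetical scanner "A": reports numeric CVSS scores.
SCANNER_A = [
    {"host": "10.0.0.5", "port": 443, "cve": "CVE-2014-0160",
     "title": "OpenSSL Heartbleed information disclosure", "cvss": 7.5},
    {"host": "10.0.0.5", "port": 443, "cve": "CVE-2014-3566",
     "title": "SSLv3 POODLE", "cvss": 4.3},
    {"host": "10.0.0.7", "port": 80, "cve": None,
     "title": "Directory listing enabled", "cvss": 5.0},
]

# Constructed export from hypothetical scanner "B": reports severity words only.
SCANNER_B = [
    {"host": "10.0.0.5", "port": 443, "cve": "CVE-2014-0160",
     "title": "Heartbleed", "severity": "High"},
    {"host": "10.0.0.5", "port": 443, "cve": "CVE-2014-3566",
     "title": "POODLE (SSLv3)", "severity": "Low"},
    {"host": "10.0.0.7", "port": 22, "cve": None,
     "title": "Weak SSH MAC algorithms", "severity": "Low"},
]


def severity_from_cvss(score):
    """Map a CVSS v3 base score onto its qualitative rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "info"


def normalize(scanner, findings):
    """Reduce one scanner's records to a common shape with a correlation key.

    The key is (host, port, CVE) when a CVE is present, otherwise the
    lower-cased title, so title-only findings will not match across scanners
    that word the same issue differently.
    """
    rows = []
    for f in findings:
        sev = f["severity"].lower() if "severity" in f else severity_from_cvss(f["cvss"])
        key = (f["host"], f["port"], f["cve"] or f["title"].lower())
        rows.append({"key": key, "scanner": scanner, "severity": sev, "title": f["title"]})
    return rows


def correlate(*normalized):
    """Group normalized findings from any number of scanners by key."""
    by_key = defaultdict(list)
    for rows in normalized:
        for r in rows:
            by_key[r["key"]].append(r)
    return by_key


def triage(by_key):
    """Order correlated findings for manual review.

    Highest severity first (the worst rating any scanner gave), then findings
    seen by more scanners first. Single-scanner findings are marked for
    verification, and severity disagreements between scanners are flagged.
    """
    rows = []
    for (host, port, ident), hits in by_key.items():
        ratings = {h["severity"] for h in hits}
        scanners = sorted({h["scanner"] for h in hits})
        rows.append({
            "host": host, "port": port, "id": ident,
            "severity": max(ratings, key=SEVERITY_ORDER.__getitem__),
            "scanners": scanners,
            "severity_disagreement": len(ratings) > 1,
            "status": "corroborated" if len(scanners) > 1 else "verify manually",
        })
    rows.sort(key=lambda r: (-SEVERITY_ORDER[r["severity"]], -len(r["scanners"]), r["host"], r["port"]))
    return rows


def report(rows):
    """Render the triage list as text lines for the assessment notes."""
    return ["{severity:<8} {host}:{port:<5} {id:<30} {status} ({})".format(
        "+".join(r["scanners"]), **r) for r in rows]


if __name__ == "__main__":
    merged = correlate(normalize("A", SCANNER_A), normalize("B", SCANNER_B))
    for line in report(triage(merged)):
        print(line)
```

The ordering deliberately puts a corroborated medium above a single-scanner medium: the second still has to be checked with another tool or by hand before it goes in the report, which is exactly the false-positive review described above.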
These two stages are only the preliminary steps of a full black hat penetration test; their aim is to find the entry points from which the penetration tester will be able to get inside your web application or network and exploit any weaknesses.
A white hat test differs in that the penetration tester is given a lot of information by the client, sometimes including logins, so that they can test the internal systems. Although a black hat test simulates a malicious attacker, the penetration tester may not gain access to the internal systems, which means those systems may not be tested fully. This is the benefit of a white hat test: the penetration tester can exhaustively test the internal systems and discover any vulnerabilities or weak points, against the chance that an attacker does gain access. When performing a white hat test, the penetration tester still goes through a scanning stage, but can scan internal systems more easily before moving on to the exploitation stage.
When the penetration tester moves on to exploitation, the tools available are even more numerous: cracking passwords, sniffing the traffic on your network, hijacking sessions, or using an exploit to gain backdoor entry to your server or network. Once the penetration tester gains access to critical systems, they can produce mitigations and remediations for the client so that an attacker would not be able to follow the same path. The true purpose of a full penetration test is to simulate what a malicious hacker would do, so the key is to be both conclusive and exhaustive, leading to a detailed report that helps the client harden entry points and remediate vulnerabilities.
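Of the exploitation techniques listed above, password cracking is the one most easily shown end to end together with its remediation. The script below is an added example, not code from the original post: the wordlist, user records, passwords and salts are constructed inline, and the iteration count is a hypothetical site setting chosen so the example runs in about a second. It runs the same dictionary against a legacy table of unsalted SHA-1 hashes and against a table stored with per-user salts and PBKDF2-HMAC-SHA256, and counts the work each attack needs.

```python
"""Offline dictionary attack against leaked password hashes, and the
storage change that limits it.

Added example, not code from the original post. The wordlist, users,
passwords and salts are constructed here; ITERATIONS is a hypothetical
site setting, not a recommendation.
"""
import hashlib
import hmac

# Constructed wordlist. A real attack uses millions of entries plus mangling rules.
WORDLIST = ["password", "123456", "letmein", "Summer2019", "qwerty", "P@ssw0rd"]

# Constructed legacy table: unsalted SHA-1, as still found in older web apps.
LEGACY_USERS = {
    "alice": hashlib.sha1(b"Summer2019").hexdigest(),
    "bob": hashlib.sha1(b"letmein").hexdigest(),
    "carol": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}

# Hypothetical iteration count, kept small so the example runs quickly;
# current OWASP guidance for PBKDF2-HMAC-SHA256 is far higher.
ITERATIONS = 50_000


def hash_pbkdf2(password, salt, iterations=ITERATIONS):
    """Salted, iterated hash as a site should store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed hardened table with per-user salts. The salts are fixed here so
# the example is reproducible; a real site draws them from os.urandom().
_SALTS = {
    "alice": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "bob": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
    "carol": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}
_PASSWORDS = {"alice": "Summer2019", "bob": "letmein", "carol": "correct horse battery staple"}
HARDENED_USERS = {u: (_SALTS[u], hash_pbkdf2(_PASSWORDS[u], _SALTS[u])) for u in _SALTS}


def crack_unsalted_sha1(table, wordlist):
    """Unsalted hashes: hash each guess once and look up every user at the same
    time. Returns (recovered passwords, number of hash computations)."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    found = {user: lookup[h] for user, h in table.items() if h in lookup}
    return found, len(lookup)


def crack_pbkdf2(table, wordlist):
    """Salted hashes: the shared lookup table is useless, every guess must be
    hashed again for each user, and each hash costs ITERATIONS HMAC calls.
    Returns (recovered passwords, number of PBKDF2 computations)."""
    found, work = {}, 0
    for user, (salt, digest) in table.items():
        for guess in wordlist:
            work += 1
            if hash_pbkdf2(guess, salt) == digest:
                found[user] = guess
                break
    return found, work


def verify_password(user, password, table):
    """Login-side check: recompute with the stored salt, compare in constant time."""
    salt, digest = table[user]
    return hmac.compare_digest(hash_pbkdf2(password, salt), digest)


if __name__ == "__main__":
    found, work = crack_unsalted_sha1(LEGACY_USERS, WORDLIST)
    print("unsalted SHA-1:", found, "after", work, "hashes")
    found, work = crack_pbkdf2(HARDENED_USERS, WORDLIST)
    print("salted PBKDF2:", found, "after", work, "x", ITERATIONS, "iterations")
```

The weak passwords fall in both cases, which is the second half of the remediation: a slow, salted hash raises the cost of every guess and stops one lookup table covering the whole user base, but it does not rescue "letmein"; a password policy and, where possible, a second factor have to go in the same report.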
It is important to note that a penetration test can never be 100% effective, because it is a snapshot in time and the tools and techniques available to attackers are constantly improving. However, without a penetration test, the network, server or application is left significantly more exposed to attack.
Alongside the wealth of software available to penetration testers, they will go through numerous manual tests and even write scripts themselves, just to exploit a specific vulnerability they have found in your network, server or application. The training path for a penetration tester is long and difficult, but at the same time very rewarding, because we actually enjoy finding vulnerabilities and exploiting them. The idea of protecting people from hackers is one of the reasons I got into the cyber security industry in the first place.
So, the next time you consider how to protect your application, server or network from the multitude of threats out there, think about the intricacies and hard work that go into penetration testing and how much it can offer in terms of stopping those threats.
Technical Engineer – Cyber Security