Penetration testing, known as "pen testing", is a cyber security tactic your company can employ to harden your network and protect against cyber attacks before they happen. While some may think pen testing is just for software vendors, in today's day and age, every company can benefit from pen testing.
But what really is penetration testing? What are some of the tactics employed by these security researchers? And why does my company need this? Continue reading to find out.
Penetration testing extends far beyond just testing your systems, and can encompass widespread practices across your company's entire cyber strategy. At its core, pen testing analyzes a variety of different attack vectors for potential vulnerabilities, and delivers your company a report with recommendations on how to improve your security practicies.
The most straightforward type of pen testing looks at your company's network and tries to find unintentional misconfigurations and open vulnerabilities. Your company likely has a private network on which your internal resources are accessible. Even the smallest of companies at least has a basic wifi network - and surprisingly CNBC reports that almost half of all US small businesses' networks have been breached whether they know it or not.
Network pen testing involves a security expert reviewing your network configuration and ensuring only users with appropriate authority and permission can access your internal resources. Business data, especially finanicial and supply chain data, can be detrimental in the wrong hands. The first line of defense is having a strong and secure network to keep out unwanted actors.
Another piece of the cybersecurity puzzle are the actual systems your company uses to do business. Even with the strongest network in place, it can all be for naught if you use insecure systems. System vulnerabilities can span a wide array, all the way from insecure API endpoints that allow to unauthenticated users to access data, to things like using external software libraries with compromised code that gives access to hackers.
Pen testers are experts at analyzing and understanding the systems you use, and can discover attack vectors exposed by the systems themselves. These threats can sometimes be exposed due to misconfigurations that can be quickly remedied, but also can be actual system bugs that need to be addressed by the software vendor. Typically cybersecurity contractors can work with your vendors directly to correct these issues with minimal involvement required on your part.
Cybersecurity experts can also be engaged during the system selection process to give recommendations from a security perspective on which solutions to implement.
An often forgotten aspect of cybersecurity are your company's physical locations and the security related therein. Consider this: while we are all acustomed to accessing the internet via wifi, almost every office building or company location contains network jacks / ethernet ports that allow computers to plug into the company's network. And unlike wifi, which is protected by layers of password authentication, wired network connections rarely required authentication to access (the assumption in most cases is, if someone is inside the building, they have authority to access the network).
Even if your company locations employ access controls like badge scanners and security guards, how many times have you watched employees hold doors open and follow each other in without scanning their badge? It is human nature to be helpful and courteous, but it's these kinds of simple actions that can allow bad actors to physically access to your buildings which can then give them access to your cyber networks.
Physical pen testers can assess all of these vulnerabilities and recommend best practices for your company. Security researchers employ a variety of tactics to determine your company's potential risks, and provide recommendations custom to your company's needs (see the Social Engineering section below for more details).
The people in your company continue to be the weakest link in your security chain. According to research, 99% of all cyberattacks require some level of human interaction to execute successfully. With proper training, your associates can thwart most any attack on your systems.
And that's not to say your employees are intentially not focused on security. Many times, attackers are extremely careful and employ tactics like spear phishing that are very difficult for even the most security concious associates to detect (see the Phishing section below for more details).
Pen testers often test your people as part of other security assessments. You can also engage security experts to provide training and seminars to help teach your people to spot and stop threats before they affect your network.
While there are almost endless tactics that information security professionals can employ, we wanted to highlight three of the most common vulnerability research strategies. These strategies are not only the most common to be used by pen testers, but these are also common tactics employed by threat actors.
Phishing attacks often employ fake emails (and increasingly common more scrupulous tactics like text messages, LinkedIn messages, etc.), attempting to get a user to either download a file or click on a link that ends up running a malware exploit on the employee's computer. These exploits can then expose your network to remote access (addressed in the Remote Access section below), or run more autonomous attacks that exfiltrate data without human intervention.
A spear phishing attacks differs from general phishing in that spear phishing is extremely precise and targeted at a particular user or set of users. While a general phishing attack may simply spam your entire company with an email hoping someone will accidentally click on a malicious link, a spear phishing attack will be sent to a specific individual and often employ extreme personalization.
For example, hackers may use LinkedIn to identify an IT manager in your company that they think may have privileged access to your network. They then may utilize social research (i.e. Google) to find your IT manager's boss, and then send a targeted email to your IT manager impersonating that boss, either asking the user to login to test a system (using a malicous link) or something much simpler like downloading a PDF attachment that contains an embedded exploit.
Spear phishing attacks can be extremely hard to detect for even the most security aware employees, as attackers will often use spoofed email addresses that very similarly match your company's email domains (for example, if your company's domain was "acmeinc.com", they might register "acmeinc-marketing.com" and send emails from that, or even common mispellings like "amceinc.com").
And increasingly, attackers have started creating fake LinkedIn profiles, word-for-word copying profiles from high-ranking employees in your company and then sending messages to lower level associates with malicious links or asking them for credentials to access a system.
Phishing attacks are considered a type of social engineering, employing psychological tactics to manipulate people into unknowingly divulging company secrets and confidential information. Social engineering attacks span a wide array of techniques, far beyond just phishing, and estimates show that 98% of cybersecurity attacks use some form of social engineering.
Social engineering attacks can include:
Pretexting: creating a false sense of authority to gain access to confidential information, like calling an employee claiming to be your company's IT team and asking for confidential information to "confirm the employee's identity".
Baiting: promising an item or good, like a free music or app download, or a coupon code to an associate's favorite store, in return for filling out a survey (which involves clicking on a link in an email).
Tailgating: following an employee into a restricted area, often by dressing up and claiming to be a service provider (like a pest control associate) that needs access to a room or building to do their job.
Social engineering tactics are often used in combination, like pretexting and tailgating, to create a believeable and hard to detect attack that plays on human nature and exposes your company without your associates even being aware they are being attacked.
Pen testers utilize the same types of social engineering attacks as malicious actors in order to test your company and expose any weaknesses you may have to help you improve your processes.
Often the end goal of a cybersecurity attack is establishing unauthorized access into your company's network. Once a bad actor gains access to your network, they can view internal communications, steal customer data, and compromise company secrets, among many other nasty things. This is often accomplished by gaining remote access capabilities (often called "establishing persistance").
Hackers can establish remote access in one of two primary ways: by either attaching a new device to your network (like plugging a Raspberry Pi into a network port hidden behind a TV in a conference room), or by running malicious code on a computer already attached to your network (often by getting an associate to click on a link on their work computer).
Both of these tactics utilize a remote access terminal, often called a RAT, that allows hackers to get into your network in ways beyond the initial attack vector. RATs can be deployed extremely quickly and easily, often just by plugging a USB flash drive into a computer for just a few seconds.
Pen testers use many of these tactics during their analysis, although typically they stop short of acutally installing code that allows access from outside. For example, pen testers may simply drop a text file onto a compromised computer in order to show that malicious code could have been installed.
Now that you have a better understanding of penetration testing and the tactics employed by security researchers, you may be asking yourself "why do I need this?"
More often than not, security vulnerabilities are not intentionally put into place. Employees are typically quite loyal to their companies, and it is extremely rare that associates deliberately want to expose confidential information.
Misconfigured systems and networks account for many security issues in corporations today. This can be as simple as forgetting to change a solution's default password when implementing in production (in fact, over 80% of data breaches involve compromised, often default, passwords). Pen testing can find these issues and offer recommendations for resolution.
As you probably gathered from the above sections, people are often the root cause of security issues. Training and awareness are your best tools in fighting social engineering attacks. With 43% of IT professionals reporting they have been the target of a social engineering attack, it's well worth the time and effort teaching your people how to respond.
While phishing and other social engineering tactics can be extremely deceitful, with proper training from information security experts, your employees will be better prepared to recognize and report attacks before they compromise your network.
Data breaches are a huge concern for many companies, especially consumer facing application that store sensitive customer data like passwords, credit card numbers, etc. However, supply chain data can be as dangerous if not more in the wrong hands.
For example, consider the scenario where a pharmaceutical company's shipment and routing data is compromised. Bad actors now have visibility into which trucks are carrying drugs on what days, and that information can be sold to criminals who want to hyjack and steal narcotics. What's even scarier about this scenario than stolen credit cards is that, while a consumer seeing fraudulent charges on their card is a pain to deal with, shipment hyjacking can be deadly to the operators driving those trucks.
Your company needs to get ahead of these potential attacks before they happen, because once a bad actor is in your network, the damage is already done.
We hope this post has given you an insight into the infosec world, and exposed you to potential threats and attack vectors your company may face. We strongly encourage all of our customers to take advantage of pen testing to gain an advantage over malicious actors.
Want to stay informed? Subscribe to PorterLogic’s newsletter, and you’ll get bimonthly analysis and rundowns of the supply chain’s latest trends and challenges in your inbox.