Penetration Testing: The Key to Pinpointing Cyberattack Vulnerabilities
Your IT department is up to speed on firewall protections, filters, and the latest trends in information security. You feel strong in your stance against cyber attackers. Yet back in the furthest reaches of your mind, a little voice keeps asking, "If a cyberattack happened, would our company be able to withstand it?"
It's a question that's fueled one of the fastest-growing professions in the digital age. Penetration testing—the act of simulating a cyberattack from a multitude of angles against a company—is the only true way to get an accurate answer.
We dive into the topic here.
It Started at the Top
In his piece, Penetration Testing: What It Is, and How to Do It Well, Brian Nordli shares the origins story of a government-sponsored computer vulnerability test in the 1960s. It proved their networks could be hacked and spawned the industry as we know it today.
When the internet emerged in the 1990s, it ushered in a new age of digital vulnerabilities, although not everyone saw them as permanent.
Nordli's piece shares an anecdote about a seasoned computer scientist who predicts a budding pen tester has 'about ten years' left in the profession before all vulnerabilities are identified and fixed.
What the veteran failed to realize is that technological advancements are a double-edged sword: they present opportunities for good guys and bad guys.
Today we have networks connected in ways early computer engineers could barely anticipate. Wifi-enabled devices are everywhere, and so are cybercriminals with the skills to infiltrate them, which makes penetration testing a profession with unlimited potential.
So, let's say you're ready to answer that question that's been nagging at you by conducting a penetration test for your organization. What would that mean, exactly?
In some ways, it's like a bank president asking a security expert to rob his facility to see if it's possible. Or, as Nordli's piece calls it: ethical hacking. "The only difference between us and another hacker is that I have a piece of paper from you and a check saying, 'Go to it,’" says one pen tester.
Be Prepared for the Worst
A proficient pen tester will do everything possible to hack your system. They'll often succeed, revealing a litany of trouble spots and vulnerabilities that need strengthening.
Throughout the process, the pen tester will meticulously document various attack methods and outcomes so your IT team can learn from them. In extreme cases, the pen tester's efforts will result in a complete shutdown of your network—all for the sake of protecting you.
Prior to Testing
Most companies prepare for a pen test by shoring up their systems to the best of their abilities. While pen testers invite this type of pre-work, the profession takes issue with the fact that most organizations only do this to prepare instead of making it an ongoing practice.
Most pen tests are with a vulnerability scan that highlights weaknesses that can be exploited. From there, a pen tester will look at domain names, server records, DNS records, employee emails, and third-party software to assess attack scope and options.
Armed with this information, Nordli outlines tactics a pen tester will try to mimic the work of a hacker, which include:
- Sending phishing emails to see which, if any, employees fall for it
- Entering junk data into input fields to break systems
Backing up systems before a pen test will ensure you'll still have access to important files and data if the test results in a system crash.
The Big Reveal
Once the test is complete, your pen tester will outline what issues were revealed. One of the more common ones includes default passwords still in use for wifi-enabled devices. These default passwords are readily available on the dark web and can be exploited if they're not changed as the manufacturer recommends.
Your pen tester will also outline all issues revealed in the test and will likely go through them with you and your IT professionals. At the end of the process, you'll come away with a clear understanding of your overall information security stance—along with the recommended fixes to shore up weaknesses.
While a pen test may reveal your deepest darkest information security fears, it's also the key to remedying them. Try the resources listed here to find a pen tester for your organization.