What is a Pen Test and why do you need it?

A Penetration Test (Pen Test) is a simulated cyber-attack against an organization to identify exploitable weaknesses. The purpose of the simulated attack is to uncover weak spots on a network, application or endpoint that a threat actor could take advantage of, and to address them before a real attacker can exploit them. Pen testing is becoming more critical as nearly every company has a network presence and is therefore exposed to attackers. Moreover, a successful cyber-attack has major consequences that can be detrimental to the livelihood of an organization.

Why Pen Test?

The most effective way to protect against adversaries is to get inside an opponent’s decision cycle and “think like a hacker.” The proliferation of the internet means criminals are no longer constrained to their geographic location for targets and enjoy anonymity; the world is their oyster. What’s more, a widespread lack of cybersecurity understanding has resulted in many organizations unintentionally positioning themselves as easy targets. This is where conducting a penetration test can help.

Penetration tests are typically performed by “ethical hackers,” individuals who are legally authorized, in writing, by the system owner to test the network. Ethical hackers apply the hacker mindset by following the cyber kill chain or a similar testing methodology. They not only discover ways an adversary might gain unauthorized access to sensitive data or systems, but also establish how the current controls stand up to a simulated attack and how severe a breach would be should one occur.

By design, pen tests go beyond a vulnerability scan: they uncover a network’s vulnerabilities and, within the agreed rules of engagement, exploit them only as far as needed to demonstrate real impact. The discovered weaknesses are then reported with remediation guidance rather than used to cause harm. With the complexity of technology infrastructure increasing every day, organizations are more prone to having vulnerabilities go unnoticed. At the same time, attackers are becoming more sophisticated at exploiting them. A vulnerability is a weakness in a system or application that a threat can exploit to gain unauthorized access. A threat is any agent that can cause harm to a target organization. In this article the threat in question is a hacker or cybercriminal, but threats also include forces of nature, vendors, and even disgruntled employees.

Penetration tests improve an organization's security by reducing its risk. Risk is the overlap of a threat and a vulnerability, resulting in exposure to some type of harm, and it is measured in likelihood and impact. While it is impossible to reduce likelihood to zero, pen tests help remove vulnerabilities and so reduce the likelihood of a threat successfully executing.

When a vulnerability is successfully exploited, the consequences include obvious financial losses from system damage, lawsuits, a falling stock price and regulatory fines. There are also hidden costs such as customer loss and reputational harm, which are indirect and potentially long term. Proactive assessments like pen tests help avoid these pitfalls. A pen test validates current security controls or identifies areas where controls need to be implemented, so that controls can be adjusted to reduce the likelihood of a vulnerability being exploited. Pen tests also help organizations validate compliance with regulatory requirements, or reveal where compliance is lacking.


Types of Pen Tests

There are two primary choices for pen tests, with several variations of each. Automated penetration testing is the first option and a popular one because it does not require extra human capital or time: it identifies weaknesses using pre-set checks that anyone can kick off with a couple of clicks. Unfortunately, no single tool is capable of finding all vulnerabilities, and this is where purely automated tests fall short.

Manual testing is the second type of pen test. Manual testing still uses automation and computerized tools, but it also incorporates experienced cybersecurity specialists who bring a unique skill set and a wealth of industry knowledge. Robust security is an Expertise-Driven Cybersecurity® process, not a software product or tool. Silent Sector has the experience to understand how the applications, systems, and networks that organizations typically employ interconnect. This knowledge lets us combine the automated capabilities of pen testing tools with human proficiency and an outside-the-box philosophy to bring the highest value to our customers.

More specifically, the methodology we use blends traditional NIST methods for pen testing with a strategic analysis of each client’s operating environment, asking questions like “If we were cybercriminals, how would we go after this business?”

An internal security team rarely has the objectivity needed to identify security gaps. In part this is because they implemented the security program and may be biased toward it, but they may also lack an understanding of how risk plays into the overarching business objectives. Each system or endpoint introduces risk that the organization must manage. Pen testers use their knowledge to demonstrate and analyze how those systems become attack vectors that could lead to a breach. They can then recommend risk treatment options that bring risk to an acceptable level aligned with the business’s objectives.

The Phases of a Penetration Test

The phases vary depending on the client’s needs, but there is some common ground. The pre-engagement phase, for instance, is always conducted to agree on the scope, goals and rules of engagement of a test. It is imperative that a tester knows where critical systems reside, and which hosts are excluded, so as not to accidentally disable them.
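One concrete way to enforce that agreed scope before a single packet is sent is to encode the rules of engagement as data and have every tool check its targets against it. The following Python script is an added example written for this article, not a Silent Sector tool: the in-scope ranges are constructed from the reserved TEST-NET documentation blocks, and the exclusion list is a hypothetical set of fragile production hosts a client might carve out during pre-engagement.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed rules-of-engagement data for this example (TEST-NET documentation
# ranges, not a real client scope). Exclusions represent fragile production hosts
# the client carved out during pre-engagement.
IN_SCOPE = ["203.0.113.0/24", "198.51.100.10"]
EXCLUDED = ["203.0.113.5", "203.0.113.64/26"]


def _networks(entries: Iterable[str]) -> list:
    """Parse CIDR strings and bare addresses; a bare address becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify_target(target: str, in_scope=IN_SCOPE, excluded=EXCLUDED) -> str:
    """Return 'test', 'excluded' or 'out-of-scope' for one address.

    Raises ValueError for strings that are not IP addresses, so a typo in a
    target list fails loudly instead of silently scanning the wrong thing.
    """
    addr = ipaddress.ip_address(target)
    # Exclusions win even when the address also sits inside an in-scope range.
    if any(addr in net for net in _networks(excluded)):
        return "excluded"
    if any(addr in net for net in _networks(in_scope)):
        return "test"
    return "out-of-scope"


def filter_targets(targets: Iterable[str], in_scope=IN_SCOPE, excluded=EXCLUDED
                   ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split candidates into addresses that may be tested and (address, reason) pairs to skip."""
    allowed, skipped = [], []
    for t in targets:
        try:
            verdict = classify_target(t, in_scope, excluded)
        except ValueError:
            skipped.append((t, "invalid-address"))
            continue
        if verdict == "test":
            allowed.append(t)
        else:
            skipped.append((t, verdict))
    return allowed, skipped


def _members(net) -> list:
    """Addresses a scanner would probe: usable hosts, or every address for /31 and /32
    (and IPv6 /127, /128), where there is no separate network/broadcast address."""
    if net.prefixlen >= net.max_prefixlen - 1:
        return list(net)
    return list(net.hosts())


def testable_hosts(in_scope=IN_SCOPE, excluded=EXCLUDED) -> List[str]:
    """Expand the agreed ranges into the concrete host list a scanner may be pointed at,
    minus exclusions. Assumes a single IP version in scope (sorting mixes would fail)."""
    hosts = set()
    for net in _networks(in_scope):
        for addr in _members(net):
            if classify_target(str(addr), in_scope, excluded) == "test":
                hosts.add(str(addr))
    return sorted(hosts, key=ipaddress.ip_address)


if __name__ == "__main__":
    candidates = ["203.0.113.200", "203.0.113.5", "203.0.113.70", "192.0.2.1", "not-an-ip"]
    allowed, skipped = filter_targets(candidates)
    print("allowed:", allowed)
    print("skipped:", skipped)
    print("hosts in expanded scope:", len(testable_hosts()))
```

A scanner wrapper would call filter_targets() on whatever the operator typed and refuse to run at all if the skipped list is non-empty, rather than quietly dropping entries; testable_hosts() is what you hand to tools that take a host list, so an exclusion agreed in pre-engagement cannot be undone by a mistyped CIDR later in the test.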

The threat modeling and vulnerability identification phase is often neglected, because most organizations overlook how details like the types of systems, operating systems, firewalls, antivirus protection, presence of intrusion detection systems (IDS) and so on can be used by an attacker. Moreover, the assets a company holds and how its clients or vendors interact with them significantly shape an adversary’s approach to the target. Neglecting this phase can set up an organization to become a victim, as the infamous Target breach, which began with stolen credentials belonging to a third-party vendor, demonstrated.

The phase after the initial engagement also establishes what kind of test is performed. There are various approaches a pen tester can take, such as a “black box” test, in which the tester has no prior knowledge of the network architecture; this is usually performed from an external network toward the internal network. The opposite is a “white box” test, in which the tester is given details of the network configuration and systems before testing. A “grey box” test is a hybrid of the two and generally involves the tester having a set of user credentials, simulating an insider or an attacker who has already compromised an account.

When conducting pen tests, there is a chance the organization will experience network latency or a flood of alerts from its monitoring tools. To limit this, organizations can restrict testing to agreed time windows or opt for a non-intrusive test that lets them carry on work without creating a bottleneck on the network or drowning their intrusion detection systems in noise. A non-intrusive test uses the information available without exploitation, such as service banners and advertised version numbers, to hypothesize whether a vulnerability is present; it cannot confirm exploitability, and version strings alone can mislead when vendors backport patches without changing the version. The more severe an exposed vulnerability, the higher the risk it poses to the organization. Some organizations instead conduct an intrusive test to see accurately what would happen should an attacker succeed. This is not feasible for every organization, since exploiting uncovered weaknesses could take down the network or make critical systems unavailable, so intrusive steps should be agreed up front and scheduled against maintenance windows.
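To make the non-intrusive approach concrete, here is an added Python example (written for this article, not code from Silent Sector) that does what a non-intrusive check does: it fingerprints a service from its banner and compares the advertised version against a minimum patched version, producing a hypothesis rather than a confirmed finding. The banners are constructed, and the MINIMUM_PATCHED thresholds are placeholder assumptions, not real advisory data; a tester would fill that table from the vendor advisories relevant to the engagement.

```python
import re
from typing import Dict, Optional, Tuple

# Placeholder "minimum patched version" per product. These values are assumptions
# made up for this example and are NOT real advisory data; populate the table from
# the vendor advisories that apply to the engagement.
MINIMUM_PATCHED: Dict[str, Tuple[int, ...]] = {
    "openssh": (9, 0),
    "apache": (2, 4, 58),
    "nginx": (1, 25, 0),
}

# Constructed banners in the two most common formats: the SSH identification
# string ("SSH-<proto>-<software> [comments]", RFC 4253) and an HTTP Server header.
SAMPLE_BANNERS = {
    "203.0.113.10:22": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1",
    "203.0.113.11:22": "SSH-2.0-OpenSSH_9.6",
    "203.0.113.12:80": "Server: Apache/2.4.57 (Unix)",
    "203.0.113.13:80": "Server: nginx",
    "203.0.113.14:80": "Server: Microsoft-IIS/10.0",
    "203.0.113.15:25": "220 mail.example.com ESMTP ready",
}

SSH_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)")
HTTP_RE = re.compile(r"^Server:\s*(?P<product>[A-Za-z][\w.-]*)(?:/(?P<version>\S+))?", re.IGNORECASE)
NUMERIC_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '8.9p1' or '2.4.57' into (8, 9) / (2, 4, 57); suffixes like 'p1' are dropped."""
    m = NUMERIC_RE.match(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def fingerprint(banner: str) -> Tuple[Optional[str], Optional[Tuple[int, ...]]]:
    """Return (product, version) from a banner, or (None, None) if the format is unrecognised."""
    m = SSH_RE.match(banner)
    if m:
        name, _, ver = m.group("software").partition("_")  # "OpenSSH_8.9p1" -> ("OpenSSH", "8.9p1")
        return name.lower(), parse_version(ver)
    m = HTTP_RE.match(banner)
    if m:
        return m.group("product").lower(), parse_version(m.group("version") or "")
    return None, None


def _older_than(version: Tuple[int, ...], floor: Tuple[int, ...]) -> bool:
    """Compare version tuples of unequal length by zero-padding, so (2, 4) equals (2, 4, 0)."""
    n = max(len(version), len(floor))
    return version + (0,) * (n - len(version)) < floor + (0,) * (n - len(floor))


def assess(banner: str) -> str:
    """Classify one banner. 'possibly-vulnerable' is a hypothesis only: distributions
    backport fixes without bumping the advertised version, so it must be confirmed by
    an intrusive check or the asset owner's patch records before it is reported."""
    product, version = fingerprint(banner)
    if product is None:
        return "unknown"
    floor = MINIMUM_PATCHED.get(product)
    if floor is None:
        return "no-rule"
    if version is None:
        return "version-hidden"  # banner suppressed; nothing to hypothesise from
    return "possibly-vulnerable" if _older_than(version, floor) else "likely-patched"


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Run assess() over a host->banner map; this loop is the whole non-intrusive test."""
    return {host: assess(b) for host, b in banners.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{host:<18} {SAMPLE_BANNERS[host]:<45} {verdict}")
```

Running it prints one verdict per host. The Ubuntu OpenSSH line is the cautionary case: Ubuntu ships 8.9p1 with security fixes backported, so an advertised version below the placeholder floor is a lead to verify, not a finding to report. That gap between a hypothesis and a confirmed exploitable weakness is exactly what the intrusive test closes, and why a non-intrusive report should label such items as unverified.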

The phases a pen tester follows are greatly influenced by their training and the client’s goals. Some pen testers rely on vendor guides and courses such as SANS training to gain the know-how behind pen testing. Ultimately, the ability to execute a thorough pen test that gathers useful intelligence for a client comes from a multitude of sources and experiences.

What happens after a Pen Test?

After a pen test, the findings are compiled into a report and delivered to the business. The report is typically used to help the organization understand the impact of a successful attack and its readiness to mitigate cyber threats. It also gives them a new perspective on their network, application and data security that they might not otherwise have discovered, enabling them to better protect the most critical assets and prioritize security spending.

For some, it can be difficult to justify paying for a pen test, but the short-term investment in reducing risk and the likelihood of a breach makes the expenditure worthwhile. Consulting a pen tester is the equivalent of going to a doctor despite feeling healthy: the doctor can run tests and detect concerns you are not yet aware of, or simply confirm you are healthy. In the same way, pen testers uncover unknown vulnerabilities. It is also worth noting that the severity of uncovered vulnerabilities can later help make the case for regular pen tests and provide evidence to support increased security investment in valuable assets.

In short, organizations can use a pen test to improve their security posture and business continuity plan, and to gain peace of mind in knowing what is exposed and what can be remediated. This additionally affirms client trust and improves an organization’s reputation. Furthermore, pen tests help determine the business impact of a real-world attack and thus empower an organization to better defend against attacks. As the consequences of breaches become a growing concern, many organizations are starting to recognize the importance of assessing their overall security before the attackers do.

Does your organization understand its current vulnerabilities and risk exposure? Silent Sector offers comprehensive pen testing and industry-specific reporting that tests not only your technical infrastructure but also your people and physical security controls. Call Silent Sector today to engage with our security specialists on how you can improve your security posture from the inside out and ultimately defend against the growing number of threats.


About the Author

Written by Haidon Storro

Cybersecurity Research & Content Manager, Silent Sector -- Haidon Storro is a Cyber Security Analyst for CVS Health. She has her BS in IT Cyber Security as well as security certifications such as CompTIA Security+ and an ISC2 credential. While Haidon is newer to the security community, she has dedicated herself to learning as much as she can through internships, online courses, and conventions like DefCon. In her free time, she enjoys reading about new advancements in technology, going to security meetups and participating in cyber defense competitions. One of Haidon’s goals is to make the connected world safer by bridging the human aspect with technology.