
Episode #21 - Penetration Tests: What You Need to Know (Part 2)

This week we take a deeper dive into the types of penetration testing. The guys discuss why it's important to consider the reason behind a penetration test and some different methods of testing to consider. The team compares white box vs. black box penetration tests. In addition, they cover options that companies can take in their testing initiatives, along with providing best practices for companies getting their first pen test.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe! 

Transcript

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cyber security programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cyber criminals. And now here's your hosts: Mike Rotondo, Zach Fuller and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez, and today we are continuing our mini series about penetration testing. Lots to talk about, it'll be a good episode. Mike, why don't you kick us off with the news?

Hey, greetings, how are you doing today, everybody? Headlines for today. I'm going with the FBI to start out with. The Internet Crime Complaint Center, which is affectionately known as IC3, received a record number of complaints from the American public in 2020, surprise surprise: 791,790, with reported losses exceeding 4.1 billion, that's with a B, dollars. This represents a 69% increase in total complaints from 2019. BEC, or business email compromise, schemes continue to be the costliest, with almost 20,000 complaints with adjusted loss of almost 2 billion. Phishing scams are also prominent, with 241,000 complaints, about 54 million in losses. Ransomware continues to rise, with 2,400 incidents reported in 2020, over the years, I'm sorry. And then finally, state and local governments also had a five percent increase in losses from 2019 to 2020; they lost over 1.8 billion. Crime is out there, be careful.

Cyber security bug hunting sparks enterprise confidence. We're going to kind of touch on this a little bit in today's podcast, but nearly three-quarters of IT professionals surveyed say they prefer to buy technology and services from vendors who are proactive about security. That includes pen tests, including leveraging ethical hacking and having transparent communications about vulnerabilities, but they believe less than half the vendors actually deliver. 74% say that ethical hacking, bug hunting, finding vulnerabilities is highly important. So if you're a software company, get a pen test, and there's a place called Silent Sector that does 'em. Anyway.

FBI: what type of scam is costing business the most? That is this new scam. It used to be you pretended to be the CFO and tell someone to transfer money; now they're doing tech support fraud. So you're getting a call from a bank saying you're from tech support, and they want you to go ahead and give them your password so you can log in and unlock your account. I got three of those emails today alone.

Microsoft fixes Office issues causing memory and disk space errors. Microsoft has addressed a known issue causing memory and disk-based errors when opening Word or Excel. This primarily hits the Microsoft Office apps from the Microsoft Store. There's a new, excuse me, ZHtrap botnet malware which deploys honeypots to find more targets. Basically this botnet is hunting down and transforming infected routers and network devices into honeypots and using them to find other targets to infect, and once it does, the insidious part is it blocks all other malware using whitelisting. So, interesting stuff. There's another banking trojan out called Metamorfo that started as a Latin American banking trojan back in 2018. It uses the legitimate binary used for creating shortcut keys in Windows to sneak malware past defenses. So careful out there. Top MSP challenges in 2021 are growth, remote working and DNS, so you may want to look into your new SASE programs. Microsoft Azure SDK site tricked into listing fake packages: a security researcher was able to add a counterfeit test package to the official list of Microsoft Azure SDK latest releases, so be careful what you're pulling down. From the justice files, the Tampa Twitter hacker agrees to three years in prison. You remember the guy that did the hundred thousand dollars of Bitcoin hack on Twitter? He's going to jail for three years. Is it really a hack if you work there and you have admin access? I don't know. Ah, I think theoretically, yeah, it's still... it's a rogue admin. But, you know, it couldn't happen to a nicer company like Twitter.

Security: the Linux kernel bugs that surfaced after 15 years. 15-year-old bugs are showing up that were found in the kernel code that implements iSCSI: there's CVE-2021-27365, CVE-2021-27363 and CVE-2021-27364, buffer overreads, buffer issues basically. Google fixes Chrome zero-day bug exploited in the wild, so more bugs for Google; update your Chrome. Chinese threat actors target global 5G operators. They believe these attackers are using a phishing website masquerading as the Huawei company career page, which transfers you to a domain under control of the threat actor where you're infected with malware, which the threat actor leverages to perform digital discovery and data collection. I don't know if we all noticed, but Microsoft had a massive outage on the 15th. Basically there was an issue with the rotation of signing keys and token validation issues. As Microsoft explained, the authentication and login issues behind yesterday's outage were caused by an error that affected the correct rotation of signing keys used for Azure AD's use of OpenID. I can tell you from personal experience talking to some people, they're still having issues with this. The four thousand dollar COVID-19 relief checks cloak Dridex malware. Cyber criminals have literally wasted no time. The new American Rescue Plan that just got passed, I don't think it was last week or whatever, is supposed to send out 1,400 checks to people. They're already sending out emails impersonating the IRS trying to get you to download the Dridex trojan. So be careful; they're just going to send the checks, you don't have to do anything. Twitter images can be abused to hide ZIP and MP3 files. Researcher David Buchanan attached example images to his tweets that include simple pictures but hide ZIP archives and MP3s. You just have to download and change the file extension, and then they contain the entire content of the file. So last but not least, check your Zoom settings under Personal and see what data centers you're leveraging. Apparently all of them are checked, and that includes China, Australia, Singapore. You may want to just use the US or, you know, some other place where you're from, but it may not be the best to route through China. That's the news, Lauro.

Yeah, thanks Mike. Thanks
Zoom, for not telling us we're being routed through whatever data center you feel like at any given time. So yeah, make sure you change that. From an exploit perspective, a couple of interesting things have dropped this week, especially around, and not specific to what they are, right? I mean, we're always going to kind of see the same amplification, bypass or injection, right? I mean, those are really kind of the main flaws in code that allow you some good caltrops that you can drop, right? And so I think what's more is the intent of the software that these exploits are targeting, and there's like 14 of them, towards specific 4G-connected security surveillance software made by KC Tech, Jayton Tech and Noatel. If you're running Soyal or KC Tech or Jayton, these are not US-based, these are not, I would say, A-quadrant technologies, but they're probably affordable technologies that you can obtain that do the same job as the A-level technologies. So there may be some companies here that are using these. LiquidWorm dropped quite a few, all kinds of the worst you can imagine, for this type of surveillance software. So if you're using those types of software, again KC Tech, Jayton, Noatel and Soyal, make sure you're looking at the versions, and you want to upgrade those to the most recent. And that's really all that's worth talking about from an exploit capability. It's not how vulnerable you are, it's how exploitable you are.

Yeah, you can have ten 10s on your scanner, but if they're not exploitable, what's the point?

Exactly, exactly. Excellent point. Well, speaking of which, that's where pen tests come in, isn't it? Today we'll talk a bit more, dive deeper into pen testing. Last week we talked about it at a high level and some of the things that we're seeing out there in the industry, and some are good, some are not so good, and some just are. So today we'll talk briefly about, and Mike, this touches on the article that you mentioned, basically companies want to see companies get pen tested, right? Their vendors. And I think that's probably the most common request that we get: an organization that maybe hasn't had a penetration test before, or hasn't had one recently, or maybe they are in a tempo and they're doing it annually or something like that. Either way, they need somebody to come in and do the pen test, largely in part because it's a request from their client, and so that's very, very common. And as such, your penetration test can either be a big asset for the organization or it can be a hindrance; it can actually make you look bad. So we talked a bit about some of the differences last week, but let's dive into some of the scoping considerations and some of the areas, if your organization has to get a penetration test. Not even, of course, as a best practice, you should be doing them anyway, but let's say a client wants one. What do you think they're going to be looking for out there? What types of things are they going to want in a penetration test?

Good question, Zach. There are a lot of expectations, I think, that you can get out of a penetration test. We can get into the details of what the report should look like, but I think in general you should be looking for the value that it provides you. You should be looking toward the methodology, and we'll get into that, right? But essentially the pen test should tell you what your risk and attack surface look like today for whatever target you pointed it at, and that's something also that we should talk about, right? But I mean, really, at the highest level, when you get that report, it should tell you what the risk is. And that's all going to depend on the type of pen test, right? The methods, what you paid for. If you did a code analysis, if you did a black box, you're going to get different results. There's going to be different data, but that data should all tell you a type of risk that you have for the attack surface it was looked at, and if there is something that is exploitable there that is worth, you know, going to be time, money, people, that sort of thing to resolve, or was it trivial items, right? And I think that's really what you're going to want. That's what I want out of it: I want to know what the risk state is. You know, when I have a home inspector come look at the house, I want to know what I'm going to have to fix after I buy it. I mean, I think that's probably the easiest analogy that I can provide: you should get some data out of it. And here's the other thing too: there's going to be times where you've been a proactive organization and you've done this over and over again, you've embedded lots of good cyber security practices and defense-in-depth methodology and this whole bit, and you need to pay for a penetration test, right? It's time for that, and you can pick whoever you want, and they're going to come at you with their tools and their manual techniques, and they may not find anything. If your infrastructure is configured to drop packets, you know, I think they're not going to be able to really obtain any usable place if you've got a lot of whitelisting. So that report may come back and say you've just done an outstanding job of providing a defense-in-depth strategy and protecting the attack surfaces that you have to put on the public-facing internet of things. And that's a good thing, right? It's like getting a gold star or an A-plus report, or, you know, getting a home inspection that doesn't have anything other than the faucet should be changed, which would just be an outstanding ordeal, and if you can live with the faucets that are there, you don't have to spend any money. That's a whole different conversation than there's termites in the foundation, you know, where it's going to cost lots of money and you may have to dedicate people or time. But the value is there if the information makes sense to the organization and gives you a sight of risk.

I think one of the other things that you want, and it's kind of you, is to show that you're remediating your risk, right? So if you have a pen test and then they find things, and then you have a follow-up test, you can show that, look, we have this risk, we identified it because we're proactive in our security, and then we fixed it, and here's the clean report. The other thing, going back to the report, I want to talk about is the difference between a manual report and an automated report. So Lauro, when you're talking about how you may find nothing in the test, well, with those automated scanners that kick out the report, you're going to see the happy birthday attack and the golden poodle attack and all these attacks that really mean nothing, right? So they're all going to be reported.

Yeah, they're all going to be reported.

As, you know, attacks and vulnerabilities, when in reality they're not exploitable. So you want to be concerned about what you're paying for, who's doing it, are they really paying attention to it, are you just getting some machine language without human interaction spit out onto paper that you then have to justify and explain? And that could in theory cause you to spend a lot of cycles chasing down something to fix that doesn't really need to be fixed. So we see that a lot.

Yeah, absolutely. And I think another thing is that a lot of people who don't have a background in this get caught up in the jargon and the terminology. So a lot of times we'll get somebody, they might have a tech background, but not in pen testing, not in cyber security, and they'll come and they say, hey, we need this tested. And sometimes they'll be sold certain things, what they need, and not really reality. So different people get asked about things like white box versus black box penetration testing, for example. Some organizations will tell me you need everything, you need everything from static code analysis to, you know, you need somebody there at your office doing wireless pen testing and such. And in some cases it's true, and in others it can be a bit exaggerated. So I think defining how you get the most bang for your buck can be tough. One of the things though that we tell people a lot of times: if you've never done any penetration testing before, a lot of times it makes sense to start with, if you're looking at say your network environment or even a web app, in some cases it might make sense to start with a black box penetration test. And what a black box pen test is, is basically an attack from an external attacker's perspective with very little information, almost no information, about the target. So they don't have any user credentials, they don't have your architecture diagrams or anything like that. They're just basically going after a specific IP or URL and looking at it that way. And so a lot of times I refer to that as a drive-by approach, right? And to do an initial round of testing, I think that's step number one anyway. So for organizations, especially that are on a budget and such, that can be a great place to start. Now, it's not going to reveal as much as a more in-depth pen test, but it's a good place to start. And then the opposite end of the spectrum would be a white box penetration test, right? And that's where the tester has complete information about the environment. They have the diagrams, they have user credentials, they probably even have the code base, and really can take a granular look at the program. And this can make more sense when you're looking at it from maybe potential insider threats, right? Large organizations, massive numbers of employees, might prefer to take that approach on a regular basis, but it doesn't necessarily make sense for everything. I think a lot of times in the web app space, at least, we do a lot of gray box testing, right? And that's basically a little bit of information, including some user credentials, to test the application. The reason why we recommend that is because there are so many stolen user credentials out there, available on the dark web and deep net, that they're easy to come by, and so many people are guilty of reusing their user credentials. The gray box application makes a lot of sense. So I just wanted to touch on those three because I know that is a common question people ask: what should we do? And, you know, really it comes down to speaking on a case-by-case basis, but at a high level, those are the approaches that you'll come across.

Well, so let's tie that back into what we were talking about in the B2B space, in that it's a money maker. Pen tests are actually a money maker, believe it or not. Your clients want the confidence to know that you're being tested, right? They want to know that you're proactive in your cyber security, and, you know, if you can show that someone come from outside your organization has gone through your application and tested it and torn it up, you have a great way of differentiating yourself from your competitors.
Yeah, I'd say that's the single most common request from, especially larger companies, of their vendors: when was your latest pen test and what was the scope of it? And they want to see that. You need to understand what was done.

Yeah, and usually I think it's safe to say that usually the organizations that we see that are asking for pen tests are for two reasons: they have a client that's requesting it, that's going to make them money if they get it and can show that it's good, or they're in a compliance initiative, again because of clients that are requiring this, right? Customers are requiring this type of compliance state that then requires annual or bi-annual or quarterly pen testing, right? And so again, it's a money driver. I mean, we seldom see organizations outside the Department of Defense just say, hey, we want to be as secure as possible. It's typically because they're being driven in some form by customers that are requiring that, right? Bigger organizations that may be requiring that level of assurance and confidence over the technologies, right?

And you need to match the quality of your penetration test to the sophistication of the customer. And we've been in those discussions with large enterprises after doing a pen test. They want to talk with the tester, they want to talk about the results, they have detailed questions, and if you have a big contract on the line, a big customer you're supporting, you have to be able to answer those; otherwise it undermines your credibility. So, and last week we talked about some of the kind of canned approaches, commoditized services and such. Those can be fine to kind of check a block and say you did it, but you need to be real careful when you're getting into discussion, because we see this regularly: they want to analyze what's really going on at a deeper level. Just having a penetration test, I think maybe a few years ago that was fairly standard, fairly acceptable. I think now, though, people are realizing that, hey, not all penetration tests are created equal, and they want to get more from a vendor vetting perspective, probably, than ever before. At least, in my opinion, that seems to be the way things are going.

Yeah. What about scoping? So you have this requirement for penetration testing. Might be compliance, maybe you are in fact proactive and it's best practice, or it's client driven. I mean, organizations of course have a lot of different pieces to their environment. Oftentimes we'll see they'll put all their focus on one part, but maybe we should touch on that briefly. You have, you know, internal network pen testing, external, wireless, you've got even things like physical intrusion testing, testing the physical security around the data protection, and then of course web applications, and we see it all. What would be your recommendation to an organization that maybe has all those things? I mean, right off the bat, let's say they've never done this before. Should they go out and get everything tested, or how would you help them to define the scope, assuming they're on limited resources?

A good question. I mean, I think, well, asking me is probably not fair, because I always want to say you should do everything upfront if you've never done it before. If you have the architecture to support all of the attack surfaces for wireless and intrusion, if you've got sensitive data on site, or other types of things on site that may warrant physical break-in, or just for your applications, I mean, I'd say do it all. However, that's not realistic for everybody, and I understand that. And so I think the tempo that we see that's successful is that you just kind of plan it out over a year, or maybe even two years, and you just chunk it out. You focus on, you know, I guess it just depends on where you feel you have the most risk. And I think that you can always ask us, right? I mean, if you approach Silent Sector, we'll take a look and listen to what you have and we'll give you our recommendation. But it really comes down to what you feel you are most concerned about from a risk perspective, and that's probably where your first target should be. If that's a web app, then make it that. If you have just some random person come in and build a wireless network for you inside, and you're in a building with a bunch of other businesses and you're just super worried that someone's just going to jump on the WLAN, I mean, you know, so it just depends. I think it's different for everybody, but you certainly don't have to get it all at once. But your goal should be to understand the entirety of the business's technology system and what the attack surface looks like, so you can shore those weak points up. We call that a cyber risk assessment, right, where we do everything: we look at the holistic electronic dependencies that you have, and throw in pen testing and threat hunting and the whole bit, and give you a good analysis of what your whole business, from an attack and risk perspective, looks like. So that should be the goal, I think, of any organization, but everybody has to abide by their budgets. And I think it was said best by somebody I know very well that big wars are won through little battles. So, you know, if you can get little wins, that's great. If you can get a web application tested, even though you have 40, if you can just get one tested and demonstrate that there were some misconfigurations there, whether they were exploitable or not, just to get something on the platter to serve up, to say that we're working on it, I think that's by far the best step that you can take. Wouldn't you agree, Mike?

I mean, yeah, I would 100% agree. You need to be making an effort and just start the proactive, you know, every journey starts with the first step. First step's a small pen test, then by God go with that.

Yeah, but if you can bite off the whole chunk, I mean, there's really, it's a matter of how soon do you want to know, right? I mean, that would be ideal.

But, you know, small businesses may not be able to do that.

That's true, they may not be able to. But, you know, I guess if there's a high stress consideration for data on site, or data in some form of technology that they're relying on, they may be concerned enough to do the whole thing. I think we've seen that happen, and it's certainly not common.

Yeah, and it's usually not the smaller organizations, the small B2Bs, that can do it. But we've also seen them be able to accomplish it over 12 to 18 months pretty easily as well, chunking it out. But yeah, I agree that
you can put it on your wish list. Maybe Santa will bring you a Silent Sector CRA for Christmas.

We've also seen them have to bite the bullet and do it because they've had, you know, a $500,000 deal hanging in the balance, right? So they've had to figure out how to do it. So yeah, all that, I mean, it's customer driven, like we were talking about, you know, from that article: it's 75% of all people want to see that you're being proactive, and that's not to discount, and we're not going to talk about this today very much, but I mean your whole cyber security program, your information security program, your privacy policy, your data handling policies and all these other things that need to dovetail in. But, you know, the pen test is a good place to start, because it shows you where your problems are from a technology perspective.

Yeah, the other stuff is easy to fix.

Yeah, I think, and with one of our programs specifically for B2B tech companies, we start with what we call the systems triage phase. It's part of our methodology, and going in, that includes some pen testing right off the bat, because we want to see what the cyber criminals are seeing, right? We want to be able to guide them in a remediation of that low-hanging fruit for the criminals, right? We want to get that out of the way first, because there's no use having that risk exposure out there, and that adds the benefit of having that done for clients and prospects that are requesting it as well. But yeah, it's an interesting thing. I think, you know, the final note that I would have on this would be that when you're looking at what to have penetration tested, a lot of companies just think about the data specifically, but for some organizations that may not be the most critical factor. It may be more the systems that keep them operational, right? Maybe they need to run certain systems 24/7 or something, you know. Some manufacturing plants, for example, may have various data sources and lots of backups and things like that, but if their production systems go down, they're losing revenue immediately. So think about that. It's not always the data; a lot of times it is the data, but think about the data, but also what you are required to keep operational, and then also think about your liability if a breach occurs, right? What service level agreements are you not going to be able to meet, or what data may get out there? Because those liabilities present a risk factor, that's a trailing risk after the breach occurs, that needs to be considered. So that would be my final thought on just a very high level overview. Maybe we can get into detailed scoping later on, but for today's purposes, any other thoughts, comments, smart remarks about pen testing?

Always remember, never forget your comments. I'm not sure how they smell, how smart they are. Yeah, it's just important to be proactive. That's the world we live in today, right? I mean, if you read the news, go to BleepingComputer, go to any of those news organizations out there, Krebs even, you just see how bad things are from a cyber perspective, and you really need to stay diligent. It's no longer, it's not that, you know, we're a small company, we don't have anything anybody wants to steal. It's now they want to steal your compute power, now they want to steal whatever they can from you, and you just have to stay diligent, and pen tests are key to that.

Absolutely. Yeah, my final thought is simply this: proactivity is necessary. Zero trust, even though it's not being talked about a lot, is happening. It's an evolutionary step: these organizations that have risked too much and spent too much money and worked too hard, they're not going to risk themselves on businesses that don't feel the same way about their technology systems. So it's unfortunate: you're going to get passed over, and they're going to spend more money on somebody else who does care. So it's evolve or... it's the age-old thing, right? You can be a dinosaur or you can turn into a primate.

Yep. And if you're paying for this stuff, if you're doing this stuff, you might as well use it as an asset to grow your revenue, to get a competitive advantage. In the future it'll be more standard, but now, like you said from that article based on those surveys, Mike, only half of companies are really delivering on this stuff. So, you know, chances are you have a good opportunity in your space to leverage these types of activities and get a good return on investment. So thank you for joining us today. Hope you're enjoying the mini series here on penetration testing. We have a lot more to talk about, so stay tuned in, and if you like podcasts, subscribe, rate us, check out the Cyber Rants book on Amazon, and we will see you next week. Take care, everybody.