Penetration Testers (aka pen testers) are an interesting group.
They see things from a different perspective than most people. For example, most people viewing the Mona Lisa painting in the Louvre in Paris would be thinking about the beauty of the picture – and possibly looking more closely at the colors and brushstrokes.
But a pen tester would likely be thinking something more like - “How could someone steal this painting and not get caught?”
They would be looking at the security present like armed guards, video cameras, and other devices, and considering how they could be evaded or disabled. They would almost certainly be thinking of all the security that wasn’t visible to them and how they may determine what those hidden security measures were so they could plan to avoid or deceive them.
Basically, pen testers are always looking for weaknesses they can exploit.
A Penetration Test is usually conducted to mimic what an attacker with malicious intent would do if they tried to gain unauthorized access to an organization's digital assets. A Pen Tester is someone that is trained and experienced in the tactics, techniques, and procedures (TTP) that cyber attackers use.
There is a long history of preparing military defenses by conducting exercises that mimic warfare. Scenarios are constructed and ‘war games’ are initiated by which a military can determine their level of readiness for a real attack.
Modern day penetration testing is performed for the same reason – to help organizations determine their level of readiness for a real cyber-attack. Over the last 60 years, penetration testing has evolved from being an ad-hoc activity engaged in by some thoughtful system administrators (also known as ‘hackers’), to becoming a professional discipline that takes years of experience to develop.
Today, pen testers are highly trained and motivated people that are paid very well to act like criminals, without being criminals. Their job is to find the weaknesses that are in almost every network, system, device or application, and use those weaknesses to exfiltrate data or plant a flag that would indicate they could modify or delete any data they want.
Pen testers act like the warning system to identify security gaps - before somebody else does.
While penetration testing has common methodologies and approaches, most experienced pen testers will adjust their approach if they notice they can bypass steps and achieve their goal with less work. While I mentioned they are professional, I didn't say they liked to spend time unnecessarily!
What are the things that pen testers look for that can provide us the opportunity to finish early, kick back and have that cocktail well before the bell whistles at the end of the day? The three easiest targets are:
Why is software updated?
If you look at the release notes for any operating system or application version, you will almost certainly find some security-related weakness that were fixed. So, it stands to reason if that fix hasn't been applied, then the system running the operating system or application that was not patched will be vulnerable in some way. This is why pen testers look for unpatched systems and applications. Automated scanning tools make it quite easy to identify these systems and will often provide specifics needed to take advantage of the vulnerability.
Most organizations know that patching is important, but they fail to have rigorous checks to ensure that all devices on the network are patched. Most applications that patch systems have flaws that end up reporting that all systems are patched, when in fact there are failures in the patch cycle. This is where ongoing vulnerability management shines. It can help to find those systems that the patching application thinks are up to date but are not.
Unfortunately, many organizations fail to conduct verification between patching applications and vulnerability management.
The verification process identifies gaps and ensures the reasons why the systems are not being patched are identified and resolved. If not resolved, incomplete patching creates a situation where there are always some systems that are not patched. A savvy pen tester knows if there is even one unpatched system then there is a good chance that the exploited system may give them further access and ultimately lead to full network compromise.
Most organizations that practice mature development instill a security culture in their development teams: developers are trained, they know what security requirements are relevant, they embrace secure design, and they understand how to securely deploy an application.
However, there are a large number of application development solutions created by smaller, ad-hoc groups within organizations, or hired as sub-contractors, that do not have these capabilities. These applications often have a substantial amount of high severity vulnerabilities. Pen testers know this and will immediately seek out such applications. It will only take an experienced pen tester a few minutes to determine if a web application was developed by a resource without a strong base of security knowledge.
Once that is determined, it is usually not long until serious vulnerabilities are identified and exploited.
Every system admin has the best of intentions, but tight timelines and heavy workloads can easily lead to situations in which default admin credentials are left in place for administrative consoles for various applications including those that enforce security controls.
The good news is that many vendors have started to eliminate default credentials and force administrators to set a password vs providing a default set that are intended to be changed. But you may be surprised how many of those get set to ‘admin/admin’, with the intention of later being changed to something more secure.
In many cases these administrative applications are hosted on non-standard network ports, so administrators are not always aware they are exposed. The other issue we see often is the gap between system administrators charged with supporting the operating systems, and application administrators that are responsible for the application running on a given system. Without good coordination between these administrators – there may be some system hardening that each of them assumes the other will attend to – some applications may be overlooked.
Most people think that a vulnerability scanner will identify these issues – but the truth is while they do test some default and blank passwords, there are so many different applications out there that many will go undetected by scanners which create vulnerability signatures for only the most popular applications used by their customers.
Pen testers are experts at finding these gaps and – when they do gain access to these administrative systems – can easily leverage their skills to gain even more access depending on the system compromised.
The final Weak Link- Humans
You may have noticed that the above discussion has focused on attacking networks, devices, and applications. But there is another ‘easy button’ for penetration testers that helps them jump into your network and gain access equivalent to one of your normal users. Social engineering, and specifically Phishing, has become one of the easiest ways for a remote attacker to gain access to an organization's digital assets.
The thing about humans is that, unlike patched systems, their behavior can be influenced by so many things: distraction, illness, overloaded work schedule, personal problems, and the list goes on. At any given minute of any day, there is no human that can’t be tricked.
Therefore, the security of the systems they use must include as many-layered defenses as is practical to ensure that even if they are tricked, further compromise is not possible. One of the single best defenses against Phishing attacks is the use of Multi-Factor Authentication (MFA). MFA can prevent access to resources even if a user ends up giving an attacker their credentials. This makes it very difficult for an attacker to exploit the credentials.
While credential stealing is not the only type of Phishing attack, it is by far the most prevalent and easiest to execute.
In closing, let me share a number of high-level items you can review to ensure your organization isn’t easily compromised by a pen tester or more importantly, a real attacker.
- Patch all systems in a timely manner. Create a policy to ensure high-risk vulnerabilities are patched quickly. Ensure there is a double check of vulnerability scanning to check that the patch management application is accurately reflecting patch status.
- Make sure all custom application development is done with a solid Secure Software Development Lifecycle and that all applications are penetration tested prior to deployment.
- Perform discovery on your network for all http/https services, identify management applications and ensure they do not allow default credentials or open access.
- Assume your users will be susceptible to some successful social engineering attacks and ensure there are overlapping controls to prevent further compromise if a user is tricked into giving out their user credentials or other critical information.
While your organization may be spending a lot of money, time, and personnel resources to establish strong security controls, don’t forget that penetration testing can help expose weaknesses that may not have been obvious when looking at the big picture.
Just remember that pen testers look at the world a little differently and that view may help you better secure your organization from the eventual attacks that every organization will be challenged with.
Download this helpful infographic to learn more about what
Pen Testers look for:
About Will Bechtel, Director, Technical Security Services
As Online's Director, Technical Security Services, Will manages our Technical Security Services team that performs hundreds of technical security assessments each year for over 100 different Clients.
Prior to coming to Online, Will held positions as the Director of Product Management for the Web Application Scanning and Malware Detection Service at Qualys, Application Security Practice Lead for AT&T's Security Consulting and Sr. Consulting Manager in the Application Security Practice for VeriSign's Global Security Consulting.
To contact Will or our Risk, Security, and Privacy team please email email@example.com.