S2 E12: The Essentials of Penetration Testing Part 1



Jordan Eisner: Welcome to Compliance Pointers. This is your host, Jordan Eisner.

I’m very excited today to be talking about the essentials of penetration testing, cyber testing, ethical hacking, called many different things.

But I’m joined today by the manager of our cyber practice group here, Matt Lawson, who’s got a pretty extensive background. For the last 10 years or so, he’s been pen testing himself, managing pen testing teams, and directing pen testing. Very experienced in that realm.

Prior to that, he had experience working for a FinTech organization. He worked in the public sector a little bit, and he was an IT technician in the Navy for a few years beforehand. So Matt, pleasure to have you on.

Matt Lawson: Absolutely. Thanks for having me here, Jordan.

Jordan Eisner: Sure. Today, as I already alluded to, we’re talking about penetration testing. I would say specifically what organizations need to know if they’re new to pen testing, which maybe isn’t a lot of companies, but maybe is. I think in our realm and where we’re talking with organizations, it’s a pretty known topic just because of what we do and who we typically interact with. But certainly small and medium-sized companies out there probably haven’t done pen testing, so I think this will be relevant for them as to who, what, why, when, where. But then even organizations that have done it.

Maybe sometimes just a reminder, some organizations I think just do it as a formality, maybe because of some compliance obligation or going through the motions or they did this before I got here, so now I do it now.

So we’ll get a little bit rudimentary, but I think that’s okay for people that even have been through pen testing. Let’s start with just a basic overview. What’s penetration testing? Why is it important?

Matt Lawson: Absolutely. Well, so this is one topic I love talking about. With penetration testing, it is a point-in-time security assessment of your infrastructure and your attack surface. That is the easiest way to put it.

Essentially, it is one of the next steps to your security maturity of being able to advance further in knowing what your vulnerabilities are, what risks you’re putting out there, what you’re willing to accept, and fixing the things that you can before those threat actors get in and actually target your business to go after it.

Many businesses lose money off of just generally, you would think easy wins that if they had known about the risk in the first place, they would have been able to plug that hole. Pen testing helps on that level.

Jordan Eisner: I like it. I think you asked pen testers, you get different answers on it. But I hadn’t heard it described that way before, but I like that. I think that’s pretty basic and good.

What are the areas within an organization? That was a high level. If I’m a company, what’s going to be tested? Break that down for us.

Matt Lawson: Hundred percent. This is going to depend on what type of company you are. However, all the different types are generally split up into these different engagement types.

You have network testing, which can include external network or internal network testing. What this means is the testers will attempt to access targets, hosts, desktops, computers, servers, anything like that at the network layer. Any services that are being displayed out on those network protocols are open for attack and they’re considered attack surface. That’s what we’ll be attacking on that side of things.

There’s also web application and mobile application testing. Web application, it’s going to be layer 7, a lot of the high level of the OSI model. You go to www.compliancepoint.com and that is my target. Everything that’s on that front end that a user would see through an Internet browser.

Same thing on the mobile application side. Generally, if you can download it from an App Store, there is an available jailbreak for every single mobile device. When they update and fix them, the general public will immediately update it right after. There are ways to test for how you can secure those mobile applications.

Just as well, there’s wireless network testing. This has to do a lot with proximity and APs. There’s a lot that’s included under that. You could do war driving, which is detecting the signal that’s coming off of maybe your central location building or office. There is also just attacking the APs directly or even intercepting authentication from users who are connecting to those wireless networks. There’s many different tactics for jumping into that.

Then one that’s very near and dear to my heart, one of my bread-and-butter specialties is social engineering. There are three types of social engineering, technically four, but three that have to be the most common would be phishing, which has to do with sending e-mails. I’m sure everybody’s gotten the e-mails where they want you to click and open up a PDF file. You’ve never even heard from this person before. The address looks like gobbledygook, just a random set of letters and numbers. This is a phish.

Generally, for organizations and businesses, there’s a lot more sophistication that goes into it, especially for spear phishing. When you have high-level C-suite executives that are displayed out on your About Us page for your company, that is definitely going to be one of the main targets and easy information to collect to set up for a phishing campaign.

Vishing has to do with the phone elicitation or phone calls that people would make. Cold calling, pretending to be an employee, and then trying to get an actual legitimate employee to provide them some level of access or some information that they could not get otherwise. Generally, this is done by trying to provide urgent action, or maybe, again, pretending to be a particular person that you’re not.

Finally, the physical side of things is probably as it sounds. This is where we do all of the USB drops, dead drops, we’ll tailgate. There are plenty of devices where we can intercept and clone RFID badges. There are even techniques to mimic the CAC cards that the military utilizes for access into their systems. That has to do with a bunch of different protocols. I won’t jump into the heavy details here on it, but it is possible and can be protected against.

Finally, one that’s maybe a bit less common is going to be that thick client or binary or platform testing. A lot of this is going to be direct to hard applications. You see it less common nowadays because there are a lot of protections built in. However, it was a lot more common back in the day. This is where you would generally get your buffer overflows and other ways to break directly into an application, compromise an application.

Nowadays, though, whenever building a new binary, we have what is called the software development lifecycle, which does help protect more and more against this type of attack.

A lot of information.

Jordan Eisner: No, but very good overview. I think I’m familiar with most of these, but I think a lot of times people think of network testing. Then nowadays, web apps, mobile apps, wireless testing. Things I think are very relevant.

Then social engineering is probably, that’s got to be the most common area that organizations are failing in real cyber instances.

Matt Lawson: You would actually be surprised. The people are probably the most vulnerable thing at a company, 100%.

Jordan Eisner: I think I read the time, 70% of, and stats right there thrown around all the time. Who knows what the real number is, but the thought is a large majority are some sort of human mistake that leads to the cyber incident.

Matt Lawson: Absolutely. It is the number one way to gain a foothold internally.

Jordan Eisner: The phishing has gotten, I know you said, it looks like a gobbledygook email and somebody never heard of, but over the course of the last few years, I’ve seen these get better and better and better and more sophisticated. I’ve been working in this industry, so I’ve been aware of it or at least more aware of it, I think than most. We hear CompliancePoint, we practice what we preach, we’ve got security awareness training, of course, and go through all that, but still some of them, I’ve had to really hesitate, I’ve had to forward some to our IS group. This looks too good. What’s going on here?

Matt Lawson: Somebody could spend two, three days building that campaign to get set up. Even if they send it out to a thousand people, if they fail on 999 of them, it’s still a success because they got that one person. That’s what makes it so important for that security awareness training.

Jordan Eisner: Yeah. You got phishing and then I love the word smishing too.

Matt Lawson: Yeah. That’s the one I did not talk about. Wonderful text messages. It’s the, hey, this is your boss. I need you to send me $100 in Apple gift cards of a denomination of $5. Please, quick. I’m in a meeting.

Jordan Eisner: Right. We’ve had some of those even here. I’ve had employees say, hey, is this person really texting me? Should I expect this? I won’t say who or what, but let’s just say somebody of authority, and when they text you, you pay attention, but then you also question it too at the same time. Also a sophisticated means of going about it.

Okay. It’s a good overview on the different areas and what pen testing is and why.

If an organization says, okay, we need to do that, we need to be tested, what do they need to look for? Is it something somebody can do internally? Do they need to find somebody externally to do this? Assuming that they do need to find somebody externally, given the level of expertise, some companies might have it internally, bigger ones, but I would assume most need to do it externally. Appreciate your thoughts on that, of course, but let’s say they do need to look externally. What would you recommend in terms of experience and credentials? A multi-part question, I guess.

Matt Lawson: Yeah. Hit me with everything all at once. No worries.

Well, so can an organization do this internally or externally? Yes, an organization can build its own internal pen test team. For larger businesses, this is the more common route as their infrastructure, their business, just everything becomes so complex. They need a dedicated group.

However, like I said, it can become very expensive, and you can generally find that same value with the external companies who focus on this. They are directly involved in this. They have a lot of leaders and experts who are involved in the community, and you’d be surprised. The offensive security community especially is very small across this industry. Everybody knows everybody.

With that being the case, businesses are probably better off, especially small businesses, medium businesses, in reaching out to a company such as CompliancePoint, for instance, and getting a pen test to go through them.

The reason is because they have the knowledge and understanding already. They have collected the appropriate experts there already, and they are focused on learning your environment custom and taking care of this issue.

Pen testing is not something that you do every day, all day for the entire year. It’s not a 365-day, everyday test. It is something you do want to focus on about twice a year. If you are really security-minded, I highly recommend quarterly testing.

With that being the case, having to engage that external company quarterly on those tests is perfect. Having that internal team for your company, that can be very difficult to maintain if you’re not prepared. Again, if you don’t have enough for them to test, it probably would not be worth it to them.

Now, the next set, what experience should they look for? Pen testing is not the beginning level of security. A lot of people will probably get angry at me for that and say I’m gatekeeping. But the reason why I say that is not to keep people out, it’s to make sure that there are appropriate foundations built. You have to know networking, you have to know some level of system administration, you have to know applications.

If you don’t know how to code, that’s okay, that can be taught. But you do need to understand that application layer. Once you know how to build it, then you know how to break it and put it back together. That’s a very important phrase.

The type of experience that you want to look for though, is going to generally be those who hold certifications that have provided practical experience for their education.

For instance, Offensive Security, the OSCP, you actually get in hands-on into labs and you’re performing exploitation. I’ll have to be careful about how I speak of it because they do keep a lot of that under wraps. But I will say they have a very robust lab that will teach you lots of different things, and then you take an actual exam, which is actually performing the pen test to get your certification.

Same thing with eLearn Security Certified Professional Penetration Tester, which is a mouthful I know. But certainly, that is also a great certification that provides practical experience.

There’s a lot of industry standards as well. SANS is a very well-known organization. They are like the gold star of our industry. They offer the GPEN, which is a very nice entry-level view into pen testing. You will do pen testing during the training.

Then of course, a lot of the newer stuff which provides practical is going to be Hack the Box. Hack the Box is great. If you are trying to get into cybersecurity as a whole, Hack the Box is a great place to learn both defense and offense, and they have certifications for all different kinds of things.

Testers can be really good at six months into doing their job. It really depends on how much dedication you as an offensive security professional want to put into it.

Jordan Eisner: Helpful.

Matt Lawson: There’s a lot there.

Jordan Eisner: In my time doing this, I think I’ve always just understood with pen testing that unless you’re in it, it’s going to be difficult to understand all the different steps. I think they need to unless you’re in it and you’re training, you’re working towards the right for somebody outside looking in like me. I think I get the concept, but beyond that, I’d be a fool to try and I think elaborate or expand on it. I think just even the way you answer some of these confirms that for me.

Matt Lawson: Well, you did highlight a good point, Jordan. It’s one thing I actually left out that really you just don’t get until you have experience in it. The most important thing that a pen tester can do is learn how to communicate the technical to non-technical folk. No offense, not saying you’re not.

Jordan Eisner: None taken. No, there’s a lot of value in that.

Matt Lawson: It’s soft skills, very difficult to teach. You just got to develop them as you go.

Jordan Eisner: All right, well, I think that’s a good place to wrap for this week. For our listeners, be on the lookout for part two of our pen testing conversation next week. Matt is going to go over how to create a scope that fits your business, what to include in your rules of engagement, and what to expect in your post-test report. That will be ready for the listeners next week.

Until then, if you have any further questions, feel free to reach out to us. As I always say, you can find us on our website. You can reach out to us at connect@compliancepoint.com. You can even schedule a call from our website. Reach out to me directly on LinkedIn, many different channels to reach out.

Thank you for listening.
