Many IT practices emerged as an adaptation of approaches from the industrial era. For example, safe manufacturers used to hire safecrackers to find weaknesses in their locks, and now companies are turning to hackers to identify vulnerabilities in corporate networks.
According to statistics, every minute $17,700 is lost to phishing attacks, and a whole trend has emerged as a result of this situation: ethical hacking, in which penetration testing is performed by third-party specialists. White hats conduct a series of penetration tests (or simply pentests) on an organization’s network, simulating various attacks and attacker actions. The result is a report detailing the security issues found and recommendations for fixing them.
Why do we need penetration tests?
Penetration testing is part of a comprehensive information security audit. During the audit, most of the organizational and technical information security measures are analyzed. Security system settings are checked, vulnerabilities in hardware firmware, system software, and user software are identified, and employee reactions to traditional tricks, including targeted phishing and sometimes physical access by unauthorized personnel, are examined. Together, these checks reveal weaknesses in an enterprise’s information security system. In general, penetration testing is far less expensive than data breach losses and remediation.
External testing of websites and computer systems kills two birds with one stone. First, such an independent assessment allows companies to avoid financial and reputational losses. Second, certain activities require proof of compliance with specific safety standards and legislation.
Why do online stores need tests?
Shocking news for business: sooner or later, there will be an attempt to “hack” you. And it’s not just competitors targeting new developments or attackers intent on blackmail. Any company could simply get hit by random carpet-bombing, such as phishing. Or yesterday’s school kids will find a zero-day vulnerability and not miss the opportunity to exploit it.
When testing, cybersecurity professionals use the same methods as hackers: attacks, hacks, password theft, phishing, viruses, and social engineering. Their goal is to find vulnerabilities and gain access to IT systems.
An excellent result is the failure of a pentest, indicating that the security systems are reliable. But if the security perimeter has been breached, the business owner receives a number of significant benefits.
First, the vulnerability was found before hackers discovered it. This means that there is time to “work on the bugs”.
Second, it identifies priorities for investment. It is not worth fixing what works. It is much more effective and cheaper to strengthen the weak points.
Third is the “dissenting opinion”. You can trust your IT people and use the most expensive software products. But this doesn’t guarantee 100% protection. There is always a chance that a vulnerability has been overlooked. The result of crash-testing your security system will either confirm the reliability and competence of your specialists or help you anticipate possible problems.
Example: Large company “A” decided to test their security system. Their business is in the B2B segment: selling goods to resellers – online stores that can order a bulk batch of goods and resell them on their resource by connecting to a special online platform.
The result of the pentest was full access to the database with logins and passwords of all the online stores of the service.
By getting hold of this information, the attackers could purchase equipment worth millions of rubles. Or withdraw the money from the accounts. And anti-fraud checks would be powerless in this situation. Having full access, a hacker could copy the reseller’s contact information and confirm almost any action!
How is the pentest performed?
A pentest is often conducted by a third-party organization to rule out collusion by its own employees and a “give-and-take” game. The penetration testing process mimics a real-world hacker attack and involves several steps:
- Gathering information about the target
- Application of social engineering
- Defining entry points into the network
- Detecting and exploiting vulnerabilities
- Privilege escalation on the system under attack
- Drafting of the report and recommendations
Typically, testing for vulnerabilities starts with the external network and then tests internal services.
On the one hand, pentests contain many typical procedures that can be automated to speed things up. On the other hand, every customer has its own peculiarities, which have to be taken into account when performing several manual checks.
The automated method is suitable for finding typical problems: known vulnerabilities, open ports, potentially dangerous and malicious programs, invalid access settings and services enabled by default that are not involved in real business processes. In short, it finds potential attack vectors.
Sometimes executives are tempted to forego a full-fledged pentest and use vulnerability scanners on their own. The problem is that configuring them requires appropriate skills, and the results must be verified by experts. Without that, the results will be uninformative and may contain false positives. Running the scanner with default settings will create a false sense of security.
That is why manual testing is usually used in the second stage of the test. It relies on professional experience and allows finding real problems from a long list of detected defects.