What’s the best way to protect your business against hackers? Many people believe the best plan is to use hackers’ own techniques to try to break into your company and its network. By rattling the doorknobs yourself, your company can better see where it is vulnerable and build protections to secure itself. The process, called penetration testing, is performed when a company hires white-hat (or ethical) hackers to do their best to break in. Companies can also use their own white-hat hacking team for pen testing.
Doing penetration testing, though, is a lot harder than it sounds. You need to decide what you want to test and why, hire the right people to do the test, properly prepare your company, have the test performed, and then use the results in the right way. This article explores the basics of penetration testing so you know what to expect and how to respond.
What is penetration testing?
Let’s start with defining what a penetration test is and does. Rohit Sharma, director of global marketing for EC-Council, a cybersecurity certification firm that provides a Certified Ethical Hacker program, says a penetration test “proactively identifies the threats and determines the probability of an attack on information assets. A comprehensive penetration test provides an assurance that the organization is operating within an acceptable limit of information security risks.”
Companies in some industries must comply with a variety of regulation and standards, such as HIPAA for healthcare records. Penetration testing helps ensure companies meet those standards, Sharma says.
Penetration testing “is an unauthorized look at what's exposed and what potentially could be broken into," says Ron Schlecht, founder and managing partner of BTB Security, a cybersecurity services firm. It's like a final exam. Imagine a company changed things in its security setup with the goal of beefing up its defenses, such as putting security controls in place. Then, says Schlecht, the company can do a penetration test "to get a real-world view of the types of potential exposures they may have.”
Schlecht emphasizes that the test is not comprehensive in that it examines every potential vulnerability. Instead, when you do a penetration test, you target a specific vulnerability or a group of vulnerabilities. He contrasts this to vulnerability or risk assessments, which look at an enterprise’s overall security on multiple fronts.
How penetration testing works
The key to successful penetration testing is proper preparation. Much of the most important work of penetration testing is carried out before the testers do their jobs. Those tasks are done by the enterprise IT department to determine the scope of work. The enterprise needs to determine what it wants tested and then clearly lay that out in the scope of work.
This can be very specific or quite general. For example, Schlecht says, when a company releases a new application or launches a new website, the security staff may want tests to see if it’s vulnerable. Other times, a company may ask penetration testers to try to break into the company's network by any means possible, including social engineering and probing the network for weak points. In some instances, he adds, enterprises may ask that ethical hackers try to break into their physical facilities.
James Stanger, chief technology evangelist for CompTIA, a nonprofit technology trade association that has a penetration testing certification program, notes that the scope varies dramatically according to the industry and the nature of the business. A manufacturing company may want its robots and control systems hacked, while an online retail company might ask testers to break into accounting and web ordering systems.
Once the scope is determined, the white-hat hackers get to work, during what Stanger calls the information-gathering phase: the actual penetration testing. The security testers use a variety of techniques.
“They use tools that have been out there for years or sometimes create their own tools,” Stanger says. “Sometimes they use spear-phishing and trick people into giving up their credentials. They also use other forms of social engineering. They might also logically hack a firewall, defeat encryption, or hijack web sessions.”
In many cases, Stanger says, the penetration testers are asked to get into an enterprise’s facility as well. “Sometimes they pick locks,” he explains. “Other times, the white-hat hackers tailgate behind legitimate employees and walk behind them into a facility, acting as if the testers have business there. Once inside, they might take a USB drive out of their pocket when no one is looking and install malware on the company’s systems. Or they may connect inside via Wi-Fi and attack the network that way.”
White-hat hackers might also find out an enterprise’s service providers and attack those connections as a way to hack into an enterprise network, Stanger says. “Right now, the majority of attacks are done through social engineering. Any good pen tester knows there are multiple ways to trick people.”
Given all that complexity, Stanger says, “getting access to a system can take hours and days. Then, it can take them days or weeks to effectively scan through a system.”
What to do after the tests are complete
Just doing the tests isn’t particularly helpful unless someone in the business knows what to do with the results. Some companies, Schlecht says, used to treat the tests as merely a check box that shows they take security seriously. But then no one acted based on the test findings. However, because cyberbreaches have become well-publicized, that’s largely a thing of the past, he adds.
Penetration testers frequently do more than report their results. They also hold debriefing sessions in which they provide deeper details, such as how long it took to break into certain systems or what tools were used. Based on all that, companies can revise their security practices.
Once the results are in, Schlecht recommends sharing the results inside the company widely.
“I’m a big fan of being as transparent as possible and sharing the results outside of just IT and security,” Schlecht says. “It makes people much more conscious of how their actions affect security and shows people that even something that seems very minor can lead to a very large breach.” The tests, he says, are particularly helpful in showing the extreme dangers in phishing attacks and other forms of social engineering.
When penetration testing goes bad
Experts emphasize that successful tests are well-planned and highly targeted. And the people whose systems are involved need to be clear about how and when the test will be done so that nothing goes awry.
If all this isn’t done, the consequences can be serious. For example, consider what happened when a penetration test went wrong at the Democratic National Committee (DNC) in the summer of 2018.
First, some background: The DNC had been compromised by Russian hackers from the GRU, the descendent of Russia's KGB, in the summer of 2016, and thousands of sensitive documents were stolen and later released through WikiLeaks in an attempt to affect the outcome of the 2016 presidential election.
Two years after that, in August 2018, the DNC went public with an announcement that it had just thwarted an attempt to hack into its voter files. A fake online site had been set up as part of a phishing attack in which there was an attempt to get DNC staff to give up their login credentials. The alleged break-in effort topped the U.S. news and was widely reported around the world.
It turned out, however, that there was no real hacking attempt. The Michigan Democratic Party had hired a group to perform penetration testing on the DNC. But it hadn’t bothered to tell the DNC about it. After DNC Chief Security Officer Bob Lord found out about the penetration test, he told the Washington Post, “I’m not interested in slowing down people who want to do legitimate and appropriate testing." But, he added, "if you’re building any sort of attack framework, white-hat testing, we need to be aware of that so we can factor that into our decision-making.”
The moral of the story: Plan your penetration testing carefully, make sure all the important stakeholders are involved, and alert anyone who needs to know the testing will be done.
Advice from the experts
Experts have several important pieces of advice for doing penetration testing. Schlecht says it’s important to first do a broad security vulnerability or risk assessment and try to plug every security hole. If you don’t first do that, he says, “a penetration test is almost a waste of time because somebody's going to be able to get in.” But if you do the test after the assessment, you’ll be able to close any remaining weaknesses that you overlooked during your risk assessment.
Next, make sure to clearly define the scope of your testing. Then, choose the right firm to do the testing, one that has long experience and can provide solid recommendations from companies that have already used its services. Also, check whether the firm specializes in the kind of testing you’re interested in. “A good penetration tester is not necessarily an expert in everything,” says Stanger, so choose one that has deep experience in the kind of testing work you want done. You may also want to check whether the company has penetration testing certifications from organizations such as CompTIA and EC-Council.
Finally, don’t ignore the results of the tests. Use them to harden your security, and make everyone in your organization aware of them.
Do all that, and you’ll go a long way toward securing your company’s systems and data. After all, it’s better to have white-hat hackers break into your systems today than to wait until black-hat hackers do it tomorrow.
Penetration testing: Lessons for leaders
- Do an enterprise-wide security assessment before doing penetration testing, and then home in on what you want tested.
- Carefully define the scope of penetration tests.
- Choose an experienced security firm with deep experience in the specific tests you want done.
- Share the results of the test widely in your organization, beyond IT and security staff.