For example, years ago everyone thought that if you were called a hacker you were a bad guy. Now, that’s not the case. With white hats, grey hats, and the like, many people these days hear the term hacker and know it isn’t always a bad thing.
That said, there are people who believe things like, “Pen testing will secure my organization or provide an adequate amount of security.” This is false. Pen testing will help to develop your security posture and increase your security level, but it is not the one thing you can rely on to secure your organization completely.
This article contains most of the common questions and concerns folks have about what is true and not true about pen testing. Keep these penetration testing myths in mind, but don’t consider them definitive. There’s always more to learn.
All forms of ethical hacking are the same
Many forms of security analysis take place. As a security professional, knowing which one to conduct at appropriate times is important to understand. Vulnerability assessments, for example, are used to check the status of systems to find and expose weaknesses.Pen testing is the act of actively trying to penetrate security defenses. This includes (and is not limited to) using any tool at your disposal to thwart the security in place to assess whether a vulnerability exists, and if so, whether it can be exploited.
An example would be a tool that checks to see whether you have an open port on a firewall. A pen test (and ethical hacking) is acting in a role to attack and penetrate that port and attempt to gain access, see what you can leverage from there, and continue in hopes of gaining access to valuable data or information.
Not all forms of ethical hacking are the same. Some are just to find vulnerabilities, other forms are to penetrate the systems, and other forms are to conduct full-scale APTs.
We can’t afford a pen tester
Although many company leaders and department heads believe they need to have security (and also fund it), they might not be aware of the value-add that a real pen tester can bring to their organization nor believe one is worth the cost. So, this myth really has two parts:- Pen testers do not bring value. A pen tester should be considered the highest level of security analyst you may have employed at your firm. An ethical hacker knows what black hat hackers know. Hackers (and other forms of attackers) is why you have an investment in security in the first place.A pen tester who can identify and prevent a major breach can save a company not only tangible assets and costs, but also intangible assets and costs such as reputation management. A bank that suffers a breach, for example, will likely lose customer’s trust and their business.
- Pen testers cost too much. Whether a company can afford one depends on how much that company is willing to lose in the case of a security incident. Hopefully, we can start to bridge the gap because there are ways to lower the costs of pen testing. Maybe train a trusted in-house employee (another IT team member) to use pen testing tools to solve security issues for you.
The important takeaway from this basic set of metrics is to see that the volume of attempts and penetrations are very, very high and growing. The correlation to the growing amount of records exposed can also be analyzed and quantified various ways, but it’s believed that because there is a focus on cybersecurity and penetration testing in the past 10-15 years, the amount of exposure isn’t always directly correlated to the volume of attempts.
We can’t trust a pen tester
Some companies are so worried about their sensitive data (secrets, salaries, plans, and so on) that they do not want anyone involved even for the purpose of checking their security. Healthcare organizations especially might be wary because if patient-related information is exposed, that organization is legally liable.Unfortunately, you can’t apply security without giving in to a small amount of vulnerability, but companies need to be smart about it:
- To do nothing is unwise; to test is smart. The trick is to find someone who can do the pen testing and who the company trusts. Anyone responsible for hiring a pen tester must explore whether the company has a trusted IT professional in the organization who could be groomed for pen testing.
If that person is you, consider shopping your skills to your organization’s leaders to let them know you’re interested in that role.
- An interview process is necessary to reveal the best candidate. This process should include an extensive background check that looks into financial standings, substance use, and credit standing. If a candidate “passes” these tests, that’s good because things like this are clear markers that the person is indeed trustworthy.
- Audits can help. An audit process checks the pen tester’s work to make sure no wrongdoing took place. This can include spot checking logs, reviewing pen test results, and doing a follow-up with those conducting the tests to validate results. This can help bring peace of mind to those you are vetting or are new to the team.
We don’t trust penetration testing tools
Beyond building the trust for those conducting a pen test, you must also be comfortable using the toolkit and the tools you build, install, and maintain. This comes in the form of getting reputable tools that are free from malware or are not malware themselves. (Some tools can contain Trojan horse programs that can take over your machine.)Another concern is that the lack of knowledge in using the tools could create bigger problems by causing a production outage. If a new pen tester (and even a more experienced one) makes a change or uses a tool that somehow has a side effect, it could create more problems than the ones you’re trying to identify.
Another concern is about the actual tools themselves being fully operational and free of bugs (problematic software). This is why it’s the choice of some elite pen testers to use industry supported tools that are free of bugs or are fixed when found. Because of this, I suggest using vendor supported tools.
Vendor-based tools are the best option for new pen testers to be trusting of their toolkit. Tools such as Wireshark, Nessus, and Nmap are maintained and kept up to date. The following image shows how Wireshark is maintained by the vendor. It includes updates, new versions, and bug updates.
There are new builds, patches, and a support network built into these tools. I would say that if you download a sketchy application off the internet to use in your toolkit, properly virus-scanning it prior to using it may help to reduce you infecting yourself or company with a Trojan horse (as an example).
If you’re afraid to use a tool because you’re uncertain of its output, then set up tests and test labs and get comfortable with the tools prior to using them. If you know that tools run a ping sweep and you can control the output of it (such as in Nmap), then you may want to start small and build up from there to see in a controlled environment what it will do to your systems. After you start to build up your confidence and trust, you will be more comfortable using the tools.
Penetration tests are not done often
Pen tests are done all the time. You have to consider the changes in technology, and the dependence on technology that brings more and more of it to the forefront of today’s companies. As more devices get connected (think IoT), the more testing will need to take place.The truth is that scanning and testing is a rinse and repeat function. Some big enterprises will create a program in their security operations teams where pen testing is conducted often and usually on a schedule. This is good because the hackers don’t operate on a schedule — they are a constant. You should be a constant, too, as well as your pen test program.
A schedule ensures that pen tests are part of your overall security program. The image below shows a listing of what would be a normal grouping of security functions, tests, and tasks that take place for an organization. Having your pen test as part of and incorporated into a general security program makes sure that it’s always part of the plan of testing. Pen tests can also be done ad hoc as the need arises.
This is similar to the myth that pen tests are good for a period of time. In the spirit of trying to manage an operation, a program or work efforts, leaders may want to believe that by conducting a pen test (and a thorough one at that), they’re somehow safe and don’t need to conduct a pen test for a period of time.
Somehow the reports showed that there is no issues or the issues found have been corrected or being monitored. This is a big misconception. The minute the pen test has been concluded, it is already out of date.Penetration tests are only for technical systems
Another constant that should be emphasized is the concepts of defense in depth and the need to think outside of the box. Pen tests are very much technical in nature because they’re trying to thwart the security of technology assets.Technology assets can be thwarted and made vulnerable, however, by other than technical means; the two most common being these:
- Physical security: If a criminal can bypass all firewalls and IDS systems by simply walking into the data center where all the crucial data is hosted and use a thumb drive to snatch data off a server, you’ve invested a lot of money into something that has been easily bypassed.
What is important about this scenario is that it’s common and something you should be considering in your organizations.
It’s easy to focus on information technology systems such as computers and infrastructure such as routers, switches, and other networked devices. But you can’t forget about physical security; it can also be highly technical. Think of any IoT enabled, network connected and software driven devices. Security cameras, doorbell cameras, and other security devices all fall under your scope, too.
- Social engineering: Pen testers don’t need to crack your passwords using tools like Kali if they can just call you and trick you into giving them to me. Social engineering is easier, quicker, and leaves less of a footprint to be caught with.
Contractors can’t make great pen testers
A big point of confusion for anyone looking to enhance their security is, do you use in-house resources or outsource to a contractor? Many believe that contractors come from outside of their networks and do not possess the internal knowledge needed to get around their systems and conduct a fair and thorough assessment. This couldn’t be farther from the truth.In-house resources will know the internal network and systems well, but contractors can conduct the same exercises as in-house teams without much difference. If a contractor is given access to the network the same way an in-house resource is, the test will be the same.
The benefit to bringing an outside resource (if even to conduct a yearly pen test) is that they don’t know your network. If they’re able to penetrate it, they have simulated what a hacker would do, which would be to probe, test, map, identify, and attempt to gain access to resources they aren’t aware of.
Penetration test toolkits must be standardized
In some cases, the standardization of IT assets, systems, programs, tools, and software is a must to remain compliant and have well documented solutions available, but this is not so with pen test tools.The pen tester toolkit will be made by pen testers who use what they need. They may need to keep older tools around for functionality reasons. They may opt to use a different type of packet sniffer because they’re more comfortable automating it. There may be cost reasons why some open source software is used instead of costly vendor solutions.
Regardless, whatever you use as a pen tester, you have to manage your own tools and toolkit and the important rule to follow is that you need to make sure you don’t wind up a victim yourself. Make sure you take care of your toolkit and keep it safe and updated. If you do that, you don’t have to worry about following an IT standard for tools and usage. Your company might mandate something, but as an independent pen tester you should consider using your own tools and what you know works best.
Penetration testing itself is a myth and unnecessary
Hopefully everything you have read in this book has shown you that this is completely untrue. You might find outdated IT processes or workflows that need to be made more efficient or removed completely. You might start to think this way about everything you do and wonder whether pen testing is even needed, doing what you intend it to do, and serving a purpose that provides value.The return on investment (ROI) of pen testing should be measured to show that the costs associated are warranted. The problem with this thinking is when you’re doing a great job keeping all the holes closed because of pen testing. You’re keeping the threats in check, and so others might think there is no threat.
This is why reporting is important in pen testing. To show the actual data points, the metrics and the security applied through reporting, you can show that the investments made are in fact very critical to the security of the information kept on the systems by the company that wants it to be secure.