PENETRATION TESTING 101
Ethical hackers use penetration testing, or “pentesting,” to test the security measures of computer systems. Pentesters will use all the tricks of the hacking trade to try and breach the networks of their clients. They then advise on how to make them safer.
WHY IS IT USEFUL?
Organizations often have very complicated computer networks. And their in-house IT experts often don’t have experience with actual hacking. Hackers are at an advantage because they only need to win one attack while the target has to win every defense. Because pentesters know how hackers think and operate, they have a better chance of detecting vulnerabilities.
HOW DOES IT WORK?
Pentests can be anywhere from mild to extreme. An organization may just want its web apps or a specific portion of its software to be tested, and would consider everything else “out of scope” (forbidden from hacking attempts by the pentesters). Another organization may want a more thorough investigation, which might involve malicious targeted surveillance, long-term keylogging, the planting of bugs, or in-person surveillance of a client’s office.
Some of the more novel pentester ploys include dressing up as a janitor and requesting access to a computer room, following employees of a company to the local bar to extract information from them, and shutting down an office’s Wi-Fi so employees are forced to use an insecure connection in a neighboring café.
When techniques like these are combined it’s known as “red teaming,” a highly intrusive operations in which pentesters act like the enemy in every possible way. RedTeam Security explains:
“The objective of a red team test is to obtain a realistic level of risk and vulnerabilities against your technology, people and physical/facilities.
- Technology — Networks, applications, routers, switches, appliances, etc.
- People — Staff, independent contractors, departments, business partners, etc.
- Physical — Offices, warehouses, substations, data centers, buildings, etc.”
Check out one of their red teaming projects in action here.
During the pentest, logs of every action are carefully kept so that a final report can be delivered. The report contains an assessment of how at risk the client is to different threats. Some reports can be scary for the client: They may learn that they’ve been hacked in the past, or that a hacker is sitting in their network at present. Sensitive/personal data may also be uncovered. That’s why it’s crucial to establish trust between the client and the tester.
WHO ELSE DOES IT HELP?
You may not think it, but having a pentest increases security for everyone else. Pentesters may discover new attack methods that others may also be vulnerable to. Every pentest makes the testers themselves smarter. The more systems they investigate, the more viruses can be patched and vulnerabilities overcome.
Hackers can be a force for good. They're often hired by companies and governments to assess security risks and potential vulnerabilities in networks.