Pen testing for businesses can help stop hackers before they start

Carl Mazzanti

Businesses typically try to take steps to defend their digital networks, but many organizations discover their weak points the hard way: when they get slammed with a full-court cyber-attack. The aftermath of a successful hack is not pretty: the direct costs of repairing a breach and settling liability claims from affected customers can cripple a company, while the indirect costs associated with reputational damage and loss of client confidence can reverberate for years to come.

And the pace of attack activity is on the rise, with published reports indicating that the number of ransomware attacks alone surged by 13% in 2022, a jump that equals the last five years combined.

But instead of waiting for an attack and then scrambling to put an organization back together, companies are increasingly utilizing penetration testing to identify cyber-defense weaknesses and stress points ahead of time, under controlled conditions.

A penetration test, or Pen Test, involves a simulated attack staged by a Cyber Security team that can proactively identify and address vulnerabilities before hackers can exploit them. Penetration testing can deliver several key benefits, including providing a clear picture of a company’s security stance from the perspective of a motivated attacker. A Pen Test can go beyond identifying vulnerabilities; it can also determine the level of risk involved in a breach of specific systems. With this information, the organization can prioritize risk and develop an effective Cyber Security plan.

Depending on the type of organization and its specific business needs, a Cyber Security Services provider may offer different types of penetration testing with various methods and objectives. In an external penetration test, for example, the ethical hacker will attempt to breach security through such outward-facing technology as websites or external servers. In contrast, during an internal penetration test, the tester will attack through the organization’s inside network. This mode can uncover the types of damage an unhappy employee or a hacker with stolen credentials could cause.

Additional types of tests include attacks through social engineering or IoT (Internet of Things) devices. Some organizations may also commission a “red team attack,” where penetration testers employ a multi-layered assault simulation that simultaneously measures the effectiveness of network and application security, human security awareness, and physical security.

A penetration test typically includes five phases:

  • Reconnaissance – During the first phase of the test, the “white hat attackers” will gather detailed information about the target system. This stage includes using network scanning tools to identify open ports, running services, and other access points, and scanning for known vulnerabilities in the system. The testers may also comb through publicly available information, including social media accounts, company websites, and other public domains, to identify usernames and information that may help them to crack logins or passwords and otherwise defeat existing defenses.
  • Gaining access – Once they create a detailed map of the organization’s system and gain a deep understanding of its vulnerabilities, the ethical testers will use various techniques to gain unauthorized access. This stage may involve a combination of social engineering, exploitation of software vulnerabilities, and password cracking.
  • Once the ethical attackers are inside a system, they will focus on digging deeper by collecting data like privileged information or credentials that may enable them to expand their control. This could include “privilege escalation” (elevated rights, permissions, entitlements, or privileges beyond what is normally assigned for the user) in addition to creating “back doors” that may enable an attacker to return to the system at a later point and continue to move deeper, capturing even more layers of sensitive data. During this phase, the testers will mimic a malicious attacker and cover their tracks by disabling security controls, clearing logs, and taking other steps to hinder the efforts of security personnel to detect their presence.
  • Following the staged penetration, the testers should create and deliver a prioritized list of security issues they discovered, along with a step-by-step description of how to replicate the process, and detailed reports on weak and reused credentials.
  • Finally, based on the results of the test, the IT Security provider will suggest strategies for improvement.

Organizations should conduct penetration testing regularly, at a minimum annually. However, after any significant change to an organization, including infrastructure or application upgrades, new offices, or changes to assets and services, they should undergo a new Pen Test.

An experienced IT security consultant should have years of penetration tests under their belt and be able to document the use of an advanced penetration testing framework in addition to expertise in manual penetration methodology. Consulting organizations that use both automated scanning and manual testing should be able to replicate the attacker mindset and highlight weaknesses while developing and implementing security strategies specifically designed to optimize a company’s investment, providing tailored protection against threat actors.

Businesses that work with a Cyber Security consultant to periodically run comprehensive penetration tests are less likely to suffer the kind of unpleasant wake-up call that comes with a serious cyber incident.

Carl Mazzanti is president of eMazzanti Technologies in Hoboken, N.J., providing IT consulting services for businesses ranging from home offices to multinational corporations.
