To keep your company safe from hackers, you have to be able to think like a hacker. That means that you might consider subjecting your network and systems to a pen test. A pen test, or penetration test, is a simulated cyberattack against your devices and systems conducted by ethical hackers to reveal any vulnerabilities and develop a strategy to mitigate those risks. Ultimately, pen tests help you see whether the security measures you have in place are enough to protect your organization from potential cybersecurity threats.
What Happens in a Pen Test
Ethical hackers will use different methods in their ‘tool kit’ to breach the system. Mark Wharton, a certified ethical hacker with Secure Data Technologies, described different methods an ethical hacker might use to test your systems, thus revealing your weaknesses for exploitation:
- Information gathering- getting as much information as possible to get into the system
- Password and wireless attacks- using the WIFI or a user’s password to get into the system
- Reverse engineering- taking apart the block or program to find any vulnerabilities
Once they’ve tested your virtual fences, the ethical hacker will make a plan to breach the system after gathering intelligence and begin trying to find ways into the system. They look through the code for backdoors or holes in security and then try to exploit these vulnerabilities by inflicting (temporary) damage. This can include anything from escalating privileges to stealing data. The ethical hacker also needs to see how long they can maintain the access they gained. Once complete, the ethical hacker compiles a report for the client, detailing the vulnerabilities and suggestions on how to patch them. Pen tests should be conducted on a yearly basis or whenever new software or programs are being rolled out. There are multiple ways to do a pen test, but we will be focusing on external and internal pen testing.
External Pen Testing
External pen testing is a planned cyberattack on your systems by a third party. Ethical hackers mimic the actions of an actual threat as they try to find any way into your servers. They do this through public domains, like your webpage, emails, or your company’s web application. They might even go to employee social media pages in search of information to synthesize a social engineering attack. Ethical hackers will also use other means of getting in, such as password testing.
Another method utilized in a pen test is sending a phishing email to someone within the organization to see whether they can recognize the hallmarks of a phishing attempt. Human interaction has a large part in hacking; social engineering is one-way human error can cause problems for your organization. Social engineering, as described by Wharton, is this: “I want something from you, so I am going to craft my response so I can elicit information from you.”
Internal Pen Testing
Internal pen testing is done by someone familiar with the organization’s network. Their job is to find vulnerabilities inside the network to gain administrator access to exploit the system and get to sensitive documents and data. Once they’ve achieved this goal, they then cover their tracks by clearing any traces that they were there. Without the obstacle of a firewall in their way, they can move faster than an ethical hacker performing an external pen test.
Another aspect of a pen tester’s responsibilities is to do internal testing on external vulnerabilities. Ethical hackers test the firewall, the ports, and the employee passwords for any exploitable weakness. A good reason to conduct an internal pen test is to prepare for an internal attack. It should be noted that an internal attack does not always mean a rogue employee. These attacks can be carried out by anyone who knows the system well enough or has access to it through passwords.
Internal and external pen testing both do the same thing in wildly different ways. Pen testing is used to see how well an organization would do against a cyberattack. Whether it be an internal cyberattack or an external one, organizations that conduct a pen test know that preparation is key in keeping their valuable data safe. Finding reputable companies, such as Secure Data Technologies, to conduct a Security Assessment will make that job even easier.