Penetration Testing Basics
In this cybersecurity basics article, we sat down with Jun Yano, a manager at NRI SecureTechnologies, Ltd., who has been conducting penetration tests for organizations around the globe for more than 15 years. The goal of this interview was to get a better basic understanding of penetration testing, some of the tools that are used, and the job of being a pen-tester.
Let’s start off by asking, what exactly does a Penetration Tester do?
We conduct cyber-attack simulations in order to determine if a customer’s system, network, or web application has any vulnerabilities or misconfigurations which have the possibility of being attacked and potentially causing serious problems - for example, if their customers’ information were leaked.
After the penetration testing is conducted, a penetration tester will create a detailed report that includes information on any vulnerabilities as well as the recommended next steps in order to fix the problem. This will allow the customer to remediate the vulnerabilities quickly in order to prevent them from being compromised in the event of an actual attack.
Nowadays, the time-span between new vulnerabilities being discovered and being attacked is getting shorter and shorter. So, there’s a real advantage in knowing about potential problems ahead of time and getting any vulnerability remediation that’s required done as soon as possible.
What is the difference between a penetration test and a vulnerability assessment?
A vulnerability assessment is used for initial discovery and listing of vulnerabilities. On the other hand, a penetration test goes a step further and attacks the vulnerabilities to determine the actual degree to which they could be exploited. For companies in the PCI (Payment Card Industry), vulnerability assessments are supposed to be conducted once a quarter, but penetration testing is required to take place once a year.
How is a penetration test performed?
Of course there are a lot of details on how exactly everything is done, but at a basic level you can look at most penetration tests as having around 5 individual stages: Reconnaissance, Scanning, Vulnerability Checking, the actual Penetration Test, and the Report.
Reconnaissance is conducted as the first step in penetration testing. In this step, preliminary company information such as email addresses, website footprint, and IP addresses are some of the types of information that we gather. This manual first step is necessary to understand a customer’s attack surface beforehand and determine what kind of things an attacker could find doing their own reconnaissance during an actual attack.
Once we have the information from the reconnaissance stage, scanning can be performed to gather even more details. Examples of this could be things like IP addresses or what contents the customer’s website provides.
After the scanning is completed, a penetration tester would work using the results to determine if the customer’s website or services running on specific ports have any vulnerabilities that could potentially be exploited during an attack.
After any vulnerabilities have been discovered and researched, we would then carry out the manual penetration testing. NRI Secure always assigns two separate penetration testers to each project. This is the stage of the process that should actually clarify whether the vulnerabilities have the potential to be attacked by a hacker. In the course of carrying out the penetration test, the pen-testers would prepare a narrative and start the processes to go along with it. The narrative basically includes how we will approach the vulnerabilities.
Finally, all of the information we gather from the penetration test is summarized with recommendations and next steps and submitted as a report.
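As an added illustration of the hand-off from the scanning stage to the vulnerability-checking and report stages described above (example code written for this article, not the interviewee’s or NRI Secure’s own tooling): it parses a constructed Nmap XML result into the list of reachable services that a tester would review, flagging services that normally should not be internet-facing so they appear first in the report. The sample XML, host name, addresses and the review list are all constructed assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed sample in Nmap's XML output format (not a real scan; host, addresses and ports are made up).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.test" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Services that normally should not be exposed to the internet; an open one is flagged
# for the vulnerability-checking stage and the report. The list is an assumption for this example.
REVIEW_SERVICES = {"mysql", "ms-sql-s", "ms-wbt-server", "telnet", "microsoft-ds", "netbios-ssn"}

def parse_open_services(xml_text):
    """Return one dict per open port on each live host: host, ip, port, protocol, service, banner, needs_review."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        name = hn.get("name") if hn is not None else ip
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue   # closed/filtered ports are not part of the reachable attack surface
            svc = port.find("service")
            service = svc.get("name", "unknown") if svc is not None else "unknown"
            banner = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            findings.append({"host": name, "ip": ip, "port": int(port.get("portid")),
                             "protocol": port.get("protocol"), "service": service,
                             "banner": banner, "needs_review": service in REVIEW_SERVICES})
    return findings

def report_lines(findings):
    """Plain-text summary for the report stage: flagged services first, then by port number."""
    ordered = sorted(findings, key=lambda f: (not f["needs_review"], f["port"]))
    return [f"{'[REVIEW] ' if f['needs_review'] else ''}{f['host']} ({f['ip']}) "
            f"{f['port']}/{f['protocol']} {f['service']} {f['banner']}".rstrip() for f in ordered]

if __name__ == "__main__":
    print("\n".join(report_lines(parse_open_services(SAMPLE_NMAP_XML))))
```

Only the open ports survive into the findings, so the closed 443/tcp entry never reaches the report.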
What are some of the tools that are used during a penetration test?
There are tons of tools that have been developed and are used in penetration tests. The tools can roughly be divided into two groups. One group is for network and OS targeting, while the other group is more for Web applications that have either been created by vendors or developed by individuals. As I mentioned, there are a great many tools that get used, but here are some of the more popular ones.
In the first group of tools, used for targeting the network and OS, some examples would be:
- Maltego is one of the most familiar tools used in the reconnaissance stage. This proprietary software is effective and efficient at gathering open-source information and intelligence. The software can search through the results of Google searches and Whois databases and visualize the information in a graph format.
- Nmap is extremely well known as a security scanner that can be used to discover hosts and services on a computer network and is used during the scanning process.
- Nessus and OpenVAS are popular proprietary vulnerability scanners. They are effective to use during the initial scan for vulnerabilities.
- Metasploit can be used during the penetration test and has a lot of prebuilt exploits. It also provides information about vulnerabilities which can further aid in penetration testing.
As for the tools that can be used for web applications:
- Burp Suite is a graphical tool often used for testing Web application security. This tool is often preferred by professional users.
- Vex (UB Secure), AppScan, and WebInspect can all play a similar role; these tools are very integrated, so they are easier for beginners, and application developers tend to use them.
Why is penetration testing important?
There are many different regulations and best practices that call for regular pen-tests, but beyond those, according to NRI Secure Insight, the rate of companies experiencing security incidents in the US in 2016 is more than 80%. Besides, the IT industry is drastically changing and growing; IoT is one example accelerating the increasing need for effective cybersecurity.
NRI SecureTechnologies, Ltd. Contact : email@example.com