“We have a problem here…” said the voice on the phone. Our customer hired us to test their computer systems for vulnerabilities…and we had just found a big one.
Our testing had uncovered a serious bug in the customer’s firewall. This bug crashed the network, knocking the whole company offline. The bug was similar to the recent CrowdStrike flaw, but on a vastly smaller scale.
After a tense 30 minutes, we got the customer’s network back online. Our customer was appalled that in years of testing, nobody had thought to attack the firewall protecting the network. We did, because that is what a black hat hacker might do.
Penetration testing, or “white hat” hacking, attempts to exploit weaknesses in systems, applications, or networks to determine how vulnerable the organization is to a data breach. The idea is for the “white hat” hackers (good guys) to find the flaws before “black hat” hackers (bad guys) do. For our customer, the test revealed a serious flaw in their network that they patched quickly, preventing another disaster.
Penetration testing is a vital part of building a secure environment, but it is not without risks. I did “white hat hacking” for years. Before you hire a penetration tester, here are some important issues to consider.
Risk is unavoidable
It is impossible to predict how systems may react to penetration testing. As was the case with our customer, an unknown flaw or misconfiguration can lead to catastrophic results.
Skilled penetration testers usually can anticipate such issues. However, even the best white hats are imperfect. It is better to discover these flaws during a controlled test than during a data breach. While performing tests, keep IT support staff available to respond to disruptions. Furthermore, do not be alarmed if your penetration testing provider asks you to sign an agreement that releases them from any liability due to testing. The whole point of a test is to see what breaks. It is unreasonable to expect a penetration testing provider to shoulder the expense and liability of an outage or data loss caused by testing.
Hacking the void
Black hat hackers will attack anything and everything they can. Consequently, penetration tests must test everything. If parts of your network are excluded or systems are turned off, testers cannot assess their security. If you cannot test everything, then define a generous sample set that encompasses every possible type of system, application, and network you control. Likewise, testers cannot test something they cannot access. Testers will need access to all parts of the network to make the tests valid.
Path of least resistance
Black hats will generally follow the path of least resistance to break into systems. This means they will use well-known vulnerabilities they are confident they can exploit. Some hackers are still using ancient vulnerabilities, such as SQL injection, which date back to 1995. They use these because they work. It is uncommon for black hats to use unknown or “zero-day” exploits. These are reserved for high-value targets, such as government, military, or critical infrastructure.
It is not feasible for white hats to test every possible way to exploit a system. Rather, they should focus on a broad set of commonly used exploits. Lastly, not every vulnerability is dangerous. A good white hat hacker will rank vulnerabilities based on how easy they are to exploit. Exotic or complex attacks may be interesting, but they consume time and can distract your team from the more mundane vulnerabilities, which are the ones more likely to be exploited.
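The passage above names SQL injection as the kind of old, well-known weakness that black hats keep using because it works, and that testers should therefore look for first. The following is an added example, not code from the article or its author, showing the classic flaw beside the fix a tester would recommend. It uses Python's standard sqlite3 module with a constructed in-memory user table, so it runs offline; the table contents, function names and the lookup inputs are all assumptions made for the illustration.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Build a small constructed user table in memory (assumed data, for the demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Deliberately vulnerable: the caller's input is spliced into the SQL text.

    Any quote character in `username` ends the string literal and the remainder
    is interpreted as SQL, which is exactly the 1990s-era flaw the article refers to.
    """
    query = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened form: a bound parameter keeps the input as data, never as SQL.

    The database driver sends the SQL and the value separately, so quotes or
    keywords in `username` can only ever be compared against column contents.
    """
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


def compare(username: str) -> dict:
    """Run the same input through both versions so the difference is visible."""
    conn = make_db()
    return {
        "input": username,
        "vulnerable": lookup_vulnerable(conn, username),
        "safe": lookup_safe(conn, username),
    }


if __name__ == "__main__":
    # A normal lookup behaves identically in both versions.
    print(compare("alice"))
    # A well-known tautology input (constructed test value) makes the vulnerable
    # query return every row; the parameterized query correctly returns nothing.
    print(compare("' OR '1'='1"))
```

A tester reporting this finding would rank it highly for exactly the reason the article gives: it needs no special tooling, the fix (parameterized queries everywhere, ideally enforced by code review or a linter) is cheap, and it can be applied systemically rather than one query at a time.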
Skill matters
Most white hats use a broad set of tools for testing. While automated and AI tools can speed up the process, they are no replacement for skilled hackers with extensive IT knowledge and an understanding of human behavior. Before hiring a penetration testing company, validate the team’s experience, ensuring senior members have at least five years of specific penetration testing experience. Be careful with testing providers that assign only junior or contracted testers.
Change testers regularly
While it is good to build relationships with testing providers, change companies annually to avoid complacency. Use a pool of three to five companies and rotate among them. Different companies have different skill sets. For example, my company was exceptionally skilled with attacking infrastructure, which is how we found the firewall bug mentioned at the beginning of this article.
Beware of “gotcha” testing
A “gotcha test” focuses exclusively on breaking into the environment rather than assessing overall security. These tests will focus on a single exploit path and can miss many other exploitable avenues. A good testing company will conduct both a systemic assessment and a focused “black hat” style break-in.
Third party traps
One of the most significant areas of weakness is third party applications or systems. WordPress servers, for example, tend to be full of vulnerabilities due to the widespread use of third party plugins that do not undergo rigorous security testing.
Unfortunately, some vendors may specifically prohibit you from testing their systems. This can leave a massive set of vulnerabilities you cannot detect or defend against. Require third party vendors to either provide you with proof that they conducted their own independent penetration tests or permit you to perform testing with your own vendor(s).
Social engineering has limitations
Social engineering tests trick employees into divulging confidential information through fake phone calls or phishing emails. These tests are overwhelmingly successful, because people are inherently trusting.
Rather than random tests, perform targeted phishing tests to evaluate whether employees follow security policies. If users fail a social engineering test, focus on education, not admonishment.
Time is the enemy
Time is the ultimate constraint for any penetration tester. There are only so many hours in an engagement. Consequently, testers must use their time efficiently. This means automating as much as possible, so they can focus their attention on the more nuanced vulnerabilities. Black hats, on the other hand, have no time restrictions. They can take weeks, months, or even years to break in. This inherently creates an unequal arrangement. It is unreasonable to expect penetration testers to devote unlimited time or effort to a test; doing so would make the testing outlandishly expensive.
Fixing falls on you
Penetration tests do not typically fix discovered vulnerabilities; that task falls to your internal teams or a contractor. Allocate resources to address issues after the test.
Think systemically
Avoid fixing vulnerabilities individually. Implement systemic improvements across the organization. Most vulnerabilities can be remediated through automated software and OS patching. For misconfigurations, standardize system deployment and management. For mission critical systems, you may want to consider emerging technologies like Moving Target Defense, which creates a dynamic, constantly updating environment that is extremely difficult to exploit.
Conclusion
Penetration testing is essential for any organization. It is better to have a white hat hacker find a vulnerability before a black hat does. However, no security control or technology is perfect. Flaws are inherent in any complex system. Even the best security products, practices, and people can fail. The technologies you use are not as important as how you manage, monitor, and test those technologies.
Lastly, it is important to remember that black hats do not follow rules, policies, or org charts. They will break anything to get your data. For security to be effective, you need to think like a black hat hacker, and test everything. Especially the systems you believe are safe.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.