How to Protect Your Network Through Penetration Testing
Today we are pleased to share a guest post by Adnan Raja of Atlantic.net, a leading cloud and managed service provider with offices in Orlando that specializes in HIPAA-compliant data management. For more helpful articles like this, check out their blog here.
Hacking is often considered the worst thing that can happen to your business. However, ethical hacking (also called penetration testing) is a tool you can use to greatly bolster your security. Ethical hacking is carried out by a person or organization whose aim is to find security holes so they can be resolved. The penetration tester looks for weaknesses, and those areas are strengthened to avoid intrusion by legitimate threats.
If you are working with an outside party, you should anticipate that the contractor will require written permission before moving forward. They should respect your privacy. They should shut any doors they open to avoid a real compromise. Finally, they should inform you of any weaknesses they identify in your systems.
Penetration testing is necessarily complex. You will be using the same tools and techniques to attack yourself that hackers use. The process includes the following steps:
Understand the scope.
Establish expectations for penetration testing. You want to know exactly what portion of your systems will be included within the test (such as cloud, an OS, or an application). Also be clear on which devices are being examined, such as just SQL servers, just web servers, or all devices.
Automated vulnerability testing may or may not be included with pen testing. Social engineering also may or may not be permitted. Be clear on the days and hours when pen testing is off-limits, along with the dates when it is to be conducted. You should also establish whether service disruptions are acceptable or not.
Understand which of the two basic types of ethical hacking is being used: whitebox, in which the hacker is given some details on the target, or blackbox, in which the hacker has no insider information from you.
Test social engineering.
Before we get into more technical aspects, it is smart to look at the issue of social engineering, especially given the rise in ransomware distributed through phishing. It is critical to consider this aspect because you will often find people are your biggest source of vulnerability. You can mitigate the risk of your employees via training.
Testing for social engineering should be considered an important part of penetration testing. However, it is challenging because of the ethical issues it raises. Proceed with caution.
Perform port scanning.
In order to know how intruders might make their way into your data, you want to map your ports. One free open source tool you can use for network discovery is Nmap. In addition to its port scanning capabilities, Nmap has a scripting feature that provides substantial detail on open services. The results of the scans are available in several formats that can be fed into other systems or adjusted.
Perform vulnerability scanning.
A core point for pen testing is to perform vulnerability scanning. A security vulnerability, per the EU Agency for Network and Information Security (ENISA), is “a weakness an adversary could take advantage of to compromise the confidentiality, availability, or integrity of a resource.”
There are basically two types of vulnerabilities: public vulnerabilities, which you can look up in repositories (e.g., OVAL, CVE, and NVD), and zero-day vulnerabilities, which remain private.
You can perform this task using a wide variety of open source and proprietary tools. There are systems that scan web applications through automated testing, looking for cross-site scripting, SQL injection, and other vulnerabilities. You can sometimes perform numerous types of vulnerability tests using a single tool.
Make exploitation attempts.
An exploit is the code a hacker uses to get into your site. You want a tool that can exploit the vulnerabilities you uncovered during scanning; these automated tools simulate actual cyber attacks. Whatever tool you use, keep it updated so that you have the most recent exploit data.
When you get attacked, it often involves the installation of an exploit kit on your site. This tool scans your server for weaknesses and tries to exploit them; if an exploit succeeds, malware is injected into your system.
Conduct post-exploitation tasks.
You can use separate software, or plugins for the primary tool you are using, to increase your permissions once inside a network. Using these tools, you can steal passwords and use them for additional exploitation.
You want reports so that you have a record of everything. With built-in reporting, you do not need to waste time looking over past scan reports. Some systems will let you pull in the results from other tools and align that data with known vulnerabilities, streamlining reporting.
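The port scanning, vulnerability scanning and reporting steps above come together when scan output is parsed and correlated. This added example (not code from the original post or from Atlantic.net) reads a constructed Nmap XML fragment in the shape of Nmap's -oX output, keeps the open ports, checks them against an assumed baseline of expected services, and matches reported product versions against a constructed, placeholder vulnerability list standing in for a CVE/NVD feed.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML fragment (not real scan output); shape follows Nmap's -oX schema.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" start="0">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.29"/></port>
      <port protocol="tcp" portid="3306"><state state="closed"/>
        <service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed vulnerability list standing in for a CVE/NVD feed; IDs are placeholders.
VULN_DB = [
    {"id": "EXAMPLE-VULN-1", "product": "Apache httpd", "affected": ["2.4.29"], "cvss": 7.5},
    {"id": "EXAMPLE-VULN-2", "product": "OpenSSH", "affected": ["7.2"], "cvss": 5.3},
]
# Assumed scope baseline: services the organisation expects on this host.
EXPECTED = {("192.0.2.10", 22, "tcp"), ("192.0.2.10", 443, "tcp")}

def parse_open_ports(xml_text):
    """Return one record per open port, with service/product/version if Nmap reported them."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")  # may be absent when no service was identified
            findings.append({
                "addr": addr, "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return findings

def correlate(findings, vuln_db=VULN_DB, expected=EXPECTED):
    """Flag open ports outside the baseline and attach matching vulnerability IDs."""
    report = []
    for f in findings:
        matches = [v["id"] for v in vuln_db
                   if v["product"] == f["product"] and f["version"] in v["affected"]]
        report.append({**f, "unexpected": (f["addr"], f["port"], f["proto"]) not in expected,
                       "vulns": matches})
    return report
```

In the sample, port 80 is both outside the baseline and matched to a placeholder finding, which is the kind of line item a streamlined report should surface first.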
Consider your partnerships.
Ensure your service providers have strong controls in place by checking for Statement on Standards for Attestation Engagements 18 (SSAE 18) auditing, a standard developed by the American Institute of Certified Public Accountants (AICPA). This form of audit specifically examines the controls in place at service organizations.
Securing your network by attacking yourself
Penetration testing is critical to cybersecurity. This form of testing can be conducted in-house or through an external service, depending on your expertise. The process should be robust but straightforward, including mapping the ports, scanning for vulnerabilities, and running exploits to see if you can intrude, as well as testing social engineering, provided you have considered the ethical issues. When you select service providers, look for SSAE 18 auditing so you know an independent entity has verified their protections.