
Penetration Testing: Protecting Your Data

LastPass | Published July 02, 2024

How Penetration Testing Secures Your Data 

Lots of people have heard the first part of the sentence that begins “Know thy enemy,” but it’s the second part that matters.  

In his book The Art of War, Sun Tzu says that if you know your enemy, “you need not fear the result of a hundred battles.”

From a business perspective, those battles could be cyberattacks from threat actors trying to steal your data. And penetration testing is the best way to know this enemy.  


What Is Penetration Testing

Sometimes called ethical hacking or abbreviated pen testing, this is a widely used exercise practiced by security professionals all over the world, and well worth considering as you strengthen your defenses as an organization.  

Definition and purpose of penetration testing 

Pen testing replicates the process of waging a cyberattack against an organization’s vulnerabilities, but without inflicting any actual damage. Instead, authorized parties simulate what actual cybercriminals would most likely do to penetrate an organization’s network in order to identify potential weak spots.  

Benefits of conducting penetration testing 

The value of pen testing lies in helping your security team put themselves in the shoes of prospective attackers and anticipate their actions before they happen. A pen test can also reveal software vulnerabilities, gaps in authentication and access policies, and other flaws that might otherwise be missed.

By deepening their understanding of how cybercriminals might break in, security teams also improve their ability to detect and respond to incidents. This can bolster business continuity efforts, support regulatory compliance and safeguard customer trust.  

Common misconceptions about penetration testing 

Though the two are related, pen testing goes beyond a vulnerability assessment: you are not only identifying problems but actively trying to exploit them to understand the risk they pose.

Contrary to what you might hear, pen testing doesn’t involve any kind of illegal activity that could expose customer or operational data. It also doesn’t disrupt the everyday work of employees or negatively affect customer experiences. Don’t assume pen testing is only for large enterprises, either. This is a best practice that can benefit organizations of any size.  

Stages of Penetration Testing 

If your organization is new to pen testing and wants to get started, there are three phases the process tends to follow:  

Reconnaissance and information gathering 

Cybercriminals rarely go into an attack blindly, and neither should those conducting pen tests.   

The reconnaissance phase of penetration testing is all about learning as much about your target as possible. This could include the number of employee accounts that access the corporate network, for example, as well as particular platforms and software systems that are commonly used.  

Some of this information will be readily available online or through other public sources. More comprehensive reconnaissance goes further to gather first-hand data; ethical hackers could do this by trying to sign up for a customer account, for instance.

Scanning and vulnerability assessment 

We mentioned vulnerability assessments earlier. By seeing which systems might be left unpatched or poorly protected, pen testers can devise the best strategy for breaking through an organization’s defenses.  

This becomes even more powerful when ethical hackers also use the information they’ve gathered in the reconnaissance phase to identify open network ports and other potential entry points where organizations leave themselves exposed.  

Exploitation and gaining access 

Pen testing isn’t complete until an actual attempt to breach the organization’s security controls has been made. A number of tools are available to do this in a controlled way so that critical systems don’t actually crash.

Attacks can involve manipulating requests and responses, targeting vulnerabilities with exploits, intercepting client/server traffic and other methods.  

Methods of Penetration Testing 

It’s difficult to know exactly how much threat actors will actually learn about an organization and its defenses prior to launching an attack. That’s why penetration testers often use a combination of approaches to see how far they can gain access to networks and data. 

Black box testing 

Sometimes cybercriminals simply assume an organization will have at least a few security holes worth poking at. They may know nothing about the organization's web architecture, design or other details of the target.

Ethical hackers will often conduct at least a few tests this way, given that it comes closest to the worst-case real-life scenarios an organization could encounter. They could try social engineering or phishing schemes to see if they could even use employees as an entry point.  

Black box tests can take considerable time and effort – and they don’t always uncover other vulnerabilities that put an organization at risk. 

White box testing 

Some systems and data are valuable enough that threat actors will take all the time they need to learn about security settings that weren’t configured properly, areas where employees were given privileges they shouldn’t have and poorly written code within web applications. This is often how advanced persistent threats (APTs) get in.  

White box testing arms penetration testers with a similar body of knowledge so they can go after the most lucrative targets and simulate the data breaches that could have the biggest repercussions for a potential victim.  

Gray box testing 

The world isn’t black and white, and neither is cybersecurity. That’s why gray box testing often makes a lot of sense too.  

In this case, penetration testers are given some, but not all, of the information they would need to wage a successful attack. They might have low-level credentials to a business application, for instance, or a map of the target’s network infrastructure.

The most comprehensive penetration testing program will likely use any or all of these approaches to ensure the organization is well-protected.  

Web Application Firewalls and Penetration Testing 

One area where pen tests often come up is in support of web application firewalls, which many organizations include among their cybersecurity defenses.  

Understanding the role of web application firewalls 

By monitoring, filtering and, where necessary, blocking HTTP traffic between an application and the Internet, a web application firewall (WAF) represents a valuable layer of protection against many threats.

Like any technology, a WAF needs to be deployed and used properly to provide the maximum benefit.

Challenges and limitations of relying solely on web application firewalls 

If a WAF is poorly configured, it’s still possible for attackers to get through and cause a data breach. Some WAFs may also produce false negatives, missing issues that represent viable threats.

WAF admins also have to stay on top of the many alerts and notifications they generate, which leaves lots of room for human error. Then there’s the time and effort required to investigate WAF alerts, which can be considerable.  

All this means WAFs need to be tested just like any other security control.   

How penetration testing complements web application firewalls 

Though the two have distinct purposes, pen testers can use WAF data, such as logs, to identify exploits and vulnerabilities. WAF administrators, meanwhile, can use the results of pen tests to fine-tune their configurations and mitigate any risks the tests uncover. Using the two in tandem may also assist with standards compliance.

Best Practices for Penetration Testing 

Beyond understanding the stages and types of pen testing, there are some other considerations for building out the right approach for your organization.

Choosing the right penetration testing methodology 

While this post has gone over several methods, from black and white to gray box tests, every organization is unique.  

Your goal may be to ensure a previous breach never happens again, or simply to safeguard against an emerging threat.  

Take into account the scope of tests, the level of effort required, and what sort of intelligence-gathering may be required.   

Engaging certified and experienced penetration testers 

This isn’t an area where organizations or security teams have to shoulder the burden on their own.  

There are many reputable consultants and vendors ready to provide regular pen testing based on your needs and the most likely cyber threats your organization faces.  

Just make sure to ask about certifications such as CompTIA’s PenTest+ or Certified Pen Tester (CPT).

Implementing a regular penetration testing schedule 

Sometimes pen tests are scheduled as a development project ends and new software is deployed. However, some organizations also run continuous penetration testing based on feature updates, new software releases or a cadence that aligns with their patch management schedule.   

How LastPass is Protecting Your Data with Pen Testing 

Even the top names in security use pen testing as part of their defense strategy – including LastPass.

Emerging threats and vulnerabilities 

While LastPass has a proven track record in protecting organizations of every size across multiple industries, there is always more work to be done. New threats and vulnerabilities are emerging all the time, which is why we continuously improve our defenses.  

Routine audits 

LastPass frequently engages trusted third parties, for example, to conduct pen tests and regular audits of our product, all as part of our responsible disclosure process. It’s just one more reason to start your LastPass trial today.

FAQ

What tools are commonly used in penetration testing?

Pen testers or ethical hackers use a wide range of tools for each of the five stages of the penetration testing process (the following isn’t a comprehensive list).

1. Reconnaissance and information gathering

2. Target discovery (scanning) and vulnerability assessment

  • Nmap to scan networks and identify available hosts, the services they offer, and the operating systems running
  • Nessus to scan for vulnerabilities in apps, operating systems, and other network resources

3. Exploitation

  • Metasploit to run exploit code on target systems or simulate attacks against networks, applications, and devices
  • John the Ripper to carry out credential-based attacks
  • Sqlmap to exploit SQL injection vulnerabilities

4. Escalation

  • XM Cyber to automate APT attacks
  • Picus to simulate real-world lateral movement, data exfiltration, and ransomware attacks

5. Post-exploitation cleanup and reporting

  • Obsidian to organize information gathered about vulnerabilities and suggested remediations
  • Microsoft Word or Google Docs for the final report

Is penetration testing illegal?

No, penetration testing isn’t illegal. In fact, it’s required by several privacy laws for organizations in finance, government, and ecommerce.

  • The GLBA (Gramm-Leach-Bliley Act) requires financial institutions to perform annual penetration testing to ensure security safeguards for consumer data are working as intended.
  • PCI DSS 4.0 emphasizes penetration testing to ensure cardholder data environments have the appropriate protections to meet Report on Compliance (RoC) requirements.

How much does penetration testing cost?

According to eSecurity Planet, organizations pay an average of $18,300 for penetration testing. However, costs may exceed $100,000 depending on factors like the type of test, the scope and scale of testing, and compliance requirements.
