Intro to Penetration Testing Part 2: Adopting a Pen Tester’s Mindset

This is the second post in a four-part pentesting series, focusing on re-evaluating home network security and employing home network security best practices.

Pen Testing at Home

Penetration testing (pentesting) evokes an image of a team of skilled programmers and hackers attacking a corporation’s network security, searching for vulnerabilities to exploit like in the 90’s movie Sneakers. Although you may think of pentesting being done only in the corporate world, the concept of pentesting—strengthening network security—can be applied to your home network. Although you may not be a pentester, you can use the mindset of one to evaluate whether your home network is secure.

We’ll use two scenarios to help you think like a pen tester when it comes to your home network security. In each scenario, Bob the burglar (representing a pen tester) will attempt to break into two houses.

Scenario 1

House A is occupied by John and is Bob’s first target. Bob begins by observing John, his habits, noting the times when John is home and when John is absent. During some of John’s absences, Bob probes the outside of House A—careful to remain unseen—searching for easy access. Bob notices that the front door does not have a deadbolt, the door itself appears to be flimsy, and the door knob is old and loose. He sneaks to the backyard and finds an old sleeping guard dog. Continuing, he finds that the windows on the ground level have no locks. On a different day, he observes that John leaves a spare key under the front door mat. Rather than breaking a window or door, Bob opts for the easiest way into House A by using the key under the mat.

Scenario 2

In this scenario, Bob plans to break into House B that is occupied by Tom. House B is on the opposite end of the spectrum from House A. The first thing Bob discovers is that House B has an alarm system and that all the doors and windows are connected to sensors that will trigger the alarm if he were to force an entry. He finds that the front and back doors are solid and have strong door knobs and deadbolts and the garage has a security pad. Unable to gain entry without tripping the alarm, Bob follows Tom with the hopes of finding some way exploit him. Bob finds that Tom drives to the golf course every Friday where he uses valet parking. Bob decides to use this as his weakness, so he buys a pair of white pants and a white polo to match the valet attendants. Bob gains access to Tom’s car with the valet key and discovers that the pin to the alarm system is taped to the garage door opener on the driver’s side visor. Bob has found his way in.

The Take Away

These scenarios do more than explain how you could go about breaking into someone’s house. They provide a real-world representation of the process a burglar or hacker would go through to find the potential holes in a security system and exploit them.

In both scenarios, Bob first observed his targets. He took note of their habits, found out all he could about them, and looked for the easiest way to break in without getting caught. In the security world, pentesters and hackers do this; they look for weaknesses in their target’s security system. In the first scenario, House A had old, weak doors, door knobs, and no deadbolts. This outdated security technology left House A open to new methods of breaking and entering, making it easy for the burglar to get inside.

Outdated security technology is equally dangerous when protecting against hackers. Many people overlook or underestimate the importance of updating your OS, routers, game systems, and other devices on your network. However, these updates provide the latest security patches and fixes and are crucial to keeping your entire network secure. One security vulnerability could give a hacker a door into your entire network, even if the rest of your devices are up-to-date. Also important is proactive security measures, like firewalls and anti-virus software. These measures (like the guard dog and alarm system) alert you to hackers trying to get in.

But even with up-to-date security technologies and advanced security systems, hackers can still find their way in if you give them the key. Like in the case with House B that has strong doors, locks, and an alarm system, Bob the burglar was still able to find his way in. He figured out how to impersonate someone Tom trusted and gained access to information that Tom had been careless with. Social engineering tactics like phishing emails, spoofed or compromised websites, or digging through social media often yield critical information that someone has simply been careless with, ultimately giving the hacker an easy way in.

Checklist

Bob the burglar achieved his goal in both scenarios. House A was practically defenseless. And, even though House B employed more formidable means of security, it was still susceptible to Bob’s determined efforts. To help you rethink the way you can keep you home network secure, here is a checklist of places you may be vulnerable:

  • Run the latest updates on your OSes, routers, television, game systems, phones, and any other device on your home network
  • Use and run an up-to-date anti-virus software program
  • Use and update your firewall
  • Establish strong passwords for each device and account
  • Re-evaluate the information you post on social media
  • Be on the alert for phishing emails and other social engineering tactics

Part 3: Why Small Businesses Should Conduct Pentests

In next week’s post we’ll discuss reasons that small businesses should do pentesting.