This is the first blog post in a four-part series about penetration testing. In the series, we will be discussing penetration testing, security best practices for home users, why small businesses should perform penetration testing, and considerations for choosing a penetration testing provider.
In the world of sports, a team or an individual's weaknesses are taken very seriously and made up for with grueling hours of practice and exercise. Take boxing, for example.
While training a boxer, the coach will teach the fundamentals of footwork, punching, and blocking. During a training session, time is set aside for the fundamentals to be put to the test by sparring. The trainee will use what he has learned against a sparring partner. These sessions are important in the development of the boxer because the coach can see the boxer's strengths and, more importantly, the boxer's weaknesses. Each sparring session reveals what needs to be worked on in subsequent training sessions.
Sparring sessions are critical. It would be absurd to train a boxer for an upcoming fight without ever having had him test his skills in the sparring ring first. As absurd as that is, it is equally ridiculous to think that a network's data security defenses are fine without ever having them tested in a penetration test.
Penetration testing, or pentesting, is to data security what a sparring session is to the boxer and coach: a pentest is how you identify the security vulnerabilities an attacker could use to steal sensitive information or gain access to the systems on your network.
Pentesting is sometimes confused with vulnerability scanning. A penetration test is performed by a team of skilled individuals whose goal is to identify and exploit vulnerabilities in order to demonstrate how an existing weakness, or a combination of weaknesses, could lead to a real-world attack. Pentesters may run an automated vulnerability scan first to clear away the low-hanging fruit quickly, so that their time can be spent finding the vulnerabilities a scan will miss. But the vulnerability scan is merely a tool, not the whole pentesting process. Scans are useful and have a place in every network's defenses, but however effective or sophisticated a scanner may be, it only reports what it can match against known signatures; it does not chain findings together or verify that a reported weakness is actually exploitable the way a team of experienced pentesters does.
There are two main approaches to penetration testing: black box testing and white box testing.
In black box testing, a company contracting a pentesting team will give little or no information to the pentesters. Going back to our boxing analogy, this test would be like taking a boxer to a sparring session with an opponent they know nothing about; the boxer will have to learn what they can during the fight. Both boxers might circle each other, watching for weaknesses and the fight may progress slowly as each fighter gathers information on what works in the fight and what doesn't.
Similarly, in a black box test, the only information the testers have is what they can gather on their own. This type of test mimics what a real-world attack from an outside hacker would look like and shows how effective such an attack would be. It is useful when a company wants to know what an attacker could learn about it from the Internet, for example through social media, public records, or other open sources, and how far that information would get them.
White box testing is on the opposite end of the spectrum. Unlike the boxer who knows nothing about their opponent before the sparring session, in this scenario the boxer and his coach have prepared for the fight. They may watch and analyze videos of their opponent fighting, looking for weaknesses they could exploit.
White box testing follows the same idea. Here the penetration testing team is given access to the source code, network diagrams, credentials, and whatever other relevant information the company provides. This is useful because the testers can go straight to finding and exploiting vulnerabilities without first having to discover that information themselves. Because penetration testing is billed by the hour and is costly, white box testing usually gives the most coverage for the money: the testers spend their hours on the network, the applications, and the source code rather than on reconnaissance. The trade-off is that a white box test says little about how much an outside attacker could discover unaided, which is exactly what a black box test measures.
In boxing, a coach teaches each boxer according to their unique build and ability and different stances are taught for different body types. But one thing every coach teaches is how the boxer can defend himself (blocking, dodging, slipping a punch, etc.). Why? Because a boxer who doesn't know how to block a punch to his head may end up on the floor of the ring—at the very least with a wounded ego and at the worst waiting for a stretcher. If seasoned boxers were asked if boxers should be taught defense, they would reply with a resounding “Yes.”
As we have already pointed out, network security defense should be treated with the same seriousness. So the next question is "Who should do penetration testing?"
If you answer yes to one or more of the following questions, you should consider doing a penetration test.
There are many more reasons to do a penetration test in your environment. But it all boils down to this: do you want your customers' or your company's information to be stolen? If not, you should test your network security defenses with a penetration test.
In next week's post we'll be discussing ways home users can do simple penetration tests, with the help of a friend, to improve their home security.