In conversations regarding network or infrastructural security, the word “pentester” often pops up. But who really is a pentester, and what is it that they do? In simplest terms, a pentester, a contraction for penetration tester, is an individual who identifies security flaws within a network or system. They are often external consultants, authorized by a company to perform security audits on their IT ecosystem, and identify any potential cybersecurity risks. Normally, a pentester begins by conducting reconnaissance on their client’s systems, looking for any potential vulnerabilities. Then, they try to infiltrate the systems by exploiting these vulnerabilities, and eventually gain access to critical data.
The Importance of Pentesters:
Pentesters are becoming increasingly relevant in the modern world. This is primarily because the average cost of a data breach has reached an all-time high ($3.86 million), and companies know that they can no longer take cybersecurity lightly. It seems more prudent and cost-effective to hire a consultant for thousands, than to incur millions in losses, after being compromised.
Pentesters make it easy for IT managers and technology officers to convince their bosses to approve security budgets. They can do so because we still live in a world where security isn’t considered a fundamental requirement, rather a supplementary feature. For example, let’s say a developer identified a potential security flaw in a payment gateway, which could allow an experienced hacker to obtain sensitive user data. He goes to his supervisor and makes him privy to the information. The supervisor estimates a spending of $5000 to add a new authentication mechanism, which could mitigate the issue. He knows that the company’s budget is a bit tight these days, so it would be hard to convince his boss to approve the budget, without concrete proof. So, he hires a pentester instead, and asks him to perform the scheduled security audit of the system. The pentester finds the vulnerability and gets his hands on the credit card data of all the company’s users. The supervisor goes to the boss and takes the pentester’s report with him; he now has a sales pitch up his sleeve, that the boss can’t possibly say no to.
What Kind of Vulnerabilities does a Pentester look for?
There can be many different kinds of vulnerabilities within a system; including missing data encryption, OS command injection, SQL injection, missing authentication, missing authorization, reliance on untrusted inputs, buffer and stack overflows etc. Depending on the level of freedom that the company gives to the pentester, the type and number of scanned and exploited vulnerabilities can differ. If there are no limits imposed by the client, a pentester has the liberty to go to any lengths; from performing a social engineering attack, to using a Wi-Fi sniffer, to making a denial-of-service attack.
However, generally, pentesters have to work within some limits or boundaries set by the client. Directives from client can range from “Can you try to gain access to our administration portal?” to “Can you please try to get inside our data center network? You are free to use any resources that could be available to a potential hacker” For the former, the pentester would normally just use any website penetration tools, and won’t be able to utilize their social engineering skills. For the latter however, they will be free to send phishing emails to employees, meet them at bars, and even try to sneak a USB into the actual data center.
Types of Penetration Testing:
There are three main types of penetration testing, namely: Black box testing, white box testing, and grey box testing. Which one you should choose typically depends on the extent of information you are willing to share with the pentester. Let’s take a look at all three in more detail:
In black box penetrating testing, the pentester is given no knowledge about the network or the system that they are supposed to test. They basically have to work with a black box. This type of pentesting is relevant when the company wants to simulate an attack made by an outsider.
Conversely, in white box penetration testing, the company shares all the information regarding their infrastructure with the pentester. This includes IP addresses of database servers, OS specifications, source code, and even login credentials etc. This might seem counter-intuitive, but since the whole purpose of this type is to simulate attacks made by an insider, it makes sense.
Lastly, a grey box penetration testing is followed by a company providing partial knowledge of the network and system to the tester. This type of testing simulates attacks made by a hacker who somehow got access to some internal network/software specification documents.
Stages of Penetration Testing:
There are four main stages of any penetration testing effort:
- Planning: Scope and strategy of the project is decided and documented.
- Discovery: At this stage, the pentester scans the system rigorously and repeatedly to find any useful information, like usernames, passwords, encryption keys etc. This process is also known as fingerprinting. These days, a lot of fingerprinting tools are used for this purpose, e.g. BlindElephant and Wappalyzer. In addition to this, the pentester also identifies any potential vulnerabilities during this stage.
- Attack: The pentester simulates a bunch of relevant attacks on the system during this stage.
- Reporting: Finally, audit reports are compiled, documenting security flaws and suggestions that can help revamp system security.
Pitfalls of Penetration Testing:
No good thing comes without its pitfalls, and penetration testing is no different:
- Even though a pentester will try their best, some security flaws might still remain undetected. There is no guarantee that your system will be completely impervious to potential attacks after the audit.
- Penetration tests take time, and since they are carried out on the core system/network, chances are that your business activities will get disrupted.
- Penetration testing is a labor and time intensive task, so high costs can be associated with it.
An experienced pentester can help a company in identifying vulnerabilities that can otherwise cause a lot of reputational and financial damage. Regardless of whether you want to simulate an insider attack, or one made by an experienced external hacker, a pentester can do the job for you!