
Penetration testing: Is your cybersecurity strategy working?  

By: Heide Brandes//The Journal Record//October 20, 2021//

Penetration testing involves an intentional cyberattack to test strategies and tools used to secure computer systems, websites, applications and networks. (Photo by Jefferson Santos on Unsplash)

On Monday, Sinclair Broadcast Group said it was the victim of a ransomware attack that disrupted operations at several television stations. Earlier this summer, the largest beef supplier in the world, JBS, paid $11 million in ransom to hackers who breached its computer networks.

Malicious hacks are becoming increasingly frequent, with a hack occurring every 39 seconds, according to Security Magazine. Fortune Magazine found that 66% of businesses do not believe they could recover from a hack.

In the world of cybersecurity, is there such a thing as an “ethical hack?” According to the experts, such a thing does exist, and this type of hack can help companies identify weaknesses in their security measures. 

Penetration testing, also called a “pen test,” is a type of ethical hacking that involves an intentional cyberattack to test strategies and tools used to secure computer systems, websites, applications and networks. 

Pen tests are designed by “white hat” hackers, and their main objective is to identify issues and weaknesses that could be exploited so that additional security controls can be put into place. This type of testing is used only after a cybersecurity plan has been developed and implemented and, while advantageous to major companies, it may not be the best or first choice for the typical small business.

What exactly is pen testing? 

“Penetration testing is where we go in, and we find weaknesses in systems, virtual and physical, and we see if we can get away with exploiting them in order to simulate what a real attacker would do,” said Tanner Shinn, security team lead for Alias.

Alias is an Oklahoma cybersecurity firm that specializes in advanced cybersecurity offerings including penetration testing, compliance assessments and incident response.  

“We have a team of trained white hat hackers that act like attackers in order to find weaknesses that a real attacker could exploit and do some real damage with,” Shinn said.

Companies like Alias specialize in testing a company’s systems in order to find weaknesses and vulnerabilities. Different from a vulnerability scan, a penetration test actually simulates what malicious hackers could do. 

Different types of pen tests include: 

  • Physical testing – Testers go onto a company’s physical site to attempt to breach security measures. For instance, they may attempt to enter a data center’s server room to install a device that can be used for hacking, or they may attempt to take something from the president or CEO’s office.
  • Internal testing – The “white hat” hackers plug into a company’s network directly to see how many ways they can get into the system and completely “own” it. 

“At some point, somebody’s going to get in. You could have an employee who has a little bit of cybersecurity knowledge and has the ability to do some bad stuff,” said Shinn. “So that’s what we’re trying to emulate. We’re trying to see what all can happen from that perspective.” 

  • External testing – The testers hack the company from the outside to see what kind of vulnerabilities the company doesn’t know about. This test emulates what an off-site hacker could do from outside the company. 
  • Red team engagements – These are an adversarial emulation of an APT, or advanced persistent threat, targeting the company.

“We’ll do anything an attacker would do,” Shinn said. “We’re also sending phishing emails; we’re calling people and pretending to be somebody who has some business calling and trying to get them to give us some information or to click on a link or go to a website or something like that. Anything a bad guy would do is what we’re trying to emulate.” 

What are the threats? 

Timothy Fawcett, director of cybersecurity consulting for Oklahoma City’s Guernsey, said cyberattacks have two main flavors for most organizations – fraud using computers and exploitation of vulnerabilities. 

“So let’s talk about the first flavor, where bad actors use deception to execute a confidence attack. These are the types of attacks that many of the ‘famous’ hackers are known for,” he said. “They use forged systems or email to trick people into making bad decisions.” 

A common scheme now is for perpetrators to send an email, targeting HR or accounting, saying that banking information has changed in order to gather access and information, ultimately stealing money.  

The second type of attack, he said, is extortion, sabotage and espionage. The hackers may use social engineering or exploit a weakness or, in some cases, take advantage of complicated campaigns to get access to systems. 

“They usually will go after data, either to steal intellectual property or to ransom data. They do this by encrypting files, exfiltrating information and extorting companies to pay,” Fawcett said. “This is becoming so lucrative because of U.S. companies’ willingness to pay the ransoms. They are going after all companies, not just the ones that are capable of paying millions.” 

Does a company need penetration testing?  

In the past, hackers relied on worms and viruses, automated scripts that someone wrote to find vulnerabilities to exploit. Those simple days are over, and today’s hackers are acting in real time.

“These are people who really know what they’re doing and do this for a living. They have their hands on the keyboard and can totally compromise environments, so it’s not like it used to be,” said Shinn. “There are a lot of really advanced threats, and they’re not discriminatory in who they target.” 

However, experts are divided on whether all businesses should conduct pen tests.

“My philosophy on pen testing is that there is a time and a place, but that place is rarely small businesses, and the time is always after you put in a security program,” said Fawcett. “I know there are a lot of cybersecurity people who are really focused on the pen testing, and they have a lot of really smart guys who go to hacking school. I think it’s more important to protect yourself from the hackers than to hire a hacker.” 

According to Fawcett, cybersecurity, at its most basic, comes down to good administration and a series of risk mitigation procedures and practices.   

“There are a handful of configurations and processes that every company should have, but what a specific organization should be doing really depends on the risks at that organization,” he added. “Security is not an on/off thing; it is a series of layers that includes configuration, administering and monitoring. Pen testing is just one small part of those layers of processes. You should have a number of security processes in place already before even thinking about pen testing.”  

What a company with hundreds of employees does to protect its systems may not be reasonable for a 50-person manufacturing plant, he added. “Once you have identified this as a risk, then decide the best way we can mitigate the risk, which is different depending on your resources.”