A day in the life of a 2-sec penetration tester
Alexander Drabek is part of our team of expert penetration testers, who “ethically hack” into clients’ networks and find any potential weaknesses. We asked him exactly what it is he does, and how he does it.
What skills do you need to become a penetration tester?
Many people think penetration testers are highly obsessive and solitary techies. The opposite is true. To be a good pen tester you need to be able to work in a team and have the communication skills to tell people about the security problems in a way that they understand.
If you can’t tell anyone how you did what you did, what happened and how to fix it, then you’ll be no use as a pen tester. Strong technical writing skills are essential – a lot of time is spent on writing reports for clients – and if your client can’t understand these then they’re worthless.
Of course, you need the technical background, and it’s best to start with researching protocol specifications and guides on implementation, and then interacting with each technology before jumping into any tools. Once the knowledge is acquired in a particular domain, it’s very useful to look around and start learning tools to see if they fulfil your needs or whether you will need to develop your own.
You also need a sense of discipline, attention to detail and passion for the whole subject. I’m always learning in this field – your education never stops.
What type of organisation do you hack into?
Anybody who needs us. Our clients range from FTSE 100 companies, law firms, financial services and companies in the manufacturing industries all the way through to smaller SMEs. We also work with Government agencies. It is always interesting to learn how attack threats differ from one industry to another and how each company has its own unique risk modelling and risk appetite levels.
Is there anything you are NOT allowed to do or to hack into?
Unlike black hat hackers, we are regulated in what we can do because our clients give us specific rules of engagement: what we can target and how to approach the systems.
It’s a very strictly structured environment and we are controlled by a whole raft of ethical and moral guidelines. Moreover, we always try to execute tests that are as realistic as possible, and if we notice additional ways in, we will communicate those to the customer and suggest expanding or adjusting the scope.
What’s the biggest mistake a pen tester could make?
First off, not following a structured methodology, which can lead to hectic testing and missing the bigger picture of the overall technology in place. Poor evidence-keeping practices can become a huge issue on larger projects.
Secondly, it’s possible that an inexperienced pen tester could go outside a project scope and knock a server offline. In doing this, especially in the production environment, they could accidentally destroy data or impact business operations because they don’t understand what they are doing.
We never go outside the project scope that the client has instructed – it’s unethical to start poking around in systems outside the project boundaries.
Some inexperienced pen testers rely on automated pen testing tools but fail to dig down into the network manually to find the flaws that are beyond the scope of the equipment. You need skills AND experience to be able to do this. It’s very easy to do damage or miss very serious vulnerabilities if you are inexperienced with the technology that you are testing.
What do you do from day to day?
Forget any images of glamorous cloak and dagger activity! Much of the day is working through a range of processes, methodically performing careful analytical tests and reporting in minute detail on results. And many cups of coffee to keep us going…
If not in the office carrying out external testing, we are often with clients during consultancy and gap analysis days, internal penetration testing or Cyber Essentials audits. Our work is a mixture of the above tasks and each consultant is required to pick up a variety of tasks to make sure they stay fluent in each area.
For instance, an organisation’s first step into cyber security may be an initial internal visit to discuss becoming Cyber Essentials accredited. I really enjoy these, as I can start discussing cyber security from the ground upwards and discuss the steps that a company will need to take to enable us to start preparing for the accreditation. I spend a lot of time in clients’ offices – we go where we are needed – so it helps if you like travelling too.
Recently, we carried out an internal penetration testing assignment for a client, where we discovered issues with the unfinished configuration of the VOIP server that allowed us to acquire all information about employees and their calls – essentially metadata about everyone hired and their activity. This information could easily be accessed by criminals to capture information on individuals, and to perform targeted social engineering among other types of attacks. We’re glad we found this issue first.
For each tester, it is a great feeling when we get domain administration or fully compromise the server. This doesn’t always happen with the most protected resources. However, during a recent internal test, we managed to compromise a standard user account. Browsing through the internal contact dashboard revealed that this user was responsible for all finances and for managing a 3rd party system to pay out for certain goods. The issue was flagged straight away to the client. They were very thankful, and the process and systems were adjusted to protect the information. I know a cyber-criminal would have loved to exploit this issue by writing themselves a cheque or carrying out a fraudulent money transfer. We’re glad we managed to flag up and solve the problem first.
When conducting an external penetration test we may find new vulnerabilities, for example our recent discovery of a new vulnerability in a Synology NAS drive.
Our customers are prepared enough which makes it more fun (and more difficult) for us and better value for money for them!
At the same time, we are frequently finding web application misconfigurations which, when combined with other discovered vulnerabilities, lead to at least application compromise and user account hijacking, and on rare occasions to a full server compromise.
When we have time, we conduct in-depth analysis of recent vulnerabilities, new technology and general research into a variety of topics to actively expand our knowledge and ensure that our clients are protected as much as possible.
What’s the biggest danger for businesses?
It’s difficult to answer this question as this depends on sector, geographic location and multiple other factors. It’s important to analyse each case independently and provide appropriate guidance. From a technical point of view, it would be easy to say malware or ransomware, but to be honest, poorly trained employees are one of the biggest issues. We see this problem repeatedly. Someone in the accounting team might click on a suspicious link, and unwittingly infect their company’s networks and systems. The organisation is knocked offline, their systems become inaccessible and their reputation is damaged.
Sometimes a company has a draconian password policy (and poor training) which leads employees to physically write down their passwords, either on post-it notes or in a Word document exposed to multiple other people. This allows for easy compromise and a lack of accountability for individuals’ actions taken on a system.
Staff training is imperative, but companies also need to do the RIGHT training, which includes real-life phishing and other social engineering simulations. These measures, if conducted regularly, show just how responsive your employees actually are when faced with a realistic example of a fake phishing email or an attempt to bypass any of the tested security protocols that you have in place.
What’s your biggest piece of advice for UK businesses?
Start taking care of your security wherever you can, but please start!
If you have an in-house technical expert, utilise their expertise to harden your networks, servers and end user devices.
If you have a compliance expert or a company culture that allows for smooth implementation of new, more secure practices and policies in the workplace, then do that.
Take action now, before it gets too expensive or too difficult to do it. Once small projects are successful, then internally reach out to get tested and trained, and to implement an ISMS or obtain ISO certifications.