PEN TESTING, OR ETHICAL HACKING – WHAT IS IT?
PEN TESTING, OR ETHICAL HACKING, IS A VITAL PART OF MAINTAINING TOP NOTCH CYBERSECURITY.
Every company that uses digital tools is vulnerable to hackers. No matter how big or small you are, there are actors out there looking to gain access to your system and exploit it for their own purposes. Maybe they want to hold you to ransom, or steal your intellectual property, or exploit your mailing list.
That’s why cybersecurity is such an important topic these days.
But you can’t fix your vulnerabilities until you know what they are. That’s where the job of a pen tester comes in. Pen (short for penetration) testing is the act of looking for vulnerabilities in a network, or computer system, or application that could potentially put a company at risk.
Pen testers are sometimes ex-hackers who bring a wealth of knowledge about how criminals think, or they are simply security professionals who enjoy the hunt of looking for vulnerabilities and pointing them out. It’s a highly specialised and very valuable skill to have on your team.
A bigger organisation with a dynamic web presence may have a pen tester on their team full-time, but it’s more likely that they work independently and are hired for a limited period of time to find the vulnerabilities that a client has not noticed.
Their job is to investigate all aspects of the client’s website and applications, find vulnerabilities, and report back to the client on how they got in and what the client should be doing to patch up its defences.
A day in the life of a PenTester…
In an interview with the Dark Reading blog, pen tester Gisela Hinojosa explained what a typical day might look like. Mornings are usually pretty busy, she says, as that’s when the testing starts. If she’s doing an internal pen test, she’ll set up the tools she needs and start by collecting open source intelligence (OSINT), which she can use to launch attacks. Alongside meetings where she reports back her findings, Hinojosa says that ‘The typical engagement lasts about five days but can be shorter or longer depending on the project.’
Another pen tester recently opened up about the way that he works, and it also offers great insights. ‘Day to day, I will usually be working in a team creating simulations. So for example, we send out phishing simulations where we select a sample of employees and send a phishing email to see how people respond. From this, we can monitor for clicks and see if people are downloading malware and picking up infections. We can then make suggestions on how to improve security measures.’
Broadly speaking, pen testers divide their work into two distinct categories: external and internal.
The external tests focus on digital assets that are accessible to the public and could be breached by anyone. These are usually IP addresses, or downloadable applications, emails, websites – typical places where hackers might begin their break in.
Once they find a vulnerability, they move on to the internal testing phase. “That’s when we find the most loot,” Hinojosa tells Dark Reading. “But it’s also a lot more work, especially with reporting, because that’s when you have the most findings.” It’s safe to say that external tests are more basic but that the really difficult work is done during the internal testing.
One of the most important aspects of being a pen tester is the reporting. Clients need to be kept informed at every step of the way: what you are doing, what you are finding, what needs to be secured, and so on. Pen testers need to have good communication skills and need to be able to keep detailed notes about what they are doing.
Another term that you may hear for pen testing is ethical hacking. This speaks to the fact that these hackers are doing similar work but for good reason. It’s a very specialised profession and requires a lot of research to keep up with trends in cybercrime and the latest technology that hackers are using.
But it’s good to know that there are good guys out there who are using the same tools and techniques as the bad guys as they try to make the internet a much safer place for the rest of us.
How can 2|SEC help?
Get in touch with 2|SEC today and let us appraise your security system and inform you of the vulnerabilities you probably don’t even know you have.