PDF
version of this report
You must have Adobe Acrobat reader to view, save, or print PDF files. The
reader is available for free
download.
Penetration Testing and
Ethical Hacking
Copyright 2022, Faulkner Information Services. All
Rights Reserved.
Docid: 00021116
Publication Date: 2210
Report Type: TUTORIAL
Preview
Paying someone to hack your network may seem counter-intuitive, but it is
a legitimate and valuable technique for ensuring the security of the
corporate infrastructure. This report describes the value of penetration
testing and ethical hacking and provides tips for selecting an appropriate
provider.
Report Contents:
Executive Summary
[return to top of this
report]
Taking precautions against hacker attacks is one key security goal, but
determining whether those precautions are effective is an entirely
separate process.
Related Faulkner Reports |
Network Security Best Practices Tutorial |
Cybersecurity Best Practices Tutorial |
That’s where penetration testing and ethical hacking come in. Penetration
testers simulate hacker attacks to evaluate an IT infrastructure and then
report the results and offer suggestions to mitigate risk and protect the
enterprise. In the right hands, these techniques prove or disprove
the efficacy of an enterprise’s security measures.
The term “penetration testing” describes a wide range of activities that
are conducted with the help of various tools, all of which take
significant skill to use correctly. Given this complexity, enterprises
often hire an outside expert for the job. Ethical hacking,
particularly penetration testing, has become a popular specialty among IT
professionals. There are now many formal, in-depth training programs that
focus on the practice. Enterprises can consider formal training and
certifications when choosing an outside tester.
Description
[return to top of this
report]
Penetration testing is the practice of deliberately attempting to
circumvent a company’s security and invade its systems and networks. The
goal is to discover any flaws or vulnerabilities in that security and, if
necessary, fix them. Testing is typically performed by outside security
companies who then present a comprehensive report detailing whether
intrusion was possible, how it was accomplished, and recommendations on
correcting problems.
The people conducting the intrusion tests are known as ethical hackers,
or white hats. They use the techniques and tools of the
criminal hacker, or black hat, to break into customers’ networks
and then help the customer devise defenses against those intrusions.
Penetration testing is not a single action but a range of activities, and
there are various tools that are commonly used to perform them.
Using these tools takes considerable understanding of security, networking,
software, and other topics. The tools are not plug-and-play products that
give users interpreted information and a clear plan of action for fixing any
problems. Instead, they provide raw data that requires a specialist to
understand and use. And since any single tool only examines a limited range
of security issues, often several are needed, and it takes knowledge to
choose a collection of tools that cover all of an organization’s particular
security needs. Because of the skill level needed to perform penetration
tests and how these skills differ from those needed for the everyday
administration of a network, enterprises commonly hire outside experts for
the task.
There are two main types of penetration test: one in which the hacker
works with full knowledge of the network and infrastructure, as an insider
might, and one in which he or she goes in blind, as an external attacker
would, discovering the network layout and structure gradually. In both of
these scenarios, the white hat hacker is hired by the organization and
works with its permission.
NIST Penetration Testing Methodology
As a service to public sector agencies and private sector companies, the
US National Institute of Standards and Technology (NIST) developed a
Four-Stage Penetration Testing Methodology as illustrated in Figure 1.1
Figure 1. Four-Stage Penetration Testing Methodology
Source: NIST
Planning – In the planning phase, rules are identified, management
approval is finalized and documented, and testing goals are set. The
planning phase sets the groundwork for a successful penetration test. No
actual testing occurs in this phase.
Discovery – The discovery phase of penetration testing includes
two parts. The first part is the start of actual testing, and covers
information gathering and scanning. The second part of the discovery phase
is vulnerability analysis, which involves comparing the services,
applications, and operating systems of scanned hosts against vulnerability
databases (a process that is automatic for vulnerability scanners) and the
testers’ own knowledge of vulnerabilities.
Attack – Executing an attack is at the heart of any penetration
test. If an attack is successful, the vulnerability is verified and
safeguards are identified to mitigate the associated security exposure.
Reporting – The reporting phase occurs simultaneously with the
other three phases of the penetration test. In the planning phase, the
assessment plan is developed. In the discovery and attack phases, written
logs are usually kept and periodic reports are made to system
administrators and/or management. At the conclusion of the test, a report
is generally developed to describe identified vulnerabilities, present a
risk rating, and give guidance on how to mitigate the discovered
weaknesses.
Current View
[return to top of this
report]
A Growing Demand
The demand for ethical hacking services is growing. This demand is being
driven largely by the increased number of attacks being launched and by
their rising tendency to focus on committing serious financial or national
security damage. Describing this evolution, Sean Lim of the International
Council of Electronic Commerce Consultants (EC-Council), says that while
once attackers mostly sought notoriety, “more and more we see two types of
hackers: one financially motivated, and two state-sponsored, which means
countries that want a cyberwar because they want to gain an upper hand on
where they stand globally. Many of these hacks, we notice, are very complex
and [it is] quite difficult to imagine a group of hackers would have access
to such technology and money that would fund such technology.”2
Demand is also being driven by the fact that some standards, such
as the Payment Card Industry Data Security Standard (PCI DSS), require
regular testing of security systems.3
Ethical hacking services are being used in a variety of industries. From
a youth employment perspective, many young people get involved, putting
their hacking skills to the test. In 2019, a 19-year-old white hat hacker
named Santiago Lopez became the first person to exceed $1 million in
bounty awards.
Training and Certification Programs
One challenge of hiring an ethical hacker is separating the good guys
from the bad. Employing a dishonest hacker to do penetration testing is
the equivalent of paying a crook to rob your house. One way to
differentiate is through certifications from reputable organizations. One
prominent certification is CEH (Certified Ethical Hacker).
Administered by the EC-Council, the CEH credential is intended to
demonstrate a certificate owner’s proficiency in ethical hacking.
CEH candidates must pass an exam encompassing the following nine domains:
- Information Security and Ethical Hacking Overview
- Reconnaissance Techniques
- System Hacking Phases and Attack Techniques
- Network and Perimeter Hacking
- Web Application Hacking
- Wireless Network Hacking
- Mobile Platform, IoT, and OT Hacking
- Cloud Computing
- Cryptography
A candidate must have completed CEH training, or have two years of
approved work experience in information security.
Outlook
[return to top of this
report]
As cyber criminals have become more skilled and more devious, they have
shifted from visible intrusions for the purpose of earning a reputation to
concealing their activities so they can continue to harvest information or
make use of the victim’s systems to perpetuate their activities. This
means that enterprises and ethical hackers alike must continually hone
their skills and enhance their safeguards just to keep up.
While the demand for cybersecurity experts – penetration testers included
– has never been higher, there has been a vast shortage of such
professionals. This has been a growing problem for years and can be due to
any number of factors, including that cybersecurity skills sets need to
evolve every few years to handle the complexity of newer attacks; a lack
of qualified talent in the workforce; burnout among current cybersecurity
professionals; and difficulty retaining employees. Whatever the reason,
penetration testing and ethical hacking are a bit different in that many
organizations hire a third party outside of the company.
Physical Penetration Testing
While most penetration testing involves digital security, with a
penetration tester trying to hack into an enterprise network, penetration
testing can also be performed on a physical level, with a physical pen
tester attempting to gain unauthorized access to enterprise work spaces.
Depending on the scenario, a pen tester may try to:
Penetrate a building perimeter by scaling a
surrounding fence and eluding video detection (most video surveillance
systems have “blind spots”).
Persuade an employee or business partner to
grant access to an enterprise facility through cajolery or other mental
means.
Determine the willingness of employees or
business partners to tolerate “tailgating” and, in the process, determine
the willingness of employees to ignore well-established security
protocols.
Attempt entry to a facility using counterfeit
credentials – credentials that experienced security guards should
recognize as false even under casual scrutiny.
Carry contraband into a facility despite a
physical inspection of one’s person and property by a security guard.
Similarly, remove an object like the laptop
from a facility (again, by avoiding detection by a security guard).
Deposit a suspicious package within a facility
and measure the time it takes for someone to discover and report the
finding to security; also, the number of individuals who ignore the
package’s presence.
Collect confidential information from employee
desktops (or other areas in plain view).
Engage in “dumpster diving” to measure
compliance with document disposal policies.
Openly photograph enterprise personnel and
assets (in clear violation of enterprise policy).
Deploy and activate a hardware tool, like a
special-purpose wireless access point or wireless router, that a true
practitioner of industrial espionage might employ to gather enterprise
intelligence.4
Perform a second-level incursion by
penetrating a computer room, laboratory, or other sensitive space. Even in
facilities featuring multiple perimeters, there can be a bias in favor of
someone who has already negotiated entry to the outer perimeter. Once
inside a facility, even a stranger can assume the characteristics of an
employee or other “insider”. Consultants, for example, often achieve such
status.
In some cases, a client may require a pen tester to locate and extract a
particular asset, like a document containing enterprise plans or trade
secrets. In other cases, a client may instruct a pen tester to pursue
targets of opportunity, the pen testing equivalent of a jewelry store
“smash and grab.” In either case, the client wants to know what the pen
tester – or surrogate thief – is capable of accomplishing despite
supposedly stringent security.
Recommendations
[return to top of this
report]
Penetration testing by trusted ethical hackers is preferable to the
alternative – penetration of a network by criminals looking to steal
information or use corporate resources to launch attacks on others. A
penetration test is one part of the routine security evaluations that
should take place within an organization at regular intervals, both to
protect its infrastructure and to fulfill obligations to shareholders,
regulatory agencies, and other stakeholders. Without adequate proof that
risk analyses were performed and all possible precautions were taken to
mitigate vulnerabilities, any breach could have wide-ranging
consequences, from financial and regulatory problems to lost customer and
shareholder confidence. The follow-through is as important as the testing.
And because networks and computer systems are continuously evolving and
new software is added, testing needs to be conducted on a routine basis.5
And the scope of penetration tests needs to evolve too. Recently,
the Internet of Things, mobile devices, and Wi-Fi networks have in
particular been more commonly targeted by penetration tests.
It is also important to note that if a company hires a penetration
tester, he or she should follow a code of ethics. This helps to ensure
that the hacker isn’t breaking the law and has the client’s best interest
in mind. The EC-Council established a strong code of ethics with 19
pillars and it is recommended that penetration testers observe this code
in their work.6
Once on board, the penetration tester and the client should sit down and
carefully document a project scope and what goals are expected to be
achieved. Security researcher Roger A. Grimes recommends that the proper
questions need to be asked ahead of the actual penetration testing so that
all stakeholders are informed of exactly what needs to be done. Among
these questions are:
- What computer assets are in scope for the test?
- Does it include all computers, just a certain application or service,
certain OS platforms, or mobile devices and cloud services? - Should testers try their best to avoid causing service interruptions,
or is causing any sort of problem a real attacker can do, including
service interruptions, a crucial part of the test? - Is the purpose of the penetration test simply to show that the tester
can break into a computer or device? - Is a denial-of-service condition considered an in-scope goal?7
Remember that penetration testing is just one aspect of security, not a
substitute for other monitoring and design practices. An enterprise needs
a multi-layered security strategy that includes penetration testing as
just one element.8 Testing aims to spot problems after an
enterprise has taken all other steps that it can in order to protect
itself. Therefore, plans for penetration testing can only be made and
carried out after an enterprise develops its core security strategy.
References
1 Karen Scarfone, Murugiah Souppaya, Amanda Cody, and Angela
Orebaugh. NIST SP 800-115: “Technical Guide to Information Security
Testing and Assessment.” US National Institute of Standards and
Technology. September 2008:5-2,5-3,5-4,5-5.
2 Aimee Chanthadavong. “Ethical Hackers: How Hiring White
Hats Can Help Defend Your Organisation Against the Bad Guys.” TechRepublic.
June 20, 2016.
3 “Payment Application Data Security Standard, Version 3.2.”
PCI Security Standards Council.
4 John Sawyer. “Tech Insight: Three Hardware Tools For
Physical Penetration Testing.” Dark Reading. September 2,
2011.
5 Warren Perez Araya. “Why, When and How Often Should You
Pen Test?” IBM Security Intelligence. August 21, 2018.
6 “Code of Ethics.” EC-Council.
7 Roger A. Grimes. “What Is Ethical Hacking? Penetration
Testing Basics and Requirements.” CSO Online. January 24,
2018.
8 Michael Kassner. “Determining Whether Penetration Testing
Is Effective.” TechRepublic. February 12, 2015.
Web Links
[return to top of this
report]
- EC-Council: http://www.eccouncil.org/
- PenTest magazine: http://www.pentestmag.com/
- SANS Institute: http://www.sans.org/
- US National Institute of Standards and Technology: http://www.nist.gov/
About the Author
[return to top of this
report]
Geoff Keston is the author of more than 250 articles
that help organizations find opportunities in business trends and
technology. He also works directly with clients to develop communications
strategies that improve processes and customer relationships. Mr. Keston
has worked as a project manager for a major technology consulting and
services company and is a Microsoft Certified Systems Engineer and a
Certified Novell Administrator.
[return to top of this
report]