GUEST POST*: By Daniel J. Haurey, Partners in Regulatory Compliance

*  The content and opinions expressed in this post ARE NOT THOSE OF OLENDERFELDMAN, and instead are those solely of the author.  This post IS NOT LEGAL ADVICE AND IT HAS NOT BEEN REVIEWED FOR ACCURACY BY OLENDERFELDMAN.

Playing Offense.  Frequently Asked Questions on External Penetration Testing

What is a penetration test? 

A penetration test (“pen test”) is a cybersecurity exercise that simulates the activities of a malicious attacker in order to identify vulnerabilities in your IT systems or applications. The aim of conducting a pen test is to understand what vulnerabilities exist in your business systems, how they could be compromised, and what the organizational impact would be if an attacker succeeded.

A pen test goes beyond scanning an organization for vulnerabilities that could potentially be exploited to gain a foothold in a network. During a test, we actively search for weaknesses in the organization’s security measures and then attack them, simulating a real-world attack. This goes beyond pointing out technical deficiencies such as missing patches. We also search for sensitive documents available to the public, gather information on staff in order to conduct social engineering attacks such as spear phishing, and much more.

A great penetration test relies on hands-on-keyboard work, creativity, and skill. Great penetration tests also involve listening to the client’s objectives, producing actionable remediation recommendations, and making the process easy for the organization being tested.

What is the external penetration tester looking for when conducting the pen test?

The company performing the pen test should look for technical weaknesses in the organization such as an unpatched server, services that are misconfigured, credentials associated with the organization from historical third-party breaches and elsewhere, sensitive documents that are exposed to the public internet, and whatever else can and will be used against the organization to compromise their systems and people.

Why would someone want to perform an external pen test?

Some industries require it to meet regulations and industry standards. For example, NY DFS 23 NYCRR Part 500 is a regulation that requires most insurance companies to have quarterly vulnerability assessments and at least one external pen test performed each year. These requirements are intended to help ensure that the organization is aware of its information security weaknesses so it can continuously improve its defenses and protect its customers’ information.

Apart from legal requirements, almost all organizations stand to gain from better cyber-protection and stand to lose if their defenses fail. One of the first steps in hardening an organization’s defenses against accidental or intentional breaches is to determine its weaknesses. That’s where pen testing comes in.

How long does a pen test take to complete, from the start of the engagement, until completion?

This depends on the scope of the engagement. A pen test typically occurs in phases: passive reconnaissance, active reconnaissance, testing, and reporting. The whole test can take anywhere from 2 weeks onward, depending on its size and complexity.

Will the person or people doing the external pen testing need to come onsite to work in our offices, or can this be done remotely? 

An external pen test does not require the tester to be on-site. Rather, it can be performed entirely remotely.

What does the customer receive when the external pen test is complete?

The customer will typically receive a document that details the tester's evaluation of the environment, the attacks carried out, and remediation recommendations. This document should contain a list of the vulnerabilities found, including the IP addresses, hostnames, and ports involved. Remedial action to fix each vulnerability should also be provided.
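As an added illustration (not code from the original post or from PIRC) of how the host, port and hostname details end up in the deliverable, the script below parses a constructed excerpt of Nmap's XML output (`-oX`), keeps only ports Nmap reports as open, and joins that inventory with a constructed list of tester findings so every reported vulnerability carries the IP address, hostname, port, service and remediation the report should list. The XML, the addresses (documentation range 203.0.113.0/24) and the findings are all made up for the example.

```python
"""Join scanner output with tester findings to produce pen-test report entries.

Added example, not from the original post or PIRC. Parses a constructed Nmap
XML excerpt and a constructed findings list; no real hosts or results.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of Nmap's -oX output (two hosts, a few ports); not real data.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="203.0.113.20" addrtype="ipv4"/>
    <hostnames></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed findings, as a tester would record them during the testing phase.
# Each is keyed on (ip, port) so it can be joined to the scan inventory.
FINDINGS = [
    {"ip": "203.0.113.20", "port": 21, "title": "FTP service allows anonymous login",
     "severity": "High", "remediation": "Disable anonymous FTP or replace the service with SFTP."},
    {"ip": "203.0.113.10", "port": 22, "title": "SSH permits password authentication",
     "severity": "Medium", "remediation": "Enforce key-based authentication and restrict source addresses."},
    {"ip": "203.0.113.10", "port": 443, "title": "TLS 1.0 enabled",
     "severity": "Low", "remediation": "Disable TLS 1.0/1.1; allow TLS 1.2 and later only."},
]

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}


@dataclass
class ReportEntry:
    ip: str
    hostname: str
    port: int
    protocol: str
    service: str
    title: str
    severity: str
    remediation: str


def parse_open_ports(xml_text):
    """Return {(ip, port): (hostname, protocol, service)} for ports Nmap reports as open."""
    inventory = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else "(no reverse DNS)"
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are not reportable attack surface
            svc = port.find("service")
            service = svc.get("name") if svc is not None else "unknown"
            inventory[(ip, int(port.get("portid")))] = (hostname, port.get("protocol"), service)
    return inventory


def build_report(xml_text, findings):
    """Join findings to the scan inventory; order by severity, then address and port."""
    inventory = parse_open_ports(xml_text)
    entries = []
    for f in findings:
        key = (f["ip"], f["port"])
        if key not in inventory:
            # A finding that points at a port the scan never saw open is a data-entry error.
            raise ValueError(f"finding references {key}, which was not open in the scan")
        hostname, proto, service = inventory[key]
        entries.append(ReportEntry(f["ip"], hostname, f["port"], proto, service,
                                   f["title"], f["severity"], f["remediation"]))
    entries.sort(key=lambda e: (SEVERITY_ORDER[e.severity], e.ip, e.port))
    return entries


def render(entries):
    """Render the entries as a simple pipe-separated table for the report appendix."""
    lines = ["Severity | IP | Hostname | Port | Service | Finding | Remediation"]
    for e in entries:
        lines.append(f"{e.severity} | {e.ip} | {e.hostname} | {e.port}/{e.protocol} | "
                     f"{e.service} | {e.title} | {e.remediation}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_report(NMAP_XML, FINDINGS)))
```

The join against the open-port inventory is deliberate: it rejects a finding recorded against a port the scan never saw open, which catches transcription mistakes before they reach the customer, and it fills in the hostname from the scan rather than trusting whatever the tester typed. In a real engagement the findings list would come from the tester's notes or vulnerability-scanner export, not a hard-coded list.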

Will we need to shut down our network to conduct the external pen test?

No. The penetration tester will be in communication with the customer. To simulate a real-world attack as closely as possible, it is recommended that business continue as usual. The customer must be mindful of the consequences of alerting staff, especially IT staff and affiliated IT support companies, to a planned test. The penetration test is going to test the reactions of the customer’s staff, IT services company or MSP, and other parties as much as it will test the customer’s technical controls.

Should we expect or plan for outages during the external pen test process?

There should be no service outages except to the extent the test involves attacks such as Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS). Of course, these types of attacks should not be carried out unless requested by the customer.

Is a pen test required to obtain cyber liability insurance?

Many carriers are now requiring external controls testing on an annual basis.

Will our employees need to know that we are performing an external penetration test?

No. Social engineering is included in the exercise, so you do not want your employees to know unless it is absolutely necessary for business reasons.

What software tools are used in an external pen test?

Without giving away all of the secret sauce, some of the tools include Nmap, Tenable Nessus, Burp Suite Pro, Metasploit, Maltego, theHarvester, Cobalt Strike, and more.

The preceding is a guest post from Daniel J. Haurey. Mr. Haurey is a Certified Information Privacy Technologist (CIPT) and founding member of Partners in Regulatory Compliance (PIRC). PIRC is a cybersecurity consulting firm that provides innovative answers to the growing, complex need for cybersecurity in businesses facing regulatory compliance controls. By addressing the full range of digital and human threats to create a compliant, secure environment, PIRC ensures customers are meeting their professional and ethical commitments to protect the sensitive data they work with and store on behalf of their clients.