The Art of Network Penetration Testing
eBook - ePub

How to take over any company in the world

Royce Davis

  1. 304 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS and Android

About this book

The Art of Network Penetration Testing is a guide to simulating an internal security breach. You'll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.

Summary
Penetration testing is about more than just getting through a perimeter firewall. The biggest security threats are inside the network, where attackers can rampage through sensitive data by exploiting weak access controls and poorly patched software. Designed for up-and-coming security professionals, The Art of Network Penetration Testing teaches you how to take over an enterprise network from the inside. It lays out every stage of an internal security assessment step-by-step, showing you how to identify weaknesses before a malicious invader can do real damage. Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.

About the technology
Penetration testers uncover security gaps by attacking networks exactly like malicious intruders do. To become a world-class pentester, you need to master offensive security concepts, leverage a proven methodology, and practice, practice, practice. This book delivers insights from security expert Royce Davis, along with a virtual testing environment you can use to hone your skills.

About the book
The Art of Network Penetration Testing is a guide to simulating an internal security breach. You'll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network. As you brute force passwords, exploit unpatched services, and elevate network level privileges, you'll learn where the weaknesses are—and how to take advantage of them.

What's inside
  • Set up a virtual pentest lab
  • Exploit Windows and Linux network vulnerabilities
  • Establish persistent re-entry to compromised targets
  • Detail your findings in an engagement report

About the reader
For tech professionals. No security experience required.

About the author
Royce Davis has orchestrated hundreds of penetration tests, helping to secure many of the largest companies in the world.

Table of Contents
1 Network Penetration Testing
PHASE 1 - INFORMATION GATHERING
2 Discovering network hosts
3 Discovering network services
4 Discovering network vulnerabilities
PHASE 2 - FOCUSED PENETRATION
5 Attacking vulnerable web services
6 Attacking vulnerable database services
7 Attacking unpatched services
PHASE 3 - POST-EXPLOITATION AND PRIVILEGE ESCALATION
8 Windows post-exploitation
9 Linux or UNIX post-exploitation
10 Controlling the entire network
PHASE 4 - DOCUMENTATION
11 Post-engagement cleanup
12 Writing a solid pentest deliverable

Information

Publisher
Manning
Year
2020
ISBN
9781638350712
Category
Cyber Security

1 Network penetration testing

This chapter covers
  • Corporate data breaches
  • Adversarial attack simulations
  • When organizations don’t need a penetration test
  • The four phases of an internal network penetration test
Everything today exists digitally within networked computer systems in the cloud. Your tax returns; pictures of your kids that you take with a cellphone; the locations, dates, and times of all the places you’ve navigated to using your GPS—they’re all there, ripe for the picking by an attacker who is dedicated and skilled enough.
The average enterprise corporation has 10 times (at least) as many connected devices running on its network as it does employees who use those devices to conduct normal business operations. This probably doesn’t seem alarming to you at first, considering how deeply integrated computer systems have become in our society, our existence, and our survival.
Assuming that you live on planet Earth—and I have it on good authority that you do—there’s a better than average chance you have the following:
  • An email account (or four)
  • A social media account (or seven)
  • At least two dozen username/password combinations you’re required to manage and securely keep track of so that you can log in and out of the various websites, mobile apps, and cloud services that are essential in order for you to function productively every day.
Whether you’re paying bills, shopping for groceries, booking a hotel room, or doing just about anything online, you’re required to create a user account profile containing at the very least a username, a legal name, and an email address. Often, you’re asked to provide additional personal information, such as the following:
  • Mailing address
  • Phone number
  • Mother’s maiden name
  • Bank account and routing number
  • Credit card details
We’ve all become jaded about this reality. We don’t even bother to read the legal notices that pop up, telling us precisely what companies plan to do with the information we’re giving them. We simply click “I Agree” and move on to the page we’re trying to reach—the one with the viral cat video or the order form to purchase an adorable coffee mug with a sarcastic joke on the side about how tired you feel all the time.
Nobody has time to read all that legal mumbo jumbo, especially when the free shipping offer expires in just 10 minutes. (Wait—what’s that? They’re offering a rewards program! I just have to create a new account really fast.) Perhaps even more alarming than the frequency with which we give random internet companies our private information is the fact that most of us naively assume that the corporations we’re interacting with are taking the proper precautions to house and keep track of our sensitive information securely and reliably. We couldn’t be more wrong.

1.1 Corporate data breaches

If you haven’t been hiding under a rock, then I’m guessing you’ve heard a great deal about corporate data breaches. There were 943 disclosed breaches in the first half of 2018 alone, according to Breach Level Index, a report from Gemalto (http://mng.bz/YxRz).
From a media-coverage perspective, most breaches tend to go something like this: Global Conglomerate XYZ has just disclosed that an unknown number of confidential customer records have been stolen by an unknown group of malicious hackers who managed to penetrate the company’s restricted network perimeter using an unknown vulnerability or attack vector. The full extent of the breach, including everything the hackers made off with, is—you guessed it—unknown. Cue the tumbling stock price, a flood of angry tweets, doomsday headlines in the newspapers, and a letter of resignation from the CEO as well as several advisory board members. The CEO assures us this has nothing to do with the breach; they’ve been planning to step down for months now. Of course, somebody has to take the official blame, which means the Chief Information Security Officer (CISO) who’s given many years to the company doesn’t get to resign; instead, they’re fired and publicly stoned to death on social media, ensuring that—as movie directors used to say in Hollywood—they’ll never work in this town again.

1.2 How hackers break in

Why does this happen so often? Are companies just that bad at doing the right things when it comes to information security and protecting our data? Well, yes and no.
The inconvenient truth of the matter is that the proverbial deck happens to be stacked disproportionally in favor of cyber-attackers. Remember my earlier remark about the number of networked devices that enterprises have connected to their infrastructure at all times? This significantly increases a company’s attack surface or threat landscape.

1.2.1 The defender role

Allow me to elaborate. Suppose it’s your job to defend an organization from cyber-threats. You need to identify every single laptop, desktop, smartphone, physical server, virtual server, router, switch, and Keurig or fancy coffee machine that’s connected to your network.
Then you have to make sure every application running on those devices is properly restricted using strong passwords (preferably with two-factor authentication) and hardened to conform to the current standards and best practices for each respective device. Also, you need to make sure you apply every security patch and hotfix issued by the individual software vendors as soon as they become available. Before you can do any of that, though, you have to triple-check that the patches don’t break any of your business’s day-to-day operations, or people will get mad at you for trying to protect the company from hackers.
You need to do all of this all of the time for every single computer system with an IP address on your network. Sounds easy, right?

1.2.2 The attacker role

Now for the flip side of the coin. Suppose your job is to break into the company—to compromise the network in some way and gain unauthorized access to restricted systems or information. You need to find only a single system that has slipped through the cracks; just one device that missed a patch or contains a default or easily guessable password; a single nonstandard deployment that was spun up in a hurry to meet an impossible business deadline driven by profit targets, so an insecure configuration setting (which shipped that way by default from the vendor) was left on. That’s all it takes to get in, even if the target did an impeccable job of keeping track of every node on the network. New systems are stood up daily by teams who need to get something done fast.
If you’re thinking to yourself that this isn’t fair, or that it’s too hard for defenders and too easy for attackers, then you get the point: that’s exactly how it is. So, what should organizations do to avoid being hacked? This is where penetration testing comes in.

1.3 Adversarial attack simulation: Penetration testing

One of the most effective ways for a company to identify security weaknesses before they lead to a breach is to hire a professional adversary or penetration tester to simulate an attack on the company’s infrastructure. The adversary should take every available action at their disposal to mimic a real attacker, in some cases acting almost entirely in secret, undetected by the organization’s IT and internal security departments until it’s time to issue their final report. Throughout this book, I’ll refer to this type of offensive-security exercise simply as a penetration test.
The specific scope and execution of a penetration test can vary quite a bit depending on the motivations of the organization purchasing the assessment (the client) as well as the capabilities and service offerings of the consulting firm performing the test. Engagements can focus on web and mobile applications, network infrastructure, wireless implementations, physical offices, and anything else you can think of to attack. Emphasis can be p...
