![]()
1 Network penetration testing
This chapter covers
- Corporate data breaches
- Adversarial attack simulations
- When organizations donât need a penetration test
- The four phases of an internal network penetration test
Everything today exists digitally within networked computer systems in the cloud. Your tax returns; pictures of your kids that you take with a cellphone; the locations, dates, and times of all the places youâve navigated to using your GPSâtheyâre all there, ripe for the picking by an attacker who is dedicated and skilled enough.
The average enterprise corporation has 10 times (at least) as many connected devices running on its network as it does employees who use those devices to conduct normal business operations. This probably doesnât seem alarming to you at first, considering how deeply integrated computer systems have become in our society, our existence, and our survival.
Assuming that you live on planet Earthâand I have it on good authority that you doâthereâs a better than average chance you have the following:
-
An email account (or four)
-
A social media account (or seven)
-
At least two dozen username/password combinations youâre required to manage and securely keep track of so that you can log in and out of the various websites, mobile apps, and cloud services that are essential in order for you to function productively every day.
Whether youâre paying bills, shopping for groceries, booking a hotel room, or doing just about anything online, youâre required to create a user account profile containing at the very least a username, a legal name, and an email address. Often, youâre asked to provide additional personal information, such as the following:
Weâve all become jaded about this reality. We donât even bother to read the legal notices that pop up, telling us precisely what companies plan to do with the information weâre giving them. We simply click âI Agreeâ and move on to the page weâre trying to reachâthe one with the viral cat video or the order form to purchase an adorable coffee mug with a sarcastic joke on the side about how tired you feel all the time.
Nobody has time to read all that legal mumbo jumbo, especially when the free shipping offer expires in just 10 minutes. (Waitâwhatâs that? Theyâre offering a rewards program! I just have to create a new account really fast.) Perhaps even more alarming than the frequency with which we give random internet companies our private information is the fact that most of us naively assume that the corporations weâre interacting with are taking the proper precautions to house and keep track of our sensitive information securely and reliably. We couldnât be more wrong.
1.1 Corporate data breaches
If you havenât been hiding under a rock, then Iâm guessing youâve heard a great deal about corporate data breaches. There were 943 disclosed breaches in the first half of 2018 alone, according to Breach Level Index, a report from Gemalto (http://mng.bz/YxRz).
From a media-coverage perspective, most breaches tend to go something like this: Global Conglomerate XYZ has just disclosed that an unknown number of confidential customer records have been stolen by an unknown group of malicious hackers who managed to penetrate the companyâs restricted network perimeter using an unknown vulnerability or attack vector. The full extent of the breach, including everything the hackers made off with, isâyou guessed itâunknown. Cue the tumbling stock price, a flood of angry tweets, doomsday headlines in the newspapers, and a letter of resignation from the CEO as well as several advisory board members. The CEO assures us this has nothing to do with the breach; theyâve been planning to step down for months now. Of course, somebody has to take the official blame, which means the Chief Information Security Officer (CISO) whoâs given many years to the company doesnât get to resign; instead, theyâre fired and publicly stoned to death on social media, ensuring thatâas movie directors used to say in Hollywoodâtheyâll never work in this town again.
1.2 How hackers break in
Why does this happen so often? Are companies just that bad at doing the right things when it comes to information security and protecting our data? Well, yes and no.
The inconvenient truth of the matter is that the proverbial deck happens to be stacked disproportionally in favor of cyber-attackers. Remember my earlier remark about the number of networked devices that enterprises have connected to their infrastructure at all times? This significantly increases a companyâs attack surface or threat landscape.
1.2.1 The defender role
Allow me to elaborate. Suppose itâs your job to defend an organization from cyber-threats. You need to identify every single laptop, desktop, smartphone, physical server, virtual server, router, switch, and Keurig or fancy coffee machine thatâs connected to your network.
Then you have to make sure every application running on those devices is properly restricted using strong passwords (preferably with two-factor authentication) and hardened to conform to the current standards and best practices for each respective device. Also, you need to make sure you apply every security patch and hotfix issued by the individual software vendors as soon as they become available. Before you can do any of that, though, you have to triple-check that the patches donât break any of your businessâs day-to-day operations, or people will get mad at you for trying to protect the company from hackers.
You need to do all of this all of the time for every single computer system with an IP address on your network. Sounds easy, right?
1.2.2 The attacker role
Now for the flip side of the coin. Suppose your job is to break into the companyâto compromise the network in some way and gain unauthorized access to restricted systems or information. You need to find only a single system that has slipped through the cracks; just one device that missed a patch or contains a default or easily guessable password; a single nonstandard deployment that was spun up in a hurry to meet an impossible business deadline driven by profit targets, so an insecure configuration setting (which shipped that way by default from the vendor) was left on. Thatâs all it takes to get in, even if the target did an impeccable job of keeping track of every node on the network. New systems are stood up daily by teams who need to get something done fast.
If youâre thinking to yourself that this isnât fair, or that itâs too hard for defenders and too easy for attackers, then you get the point: thatâs exactly how it is. So, what should organizations do to avoid being hacked? This is where penetration testing comes in.
1.3 Adversarial attack simulation: Penetration testing
One of the most effective ways for a company to identify security weaknesses before they lead to a breach is to hire a professional adversary or penetration tester to simulate an attack on the companyâs infrastructure. The adversary should take every available action at their disposal to mimic a real attacker, in some cases acting almost entirely in secret, undetected by the organizationâs IT and internal security departments until itâs time to issue their final report. Throughout this book, Iâll refer to this type of offensive-security exercise simply as a penetration test.
The specific scope and execution of a penetration test can vary quite a bit depending on the motivations of the organization purchasing the assessment (the client) as well as the capabilities and service offerings of the consulting firm performing the test. Engagements can focus on web and mobile applications, network infrastructure, wireless implementations, physical offices, and anything else you can think of to attack. Emphasis can be p...
