- On 8. Apr 2019
With the GDPR taking effect some time ago, a lot of companies are still in deep water trying to both comply with the statutory provisions as well as harmonize internal processes. The stakes are high, and individuals seem to be more aware of the value and privacy of their own data, than ever before.
And as vulnerabilities in everyday products such as smart appliances, routers and other connected devices often make the news, users start to question the underlying procedures (or lack thereof) to secure their private information.
An important and efficient method to improve the security level of networks and various applications is penetration testing. Our SEC Consult senior security experts and ethical hackers here have answered a few of our questions on how pentesting works:
- What is Pentesting?
- What does a pentest reveal?
- When to test?
- What to test?
- What does it cost?
- General recommendations
What is Pentesting and who needs it?
As you may guess from its name, a pentest is a specialized type of information security assessment that inspects how a technology (applications, software components and infrastructure) can be infiltrated by simulating a cyberattack. Expert security practitioners use purpose-built tools and procedures to identify vulnerabilities that can be dormant and undetected simply because software developers and vendors have other goals and employ a different way of thinking than a motivated and skilled hacker.
Today, penetration testing (in short: ″pentesting″) has become a well-established best practice. While this approach was common practice a few years ago, especially in IT-heavy industries such as the finance or telecommunications sectors, pent-up development is advisable or even necessary for all sectors as digitalization progresses.
The goal is to find as many security relevant configuration issues and known vulnerabilities as possible, in addition to previously unknown security issues (so called zero-day vulnerabilities), as in a set amount of time. This approach is called a “timebox” and is generally based on budget, timing and process.
A real attacker does not necessarily stop after infiltrating a certain technology. Personal, classified or other data worth protecting are his grail before he turns to installing malware and gathering all the worthwhile resources he can for later exploit. Needless to say, all of which could jeopardize your company’s image and lead to severe financial and reputational loss.
It is advisable to provide the pentester with sufficient time and to repeat pentests at certain intervals. After several thousand penetration tests, it is clear that there is “always something to be found”.
As security is a non-functional requirement, the service or software may work as designed on its own but still contain a large amount of vulnerabilities that make its use dangerous for any service provider and/or user. These vulnerabilities can originate from the software product itself or result from of misconfiguration of the underlying infrastructure. A pentest reveals what could possibly go wrong in the case of an attack. Every organization, regardless of its size, that processes data or uses digital methods of communication is prone to such a cyberattack. In a digital world like ours, the question arising is then not IF there will be an attack but WHEN.
Are all pentests created equal?
For every request, a pentest. While the goal to penetrate a system in a certain scope might be the common intention, depending on the amount of information provided and the accuracy of that information, each conducted pentest will be customized. When pentesting “blind” – aka “Black Box” testing – the tester has no previous knowledge of the testing environment and would act as your common hacker according to public information available.
In case of “White Box” testing, the hacker – thanks to an insider’s help or information gathered by a previous hack- will gain access to a complete set of documents including accounts with advanced privileges prior to his attack. Combine the two approaches, and we say the pentests are conducted in a “Grey Box” environment.
Thanks to the company’s in-depth expertise gathered over the years and over 800 pentest audits performed every year, SEC Consult has been able to developed an enhanced pentesting method, the “Glass Box”. Particularly sensitive areas are, for example, database connections, registration procedures, integration of external sources, central input and output validation and much more. By giving access to the source code, it offers the best depth-to-effort ratio for optimized results.
What is a glass box test?
The vast experiences across all manner of customers, technologies and breaches have led SEC Consult to the development of the “Glass Box” test. In order to carry out the most detailed risk analysis possible, the pentester is proviced with as much information about the application beforehand. Ideally, auditors have complete information about the application and even the source code of the relevant parts within a set scope.
A Glass Box security audit is a pentest with a manual review on the most safety-critical parts of the scope of the associated source code. Among the particularly sensitive parts, we find database connections, login procedures, integration of external sources, central input and output validation. This procedure offers a very high quality of results according to clearly established costs.
What does a pentest reveal?
The majority of pentesting offerings on the market are related to the exploitation of known vulnerabilities thus concentrating mainly on known breaches. But new previously unknown vulnerabilities in your information system may result in its emergency shutdown or loss of data until remediation is complete. A SEC Consult pentest will also uncover previously unknown, undocumented vulnerabilities known as zero-day vulnerabilities.
A security check is already particularly effective during the decisive stages of development and development.
Sometimes a technical patch is needed, sometimes the flaw is a consequence of an organizational shortcoming. By investing into regular security assessments and continuous training of their employees, technology-driven and security-aware companies aim to minimize the amount of critical risks, a crucial issue in the early stages of design and development.
How about a real-life example?
On any ERP-System, an intruder is not only able to extract corporate secrets, but can also gather and disclose employees, customers and partners’ sensitive information. Consequently, the targeted organization would not only have to face a large amount of privacy complaints but also a PR nightmare. The damages may not stop at theft and disclosure though, a skilled hacker might also be tempted (or paid) to manipulate entries in your database such as mutually agreed contract details, retail pricing and discounts. When such corruption comes to light, if it ever does, the ripple effect might have disastrous consequences on your organization and/or your own career.
Other examples from everyday life include quick-pay terminals at supermarkets and charging stations, smart locks and smart home technology in general. It is the vendor’s responsibility to not only provide secure products and their implementations, but also to make the users aware of potential risks, linked to default/weak passwords, internet-accessible configurations, etc., when using this technology.
When is the best time to do a pentest?
Pentests can be done at all stages in the development or deployment of any IT service. Typically, pentests on individual systems are carried out in the course of the acceptance test shortly before going live.
Is there a bad time to execute a pen test?
At SEC Consult we strongly recommend to not schedule a (first ever) pen test at the last available minute. Essentially, there are two factors against a (first-time) review shortly before the systems are supposed to go live. On the one hand, at this stage, every team is pressed for time to add the finishing touches, as such there is no time left for deep investigation. On the other hand, as the last weeks of any IT project are usually very hectic, any additional security review might lead to more delay (because identified vulnerabilities have to be fixed in time). In case of any architectural problems, you might be looking at a total rework!
In an ideal world – where practical pen tests are employed in logical phases: execute the first pentest after the prototype or staging of the Minimum Viable Product. The second phase is then carried out after finalization of the release candidate and a recheck can be added in the production environment before going live. This phased approach represents Best Practice in the industry and is proven to be the most cost-effective method for minimizing risks associated with application development.
How to decide what to test?
If you are new to pentesting, during your initial consultation our SEC Consult expert will talk you through the process in order to help you define your best timeline and budget. According to the then predefined timeline, you will decide the level of depth you wish us to investigate and which scenario to focus on (e.g. targeted phishing emails). Critical vulnerabilities are generally the les easy to find. As such, investigating every layer of code is essential. Keep in mind that the overall objective of a pentest isn’t to just look over everything superficially and confirm that at first sight all looks good. Most customers want to find what is not so obvious but can have a huge impact down the line of their organization.
A pentest can confirm a CTO’s gut feeling
An expert system administrator usually knows what needs to be improved, in theory, but lacks the practical know-how for issues that don’t have a simple solution or fix. The juicy vulnerabilities are the “soft” ones, that you can approach in different ways In general, a pentest is a powerful tool to assess any given security issues objectively, so that the IT team can document a concrete security strategy informing the next management level how and why found issues need to be addressed.
What does a pentest cost?
Time and Money
The more complex and critical the application, the higher the budget for the pentest. When establishing your budget, bear in mind that a security audit requires a certain amount of configuration and coordination efforts before testing even starts.
A system with financial data relevant to financial transactions should (hopefully) have a larger budget than the canteen’s static HTML website.
Any skilled attacker would put all his effort and expertise to work, to find your sweet spot. In average, pentesting a web app might be done in a couple of days while pentesting a customer service helpdesk of a big telecom company might take weeks. In that case, size matters. A 360° pentest for a DAX company may easily last up to a three-digit amount of days. It really depends on the company and the project itself. Consider the criticality of your application, add the usual daily rates in the IT industry of your country and you have a rough estimate of what to expect.
Summary & recommendations
A pen test is a quick, well-planned and relatively inexpensive measure to analyze the security of a systems at a specific time. It offers the needed transparency and objectivity when handling potential security risks. It is a starting point to evaluate and improve the security status of applications and often required to meet legal compliance.
To find possible loopholes takes time, in testing, as well as preparation. Keep in mind, that an air-tight security is frustrating for hackers, so they will lose interest and move onto an easier target (which isn’t you, hopefully).
Any test is a snapshot in time
A pentest, in particular, is not a proof of absence of security vulnerabilities or finding everything there is (as it is always bound to a time constraint). Changing (ancient) processes and develop awareness for security throughout the company can be very challenging but rewarding on the long run. Regular pentests, a firmware assessment and an appropriate risk management process in your company is a good place to get started.