Wait...Companies Hire Hackers? Here's Why Pen Testing Is Their Secret Weapon

Have you ever wondered how organisations are able to foresee possible cyberattacks? How is it that all of these large organisations are able to stay secure or at least minimise the number of cybercrimes?

Well, the process is not as simple as you might think. Organisations go through a number of security tests, in which they employ or contract professional hackers to test and break into their systems and applications. This may sound concerning, but these hackers are tasked with doing everything in their power to bypass the organisation's security controls and find exploitable vulnerabilities, so that the system's structure can be improved. We call this activity penetration testing.

How does it work?

In accordance with ethical and compliance matters, penetration testing is conducted on production environments, which allows professionals to work on the organisation's system as a real-world cybercriminal would. Penetration testers, also called "pen testers", are tasked with continuously penetrating the system to find as many vulnerabilities as possible, without having to focus on a specific or limited methodology or set of attack paths. The goal of pen testers is to be the first to identify and exploit a flaw before cybercriminals do, so that the organisation can remediate the flaw and prevent the attack.

There are various types of penetration testing, each assessing a different area (Black Duck, 2017):

  • Application Penetration Testing: vulnerabilities in applications and systems, e.g. websites, mobile applications, APIs, etc.
  • Network Penetration Testing: vulnerabilities in the organisation's network, whether internal or external, e.g. switches, routers, firewalls, WiFi, etc.
  • Hardware Penetration Testing: vulnerabilities on physical devices that are connected to the organisation's network, e.g. mobile devices, computers, printers, etc.

Last but not least, there is social engineering penetration testing. This area is crucial as it represents the vulnerabilities that come from the organisation's employees. These are not tangible vulnerabilities; they are based on human nature and common habits. Most employees are unaware of what they're doing and may subconsciously be putting themselves and the entire organisation at risk. We assess these "cyber hygiene" practices and ensure that employees know what must and must not be done, and what to do in response to a cyber attack.

Pen testers often follow this process (Imperva, 2023):

  1. Planning and Reconnaissance: Pen testers will need to gather intelligence regarding the target's system and define the scope and goals of the attack.
  2. Scanning: Using tools, pen testers will analyse the target's current security and find known weaknesses in the target system.
  3. Gaining access: Once ready, the pen testers will deploy the attack, performing all types of techniques they can to exploit the weaknesses.
  4. Maintain/Escalate: If successful, the pen testers will maintain the breach and try to escalate their access to extend their attack to the system.
  5. Report: The results of the attack will be compiled into a detailed report listing the exploited vulnerabilities, the data accessed, the period for which the attack went undetected, a description of the attack, and more. The report often closes with a remediation recommendation.

This may all look complicated, but there are many common tools and methods of penetration testing that most pen testers use, such as but not limited to (IBM, 2023):

  • Operating systems designed specifically for hacking. This can simply be a platform with built-in penetration testing tools.
  • Password-cracking tools that recover passwords from hashes or try lists of common passwords.
  • Port scanners allow pen testers to remotely scan for open network service ports to breach networks and systems.
  • Vulnerability scanners can be used to quickly scan for potential entryways into the system.
  • Metasploit is a penetration testing framework that helps automate cyberattacks using prewritten code.

Can I do this for a living then?

Ethical hacking is a common term in the cybersecurity world. It is not only about penetration testing; there are several professions and activities employed for legitimate purposes, such as:

  • Red Teamers: Offensive pen testers employed to identify gaps in specific targets using sophisticated real-world attacks and strategies. They often work alongside the "Blue Team" defenders (PricewaterhouseCoopers, 2022).
  • Purple Teamers: A combination of Red Team and Blue Team that looks at the vulnerabilities and also works out a program to remediate them.
  • Bug Bounty: A program designed by organisations for the public to detect and report bugs in exchange for a reward.

So, whether you're a customer or a responsible organisation, it is important to continuously maintain your organisation's security, as we can never know the potential growth of hackers. With the immense growth of technology, this has become increasingly concerning, and without proper protection the losses would be indefinite. Threat actors are getting smarter; even with current incident response strategies for current trends of real-world hacking, there will always be more, and more sophisticated, attacks.

Do you know if your organisation's secured? Are you worried about being the next victim? Let us help you assess and protect your security!

References

Black Duck. (2017). What is Penetration Testing and How Does It Work? https://www.blackduck.com/glossary/what-is-penetration-testing.html#E

Imperva. (2023, December 20). What is Penetration Testing | Step-By-Step Process & Methods | Imperva. Learning Center. https://www.imperva.com/learn/application-security/penetration-testing/

IBM. (2023, January 24). Penetration testing. What is penetration testing? https://www.ibm.com/think/topics/penetration-testing

PricewaterhouseCoopers. (2022, August 4). Red Teaming and Penetration Testing - What’s the difference? PwC. https://www.pwc.com/mt/en/publications/technology/red-teaming-and-penetration-testing.html
