
    Pentesting, or how to take care of cyber security

    Date: 31.03.2022

    Category: Security


    Spectacular bank robberies with a gun in hand and a stocking over the face are history. Modern criminals have moved into cyberspace and use much more sophisticated ways to make a profit. If we do not run regular pentests and do not properly secure our website or network edge, we may learn the effects of a cyberattack the hard way.

    How to protect yourself from hackers? Don’t let them get ahead of you and… hire one of them. This means, of course, an ethical hacker (white hat hacker), who uses pentesting techniques to test how vulnerable systems are to threats.

    Pentesting – what is it?

    A pentest is an ethical hacking attack carried out in a controlled manner, at the request of the owner of the ICT infrastructure, network or application.

    It is used to detect errors that threaten the security of the tested system. The most common causes of security errors are:

    • outdated software or its components
    • wrong configuration
    • software or hardware vulnerabilities
    • insufficient security procedures
    • technical shortcomings
    • carelessness of users

    Pentesters play the role of hackers in this situation, but they work “in white gloves”: their task is to discover system vulnerabilities and to point out the places open to a potential attack.

    How is pentesting performed?

    Pentests should be carried out in a systematic manner and may differ in scope. Most often they are part of an audit of IT systems and infrastructure. Their main purpose is to examine how resistant a given network is to hacking and how effective the security measures are. An essential part of each test is a report that describes the identified problems. It should always contain recommendations for eliminating them effectively.

    The vulnerability of the system to threats is rated on a scale of 1-10 using the CVSS standard (Common Vulnerability Scoring System).

    Pentests – types

    Pentests differ in the level of knowledge about the tested system that is made available to pentesters by the client. We distinguish:

    • white box or crystal box tests with the full knowledge of pentesters, who have at their disposal documentation of the infrastructure project, information on the configuration of network devices or the source code of the website. White box pentesting is used to analyze errors at the system construction level, omitting the end user’s perspective
    • black box tests with minimal knowledge of pentesters – they best reflect a real cyberattack and require a lot of work on the part of testers, whose knowledge may be limited to the address of the website whose security they are testing. Black box pentesting is used to analyze errors at the level of how the system works. It makes it possible to identify behavioral errors that are difficult for developers to detect and, with a creative approach, gives testers a wide field of action
    • gray box tests, a hybrid of the two methods above; here the pentesters’ knowledge covers only part of the examined area. Gray box pentests enable a comprehensive analysis of errors at the level of both the construction and the operation of the system, as well as at the level of end users, based on authorization data from the client

    White box, black box and gray box – comparison of penetration tests

    | White box | Black box | Gray box |
    |---|---|---|
    | Structural testing | Functional testing | Structural and functional testing |
    | Knowledge of the internal structure of the system | Lack of knowledge of the internal structure of the system | Partial knowledge of the internal structure of the system |
    | Knowledge of system functionality | Lack of knowledge of system functionality | Partial knowledge of system functionality |
    | Focused on analyzing the source code | Analyzes the external characteristics and operation of the system | Analyzes both the source code and the operation of the system |
    | Requires programming knowledge and in-depth knowledge of the code responsible for the tested area | Can be carried out by testers with little knowledge of programming, which allows them to approach the perspective of an “ordinary user” | Requires programming knowledge and knowledge of the source code language |
    | The high level of automation allows you to quickly test large parts of your code | Partially automated and/or manual testing can be time consuming | Testing is time-consuming due to its complexity |
    | Identifies errors “from the inside” at the level of code logic, bypassing the end-user perspective | Allows you to identify behavioral errors that are difficult to detect by developers, and with a creative approach, it gives a wide field of action | Allows you to detect both structural (code-level) and functional (use-level) errors |
    | Medium level of detail, medium comprehensive approach | Low level of detail, not a comprehensive approach | High level of detail, most comprehensive approach |

    Basic differences between types of tests

    About pentesting methodologies

    Pentesting methodologies are a kind of guide (especially valuable for novice pentesters) describing which procedures to follow and which actions to take.

    Different methodologies (frameworks) are useful depending on the area we want to test, including:

    However, we will not find technical details or testing algorithms in them. This is why the experience, creativity, perseverance and knowledge of the pentester who conducts the pentest are crucial to its success. The role requires a wide range of competencies, not only technical but also in communication and management.

    How to check the competence of a pentester?

    The technical competence of pentesters is confirmed by certificates, such as:

    • OSCP (Offensive Security Certified Professional) – confirms general technical competence to conduct pentests
    • OSWP (Offensive Security Wireless Professional) – confirms technical competence in testing wireless networks
    • eWPT (eLearnSecurity Web application Penetration Tester) – confirms technical competence in the field of pentesting web applications
    • CEH (Certified Ethical Hacker) – confirms competence in testing systems using the same knowledge and tools as a malicious hacker, but in a legal manner

    Pentesting – FAQ

    What are the phases of a penetration test?

    1. Reconnaissance – a key stage that consists of collecting as much of the data needed to conduct the test as possible
    2. Scanning – checking existing security mechanisms
    3. Exploitation – an attempt to break the security of the system, i.e. a service or an application
    4. Escalation – an extension of privileges and further steps in the network or system
    5. Report – contains a detailed description of the methods used in the cyberattack simulation, detected errors and vulnerabilities, and recommendations for actions to eliminate them

    What are the benefits of performing pentesting?

    • Verification of the effectiveness of system security
    • Examination of the vulnerability of the system to a potential cyberattack
    • Obtaining recommendations for improving system security
    • Avoiding the huge costs associated with system disruption in the enterprise

    How often should pentests be performed?

    The best way to take care of cybersecurity is to conduct penetration tests periodically, at least once a year, and also when changes are made to the systems. After the pentest phase, it is also worth performing a re-test, i.e. verification of the introduced changes (checking whether they have been implemented correctly and have not led to the creation of new security holes).

    How long does a penetration test take?

    Depending on the type, size and complexity of the tested structure, the pentest may last from several days to several weeks.

    Summary

    Steve Morgan, editor-in-chief of Cybercrime Magazine, estimates that in 2025 repairing the losses from global cybercrime will require $10.5 trillion (!).

    Many factors contribute to these year-on-year costs – data loss or destruction, business disruption, theft of money or intellectual property, criminal investigations, restoration or removal of compromised data and systems, and loss of customer trust.

    Our audits show that the most common mistakes are those that can easily be avoided by keeping your software up to date and properly securing your network.

    Everything indicates that prevention is by far the most profitable. And if we want to take care of our cybersecurity, prevention is better than cure.

    Author

    Magdalena Sikorska

    Marketing Specialist at Grandmetric
