How pentesting absolutely makes you forget about the operation’s failure — CyberForged
Let’s start quickly: Who hasn’t ever been in a critical project that needs to be released as soon as possible and suddenly the cybersecurity team has said that it can’t be released without passing a pentesting? This is a very normal situation and due to the lack of information, it usually provokes a feeling of betrayal or uselessness towards the pentesting process itself.
The fact is that, feelings aside, going through the pentesting process before releasing any system to the wild world of the Internet is inevitable, or at least it should be. It is an absolutely crucial process for the proper development of any software-based project.
Cool. Ok. That’s fine. But… WHAT THE HELL IS PENTESTING?
Let’s explain it a little bit at a time 😉
WHAT THE HELL IS THIS
Pentesting is a testing process in which the system is subjected to predefined attacks that it is supposed to suffer in a real environment. We can take it as a kind of rehearsal of a theater play before the general public comes to see it: First, we show it to theater experts, we see what they say and what they criticize, we solve it and then we go out to the general public and wait for that great ovation that we deserve.
Precisely for this reason, pentesting is a totally indispensable tool for a project to expose its systems to the public: What we do is try to attack the system in real ways, with attacks that mimic real-world hackers, hoping to find some vulnerability or weakness in the system. If we find them it will mean that there are things we need to fix before the world at large (Internet) can make use of the system.
Sounds simple, doesn’t it? If we have a list of automated attacks, it’s almost a matter of pressing a button and waiting for the results. Well, nothing could be further from the truth. The process of pentesting is only as good as the white hat hackers who do it. It’s almost an art.
The art of pentesting
Let’s imagine the following: we want to get a haircut because due to the COVID-19 quarantine we haven’t had a chance to go. The thing is that we have recently moved, and we do not know the quality of services in the area, so we just go to the first one. We stand at the door and we see how they cut hair, and how the people are leaving the store with the cut hair.
Would you go in if you saw people coming out with strands of hair hanging down the sides of their heads? You wouldn’t, would you? You would think that the people inside working, even if they are hairdressers, are not very good.
Well, it’s the same in pentesting: A white-hat hacker may be a hacker by name, but if he doesn’t do his job well, it’s exactly the same as doing nothing. The hired hacker must do much more than just hit a button on a tool, he must also perform manual testing in order to push the system to the limit and discover what is normally overlooked by anyone that is not in the cybersecurity field.
This situation of not just pushing a button is accentuated when we think that EVERY MINUTE hackers in the real world invent new ways to attack our systems. Automated tools are not updated with the speed of the real world, so it is extremely important to make sure that the hacker (or team of hackers) that is testing our system, is a professional and not just a “script kiddie” (which is what they call hackers who only know how to do that, push buttons without thinking about anything).
Well, now that we understand what pentesting is, and that a hacker must be very professional and not just a “script kiddie”, how does pentesting work?
The phases of a pentesting
I think a picture is worth a thousand words, so let’s take a look at the next one:
- Planning: The participants in this phase are both the managers and technicians working on the project, as well as the hacker(s) who will perform the pentesting process. In this phase the technical conditions are agreed (for example, in what hours it is going to be done) and economic (amount of money per hour, incentives if vulnerabilities are found…) of the pentesting and above all, the limits of this. It is very important to define the limits, to which objectives and machines the pentesting should be directed and how far it should go. It is not the same that the hacker finds a vulnerability and is able to burn the server than agreeing that if the hacker finds a critical vulnerability, simply report it to us. Once we are all on the same page, we move on to the next one.
- Information gathering and discovery: From here until the reporting phase, only the hacker has work to do. In this phase, the hacker will try to get as much information as possible from the servers to attack. It should be noted that this information can be public (on the Internet) but he can also ask the project or even use social engineering techniques to extract what he needs.
- Vulnerability scanning: Cool. Now that he has all the information he needs about the systems, he goes on to recognize them. In this phase, he will try to discover, thanks to automated tools and his knowledge, the vulnerabilities that exist in the systems.
- Exploitation: When the hacker finds vulnerabilities, he must exploit them. That is to say, it is not the same thing to find something that to really show that this something (the vulnerability) is dangerous and that it really has an impact on the system. There are many times that vulnerabilities are discovered, but because of the characteristics of the system, there is no way to make those vulnerabilities active or useful to a hacker, so those vulnerabilities, although present, do not pose a direct threat to the system. This phase will also depend on what was agreed upon in the planning phase and the limits of the pentesting.
- Reporting: Along with the planning phase, the most important phase of the pentesting process. In this phase, the hacker prepares a document with all the discoveries he has made (vulnerabilities, exploits…) and presents it to the project. If there are critical vulnerabilities, the project will have to solve them in order to start the pentesting process again to validate the solutions provided.
And that’s it. If we have arrived here, it means that our system would be ready to go out to the Internet.
CAUTION: There is a widespread belief that if a pentesting process has been passed, the system is free of risks. This is not true for two reasons: The first is that the Internet world invents new ways to break systems every day, so pentesting must be periodic. The second is that, in the world of cybersecurity, there is never 0 risk, since, for example, the hacker who has done the pentesting may have been more absent-minded than usual and may not have seen certain vulnerabilities that a real-world hacker could see. For this reason, cyclic pentesting should always be planned based on the criticality of the system.
So that’s it for today. I hope you liked it; do you have any comments? Leave it in the comment box below!
Originally published at https://cyberforged.com on February 19, 2021.