Cybersecurity Consulting
August 25, 2022
5 minutes
When an organization needs experts to help it identify and protect against vulnerabilities in its network, it enlists the help of network penetration testers. But what is network penetration testing?
In this blog, we will discuss what a penetration tester does, what a test looks like, and what kinds of insights penetration testers share with company leaders.
We are joined by DOT Security penetration testers, David Konstant and Nathan Golick, who share some of their observations working in network environments. They use their expertise to proactively identify and correct vulnerabilities before they can be exploited.
David: Network penetration testing is a cybersecurity service in which we try to mimic threat actors.
We identify vulnerabilities and ways to exploit organizations. We then present that information to organization leaders and help them fix those issues to better protect themselves from actual bad guys.
Nathan: We are trying to find as many different ways that attackers could take advantage of the network as possible.
We're not looking for just one quick path in and we're done. We're trying to enumerate all the paths into a network. We look under every rock, if you will, and find as many different things the client should fix before bad actors target them.
Cybercriminals are always developing new ways to hack into networks and search for vulnerabilities. What tools do you use to stay updated?
Nathan: It's a personal hobby of mine to keep up with them. I follow Twitter accounts and blogs where people put out a lot of their research.
There's the blue team side which is the threat intelligence people, watching active attacks. They're publishing information on what they're seeing about how attackers work. We study it and use it in our techniques.
There are a lot of other penetration testers developing their own public tools. So it is like a part-time job, if you will, to keep up with it. It's not easy, but we have a passion for it.
David: We definitely find a lot of personal information that's confidential; that employees and clients wouldn't want to be made public.
We're talking about Social Security numbers, W-2 forms, passwords, or files with lists of passwords to employees' bank or social media accounts. We have seen all of it just sitting in a text file.
Nathan: Essentially, one of the sections of our risk audit talks about data loss prevention (DLP), and that's where we can show our client what someone could find if they breached their network.
This type of data loss could lead to a data ransom or a damaged business. It depends on the client, but there are often sensitive corporate documents on the network.
David: For example, we've done risk audits for engineering firms where we found confidential CAD drawings. These companies wouldn't want that leaked because somebody could use it to replicate their products.
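The kind of exposed-data review described above (Social Security numbers and password lists sitting in plain text files on a share) can be approximated with a small content scanner. The script below is an added example and is not DOT Security's tooling or anything the interviewees described using; the file contents are constructed for illustration, and findings are masked so the scanner's own report does not become another copy of the sensitive data.

```python
import re
from dataclasses import dataclass

# SSN shape with the standard exclusions: area 000, 666 and 9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# "password: ..." / "pwd = ..." style lines, the pattern of an ad-hoc password list.
CRED_RE = re.compile(r"(?i)\b(password|passwd|pwd)\b\s*[:=]\s*\S+")


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str      # "ssn" or "credential"
    snippet: str   # masked/redacted evidence, never the raw value


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits so the report is reviewable but not reusable."""
    return "***-**-" + ssn[-4:]


def redact_credential(line: str) -> str:
    """Replace the secret after the keyword with a placeholder, keep the keyword as evidence."""
    return CRED_RE.sub(lambda m: f"{m.group(1)}=<redacted>", line).strip()


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(path, n, "ssn", mask_ssn(m.group())))
        if CRED_RE.search(line):
            findings.append(Finding(path, n, "credential", redact_credential(line)))
    return findings


def scan_corpus(files: dict[str, str]) -> list[Finding]:
    """files maps a path to its text content; in practice this would walk a file share."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample "share" contents (not real data).
SAMPLE_FILES = {
    "HR/onboarding.txt": "Name: Jane Example\nSSN: 123-45-6789\nStart date: 2022-08-01\n",
    "shared/notes.txt": "bank login\npassword: hunter2\nnetflix pwd = s3cret!\n",
    "eng/readme.txt": "Revision 000-12-3456 (a part id, not an SSN)\n",
}

if __name__ == "__main__":
    results = scan_corpus(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.snippet}")
    print(summarize(results))
```

The `eng/readme.txt` line shows why the exclusions in `SSN_RE` matter: a nine-digit identifier with a `000` area is skipped rather than reported as a false positive. A real deployment would add more detectors (account numbers, W-2 markers, key material) and run over the actual share, but the masking rule is the part worth keeping regardless of scope.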
David: We write a report and we have a meeting with stakeholders to present our report to them.
That way, we can meet with the organization leaders and explain everything to them. We break the report down into the important parts because reports can be very long and very technical.
We make sure that the C-suite stakeholders who make decisions also understand the gravity of what we did and what they need to address.
David: We use almost exclusively open source software that is publicly available to threat actors. It depends on the engagement, but there are public repositories with common tools out there. It's pretty endless.
Nathan: This allows the client to be able to replicate our findings. Using open source tools means it's free to hack into a network. You can just go on the Internet, download, and use them.
Clients can easily see how their networks are exposed. Not all our tools are like that, but the vast majority are.
David: We also send out a phishing campaign to the company employees. A majority of actual hacks start with human error. For example, somebody might click on a malicious link in an e-mail, and that's where it all begins.
In addition to the technical element, we also launch these phishing campaigns to find how aware and careful the users are.
David: Often it is not looking at what page links lead to or not checking where an e-mail is actually coming from. The text in a link can look official, but if you hover over the link, you can see that it might lead you to a different page.
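The hover-over-the-link check David describes can be automated on the receiving side: parse the anchors in an e-mail body and flag any whose visible text names a host that differs from the host the `href` actually points to. This is an added example for illustration, not a DOT Security tool or anything from the interview; the e-mail body below is constructed and uses `example.com` names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A hostname (optionally with scheme) appearing inside the link's visible text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def host_of(url: str) -> str:
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def suspicious_links(html: str) -> list[dict]:
    """Return links whose displayed host is not the target host (or a parent of it)."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        shown = HOST_IN_TEXT.search(text)
        if not shown:
            continue  # plain wording like "Unsubscribe" makes no host claim
        shown_host = shown.group(1).lower()
        target = host_of(href)
        # login.bank.example.com is a legitimate child of bank.example.com;
        # bank.example.com.evil.test is not, because the suffix does not match.
        if target != shown_host and not target.endswith("." + shown_host):
            flagged.append({"text": text, "href": href, "target_host": target,
                            "reason": "displayed host differs from link target"})
    return flagged


# Constructed phishing-style message body (not a real e-mail).
SAMPLE_EMAIL = """<p>Your account needs verification.</p>
<a href="https://bank.example.com.login-verify.test/auth">https://bank.example.com/login</a>
<a href="https://support.example.com/help">support.example.com</a>
<a href="https://example.com/unsubscribe">Unsubscribe</a>"""

if __name__ == "__main__":
    for item in suspicious_links(SAMPLE_EMAIL):
        print(f"{item['reason']}: shown '{item['text']}' -> {item['target_host']}")
```

The first anchor is the classic case: the visible text looks like the bank's own URL, but the real host is a lookalike whose registrable domain is `login-verify.test`. The same comparison is what a user is doing by hand when they hover over a link, which is why a mail gateway or awareness tool can apply it consistently.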
Nathan: Also, storing personal information on corporate-owned machines. We have seen people store personal documents like passports, driver's licenses, all their passwords, and their kids' tax information on company-owned laptops.
If somebody were to get into that device, not only is the company compromised, but any individual user could be compromised too. I see that on every engagement, it's very common.
Nathan: I enjoy decrypting passwords. We reverse them into clear text, so we can often see the clear text version of a number of company passwords. It's interesting to show the client how many users have easily cracked passwords. That's part of the human element of staying secure.
Passwords of up to 16 characters are relatively easy to crack.
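The passwords that fall first to cracking are the ones built from a dictionary word plus the usual substitutions and a trailing year or symbol, and the ones already present in public breach lists. A password filter applied at set-time catches both classes before a tester (or an attacker) does. The code below is an added example, not DOT Security's method or any specific cracking tool; the breach list and dictionary are constructed, and the 16-character minimum is a policy assumption chosen to line up with the remark above.

```python
import hashlib
import re

MIN_LEN = 16  # policy assumption; see lead-in

# Constructed stand-in for a breach corpus, stored as SHA-1 digests the way
# breach-check services typically publish them (never as plaintext).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ["password", "welcome1", "summer2022", "letmein"]
}
# Constructed stand-in for a cracking dictionary; real ones are far larger.
COMMON_WORDS = {"password", "welcome", "summer", "company", "admin", "letmein"}
# Undo the substitutions that rule-based cracking tries first.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "i", "!": "i"})


def stem(pw: str) -> str:
    """Lowercase, drop leading/trailing digits and symbols, then undo leet-speak."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def character_classes(pw: str) -> int:
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def audit_password(pw: str) -> list[str]:
    """Return the reasons a password would be rejected; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("appears in breach list")
    if stem(pw) in COMMON_WORDS:
        reasons.append("dictionary word with simple substitutions or suffix")
    if character_classes(pw) < 3:
        reasons.append("fewer than three character classes")
    return reasons


def audit_users(users: dict[str, str]) -> dict[str, list[str]]:
    """Map each user to the reasons their password is weak; strong ones are omitted."""
    return {u: r for u, p in users.items() if (r := audit_password(p))}


if __name__ == "__main__":
    # Constructed sample of user -> chosen password (not real accounts).
    sample = {
        "alice": "P@ssw0rd2022!",
        "bob": "welcome1",
        "carol": "correct horse battery staple 2022",
    }
    for user, reasons in audit_users(sample).items():
        print(user, "->", "; ".join(reasons))
```

Note that `alice`'s choice passes a naive "has upper, lower, digit and symbol" rule, yet stems back to `password`, which is exactly why it cracks quickly: the substitutions are in every ruleset. A production filter would load the real breach digests and dictionary from files and compare the breach hash by prefix rather than holding the whole set in memory.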
David: For me, it’s enjoyable to demonstrate risk. That is, finding new ways to perform a campaign or getting additional access from different types of attacks.
I think it’s cool to identify these vulnerabilities for the client and show them. We are not hacking to steal any data, but rather to help them stay secure. We are white hat hackers.
Penetration testers mimic the actions of a threat actor to find as many vulnerabilities in an organization's network as possible, so that the organization's data can be secured.
They work to collect findings such as weak passwords, network entry points, and others, to develop a report they can share with company leaders. The majority of the tech they use is available to the public, which means bad actors could use it to compromise a network.
Our DOT Security penetration testers helped us define what network penetration testing is, and walked us through developing a penetration campaign, working with stakeholders, ethically hacking into networks, and providing clients with helpful recommendations.
Penetration testing is a great way to find your business's vulnerabilities. To get started on your own cybersecurity program, use our Cybersecurity Checklist: How Covered is Your Business?