Breaking In to Keep Hackers Out: The Essential Work of Penetration Testers

The penetration test process and types of penetration test

It may sound counterintuitive, but organisations actually pay people to break into their networks.

The reason is simple: to catch a thief, you must think like a thief.

Organisations hire ethical hackers – aka ‘penetration testers’ or ‘pen testers’ – to identify weaknesses in their defences before a criminal hacker exploits them. This helps organisations proactively strengthen their security posture and keep up with the cyber landscape.

Ethical hackers use the same methods as malicious actors, but with the crucial difference of operating within the law and not misusing any information they uncover.

But how exactly does ethical hacking work? And how do you know what type of penetration test you need?

Our senior penetration tester Leon Teale explains.

In this interview

Penetration testing process

What does a penetration tester do, exactly? Can you take me through the penetration test process?

Besides traveling and copious amounts of coffee, you mean?

Jokes aside, this isn’t an easy question to answer, as the process depends on the type of penetration test.

To name just a few, we do:

  • Web application testing
  • Internal network testing
  • External network testing
  • Mobile application testing
  • Simulated phishing attacks
  • Physical social engineering

[We discuss the different penetration test types in more detail later.]

Are you able to generalise the penetration test process at all?

You could break it down into three main parts, starting with the pre-test.

That begins with the first call with the customer, going over what they want tested:

  • For those new to penetration testing, we can offer input and advice if they’re not sure about what they need or what to provide.
  • For more seasoned clients, the call is about estimating how long the test will take, based on their new scope, so we can give them a quote.

We have another call, usually a week before testing, to ensure all information gathered for the tester – dates, times, scope, etc. – is accurate and in line with the client’s expectations. That way, we can resolve any issues before starting the test.

What happens after the pre-test?

The actual penetration test – what I think of as the ‘fun part’.

This involves spending an agreed number of days testing the defined scope, which usually starts with reconnaissance. This means we’re getting the ‘lay of the land’, so we can develop a plan of attack.

Attacks usually consist of both automated tools and manual assessments.

The automated testing covers all ‘low-hanging fruit’. It also helps free up our time for the more manual and specific testing that can only be accomplished by a human performing the tests and chaining together attacks.

What do you mean by “chaining together attacks”?

It might mean, for example, finding a weakness or misconfiguration in a host I can exploit to gain a little access, so I can see more than I could previously.

From there, I try to exploit another vulnerability, and another, and another. And then, before you know it, the entire host is compromised and you have solid evidence [‘proof of concept’ or ‘POC’] to include in your report for the client.

I then refill my coffee cup, and find a new target to try to compromise before time runs out.

What is the final part of the process?

The post-test part: writing the report. That means we collect all evidence and notes from the test, and write up our findings.

Though tools exist to speed up the process, writing a report remains a largely manual process.

This ensures every vulnerability included in the report is a real vulnerability – the penetration tester will have weeded out any false positives.

What information does the report include?

For each vulnerability, we outline:

  • The severity
  • The risk; and
  • The potential effect for that specific client.

We tailor that last bit, as the risk likely changes depending on the environment you’re testing.

That’s why we also include proof of concepts. In fact, this is often key to a vulnerability ‘hitting home’ for a client.

Saying an attacker ‘may be able to get access’ to information inside a database due to poor sanitisation of user input is all well and good, but showing how an attacker actually can gain access to that data – with a screenshot of that database to illustrate the point – hits ten times harder.

We also include remediation advice in the report, specific to the vulnerability, along with reference links, so the client can learn more about that vulnerability if they want.

Types of vulnerabilities

What types of vulnerabilities do you check for in a penetration test?

That depends on the type of test.

For example, for an internal infrastructure penetration test:

  • We review open ports and their services to ensure firewalls are configured securely. We also assess available services to ensure they’ve been suitably hardened and aren’t using default configurations.
  • We review misconfigurations that allow network traffic – particularly user hashes – to be intercepted, which can later be cracked offline. We also check for any sensitive network traffic sent in cleartext.
  • We check patches and research software versions to ensure they aren’t affected by any publicly known vulnerabilities and that the vendor still supports them.
  • We check appropriate and secure authentication mechanisms are in place to confirm user identity. We also establish how the authentication process works and use that information to try to circumvent the authentication mechanism – through username enumeration, for example.
  • We assess the implementation of encryption security around the transmission of communications. This includes checking for common weaknesses in SSL/TLS configurations and verifying that all sensitive data is being securely transferred.
  • We review server configurations and examine how the server communicates to identify any information disclosure that could cause a security risk.

Also, to keep standards high among penetration testers, we follow best-practice methodologies like SANS Institute, OSSTMM [Open Source Security Testing Methodology Manual] and OWASP [Open Web Application Security Project].

Finding this interview useful? To get notified of future
Q&As and other free resources like this, subscribe to
our free weekly newsletter: the Security Spotlight.

Which penetration test type is right for you?

We’ve touched on different types of penetration test a few times now. Can you take me through them?

All sorts of things can be pen tested, ranging from ‘generic’ – such as a web application test – to testing specific, bespoke elements of a piece of software or infrastructure.

To give you a sense of the types of test, I personally perform:

And how can an organisation figure out which is right for them?

In an ideal world, everything would be tested – but, of course, that’s often not possible. From a financial perspective, if nothing else.

So, take a risk-based approach. Prioritise the high-risk areas.

For example, if you’re an e-commerce website, chances are your top three priorities are:

  1. Web application test;
  2. External infrastructure test, depending on whether you host the website on your own servers or if you’re using a Cloud service [in which case, the service provider may already have this covered for you]; and
  3. Internal infrastructure test, if applicable.

It’s all about layers of security.

Layers of security

What do you mean by ‘layers’ of security?

Usually, you start with your external perimeter security – your public-facing assets, which anyone on the Internet can see. Things like:

  • External infrastructure – publicly accessible IP addresses, VPNs [virtual private networks], and so on;
  • Web applications;
  • Mobile applications;
  • Cloud infrastructure; and
  • Phishing assessments – testing your users.

The next layer would then be your internal perimeter – your private space, holding assets not accessible to the Internet. That means you need to be on a private network, like a LAN [local area network] or a VPN, to gain access.

[Tip: A network diagram will make it easy for you to see under what layer your assets fall.]

How would you test your internal perimeter?

With penetration tests like:

  • Internal infrastructure;
  • Wireless assessments;
  • Build reviews; and
  • Firewall configuration reviews.

Even physical social engineering has its place here.

Making sure your server is patched and up to date is great, but if someone can just walk into your building, they could walk out again with sensitive documents or other important assets.

They might even plug in a rogue device to an unsecured network port, which can then create a persistent backdoor into the network, which anyone on the Internet could use.

Physical insecurity can put you as much at risk as cyber insecurity.

Test your internal infrastructure

Work with one of the leading penetration testing companies in the UK, offering one-to-one expert advice at any of the engagement.

Have an expert penetration tester like Leon conduct an Internal Infrastructure Penetration Test.

We’ll use advanced testing techniques to ensure your servers, networking equipment and other internal infrastructure are secure.

Identify vulnerabilities within your infrastructure, and act promptly with our prioritised action plan and remediation guidance.

Don’t take our word for it

Here’s what our customers say:

Gordon:

We have used IT Governance for Consulting services and Training; however, when I signed up for the penetration testing, I was surprised at the slightly high price.

However, the consultant was excellent, helpful and very thorough. The report which was clear and easily understood by technical and senior management, who had not realised the potential issues which I had been concerned about.

I will certainly be using IT Governance again for Penetration testing and other consultancy services.

Josh:

We use IT Governance’s pen testing consultants for engagements with high value clients.

We trust their team exclusively. Their work is phenomenal, prove time and again to be one of the most important investments our clients make regarding improving cyber maturity.

Reports are thorough, yet very understandable. The communication during all phases of pen testing activities is superb.

IT Governance is our most trusted partner, and we highly recommend utilizing their expertise for penetration testing.

About Leon Teale

Leon is one of our senior penetration testers. He has more than ten years’ experience performing penetration tests for clients in various industries all over the world.

In addition, Leon has won hackathon events in the UK and internationally, and is accredited for multiple bug bounties. He’s also been featured in various articles in the press relating to cyber security.

We’ve previously talked to him about secure remote working, the CVSS (Common Vulnerability Scoring System), and mega breaches MOAB (mother of all breaches) and RockYou2024.

We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.

If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter.

Alternatively, explore our full index of interviews here.

Leave a comment

Your email address will not be published. Required fields are marked *