The SolarWinds hack has generated a lot of interest in the networking and cybersecurity spaces, particularly concerning penetration testing, or pen testing. Business and technology managers perform pen testing to ensure their systems are secure. Paradoxically, the SolarWinds hack was discovered when the perpetrators used the breach to steal FireEye’s pen testing software.
What is pen testing?
At its simplest, a pen test is a systematic test suite used by ethical hackers to break into networks and systems. The results are used to shore up the defense systems so malicious hackers are prevented from getting in. More sophisticated enterprises employ their own people to do this function, using a red team approach, borrowed from Cold War military jargon.
External companies, such as FireEye, offer red teaming as a service, which is why the theft of FireEye’s red team tool set was such a big deal. It was a world leader in advising companies on security and led in its red team approach to security assessments.
Beyond providing software-based pen testing systems, some pen testing firms test physical security as well. One provider even has brown trucks and uniforms to resemble a well-known package delivery service. After only a few minutes on LinkedIn, testers can address packages to key company personnel. When the delivery person in brown shorts comes up to a secure facility entrance with hands full, guards sometimes leave their secure locations and open the door for the tester. A request for bathroom access is almost always granted.
The tester can often find time to install a small device to hack into the Wi-Fi or leave behind a USB device in hopes someone plugs it into a PC or laptop. The packages can also contain devices that recipients may plug in, such as USB keys and Wi-Fi-enabled picture frames.
To a high-end pen testing firm, everything is a test.
Enterprises interested in implementing network penetration testing can follow the steps outlined below.
Step 1. Decide penetration type and level
Over the past year, much of the industry has focused on software-based pen testing and avoided physical testing. Taking a software-only approach could be a mistake, as the perimeter has exploded due to industries worldwide migrating to a work-from-home model. Security was relaxed as a result, and malicious hackers know this well. People don’t have guards or mantraps in their homes.
Physical pen testing. Enterprises interested in pen testing need to decide whether to include physical security testing and, if so, can consider using an outside firm.
Software pen testing. If enterprises want to conduct pen testing as a software red team exercise, they can involve an outside firm or set aside personnel and funds to create their own red team.
In either case, enterprises that hire a firm can skip to step 5.
Step 2. Establish a red team
Typically, enterprises looking to create a red team should pick a few younger network and security engineers and one senior staff member. It needs to be a small team, and management has to accept that they will be off their regularly scheduled work. Those that can hire should look for engineers with programming and automation skills. Many certifications are available, such as Certified Ethical Hacker, that management can use as hiring criteria or to train existing staff.
Step 3. Select the tool set
Enterprises can purchase software systems that assist with all or part of the network penetration testing process. On the automation front, Ansible has a large amount of contributed content available for a DIY strategy. Teams can also purchase red team software from firms like AttackIQ or Pcysys to lower the workload.
Some systems can scan a company’s external footprint. Firms like BitSight and SecurityScorecard act like credit scoring companies that look at third-party risk and show partner scores.
Step 4. Run tests
A pen test can be done all at once or in pieces. When teams set up the program, they can work through the environment one element at a time. For example, looking at employee VPN access first might provide some quick hits to prove value. While the rest of the staff remediates any discovered issues, the red team can take on the company’s business partner portal or e-commerce footprint.
Step 5. Review the results
While chief information security officers and CIOs will want to see pen testing results, so too will the highest management levels — chief risk officers, CEOs and, increasingly, the board of directors. So, it’s important for teams to look at this as they would an internal audit for financial controls.
As a result, teams should appoint an executive and a project manager to oversee the following processes:
- assess the report from a risk viewpoint;
- prioritize the remediation work; and
- schedule a follow-up pen test.
Consider both a red team and outside help
Pen testing is a necessary part of any competent network and cybersecurity strategy. Many firms employ internal red teams to scan and improve their system regularly. However, just like with financial audits, a mix of internal and external processes is usually needed. Companies should consider doing both, with an active internal red team that works continuously and an outside firm that conducts annual penetration tests.