Penetration Testing: It's Not Just for the Big Companies Any More

David Howard
A penetration tester has many roles to perform in order to get the job done correctly, and there are different types of penetration testing. In a full "unknown" test, the tester knows the company name and nothing else; the company has of course contracted for this tester to try to penetrate its network, but usually only a handful of company employees know of the test and its parameters. The purpose of a test like this is to see whether the company's perimeter and data can be breached by an outsider. This type of "pen test", as it's commonly referred to, is a long-term test that should set off internal company alerts and procedures if a solid policy is in place and those controls are in working order. The second kind of testing is from the inside out. Here the pen tester already knows the network architecture, has been afforded some level of internal access, and is looking at network devices, servers, storage facilities and the people managing them to see whether there are software or policy holes that can be compromised. Of course, the first scenario is the sexiest of them all, and all penetration testers really enjoy the challenge of a "hack", especially when they are also being paid to perform the service. Let's take a few minutes to talk about the penetration test and how one would work. We'll also discuss how much something like this would cost.

So your company contacts a Certified Penetration Tester (CPT) or a Certified Ethical Hacker (C|EH) to see how well your network would withstand an attempted data breach. The pen test has several components and will often last 3-6 months, depending on the size and scope of your network, your employee strength and how in-depth the test is going to be. The pen tester starts out with no current knowledge of the network: not its name, its layout, anything. They begin the process by looking up publicly available information from many sources such as Dun & Bradstreet, Google, Yahoo Finance, domain registration searches, etc. The purpose of this information gathering is to see what the company does (to ascertain the value of the data) and to see what information about network names, IP addresses, corporate officers and other important details is readily available. This gives us a base from which to start. The next step for many pen testers is to attempt some social engineering. This is where we call different, targeted people in your office and try to trick them into giving us information. A common ploy is to call and say: "This is John from tech support/help desk, and somehow we messed up your login account. What was your login ID? Did you have 'beagle' as your password? No? Dang it, sorry about that, what did you have so we can reset that for you?"

Now, many of us in the IT field, or anyone with common business acumen, think we'd hear statements like those and immediately know not to give out that information. The reality is that many people are tied up in their day, busy with things on their mind, and the last thing they want is to think they're going to have trouble logging in and out of their computer to get their job done. On those occasions where someone is smart enough not to give out this information, the tester simply calls someone else within the company and continues trying to glean it. What also should happen, though, is that the person who did not give out information contacts their information technology department to alert them to the attempted social-engineering attack, which should trigger the policies or procedures the company should have in place to defend against such attacks.

Now, social engineering calls aren't the only step in information gathering. There are other methods used to glean information from people, such as posting to public bulletin boards online as a disgruntled employee to see if others will join in and give you information. You may also draw out a current employee who logs on to defend the company, giving you another target for social engineering. Another method is to hang around the company lobby or ride the elevators up and down to overhear corporate conversations that shouldn't be held in the elevators in the first place. Pen testers have also been known to follow employees to lunch and listen to their lunchtime complaining sessions to see what information can be gleaned. So as you can see, this part of the process can be quite time consuming and lengthy, but it is what a "black hat hacker" would do (a black hat is someone who is out to steal your data for profit; a white hat hacker is a certified professional who is trying to help you, such as your pen tester or C|EH).

The next step is to start mapping out the network. There are many tools available to "footprint" your network, the most commonly used being NMAP. This tool in the wrong hands can be deadly to your network, as it not only maps out your network but can also be used to launch attacks. Once your network topology is mapped, the process of trying to break into the data begins. If we already know a user ID/password from our social engineering session, we simply try it and see if we can get in. If not, we try to download the SAM file (the security file on a Windows server holding credential information) and see if we can crack it for the information it holds. There are also other methods of gaining access to a server, or at the very least denying you, the rightful owner, access to the machine. In some cases where a hacker is not successful in breaking into the server, there are methods such as MIB walking, SMB walking, etc. that can afford the hacker the opportunity to make a change to the server that is hard to discover yet takes the server out of commission. While he may not have access to your data, at that point you don't either, and without a valid data backup you're in just as much trouble. Either way, the attacker was successful in some way and your company lost money. This part of the process looks easy on paper, but in fact cracking password files, even with a high-end computer, can take weeks or months in some cases, and brute-force attempts at breaking into servers are also time consuming.

One thing to note: the hacker doesn't have to spend his time constantly trying to get in. Once he has a certain level of information about you and your company, he can set software to do the work. While the attack against passwords is running, he can continue his social engineering attack against your company's employees to try to gain more access. Some employees can access things on your network that others cannot. The more information the hacker has, and the more login IDs he has to try, the better his chances of getting into something critical.

The most common thing that I hear from companies is this: "We don't have anything a hacker could use, so no one would want to break into our system." Let me clear this up right now: EVERY company has something a hacker wants, and that is information. You probably have your payroll or employee records computerized, which is great for identity theft against your employees. You might have customer information, again great for identity theft.

How much does a penetration test cost the client? Depending on size and scope, it could run from $3k or $4k up to $100k. One thing I would caution a company to weigh is this: how much would a data loss or network breach cost you in real money to get things fixed, or in your customers' faith that you can keep their data private, if the breach were to become public knowledge? Ask many of the banks that have been breached whether a $50K pen test would have been worth the money compared with all the negative publicity they received from people knowing their accounts could have been, or were, compromised.

Let me tell you a quick story to end this article. A security professional was called in to help a police detective figure out how, and by whom, money had been stolen from a small concrete business. Over $50k was taken from a bank account with checks made payable to someone the company didn't know. The police suspected a clerk in the office had printed these checks and was cashing them. They wanted the security professional to track the movements of the employee on the network to prove they had accessed the system and printed the checks.

During the security audit, the professional found that the login ID/password of the suspected employee had indeed been used to access the accounting software and print these checks. What the police had overlooked, however, was the IP address from which the employee was logged in, and the fact that the time and date stamps had been modified. It was ultimately proven that the employee was guilty of nothing more than having a weak network password that had been compromised by an attacker. That attacker gained access to the appropriate software, created a fake employee in the system, and set up automatic payroll for that employee complete with direct deposit to an offshore account. The company had been paying this fake employee a salary for almost 3 months at a very high wage, and no one questioned it simply because "he was in the computer, so it must be right". As you can see, no data was stolen; in fact, data was added to the company. But some very real money was stolen. The hacker who did this has never been caught to date, and much of that is because the company thought they had nothing worth stealing in their computers, and they didn't have the appropriate logging methodology and safeguards in place.
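The two things the article says a company should be able to notice, automated password guessing against many login IDs and a valid account suddenly used from an unfamiliar address, are both visible in ordinary authentication logs if anyone looks. The following is an added illustration, not code from the article or its author; it runs over a handful of constructed log lines in a made-up "timestamp user source result" format and flags both patterns.

```python
"""Added example: spot password spraying and logins from a new source
in authentication logs. The log format and all sample values are constructed."""
from collections import defaultdict

# Constructed sample log: one source fails against five accounts in quick
# succession, then succeeds as jsmith, who normally logs in from 10.0.0.12.
SAMPLE_LOG = """\
2010-01-10T08:01:02 jsmith 10.0.0.12 OK
2010-01-10T08:02:10 jsmith 10.0.0.12 OK
2010-01-10T22:14:03 jsmith 203.0.113.7 FAIL
2010-01-10T22:14:09 mjones 203.0.113.7 FAIL
2010-01-10T22:14:15 rlee 203.0.113.7 FAIL
2010-01-10T22:14:21 payroll 203.0.113.7 FAIL
2010-01-10T22:14:27 admin 203.0.113.7 FAIL
2010-01-10T22:31:40 jsmith 203.0.113.7 OK
"""

def parse(log_text):
    """Turn each line into a dict; blank lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({"ts": ts, "user": user, "src": src, "ok": result == "OK"})
    return events

def find_spraying(events, min_accounts=4):
    """Sources whose failed logins span many distinct accounts: the
    'set software to do the work' pattern rather than one user's typo."""
    failed = defaultdict(set)
    for e in events:
        if not e["ok"]:
            failed[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in failed.items()
            if len(users) >= min_accounts}

def find_new_source_logins(events):
    """Successful logins from a source that has never succeeded for that
    user before (a first-ever login builds the baseline and is not flagged)."""
    seen = defaultdict(set)
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        if seen[e["user"]] and e["src"] not in seen[e["user"]]:
            alerts.append((e["ts"], e["user"], e["src"]))
        seen[e["user"]].add(e["src"])
    return alerts

def analyse(log_text):
    events = parse(log_text)
    return {"spraying": find_spraying(events),
            "new_source": find_new_source_logins(events)}
```

Real systems need the same two checks fed from the real log source and a retention policy that keeps the records long enough to reconstruct three months of payroll activity.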

What does your company have to steal? You may contact the author if you need guidance and assistance.

Published by David Howard

I was in the Army and I have been in the Information Technology sector for over 12 years. I am also a Certified Ethical Hacker (C|EH), MCSE, CCNA and A+ certified professional.

  • What is a penetration test?
  • How does a hacker do what they do?
  • How much does something like this cost?

Hacking doesn't always mean someone broke into your network and stole information. Sometimes the goal is to break in and add information, which could be even more costly.

2 Comments

  • Mark, 1/19/2010

    As a security professional myself, I found this article to be pretty spot on to my day to day activity when doing penetration testing. Good job on taking an abstract thought or idea to many, and bringing it out in simpler terms.

  • Wendy Dawn, 1/19/2010

    Excellent, especially for those w/o specific training in this field. (Like me.) : )
