When it comes to organizational cybersecurity, sometimes the only way to know your weaknesses is to exploit them. This can be accomplished through a unique form of social engineering – known as penetration testing – which exposes a system’s biggest vulnerability: the people operating it.
Researchers have demonstrated that some of the most successful breaches aren’t carried out by sophisticated cyber attacks against the technology itself. Surprisingly, hackers can often get further in obtaining valued information with just a clipboard and a smile. That’s why penetration testing is such a valuable exercise.
What Is Penetration Testing?
Penetration testing is a form of ethical hacking. Organizations use penetration tests to identify and correct security weaknesses in their computer systems, networks, and applications.
Each individual organization has its own set of security risks, so no two penetration tests are exactly the same. But the primary structure for the process involves gathering information about the organization’s weaknesses, identifying potential entry points, and attempting a break-in.
In short, the good guys try to expose potential problems before the bad guys get the chance to. Think of Nicolas Cage stealing the Declaration of Independence in the film National Treasure. He didn’t do it because he wanted to; he did it to protect it.
The same concept rings true when it comes to penetration testing. Information is collected about security weaknesses and then passed along to the organization’s management team, ensuring that strategic provisions can be made to dispel any chance of a future break-in.
How Is a Pen Test Performed?
Ideally, a penetration test (also referred to as a “pen test”) is performed once a year by a trained white hat hacker – someone who uses their hacking abilities for good. These ethical hackers use the same methods of breaching as black hat hackers (the bad guys), with one key distinction: they’re hired by the owner of the system and perform the attack with permission.
Pentesters typically use automated tools, such as Nmap and Wireshark, that quickly scan software for vulnerabilities that could undermine entire systems. Many of these tools also categorize vulnerabilities based on their severity and generate detailed logs that can be used to improve security.
There are several types of simulated attacks that can be run. In targeted testing, the organization’s IT team works in tandem with the pentester and a “lights on” approach is used – everyone in the organization can see the test in action.
Then there are blind tests, where only one or two people in the entire organization are aware that a test is being conducted. This can be taken further by performing a “black box test,” where the tester doesn’t receive any helpful information from the organization in advance, such as IP addresses.
Tests can be either internal or external. External tests are geared toward an organization’s visible assets, such as their email and web servers. Internal tests mimic threats from the inside that may come from users with access privileges.
Each of these techniques puts employees tasked with protecting cyber systems to the test. Once they’re completed, the real work can begin.
A Day in the Life of a Pentester
Pentesters aren’t dressed up like James Bond in a tuxedo, somersaulting under laser beams and ducking behind walls. They tend to be normal men and women wearing street clothes or suits, blending into the crowd like just another average Joe.
Jayson Street is one of them. A white hat hacker who uses a variety of techniques to expose systems’ vulnerabilities, Street has been a master penetration tester for years. He’s robbed banks in Beirut, compromised insurance agencies in Boston, and even hacked the U.S. Department of the Treasury.
You name it, Jayson Street has probably broken into it. And for most of his jobs, he’s worn jeans and a sweatshirt. He’s one of the best-known penetration testers among businesses and organizations all over the globe, using anything from bash bunnies to rubber duckies and honeypots to pineapples as his “office equipment.”
But there’s something different about Street that makes him unique in the pen testing field. Instead of simply writing up a report detailing the vulnerabilities exposed, like many other pentesters, he takes it a step further. By the end of a job, Street hopes to actually get caught so that he can directly educate those he’s compromised.
“During a job, I will spend the first two days being the worst thing that has ever happened to this business or company,” he explains, “but then on the last day I’ll actually try to get caught. And I’m one of the only people that will take it that far, because I want to talk to every single person I’ve compromised, tell them what went wrong, and educate them on what to do in the future.”
Street is on a mission to stop criminal hackers with education. His work has not only helped countless businesses around the world, but also the individuals he interacts with, by teaching them about the threats that could compromise their home life.
He believes in the power and effectiveness of penetration testing, because he’s seen it work first-hand. “One of the best engagements I’ve ever been on was this year,” says Street. “I’d pen tested the company the year before, and this year, they caught me. Several times. That shows me that my job I did last year worked.”
Street is proof that hacking can be used for good. While it may come to many organizations as a shock how easily he can penetrate their system with a few fibs and a USB drive, it’s better to expose security problems before a bad actor gets the chance.
“When you’re living in a dumpster fire, you’ve got two choices. Go get marshmallows and watch it burn, or try to put it out,” Street describes. “That’s what motivates me. Not just showing where it’s broken, but showing people how to make it better.”