Penetration testing is an effective way of finding out your site’s weaknesses and vulnerabilities. It lets your security team assess how well the site stands up to a realistic attack rather than to a checklist. Moreover, testing regularly can expose exploitable vulnerabilities that were introduced since the last test, by new code, new infrastructure or new configuration.
Finding out your weaknesses and vulnerabilities will help you put in place more robust security. A website’s security, after all, is an important concern for any business that has a digital presence. Unfortunately, the growth in organizations’ digital presence has been accompanied by a growth in cybercrime. In 2021, cybercrime cost companies around the world more than USD$6 trillion. No wonder the threat of cybercrime is at the top of the list of things business leaders worry about. (1) (2)
That’s why cyber security professionals recommend using security measures like penetration testing to help strengthen your website security.
An overview of the penetration test
There are several popular methods of securing a company’s web applications. One of the most popular is penetration testing, or a pen test. A pen test, also known as ethical or white-hat hacking, is a cybersecurity exercise in which a team of “white-hat” hackers simulates an attack against your site to expose weaknesses in your web security. The test can reveal weak spots and avenues of attack that black-hat hackers could take advantage of, before they do.
This test is similar to hiring an expert thief to try to steal valuable paintings and other objects in a museum. If the hired thief bypasses the alarms and other security measures and manages to steal a valuable painting, then security needs to be beefed up. The hired “thief” will then provide details on how security can be improved to prevent actual thieves from succeeding.
Guide on how to perform a penetration test on your website
A pen test can target a web application as well as non-web systems such as internal networks, APIs or mobile back ends. But how is a pen test conducted? Below is a guide to the stages a test normally goes through.
- Planning and gathering intelligence
The first stage is planning and designing a simulated malicious attack on your website. The scope (which hosts, domains and applications may be tested, and which may not), the test’s goals and the testing methods the team will use are all defined and agreed in writing at this stage. Intelligence gathering, or reconnaissance, then consists of collecting information about the target: its digital footprint, IP addresses, sub-domains, mail servers, DNS records, server software and versions, and so on. (3)
Your ethical hacker will map the system during this stage and record potential weak points and how your company’s infrastructure responds to probing. This stage typically takes the most time, as some teams use reconnaissance methodologies that are very comprehensive. The more information they collect about the target, the better they understand the attack surface and the more precisely they can direct the later stages.
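As an added example (not code from the original article), here is the kind of script a tester writes at this stage to turn raw DNS data into a target footprint. The zone-transfer-style records, the `example.com` domain and the addresses in it are constructed sample input, and the list of “interesting” host-name prefixes is the author’s own heuristic, not a standard.

```python
import re

# Constructed sample input: what a zone transfer (dig AXFR) or a set of
# collected DNS records for the target might look like. The IP addresses
# are from the documentation ranges (203.0.113.0/24, 198.51.100.0/24).
SAMPLE_RECORDS = """\
example.com.          3600 IN SOA   ns1.example.com. hostmaster.example.com. 2021110301 7200 900 1209600 86400
example.com.          3600 IN NS    ns1.example.com.
example.com.          3600 IN MX    10 mail.example.com.
example.com.          3600 IN A     203.0.113.10
www.example.com.      3600 IN A     203.0.113.10
mail.example.com.     3600 IN A     203.0.113.25
staging.example.com.   300 IN A     203.0.113.40
vpn.example.com.      3600 IN A     198.51.100.7
dev-api.example.com.   300 IN CNAME staging.example.com.
"""

# Heuristic (an assumption of this example): host names that usually mean
# pre-production or remote-access systems, which tend to be less hardened
# than the public site and so deserve early attention.
INTERESTING = re.compile(r"^(dev|test|staging|uat|vpn|admin|jenkins|git)[.-]", re.IGNORECASE)


def parse_records(text: str, apex: str) -> dict:
    """Turn raw 'name ttl IN type rdata' lines into a target footprint:
    sub-domains, IP addresses, mail and name servers, and CNAME aliases."""
    footprint = {"subdomains": set(), "ips": set(), "mail_servers": [],
                 "name_servers": [], "aliases": {}}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue                      # blank, comment or malformed line
        name, rtype, rdata = parts[0].rstrip("."), parts[3], parts[4:]
        if name != apex and name.endswith("." + apex):
            footprint["subdomains"].add(name)
        if rtype in ("A", "AAAA"):
            footprint["ips"].add(rdata[0])
        elif rtype == "MX":               # rdata = [priority, host]
            footprint["mail_servers"].append(rdata[1].rstrip("."))
        elif rtype == "NS":
            footprint["name_servers"].append(rdata[0].rstrip("."))
        elif rtype == "CNAME":
            footprint["aliases"][name] = rdata[0].rstrip(".")
    return footprint


def interesting_hosts(footprint: dict) -> list:
    """Sub-domains worth a closer look, sorted for stable output."""
    return sorted(h for h in footprint["subdomains"] if INTERESTING.match(h))


if __name__ == "__main__":
    fp = parse_records(SAMPLE_RECORDS, "example.com")
    print("sub-domains :", sorted(fp["subdomains"]))
    print("addresses   :", sorted(fp["ips"]))
    print("mail servers:", fp["mail_servers"])
    print("aliases     :", fp["aliases"])
    print("look here   :", interesting_hosts(fp))
```

The CNAME handling matters in practice: an alias such as `dev-api` pointing at `staging` tells the tester that two names share one host, so a finding on either affects both, and it is one of the first places to look for forgotten, unmaintained entries.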
- Scanning
The white-hat hackers use scanning tools at this stage to look for weaknesses in the network and the applications on it, and to see how those applications react to different intrusion attempts. The testers usually start with automated vulnerability scanners, which fall into two types: dynamic application security testing (DAST) and static application security testing (SAST).
Dynamic analysis examines the application as it runs: the scanner sends requests, including deliberately malformed ones, to the live application and watches the responses for error messages, unexpected behaviour or leaked data. Static analysis, on the other hand, examines the source code or binary without executing it, looking for dangerous patterns such as user input concatenated into a database query. Together, this stage reveals which parts of the system are likely to be exploitable during an attack; the results are leads to be confirmed in the next stage, not final findings, since scanners produce false positives.
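To make the static-analysis side concrete, here is an added example (not from the original article) of a minimal SAST-style check: it parses Python source into an abstract syntax tree and flags every `execute()` call whose query text is assembled at runtime from variables, which is the pattern behind SQL injection. The sample source being scanned is constructed for the example; the rule is deliberately simple (it follows one level of `name = ...` assignment and is not scope-aware), which is also why real scanners report more than they should and their output must be confirmed by hand.

```python
import ast
from typing import Optional

# Constructed sample source to scan: four injectable queries and one safe one.
SAMPLE_SOURCE = '''
def get_user(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")

def get_order(cur, oid):
    q = "SELECT * FROM orders WHERE id = " + oid
    return cur.execute(q)

def get_item(cur, sku):
    cur.execute("SELECT * FROM items WHERE sku = '%s'" % sku)

def get_report(cur, month):
    cur.execute("SELECT * FROM sales WHERE month = '{}'".format(month))

def get_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def _built_at_runtime(node: ast.expr) -> Optional[str]:
    """Describe how an expression assembles a string from variables, or
    return None when it is a plain constant (the safe, parameterised case)."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        if not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant)):
            return "string concatenation or % formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    return None


def find_sql_injection_sinks(source: str) -> list:
    """Flag execute()/executescript() calls whose first argument is built at
    runtime. Returns [(line_number, description)] sorted by line."""
    tree = ast.parse(source)
    # Pass 1: remember simple `name = <expr>` assignments so that
    # `q = "..." + x; cur.execute(q)` is caught through the variable.
    assigned = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            assigned[node.targets[0].id] = node.value
    # Pass 2: inspect the query argument of every execute-style call.
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executescript")):
            continue
        if not node.args:
            continue
        arg = node.args[0]
        if isinstance(arg, ast.Name) and arg.id in assigned:
            arg = assigned[arg.id]          # follow the variable to its value
        reason = _built_at_runtime(arg)
        if reason:
            findings.append((node.lineno, reason))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_sql_injection_sinks(SAMPLE_SOURCE):
        print(f"line {line}: query built with {reason}")
```

Note what the check does not do: it never runs the code and never sees a database, which is exactly the SAST trade-off. It finds the pattern wherever it appears, including in code paths a dynamic scan would never reach, but it cannot tell whether the variable actually carries attacker-controlled input.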
- Getting system access
After the analysis, the pen testers know where your system is likely to be vulnerable. They then try to exploit those weaknesses, using web application attacks such as SQL injection and cross-site scripting to gain a foothold, and, once in, planting backdoors to see how far an attacker could get.
From that foothold the testers attempt privilege escalation, the step real attackers take after gaining entry, in which the limited access they started with (an ordinary user, a web server’s service account) is turned into administrator or root access. They also try intercepting traffic, reaching internal systems and extracting company data. All of this is done to determine the real damage an attacker could cause through the vulnerabilities the team uncovered, which is what turns a scanner result into a confirmed finding with a severity rating.
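As an added example (not code from the original article), the two sides of the most common finding at this stage: a login query that pastes user input into SQL, the payloads a tester submits to bypass it and to dump the user table, and the parameterised version that stops both. The user table, passwords and payloads are constructed for the example, and it runs against an in-memory SQLite database so it needs nothing installed.

```python
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Plain SHA-256 keeps the example short; a real site should store passwords
    # with a slow, salted scheme such as bcrypt, scrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed sample user table for the demonstration (in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)")
    for name, pw, role in [("admin", "N0t-Gu3ssable!", "admin"), ("alice", "alice123", "user")]:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, _hash(pw), role))
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """The weak spot: user input is pasted straight into the SQL text, so
    whatever the user types becomes part of the query's logic."""
    query = (f"SELECT username, role FROM users WHERE username = '{username}' "
             f"AND password_hash = '{_hash(password)}'")
    return conn.execute(query).fetchall()


def login_fixed(conn, username: str, password: str) -> list:
    """The remediation: the query text is a constant and the values travel
    as parameters, so a quote in the username is just a character."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchall()


# Two payloads a tester submits in the username field; the password is irrelevant.
# The trailing "--" turns the rest of the original query into an SQL comment.
BYPASS_PAYLOAD = "admin' --"                                               # logs in as admin
EXFIL_PAYLOAD = "x' UNION SELECT username, password_hash FROM users --"   # dumps every hash


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, bypass  :", login_vulnerable(db, BYPASS_PAYLOAD, "wrong"))
    print("vulnerable, exfil   :", login_vulnerable(db, EXFIL_PAYLOAD, "wrong"))
    print("fixed, bypass       :", login_fixed(db, BYPASS_PAYLOAD, "wrong"))
    print("fixed, exfil        :", login_fixed(db, EXFIL_PAYLOAD, "wrong"))
    print("fixed, real login   :", login_fixed(db, "alice", "alice123"))
```

The first payload is the “getting access” step (the tester is now the administrator of the application); the second is the data theft that follows, and the dumped hashes feed directly into the password-reuse and pass-the-hash problems discussed later in this article.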
- Persistent access
The objective here is to find out whether an attacker who has exploited the vulnerabilities could maintain a continuous presence and secure deeper access to the system. The testers mimic persistent threats that could remain inside the target’s infrastructure for months, which is what makes large-scale data theft and other follow-on attacks possible; they also note whether any of their activity was detected along the way.
During this stage, the pen testers can demonstrate the full effect of a successful cyber-attack on your organization.
- Analysis and submitting the report
This stage is where the testers prepare their report detailing the whole pen test process. The report also includes specific exploitable vulnerabilities, the data accessed, and the time the white-hat hackers remained undetected while in the system. The testers will also note the severity of the risks that can result from the exposed vulnerabilities and which tools can be used for a successful intrusion.
The testers will also note areas where the security was correctly implemented and how to prevent future bad-actor security intrusions. The report is of particular importance and will be perused by the security team to guide them in configuring the web application firewall (WAF) settings, patching vulnerabilities, and other security solutions.
As the report is expected to be read by IT personnel and non-tech managers, there should be a technical report for the IT people’s consumption and an executive report for others.
Common vulnerabilities found during a penetration test and how to remediate them
The testers’ reports include the vulnerabilities they discovered during the test. The vulnerabilities listed below are two of the most common ones that the testers find, and how to remediate them:
- Password reuse
Users who reuse the same password across different sites and systems are exposed as soon as any one of those systems is breached: the leaked password is simply tried against all the others, an attack known as credential stuffing. The same applies inside an organization when one administrator password is reused across many devices, since a single compromised device then gives access to all of them. This is a very common finding, it is relatively easy to avoid, yet left unfixed it can leave gaping holes in your security and make the attacker’s job almost effortless.
This weakness is remedied by using a unique password on every account and device (every switch, IP camera, router, server, etc.). Remembering all of them is not feasible, so administrators should use a password vault or privileged access management solution, preferably one with automatic password rotation so that a leaked password stops working on its own. For end-users, personal password managers are highly recommended. (4)
- Pass-the-Hash (PtH) attack
Hashing means running a value, such as a password, through a one-way function that produces a fixed-size digest from which the original cannot practically be recovered. A system therefore stores and checks the hash of a user’s password rather than the password itself. In a Pass-the-Hash attack, hackers don’t need to “steal” or crack the plain-text password at all. Instead, they obtain the stored hash, typically from the memory of a machine they have already compromised or from its local account database, and present it directly to an authentication protocol that accepts the hash as proof of identity (Windows NTLM authentication is the classic case). To that protocol, holding the hash is as good as holding the password.
A stolen hash, unfortunately, keeps working for as long as the password it was derived from stays the same, and administrator and service-account passwords often go unchanged for months or years. So, once in, hackers who have used this type of attack have ample time to move from machine to machine and do a great deal of mischief.
A few security steps can help mitigate a PtH attack’s impact, such as employing the Principle of Least Privilege (PoLP): limiting the damage by giving users only the minimum level of access required to do their jobs. Fewer people with admin rights means fewer high-value hashes to steal. Give every machine a unique local administrator password (a password-management tool can rotate these automatically) so that one stolen hash does not open every host, and enable the operating system’s credential-isolation features where available. Also, if your organization uses Single Sign-On (SSO) to let users log in to different apps and sites, add multi-factor authentication on top of it, so that possession of a credential alone is not enough. (5)
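To show why a hash is a password equivalent, and why reuse across hosts makes it so dangerous, here is an added example (not code from the original article) serving both of the findings above. It computes the Windows NT hash (unsalted MD4 over the UTF-16LE password; MD4 is implemented inline because `hashlib` lacks it on many current OpenSSL builds), runs a simplified NTLMv2 challenge-response in which the attacker holds only the dumped hash and still authenticates, and then scans a constructed inventory of dumped local-administrator hashes for hashes shared by several hosts. The host names, passwords and the simplified client blob are assumptions of the example.

```python
import hashlib
import hmac
import os
import struct
from collections import defaultdict

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), pure Python. Windows derives the NT hash from it."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):   # round 1
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):   # round 2
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):   # round 3
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """Windows NT hash: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 NTProofStr as in MS-NLMP. Only the NT hash enters the
    computation; the plaintext password is never needed."""
    key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def authenticate_with_hash(stolen_nt: bytes, user: str, domain: str, stored_nt: bytes) -> bool:
    """Simulated exchange: the server holds stored_nt, the attacker holds only
    stolen_nt. Returns True when the server accepts the attacker's response."""
    server_challenge = os.urandom(8)
    blob = os.urandom(8) + struct.pack("<Q", 0)   # simplified: client nonce + zero timestamp
    proof = ntlmv2_proof(stolen_nt, user, domain, server_challenge, blob)     # attacker side
    expected = ntlmv2_proof(stored_nt, user, domain, server_challenge, blob)  # server side
    return hmac.compare_digest(proof, expected)


def find_hash_reuse(inventory) -> dict:
    """inventory: iterable of (host, account, nt_hash). Returns {hash_hex: [hosts]}
    for every hash present on more than one host, i.e. a lateral-movement path."""
    by_hash = defaultdict(list)
    for host, _account, nt in inventory:
        by_hash[nt.hex()].append(host)
    return {h: hosts for h, hosts in by_hash.items() if len(hosts) > 1}


# Constructed sample: local Administrator hashes as dumped from four hosts.
SAMPLE_INVENTORY = [
    ("web01", "Administrator", nt_hash("Summer2021!")),
    ("web02", "Administrator", nt_hash("Summer2021!")),
    ("db01", "Administrator", nt_hash("Summer2021!")),
    ("jump01", "Administrator", nt_hash("x9!Lq2#mVb7t")),
]

if __name__ == "__main__":
    stored = nt_hash("Summer2021!")
    print("login with stolen hash only :", authenticate_with_hash(stored, "Administrator", "WEB02", stored))
    print("same hash after password reset:", authenticate_with_hash(stored, "Administrator", "WEB02", nt_hash("NewPass2022!")))
    print("hashes shared across hosts  :", find_hash_reuse(SAMPLE_INVENTORY))
```

The second call in the usage block is the remediation in action: once the password is changed the stored hash changes with it and the stolen copy stops working. The reuse scan is the check a tester runs on the dumped hashes, and three hosts sharing one administrator hash is reported as a single finding with the blast radius spelled out, since one compromised host hands the attacker all three.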
Final thoughts
Penetration testing is a popular method of strengthening a website’s security. It simulates an attack on the website, exposing the weaknesses and vulnerabilities an organization actually has rather than those it assumes. After the test, the testers submit a report detailing these vulnerabilities, their severity, and how to patch and remediate them. Knowing how these tests are performed gives you an idea of what’s at stake and what to expect from your testers.
References
- “Allianz Risk Barometer 2022: Cyber perils outrank Covid-19 and broken supply chains as top global business risk”, Source: https://www.allianz.com/en/press/news/studies/220118_Allianz-Risk-Barometer-2022.html
- “Global cost of cybercrime topped USD 6 trillion in 2021: Defence firm”, Source: https://www.newindianexpress.com/world/2022/may/11/global-cost-of-cybercrime-topped-usd-6-trillion-in-2021-defence-firm-2452371.html
- “Information Gathering in Penetration Testing”, Source: https://infosecwriteups.com/information-gathering-in-penetration-testing-770e01bab326
- “Password managers: A cheat sheet for professionals”, Source: https://www.techrepublic.com/article/password-managers-a-cheat-sheet-for-professionals/
- “What is the Principle of Least Privilege (POLP)? A Best Practice for Information Security and Compliance”, Source: https://digitalguardian.com/blog/what-principle-least-privilege-polp-best-practice-information-security-and-compliance