Penetration Testing: DIY or Hire a Pen Tester?
The best approach may be to do both: Hire a pen tester to get started, and learn to do it yourself for ongoing penetration testing. We give you everything you need to know about DIY and third-party pen testing.
A penetration test, when carried out by outside experts, is the best way to establish how vulnerable your network is from a malicious hacker attack.
But while thorough, third-party penetration testing can be expensive and is effectively out of date as soon as you make changes to your infrastructure or as new vulnerabilities that affect it are discovered.
One way to sidestep both of these problems is to carry out your own network penetration tests.
In this article, we'll discuss both how to do your own security testing and conduct internal penetration testing, and how to find the best third-party service should you choose to hire an outside pen tester.
First, what is penetration testing?
Penetration testing, also called vulnerability assessment and testing or "pen testing" for short, is a simulated attack on your organization's network to assess security and determine its vulnerabilities. These "white hat" attacks are designed to do the following:
- Identify network security issues and other vulnerabilities
- Identify policy compliance failures
- Improve employee awareness of proper security practices
- Assess an organization's effectiveness in responding to an attack.
Pen testing is one the quickest ways to find out if your organization's security is up to the challenge, and if not, what the vulnerabilities are that you need to address.
It's important to point out that carrying out your own pen test won't be as effective as hiring an expert, because expert pen testing requires experience, skill and creativity. Those are qualities that only professional penetration testers (and expert hackers) are likely to have.
Even if your security team has penetration testing experience, many experts believe that a third party coming to your network with fresh eyes is more likely to spot potential problems. Familiarity with your own network can actually leave you blinded to possible security vulnerabilities when conducting on-site security testing.
Nonetheless, having the capability to run your own penetration tests is still a good idea because it enables you to run a test whenever you buy new equipment, install new software or make other big changes to your network, alerting you to obvious vulnerabilities you've overlooked.
Penetration testing: the DIY basics in 7 steps
Think of internal penetration tests as walking around your house and making sure you haven't left any windows open before you go out: It's a sensible precaution that costs almost nothing. Here we share a 7-step penetration testing methodology that should prove useful for many organizations.
In the simplest terms, a penetration test consists of a number of steps:
Step 1: Network enumeration and mapping
Step 2: Reconnaissance
Step 3: Network sniffing
Step 4: Vulnerability scanning
Step 5: Exploit launching
Step 6: Further exploitation
Step 7: Phishing/social engineering
This first step often involves port scanning to work out the topology of a network, and to establish which computers are connected to it and the operating system and services they are offering. Perhaps the most popular tool for carrying out this task is the open source Nmap, sometimes accessed through the Zenmap GUI.
This involves contacting the machines on the network and extracting information from them such as the applications they are running. Reconnaissance can also involve Googling for information about the organization being tested, for example, to find out the names of IT staff and executives. This kind of information can be useful for social engineering and phishing exercises (see Step 7 below). Social media accounts for such people can also reveal information such as pet names, which are often used in passwords.
Network sniffing is used to examine traffic flowing over the network and to search for unencrypted data including passwords or VoIP traffic. The de-facto standard for network sniffing is Wireshark, another open source tool.
A vulnerability scan can reveal whether any machines have insecure versions of software or other known vulnerabilities that can be exploited, or whether any wireless access points are open or have weak passwords. A popular open source vulnerability tool is OpenVAS. Other more specialist scanners can also be directed at web servers to look for vulnerabilities such as cross-site scripting (XSS) errors.
Open source scans can be enhanced by proprietary vulnerability scanners that can alert you to vulnerable applications that could be exploited. These include:
- Nessus Professional
- Rapid7 Nexpose
- Qualys FreeScan
This stage of penetration testing attempts to exploit any known vulnerabilities to gain control of a system. It's important to remember that although a vulnerability scan may reveal a vulnerability, not all vulnerabilities can be successfully exploited or necessarily lead to a serious breach. An exploitation framework like Metasploit contains a database of ready-made exploits that it can match to vulnerabilities, as well as tools for creating and launching your own exploits.
Many security systems are aware of and will detect Metasploit exploits, but it is important to note that a real hacker might tailor their own exploits, so don't be tempted to believe that your infrastructure is safe just because your security systems prevent a Metasploit exploit from working.
Once a single vulnerable system is compromised, you can leverage this to penetrate the network further. For example, if it is possible to access a server's password file, a password cracking tool may then yield valuable passwords. Using the knowledge gained from the reconnaissance phase, these passwords can then be used to compromise more systems and access more data.
Password cracking tools include the offline John the Ripper, for processing password files that are exfiltrated from the network you are testing, or the online open source tool Hydra, a parallelized login brute forcer which can attempt to log in to services such as ftp by trying multiple login/password combinations in a very short space of time.
No penetration test is complete without seeing what access is possible by tricking employees. That means sending out phishing emails or simply phoning them up to try to entice them to reveal login details or other confidential information.
Penetration testing tools, training and Linux distros
No penetration testing tutorial would be complete without a guide to useful pen testing tools. To carry out a penetration test manually you'll need a number of tools including the ones mentioned above. The best way to access all the tools you need in one place is to download an open source Linux security distribution. Recommended distros include:
These distros contain hundreds of other open source tools for network reconnaissance and enumeration, vulnerability scanning, password cracking, wireless security auditing and much more.
The problem with these distros is that if you are not familiar with the tools they contain, it can be difficult to know where to start. One solution is to complete training with some of the tools that you'll find on security distributions.
Some penetration testing training options include the following:
- Penetration Testing Training with Kali Linux. A self-paced online penetration testing course designed for network administrators and security professionals who want to take a serious step into penetration testing. The training is provided by Offensive Security, the creators of Kali Linux and one of the top penetration testing training and certification organizations.
- Metasploit Unleashed. The Metasploit Unleashed ethical hacking training course is provided free of charge and is probably the most complete and in-depth guide available for the famous Metasploit Project penetration testing tool.
- InfoSec Institute's Penetration Testing Online. InfoSec Institute's Penetration Testing Online is a comprehensive online penetration testing course containing over 100 modules and over 100 hours of online training. Because of the amount of material available, most students take a full 60 days to complete the course.
For more open source penetration testing resources, see 10 Open Source Pentest Tools.
Consider automated penetration testing tools
An easier way to carry out your own penetration test is to use an automated penetration testing tool, which will carry out some or all of these steps for your with minimal intervention, or use wizards to guide you.
The benefit of this approach is that it can reveal more straightforward problems on your network. An additional benefit is that less skilled hackers may use some of these tools as well, so by running them before hackers do you are in a position to mitigate any problems found before hackers find them.
Most automated penetration software is supplied as a commercial product. These products include:
- Rapid7 Metasploit
- Immunity Canvas
- Core Impact Pro
The risks of DIY network penetration testing
Before you think about carrying out your own network penetration tests, be aware of what can go wrong. Penetration tests, whether manual or automated, involve unleashing scans and probes onto your network. These could slow it down, make your computers run sluggishly for a time or even crash one or more of your systems, potentially disrupting your business. Because so much can potentially go wrong, get all the training you can – and consider at least starting off with a third-party pen tester.
How to find the right pen testing company
A penetration testing company will use techniques similar to those used by cybercriminals to search for - and attempt to safely exploit - vulnerabilities in your infrastructure. It will then provide a report highlighting any security problems that it discovers.
However, a pen test is only as good as the person carrying out the test, and it's only of value if the penetration tester looks at the right things and reports back to you in a way that's useful.
So how do you choose a penetration testing company?
Establish a company's qualifications
"Lots of IT service companies will say that they can carry out penetration tests for you, but you need to find a credible company that is qualified to deliver them," said Pravesh Kara, a managing consultant at pen testing specialist Perspective Risk.
It's critical to look for a company with specialist penetration testers, and to establish the penetration testing credentials of the person or people who will conduct the test. There are many good qualifications to look out for, including CHECK team leader, Offensive Security Certified Professional and Mile2 Certified Penetration Testing Consultant or Certified Ethical Hacker. Certified pen testers will help you get the vulnerability information you need, and they're also pretty good certs for IT security pros to have in general.
Testimonials or references from customers are also useful to help you establish a penetration testing company's credentials.
Scope the penetration test
Scoping the penetration test will often be defined by your motivation for getting a pen test in the first place. "There is always a driver for a penetration test, and often that is a regulatory requirement or something required by a customer. In that case, the driver defines the scope," Kara said.
For example, if you handle customer credit card information, the Payment Card Industry Data Security Standard (PCI DSS) has a method for testing, so the scope can be defined from that.
But you may decide it is wise to have a penetration test carried out for less well-defined reasons. For example, perhaps you have acquired another company and taken on responsibility for a pre-existing IT infrastructure. "In that case, a good penetration testing firm should be able to help you scope a test," says Mike McLaughlin, a senior penetration tester at First Base Technologies, a penetration testing company.
"Alternatively, you should be able say, 'Here's my budget, tell me how you can use that best'," he said.
Establish expectations for pen test report
Finding someone with the suitable qualifications to carry out a penetration test and ensuring that the scope of the test meets your needs are two key requirements, but don't underestimate the importance of the deliverable at the end of the process: the penetration testing service's report. A penetration test is only valuable if it provides information that can help you improve your security, so the quality of the report is essential.
"At the very least, you should expect a description of every vulnerability discovered and information on how to fix each one," McLaughlin said. "Some firms will also provide a 'management report' of one or two paragraphs of non-technical speak outlining the problems and the risks to the business."
These can help non-technical senior executives appreciate the seriousness of some security vulnerabilities and understand why resources need to be made available to fix them, he said.
Make penetration testing a regular event
A penetration test report is only a snapshot of your IT infrastructure at a single point in time, and it can become out of date very quickly. That means that a penetration test should be a regular event rather than a one-off exercise.
"You should have a pen test at least annually, but the frequency should be decided as an output of a risk assessment," said Kara. "If you have a sensitive system and you make a change, you should test it to ensure that there are no low-hanging fruit."
It is possible to check for very obvious security vulnerabilities yourself using vulnerability scanners and automated penetration testing tools, but these should not be seen as a replacement for a full-blown penetration test carried out by a skilled tester. Automated penetration testing tools won't find less obvious vulnerabilities that require a degree of creativity to exploit.
Another problem with testing your own infrastructure, according to Gartner analyst John Pescatore: "There is an issue when internal people test things, because they fall into a pattern of testing and tend not to find paths through less valuable assets."
Penetration testing pitfalls
This highlights a potential problem with penetration testing companies, too. If you stick with the same penetration testing service for too long, its staff could also fall into "a pattern of testing," as Pescatore puts it. If that happens, they may fail to spot problems which may be more obvious to a fresh pair of eyes.
So should you change your penetration testing company regularly? "A decent pen testing provider will have enough testers to rotate so you can use a different consultant each time for a few years before changing a company," Kara said.
But First Base Technologies' McLaughlin is not so sure that is necessary. "A degree of familiarity with your systems can help, because we are trying to simulate cyber attacks, and criminals won't go in blind," he said. "Cycling suppliers can be a good thing, but if a tester knows your systems, then that can keep the cost of the test down and it can help them focus their energy."
Should you keep staff in the pen test loop?
An important thing you need to decide before a penetration test is whether to let your security and other IT staff know when the test is scheduled.
"If we are doing a check-box test and have administrative access to servers, then everyone should be aware," McLaughlin said. "But if we are simulating an unexpected attack - a so called 'red team exercise' - then you wouldn't let your staff know so you can see how they react."
Minimizing penetration test disruptions
One worry that you may have is that a penetration test could lead to disruption, crashed servers or denial of service for employees or even customers. It's a possibility, Kara said, but worries are probably overblown. "It rarely happens, and we try to do tests without affecting the production environment, but by its nature a pen test is probing the unknown and it can have unknown effects."
This risk can largely be mitigated by good communication, McLaughlin said. "Our tester is always in contact with the client, so if we notice that a server is slowing down, we would notify the client, and vice versa."
The questions you need to ask a penetration testing company
Summing it all up, here are 13 questions to ask when evaluating a penetration testing service:
- What industry certifications does the company have?
- How many penetration testers does it employ?
- Which named individual(s) will carry out the penetration testing?
- What professional qualifications and certifications do they have?
- How experienced are they?
- What assistance can the penetration testing company provide in scoping the tests?
- Does it offer social engineering and phishing testing?
- Can it follow these up with security awareness/anti-phishing training?
- How would it carry out a penetration test, and on what time scale?
- What will the test cost, and under what circumstances might the final cost increase?
- What steps do penetration testers take to minimize possible effects on your business?
- What reports and recommendations will be provided after the test, and how much detail will they include?
- Can the penetration testing company provide testimonials or references from other customers?
Penetration test pricing
One final thing to mention is penetration test pricing. Both Kara and McLaughlin recommend getting at least three quotes for pen tests that are clearly scoped so you know what you are paying for.
Like many things in life, don't forget that when it comes to penetration testing companies, you often get what you pay for. Going for the lowest-cost option with a tester who is under qualified or inexperienced is unlikely to lead to the best outcome.
List of penetration testing companies
Here are a few of the companies offering penetration testing services:
- Perspective Risk
- First Base Technologies