Here are some things to consider
By D. Greg Scott, Author of Bullseye Breach and Virus Bomb
Do you like tearing software apart and putting it back together again, stronger and better?
When you watch a dramatic live TV news story from a war zone, does the news report get your attention, or do you wonder about all the ways to hack the video transmission?
If you’re a Star Trek fan, when they beam aliens onto the Starship Enterprise, do weak access controls on the ship make you crazy?
Do you laugh at the Hollywood hacker scenes in books and movies and want to grab the producers’ shirt collars and show them how the technology really works?
If you answer yes to questions like that, you might be a natural penetration tester.
Penetration testing (pen testing) means probing for weaknesses in IT networks and finding ways to exploit them before real attackers do it. Like all testing, the exercise is part science and part art form.
Most organizations declare a successful test when the system being tested demonstrates its capability. Testers know this is backward. To a tester, a successful test means the test found a problem. So a successful pen test is one that uncovers a vulnerability, and that is cause to celebrate.
The best pen testers drive developers, system admins, and corporate managers nuts because they’re so good at finding problems. Which also makes them worth more than their weight in computer chip precious metals.
But pen testers need to overcome a challenge.
I surveyed a sample of pen tester job postings recently. They all want people who know a bunch of systems and languages. Some want people who know how to use the organization’s favorite tools and perform system admin functions. Excellent diagnostic and analytical skills are a common requirement. Certifications are often in the mix. And they all want somebody with strong communication skills who can work in a team.
Those skills are all important, but the job postings all miss that intangible quality, that ability to sniff out weaknesses and break things. It’s a shame today’s automated resume scanners don’t have a way to capture it. It’s hard to package in a resume.
So, how does a pen tester job candidate get past the automation? Fair or not, today’s resume scanners look for keywords. So, make the scanners happy and put the appropriate keywords on your resume. This should not be a problem for any experienced tester. Pass the automation gate and score an interview.
The interview is where you shine. Instead of regurgitating all your experience from your resume, apply it. Ask every interviewer a zillion questions about how their departments function. For the HR rep, ask about how the HR process works. Who has permission to look at your resume? What happens if somebody unauthorized looks at it? Who protects it from tampering? For a technical hiring manager, ask about network topology, audit rules, how they store information, who has access to what, and anything else that might seem relevant. How do the right people know the network traffic coming out of here is all legitimate? How do they maintain the encryption keys for sensitive databases? What if somebody gets inside a public-facing web server and starts querying the customer database? How would they find out? Use your creativity.
Their goal is to find out about you. Your goal is to learn about how stuff works around here, or how it works with a typical customer if you’re interviewing with a company that does external pen-testing. The more you find out about how things work, the more you can demonstrate your knack for finding vulnerabilities.
During the whole interview process, you’re running your own verbal penetration test. Smart interviewers should recognize and appreciate it. Especially if you uncover a vulnerability. And the not-so-smart interviewers—if your questions turn them off, better to find out now they’re not serious about finding problems, rather than later.
Does the world need you?
The short answer is, yes.
Here are a few statistics from fall 2019.
- The IT Governance blog reported more than ten billion records lost to cyberattacks in the first nine months of 2019. Source: https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-september-2019-531-million-records-leaked
- A 2017 Clark School study at the University of Maryland found that somebody attacked computers they exposed to the internet every 39 seconds on average. Source: https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds
- My own anecdotal experience over more than fifteen years of setting up custom firewalls suggests automated probes come in from around the world at least every five seconds.
- The SafeAtLast blog says ransomware attacks generated at least $1 billion in revenue for attackers and cost victim organizations more than $8 billion in 2018. Source: https://safeatlast.co/blog/ransomware-statistics/
The statistics are easy to find. They tell an ugly story.
But forget statistics. Just listen to Warren Buffett, when he said, “I don’t know that much about cyber, but I do think that’s the number one problem with mankind.” (Source: https://www.businessinsider.com/warren-buffett-cybersecurity-berkshire-hathaway-meeting-2017-5) More recently, he said, “Well, I think cyber poses real risks to humanity.” (Source: https://finance.yahoo.com/news/warren-buffett-cyber-attacks-131445079.html).
Typical Pen Test Engagement
Great, you landed the job and now you’re leading a pen test engagement. This is when it gets real. Before going any farther, make sure everyone agrees on the scope of the project.
Scoping is critical. Suppose you’ve been asked to probe the HR system, you find something that leads to Manufacturing, and you follow the lead. And then something bad happens in Manufacturing. The acronym RGE, for “resume-generating event,” comes to mind. Without proper scoping, this could be one of those events. Or worse. You’re in a position of trust, and your stated mission is to find out how to make systems break. So, make sure everyone agrees on the scope of the project, and then stay in scope. If something leads beyond the scope, protect yourself by obtaining permission before following it.
The best engagements and the ones you’ll remember forever are the ones where you find a vulnerability so big, they have to stop the whole company to fix it. Everyone will be mad at you at first, but if you do your job right, you’ll end up a hero.
Probe wide first, and then probe deep. Deliver your report and do it all over again.
A few useful tactics
No pen test would be complete without a simulated social engineering attack. Start an email campaign offering free coupons and screensavers. Email people in Accounting about bogus invoices. Email people in shipping about messed up deliveries, with a click-here-for-more link. Tell people their password is compromised and click here to update it. Spear phish a few people. Use your imagination—and then run a seminar about phishing after you catch a few.
Most managers’ eyes glaze over when I talk about port scans. But it’s critical that people understand what they are, and so I try to explain it using physical metaphors. I also use the Gibson Research “Shields Up” test at https://www.grc.com/x/ne.dll?bh0bkyd2.
This is how I describe it.
“Don’t let the word, port, freak you out. Port might be one of the most overused words in the English language. In this context, think of a port as kind of like a topic of conversation. Maybe Alice approaches Bob and says, ‘Hey Bob, let’s talk about websites.’ Except with computers, we give topics of conversation a number. If we want to talk about websites, that’s topic number 80. Secure websites are topic number 443. But we don’t use the word, topic, we call it a port, and we have room for 65,535 of them. The first 1024 are well known, and no, I don’t have them all memorized. I only know a few.
“Anyway, now let’s put Bob in his house and Alice knocks on the front door. That’s kind of what happens in computer conversations. So Alice knocks on Bob’s door and says, ‘Hey Bob, let’s talk about websites.’
“If you’re Bob, you have 3 choices on what to do with that request.
- You can acknowledge it. ‘Sure, Alice, let’s talk about websites.’
- You can say no, or actively deny it. ‘No Alice, not interested.’
- Or you can ignore it.
“What do you think is the worst of those choices? It’s actively denying it, because Bob just told Alice he’s home and doesn’t want to talk. Gibson presents those with purple ‘Closed’ buttons. You don’t want that. If you don’t have whatever Alice wants to talk about, you want to ignore it. Don’t give your adversary any feedback because they’ll use it against you.”
When you’re onsite selling your service and you run this test and find those “closed” boxes, use those as a teaching tool. The customer probably has a misconfigured firewall somewhere, which means the odds are reasonable your proposed pen test will also find other problems.
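Bob’s three answers are exactly what a TCP client observes: a completed handshake, a refusal, or silence. The Python below is an added example, not part of the original article; it assumes the target is a host you administer, and the function names `probe`, `audit` and `demo` and the loopback setup are constructed for illustration.

```python
import socket

def probe(host, port, timeout=2.0):
    """Make one TCP connection attempt and name the answer in the article's terms."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"       # handshake completed: "Sure, let's talk about it."
    except ConnectionRefusedError:
        return "closed"     # a reset came back: "No, not interested."
    except socket.timeout:
        return "stealth"    # silence until the timer ran out: request ignored
    except OSError:
        return "error"      # e.g. no route to host; not one of the three answers
    finally:
        sock.close()

def audit(host, ports, timeout=2.0):
    """Probe each port; return all answers plus the ports that actively refused."""
    results = {port: probe(host, port, timeout) for port in ports}
    refused = sorted(p for p, answer in results.items() if answer == "closed")
    return results, refused

def demo():
    """Constructed loopback setup: one listening port and one with no listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0 lets the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                            # nothing listens on this port now
    try:
        results, refused = audit("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return results, refused, open_port, closed_port

if __name__ == "__main__":
    results, refused, _, _ = demo()
    for port, answer in sorted(results.items()):
        print(f"port {port}: {answer}")
    # Ports in `refused` told the caller a host is there; a firewall that
    # silently drops unwanted traffic would have produced "stealth" instead.
    print("actively refused:", refused)
```

A "stealth" result from a single attempt can also be ordinary packet loss, so repeat the probe before treating it as a deliberate drop.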
To run a proper port scan, every pentester should become familiar with Nmap. It’s one of the most versatile weapons in the arsenal. Here’s a tactical tip. Some firewalls “hide” after a few probes and don’t respond to anything when they detect an intrusion attempt. Work around this by using the “-T0” switch, which Nmap calls paranoid slow. Port scans will take a long time but will be most accurate. See the Nmap documentation pages for more.
After probing wide with a port scan, probe deep into anything interesting the port scan finds. There are scanning tools for pretty much every application, complete with databases of the latest vulnerabilities.
When probing into systems hosted at a cloud service—and this will get more and more common—also dig into the cloud service itself. You care about the thing you’re probing, but you also care about the environment in which it lives. Maybe the cloud service around the app you’re probing will have some juicy vulnerabilities. If somebody had done that with AWS and Capital One, that would have stopped a major data breach incident before it started. But make sure you stay in scope.
Whatever it is you’re probing, whether it’s in a cloud or on-premise, first find out how it works, recon it, and then poke at it to make it break. Find problems, so organizations can fix them before the rest of the world finds them. That’s what pen testers do. The world needs more of you.
About the Author
Greg Scott is a veteran of the tumultuous IT industry. After surviving round after round of layoffs at Digital Equipment Corporation, a large computer company in its day, he branched out on his own in 1994 and started Scott Consulting. A larger firm bought Scott Consulting in 1999, just as the dot com bust devastated the IT Service industry. A glutton for punishment, he went out on his own again in late 1999 and started Infrasupport Corporation, this time with a laser focus on infrastructure and security. In late summer, 2015, he accepted a job offer with an enterprise open-source software company. He is the author of two novels. Bullseye Breach: Anatomy of an Electronic Break-in shows how independent IT contractor, Jerry Barkley, fought back after Russian mobsters penetrated fictional retailer, Bullseye Stores, over a busy Christmas shopping season and stole forty million customer credit card numbers. In Virus Bomb, Jerry Barkley discovers a hostile country attacking the United States over the internet as a prelude to a biological attack, and finds himself again in a position to act. Real superheroes are ordinary people who step up. Even when they don’t want to. Find more information at https://www.dgregscott.com/books/. Both novels are available everywhere books are sold. He lives in the Minneapolis/St. Paul metro area with his wife, daughter, and two grandchildren. He holds several IT industry certifications, including CISSP number 358671. Greg can be reached via email at firstname.lastname@example.org, or dregscott on Twitter. Also check out his YouTube channel, “Greg Scott Public Videos.” His author’s website is https://www.dgregscott.com.