What is penetration testing, and how to do it? That was the topic of the third meetup of the Cyber Security Essentials training program, instructed by Laura Kankaala from Detectify and Ossi Väänänen from Sanoma. The free training program is organized by Future Female and HelSec, and it is intended for women who are interested in working in cybersecurity or gaining more in-depth technical knowledge. Nixu is hosting the meetups to support diversity in cybersecurity. For the third time this year, we had a house full of ladies learning technical security with hands-on exercises.
Penetration testing is not the only thing in cybersecurity
Laura started the course by explaining what penetration testing and hacking are. Being a hacker is a mindset of breaking things, and it doesn't necessarily have to relate to computers. Hacking is just one aspect of penetration testing and of cybersecurity in general. Ossi continued by explaining penetration testing in more detail and gave examples of tools. To back up Laura's message, he showed a diagram from Microsoft's Secure Development Lifecycle in which, for instance, attack surface detection and fuzz testing, typical activities related to penetration testing, are only a small part of building secure applications.
Pentesting, security audit, vulnerability scan… wait, what?
This is an excellent point to talk about the terminology a bit. You may hear your manager, your colleagues, salespeople, or security consultants using terms like penetration testing or pentesting, audit, security assessment, or vulnerability scan. Different cybersecurity companies might use slightly different terminology. At Nixu, penetration testing means a security assessment where the tester has pretty much a free hand to break into a system or into the infrastructure of an organization. The security consultant might use the available time to investigate one particular weak point in order to get in, so the coverage of the testing might vary. A security assessment typically means checking against predefined and standardized criteria, such as the OWASP Application Security Verification Standard. The scope and extent of the testing are agreed upon based on what is relevant for the system. It is also typically more important to verify whether a vulnerability exists than to exploit it. Both penetration testing and security assessments involve automated testing as well as tool-assisted manual testing. The testers send malicious traffic to the target, observe the responses, and investigate network traffic, error messages, and the behavior of the system to learn what is normal and what is abnormal.
Many cybersecurity companies talk about audits only when a certification, such as PCI DSS, is involved, but in everyday speech the terms audit and assessment are mixed up a lot. Vulnerability scanning, however, although it can be part of a security evaluation, is an automated sweep to find vulnerable components and gives only a glimpse of the security weaknesses the target may have. So be specific about what kind of testing you want.
How to get involved in hacking and pentesting?
A piece of advice from Ossi's talk:
So is this how to be a pentester? Not really. But it emphasizes that to be able to test the security of a system, you need to understand what the target system is supposed to do, find out about the technologies it uses – do reconnaissance – and then select the tools that are useful for that purpose. There are several ready-made tools in testing distros such as Kali Linux, but sometimes it's helpful to know a scripting language so you can make tools of your own or automate your testing. However, as Laura pointed out, programming skills are not necessary for successful white-hat hacking.
Also, learning how to find vulnerabilities and assess the security of computer systems requires practice, patience, and searching for more information whenever you run into errors, new technologies, or new software. This kind of hands-on training was part of the course as well. The demos and exercises during the evening covered dumping passwords with sqlmap and getting admin access, and port scanning with nmap to find attack targets.
Would you like to learn hacking? There are several targets that have been made vulnerable on purpose, and you can practice your hacking skills on them at home. You can read more about these targets in our previous blog post. It's also a good idea to check your local security-related meetups, for example on the citysec.fi website in Finland, to hear about workshops and CTFs and to find new hacking buddies.
Want to keep track of what's happening in cybersecurity? Sign up for Nixu Newsletter.