Pen tests. Conduct, automate or not worry?

The statement that prevention is better than cure also applies to the health of your company's IT infrastructure and to its cybersecurity. Prevention means finding and closing the vulnerabilities that attackers would otherwise use against the targeted enterprise. Cybercriminals aim to steal data, sell it to competitors or act on their behalf, paralyse the IT infrastructure, or undermine credibility and ruin the company's image. In addition, you must remember that a great deal of malware circulates on the Internet that can harm any organization connected to it, regardless of whether it has been singled out as a target.

Pen tests, exploits and vulnerability scanners

One of the processes that enables the detection of these vulnerabilities is pentesting, also known as penetration testing, a pen test, or ethical hacking. It consists of conducting a controlled attack on an ICT system in order to assess its actual security posture in practice, in particular the presence of known vulnerabilities and the system's resistance to attempts to breach its security.

Checking the resilience of applications, systems, servers, and services can be done manually by pen testers, the "ethical hackers". It is worth remembering, however, that information about new vulnerabilities, new "backdoors", and new software updates appears every day, so protection of this type should be an ongoing process rather than a one-off exercise.

It is worth explaining the term "exploit" at this point. An exploit is a piece of code, a complete program, or an attack technique that takes advantage of a security flaw in an operating system or in specific software. An infrastructure component (a server, workstation, network device, or system) is exposed during the "vulnerability window", that is, from the moment the vulnerability becomes exploitable (its disclosure or the first use of an exploit) until the fix is actually applied, i.e., the security patch or software upgrade is installed. Note that the window closes when the patch is installed, not when the vendor publishes it. Because more and more organizations are looking for such holes in their software, they run "bug bounty" programs (cash rewards are paid for reporting vulnerabilities) or turn to vulnerability brokers, who pay significant sums for specific vulnerabilities in infrastructure and software.

The other side of the coin are platforms that chain exploits together to gather information illegally and break security, used by specialists and hackers alike. The Pegasus spyware is an example of this type of tool.

Vulnerability scanners are specialized tools that check networks, servers and applications for known vulnerabilities and misconfigurations: they enumerate hosts and exposed services, fingerprint software versions and compare them against vulnerability databases, and probe for common weaknesses. A scanner finds weaknesses; it does not monitor activity in the infrastructure (that is the job of monitoring and intrusion detection tools), and it does not by itself protect the organization against a breach. Protection comes from acting on its findings: patching, reconfiguring, or removing what it reports.

Hackers also scan

We must be aware that hackers are armed with similar tools. Their purpose, however, is not to detect vulnerabilities in order to patch and eliminate them, but to use them for hostile attacks and to take over sensitive data. In practice, an attacker's scan of the same exposed services is often the first visible step of an intrusion, so whatever a scanner can find from the outside, an attacker can find too.

An additional category of IT security tools are hybrid security scanners. They combine the advantages of automated security tests with the work of a team of pen testers, who verify the tool's output and weed out the so-called false positives, i.e., reports of problems that pose no real threat to the organization but distract specialists from the actual threats to the infrastructure.

The next generation: hybrid vulnerability scanner

The operation of a hybrid vulnerability scanner will be presented using the ReconMore solution as an example. Cooperation starts with defining the scope of the tool's operation: the domains, network resources and other infrastructure elements that are to be scanned.

In the first stage, reconnaissance, the infrastructure behind the customer's domains is mapped from external sources: public websites, certificate providers' records (such as certificate transparency logs), web archives, data extracted from the network, and DNS techniques. In the second stage, the resources, subdomains and search results found during reconnaissance are treated as potentially exploitable places, and the resulting list of exposure points is handed over to the exploitation stage. The exploitation stage analyses the newly detected vulnerabilities across the various security aspects, and its results are passed to a team of pen testers, who retest selected areas.

The final stage is verification by the pen testers: removing false positives from the report, prioritizing the findings, and forwarding the report of new vulnerabilities, with proof of their occurrence and examples of their exploitation, to the end user of the tool. The pen testers also prepare recommendations for removing the vulnerabilities and support the customer in eliminating them. While these activities run in parallel, the scanner itself keeps running, so protection of the infrastructure is continuous.
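The reconnaissance stage described above, as an added example that is not ReconMore's code or any other part of the original article: it takes certificate-transparency records (a constructed sample in the shape of crt.sh's JSON output) and DNS answers (also constructed, standing in for a live resolver), keeps only names that really fall under the in-scope domain, and separates live hosts from dangling names that still appear in public records but no longer resolve, the "forgotten temporary subdomain" case. The domain `example.com`, the addresses and the hostnames are all sample values.

```python
"""Added example (not ReconMore's code): minimal external reconnaissance.

Input: certificate-transparency records and DNS answers, both constructed
inline so the example runs offline. Output: in-scope hostnames, split into
live hosts and dangling names that no longer resolve.
"""
import json
import re
import socket

# Constructed sample in the shape of crt.sh's JSON endpoint
# (https://crt.sh/?q=%25.example.com&output=json): "name_value" may hold
# several newline-separated names, mixed case and wildcard entries.
CT_SAMPLE = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com"},
    {"common_name": "staging-2019.example.com", "name_value": "staging-2019.example.com"},
    {"common_name": "api.example.com", "name_value": "API.Example.com\napi-old.example.com"},
    {"common_name": "example.com.evil.net", "name_value": "example.com.evil.net"},
    {"common_name": "notexample.com", "name_value": "www.notexample.com"},
])

# Constructed DNS view: what a resolver would answer today. Names absent
# here are dangling: present in public records but no longer resolving.
DNS_SAMPLE = {
    "example.com": "203.0.113.10",
    "www.example.com": "203.0.113.10",
    "api.example.com": "203.0.113.20",
}

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def in_scope(name, scope):
    """True if name equals a scope domain or is a subdomain of one.

    The dot-anchored suffix check is what keeps look-alikes such as
    example.com.evil.net or notexample.com out of scope.
    """
    return any(name == d or name.endswith("." + d) for d in scope)


def names_from_ct(ct_json, scope):
    """Extract, normalise and scope-filter hostnames from CT records."""
    found = set()
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").split("\n"):
            # lower-case, drop a leading "*." so wildcards map to their base
            name = raw.strip().lower().lstrip("*.")
            if HOSTNAME_RE.match(name) and in_scope(name, scope):
                found.add(name)
    return found


def classify(names, resolve):
    """Split names into {name: address} for live hosts and a set of dangling ones.

    `resolve` must behave like socket.gethostbyname: return an address or
    raise OSError when there is no answer.
    """
    live, dangling = {}, set()
    for name in sorted(names):
        try:
            live[name] = resolve(name)
        except OSError:
            dangling.add(name)
    return live, dangling


def recon(ct_json, scope, resolve):
    """Full pipeline: CT records -> scoped names -> live / dangling."""
    return classify(names_from_ct(ct_json, scope), resolve)


def sample_resolver(name):
    """Offline stand-in for socket.gethostbyname with the same failure mode."""
    try:
        return DNS_SAMPLE[name]
    except KeyError:
        raise OSError("no address for %s" % name)


if __name__ == "__main__":
    # Pass socket.gethostbyname instead of sample_resolver to run against
    # real DNS (network access required).
    live, dangling = recon(CT_SAMPLE, ["example.com"], sample_resolver)
    for name, addr in live.items():
        print("live     %-28s %s" % (name, addr))
    for name in sorted(dangling):
        print("dangling %s" % name)
```

Two details matter in practice. The scope check must be anchored on a dot boundary, otherwise a name such as `example.com.evil.net` is reported as the customer's asset (or, worse, scanned without authorization). And the dangling names are not noise to discard: a subdomain that has lost its DNS record may still have a forgotten host behind an old address, or may point at a cloud resource that someone else can now register, so they belong in the report alongside the live hosts.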

Traditional vulnerability scanning is usually based on tools that not only require a complex deployment and configuration process but can also put a significant load on the scanned infrastructure, which is why scan intensity and scan windows need to be agreed with the owners of the systems. In addition, if an organization uses a scanner without the support of a team of pen testers, then despite the investment in the tool, a team of specialists is still needed to analyze the results, judge the importance of individual findings, and weed out the so-called false positives.

A scanner like an explorer

What types of vulnerabilities appear most often? In websites and web applications, typically SQL injection. Often the scanner's findings are the results of human error: deeply hidden resources, or temporary subdomains that were used for a while, then forgotten, and now can serve as an entry point into the infrastructure and a source of data, e.g., log files containing sensitive data, or the account data of service users that grants access to an online store. Abandoned copies ("dumps") of databases are also common, and an efficient cybercriminal can extract sensitive data from them. Finally, in IT companies, especially software houses, the lack of proper procedures for writing and maintaining their own source code, combined with careless sharing of that code among employees, creates the risk that the work of the development teams, if not of the entire company, will be taken over.
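The SQL injection named above as the most common web finding, as an added example that is not from the original article: a login lookup written the vulnerable way (the query is assembled from raw input) next to the same lookup with bound parameters, run against an in-memory SQLite database with constructed sample accounts. The table, the user names and the passwords are sample values; plain SHA-256 is used only to keep the example short and is not a recommended password hash.

```python
"""Added example (not from the article): SQL injection in a login lookup.

login_vulnerable() interpolates user input into the SQL text, so the
input `admin' --` turns the password check into a comment and logs in as
admin without the password. login_safe() binds the same values as
parameters; the database never parses them as SQL.
"""
import hashlib
import sqlite3


def make_db():
    """In-memory database with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in [("admin", "Correct-Horse-Battery"), ("alice", "hunter2")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, _hash(pw)))
    return conn


def _hash(password):
    # SHA-256 only to keep the example short; use a slow, salted hash in practice.
    return hashlib.sha256(password.encode()).hexdigest()


def login_vulnerable(conn, username, password):
    """Returns the authenticated username or None. VULNERABLE: string-built SQL."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
        % (username, _hash(password))
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same lookup with bound parameters; the fix for the function above."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"  # closes the string literal, comments out the rest
    print("legit, vulnerable :", login_vulnerable(db, "admin", "Correct-Horse-Battery"))
    print("payload, vulnerable:", login_vulnerable(db, payload, "anything"))
    print("payload, safe      :", login_safe(db, payload, "anything"))
```

With the payload, the vulnerable query becomes `... WHERE username = 'admin' --' AND pw_hash = '...'`: everything after `--` is a comment, so the password condition disappears and the function returns `admin`. The parameterised version looks for a user literally named `admin' --`, finds none, and returns `None`. A scanner typically detects this class of bug by sending inputs like the one above and comparing responses; the fix is always the same, bind parameters instead of building SQL from strings.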

The human dimension

Why is it worth looking for hybrid solutions? Such services make it possible to use pen tests, and to implement the recommendations that follow from them, as a "black box" service. As a result of the hybrid security scanner's work, we get curated information on the most dangerous vulnerabilities together with proposed solutions prepared by experienced specialists, without having to employ those specialists in our own organization.

As a result, the subscription includes not only the software itself, which constantly checks the state of our infrastructure and its resistance to cybercriminal attacks, but also the competences of the pen testers who oversee the effective use of its results.

Are vulnerability scanners a must? It is a rhetorical question. For every organization that operates its own infrastructure or offers its systems to clients, they are now a necessity. Let us be vigilant and ensure our safety. Vulnerability scanners have become an indispensable element of the security ecosystem.

Author: Przemysław Kucharzewski

About Przemek Kucharzewski

Co-founder and VP Sales at Cypherdog Security Inc., a vendor of solutions for encrypted communication. Przemek has 26 years of experience in building sales channels, marketing, and the commercialization of IT solutions. In recent years, he has been focusing on cybersecurity and cloud solutions. In the past, he mainly worked for the largest IT distributors in the CEE region. He has worked as an Interim Manager for IT system integrators and vendors selling advanced solutions. He is the author of many articles in the IT and business media, a speaker, lecturer, and podcaster.