Penetration testing: Starting a career as a pen-test pro
Both Aleks and Steven were software developers first. Steven's road into penetration testing ran through his involvement in the Open Web Application Security Project (OWASP), which a colleague first introduced him to, while Aleks came to it through a strong personal interest in security.
Their goal is to recreate the attacks that hackers with a criminal agenda are engaging in on a daily basis, and report their successes or failures back to their clients.
That also means a lot of paperwork, and the resulting screed can often present a brutal education in the realities of cyber-security.
The two encounter different technologies and challenges on every engagement, from new web apps to relatively ancient systems. Their work ranges from SQL injection, where attacker-controlled input is inserted into a database query so that it changes what the query does; phishing; vishing, where you impersonate someone over the phone to obtain information such as keys or a password; cross-site scripting (XSS) attacks; and everything in between.
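To make the SQL injection item above concrete, here is an added example (not code from the article or from 7Safe) showing the mechanism: a login check that builds its query by string concatenation, so a crafted password turns the `WHERE` clause into a tautology, beside the parameterised version that binds the same input as data. The users table, the names `alice`/`bob`/`attacker` and the passwords are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the article).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by concatenation: the caller's input becomes SQL text.

    With password = "' OR '1'='1" the statement becomes
        ... WHERE username = 'attacker' AND password = '' OR '1'='1'
    AND binds tighter than OR, so every row matches and the first one is
    returned, i.e. the attacker is logged in as a user they never knew.
    Returns the matched username, or None if no row matched.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: '?' placeholders are bound as values, so the
    same payload is compared literally against the password column and
    never parsed as SQL. Returns the matched username or None."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Runs a legitimate login and an injection attempt against both
    implementations and returns the four outcomes keyed by case."""
    conn = make_db()
    payload = "' OR '1'='1"   # classic tautology payload
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, "attacker", payload),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, "attacker", payload),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The vulnerable path reports the injected login as `alice` (the first row in the table) even though the username `attacker` does not exist; the parameterised path returns `None` for the same input. The fix is not escaping quotes by hand but keeping query structure and data separate, which is what the placeholder binding does.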
Other firms offer physical penetration testing - that's a dressed-up way of saying breaking into company buildings and compromising everything they've got.
"Reconnaissance in the web is the most basic exercise we can do," Aleks says, referring to 7Safe's social engineering efforts. "We can do phishing and 'vishing' attacks, and we have a system which can collect information about all those clicks."
Penetration testing: Identifying security weaknesses
Aleks recounts a case where his pen-testers cloned their client's website, added a form to the copy, and sent the client's staff legitimate-looking emails pointing at it, designed to fool workers into voluntarily disclosing very sensitive information.
"One of the people on the target list was a guy - he was the only one in the company responsible for the maintenance of this website," Aleks says. "Only he had access to it. He saw the email, clicked the link, filled in the form, pressed the submit button - only afterwards did he ask himself: 'Who the hell created the form?'"
"This is hilarious," he says. "But it's a serious thing. It perfectly demonstrates how deeply we are ingrained in our daily routines. We just click whatever comes."
It's also a pointed example of an often-overlooked weak point: trust.
Look beneath the surface of our daily interactions and you'll find that a surprising number are fundamentally based on trust. When this basic human element is manipulated, it opens opportunities for attackers.
"It is our innate nature to be helpful to people," Steven says. "When you say: 'Please can you help me with this,' your first instinctual reaction is 'maybe I can mean something to them,' rather than 'who are they and what do they want?'"
The nature of the web means there are plenty of opportunities for recon: adding people on Facebook, phoning utility companies for personal information, creating elaborate and believable background stories.