Penetration testing is not to be confused with a security assessment
Whereas an assessment is like having someone walk you around your office and point out where your security is weak, a pen test is like having a real criminal try to break in. It's a matter of showing rather than telling.
"Sometimes you have to have a 'healthy' bad experience," says Matt Wilson, BTB's Chief Information Security Advisor. "Pen testing is a safe way to get burnt." Executives may not see a reason to spend more money on IT security, however often you explain why they should; a pen test that demonstrates an actual, exploitable vulnerability can be a far more persuasive way to convince them to loosen the purse strings.
In addition, the best pen testers don't just illustrate the holes in your security; they tie each weakness to how it could hurt the business.
"The most important thing about a penetration test is the very real impact it can have on your business," says Wilson. "At BTB, we connect whatever issues we find to real-life consequences and share that information with our clients." If the client is in healthcare, for example, HIPAA imposes some very specific requirements. "We can show them whether they are truly meeting all the requirements of the law." Regulatory violations, and the fines and tarnished reputations that come with them, tend to get a CEO's attention.
The anatomy of a penetration test
A typical BTB pen test includes trying to break into the network from outside the company, both through technical attacks and through social engineering; trying, as an unprivileged user, to reach information or systems from the inside that such a user should not be able to reach; and trying to gain access to physical facilities, both from the outside and from the inside.
Among the most common problems found are weak passwords and faulty configurations. Inadequate training, in both technical and physical security, is also a common vulnerability.
In fact, physical security is easily overlooked, even in the most "locked down" of facilities. BTB was once hired to do a pen test at a company that manufactured an extremely dangerous, toxic chemical. The company was so careful about safety that our people had to go through two days of training just to enter the grounds. But when it came time to act like a criminal, we got right into the nerve center of the manufacturing facility. The grounds were surrounded by fencing topped with barbed wire, but our tester noticed that the 8-foot turnstile at the entrance had no barbed wire, so he simply climbed up and over it. He went into the employee locker room and took a hardhat and uniform. He entered a building through an open side door and told the staff he was from IT and needed to fix something. They left him alone, inside what turned out to be the command center, while they went outside for a smoke break.
“On paper, this company was doing all the right things,” says Wilson. “But until they had us stress-test those things, they couldn’t see these weaknesses.”
At another company, BTB launched a two-pronged attack. The goal was a basement server room on a university campus. One tester, dressed as a student, tried the elevator, which required a badge to go down to the basement. The other, wearing a suit and tie, entered the building through an outside door and took the stairwell down. The "student" caught a break when, just as he boarded the elevator, someone called it down to the basement. But when the doors opened, he was confronted by facilities guards. Behind them, he could see his colleague, who had claimed to be IT staff there to fix a technical issue, being badged right into the inner sanctum.
So, when you want to get a real-life look at your security posture, a penetration test is the way to go. Make sure, however, that you choose your security partner wisely.
To read our full executive POV on penetration testing, or to schedule a penetration test for your organization, visit https://www.btbsecurity.com/cyber-security-services/threat-assessment-services.