A Brief Guide of Nearly Everything Pentesting

Is my company vulnerable to cyberattacks?

TL;DR: Yes. Because if you cannot secure something with a firewall (which, of course, is not possible with your corporate website or your app, for example) -- you are at risk.

We found a few stats: as many as 30,000 websites are hacked every day (Forbes). And 300,000 new pieces of malware are created daily (Web Arx Security). Research shows that on average, cyberattacks happen every 39 seconds (University of Maryland). Cybercrime will cost the world $6 trillion by the end of 2021 (Cybersecurity Ventures).

So when clients ask us if their businesses are susceptible to cyberattacks, we say yes. As the saying goes, “the most secure computer is one that is turned off.” Thinking your organization isn't a potential target is putting your website, software, or apps at unnecessary risk.

5 laws of cybersecurity

TL;DR: Every company, no matter how big or small, is vulnerable and can be subject to a cyberattack.

Nick Espinosa, an expert in cybersecurity and network infrastructure, eloquently outlines the five laws of cybersecurity:

Law 1: If There Is A Vulnerability, It Will Be Exploited

The original definition of the term "hack" is "to cut with rough or heavy blows." (Wikipedia). No matter how secure your environment is, hackers may try to exploit it for multiple reasons including: basic bragging rights, extortion, theft, boredom, sabotage, vandalism, espionage, and blackmail. Regardless of the reason, the typical results of cyberattacks can feel like a heavy blow.

Law 2: Everything Is Vulnerable In Some Way

NASA, the World Health Organization, Yahoo, LinkedIn, Facebook, Apple, ExxonMobil -- just a few high-profile examples of organizations that fell victim to cybersecurity attacks. These organizations had cybersecurity measures in place. However, they weren’t enough to prevent damaging security breaches. But you don’t have to be a large organization to attract the attention of hackers. Accenture’s Cost of Cybercrime Study reports 43% of cyberattacks are aimed at small businesses. Only 14% of those are prepared to defend themselves.

Law 3: Humans Trust Even When They Shouldn't

“It sounds weird to say we need to combat trust, but we do if we’re going to survive against the nonstop hacking that takes place,” Espinosa says. He’s referring to one of the most common types of cyberattacks -- phishing. He further explains that as a society, we cannot function without trust. And that’s why it’s our greatest threat when it comes to cybersecurity.

Law 4: With Innovation Comes Opportunity For Exploitation

Our lives become more dependent on technology every day. We are connected, and our systems are interconnected via IoT. But all these technological advances create more opportunities for cyber exploits. The COVID-19 pandemic, for example, made us increasingly dependent on remote methods of working and communication. Consequently, the four most targeted vulnerabilities in 2020 were related to remote work-related technologies (as reported by the Cybersecurity and Infrastructure Security Agency).

Law 5: When In Doubt, See Law No. 1

‘Nuff said.

If you’d like to view a video version of the 5 laws, it can be accessed here: The Five Laws of Cybersecurity | Nick Espinosa.

Cybersecurity is black and white (and sometimes grey)

TL;DR: Who can stop a black-hat hacker with malicious intent? A white-hat hacker with the know-how.

Black-hat hackers are everywhere. But who are they? How do we define a black-hat hacker? A black-hat hacker is a person who exploits computer systems, such as a website or web application, for malicious purposes (e.g., ransomware or data theft). As a countermeasure to black-hat attacks, you need a white-hat hacker (aka a “good hacker” or an “ethical hacker”). With your permission – and only with your permission – this person will use the same hacking techniques while performing penetration testing but with the sole intent of uncovering cybersecurity vulnerabilities that black-hat hackers can exploit. Who are grey-hat hackers, then? These guys engage in a blend of both white- and black-hat hacking activities, often looking for vulnerabilities in a system without the owner's permission or knowledge. So, the most effective way to expose vulnerabilities and defend against cyberattacks is for your organization to hire a white-hat hacker, or ethical hacker, to perform penetration testing.

What is pentesting anyway?

TL;DR: A pentest is a hacking attempt performed by an ethical hacker, with the permission of the entity being hacked, for the purposes of strengthening security.

Cybersecurity is a broader term used to describe the defense measures against cyberattacks by black-hat hackers. Pentesting is a type of ethical hacking. The best way to improve defenses is to replicate the attacks on one’s own infrastructure. The replicated attacks launched by white-hat hackers (like HubBase 😉) are called penetration tests or pentests (a.k.a. ethical hacking).

Furthermore, penetration testing is a controlled attack simulation that helps identify susceptibility to application, network, and operating system breaches. By locating vulnerabilities before the adversaries do, you can implement defensive strategies to protect your critical systems and information.

Why do I need a pentest?

TL;DR: You need a pentest to ensure your digital properties are not compromised. Pentests allow for risk mitigation to protect client data, IP, corporate finances, and your company’s reputation.

The purpose of pentests is to help businesses identify cybersecurity weaknesses before exploitation by malicious hackers. Running pentests allows for a safe and proactive way to spot vulnerabilities before cybercriminals can exploit them.

Pentesting should be on everyone’s mind for several reasons:

  1. No doubt you’ve heard about ransomware. It’s a type of malware that threatens to publish the victim's personal data or perpetually block access to it unless a ransom is paid (thank you, Wikipedia!). The U.S. Department of Justice lists penetration testing as one of the steps in securing your organization against ransomware attacks.

  2. Pentests can save you a lot of money -- security gaps, if identified earlier in the software development process, are much less costly than if they are discovered later in the development life cycle.

  3. Cyberattackers may not only compromise your sensitive data, such as patent information and trade secrets; they can also compromise your customers’ sensitive data, potentially leading to loss of customers and causing serious damage to your brand and reputation. Penetration testing can help you avoid reputation-damaging security breaches.

  4. Last but not least, VCs have cybersecurity on the checklist. Are you looking to raise more funds and take your company to the next level? Trademarks, technology details, and financial projections aside, cybersecurity now often comes up during fundraising conversations. Doing your due diligence and performing penetration testing can help you stay ahead of the competition.

Information security is the law

TL;DR: Some organizations operate in industries that have established cybersecurity regulations in place. Pentesting can help these organizations identify vulnerabilities, improve their cyber defense, and comply with the required regulations.

The U.S. Department of Health and Human Services (HHS) developed the Health Insurance Portability and Accountability Act (HIPAA) way back in 1996, intending to protect the privacy of patient health information gathered by health organizations. The security guidelines are constantly being updated to cover the ever-evolving cybersecurity space, and for good reason: the healthcare industry continues to rank near the top of lists of the most vulnerable industries.

The Payment Card Industry (PCI) Data Security Standard is another security standard that is required of any organization that processes, stores, or transmits cardholder data. The financial industry, much like the healthcare industry, also tops lists of the industries most vulnerable to cyberattacks. The PCI Security Standards Council, a government-wide body, has detailed penetration test guidelines.

Other sectors, like insurance companies and energy organizations, have their own cybersecurity regulations that must be met. All businesses that provide services to the Department of Defense, for example, have to comply with the Cybersecurity Maturity Model Certification or CMMC cybersecurity standard. More information on this can be found in this Brief Guide to US Cybersecurity Regulations by Industry.

The European Union’s Data Protection Authority (DPA) is the agency within each European Union country that is responsible for General Data Protection Regulation (GDPR) enforcement. The main goal of the GDPR is to allow individuals more control and rights over their personal digital data.

In the U.S., there’s no equivalent of the DPA, and multiple organizations (both governmental and non-governmental) develop and monitor cybersecurity standards for different industries. The U.S. National Institute of Standards and Technology (NIST) is one of them. NIST develops cybersecurity standards, best practices, and guidelines for federal agencies and the broader public. DOD, NSA, DOJ, and other departments are some of the key players responsible for the Nation’s cybersecurity efforts.

No matter which industry you are in and regardless of the regulations you need to follow, a pentest can help you identify vulnerabilities, set up measures to improve the defense, and ensure compliance with the corresponding regulations.

Pentesting is a part of offensive security

As the name suggests, offensive security is a proactive approach to defending your web properties. This is where vigilance plays a key role. When it comes to protecting websites and web applications, offensive security refers to the act of testing various systems to check for problematic website vulnerabilities. You can think of it as an “active” defensive strategy. Because sometimes, the best defense requires a good offensive strategy.

Offensive security methods such as vulnerability assessments and website pentesting are performed to get a deeper understanding of flawed systems within websites or web applications. Offensive security can help businesses and organizations better prepare for and defend their websites and web apps against cybersecurity threats. Programmers, engineers, and skilled cybersecurity professionals engage in aggressive tactics and ethical hacking to identify and exploit system bugs, actively break into computer programs, and find errors in code to gain access to web-based digital assets. By mimicking cyberattacks, cybersecurity professionals learn to exploit website and web app vulnerabilities and proactively solve them before a real-life attack happens. It certainly helps to be one step ahead of the game.

Looking to perform a pentest on your website or mobile app? Let's connect!