Unveiling Vulnerabilities: The Power of Pen Testing in Cybersecurity with Christina Annechino, Cybersecurity Analyst at Trava

Jara Rowe: Gather around as we spill the tea on cybersecurity. We're talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. Penetration tests, or pen tests for short, is the topic of this episode of The Tea on Cybersecurity and if you're anything like me, you have a very general understanding of what these tests are and don't fully understand how it fits into cybersecurity, but we will be tackling all of this during this episode. I have an expert with me that is going to help me understand what penetration tests are, why they're important, who performs them, and so much more. I would like to welcome Christina Annechino to this episode. Hi, Christina.

Christina Annechino: Hi Jara. It's so nice to be here.

Jara Rowe: Fantastic. Will you please go ahead and introduce yourself to our listeners?

Christina Annechino: Yes, absolutely. So my name is Christina Christina Annechino. I'm the cybersecurity analyst here at Trava. My main responsibilities here are that I write vulnerability reports and I do vulnerability management for customers, so providing mitigation strategies and remediation techniques to best help them go through their vulnerabilities and remove them in an efficient way.

Jara Rowe: Yeah, definitely. That's very important for us, but also the customers that you help. Let's jump right into these penetration tests. First question I have for you is, what are they?

Christina Annechino: Yeah. Pen testing is a method of conducting controlled attacks to simulate actual scenarios of how an attacker would try to infiltrate and exploit company data. Essentially it's a way of finding and exploiting various types of vulnerabilities before a hacker does. A company can test their security strength for their applications, IOT devices, also their internal network.

Jara Rowe: Cool. I think this is a term I've read before, is ethical hacking. Is that similar to pen testing?

Christina Annechino: Yeah, so I'm actually going to answer that in a question later on. I like that more in depth with that.

Jara Rowe: Fantastic. You talked a bit about vulnerability testing and things like that just now. Are that the main goal that pen test tried to accomplish?

Christina Annechino: Yeah, so the main goals are to bypass credentials, access sensitive information, basically do anything a hacker would do before they have a chance to do it so that the customer can enact better security practices and be better prepared if and when this happens in the future.

Jara Rowe: Awesome. Just in your previous answers you're giving me, I'm understanding a little bit more of how it fits into cybersecurity, but can you give us a clear view of why pen tests are important to cybersecurity?

Christina Annechino: Yeah, absolutely. Basically it's easier for you to protect your company's assets when you know exactly what your security posture looks like, how many gaps you have that may currently exist within your infrastructure, so where you're at, where your problems are.

Jara Rowe: Yeah, that's really important for sure. Are there different types of pen tests?

Christina Annechino: Yeah, yeah, so there's a few. There's network pen testing, so external and internal and web application pen testing. I'm going to briefly describe these and mention a few at the end. External pen tests or external network pen tests are used to target assets visible to the internet. This would include company websites, domain name servers, and the goal is to gain access and to extract confidential information. In this scenario, the tester does not have proper access and permissions. Having no access and information regarding the infrastructure is actually also known as black box testing. White box testing is when you have full network and system information given to you by the customer. Then gray box is partial knowledge and access, so in between. But to get back to the types, internal pen tests, the pen testers already has a foothold within the network where they're trying to elevate their user privileges to admin to be able to do whatever they want. Web application pen testing, the purpose is to expose web application vulnerabilities to prevent data breaches as well as financial loss and identity theft. The pen tester is also looking for vulnerabilities such as SQL injection, cross site scripting, cross site request forgery, just to name a few. If a company utilizes APIs, cloud environments, there's also pen tests for those as well. Wireless network pen tests and social engineering, those can be done too, so there's a bunch.

Jara Rowe: So much information. Can you explain the difference between the white, black, and gray box again?

Christina Annechino: Yeah, absolutely. This is when the customer is providing what access is being provided to the pen tester. With black box, pen tester has no information or access. They're working with no access or information.

Jara Rowe: Okay.

Christina Annechino: Then white box, you have full access. So that's the opposite. You're provided all the access to the networking system. Then gray box, you have partial.

Jara Rowe: Got it. The black test, it's someone coming in completely from scratch and figuring out how they can infiltrate into the entire system?

Christina Annechino: Yes, absolutely.

Jara Rowe: Got it. So terrifying as well. Okay, so can you walk me through what the steps typically are involved in a basic pen test?

Christina Annechino: Yeah, there are generally five stages. I'm going to go through all of the stages that would be required for a fully in- depth pen test.

Jara Rowe: Okay.

Christina Annechino: I'm list them and then I'm going to go through them. Reconnaissance is number one, scanning and enumeration, vulnerability assessment, exploitation or gaining access, maintaining access, and then covering your tracks and reporting.

Jara Rowe: Okay.

Christina Annechino: Reconnaissance, it's literally recon, so you're collecting information on your target, whether that includes the domain names, sub- domains, network topology, operating systems, valid user accounts. There's two types of reconnaissance, so active and passive. Active is when you're using actual pen testing tools and then passive is when you're gathering information without directly interacting with the target, so using public resources. Google is definitely one that I use the most. Scanning and enumeration is next. This is where you're going to be using a variety of tools to explore the target system and any weaknesses that they may have in their network, from their network to their web applications to map out the attack surface. The next one is vulnerability assessment. This is a minor yet important step that could cut down overall time of the pen test.

Jara Rowe: Okay.

Christina Annechino: Here you're taking all the information that was gathered from the previous steps and you're determining if the potential vulnerabilities can be exploited. The ones that can't be, you can remove them from the testing portion. Exploitation and gaining access, after the vulnerabilities have been identified, the goal is to access the target system and/ or collect as much sensitive confidential information as possible. This is where you're going to be conducting your attacks, in this step. The next is maintaining access. In the cases where you've successfully gained access, you're going to try to maintain it for as long as possible to accomplish and replicate a malicious hacker's goals. You're determining the potential impact of the exploit the longer that you're in the system. Then finally we have covering tracks and reporting, so now what you're going to want to do is you're going to want to exit the target system and then terminate any running attacks in a safe manner. Then you're going to take all the data you've collected during the pen test and you're going to be writing a comprehensive detailed report for the customer to deliver.

Jara Rowe: Okay. Going through all of that sparked a new question for me. When all of this information is uncovered, where the holes are and all the things, who is responsible for keeping track and then fixing said issues?

Christina Annechino: It's the pen tester's responsibility to make a note of all vulnerabilities that have been detected when testing. Within the report, they're going to be providing remediation strategies on how to fix these vulnerabilities and that's what's being presented to the customer.

Jara Rowe: Got it.

Christina Annechino: Not necessarily fixing, but more identifying.

Jara Rowe: Yeah, awesome. Okay. Next question. We've talked a lot about the different cybersecurity assessments and frameworks during the podcast. Do penetration tests work with them? Are they different? How do these things come together?

Christina Annechino: Compared to other security assessments, penetration testing goes a step further. Since you're conducting a real world attack, that's what's being simulated to accurately test how effective the in- place security measures really are, as well as providing that in- depth analysis in the report of the security posture.

Jara Rowe: Mm- hmm. Cool. I just asked this question, so I'm just going to restate it to see if I understand correctly. When it comes to the key deliverables of a pen test getting to the stakeholder, the pen tester actually writes out a report of what the issues are and what needs to be fixed and then they pass it along?

Christina Annechino: Yes, absolutely. They can also include the tools that were utilized, but definitely very important as mentioning all the vulnerabilities that have been identified and then providing the remediation strategies. It's also important to provide the steps that were conducted to identify the vulnerability and then exploit it. That's also important within the documentation. Not only the vulnerability, but also the required steps that you would need to take in order to exploit that vulnerability so that it can be remediated.

Jara Rowe: Okay, cool. When it comes to pointing out the vulnerabilities, how are these prioritized and what needs to be addressed first?

Christina Annechino: Yeah, so looking at the severity of the vulnerability and the magnitude of risk, if that vulnerability was exploited, that's very big, the difficulty of exploiting vulnerability as well, as what the probability is if the vulnerability could be exploited in the near future. Determining the severity, the difficulty, and the probability of exploitation can gauge which one should be prioritized over others.

Jara Rowe: Okay, cool. How does one become a pen tester?

Christina Annechino: Either through training or you can be working on independent projects related to cybersecurity. In my opinion, getting familiar with Linux commands, utilizing bug bountying, Hack the Box, Pentester Lab, PortSwigger has a lot of free labs. There's so many resources out there that you can utilize to become a pen tester, and if you have a knack for it, an interest for it, I definitely vote to give it a go.

Jara Rowe: Cool. Pen testers, are they ethical certified hackers?

Christina Annechino: Yeah, so this is a great question because both terms are sometimes used interchangeably, but their roles are just a little bit different. Certified ethical hackers have a broader role and use tools and tactics just as pen testers do, but their goal is to go beyond hacking and discovering the vulnerabilities. Their responsibility is to encompass and conduct a multitude of attacks as well as different hacking methodologies to build a comprehensive plan of action to the customer. Here, this is where they could potentially also help fix the vulnerabilities, so not just identify the vulnerabilities and exploits, but also help remediate them. An ethical hacker typically needs a little bit more comprehensive knowledge on software programming and experience overall.

Jara Rowe: Okay, so they do similar things, but they're not the exact same because ethical hackers take an extra step in help fixing the issues.

Christina Annechino: Yes, absolutely.

Jara Rowe: Got it. I'm learning. I love it. All right. What are the tools and/ or techniques that pen testers commonly use during these tests?

Christina Annechino: Yeah, so Kali Linux is definitely a very popular Linux- based operating system, which is where you're going to be running all your attacks within that operating system. It comes with a bunch of pre- installed tools, but you could easily install any tools as well within Cali. I've used Kali so much and I really think that it's a great operating system, so definitely worth the use. Metasploit, so that's a pen testing framework that has a large number of exploit modules to test for security vulnerabilities, enumerate networks, and even execute attacks. I've used Metasploit a bunch to conduct attacks, and I think it can be used from experience low to very experienced. Metasploit is a very good tool to be knowledgeable about and learn. Burp Suite is another one, so it's kind of in the name. It's a suite of application security tools. The Burp Suite proxy makes it easy to conduct man in the middle attacks between a web server and a browser. If that's something that you're interested in, that can be done with Burp Suite. Burp Suite also has just a lot of stuff in it, so another great tool to use. Packet sniffing software, Wireshark is the one that I've used a lot. You can monitor and analyze data traffic, so if that's also something you're looking to do, Wireshark is definitely the way to go. Then just some various other tools like Nmap for network scanning, SQL injection, SQLmap for SQL injection. In terms of techniques, I always try to look at an attack from different angles and use different tools to get different results and hopefully run a successful exploit. Trial and error is definitely the way to go. Don't be afraid, in my opinion, if you don't get the exploit right away and don't run a successful exploit, try again.

Jara Rowe: Is it common to use multiple tools during one, I guess, project?

Christina Annechino: Yeah, absolutely.

Jara Rowe: All right, yeah, it totally makes sense. Okay. If I were a business leader and I wanted to run an internal pen test, what are some best practices for me as a business owner?

Christina Annechino: There are pros and cons. Definitely a lot of research is going to be needed if you're opting out of hiring a professional and possibly require the employees that will be conducting the internal pen testing to maybe complete a certificate. Pen testing, it's such a efficient way of identifying weaknesses and security, but to minimize any business disruption, possibly a professional may be the way to go.

Jara Rowe: Yeah, that totally makes sense. Definitely if the internal team aren't professional testers, that totally makes sense just to hire it out. All right, Christina, before I let you go, is there anything else you would like to drive home on pen testing or just cybersecurity in general?

Christina Annechino: I got into pen testing through my master's program and I didn't know anything about pen testing during the program, and I learned so much in a short amount of time. I really feel like if you're really into problem solving and you have an interest in it, I would say to go for it. Don't be deterred. Definitely if you're interested, it can be done.

Jara Rowe: Fantastic. Well, I definitely learned a lot from you during this episode, and that wraps another episode of The Tea on Cybersecurity. Now that Christina helped us spill the tea on pen test, it's time to go over the receipts. I learned so much more and have a very clear understanding of what pen tests are and how they fit in cybersecurity. Let's go over some of the key things that I pulled out. First, what are pen tests? Pen tests, when you look at it really are hacks and attacks, but these are done, controlled, in a way that simulates how an actual attack would happen and it helps identify gaps and vulnerabilities and even exploits the vulnerabilities and helps identify what information can be taken if an unethical hacker was to do an attack. Second is why are pen tests important to cybersecurity? These tests are important because it helps identify gaps that are there for someone to exploit and it gives you a better chance at fixing them because you're actually able to understand what is out there for someone to weasel into. I asked Christina about ethical hackers and pen testers and if they were the same, and she let me know that they are similar, but there are major differences, as is an ethical certified hacker not only finds the vulnerabilities and exploits them, but they also give ways to mitigate these issues. The last takeaway, the last receipt that I have is when Christina talked about the different forms of penetration testing. We have black box, white box, and gray box. With the black box, those pen testers go in dark. They aren't given prior access or anything, so they have to figure out how to infiltrate the systems on their own. With white box, they are supplied with some access and some knowledge of what they are going to be testing, and then gray box is just slightly in between that. Well, I hope you learned as much as I did about penetration testing. I will see you on the next episode of The Tea on Cybersecurity. That's The Tea on Cybersecurity. If you like what you listen to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.