Jara: Gather around as we spill the tea on cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. Penetration test or pen test for short is the topic of this episode of The Tea on Cybersecurity, and if you're anything like me, you have a very general understanding of what these tests are and don't fully understand how it fits into cybersecurity, but we will be tackling all of this during this episode. I have an expert with me that is going to help me understand what penetration tests are, why they're important, who performs them, and so much more. I would like to welcome Christina Annechino to this episode. Hi, Christina.

Christina: Hi, Jara, it's so nice to be here.

Jara: Fantastic. Will you please go ahead and introduce yourself to our listeners?

Christina: Yes, absolutely. My name is Christina Annechino. I'm the cybersecurity analyst here at Trava. My main responsibilities here are that I write vulnerability reports and I do vulnerability management for customers, so providing mitigation strategies and remediation techniques to best help them go through their vulnerabilities and remove them in an efficient way.

Jara: Yeah. Definitely, that's very important for us but also the customers that you help, so let's jump right into these penetration tests. First question I have for you is, what are they?

Christina: Yeah. Pen testing is a method of conducting controlled attacks to simulate actual scenarios of how an attacker would try to infiltrate and exploit company data. Essentially, it's a way of finding and exploiting various types of vulnerabilities before a hacker does, so a company can test their security strength for their applications, IoT devices, also their internal network.

Jara: Cool. I think this is a term I've read before is ethical hacking. Is that similar to pen testing?

Christina: Yeah. I'm actually going to answer that in a question later on. I like to go more in depth with that.

Jara: Fantastic. You talked a bit about vulnerability testing and things like that just now. Are that the main goal that pen test tried to accomplish?

Christina: Yeah. The main goals are to bypass credentials, access sensitive information, basically do anything a hacker would do before they have a chance to do it, so that the customer can enact better security practices and be better prepared if and when this happens in the future.

Jara: Awesome. Just in your previous answers you're giving me, I'm understanding a little bit more of how it fits into cybersecurity, but can you give us a clear view of why pen tests are important to cybersecurity?

Christina: Yeah, absolutely. Basically, it's easier for you to protect your company's assets when you know exactly what your security posture looks like, how many gaps you have that may currently exist within your infrastructure, so where you're at and where your problems are.

Jara: Yeah, that's really important for sure. Are there different types of pen tests?

Christina: Yeah. Yeah. There's a few. There's network pen testing, so external and internal, and web application pen testing. I'm going to briefly describe these and mention a few at the end. External pen tests or external network pen tests are used to target assets visible to the internet, so this would include company websites, domain name servers, and the goal is to gain access and to extract confidential information. In this scenario, the tester does not have proper access and permissions. Having no access and information regarding the infrastructure is actually also known as black- box testing. White- box testing is when you have full network and system information given to you by the customer, and then grey- box is partial knowledge and access, so in between. But to get back to the types, internal pen tests, the pen testers already has a foothold within the network where they're trying to elevate their user privileges to admin to be able to do whatever they want. Web application pen testing, the purpose is to expose web application vulnerabilities to prevent data breaches, as well as financial loss and identity theft. The pen tester is also looking for vulnerabilities such as SQL injection, cross- site scripting, cross- site request forgery, just to name a few. If a company utilizes APIs, cloud environments, there's also pen tests for those as well. Wireless network pen tests and social engineering, those can be done too. So, there's a bunch.

Jara: So much information. Can you explain the difference between the white, black, and grey- box again?

Christina: Yeah, absolutely. This is when the customer is providing what access is being provided to the pen tester. With black- box, pen tester has no information or access. That's how they're working with no access or information. And then, white- box, you have full access, so that's the opposite. You're provided all the access to the networking system. And then, grey- box, you have partial.

Jara: Got it. So, the black test, it's someone coming in completely from scratch and figuring out how they can infiltrate into the entire system?

Christina: Yes, absolutely.

Jara: Got it. So terrifying as well. All right. Okay. So, can you walk me through what the steps typically are involved in a basic pen test?

Christina: Yeah. There are generally five stages. I'm going to go through all of the stages that would be required for a fully in- depth pen test. So, I'm list them and then I'm going to go through them. Reconnaissance is number one, scanning and enumeration, vulnerability assessment, exploitation or gaining access, maintaining access, and then covering your tracks and reporting. Reconnaissance, it's literally recon, so you're collecting information on your target, whether that includes the domain names, subdomains, network topology, operating systems, valid user accounts. There's two types of reconnaissance, active and passive. Active is when you're using actual pen testing tools. And then, passive is when you're gathering information without directly interacting with the target, so using public resources. Google is definitely one that I use the most. Scanning and enumeration is next. This is where you're going to be using a variety of tools to explore the target system and any weaknesses that they may have in their network, from their network to their web applications, to map out the attack surface. The next one is vulnerability assessment. This is a minor yet important step that could cut down overall time of the pen test. Here you're taking all the information that was gathered from the previous steps and you're determining if the potential vulnerabilities can be exploited. The ones that can't be, you can remove them from the testing portion. Exploitation and gaining access, after the vulnerabilities have been identified, the goal is to access the target system and/ or collect as much sensitive confidential information as possible. This is where you're going to be conducting your attacks in this step. The next is maintaining access. In the cases where you've successfully gained access, you're going to try to maintain it for as long as possible to accomplish and replicate a malicious hacker's goals. So, you're determining the potential impact of the exploit the longer that you're in the system. And then, finally, we have covering tracks and reporting. Now, what you're going to want to do is you're going to want to exit the target system, and then terminate any running attacks in a safe manner, and then you're going to take all the data you've collected during the pen test and you're going to be writing a comprehensive detailed report for the customer to deliver.

Jara: Okay. Going through all of that sparked a new question for me. When all of this information is uncovered, where the holes are and things, all the things, who is responsible for keeping track and then fixing said issues?

Christina: It's the pen tester's responsibility to make a note of all vulnerabilities that have been detected when testing. Within the report, they're going to be providing remediation strategies on how to fix these vulnerabilities, and that's what's being presented to the customer.

Jara: Got it.

Christina: Not necessarily fixing, but more identifying.

Jara: Yeah. Awesome. Okay. Next question, we've talked a lot about the different cybersecurity assessments and frameworks during the podcast. Do penetration tests work with them? Are they different? How do these things come together?

Christina: Compared to other security assessments, penetration testing goes a step further since you're conducting a real- world attack. That's what's being simulated to accurately test how effective the in- place security measures really are, as well as providing that in- depth analysis in the report of the security posture.

Jara: Cool. I just asked this question, so I'm just going to restate it to see if I understand correctly. When it comes to the key deliverables of a pen test getting to the stakeholder, the pen tester actually writes out a report of what the issues are and what needs to be fixed, and then they pass it along.

Christina: Yes, absolutely. I mean, they can also include the tools that were utilized, but definitely very important is mentioning all the vulnerabilities that have been identified, and then providing the remediation strategies. It's also important to provide the steps that were conducted to identify the vulnerability and then exploit it. That's also important within the documentation. So, not only the vulnerability, but also the required steps that you would need to take in order to exploit that vulnerability, so that it can be remediated.

Jara: Okay. Cool. When it comes to pointing out the vulnerabilities, how are these prioritized in what needs to be addressed first?

Christina: Yeah. Looking at the severity of the vulnerability and the magnitude of risk if that vulnerability was exploited, that's very big. The difficulty of exploiting vulnerability, as well as what the probability is if the vulnerability could be exploited in the near future. So, determining the severity, the difficulty, and the probability of exploitation can gauge which one should be prioritized over others.

Jara: Okay, cool. How does one become a pen tester?

Christina: Either through training or you can be working on independent projects related to cybersecurity. In my opinion, getting familiar with Linux commands, utilizing bug bounty, Hack The Box, PentesterLab. PortSwigger has a lot of free labs. There's so many resources out there that you can utilize to become a pen tester, and if you have a knack for it, an interest for it, I definitely vote to give it a go.

Jara: Cool. Pen testers, are they ethical certified hackers?

Christina: Yeah. This is a great question because both terms are sometimes used interchangeably, but their roles are just a little bit different. Certified ethical hackers have a broader role and use tools and tactics just as pen testers do, but their goal is to go beyond hacking and discovering the vulnerabilities. Their responsibility is to encompass and conduct a multitude of attacks, as well as different hacking methodologies to build a comprehensive plan of action to the customer. Here, this is where they could potentially also help fix the vulnerabilities, so not just identify the vulnerabilities and exploits, but also help remediate them. So, an ethical hacker typically needs a little bit more comprehensive knowledge on software programming and experience overall.

Jara: Okay. So, they do similar things, but they're not the exact same because ethical hackers take an extra step in help fixing the issues.

Christina: Yes, absolutely.

Jara: Got it. I'm learning. I love it. All right. What are the tools and/ or techniques that pen testers commonly use during these tests?

Christina: Yeah. Kali Linux is definitely a very popular Linux- based operating system, which is where you're going to be running all your attacks within that operating system. It comes with a bunch of pre- installed tools, but you could easily install any tools as well, within Kali. I've used Kali so much and I really think that it's a great operating system, so definitely worth the use. Metasploit, that's a pen testing framework that has a large number of exploit modules to test for security vulnerabilities, enumerate networks, and even execute attacks. I've used Metasploit a bunch to conduct attacks, and I think it can be used from experience low to very experienced. So, Metasploit is a very good tool to be knowledgeable about and learn. Burp Suite is another one. It's kind of in the name. It's a suite of application security tools, so the Burp Suite proxy makes it easy to conduct man in the middle attacks between a web server and a browser., So if that's something that you're interested in, that can be done with Burp Suite. Burp Suite also has just a lot of stuff in it, so another great tool to use. Packet sniffing software, Wireshark is the one that I've used a lot. You can monitor and analyze data traffic, so if that's also something you're looking to do, Wireshark is definitely the way to go. And then, just some various other tools like Nmap for network scanning, SQL map for SQL injection. In terms of techniques, I always try to look at an attack from different angles and use different tools to get different results and hopefully run a successful exploit, so trial and error is definitely the way to go. Don't be afraid, in my opinion. If you don't get the exploit right away and don't run a successful exploit, try again.

Jara: Is it common to use multiple tools during one, I guess, project?

Christina: Yeah, absolutely.

Jara: All right. Yeah. It totally makes sense. Okay. If I were a business leader and I wanted to run an internal pen test, what are some best practices for me as the business owner?

Christina: There are pros and cons. Definitely, a lot of research is going to be needed. If you're opting out of hiring a professional, it'll possibly require the employees that will be conducting the internal pen testing to maybe complete a certificate. So, pen testing is such a efficient way of identifying weaknesses in security, but to minimize any business disruption, possibly a professional may be the way to go.

Jara: Yeah, that totally makes sense. Definitely, if the internal team aren't professional testers, that totally makes sense just to hire it out. Again, Christina, I know that you have some experience in pen testing, so do you have any interesting or memorable stories or examples that you can share with the listeners?

Christina: Yeah. During my capstone, I majored in cybersecurity and I worked with a partner for my capstone, and my main responsibility was to run penetration testing attacks on his device and network. One of the attacks that I ran, it was with a password cracking tool called inaudible, and I was able to successfully, with a very detailed word list, crack one of his passwords on his device, which was very cool.

Jara: Yeah, that's cool. I didn't even know. Again, it totally makes sense, but it's never crossed my mind that people actually hack passwords.

Christina: Yeah.

Jara: So terrifying. All right. I have a set of lightning round fun questions for you, but it's not completely related to pen testing but still cybersecurity. Are you ready for this round?

Christina: I'm so ready.

Jara: Okay. What's the most bizarre cybersecurity myth you've ever heard?

Christina: I think that cybersecurity is expensive and not worth the investment. I heard that a bunch. It can't be farther from the truth.

Jara: Yeah. I've learned a lot from this podcast that it's very important and I really hope that our listeners understand that, especially from listening and learning with me that it's super important and we all need to take it super seriously. All right. Next question, what's the best password you've ever seen? I guess without really giving the password away, if you can at least explain it to us.

Christina: Yeah. No, absolutely. I mean, I have to do a bit of boasting. I think my passwords are pretty great. Always when I'm coming up with passwords, the most random, the better. I will jumble letters, numbers, characters. I obviously try to make it, so that I'll remember it, but a random password is always the most secure password, nothing that can be guessed or can be figured out by a potential attacker.

Jara: Cool. All right. Do you ever get tired of telling people not to click on a suspicious link?

Christina: I actually don't because this is super important. Clicking on a suspicious link, you could accidentally download malware. You could be directed to an unfamiliar site where you accidentally enter confidential information. So, it's super important. Don't click on suspicious links.

Jara: I'm not going to lie though. I get a little annoyed with my mom when she gets these weird text messages and she's like, " UPS just sent me this and they told me to click on the link." I'm like, " You didn't even order a package.

Christina: I know.

Jara: Don't click on it. You know that someone's tricking you." All right. If you could create a cybersecurity superhero, what would their powers be?

Christina: Oh, my gosh, that's actually a really good question. I don't know. I feel like I would want to fly around and just shout advice to everybody, just provide insight and advice to as many people as I can.

Jara: Yeah. Don't click on the link.

Christina: Yeah, right.

Jara: Use a random password. Yeah.

Christina: Absolutely.

Jara: I love it. All right, Christina, before I let you go, is there anything else you would like to drive home on pen testing or just cybersecurity in general?

Christina: I mean, I got into pen testing through my master's program and I didn't know anything about pen testing during the program, and I learned so much in a short amount of time. And I really feel like if you're really into problem solving and you have an interest in it, I would say to go for it. Don't be deterred. Definitely, if you're interested, it can be done.

Jara: Fantastic. Well, I definitely learned a lot from you during this episode, and that wraps another episode of The Tea on Cybersecurity. Now, that Christina helped us spill the tea on pen test, it's time to go over the receipts. I learned so much more and have a very clear understanding of what pen tests are and how they fit in cybersecurity, so let's go over some of the key things that I pulled out. First, what are pen tests? Pen tests when you look at it really are hacks and attacks, but these are done, controlled in a way that simulates how an actual attack would happen, and it helps identify gaps and vulnerabilities and even exploits the vulnerabilities and helps identify what information can be taken if an unethical hacker was to do an attack. Second is why are pen tests important to cybersecurity? These tests are important because it helps identify gaps that are there for someone to exploit, and it gives you a better chance at fixing them because you're actually able to understand what is out there for someone to weasel into. I asked Christina about ethical hackers and pen testers and if they were the same, and she let me know that they are similar, but there are major differences, as in an ethical certified hacker not only finds the vulnerabilities and exploits them, but they also give ways to mitigate these issues. The last takeaway, the last receipt that I have is when Christina talked about the different forms of penetration testing. We have black- box, white- box, and grey- box. With the black- box, those pen testers go in dark. They aren't given prior access or anything, so they have to figure out how to infiltrate the systems on their own. With white- box, they are supplied with some access and some knowledge of what they are going to be testing. And then, grey- box is just slightly in between that. Well, I hope you learned as much as I did about penetration testing. I will see you on the next episode of The Tea on Cybersecurity. That's The Tea on Cybersecurity. If you like what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcast.