I am working on a number of “Letter to My Younger Self” posts, so here is my first edition, kind of just my small effort to pass along some wisdom / knowledge to up and coming professionals / students in my areas of interest. Cross Posted with my website.
My Letter About Pen Testing
Yo Gumby (one of many nicknames when I was growing up),
Hey you little punk, think your going to be so hot at Pen Testing? Listen Up!!
Here is just a few things I have learned from performing and being involved in what my industry calls a “Pen Test”, there are a lot smarter people in this domain then me, this is just what I have learned, in no particular order, so listen to this old geezer:
Pen Testing is about changing a client’s belief system, not about getting the trophy. You don’t change their belief system your ROI is slim.
Make sure your audience is prepared for the results, before you sign up
The top most important rules of a pen test: 1. Defining scope / goal / “the period” / rules / time limits 2. Getting your “Get out of jail free” Card ahead of time 3. Providing SOLUTIONS to what you learn 4. Make sure the right people are aware.
Pen Testing can be fun unless you break rule #1 above so have fun, but realize you are there to learn just as much you are there to “win”. Learning doesn’t get you paid, “win” knowledge for the client, that is why you get paid.
If you get found or found and stopped, honor the defenders openly, they weren’t lucky, they were good. Calling them lucky is disrespectful.
You break the rules, you may be a felony or at a minimum a show-off
If you can’t provide operationally practical solutions (not just more consulting hours), don’t sign up to do a pen test.
Anyone can plant a bomb or break a window or other criminal activity, if you are resorting to these type of findings, #fail
You can test your own organization and get good results, you don’t have to hire someone, but make sure you are skilled in the art and science and techniques.
Getting found is not the same as getting stopped
Pen Testing should always include technical, physical, and human targets, tools, and techniques
Pen Testing is not about a tool, its about a process and skill and use of your knowledge and wisdom all rolled into one small window of time and scope.
Pen Testing is about vulnerability detection, vulnerability discovery, incident response validation, intrusion detection, intrusion discovery, intrusion prevention, security operations process validation, training, mentoring, asset discovery, supply chain security, sales (there I said it), and much more.
There may be times, where you find things so egregious, you should just stop before you reach the goal. You may even find violations (of policy or law). Stop.
Your professor or Pen Test teacher are wicked smart people, but they are no replacement for your own studies, interning, listening, or plain ol’ hard work at 2:00am.
The Testing Ideas
Have a junior person documenting your steps and successes but don’t limit their participations, you will learn something from them, smarty pants. By the way, be glad you are that “junior person” sometimes.
Consider a strong link analysis diagram, makes for a great summary picture at the end!!
Pen Testing is not the same as vulnerability scanning, a cron job can do a vulnerability scan dude.
If you are too textbook / academic in your approach, you may miss the obvious and huge holes right under your nose.
First data acquisition target? Floor plans and company telephone directory, not a scan of a IP range. Hey what if the entire scope involves no IP addresses or URLs?
Develop a “calling card” that you place in interesting places (physically / electronically) so you can show you have been there.
Learning about the company and its structure, employees, supply chain may be much better “intel” then some vulnerability scan.
Public information like Shodan, whois, reverse phone lookups, etc. are a gold mine for intel gathering, don’t try to make this too difficult.
Conference room cabinets and trash cans should be part of the scope.
Social Engineering / Pre-Texting are great tools for pen testing, but they may be illegal, and takes a special skill, don’t use unless you are great at these tools.
If you are pen testing electronic systems, better know how to code and script things.
Watch Hollywood’s pen testing / social engineering movies to get “it worked in the movies” out of your brain: Sneakers, War Games, Catch Me if You Can, Ocean Eleven, etc.
Screen shots or calling cards or pictures are great evidence
100% “physical security” test can still be a “pen test”
The Bottom Line
Make you are know and agree with your client on how you both MEASURE success
It is NOT about the quantity of findings, its about quality of solutions
If you can’t provide proof a vulnerability was exploited, its a theory dude, don’t use it/write it up. “We could have gotten in”, “We found a system that is vulnerable” are not words you should be using in communicating the results of a pen test.
If you can’t find a way in or don’t get to the goal, honor the organization with a strong warning. Pen Testing is a moment in time.
The good or bad results of your testing can very likely be out of date the second your finish your testing.
You find process problems, your solutions can provide long term value, you find a vulnerability that can be mitigated, the value of the finding could last only as long as a patch is installed (minutes).
Remember the audience of your final report/presentation will have a variety of emotions, get over it. Some will hate you, laugh at you, appreciate you.
Want a great end report, take the stressed out sysadmin/network admin for lunch before your report goes “up the chain”. Ask him/her what resources they need you to recommend to help them. They may know of other dark secrets that help you.
Just a few random thoughts young man, enjoy, retain, never stop learning
This was not training or a replacement for formal training, boss won’t pay for your training, that’s your personal budgeting problem not your boss’ problem.
Pen Testing Rule #0 is operating with ABSOLUTE INTEGRITY and total transparency (to the right people), honor people, pass out business cards, building relationships, but its okay having a little fun scaring the client just a little.