No software is completely impenetrable. New threats are introduced every day. You don’t even need to be a hacker to attack a website. The Internet offers plenty of scripts for an attacker to download and run against a website. Penetration tests help you find common security holes in your web application before hackers find them.
What is a Penetration Test?
Penetration tests are hacking techniques and scripts that run against a website. The idea is that you (or an outside contractor) act like an attacker and attempt to degrade performance or even gain access to unauthorized areas. This can be done using software, but professionals often have their own set of tools to emulate an attack from an actual hacker.
Penetration testing can catch mistakes that your QA people won’t find. Testers can sometimes find common coding mistakes that give attackers access to sections of the site such as the database, critical server files, user sessions, or files that render the code on your site. The intent of the hacker is never clear, but you have to think like a hacker to perform an effective penetration test.
The first step is planning. You’re about to launch an emulated attack on your website, which can damage performance, services, and even accidentally deface the site. You need to sit down with managers and let them know that a test will be in action. You also need to understand what’s off limits. You can’t crash your entire web application and disrupt revenue-impacting processes. You need to test the application, but within agreed limits on what may be attacked and how hard.
One question you should ask is whether you should alert staff members. In a true test, you want to see the way staff reacts to a critical cyber attack. When you give them advance notice, they might act differently. You want the test to unfold the way a real attack would. This might mean withholding notification from staff to identify whether they are able to notice the warning signs and help mitigate the issue.
Some penetration professionals perform social engineering attacks. In this case, you wouldn’t want to tell staff that an attack is in effect. You want to understand your staff’s knowledge of social engineering and security.
In the planning stage, the organization must understand that there are risks with penetration testing. It’s beneficial for the organization and the security of the web application, but the attacks can leak data and cause performance issues.
Gather Information on the Target
The first step in a penetration test is to gather information on the target. This information is superficial, such as any marketing material, domain registration data, documents found on the web, and just generally poking around for information that could be used for further tests. Some organizations make documentation public without realizing that each bit of information can connect the dots to the bigger picture. The bigger picture is the organization’s structure, strategies, and security standards.
The tester can use utilities available for free on the Internet and included in most operating systems. For instance, Nmap is a utility available for Windows and Linux. You can also download GUI applications that make it much easier to gather information. This tool helps the tester scan the network for open ports and services running on the web server.
At this point, the penetration tester doesn’t perform any security attacks. No attempt is made to obtain data or access the system. The idea is that the attacker quietly collects data to later obtain access without alerting the site owner.
Attack on the Web Application
With information in-hand, the attacker (or penetration tester) can perform numerous attacks on the site.
The first attack is usually a DoS (denial-of-service). A DoS attack is a method that floods the web server with forged traffic. A DDoS (distributed denial-of-service) is more common, but this involves compromising other people’s personal computers and using them to flood the web server with traffic. Since that is outside what a penetration tester may legitimately do, the only option is to attack the site with a DoS attack.
DoS attacks reduce the performance of the web server and the application. If the attack puts the website out of commission, then the penetration tester stops the attack. Your web application fails the test if a DoS is successful. You can mitigate DoS attacks using router configurations.
Another type of attack is a brute force attack. Brute force attacks send “guesses” to your web application’s login form. If your form doesn’t lock out a user and allows the attacker to continue guessing passwords, your application fails. Even worse, if passwords are weak, the attacker can gain access by guessing the password. Always lock out users after a specific number of login attempts.
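The lockout the paragraph calls for, as an added example that is not part of the original article: `LoginGuard`, `demo_check`, the constructed user store and the thresholds are all assumptions chosen for the demonstration, not a specific product’s behaviour.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MAX_ATTEMPTS = 5            # failed guesses allowed before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts; timed, not permanent


@dataclass
class LoginGuard:
    """Counts failed logins per username and enforces a temporary lockout.

    check_password stands in for the application's real credential check
    (hypothetical). Counters live in memory here; a real deployment would
    keep them in shared storage so every web node sees the same count.
    """
    check_password: Callable[[str, str], bool]
    max_attempts: int = MAX_ATTEMPTS
    lockout_seconds: int = LOCKOUT_SECONDS
    _failures: Dict[str, int] = field(init=False, default_factory=dict)
    _locked_until: Dict[str, float] = field(init=False, default_factory=dict)

    def is_locked(self, username: str, now: float) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear state so the user gets a fresh set of attempts.
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def attempt(self, username: str, password: str, now: float = None) -> str:
        """Returns 'ok', 'denied' or 'locked'. A locked account is refused even
        when the password is correct, so guessing cannot continue during the lock."""
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return "locked"
        if self.check_password(username, password):
            self._failures.pop(username, None)  # a success resets the counter
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_attempts:
            self._locked_until[username] = now + self.lockout_seconds
            return "locked"
        return "denied"


# Constructed sample credential store; a real application compares salted hashes.
_USERS = {"alice": "correct horse battery staple"}


def demo_check(username: str, password: str) -> bool:
    return _USERS.get(username) == password


def simulate_guessing() -> List[str]:
    """Five wrong guesses, then the right password at once, then the right
    password after the lockout window has passed."""
    guard = LoginGuard(check_password=demo_check)
    results = [guard.attempt("alice", f"guess{i}", now=0.0) for i in range(5)]
    results.append(guard.attempt("alice", "correct horse battery staple", now=0.0))
    results.append(guard.attempt("alice", "correct horse battery staple",
                                 now=LOCKOUT_SECONDS + 1.0))
    return results
```

The lock is timed rather than permanent so that a flood of bad guesses cannot be used to lock legitimate users out indefinitely; the same counters also make a useful detection signal when they are logged.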
Social engineering is another common attack. The penetration tester might wander around your building and see if someone will let him piggyback. Piggybacking is a technique used when the attacker follows an authorized individual into the building after the employee swipes his badge.
The attacker might also ask random employees for information. He might call an employee and ask for passwords. He could ask an employee to give him access to the premises because he “lost his badge.” He could stand by a printer and see if an employee will give him information regarding documents, passwords, or any information that could be used to obtain access to sensitive information. The test determines if any employees are aware of physical threats.
Cleaning Up After the Test
Once the tests are over, it’s time to clean up from any damage and create a report. Cleanup can include removing any files planted where directory security was breached, deleting any data dumped through a SQL injection attack, and debriefing employees who gave the attacker access.
An extensive report is created to help the organization work through any critical security holes. They can then patch any systems, including the web applications. Sometimes the web application passes but server security is poor. The server administrators then need to review and patch the server for any vulnerabilities.
After the penetration tester is finished with the tests, he goes over all areas of vulnerability. The tester also gives you suggestions for what you can do to improve your application’s security. This could be anything from training employees to applying patches to your web application’s software.
Most companies don’t pass a penetration test with flying colors. You’ll need to make changes and re-code some of your application. You might need to add extra hardware or software to the infrastructure. There could be any number of changes to the network. As long as you’re open to areas of improvement, you can secure your web application against future attacks.