must also be familiar with a company’s systems (servers, storage, and telecommunications) and the applications that run on them. This includes operating systems and the services they offer (name resolution services, remote access gateways, and IP address leasing). Pen testing any and all these areas will show up on your reports.
If you run a scan on a Domain Name System (DNS) you may find that it needs to be patched. If the server is a Microsoft Windows Server system, you may be able to download needed patches and apply them based on the report. You may also be running a UNIX or Linux system running BIND, which is a DNS name daemon or service. Either way, both may show up on your report as needing attention. Knowing what they are can help you to direct attention towards not only how to repair them, but also which must be prioritized immediately.
Web applications and web programming are also major areas that are exposed to vulnerabilities based on the logic needed to keep them running. Database servers running the Structured Query Language (SQL) may be subject to injection attacks. Operating systems that the services and applications run on also remain open to attack and need to be scanned and patched.
Mobile and cloud
Mobile technology is also a must-know endpoint technology quickly replacing the desktops and other devices. They also travel to and from locations and absolutely must be addressed — whether the devices are company assets or company software and data used on a personal device. There are challenges with this system, which mobile device management (MDM) solutions help overcome.
You might worry about testing them to make sure they’re secure, but you approach this like you approach all the other systems you’re accountable for — you scan, test, and report based on your findings and handle the risks as you identify them.
Cloud is another boundary IT security pros are trying to cross in the world of security and pen testing. Because cloud technologies fall under the purview of their cloud provider, as long as you’re working in conjunction with the cloud provider’s security team and they’re conducing pen tests, then you have achieved the same goal as if you did it yourself.
Note: You might face the fallout of mistakes or mishaps committed on the vendor side.
Introducing Cybercrime
Cybercrime is the act of conducting criminal activities — for example, data theft, information destruction, and identify theft — using technology such as computer systems and networks. A lot of hacking revolves around cyber activities and cybercrime. Any access to something that is done not with the intention of doing an investigation, including collecting information about access or damage (harm), is in fact against the law. As time has passed, more and more legal aspects of protecting assets has arisen since the earlier 1990s.
Here are some key considerations about cybercrime you should consider before you pen test:
Those who commit cybercrime are usually out to gain information, access, or leverage to create a competitive edge, or gain wealth or information that can be used or sold.
The main way that cybercriminals conduct these criminal activities is by surreptitiously accessing information systems to get resources.
The only way to know how vulnerable you are to cybercrime activities is to test your systems yourself. This enables you to be ahead of the curve in protecting these resources and assets to mitigate risk.
You must be employed, contracted, or given permission to conduct ethical hacking, pen testing, vulnerability testing, or any other assessment where computer technology will be penetrated and exploited to find vulnerabilities. Pen testing can be considered an act of cyberwarfare if you test on systems and networks you don’t have permission to test on. It reverts your ethical hacking procedures into unethical ones with that simple oversight! If you don’t work in the field and/or for a company hired to conduct pen testing, you must have permission to conduct it.
Once vulnerabilities are found, you can use the tools to exploit them. However, you must be careful to analyze what that could impact or other problems it could create. For example, you can overwhelm a buffer on a network card or network switch to test its ability to be exploited, creating an outage in the network or on the system.
You should be careful and assess whether possible irreversible damage can be caused and plan for it. What this means is you might conduct an exploit that could corrupt an operating system and if that happens, it must be restored to get it back to working condition.
You must be careful not to corrupt (or lose) data as part of the host system, storage unit, server, or other storage facility. Make sure a full backup is done prior to testing.
You could expose weaknesses to others you might be working with and that could cause problems with information being leaked about security issues that then impact a company’s reputation. This is why it’s recommended to be very careful with giving any information to anyone who doesn’t need to know.
If you’re the security incident handler (like those on an Incident Response Team, which I discuss in Chapter 2) who’s tracking a cybercriminal, you might be responsible for collecting data and creating a chain of custody of the evidence that can be used in a court of law.
The dark web (or darknet) is where many attackers go to find their tools as this part of the web is normally not searchable with common search engines. Most of these tools are found on peer to peer networks and other means of distribution and are the leading causes of attacks via script kiddies and low level hackers worldwide. Most cybercrime (and cyberwarfare) is conducted using these means.
Cybercrime is also known as cyberterrorism and cyberwarfare and can be considered an act of war, especially with foreign actors. Say, for example, someone in Russia runs a few tools acquired on the dark web to penetrate U.S. businesses — to gain access, for instance. One could consider that an act of war or terrorism.
It can get even worse if those same countries (or others) decide to launch attacks to disable power grids, steal secrets, or gain access to military secrets. This makes pen testing and ensuring assets are secure very important. Just as important is re-testing to ensure they remain secure over time.
What You Need to Get Started
You might not realize it, but you don’t just dive into pen testing. You should take these specific steps before you get into the heart of pen testing:
Make sure you have a thorough understanding of the basics of information technology (IT) systems, networks, and other technologies at the fundamental level. This knowledge aids your career in security, pen testing, and ethical hacking.
Conduct vulnerability tests. A type of pen testing is a vulnerability test. A vulnerability test identifies in advance any potential threats — areas where a hacker could potentially attack a vector — to your systems. An attack vector is a method or pathway a hacker uses to access or penetrate the target system; hackers poke around your systems to find something that’s weak or vulnerable. I discuss vectors in further detail in
