7 Common Penetration Testing Mistakes
Introduction
There is no question working as a pentester is one of the coolest cybersecurity-related jobs. Think about it: pentesters are legally paid to break the rules, use advanced techniques to circumvent security controls (the same ones used by cybercriminals!) and — whenever possible — remain undetectable. Hollywood also played a role in painting pentesters as keyboard ninjas of sorts, something that is further helped by the fact coworkers, family and friends imagine ethical hackers are able to invade any computer in a matter of minutes.
A nice way to put things into perspective is to ask a seasoned professional pentester how they feel about their work. No doubt he or she will tell you about the endless, tedious hours doing reconnaissance or scanning, the frustration of failing repeatedly due to some small configuration mistake when exploiting a vulnerability and the hopelessness and near despair felt when finding a main target seems unbeatable.
However, they’ll also tell you about the infinite joy of discovering the tenacity was not in vain after a nearly impossible, yet successful, intrusion. Ask any real pentester and they will tell you, without a doubt, it is one of the coolest, most challenging and rewarding types of work — and that does not even include the fact it also pays really well.
In truth, the road to becoming a master pentester is quite a journey and, as expected, it includes failing several times before that much-deserved success. It is through this process that experts acquire most of their knowledge. Learning from one's own failures is a very good thing, but it is much less painful to learn from other people's errors.
Here are seven common mistakes every pentester should avoid.
1. Forgetting About Professional Ethics
The key difference between an ethical hacker and a common cybercriminal is, aside from the obvious distinction between the ultimate goals of each party, legality. Performing a pentest is an activity that requires an elevated level of technical ability, and an even higher level of professional ethics.
During this type of work, it is quite common to gain access to sensitive or confidential information, including details of security weaknesses that could expose an entire corporation to real attacks with a high level of destructive potential. So, aside from technical expertise, a good pentester takes aspects such as confidentiality, privacy and legality quite seriously.
Unfortunately, it is not uncommon for companies or professionals to rely on abusive tactics such as executing an unsolicited (and most likely unauthorized) intrusion test, reporting the exploited vulnerabilities to a potential customer and then requesting a payment for the details of how the problem can be fixed. This is unethical behavior and should be completely avoided.
2. Breaking Something Without Proper Authorization
What is the key difference between an ethical hacker and a common cybercriminal? As mentioned before, pentesters are usually paid to break the rules. A frequent problem with many professionals starting in this area is forgetting that, even while breaking the rules, there are... rules that must be followed!
For example, an inexperienced pentester eager to demonstrate their knowledge and abilities may lose focus on the real assessment objectives and create situations with an impact similar to a real attack, such as crashing a critical system. If the test is being executed in a non-production environment, such as a development instance, the impact may not be so high. However, it is important to remember some intrusion tests are executed in a live production environment. Sometimes, such as in a black-box testing scenario, not everyone on the customer team will be aware of the tests.
This type of situation can be handled by pairing pentesters with different levels of experience, but this is not always possible. So, in any situation, it is very important to remember the rules of engagement must be formally documented and approved by the client. This includes defining a clear scope for the assessment; explicitly listing which systems or assets must not be touched; what types of tests can be performed; the time windows for execution; and a clear communication channel for emergency situations.
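The rules of engagement elements listed above (scope, exclusions, approved test types, time windows, emergency contact) can be turned into a check that runs before any action is taken against a host, so an out-of-scope target is refused rather than discovered in the report. The following is an added example, not code from the original article or from any pentesting tool; the RulesOfEngagement fields, the check_target function and the sample RoE values are all constructed for illustration.

```python
"""Rules-of-engagement gate: refuse to act on any target the client has not
formally authorized. Added example; the RoE values below are constructed."""
from dataclasses import dataclass
from datetime import datetime, time, timezone
import ipaddress


@dataclass(frozen=True)
class RulesOfEngagement:
    in_scope: tuple            # CIDR strings the client authorized in writing
    excluded: tuple            # hosts that must never be touched, even inside an authorized CIDR
    allowed_tests: frozenset   # test categories the client approved
    window_start: time         # daily window (UTC) in which testing may run
    window_end: time           # may be earlier than window_start when the window crosses midnight
    emergency_contact: str     # channel to use if something breaks during the test


def _in_window(start: time, end: time, now: time) -> bool:
    """Handle windows such as 22:00-06:00 that wrap past midnight."""
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def check_target(roe: RulesOfEngagement, target: str, test_type: str,
                 when: datetime) -> tuple[bool, str]:
    """Return (authorized, reason); every rejection names the rule that blocked it."""
    if when.tzinfo is None:
        return False, "timestamp must be timezone-aware so the window check is unambiguous"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, f"{target!r} is not an IP address; resolve it and check the address"
    if any(addr == ipaddress.ip_address(x) for x in roe.excluded):
        return False, f"{target} is explicitly excluded by the client"
    if not any(addr in ipaddress.ip_network(n) for n in roe.in_scope):
        return False, f"{target} is outside the authorized scope"
    if test_type not in roe.allowed_tests:
        return False, f"test type {test_type!r} was not approved"
    now = when.astimezone(timezone.utc).time()
    if not _in_window(roe.window_start, roe.window_end, now):
        return False, f"outside the test window {roe.window_start}-{roe.window_end} UTC"
    return True, "authorized"


# Constructed RoE for a hypothetical engagement (not a real client or network).
SAMPLE_ROE = RulesOfEngagement(
    in_scope=("10.20.0.0/16",),
    excluded=("10.20.1.5",),          # e.g. a production host the client pulled from scope
    allowed_tests=frozenset({"recon", "vuln-scan", "exploit"}),
    window_start=time(22, 0),
    window_end=time(6, 0),            # 22:00-06:00 UTC, crossing midnight
    emergency_contact="PLACEHOLDER: client on-call channel (constructed)",
)

if __name__ == "__main__":
    at = datetime(2024, 1, 1, 23, 0, tzinfo=timezone.utc)
    for target, test in [("10.20.3.7", "vuln-scan"), ("10.20.1.5", "recon"),
                         ("10.21.0.1", "recon"), ("10.20.3.7", "dos")]:
        print(target, test, check_target(SAMPLE_ROE, target, test, at))
```

Because the function returns the reason alongside the verdict, the same line can be appended to the engagement log, which doubles as evidence that scope was respected if a question is raised later.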
3. Not Taking Good Care of Evidence
Collecting and adequately storing evidence is a very important task during intrusion testing; after all, this will form the basis for the final report.
Throughout the pentesting process, it is important to have a clear definition of the type of evidence that must be kept, including information such as which vulnerability was successfully exploited; a timestamp; examples of activities that could be performed (e.g., unauthorized file copy or modification); whether there was any sort of detection by the client team; or even the number of unsuccessful tries. Collectively, all this information is very helpful when it comes to building a fact-based report, which brings us to the next common mistake.
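The evidence fields named above (vulnerability exploited, timestamp, demonstrated impact, client detection, number of tries) map naturally onto a structured log where every entry also carries a hash of the captured artifact (screenshot, pcap, command output), so the report can later be checked against the raw evidence. The example below is added here and is not from the original article; the Evidence fields, the EvidenceLog class, the hash chaining between entries and the sample entries are all this example's own constructions.

```python
"""Structured, tamper-evident evidence log for an intrusion test.
Added example with constructed entries; the field names and the entry
hash chaining are this example's design, not a standard format."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Evidence:
    finding: str               # vulnerability exploited, e.g. a report finding id
    target: str                # host or asset the evidence relates to
    timestamp: str             # ISO-8601 in UTC
    demonstrated: str          # what was shown to be possible, stated in the client's terms
    detected: Optional[bool]   # did the client's monitoring react? None = unknown
    attempts: int              # unsuccessful tries before success (or total tries if it never worked)
    succeeded: bool
    artifact_sha256: str       # hash of the captured artifact saved alongside the log


def make_evidence(finding, target, demonstrated, detected, attempts, succeeded,
                  artifact: bytes, when: Optional[datetime] = None) -> Evidence:
    when = when or datetime.now(timezone.utc)
    return Evidence(finding, target, when.isoformat(), demonstrated, detected,
                    attempts, succeeded, hashlib.sha256(artifact).hexdigest())


class EvidenceLog:
    """Append-only log; each entry commits to the previous one so later edits show up."""

    def __init__(self):
        self.entries = []   # dicts: evidence fields plus 'prev' and 'entry_hash'

    @staticmethod
    def _digest(payload: dict) -> str:
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def add(self, ev: Evidence, artifact: bytes) -> dict:
        # Refuse to log evidence whose artifact does not match the hash it claims.
        if hashlib.sha256(artifact).hexdigest() != ev.artifact_sha256:
            raise ValueError("artifact does not match the hash recorded in the evidence")
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        payload = {**asdict(ev), "prev": prev}
        entry = {**payload, "entry_hash": self._digest(payload)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = "0" * 64
        for e in self.entries:
            payload = {k: v for k, v in e.items() if k != "entry_hash"}
            if payload["prev"] != prev or self._digest(payload) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def summary(self) -> dict:
        """Per-finding totals that feed the fact-based report."""
        out = {}
        for e in self.entries:
            s = out.setdefault(e["finding"], {"attempts": 0, "succeeded": 0, "detected": 0})
            s["attempts"] += e["attempts"]
            s["succeeded"] += int(e["succeeded"])
            s["detected"] += int(bool(e["detected"]))
        return out


def build_sample_log() -> EvidenceLog:
    """Constructed entries standing in for real captures; hosts and ids are hypothetical."""
    log = EvidenceLog()
    at = datetime(2024, 3, 5, 23, 14, tzinfo=timezone.utc)
    art1 = b"constructed: screenshot bytes for FINDING-001"
    log.add(make_evidence("FINDING-001", "10.20.3.7", "read a file outside the web root (constructed)",
                          detected=False, attempts=4, succeeded=True, artifact=art1, when=at), art1)
    art2 = b"constructed: exported SIEM alert for FINDING-002"
    log.add(make_evidence("FINDING-002", "10.20.3.9", "logged in with default credentials (constructed)",
                          detected=True, attempts=0, succeeded=True, artifact=art2, when=at), art2)
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(json.dumps(sample.entries, indent=2))
    print("chain intact:", sample.verify(), sample.summary())
```

The chained hashes do not make the log court-grade on their own, but they do catch the everyday problem of an entry being edited after the fact, and the summary gives the "how many tries, was it detected" numbers the report should state rather than guess.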
4. Not Accepting a System Might Actually Be Secure
I used to joke that pentesters have one of the few jobs in the world where, even when they are not successful, the customer is still satisfied.
In truth, the focus of an intrusion test is not the intrusion itself, but rather assessing how well protected a target is against the techniques used by hackers and cybercriminals.
Therefore, if a target was thoroughly tested and still shows no signs of successful intrusion, it is perfectly acceptable to inform the client the system is secure. Many beginner pentesters do not have this insight and end up spending time and resources when it is no longer necessary.
5. Relying Exclusively on Tools for Doing the Job
There are many tools that can make a pentester's life easier. Software such as Nmap or Wireshark helps in reconnaissance activities like target scanning, traffic capture and vulnerability assessment, while frameworks like Metasploit streamline the process of building custom exploits. There are several free Linux distributions completely dedicated to intrusion testing, and professional solutions that can automate most pentesting tasks. The range of solutions a pentester can adopt is quite comprehensive.
Of course, knowing how to properly use those tools is important when executing a pentest, but that is completely different from becoming dependent solely on tools to perform all the work. In many cases, even the best solutions will require a skilled professional to define what to scan or how to build a context-specific exploit. Simply knowing how to use hacking tools may not be enough; a resourceful pentester knows the concepts behind an intrusion test. This will provide a level of flexibility that helps in cases when specific software is not available.
6. Not Developing Report Writing Skills
The final pentest result is a report providing information on every activity performed and whatever findings were discovered throughout the process. A common mistake with inexperienced pentesters is creating a report that is essentially the output of an automated tool. Sure, there are a lot of pentesting tools that can help a lot during the entire process and even automate a good deal of report writing, but to deliver real value to a customer, you have to take it one step further.
An experienced professional will be able to create meaningful reports that are actually pertinent to the client’s business context. This includes being able to elaborate on aspects such as specific laws and regulations, different sorts of business impacts (e.g., operational, financial, legal and reputational) and, while still providing a good deal of technical detail, explaining the main findings in a way a non-technical person can understand. This sort of skill is highly sought after, and works like a charm in terms of career advancement.
7. Relying Exclusively on Self-Learning
As mentioned before, a basic characteristic of a good pentester is having the resilience to fail multiple times and learn from mistakes. Many professionals develop their talents by reading books, participating in discussion groups, or even creating labs where they learn hacking techniques based on trial and error. All these methods are extremely valid, which is not to say you should depend solely on them.
One way to quickly gain knowledge is participating in one of the many intrusion testing training courses and boot camps available on the market. A word of advice: confirm the instructors are professional pentesters with proven practical experience before enrolling. This way it is possible to create a good mix of theory and hands-on learning, and prepare for certifications such as the EC-Council Certified Ethical Hacker (CEH) or Licensed Penetration Tester (Master), GIAC Penetration Tester (GPEN), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) and Offensive Security Certified Professional (OSCP). All of these are high-value certifications that can put you ahead of your competition.
What should you learn next?
If you're interested in online certification for hackers, check out InfoSec Institute's Training boot camps.