The saying, "If it isn't broken, don't fix it," doesn't necessarily line up with the idea of network penetration testing, where a tester breaks into something typically to fix it.
Understanding that foundational aspect is critical to learn network penetration testing skills. While pen testing benefits various systems, networks are especially critical to secure and protect. Enterprises and large organizations have expansive attack surfaces, and with significant remote workforces, those surfaces only grow and are at a greater risk for a detrimental attack. Network penetration testing can help secure these networks, according to author Royce Davis.
Davis' book, The Art of Network Penetration Testing, delves into skills he learned through his career as a "professional hacker," he said, and explores the penetration testing process step by step so anyone can learn network penetration testing and fix networks before hackers break into them.
Editor's note: The following interview was edited for length and clarity.
What is network penetration testing, and why is it important?
Royce Davis: Probably everybody understands security from a concept of defending or protecting something. What people might not understand as intuitively is this concept of offensive security or securing something by attacking it.
You could get 100 different definitions [of penetration testing] if you talk to 100 different people. I try to be as high level as I can when I say that we're trying to determine if something could be attacked or breached. When we say 'breach,' we mean if the security controls of that thing could be bypassed in some way. You could run a penetration test against a mobile application, website [or] physical building.
My expertise is network penetration testing, typically targeting an enterprise or company. We attack companies, specifically using computers, in an effort to identify where and why the company is weak or susceptible to some form of penetration so we can give the company a recommendation on how it can strengthen that asset -- usually, a computer system.
Companies are well aware attackers are all over the place, and anyone who's paid attention to the news has heard lots about corporate breaches. So, penetration testing at the enterprise level is important and relevant, given the huge attack surface or threat landscape.
What common mistakes do newcomers make as they learn network penetration testing?
Davis: The easiest way to make a mistake is to not pay attention to the statement of work. Earlier on in my career, I used to call myself a 'professional hacker.' I was proud of getting paid to break into computer systems, and that's all I wanted to do. For that reason, I wasn't always paying attention to exactly what was in the statement of work -- what the customer wants out of the engagement.
To be really good at this, you have to focus on your clients and what they want. They want a report that's actionable so they can strengthen their environment. They don't necessarily care how many times you were able to hack them or how skilled you were at breaking in.
That's a mistake a junior pen tester can make -- focusing too much on the cool hacks, which is super fun and probably why they're in the field, but they're getting paid to provide a service that ultimately should have value to the customer.
What tips do you have for IT teams involved in network penetration testing?
Davis: In my book, I talk about when a penetration test is least effective. When do you need one? Because, let's be honest, a penetration test is a service. This is a service business, and service businesses have salespeople who are compensated based on the revenue they generate. Sometimes, there's a penetration test sold to a company; then, you find out it's got default passwords all over the place and missing patches. That organization probably didn't need a pen test to begin with.
I would tell IT folks: There are things to make sure you're doing right out of the gate before you think about pen testing, and one is asset cataloging. Can you tell me every single system that should be on your network? What's its IP address? What's its hostname? What operating system is running on that system? What ports and services should be open and listening? What applications should be present on those systems? Can you tell me all that information reliably, at any given time?
An asset catalog, as simple as that sounds, is something I see people struggle with, and if they did a better job of that, they'd be more secure.
Will the situation with SolarWinds change how businesses approach network penetration testing and network security?
Davis: I'm not privy to any specific knowledge regarding the SolarWinds attack. But, from public information on the internet, attackers found systems with weak passwords. It wasn't necessarily next-generation, zero-day exploits that allowed them to gain access.
Could network penetration testing have prevented this? Maybe. My hypothesis is SolarWinds does penetration testing, because everybody does. And, probably, these systems were reported on but may or may not have been remediated.
Is this going to change how companies go about this? Absolutely. This is a supply chain attack. If you want to go after Company XYZ, there are a bunch of good ways you could do that, and you might succeed if you're skilled. But it's more lucrative to you, as an attacker, if you can penetrate an organization like SolarWinds, which deploys software to thousands of companies, including Company XYZ.
What we're starting to see now -- and what we'll see more of -- is companies doing more due diligence about vendors they do business with. If you go into any modern enterprise's network, you'll find a bunch of systems it bought from somebody else. For example, everybody uses Microsoft Windows or [Mac] OS X and assumes Microsoft and Apple have done some securing of those products. And people buy all sorts of other applications to do their jobs -- HR, IT and so on.
More companies are realizing that, before they can deploy something into their network, they have to scrutinize it, do their own security risk assessment against products and have more isolation.
I've seen tons of times where a company bought a product from another company and said, 'This needs to run as administrator or domain administrator.' That company has a system in its network that it doesn't manage -- their vendor manages it. But it's insecure, and if it were breached or attacked, it contains privileged credentials [hackers] can use to access other systems. So, segmentation will be a big deal as well, in terms of controlling what systems can talk to.
Keep in mind: Security, in general, is a thing people do after the fact. … There are a lot of systemic, architectural flaws in enterprise networks from the way they grew organically -- not thinking about security from the beginning. They thought about it after the business evolved into something, and it's hard to go back and reengineer it.