Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

Penetration Testing Explained, Part I: Risky Business

In most of the security standards and regulations that I’ve been following there’s typically a part titled Risk Assessment. You can find this requirement in HIPAA, PCI DSS, EU GDPR,…
Michael Buckbee
3 min read
Published September 23, 2015
Last updated October 27, 2021

In most of the security standards and regulations that I’ve been following there’s typically a part titled Risk Assessment. You can find this requirement in HIPAA, PCI DSS, EU GDPR, NIST, and SANS, to reel off just a few four- or five-letter abbreviations.

What is risk assessment? It’s the process by which you decide where the vulnerabilities are in your system, the likelihood of the holes being exploited, and then the potential impact on your business.

The Art of Risk Assessment

If you want a more formal definition, here’s how the folks at the Payment Card Industry (PCI) define it:

Process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.

Risk assessment, though, is more than just an item you check off after chatting with your IT admins. Yes, there are formal methodologies to help you come up with your own assessment plan — see for example Octave.

Generally, these methodologies ask you to do something that goes a little like the following:

  1. Inventory your digital assets: locate key IP, customer PII, files, routers, servers, and apps and other software that keep your business going.
  2. Discover the threats or “threat agents” to your assets: foreign governments, criminal cyber gangs, hacktivists, employees with grudges, and executives who want to steal your IP and start their own company
  3. Probe the system for vulnerabilities or weaknesses that can be exploited by threat agents: weak passwords, insecure web software, poor BYOD policies, etc.

The last one, #3, is the field work part of the assessment process. Organizations have, until recently, based their security preparedness on a static list of vulnerability checks—“we passed a port scanner test, our anti-virus signatures are up to date, and our employee passwords are six characters and longer so we’re done!”

This is where the penetration (“pen”) tester comes into the picture. With a dynamic threat environment that involves sophisticated players, risk assessment requires a pro who knows what’s been seen, as testers say, “in the wild”.

Enter the Pen Tester

IT security teams can’t keep up with officially published CVEs, let alone new zero-day exploits and phishing techniques heard on the grapevine. So you need someone who’s completely focused on breaking into your system, to put it bluntly.

In fact, the people who write the standards have gotten the message. With the release of PCI DSS 3.0, the credit card folks have upped the bar on their penetration testing requirements. NIST, who’s been recently tasked with coming our nation’s cyber security framework, has also been talking up penetration testing and continuous risk assessments.

What Do Penetration Testers Actually Do?

This is an enormous topic, but researchers have organized their activities into four broad phases: planning, information discovery, attack, and reporting.

Pen testers, by the way, do more than just look for software vulnerabilities. They’re thinking like hackers: after they get into your system, their real work begins. They’ll continue to do more discovery and then base new attacks on what they learn as they navigate through folder hierarchies.discovery-attack

And that’s what makes pen testers different from someone hired to just to find vulnerabilities by using, say, port scanning or virus sniffing software.

Metadata Era readers know that today’s attackers are very good at getting around perimeter defenses through phishing and other social engineering. They’ll continue to do more discovery work and then base new attacks on what they learn as they navigate through folder hierarchies.

A Taste of Post-Exploitation

Over the next few posts, I’ll be examining the attack phase after initial access. In the pen tester’s terminology, we’ll be focusing on “post-exploitation”—what hackers see and do after they’ve entered through the front door.

I’ve already written about some of the tricks of the trade here — Pass the Hash, password cracking, and exfiltration.

In the next post, I’ll take on RATs (remote access terminals — or Trojans) to gain a hacker’s eye view. A form of advanced persistent threat (APT), RATs have two parts. The server side is embedded in the payload of a phish mail, or it can be manually installed by the hacker. The RAT server hides itself within other common software — say Windows Explorer—on the victim’s machine.

The client part is used remotely by the attacker to browse directories, search for patterns in files, and then upload and install additional malware.

With RATs  the hackers are not explicitly logged into the system! Hackers communicate with the RAT server module as needed. As a result, security monitoring tools searching for unusual app activity will not necessarily spot anything.

You can think of the RAT as the way hackers get a small foothold in a system, allowing them to take their first post-exploitation baby steps.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

wyden’s-consumer-data-protection-act:-preview-of-us-privacy-law
Wyden’s Consumer Data Protection Act: Preview of US Privacy Law
The General Data Protection Regulation (GDPR) has, for good reason, received enormous coverage in the business and tech press in 2018. But wait, there’s another seismic privacy shift occurring, and...
5-things-privacy-experts-want-you-to-know-about-wearables
5 Things Privacy Experts Want You to Know About Wearables
There’s been a lot of news lately in the health and fitness wearables space. Apple just announced they’re releasing an app, called “Health,” as well as a cloud-based platform “Health...
post-davos-thoughts-on-the-eu-nis-directive
Post-Davos Thoughts on the EU NIS Directive
I’ve been meaning to read the 80-page report published by the World Economic Forum (WEF) on the global risks humankind now faces. They’re the same folks who bring you the once...
how-to-discover-gdpr-data-with-varonis
How to Discover GDPR Data With Varonis
GDPR goes into effect in less than 85 days – but there’s still time to prepare. The first step in getting ready for the upcoming deadline is to discover and...