Varonis debuts trailblazing features for securing Salesforce. Learn More

Varonis named a Leader in The Forrester Wave™: Data Security Platforms, Q1 2023

Read the report

Penetration Testing Explained, Part I: Risky Business

3 min read
Published September 23, 2015
Last updated October 27, 2021

In most of the security standards and regulations that I’ve been following there’s typically a part titled Risk Assessment. You can find this requirement in HIPAA, PCI DSS, EU GDPR, NIST, and SANS, to reel off just a few four- or five-letter abbreviations.

What is risk assessment? It’s the process by which you decide where the vulnerabilities are in your system, the likelihood of the holes being exploited, and then the potential impact on your business.

The Art of Risk Assessment

If you want a more formal definition, here’s how the folks at the Payment Card Industry (PCI) define it:

Process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.

Risk assessment, though, is more than just an item you check off after chatting with your IT admins. Yes, there are formal methodologies to help you come up with your own assessment plan — see for example Octave.

Generally, these methodologies ask you to do something that goes a little like the following:

  1. Inventory your digital assets: locate key IP, customer PII, files, routers, servers, and apps and other software that keep your business going.
  2. Discover the threats or “threat agents” to your assets: foreign governments, criminal cyber gangs, hacktivists, employees with grudges, and executives who want to steal your IP and start their own company
  3. Probe the system for vulnerabilities or weaknesses that can be exploited by threat agents: weak passwords, insecure web software, poor BYOD policies, etc.

The last one, #3, is the field work part of the assessment process. Organizations have, until recently, based their security preparedness on a static list of vulnerability checks—“we passed a port scanner test, our anti-virus signatures are up to date, and our employee passwords are six characters and longer so we’re done!”

This is where the penetration (“pen”) tester comes into the picture. With a dynamic threat environment that involves sophisticated players, risk assessment requires a pro who knows what’s been seen, as testers say, “in the wild”.

Enter the Pen Tester

IT security teams can’t keep up with officially published CVEs, let alone new zero-day exploits and phishing techniques heard on the grapevine. So you need someone who’s completely focused on breaking into your system, to put it bluntly.

In fact, the people who write the standards have gotten the message. With the release of PCI DSS 3.0, the credit card folks have upped the bar on their penetration testing requirements. NIST, who’s been recently tasked with coming our nation’s cyber security framework, has also been talking up penetration testing and continuous risk assessments.

What Do Penetration Testers Actually Do?

This is an enormous topic, but researchers have organized their activities into four broad phases: planning, information discovery, attack, and reporting.

Pen testers, by the way, do more than just look for software vulnerabilities. They’re thinking like hackers: after they get into your system, their real work begins. They’ll continue to do more discovery and then base new attacks on what they learn as they navigate through folder hierarchies.discovery-attack

And that’s what makes pen testers different from someone hired to just to find vulnerabilities by using, say, port scanning or virus sniffing software.

Metadata Era readers know that today’s attackers are very good at getting around perimeter defenses through phishing and other social engineering. They’ll continue to do more discovery work and then base new attacks on what they learn as they navigate through folder hierarchies.

A Taste of Post-Exploitation

Over the next few posts, I’ll be examining the attack phase after initial access. In the pen tester’s terminology, we’ll be focusing on “post-exploitation”—what hackers see and do after they’ve entered through the front door.

I’ve already written about some of the tricks of the trade here — Pass the Hash, password cracking, and exfiltration.

In the next post, I’ll take on RATs (remote access terminals — or Trojans) to gain a hacker’s eye view. A form of advanced persistent threat (APT), RATs have two parts. The server side is embedded in the payload of a phish mail, or it can be manually installed by the hacker. The RAT server hides itself within other common software — say Windows Explorer—on the victim’s machine.

The client part is used remotely by the attacker to browse directories, search for patterns in files, and then upload and install additional malware.

With RATs  the hackers are not explicitly logged into the system! Hackers communicate with the RAT server module as needed. As a result, security monitoring tools searching for unusual app activity will not necessarily spot anything.

You can think of the RAT as the way hackers get a small foothold in a system, allowing them to take their first post-exploitation baby steps.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
Meta's $1.3B Fine: What can Happen if you Don’t Monitor Your PII
Continuous discovery and data monitoring critical to identify misplaced PII.
HIPAA Compliance: Your Complete 2023 Checklist
Is your organization ready to comply with 2023 HIPAA updates and changes? Ensure HIPAA compliance with your comprehensive 2023 checklist.
Australian Privacy Act 2022 Updates
A series of stunning data breaches in 2022 has prompted lawmakers to begin making changes to the 1988 Australian Privacy Act in the form of the new Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.
The 12 PCI DSS Requirements: 4.0 Compliance Checklist
Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) is right around the corner. Prepare with our PCI DSS compliance checklist.