I’ve been doing penetration tests for 30 years and here are 3 things that have stuck with me.
I’ve been doing penetration testing for around 3 decades now. I started doing security testing back when the majority of the world was dial-up access to systems. I’ve worked on thousands of devices, systems, network and applications – from the most sensitive systems in the world to some of the dumbest and most inane mobile apps (you know who you are…) that still have in-game purchases.
Over that time, these three lessons have stayed with me. They may not be the biggest lessons I’ve learned, or the most impactful, but they are the ones that have stuck with me in my career the longest.
Lesson 1: The small things make or break a penetration test. The devil loves to hide in the details.
Often people love to hear about the huge security issues. They thrill or gasp at the times when you find that breathtaking hole that causes the whole thing to collapse. But, for me, the vulnerabilities that I’m most proud of, looking back across my career are the more nuanced ones. The ones where I noticed something small and seemingly deeply detailed. You know the issues like this, you talk about them to the developer and they respond with “So what?” and then you show them that small mistake opens a window that allows you to causally step inside to steal their most critical data…
Time and time again, I’ve seen nuance vulnerabilities hidden in encoded strings or hex values. Bad assumptions disguised in application session management or poorly engineered work flows. I’ve seen developers and engineers make mistakes that are so deeply hidden in the protocol exchanges or packet stream that anyone just running automated tools would have missed it. Those are my favorites. So, my penetration testing friend, pay attention to the deep details. Lots of devils hide there, and a few of those can often lead to the promised land. Do the hard work. Test every attack surface and threat vector, even if the other surfaces resisted, sometimes you can find a subtle, almost hidden attack surface that no one else noticed and make use of it.
Lesson 2: A penetration test is usually judged by the report. Master report writing to become a better penetration tester.
This is one of the hardest things for my mentees to grasp. You can geek out with other testers and security nerds about your latest uber stack smash or the elegant way you optimized the memory space of your exploit – but customers won’t care. Save yourself the heartbreak and disappointment, and save them the glazed eyes look that comes about when you present it to them. They ONLY CARE about the report.
The report has to be well written. It has to be clear. It has to be concise. It has to have make them understand what you did, what you found and what they need to do about it. The more pictures, screen shots, graphs and middle-school-level language, the better. They aren’t dumb, or ignorant, they just have other work to do and need the information they need to action against in the cleanest, clearest and fastest way possible. They don’t want to Google technical terms and they have no patience for jargon. So, say it clear and say it in the shortest way possible if you want to be the best penetration tester they’ve seen.
That’s hard to swallow. I know. But, you can always jump on Twitter or Slack and tell us all about your L33T skillz and the newest SQL technique you just discovered. Even better, document it and share it with other testers so that we all get better.
Lesson 3: Penetration tests aren’t always useful. They can be harmful.
Lastly, penetration tests aren’t always a help. They can cause some damage, to weak infrastructures, or to careers. Breaking things usually comes with a cost, and delivering critical failure news to upper management is not without its risks. I’ve seen CIOs and CISOs lose their jobs due to a penetration test report. I’ve seen upper management and boards respond in entirely unkind and often undeserved ways. In fact, if you don’t know what assets your organization has to protect, what controls you have and/or haven’t done some level of basic blocking and tackling – forget pen-testing altogether and skip to an inventory, vulnerability assessment, risk assessment or mapping engagement. Save the pen-testing cost and dangerous results for when you have more situational awareness.
Penetration testing is often good at finding the low water mark. It often reveals least resistant paths and common areas of failure. Unfortunately, these are often left open by a lack of basic blocking and tackling. While it’s good news that basics go a long way to protecting us and our data, the bad news is that real-world attackers are capable of much more. Finding those edge cases, the things that go beyond the basics, the attack vectors less traveled, the bad assumptions, the short cut and/or the thing you missed when you’re doing the basics well – that’s when penetration tests have their biggest payoffs.
Want to talk more about penetration testing, these lessons or finding the right vulnerability management engagement for your organization? No problem, get in touch and I’ll be happy to discuss how MicroSolved can help. We can do it safely, make sure it is the best type of engagement for your maturity level and help you drive your security program forward. Our reports will be clean, concise and well written. And, we’ll pay attention to the details, I promise you that. 🙂
To get in touch, give me a call at (614) 351-1237, drop me a line via this webform or reach out on Twitter (@lbhuston). I love to talk about infosec and penetration testing. It’s not just my career, but also my passion.