The constant rise in cybercrime has surely pushed companies to take their cybersecurity more seriously, and many have turned to penetration testing as a way to combat multiplying threats. Although this established practice is highly effective, there are still many necessary improvements to help scale it to the current needs of the tech ecosystem.
CyberNews sat down with Adrian Furtuna, our Founder & CEO, to talk about the ins and outs of penetration testing. Here’s why Adrian believes that no matter how advanced the technology is, some aspects still need a human approach.
From launch to lift-off – our abridged story
I started Pentest-Tools.com almost a decade ago as a personal side project while I was working as a penetration tester in a big four company.
The idea came from a couple of problems I constantly ran into at my day job:
As a pentester, I had to use multiple tools from various suppliers (open source and commercial). They were difficult to manage and update, and I felt the need to operate all of them from one place.
I was doing penetration testing from my company’s laptop and there were lengthier scans that extended after working hours. I needed a way to run scans from a system that was always on, so I could leave them running overnight and get the results in the morning.
Reporting was – and still is – a big pain point for most penetration testers. Back then we were doing .docx reports manually and it was terribly time-consuming to aggregate results from multiple tools, add evidence, write executive summaries, create the risk matrix, formatting, etc.
To address these issues, I started Pentest-Tools.com, the first cloud-based penetration testing platform. The project grew organically and started to have more traction among like-minded users who enjoyed running scans from a remote location.
Now we have more than 35 employees and are still growing organically as a bootstrapped company.
We are thankful to have lots of customers from all around the world who appreciate our work and use our platform every day.
The full pentest setup that supports productivity and growth
Pentest-Tools.com enables security professionals to perform end-to-end penetration tests from a single location. As one of our customers said, they can use the platform to build a “library of pentests” with lots of key elements they can reuse and fine-tune to make their work better and more effective.
The platform embeds more than 25 proprietary and open source tools for reconnaissance, vulnerability scanning (web and network), and exploitation. All these tools produce results in a standardized format, which means pentesters can do all their reporting 80% faster.
Besides the tools, the platform has some key features that make it unique:
scanning automation using pentest robots
automated Attack Surface mapping and visualization
scanning internal networks through VPN
option to create editable DOCX reports
API access to manage our cloud-based scanners and get the results they need
Shared Workspaces & Items to help teams streamline collaboration and uphold the same quality standard while also retaining individual workflow preferences.
Combining automation with unique human logic
The entire platform provides a full setup for a pentester who aims to both do great work and continue to improve their skills and know-how.
From my 10+ years of experience as a penetration tester, I firmly believe that human-based security testing cannot be fully replaced by an algorithm and achieve the same high-quality results.
While there are many elements of this activity that can – and should – be automated, there are others that definitely need a human touch:
understanding the logic of an application
differentiating between the impact of two apparently similar vulnerabilities
understanding the interaction between the target system and other systems or humans
knowing when to stop and when to push further, and so on.
To create more space in the workflow for these uniquely human abilities to shine, you need to automate some parts of the penetration tester’s activity. It just so happens that these are some of the most repetitive tasks too: discovering the attack surface, first-hand scanning for vulnerabilities, trying automatic exploitation where possible – and repeating all these whenever necessary.
For these types of tasks, we have created a feature called ‘pentest robots.’ This is a custom scanning flow that a pentester can configure so it runs specific tools with custom options in a certain order, to cover the boring but necessary tasks in their routine.
By offloading this tedious work, the penetration tester has more time to focus on the interesting part of the engagement (e.g. exploitation) which requires more advanced skills.
Similar attack methods, but against weaker targets
Regarding the operating mode of threat actors, I don’t think there was a significant change since they were already working from home.
However, their targets have probably shifted – from attacking the target organization directly to attacking individual employees who are now working remotely. So the security of the home network becomes more and more important as it essentially constitutes the entry point to the corporate network.
Monetization opportunities – the big incentive for cybercrime
It is ironic that many of the common attack techniques nowadays have been commonplace for at least 10 years:
taking advantage of old/unpatched software
cracking weak passwords
exploiting common web application flaws like SQL injection, arbitrary file reading, improper access control, etc.
What is different is that cybercriminals have found a novel way to monetize these attacks in the form of ransomware. This threat is real and we’ve seen time and again the damaging operational and financial impact it has on the target organization.
Often, if an attacker gains access to a database of sensitive information, they can easily sell it on the black market and make some good money.
Bad actors have the motivation, the methods, and plenty of opportunities to use both in the form of high-risk, widespread vulnerabilities that linger in systems for years before organizations manage to patch them.
Why penetration testing is not the first step towards security maturity
Penetration testing (a.k.a. pentesting) is a proactive method to verify the effectiveness of the security mechanisms implemented in a company’s IT environment. This evaluation involves simulating an adversary’s attempts to discover and exploit vulnerabilities (e.g. missing patches, weak passwords, insecure configurations, programming faults, etc.) with the final goal of gaining access to sensitive data and compromising the target systems.
In terms of tech or security maturity, a company should contract a penetration test only after it has tried to implement basic security measures. It makes no sense to pay somebody to check if your front door is safe if you already know that it is unlocked.
In terms of the company profile, any organization that deals with confidential data or must protect digital assets can benefit from discovering its weaknesses before attackers do.
For instance, given their unique information security requirements, financial institutions are required to run penetration tests on a regular basis. They also have internal processes that turn a pentesting report into action points for the entire company. It’s one of the reasons you don’t really hear about banks getting breached in spite of being the most targeted organizations out there.
Lay out your defenses (before going on the offensive)
Penetration testing is just one among a set of measures that contribute to maintaining a good cybersecurity posture in a company.
Defensive security measures are even more important than penetration testing. Companies need at least the basic security measures in place, such as regular software updates, regular backups of critical data, antivirus software, inbound and outbound traffic filtering mechanisms (e.g. WAF), SSL/TLS and VPNs to protect data in transit, and encryption to secure data at rest. The list is long, but, thankfully, much easier to tackle due to the abundance of solutions and skilled specialists who can implement them.
Taking existing security skills online
I think the best ‘tool’ for individual users to improve their personal cybersecurity posture is to work on their cyber education and awareness and then put it to good use.
Similarly to how we strive to protect our physical assets (our home, our jewelry, our car, etc.), we need to learn how to protect our digital assets (email account, cloud storage, social media profiles, etc.) since their importance is continuously increasing in our lives.
Simple things anyone can do: keep software updated, avoid unlicensed software (since it’s full of malware), don’t visit shady websites, be extra critical of the links you click, install apps only from trusted sources, and run a robust antimalware solution.
The fewer apps we use, the less we compromise our security. The less we expose our data on the Internet, the safer our digital footprint is. Keeping it simple really works for personal security on the internet.
What’s next for Pentest-Tools.com?
Pentest-Tools.com has evolved into a complete penetration testing platform. It now enables users to perform the entire flow of a pentesting engagement from a single destination: reconnaissance, vulnerability detection, exploitation, and reporting.
Now that we’ve reached this point of maturity in the platform’s development, our goal is to make it as useful as possible for pentesters who deal with new vulnerabilities that seem to be overflowing into the tech ecosystem.
This involves updating our vulnerability scanning tools with detection for the latest critical vulnerabilities as soon as possible. It means adding automatic exploitation capabilities that help pentesters validate truly vulnerable targets fast. And it entails doing that while keeping the platform in the service of its users, without overburdening them with admin work.
That’s why we invest a great deal of effort into creating a better user experience for our customers and in improving testing flows to maintain simplicity.
We want Pentest-Tools.com to be the go-to place for IT and security professionals who want to run comprehensive penetration tests from a reliable, always up-to-date, and optimized platform that allows them to grow.
[This interview was initially published on CyberNews.com.]