Not All Penetration Tests Are Created Equal

by Sarah Harvey / September 18th, 2018

When you vet a company or an individual to perform penetration testing on your organization, what do you look for? Price, certifications, experience? Those are all important aspects, but you must also consider the quality of the penetration testing you will receive. All too often, we see organizations who pay for a penetration test and are expecting a thorough service receive a vulnerability scan labeled as a penetration test from a misleading firm, giving security officers a false sense of security.

Even if you’ve been undergoing penetration tests for years, how sure are you that your employees can withstand a social engineering attempt? Social engineering is creative, it’s cunning, and it’s a form of penetration testing. Social engineering leverages and manipulates human interactions to compromise your organization. The stories that come out of social engineering engagements can be shocking to security officers who believe that the outcomes or situations in these stories could never happen to their organization. Here’s your wake-up call: they absolutely could happen to you.

Social Engineering Stories from the Field

“You won’t be able to do that.”

“You will never get into that secure area.”

“We will see the traffic.”

“None of our employees will give you that type of access.”

We’ve heard it all. It’s hard to convince organizations that our team of penetration testers will be able to manipulate its employees or environment until they see the results. What are some of our stories from the field?

Tailgating is an easy way to enter secure areas with minimal effort. We’ve had employees hold a door open for us to re-enter their building after hours. Because they’re so ready to leave at 5:00, they don’t ask questions. Once we’re in the building, it’s easy enough to tailgate through doors or hallways with some type of access system. We could act like we’re talking on the phone while waiting for an employee to use that same door or hallway, then walk in after them. Doesn’t look suspicious, right? From there, the penetration tester would have access they need.
If not tailgating, how about just waiting? We’ve been known to wait in a restroom stall or some other remote area until no one else is in the building, and then we have the access we need to find a network jack and hook our device to it.
What could happen when administrators aren’t present to ensure employees are following policies and procedures? We’ve sent our team into our clients’ offices with fake work orders and deceived their way into a data center, where they’re then left alone. Easy enough to find a switch in a data center while no one’s watching, right?
What could happen during business hours? We’ve seen clients with network jacks in open areas, like next to a public coffee station or restroom. It’s easy enough to plug a device in without anyone seeing or questioning it.
What could happen while you’re physically with a penetration tester? If you’re the data center manager and you’re at dinner with a penetration tester, is there any possible way he/she could copy your badge? It’s happened before.

At KirkpatrickPrice, our goal in penetration testing is to make the test as real of an experience as possible for the client. When we say “simulate a real-world attack,” we mean it. If a hacker is determined to attack you, how far will they go? What methods will they use? We will think outside the box to make our security testing more real. Our penetration testers will work all hours to find the perfect attack window; they’re going to work 5:00 pm to 5:00 am, not 8:00 am to 5:00 pm. They will hack while sitting in your parking lot overnight, not in your conference room. We will enlist as many team members as needed to find your areas of weakness. Penetration testing, and especially social engineering, is at the core of why KirkpatrickPrice operates the way that it does. Hackers are intelligent and sneaky, and organizations need to be ready for whatever threat comes their way.