Put Yourself in the Shoes of an Attacker
In this course, you’ll learn how to attack a web application to find vulnerabilities. In other words, you’ll be doing something very much like a “hacker” does! But do you know where this term comes from?
Originally, it didn’t just refer to people who attacked systems without authorization. In the 1950s, it was used by MIT students to describe a student who had developed an original technical method of using a telephone for anything other than its intended purpose. They were called “telephone hackers”.
As pentesters, when we try to understand how an application is designed to work, we also try to understand how we can use it or manipulate it in ways that meet a need that the developer hadn’t intended or even wanted.
It is this kind of thinking and stance that lies at the heart of what we do.
People often think at first that a pentester’s goal is to find a flaw that no one has found before, whereas our job is much more open-ended and more often than not, involves asking ourselves:
“And what happens if I do this?”
Demonstrate Professional Ethics
We mentioned “cracker” earlier as a term used to refer to a “malicious hacker.” So let’s take a quick look at the different types of hackers:
A white hat is a hacker with good intentions who strives to improve the level of security of the systems they work on, all within a legal framework.
A gray hat is a hacker with good intentions who sometimes acts without authorization (for example, testing a system they do not own or have no permission to test). That behavior is what tips them into this category.
A black hat is a hacker with malicious intentions who aims to compromise a system or application.
During your assignments, you may also identify previously unknown vulnerabilities in applications or products that a number of your clients use.
Should you publicly disclose these vulnerabilities or not? Is it ethical and acceptable to publicly disclose a vulnerability discovered in an audited product?
No. You are under contract with your client, who is paying you to find vulnerabilities, and what you find in the course of that work is confidential. If the vulnerability is in a product that several clients use, the right course of action is to agree with your client on how to handle it and then report it to the software vendor or the person responsible for the product, rather than disclosing it publicly yourself.
Responsible disclosure means different things to different people. For our purposes, it means that the person or organization that found the vulnerability reports it privately to the relevant software vendor, and that the vulnerability is only made public once the vendor has released a fix for it.
To avoid any ambiguity, some companies have a Vulnerability Disclosure Policy (VDP).
Act Within a Legal Framework
Penalties depend on the jurisdiction, the statute and the damage caused. In the United States, for example, a minor first offense under the Computer Fraud and Abuse Act (CFAA) can bring up to a year in jail, while more serious offenses, including deploying ransomware, carry five to ten years in prison, or more if you have prior convictions, along with substantial fines. And let’s not forget the civil damages payable to the attacked company, which can run into millions of dollars.
In this course, you are allowed to attack the targets we give you, and only those. No other system mentioned in the course, or anywhere else, is in scope!
Learn About Who Regulates the Practice of Pentesting
Offensive security and penetration testing are subject to increasing regulations.
In the United States, CISA (the Cybersecurity and Infrastructure Security Agency) is responsible for proposing guidelines for the security of government information systems and for driving progress in cybersecurity at the national level.
It sets out recommendations in best practice guides, which you can use as a basis for your own recommendations or to clear up any doubts you may have on a subject. NIST (the National Institute of Standards and Technology) publishes the standards and guidance that most of this work refers to, such as the NIST Cybersecurity Framework and NIST Special Publication 800-115 – Technical Guide to Information Security Testing and Assessment, which describes how to plan, conduct and report on security tests.
Together, these guidelines help to:
standardize the approach to penetration testing.
improve service quality and system security.
Although no formal certification is required to work in these areas, we recommend that you take a closer look at CISA’s Critical Infrastructure Training to understand the requirements and activities involved in security audits.
Other government agencies around the world are responsible for understanding and managing risks to their country’s cyber and physical infrastructure:
CSA in Singapore.
BSI in Germany.
NCSC in the United Kingdom.
ANSSI in France.
Some non-governmental organizations are working toward similar goals. The Council for Registered Ethical Security Testers (CREST) accredits companies and certifies their testers, and companies like Offensive Security certify individual practitioners at various levels of expertise through exams such as the OSCP and OSCE.
Finally, there are standards that “obligate” you to conduct a penetration test in certain regulated sectors:
PCI DSS for any organization that stores, processes or transmits payment card data (its requirements explicitly call for regular penetration testing)
GDPR for any system processing personal data of EU residents (Article 32 requires regularly testing the effectiveness of security measures, which is commonly met with penetration tests)
ISO 27001 for the scope covered by the certification, etc.
Let’s Recap!
Conducting a penetration test means first and foremost putting yourself in the shoes of an attacker and thinking like one, all for the benefit of your client.
To conduct a penetration test, you need to understand how the application works, imagine what could go wrong, and know how to make it go wrong.
Be careful, however, to stay “on the right side of the law,” as carrying out a penetration test without the application owner’s consent is punishable by law.
People with offensive cybersecurity skills are usually grouped into three categories (white hats, gray hats and black hats). A pentester works as a white hat: with authorization and within a legal framework.
Many organizations, especially government agencies, regulate penetration testing. In the U.S., CISA (Cybersecurity and Infrastructure Security Agency) provides guidelines and best practices for both companies performing and commissioning penetration tests.
In the next chapter, we’ll be tackling the first stage of a penetration test: defining the scope with the client!