Each pentest is unique in its own way (even if the techniques are the same). Many factors make it unique, but above all the people: a team of specialists whose style is certainly influenced by the company they work for.
For example, for one company only the pentest and its results matter, because that is the only thing it makes money on. A second company wants to highlight specific shortcomings during the pentest in order to sell its protective solution. A third focuses more on broken business processes in order to raise a whole layer of problems and propose ways to solve them.
Since we work at System Admins, we will talk about the features of our pentests for external customers. They are as follows:
- We are not interested in doing a “pentest for the sake of a pentest” and working on it for several months.
- Testing is done in the shortest possible time, and the results are aimed at showing the real picture of the customer’s information security.
- The goal is to highlight the problematic information security business processes by testing key infrastructure points. If an outdated operating system is found on 20 out of 20 computers, what is the point of showing another 200? Full coverage is often not required, and who can guarantee it anyway?
Based on the results of the pentest, the company can immediately offer to conduct an audit, build business processes, propose protective measures, implement them, and support and monitor them. But not many companies have such a range of capabilities.
It is convenient when the whole package of services can be provided by one company with vast experience in such projects, like System Admins.
From the employee’s point of view, a system administration company means a multitude of projects of all kinds with small and very large customers. And of course, it means working side by side in a team with auditors, implementation and maintenance engineers, vendors, etc.
REAL working days of a pentester
Imagine that you are already working as a pentester. What will your working days look like?
From Monday to Friday you are doing an “external pentest” for Customer 1 together with a colleague. The work is based on personal experience and international methodologies, taking into account the customer’s specifics. You launch scanners, build a map of the infrastructure, go through checklists, and exchange notes with your colleague about discovered vulnerabilities.
At the same time, another team begins phoning the customer’s employees while posing as the security department, sending out threatening-looking letters with malicious attachments; someone even goes out to drop USB drives and put up posters on the customer’s premises.
This is not a competition: interesting vulnerabilities are not always found, people do not always give out passwords over the phone, and protective tools are not always configured “weakly”, so sometimes only a list of the work performed goes into the report. But don’t worry, because every pentest teaches you something new and reveals interesting human factors.
A couple of times, after fuzzing the customer’s input fields, the services degrade and work is suspended. After the limits are adjusted, work continues. Everything is fine. You write a report.
Then you are assigned to an “internal pentest” for Customer 2 with a business trip to the city of N, while one of your colleagues gets to test the mobile application. On arrival you are escorted to a separate office with a prepared workstation. You calmly plug the network cable into the laptop and start the “internal pentest” according to the signed agreement. Perhaps you take over the domain controller 3 hours after the start of work via MS17-010 and collect other vectors over the remaining days. Perhaps you spend all week “playing” with Kerberos delegation on a pair of obtained accounts. IS (information security) employees come by from time to time and ask whether anything has been found. After only 15 minutes you can expect the question: “Well? Did you manage to crack anything?”, while nmap hasn’t even “warmed up”. In any case, you usually have something to surprise the security people with: even with an account from a printer you can get to the Exchange server backups. Then come reports, stories about the “great journey” for colleagues, the customer’s surprise, many recommendations and even more clarifications, but in the end the company really begins to understand that security is a process, not a one-off action, and you will be pleased with the work done.
Then you are assigned to a red team: you drive with a colleague in a car and park next to the bank. You launch an attack on the Wi-Fi using a laptop and a special antenna. You are not the FBI, and you could really “get a headshot” from unpredictable guards, so the antenna is hidden and you have a cover story that you are waiting for friends.
And now the corporate Wi-Fi handshake has been captured, and your colleagues in the office have already cracked it and gone over the Internet into the top manager’s mailbox. It is a success. Then more information gathering, reports, presentations.
On other weekdays you write scripts to automate part of your work, read the news, and test new techniques on the lab stand. In parallel, old customers send you questions about work done a month ago.
For a few hours on Saturday (overtime is paid) the customer has scheduled load testing; you bring the site down 10 minutes after the start, and guess what? You write a report about the results.
Soon there will be an interesting new pentest and a trip to an IS conference at the company’s expense. You shed a tear of happiness and put a quotation mark into yet another web form.
The topic of pentesting is not new; a lot has been written about it in many different ways, relevant disciplines are starting to appear in universities, competitions are organized between specialists, and various conferences are held, but the staffing “hunger” grows every year. In addition, the information security maturity of many companies is growing, more and more information protection tools are appearing, and specialists are required to have high and versatile competencies. It will be useful for every IT specialist (or at least for information security specialists) to take part in a real pentest at least once.