The secrets of cybersecurity: What is a pentest and what is its value for companies?
Have you noticed how quickly the world is moving from physical space into the virtual environment? The excitement around the recent rise in the price of bitcoin has popularized cryptocurrencies, and sectors such as fintech, payments and banking are frequent targets of cyberattacks that aim to obtain personal information (emails, credit card numbers and so on) in order to steal money. To prevent such situations, we recommend considering a form of security assessment called a penetration test (pentest).
A penetration test (pentest) is a simulated cyberattack on computer systems, mobile applications and web applications, carried out to assess their security. The test shows how vulnerable a particular system is to real attacks.
A pentest estimates how easily an attacker could reach the system's components and data, how many threats the system is exposed to, and what the consequences of such attacks would be for the company. It also lets the company take preventive measures to reduce those risks before an attacker finds the same weaknesses. Many companies additionally use pentests to train their information security specialists.
Why do companies need pentests?
Leading companies often consider their internal information security team qualified enough to handle any cyberattack. In practice, every company is vulnerable. Consider two cryptocurrency exchanges as an example: one declined to run a pentest and suffered a breach, the other commissioned one.
In September 2020, the news of a cyberattack on KuCoin, one of the biggest cryptocurrency exchanges in the world, shocked the global community. According to KuCoin, the attack was made possible by a leak of the private keys to the exchange's hot wallets, and cryptocurrency assets valued at about 270 mln USD were stolen.
Around the same time, the cryptocurrency exchange Kuna commissioned a pentest from Hacken to identify vulnerabilities in its product. The test revealed the weak elements of the system at an early stage, and Kuna fixed them before they could lead to financial losses or personal data theft. The company also ran a bug bounty program (a program that rewards researchers for vulnerabilities they find in a system or web application) on HackenProof, which gathered more than 5000 hackers from different countries who helped find vulnerabilities that the earlier stage had not identified.
Hacken spent two weeks assessing the system, following the OWASP (Open Web Application Security Project) and PTES (Penetration Testing Execution Standard) methodologies. It applied the Black Box approach (described in more detail below), which models what an external attacker with no inside knowledge can do. Hacken ran automated and manual tests of the whole system, of user accounts and of the API, and assessed the risk that an unauthenticated attacker could obtain users' confidential information. Kuna asks its clients for a minimal amount of confidential information, and the most important data are now strongly protected. Overall, the pentest confirmed a high level of security for Kuna's exchange operations, and thus that clients' funds are safe. According to cer.live, at the time this article was prepared, the total value of cryptocurrency held in Kuna's cold and hot wallets was about 7 mln USD.
As a result, conducting the pentest allowed Kuna to prevent losses of crypto assets and theft of clients' personal information.
Two vulnerability classes in particular give attackers access to the databases holding a company's client information: SQL injection and RCE (remote code execution). SQL injection lets the attacker read the client database and steal everything in it, including credit card data, addresses, personal details and even the amounts of the transactions a client has made on the resource. RCE lets the attacker run commands on the servers behind the resource, which creates a risk both of information leakage and of a ransomware attack. In both cases the stolen databases end up on the black market for resale.
Such incidents become public and attract the attention of regulators, who are authorized to sanction the companies that own the affected resources for the security and privacy violations their inaction caused; in most cases a fine is imposed. Even the giants have vulnerabilities and compliance failures. Consider Google's violation of the General Data Protection Regulation (GDPR): in 2019 the French regulator CNIL found that Google had failed to give users clear and adequate information about how their personal data were used and fined it 50 mln EUR, still far below the GDPR ceiling of 4 per cent of worldwide annual turnover. Companies also often ignore reports of system errors received from users, and as a result hackers gain access to users' personal information.
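To show what the SQL injection class looks like in code, here is an added example written for this article (it is not code from Kuna, KuCoin or Hacken). It uses Python's built-in sqlite3 module with a constructed customers table; the table, its rows and the payload are invented for illustration. The vulnerable function splices user input into the query text, the fixed function passes it as a bound parameter:

```python
"""Added example: a vulnerable SQL lookup beside its parameterized fix.

Illustrative code written for this article; the customers table and rows
below are constructed sample data, not real exchange data.
"""
import sqlite3

# Constructed sample data: the kind of table an attacker would want to dump.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "4111111111111111"),
    ("bob", "bob@example.com", "5500000000000004"),
    ("carol", "carol@example.com", "340000000000009"),
    ("o'brien", "obrien@example.com", "6011000000000004"),  # legit apostrophe
]


def make_db():
    """Create an in-memory SQLite database holding the sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, email TEXT, card_number TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """VULNERABLE: user input becomes part of the SQL text.

    Quote characters in the input are parsed as query grammar, so whoever
    controls the input controls the WHERE clause.
    """
    query = (
        "SELECT username, email, card_number FROM customers "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_fixed(conn, username):
    """FIXED: the value travels separately from the SQL text as a parameter,
    so it can only ever be compared as a string, never parsed as SQL."""
    query = (
        "SELECT username, email, card_number FROM customers "
        "WHERE username = ?"
    )
    return conn.execute(query, (username,)).fetchall()


# Classic tautology payload: closes the string literal, ORs in an always-true
# comparison, and comments out the trailing quote the template appends.
INJECTION_PAYLOAD = "' OR '1'='1' --"


def vulnerable_breaks_on_apostrophe(conn):
    """The same root cause is also a correctness bug: a real name containing
    an apostrophe makes the spliced query a syntax error."""
    try:
        lookup_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Return (rows for a normal lookup, rows dumped by the payload through the
    vulnerable query, rows the payload gets through the fixed query)."""
    conn = make_db()
    legit = len(lookup_vulnerable(conn, "alice"))
    dumped = len(lookup_vulnerable(conn, INJECTION_PAYLOAD))
    safe = len(lookup_fixed(conn, INJECTION_PAYLOAD))
    return legit, dumped, safe


if __name__ == "__main__":
    print(demo())  # one normal row, the whole table, nothing
```

The payload returns every row of the table through the vulnerable function and none through the parameterized one, and the "o'brien" case shows that the fix is also the one that makes the lookup work for ordinary input containing a quote.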
It is therefore more reasonable to prevent an issue than to deal with its consequences.
What are the types of pentests?
At first glance, all penetration tests seem to follow a single algorithm. In practice, depending on the objectives, there are several types of pentest:
- Social engineering – obtaining a person's confidential information or credentials through phone calls, emails or social networks. It is reported that 80 per cent of attacks aimed at stealing personal information are carried out this way;
- Web application (web pentesting) – identifying security vulnerabilities in the web applications running on the client's servers or used from its devices;
- Network service (network pentesting) – attempting to break into the network infrastructure to identify the elements an attacker could exploit;
- Client side – testing the client-side components of an application (the code running in the user's browser or the desktop or mobile app installed on the client's device);
- Remote access – testing VPN gateways and similar services through which users connect to the internal systems;
- Wireless networks – testing wireless networks and services and their individual components and functions (access points and routers, packet filtering, encryption and authentication, etc.);
- SCADA pentesting – assessing supervisory control and data acquisition systems, i.e. the systems that monitor and control industrial equipment.
What are the stages of a pentest?
Regardless of its type, a pentest usually goes through the following stages:
1) Information gathering about the target
This covers publicly available data: usernames, the devices employees use, open ports, and information about the employees of the company.
2) Scanning
At this stage the tester identifies devices with open ports and the services listening on them. The tester also checks whether the identified devices still use the manufacturer's default usernames and passwords.
3) Vulnerability analysis
The collected information is analyzed to map the system's weaknesses and develop a plan of attack.
4) Exploitation
After the analysis the most important stage begins: gaining access to the systems through a vulnerability identified in the services on the victim's network. If all technical attempts fail, the tester turns to the company's employees (social engineering).
5) Reporting
The last stage is the report listing all vulnerabilities identified in the client's system, together with recommendations on how to fix them.
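As an added example for the scanning and analysis stages above (written for this article, not a Hacken tool), the following Python script performs a minimal version of the scanning step: it probes a list of TCP ports on a host, records the banner each open service announces on connect, and matches the banner against a table of vendor default credentials that the tester would then try by hand. The credential table and the fake service used to exercise it are constructed for illustration; on a real engagement you would use published default-password lists and only scan hosts you are authorized to test.

```python
"""Added example: port scan, banner grab and default-credential lookup.

Illustrative code written for this article. DEFAULT_CREDENTIALS and the fake
service are constructed for the demo; nothing here is a real vendor default.
"""
import socket
import socketserver
import threading

# Constructed sample table: banner prefix -> (default user, default password).
DEFAULT_CREDENTIALS = {
    "SSH-2.0-ExampleRouter": ("admin", "admin"),
    "220 ExampleFTP": ("anonymous", "anonymous"),
}


def grab_banner(host, port, timeout=1.0):
    """Connect to host:port and return what the service announces.

    Returns the banner text if the service sends one, '' if the port is open
    but the service stays silent, and None if the port is closed or filtered.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except socket.timeout:
                return ""  # open, but the service waits for the client to speak
    except OSError:  # refused, unreachable, or the connect timed out
        return None
    return data.decode("ascii", errors="replace").strip()


def scan_ports(host, ports, timeout=1.0):
    """Return {open_port: banner} for every port that accepted a connection."""
    results = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is not None:
            results[port] = banner
    return results


def default_credentials_for(banner):
    """Return the (user, password) pair the banner suggests, or None."""
    for prefix, creds in DEFAULT_CREDENTIALS.items():
        if banner.startswith(prefix):
            return creds
    return None


def audit_host(host, ports, timeout=1.0):
    """One record per open port, flagging services that likely ship defaults."""
    report = []
    for port, banner in sorted(scan_ports(host, ports, timeout).items()):
        report.append({
            "port": port,
            "banner": banner,
            "default_credentials": default_credentials_for(banner),
        })
    return report


class BannerHandler(socketserver.BaseRequestHandler):
    """Fake service used only to exercise the scanner on localhost."""

    def handle(self):
        self.request.sendall(self.server.banner)


def start_fake_service(banner):
    """Start a throwaway listener on 127.0.0.1 (ephemeral port); return (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), BannerHandler)
    server.banner = banner
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def reserve_closed_port():
    """Return a port that is closed right now (bound, then released again)."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    server, port = start_fake_service(b"SSH-2.0-ExampleRouter_1.0\r\n")
    try:
        for entry in audit_host("127.0.0.1", [port, reserve_closed_port()]):
            print(entry)
    finally:
        server.shutdown()
        server.server_close()
```

The three return states of grab_banner matter in practice: a silent open port (empty banner) still needs a protocol-specific probe, a closed port tells you nothing, and a banner match only tells the tester which credentials to try, not that they work.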
What are the approaches to testing?
Depending on how much information about the systems the client gives the contractor, one of the following approaches is used:
- White box – the contractor receives extensive information, such as the network structure, and full access to the object of testing.
- Grey box – a combination of the white box and black box approaches; the contractor knows the configuration of the system only partially.
- Black box – the contractor is given only the range of external IP addresses and collects everything else from open sources, closely imitating what a real attacker would do.
What is the price of a pentest compared to the cost of a ransomware attack?
Companies that conduct penetration tests operate not only abroad but also in Ukraine. For example, in 2020 Hacken tested the Gate.io and Kuna cryptocurrency exchange platforms.
The price of a penetration test ranges between 10 and 20 thousand USD depending on the complexity. That is a reasonable outlay compared to the cost of a ransomware attack (malware that encrypts the data on the victim's machines and demands payment for the key), which can reach 50 thousand USD at about 500 USD per device, before counting downtime and recovery.
Thus, a penetration test lets a company find the vulnerabilities in its system before attackers do. Considering the cases above, simulating attacks is key to ensuring the company's security.
Consequently, every company has to decide whether to prevent an issue or deal with its consequences.