The challenge for Day Seven is – Learn one or more things about Penetration testing.
I ran a quick Google search for a penetration testing definition and found this tidy video:
To me, penetration testing looks like one of the coolest branches of testing.
Getting paid to play hacker/spy and commanding some of the tastiest pay brackets the industry can offer sounds fantastic.
Organisations are often well equipped to deal with an external party trying to hack into their network, or to defend against attacks on their code and infrastructure.
However, exploiting people's trust, expectations and curiosity (social engineering) tends to be a far more reliable way in.
These two surprised themselves with a similar experiment somewhere in the USA.
And this Australian comedic duo demonstrate the power of carrying a ladder.
These examples may seem harmless, but imagine doing the same thing and saying "I just need to get these boxes to the server room, mind holding the door?"
In some cases physical access might not even be required.
Loading a trojan, keylogger or similar payload onto a USB drive and putting a sticker on it labelled "O-Week Costume Party", "Amsterdam 2017" or "Payroll 2015" could be enough bait for a curious staff member to plug the device into a PC, handing the attacker a foothold on the internal network.
With the rise of the Internet of Things, it's also important to check that default credentials on devices (cameras, printers, routers and the like) have actually been changed; a device still accepting its factory username and password is an open door that needs no social engineering at all.
Company policy and training are one way to combat this, but performing semi-regular penetration tests is a really solid way to check that the training has been taken on board.
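As an added example (not code from the original post), here is a small check for the default-credential point above: it tries a list of factory-default username/password pairs against a device's HTTP Basic-auth login and reports which, if any, still work. The device names, the credential list and the local stand-in "device" it spins up are all constructed for the sake of a self-contained, offline run; real vendor default lists are longer and device-specific, and `find_default_credentials` should only be pointed at devices you are authorised to test.

```python
"""Check whether network devices still accept factory-default credentials.

Added example, not code from the original post. The device inventory, the
default-credential pairs and the local stand-in device below are all
constructed for this example; real inventories and vendor defaults differ.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed list of common vendor defaults (assumption: a real engagement
# would use a vendor-specific list for each device model).
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("admin", ""),
]


def try_basic_auth(url, username, password, timeout=3.0):
    """Return True if the endpoint accepts the given HTTP Basic credentials."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError:
        return False  # 401/403 etc.: credentials rejected
    except (urllib.error.URLError, OSError):
        return False  # unreachable: treat as "not accepted", not as a finding


def find_default_credentials(url, candidates=DEFAULT_CREDENTIALS):
    """Return the first (username, password) pair the device accepts, or None."""
    for username, password in candidates:
        if try_basic_auth(url, username, password):
            return (username, password)
    return None


def audit_inventory(devices):
    """devices: dict name -> URL. Returns dict name -> accepted default pair or None."""
    return {name: find_default_credentials(url) for name, url in devices.items()}


class _FakeDevice(BaseHTTPRequestHandler):
    """Stand-in for an IoT web console (constructed); accepts exactly one pair."""
    accepted = None  # (username, password); everything else gets a 401

    def do_GET(self):
        expected = "Basic " + base64.b64encode(
            ":".join(self.accepted).encode()).decode()
        if self.headers.get("Authorization", "") == expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the console quiet


def start_fake_device(accepted):
    """Start a local HTTP 'device' on a random loopback port; returns (url, server)."""
    handler = type("Handler", (_FakeDevice,), {"accepted": accepted})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/", server


if __name__ == "__main__":
    # One device left on factory defaults, one with a rotated password (constructed).
    unchanged_url, srv1 = start_fake_device(("admin", "admin"))
    rotated_url, srv2 = start_fake_device(("admin", "Tr0ub4dor&3"))
    results = audit_inventory({"printer-lobby": unchanged_url, "camera-01": rotated_url})
    for name, hit in results.items():
        print(f"{name}: {'STILL DEFAULT ' + repr(hit) if hit else 'ok'}")
    srv1.shutdown()
    srv2.shutdown()
```

The check deliberately treats an unreachable device as "no finding" rather than as a pass, so a flaky network does not hide a device that is still on factory credentials; rerun those separately.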
EDIT: Turns out what I was describing was “Red Team Engagement” rather than Penetration Testing – oops!
Pen testing is usually planned and well defined, and doesn't usually contain physical and social engineering attacks. Another key point is that the organisation and staff members are made aware of the attacks. Red Team engagement sounds much more open and intense.
Thanks for reading my post and following my progress through the 30 Days of Security Testing.
Feel like joining in? Sign into the WeTest Slack group and get involved!