Sunday, December 15, 2024

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.  I have written many blogs and articles, even published an eBook (through Amazon) and an actual published book about it, through CRC Press.

I have even formed some partnerships with various Cyber vendors offering their Penetration Testing services as well.  Some of them have run the gamut from doing manual testing to having it completely automated.

There is a huge debate about this, and in all the writing and discussions I have had about it, I sit somewhere in the middle.  I think certain parts of the Penetration Testing process can be automated through Generative AI, but you need the human component as well, especially when it comes to communicating with the client and preparing the final report.

But the bottom line is this:  In order to launch a successful Penetration Testing exercise, whoever is doing the offensive work (which is called the “Red Team”) needs to take the mindset of an actual Cyberattacker. 

Normally, a checklist or some kind of prepared agenda is followed, with written permission from the client.  But given just how stealthy the Cyberattacker has become, and the interconnectedness of both digital and physical assets, is simply having this enough?

Again, there is debate about this, but the consensus from what I have seen so far is “No, it is not enough”.  So, what can be done about it?  Here are some tips that I came across in a recent article:

1)     The Need for Creativity:

In this instance, and I really do hate using this tired phrase, the advice is to literally “Think Outside of The Box”.  This simply means that the people doing the offensive work need to take careful stock of what the physical and digital assets of the client are.  Once this has been done, do not prepare a checklist.  Instead, ask the question “Why?”.  “Why is this asset so attractive to me, from the standpoint of breaking into it?”  In other words, the actual Cyberattacker knows that the Red Team will too often be predictable.  So, it is important here to break away from this trend and become unpredictable.  This will yield even better results in the end.

2)     Avoid “Button Pushing”:

This is the actual term that was used in the article.  It simply means finding that fine line between automation and human control.  Do not simply rely upon Generative AI and canned scripts to do the entire job.  As the Red Team, you need to push the boundaries just a little bit more each time you conduct an actual exercise.  This is where group effort and having a clear line of communication play a crucial role.  Some of the Penetration Testers that I know tend to be introverted and isolationist.  Break away from this mold and “bang heads together” with your team to accomplish this.  Remember, two heads are better than one.

3)     Take Notice of Intention:

When things were On Premises, it was easy to find out what the intent of the hacker would be.  But with a lot of businesses now moving to the Cloud, this has become a murky area to figure out.  To crack this, try to figure out what the intent of an actual Cyberattacker would be.  But do not just look for the obvious things such as theft of passwords and Data Exfiltration; instead, try to find those exceedingly small, minute points that the Cyberattacker would be most interested in tapping into.  In this regard, one of their main intentions is to launch what are known as Supply Chain Attacks.  This is where a malicious payload can be inserted into one tiny vulnerability, and from there a cascading effect will take place that will impact hundreds or even thousands of victims.  We saw this in the SolarWinds hack, and even though CrowdStrike denies it was an actual attack, just one mistake made in their software update tool created havoc around the world.  Remember, the Cloud is still to some degree an undefined territory, especially in Public Deployments.  This is where the Cyberattacker is trying to find those very tiny cracks to slip into.

4)     Create The Culture:

This is the role for the CISO of an organization.  They must take the initiative to create a “Hacker Culture” from within their IT Security team.  Meaning, it is not just one person that should try to have this kind of mindset; rather, everybody needs to.  One of the best ways to do this is to launch simulation exercises, and there are many tools online that you can use to do this.  Or even better yet, engage a true Cyberattacker that has now turned to the “good side”.  Have conversations with them as to what they hacked into in the past, why they did it, and what their primary intention was.  If you trust them implicitly, then it would also be best to have them engage in the actual Penetration Test with your team.  After all, they have been in the trenches before, and what better asset could you ask for?

My Thoughts on This:

Well, there you have it, some tips to launch a better Penetration Test.  In the end, complete automation can only take you so far.  In fact, in my view, these tools are far more prone to making mistakes than a human being would be.  For example, what if they hit the wrong target by mistake?  Or, what if the results they provide are not even accurate?

The argument here is that with an automated tool, for just one flat annual fee, you can run multiple Penetration Tests as needed.  This stands in sharp contrast to a manual one conducted by a human team, which can range anywhere from $30K-$40K per test.  But in the end, remember you get what you pay for.

Sunday, December 8, 2024

How To Increase The Security Posture Of Your IoT Devices: 5 Point Checklist

I think over a week ago, I wrote a blog post about the security that goes along with Internet of Things (IoT) devices, and especially giving them as gifts this Holiday Season.  In today’s blog, we are going to build on that and talk about IoT security from the standpoint of business entities.

There is of course a lot more at risk here, especially if an organization is large, and has employees located in different geographic locations throughout the world.  So, here is a quick checklist as to how you, as a CISO, head of an IT Security team, or even a business owner, can do a Risk Assessment:

1)     Take stock:

By this I mean conduct an inventory of all your digital and physical assets.  Then, rank them according to their degree of vulnerability, using a categorical scale, such as 1-10.  In this case, one would indicate least vulnerable, and ten would be the most vulnerable.  Anything in between would be an increasing or decreasing level of vulnerability, depending upon how you look at it (such as 2-9, or 9-2, respectively).  Then, out of all those assets, not only identify the ones that are most vulnerable, but also confirm which of those are of an IoT nature.  Then, decide upon the appropriate controls, and deploy them.  Or if you already have an existing set of controls, then you and your IT Security team need to produce a plan of action to upgrade them to decrease the level of vulnerability as much as possible.  It is important to note that if you have both legacy and recent systems, trying to determine the right set of controls could be more difficult.  In this case, your best bet would be to consult with an MSP or an MSSP to work this out for you.

2)     Power Consumption:

Because of their level of interconnectivity, IoT devices are known to be extremely hungry for both processing power and electrical power.  Therefore, if you do make use of a Vulnerability Scanner, or even do some Penetration Testing, make sure that whatever you use is “lightweight” in design.  As a result, this will not put an extra burden on those resources that are powering the IoT devices, and you will still be able to pinpoint any weaknesses or gaps accurately.

3)     Updates:

Just like a Security Policy, having a reliable Software Update Policy is just as important, if not more so.  This is the one area where most businesses fail, and as a result, they become the victim of a security breach.  Thus, it is important to create a regular schedule for checking for the latest updates that come out from the vendors that you work with, and decide upon a good time (preferably after business hours) in which they should be deployed.  But there is one very important caveat to be remembered here:  There could be times that even these patches and updates have flaws in them.  Therefore, it is important to evaluate them in a sandboxed environment first, before installing them into production.

4)     Access:

Obviously, you want to limit access to those end users who need to have entrance into your IoT devices.  One of the best ways to do this is to implement Multifactor Authentication, also known as “MFA” for short.  This is where you deploy at least three or more different authenticating mechanisms to fully identify the person who wants to gain access.  In this case, try to eliminate passwords altogether, and use something that is much more robust, such as an RSA token or a Smart Card, in conjunction with Fingerprint Recognition and/or Iris Recognition.

5)     Attack Surface:

As a business owner or a CISO, it might be very tempting to connect as many IoT devices together as possible, because the thinking here is that this will increase productivity and offer seamless communications.  While there might be some truth to this, the bottom line is that with all this interconnectivity, you are simply expanding the attack surface for the Cyberattacker.  Through just one point of entry, a malicious payload can be easily deployed and have a cascading effect upon your entire IT and Network Infrastructure.  The moral of the story is to connect only what absolutely needs to be connected, and always keep track of whether you are adding more, unneeded connections.  This can be easily done by using the various Heat Maps in Microsoft Azure.

My Thoughts on This:

Well, there you have it, a quick list as to what you can do to mitigate risks to your IoT devices, and to fill in those gaps and weaknesses that you discover.  This all requires a 24 X 7 X 365 watch, and although this might seem impossible to do from the outset, you can automate much of this, especially by making use of a SIEM based platform.

Sunday, December 1, 2024

How Even The Oldest Threat Vectors Can Bring New Opportunities

Very often, I get asked this question: “What is Cybersecurity?”  For those of us that are in the field, we know that this can be difficult to answer, depending upon the context you want to put it in.  But most of the people I come across are average American citizens, trying to make a go of their lives.

So, what I tell them is this: “Cybersecurity is the protection of digital assets, no matter where they are located”.  Given this broad answer, if I meet the same person again, a follow up question that I get asked is: “What kind of new things are happening in Cybersecurity?”

Well, once again, this can be a difficult one to answer.  So, depending upon the background of the person, I usually tell them that opportunities are usually dictated by what is new on the Cyber Horizon, meaning the threat variants. 

And, if they probe even deeper, I usually start with Phishing as an example.  I tell them that this is the oldest threat vector that is out there, having its origins back in the early 1990s.

The first true Phishing attack then happened in the late 1990s, with the victim being America Online (AOL).  Then I usually get into how Phishing has become much more sophisticated over time, and just how it is close to impossible to tell if an email message is authentic or not. 

This is driven by ChatGPT, which almost eradicates all the telltale signs of a Phishing message.  If the conversation with this person goes on even deeper and longer, I give them further examples of this:

*The rise of Ransomware Attacks, especially those that are Extortion based.

*The boom in Business Email Compromise (BEC) Attacks (this is where a fake invoice is sent, and the Cyberattacker coerces the victim into wiring a hefty sum of money to an offshore account).

*The boom in Smishing Attacks, where a Phishing based text message is sent to your smartphone.

*And so forth.

So, what I am trying to get at here is that even the oldest of threat variants can still pose new opportunities for people in Cybersecurity as we now fast track into 2025.  Another question I get asked is about Robocalls.

I tell them if they ever get a phone call from a number that they do not recognize, it is best to simply delete it.  If it is real and important enough, the person making the call should leave a voicemail.  These kinds of calls are based upon the concepts of Social Engineering.

This is where the Cyberattacker preys upon the emotions of the victim, and once they feel that the victim is vulnerable enough, they will move for the proverbial “kill”.  This could range anywhere from having the victim tell them their login credentials, to even those of the people that are associated with them.

Social Engineering also goes back an exceptionally long time, well before Phishing was born.  But today, it still presents new opportunities.  For example, some of the Penetration Testers I know often engage in Social Engineering exercises by visiting the actual, onsite premises of the client.

They will then assume the role of a legitimate employee (of course they are not, though) and see how easily they can get into the client’s business, by trying to bypass as many of the security checks as they can.  Heck, on a podcast once, a Penetration Tester told me of a case where they actually launched a non-intentional Social Engineering exercise against some people from within the client’s business.  Over time, they were able to build a very convincing dialog with the victims, who would have fallen prey had it been the real thing.

In fact, just some time ago, one of my best friends asked me about what Trojan Horses were all about.  To keep things simple, I told them that it was a form of Malware, which when deployed covertly onto your computer, will function as a legitimate application. 

But on the inside, it is a different story.  It could be ready to plant a malicious payload and detonate it at a preset time, or it could even be Keylogging software that is covertly recording your keystrokes to capture your passwords.

I also told him that Trojan Horses have become so sophisticated that even the newest of the Anti-Malware software packages cannot detect them, because the attack is more targeted towards the CPU and memory of the device.  I even mentioned that there is really nothing new about Trojan Horses; they go as far back as I can remember.  Heck, they were even around when the TRS-80 computers from Radio Shack first came out.

Even an old threat variant like this one poses new opportunities, especially for the Threat Researcher, who is trying to determine these kinds of signature profiles.  Finally, I have even been asked about the recent CrowdStrike incident.

I usually tell people that this is technically known as a “Supply Chain Attack”, whereby a Cyberattacker can deploy a malicious payload through just one point of entry, which in turn, can impact thousands of people, even on a global basis.

If they are interested even further, they then ask me this: “How can so many people be impacted all at once?”  My standard answer for this one is that it is because of the increase in connectivity of just about everything.

One backdoor that is left open can trigger a cascading effect.  But once again here, the issue of secure connections goes back a long time as well, especially with our aging Critical Infrastructure.  Some of the recent attacks have led to our water supply being almost poisoned, and the flow of natural gas being completely disrupted on the East Coast.

My Thoughts on This:

In case you are wondering, the entire purpose of this blog is to simply illustrate that even the oldest attack vectors can still bring in new opportunities for an IT Security team and the CISO to probe into.  By doing this, critical thinking and research skills will be further refined.  In the end, it is not all about Generative AI.  True, it is here to stay and will be forever, and it too brings its set of pluses and minuses to the table as well.

But now it is time that we get out of this hype and start getting back to basics in Cybersecurity.
