PENTEST-a practical guide for SMEs

Penetration test of your IT systems: a practical guide for SMEs

This article has originally been written in french and then translated with tools. The translation should be on point, but please forgive us if some parts are not perfect.

One of the most common misconceptions is that SMEs are too small to be of interest to hackers. If my company isn’t a target, I’m safe, right?

We’d like to say yes, but unfortunately, it’s not that simple. Your business could be used to gain access to one of your more “important” customers, or you could simply be attacked at random; hackers also like to fish with dynamite… Think of the phishing e-mails you receive all the time, for example.

If you’re reading this guide, you understand the importance of protecting your business. Or maybe a potential investor or customer has challenged you about your security measures, right?

You’ve been asked the fateful question “Have you carried out a penetration test?”, then ended up on Google searching for “penetration test” without really knowing what to look for in the background. Maybe that’s how you ended up on this page. And that’s just as well, because we’re going to help you sort it all out and make you an “informed customer”.

For those in a hurry, here are the sections of the guide to help you quickly access the information you’re looking for (the guide is intended to save you time for the rest, so we still recommend reading it all 🤓):

What is a penetration test?

According to the Office Québécois de la langue française, a penetration test can be defined as: “A test designed to reproduce, in a controlled manner, the real conditions of an attack on a network or information system, in order to detect security flaws and assess their exploitability with a view to correcting them.”

In short, we act like hackers attacking your company, but instead of ransomware, you leave with a report to correct your flaws.

You’ll hear other terms for penetration testing, but they all mean the same thing: pentest, penetration test, computer intrusion test, technical security test (to be validated, but we’ve heard it before).

In practice, penetration testing consists of two services: vulnerability scanning and penetration testing.

Vulnerability scanning

This is the automated portion of the test, using a tool to perform the scan. Here’s the Wikipedia definition: “In computer security, a vulnerability scanner is a program designed to identify vulnerabilities in an application, operating system or network.”

The aim? To automatically identify all known vulnerabilities on the system. Then you can apply the necessary patches to enhance your level of security.

💡 This service is the first step in penetration testing, but it’s also good practice to do them continuously so you’re always aware of new vulnerabilities, we’ll talk about later in the guide.

Penetration test

This is the manual part of the test, the part that most closely mimics a real attack. The consultant comes to exploit the identified flaws to penetrate your system, just as a hacker would. Of course, an ethical hacker won’t do any damage, he’ll stop short.

The two approaches are truly complementary, as they communicate different information. Vulnerability scanning provides quantity (your IT guy is going to have a great job patching the list), and penetration testing is more of a logical approach – we’re going to show you how we got in.

Very important point: although vulnerability scans are highly relevant, they are no substitute for a real penetration test. When you ask for quotes, be careful: make sure that when you ask for a penetration test, the test proposed is not a simple scan. We say this because, unfortunately, it’s a practice we’ve seen on several occasions.

Why carry out a penetration test?

According to a report from Kaspersky Lab, 73% of successful breaches in the enterprise sector are due to the penetration of vulnerable web applications.

We could go on with more statistics to illustrate our point, but we’ll save you some time (the link above is a mine of stats, if you want to push further). Your web application, your internal network, your API or your website are vulnerable. By performing a penetration test, you’re protecting your business by identifying your security flaws before the hackers do.

If that’s reason enough for you, great. You can move on to the next section. If, on the other hand, you still have some doubts about the relevance for your company of carrying out this type of testing. Here are some other common reasons:

At the request of a third party

The request may come from your customers, investors, partners, suppliers, insurers and so on. Being challenged on the security measures in place will become commonplace. Individuals are increasingly aware of cybersecurity issues, and this is now a requirement. The request can be very precise as to the scope of the tests, but it can also be as vague as “to have carried out a penetration test in the last XX months”.

Compliance certification and industry regulations

Many industry regulations or compliance certifications also require organizations to undergo regular penetration testing. The most common examples are ISO 27001, PCI DSS and SOC2 Type II. These standards specify the tests required at different levels of detail, but even the most specific ones don’t specify exactly how or what to test, as this depends on the scenario in question. For this reason, it is often accepted that the company under test is best placed to determine the level of security testing that is appropriate for its scenario. The following tips can help you determine what and how to test.

If you’d like to read more on the subject, and also see how penetration testing can help you make money, here’s our article: Penetration testing: a competitive advantage

What’s my main risk?

Before getting down to the heart of the matter and discussing penetration testing, we need to think strategically. While testing your security level can never do any harm, it does represent a certain budget. A risk assessment is therefore a key step in understanding your needs and choosing the right test(s).

Your business is unique: what you do, your team, your structure, the tools you use. As a result, the cyber risk incurred by your company is not necessarily the same as that incurred by the company next door. Of course, there are simple ways of identifying which risks apply to your company. Here are some questions to ask yourself:

1. If I store sensitive data

Is your business based on the use of customer data? You have a major stake in this, as it’s your responsibility to protect this information. Here are a few examples of industries that are generally concerned: law firms, accountants, marketing, e-commerce or web applications. There’s a legal as well as a reputational issue at stake, so you need to do everything you can to limit the likelihood and impact of a cyber attack.

The first step is to identify on which of your systems this data is stored. If they’re all in one place, is the system really isolated, or can it be accessed by other means?

Here are three examples:

Web application offered to your customers

Obviously, the first step is to check whether an attacker with no account can access your data (we’re talking about anonymous tests here). But what would happen if a malicious standard user tried to access another customer’s data, or even your administration console? In this context, we recommend that you run “authenticated” tests. If there are several roles in your application, it’s a good idea to identify which ones are to be tested (examples of roles: users, administrators, employers, employees, etc.).

Companies handling sensitive information internally

No sensitive data is directly exposed to the Internet? Does your team handle it directly on your internal network? In this context, your website may be less relevant to test. Your main risk is illegitimate access to your internal IT network. A scenario that plays out all too often is one of your employees clicking on a phishing e-mail, thereby giving access to a hacker. We therefore carry out an internal penetration test to validate whether an attacker could gain access to your sensitive data. We always start with an anonymous approach, but we’ll ask you for standard access (the access level of the majority of employees) to test the scenario of phishing or a stolen laptop.

If you offer a financial service

If your company handles money, you become a prime target for hackers, and even for ill-intentioned employees or customers. The approach will be the same as in the previous case, but we strongly recommend continuous vulnerability scans and full penetration tests at regular intervals (frequency to be defined according to the case).

2. If I don’t store particularly sensitive data

This is one of the main reasons why companies don’t see the point of testing their security. If they don’t have anything “valuable”, why invest in protecting it.

The first piece of advice we’d give is to make sure you really don’t have any sensitive information.

Maybe your company doesn’t collect any personal information or credit cards. But do you have your employees’ personal information? Intellectual property? Your application’s source code? What would be the consequences if this information were stolen or destroyed?

If your answer doesn’t change, and you still think that the consequences of an attack wouldn’t be that serious, you can choose to go ahead with a simple vulnerability scan. The investment will be lower, but it will enable you to ensure a minimum of security on your systems. Concentrate on systems exposed to the Internet, such as remote access (VPN), firewalls, websites, web applications and APIs.

3. My company has a production line

Let’s cut to the chase here: how much does an hour’s downtime on your production line cost you? There are lots of different figures online, but the cost quoted ranges from $100,000 to $500,000 CAD. In short, it’s a scenario to be avoided at all costs. A production line stoppage can be the result of a breakdown, but it can also be the result of a cyber attack. If a hacker takes control of your network, it’s game over: he can stop your production line.

In this context, you need to carry out a complete penetration test of your internal network. We’ll be testing the same scenarios as in the previous point (companies handling sensitive information internally). The objective here is more to validate whether a hacker can get to the domain controller(s) of your production chain. We strongly advise you to test your wifi network too, and ask your supplier to help you brainstorm about your plant’s network architecture. It’s quite possible that one of the test recommendations will be to upgrade equipment, but it’s not possible to upgrade certain industrial machines. So you’ll need to “think outside the box”, and look at ways of mitigating the risk by isolating certain equipment from the network, for example.

4. My company has no online presence

Does your company have no online interaction with its customers? For example, do you have an independent physical store with no online presence, and no customer data stored on your computers? We could tell you that penetration testing is always a good idea, but given the investment it represents, we’re not really comfortable with it. Instead, we’d advise you to check that all your workstations (and servers, if any) have anti-virus software, to update your software and to use long and different passwords (a password manager is game-changer, here’s one we highly recommend: https://1password.com/fr/).

If your company is growing or if you decide to use the web to develop your business, read this guide again, you may be in another category ☺

What is my IT environment?

Now that you’ve identified your main risk(s), and been given an initial idea of the tests you should undertake, it’s time to define what you want to test. In cybersecurity, we talk about “penetration test scope”.

So, in other words, what assets do you want to test? If you’re one of the few companies that has an (up-to-date…) inventory of its assets, this is a document that can help you. The idea is to have a good understanding of your environment as a whole before determining the scope of testing. You may decide to test your entire infrastructure, but it’s also possible to choose to focus on just one part of it.

NOTE: Si on fait rouler un scan de vulnérabilités sur votre infrastructure, un bonus pour vous c’est que le scanner va faire un « auto-discovery » et répertorier toutes vos adresses IPs. Vous pourrez utiliser cette information pour créer ou mettre à jour votre inventaire. On dit ça, on dit rien ☺

Here are two quick examples:

For the internal and external network:

“We have a building where our internal network is concentrated. Our 85 employees use laptops, we have 2 physical servers and 4 virtual servers (VMWare), our Active Directory is hosted locally, our Wifi network is made up of 2 SSIDs (one employee, one guest). Most of our tools are in SaaS products that don’t belong to us, and we store our data on Sharepoint. We have 5 IP addresses exposed on the Internet, but only 2 are used.”

For a web application:

“Our HR application is used by recruitment professionals. The platform is sold to a company, which then gives different accesses to its team. So we have at least 2 roles per customer: administrator and recruiter. Each company has its own tenant, with data stored in separate databases. We also have an administrator platform to manage the application as a whole, acting as a super admin.”

How do I define the scope of my penetration test?

Penetration tests must always have a well-defined scope. It must have been discussed with the supplier, and it must be mentioned on the service offer.

Why is this important?

  • Clarify the expectations of each party. If you tell a hacker, no matter how ethical, that you want him to non-exhaustively test your network, you’re going to be his new best friend. That said, your banker may not agree. Testing every possible means of penetrating your network could take months of work, so impressive is the list of vulnerabilities and tools available. Clarifying the scope of testing reduces the attack surface to be tested, and therefore the time and cost required. For example, one way of limiting costs is to sample equipment that would be found in large numbers, but which are all configured in the same way (you might choose to test a sample of 20 workstations out of 150, for example).
  • Avoid unwanted impacts on your business. Are there any systems to avoid? Is the test performed on an application test environment or directly on the production environment? DDoS (Distributed Denial of Service) attack tests are very often excluded from the scope, as the impact is too great (the network is brought down in short…).
  • Enable the provider to estimate the costs required to carry out the test. How many hours are required? Whether you’re testing 2 or 5 roles on a web application, the time or depth of the intervention is obviously not the same.

Just as it’s important to list what will be in the scope, we do the same for what will be excluded:

  • Depending on the decisions made with your supplier: which types of tests will not be carried out: physical penetration test (someone tries to get into the server room), phishing test, etc.?
  • Depending on the need: exclude such and such servers because they’re going to be decommissioned next month, a certain section of the web application is going to be redone, so it’s time to test it afterwards, etc.
  • Depending on rights: the transactional part of the website is managed by another company, so we can’t run tests on their platform without their consent.
  • Depending on your budget: you may need to limit the scope of test scopes for budgetary reasons.

Determining the range is a potentially trickier step, especially if these are your first tests.

💡 This is a good time to evaluate your potential supplier: you’re the one who knows your network, but is he trying to understand your real need? Does he brainstorm with you to choose the best approach? Does he automatically try to sell you the most complete test without validating its relevance to you? In short, you get the idea. This is a good time to see if there’s a fit with your potential supplier. You should work on this step as a team. If you don’t, it’s a red flag 🚩

When and how often to carry out a penetration test?

Security standards such as NIST and ISO27001 recommend continuous vulnerability scanning of your assets, and one full penetration test per year.

Of course, if your business is very high-risk, or you’re making significant changes to your network or application, one a year may not always be enough.

Vulnerability scanning

Running a continuous vulnerability scan is an excellent way of staying informed about vulnerabilities on your network. We don’t want to play the fear card, but there are over 10,000 new vulnerabilities every year. So you’ll understand that even if you perform a vulnerability scan and start patching them, there’s a good chance that the following month, there will be new ones. Without regular scans, you won’t be able to know this and act accordingly.

The cost of running a recurring vulnerability scan can be an issue for some companies, we understand. Our recommendation would be more to limit the scope of testing than not to do any at all. Thanks to the previous sections, you should have a better idea of your main risks and your most sensitive assets. You may choose, for example, to scan only your SaaS application, or just a portion of your internal network.

This is the kind of discussion you can have with your supplier. They’ll be able to advise you based on your budget and the issues at stake.

Penetration testing

A penetration test should generally be carried out once a year, ideally in addition to a continuous vulnerability scan. As a reminder, a penetration test is a manual test in which the expert plays hacker and tries to exploit your vulnerabilities to penetrate your systems (without breaking anything, rest assured 😉 ).

What is the added value of a penetration test versus a scan? The expert goes further than simply listing vulnerabilities. By seeking to exploit them, he’ll be able to uncover more complex weaknesses, linked to your architecture for example. To give you an idea of what he might try to do, here are a few examples:

  • Access customer data other than their own account
  • Modify prices on your website
  • Access your database
  • Become a domain administrator (i.e. have full rights over your network, enabling them to deploy ransomware)
  • Etc.

To help you think about frequency, you can relate your business momentums to your risks. Here are a few examples:

  • You’re ready to launch your application: validating its security beforehand can help you avoid surprises.
  • If you’ve just overhauled your network architecture, check that it hasn’t created any new vulnerabilities.
  • If you’re releasing new functionalities for your application, remember to include security testing in your process. Remember to check with your supplier that it’s okay to proceed with iterative testing, without automatically billing you for a full penetration test each time.

An annual test, if you make few changes to your system and your level of risk is low, should be fine. Again, if you handle money or highly sensitive and coveted data, a quarterly is the minimum.


💡 Finally, security testing is a very good practice. However, vulnerabilities still need to be corrected. If you test regularly, but don’t apply any recommendations, you’re unfortunately wasting your money.

Conclusion

We hope this guide has helped you demystify penetration testing a little. We understand that it’s not easy, but we wanted to give you a better understanding of your needs and how to store for a supplier in an informed way.

This guide could be much longer and more detailed, but we didn’t want to discourage anyone with a guide that never ends. If you’d like even more information, our blog section is all yours 🤓

If we had to sum it all up in a few lines: penetration testing means discovering the vulnerabilities in your systems before the hackers do. All the tools we use as White Hat (ethical hackers) are also used by Black Hat (malicious hackers). I think we can all agree that you’d rather be the one to discover your vulnerabilities first, right?

What’s next?

If you’ve stumbled across this guide by chance, we’re the Yack team. We specialize in offensive security, so penetration testing is all we do all day long.

If you’re at the stage of looking for a supplier, don’t hesitate to contact us. We’ll be happy to help and guide you.

If you’re not ready to start your project yet, but you liked what you read, feel free to follow us on social networks. We’re not the spammy type, we promise 🤓

Finally, whatever your situation, if you’ve enjoyed our guide, if you think it can help others understand penetration testing better, you can share it. Live, on social networks, it doesn’t matter. As long as it helps someone, we’re happy 😊

Peace ✌️

Cyndie & Nicholas

    Why Yack?

    First, for those of you who don't know, the yak is an animal. The energy it radiates (chill with its toupee, but we wouldn't want to piss it off with its horns...) represents us well, and the nerdiest among you might see the little nod to Linux 😉. Of course, Yack's resemblance to Hack is no mere coincidence. It's also a short, punchy name that, once again, sounds like us. Finally, it's a word that earns you 24 points in Scrabble (hello Office de la langue française). Why did you choose .one? In offensive security, all it takes is one attack..."
    A little more about us

    "Pourquoi Yack?

    First, pour ceux qui ne le savent pas, le yack est un animal. L'énergie qu'il dégage (chill avec son toupet, mais on ne voudrait pas l'énerver avec ses cornes...) nous représente bien, et les plus nerds d'entre vous verront peut-être le petit clin d'œil à Linux 😉. Bien sûr, la ressemblance de Yack avec Hack n'est pas une simple coïncidence. C'est aussi un nom court, qui punch, et qui encore une fois, nous ressemble. Enfin, c'est un mot qui te rapporte 24 points au scrabble (bonjour office de la langue française). Pourquoi avoir choisi .one? En sécurité offensive, il suffit d'une (one) attaque..."
    Un peu plus sur nous