Appalachia Technologies Blog

Appalachia Technologies team is comprised of a diverse mix of IT professionals, some of whom have been on the forefront of IT since the industry’s inception. Through the years, our team has developed a wide array of experience in understanding individual needs and how they relate to your business.

What is Penetration Testing – Finding Vulnerabilities Before the Bad Guys Do (appTECH TALK Ep. 2)

If you are an organization with digital assets to protect, you’ve most likely heard the term Penetration Testing, also known as Pen Testing.  Penetration testing is the process used to find vulnerabilities and leverage them to hack an organization.

Isn’t Hacking Bad?

It certainly can be.  However, professional penetration testers are ethical hackers.  They follow a set of industry-standard guidelines.  These are the good guys that are trained to think like an attacker and simulate how a real-world attack can affect an organization.

What types of Penetration Testing are there?

There are three types of penetration tests that we are going to focus on.  These include External, Internal, and Web Application penetration testing.  What type should your organization pursue?  Well, it depends.  I will explain each one in detail.

External Penetration Testing

External penetration testing is really where an organization should start. The term “external” refers to any digital asset sitting on the outside, or external interface, of the firewall. With over 50 billion devices connected to the internet, many of them sit outside of firewalls. When services sit outside the firewall, they can potentially be accessed from anywhere in the world. It is important to ensure that only required systems and services sit outside the firewall. Along with limiting the number of exposed systems, patching must be kept up to date, and default usernames and passwords on any device should be changed. An ethical hacker performing a penetration test will look for vulnerabilities that could allow someone to gain unauthorized access. After gaining access, the tester will then use techniques to “pivot” to other portions of the network. If proper controls aren’t in place, this can sometimes allow the attacker to reach the inside of the firewall. If a choice must be made because of company budget, the external penetration test is typically the place to start.

Internal Penetration Testing

Unfortunately, internal penetration testing is often overlooked. This is because of the misconception that anything inside of the firewall is safe. This isn’t the case. Eighty-five percent of the breaches that happened in 2021 involved the human element. For example, phishing attacks against users inside the network have been a major cause of ransomware. Ransomware usually involves a user clicking a malicious link. When this happens, an attacker can gain access directly to that computer, which is inside of the firewall. From there, the attacker can pivot to other portions of the network. Many attackers reside on the network, inside the firewall, for months before detection. A penetration tester will test the network inside the firewall to see what vulnerabilities exist on the inside. For example, if a user in the marketing department clicked a phishing link and allowed an attacker to gain access, would the attacker be able to pivot to accounting? Controls like these are often tested in an internal penetration test.

Web Application Penetration Testing

It’s this simple.  If your company or organization has a website, you have a web application.  Web application penetration testing is the process of testing the web application (website) to find vulnerabilities.  The tester then uses these vulnerabilities to gain access to the back end of the web application to possibly access another account.  Escalating privileges on the web application may allow an attacker to change administrative settings, re-route pages, steal credit cards, change prices on a website, or even access proprietary information.  A web application penetration test is typically performed against the OWASP guidelines.  OWASP is an organization that has produced industry standard guidelines used for testing.  This ensures that proper techniques are used to find potential vulnerabilities within a web application.

In summary, a penetration test should occur yearly at a minimum. It is extremely rare that a penetration test has no findings. Teams should be prepared to mitigate and fix vulnerabilities soon after they are reported. If this is completed on a consistent basis, it will ensure that your organization is performing its due diligence in securing your assets.


Mike Miller is a cybersecurity professional with 25 years of experience throughout the IT industry. He has focused on security, specializing in the areas of Virtual Chief Information Security Officer services, Governance, Risk, and Compliance, PCI, SOC, Intrusion Detection, Penetration Testing, and Incident Response. In 2011, Mike founded Cyber Protection Group, which was acquired by Appalachia in 2022. Mike is passionate about mentoring and assisting aspiring cybersecurity professionals and can be found regularly sharing insight on his LinkedIn profile. When he isn’t fighting cyber crime, Mike loves spending time with his wife and kids, often boating in the Ozarks.

Thursday, May 19, 2022