PDA

View Full Version : Report shows that most Pentesters are successful



Harold Mansfield
07-26-2018, 11:56 AM
Companies of all sizes hire Pentesters to test the security of their networks, apps, websites, wifi and so on.
Generally they give you parameters and say "See if you can get in". Many times the scope is very narrow either because they're only testing a specific access point, or they're only interested in protecting one thing, one way.

Usually the goal is to expoint weaknesses, and then tell them how you did it so that they can fix those holes.

You might think that Ethical hackers and Pentesters use sophisticated methods, zero day ( not known in any database) exploits and expensive tools to do breach a network. That's not true. Most times the easiest ways still work.

Software not updated.
Guessing easy passwords
Email Phishing
Lax on site security



The pen testers weren't relying on finding novel software exploits; in only one encounter was a "zero day" exploit used, and that was in conjunction with other, previously known vulnerabilities.

Virtually every vulnerability exploited was a well-documented exploit, including SMB Relay, broadcast name resolution, cross-site scripting, or SQL injection.User credentials are the next most exploitable point of entry, with at least one credential captured in more than half (53%) of all the tests, and testers reported that simple password-guessing was the most effective method of gaining those credentials. The guessing game is assisted by users who include the company name (5%), "Password" (3%), or the season (1.4%), in their password — a password that will be 10 characters or shorter 84% of the time.

https://www.darkreading.com/threat-intelligence/new-report-shows-pen-testers-usually-win/d/d-id/1332368

When I'm out and about I will scan around for available networks just to see what people have. Homes, stores and other small businesses. 90% of the time I see multiple networks that I can probably get into. Open wifi, old routers, old security standards and so on. Almost NO ONE out there seems to be very well protected.

Whenever I'm in a business at a desk or at a register I'm frequently face to face with the back of a computer with open USB ports starting right at me. Even in the big box stores.

Whether you have an office or location or work from home, how secure do you think you are against the most basic hacks?
If you know this is something you need to get on, what holds you back from getting started?

Just curious where everyone is.

turboguy
07-26-2018, 03:01 PM
Humm, I had never heard of pentesters. My first thought was that it was someone who came into your business and made sure all your pens worked.

Harold Mansfield
07-27-2018, 12:15 PM
Humm, I had never heard of pentesters. My first thought was that it was someone who came into your business and made sure all your pens worked.
LOL! If that was a thing I would have started a business doing it decades ago.

Basically people hire Pentesters (short for Penetration Testers...gigidy) to test the security of their networks, applications, websites, software...pretty much anything that is tech or web related. It can be remote or on site. On site they're testing not just the security of the network but of the facilities. They want to see how easy it is for you to get into the building and physically access systems, most times without breaking anything. Your job as a Pentester is to basically act like a criminal and do the things that a bad hacker would do to gain access.

The goal is to find holes in the security and offer suggestions or solutions on how to fix them. Large systems to home offices.