
What Game of Thrones Can Teach You About DIY Penetration Testing

Whether you’ve seen the hit series or not, right about now you’re probably thinking, “What does Game of Thrones have to do with network security?” It’s a bit of an odd comparison, surely.

It’s true. George R. R. Martin’s mythical characters have never needed cybersecurity. But many of them know a thing or two about protecting what they value.

Take the Night’s Watch, for instance. The Night’s Watch is a military order dedicated to guarding the Wall, an immense fortification that makes up the northernmost border of Westeros. The Wall was built to protect the citizens of Westeros from the White Walkers and wildlings that lie beyond it.

The structure itself is strategically designed so that those defending it can easily target enemies who attack it. And it’s armed with weapons of its own. Its defenses are robust. And the Night’s Watch works actively to defend the Wall, keeping threats outside of Westeros.

Now for the real-world connection: you want to defend your network like the Night’s Watch defends the Wall. Well…

To do this, you’ve got to know which potential threats you’re up against. The Night’s Watch stays aware of what dangers to arm against in order to protect the Wall. You must do the same to safeguard your network.

Enter penetration testing (also known as pen testing).

Essentially, penetration testing is when you or an outside security consultant exploit your network’s vulnerabilities. The goal is to find all of the holes in your defenses and discover how to properly address them.

There are both free and paid penetration testing tools on the market. However you decide to pen test your network, here are the steps to follow to explore gaps in your fortifications.  

1. Know What You’re Getting Into

Before you start to carry out a penetration test, you need to think about the potential consequences. Penetration tests involve scanning and probing your network. During the test, your network may become sluggish, your computers may run more slowly, or your system may crash.

All of these can potentially lead to downtime. So it’s good practice to get proper training on how to run a test, or to enlist the help of a professional who has experience and skill in avoiding the potential pitfalls of pen testing.

2. Go on a Reconnaissance Mission

Once you decide to undertake penetration testing on your own network, you need to scan it and extract as much information as possible. Open-source programs like Nmap or Lansweeper will be able to map your network and scan all of its open ports. You’ll learn which computers and devices are connected to your business network, what applications they’re running, what operating systems they’re using, and whether any end users are running unauthorized services. You’ll also discover any unauthorized devices connected to your network.

Additionally, you want to identify information about your staff that can possibly be used to personalize a cyberattack. For instance, the names of IT staff, company executives, and staff social media accounts. These can reveal nicknames and personal information often used in passwords.
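
For the network-mapping part of this step, a scan is most useful when you compare it against the devices and services you expect to see. The following is an added example, not part of the original article: it parses Nmap's XML output format (the -oX option) and flags unknown devices and unapproved open ports. The sample scan, IP addresses and APPROVED inventory are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (nmap -oX), trimmed to the fields used here.
SAMPLE_XML = """<nmaprun>
<host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
 <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.23" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
 <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
 <port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.1.77" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host>
</nmaprun>"""

# Hypothetical approved inventory: host -> TCP ports it is allowed to expose.
APPROVED = {"192.168.1.10": {22, 443}, "192.168.1.23": {445}}

def open_ports_by_host(xml_text):
    """Return {ipv4: {(port, service), ...}} for hosts reported as up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None or status is None or status.get("state") != "up":
            continue
        found = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                found.add((int(port.get("portid")), svc.get("name") if svc is not None else "unknown"))
        hosts[addr.get("addr")] = found
    return hosts

def audit(xml_text, approved):
    """Flag devices missing from the inventory and open ports nobody approved."""
    findings = []
    for ip, ports in sorted(open_ports_by_host(xml_text).items()):
        if ip not in approved:
            findings.append((ip, "unauthorized device", sorted(ports)))
            continue
        extra = sorted(p for p in ports if p[0] not in approved[ip])
        if extra:
            findings.append((ip, "unauthorized service", extra))
    return findings
```

Calling audit(SAMPLE_XML, APPROVED) on the constructed scan reports the unapproved VNC port on 192.168.1.23 and the unknown device at 192.168.1.77; the closed port 3389 is ignored.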

3. Run a Vulnerability Scan

The next step is to run a vulnerability scan on your network. This scan will show which machines have outdated software versions or missing security patches and whether any wireless access points are open. You’ll also learn which communication measures lack security and how strong passwords are.

Tools such as OpenVAS and Qualys FreeScan are quality scanning programs that will give you valuable insight into your specific network vulnerabilities.

4. Exploit Your Findings

Next, you’ll exploit the vulnerabilities found during the scan in an attempt to gain unauthorized access to your business network. A database such as Metasploit allows you to match potential vulnerabilities to pre-programmed exploits. It also contains tools that allow you to create your own attack scenarios.

Once a system vulnerability is identified, you can use it to penetrate your network and uncover sensitive business data. You can even go so far as to compromise said data. For instance, if you can access a server’s password file, you may then be able to use a password cracking tool to find passwords. You can likely then use these passwords to access more confidential business information in other areas of your network.  

It’s imperative to document your entire process so you can refer back to what you discovered and how.

5. Talk with Employees

If you want to go the extra mile, and we suggest you do, you need to attempt to trick your employees. What we mean is, you should send out a phishing email or two or give them a call and try to entice them into revealing login details or other company information.

While it may seem like you’re pulling a fast one on them, the truth is that 66% of data protection leaders admit employees are the weakest link in an organization’s security posture. You need to know if your employees are going to compromise your network. If they do, it’s something to subsequently address through proper training.

6. Take Action

This last step may seem obvious. However, if you know your network’s vulnerabilities but don’t work to fix them, you aren’t doing yourself any good. Use what you’ve learned in your penetration testing to bolster your network security.

In the past year, a whopping 75.6% of organizations have been victims of a cyberattack. Had these organizations properly secured their network, this number would be a lot lower. Being proactive in preventing hackers from entering your network is crucial to avoid reputational damage, loss of resources, and downtime.

That’s why, whether you do it yourself or hire a security consultant, it’s a good idea to regularly run penetration tests.