Penetration testing is vital as it helps identify vulnerabilities in a system or network, allowing organizations to proactively strengthen their security and protect against real-world cyber threats, ultimately safeguarding sensitive data and assets.
The penetration test, or pentest, is a controlled intrusion into a software system to reveal and eliminate vulnerabilities. Today the pentest is the closest model of a real cyber attack and the best means of preventing one.
The need grows more crucial every year: the 2022 statistics show a 40% growth in the number of new vulnerabilities compared with 2021, from 13,000 to 21,000. 21,000 vulnerabilities per year are invisible to scanners but can bring multimillion losses.
That’s why both the principles of penetration testing and the test cases themselves lead researchers to treat unique vulnerabilities as valuable precedents and to analyze pentest reports in detail.
Company to Deal with and Its Risks
Stage zero of the pentest is collecting a full package of background information about the reviewed company and about the breach, if one happened. Let’s model a typical hypothetical cryptocurrency company, call it Ultimo Chain, which faced an exploit of its native exchange. For better illustration, the Ultimo model combines features of several real cryptocurrencies, bridges and exchanges attacked in 2021-2022.
Ultimo relies on its own blockchain encryption and has never undergone a penetration test before. But penetration testing success stories show that a medium or large company needs one. The main company features and risks, according to the checklist of OUR SITE experts:
- Industry. As a cryptocurrency IT business, Ultimo is more interesting for cybercriminals than industrial manufacturers.
- Market cap. A highly skilled intruder may consider a market leader a worthwhile target despite its complex security system. Ultimo is a medium-sized company ranked 150+ on CoinMarketCap with a capitalization under $150M, so it’s a decent trophy.
- Original system. The software of most medium or larger businesses is a unique combination of apps, services, connections and client interfaces. A breach in one component may expose the others to malicious actors. Ultimo runs its own coin, stablecoin and exchange on its own blockchain, plus several bridges between Ethereum and other altcoins.
- Data access policies and staff instructions. Ultimo is an open-source project, and anyone can review its code on GitHub. Financial transaction data is encrypted on the blockchain and kept in secured clouds. Meanwhile, all communications and supporting information go through regular messengers, email and external storage. Ultimo has 50+ remote workers with 3 levels of access for partners, regular developers, managers and architects.
After the exploit, the exchange was robbed. According to the further investigation, a hacker drained all native stablecoins (25% of the total supply) from the Ethereum pair, sold them on an external DEX and covered the tracks in a crypto mixer.
Main Sectors for Vulnerability Detecting
The Ultimo pentest not only targets the software and several technical supplements but also looks closely for human errors. The research has to detect:
- data leak sources;
- hardware malfunctions;
- sustainability of connections;
- system errors and wrong settings;
- weaknesses in the code and encryption;
- vulnerabilities related to staff and management.
The specific feature of this penetration testing case study is that the core code is public. However, the GitHub code contains no visible vulnerabilities and was excluded from the possible data leak sources.
The pentest team has to pay attention to the following elements:
- Core software — services and processing software on servers or in clouds, resilience to data leaks, errors and crashes during malware intrusion.
- Websites — page rendering, navigation and script behaviour during DDoS attacks or corruption by malware, encryption and coding against web page data theft, reliability of redirects from multinational sites to local mirrors.
- Networks — reliability of connections and protocols for data transfers, vulnerabilities within local company networks and during remote access.
- Client apps — options and probability of virus infection, interface misconfigurations, vulnerabilities related to application access and cached private data.
- Remote access software — possibilities for malware intrusion into the VPNs and for forging IP addresses.
- Wireless networks — reliability of Internet connection software (routers, encryptors, filters).
- Hardware functioning (SCADA) — reliability and risks of the controlling software in sensors and transmitters. This type relates to power, temperature or pressure equipment, including equipment inside the servers.
- Human factor — possibilities for staff, clients or partners to corrupt software or cause data leaks (management of data access levels, phishing and similar hacking techniques).
Most penetration testers are narrow but experienced specialists who analyze separate categories of vulnerabilities. Then the team discusses the results as a whole.
Vulnerability Hunt Step-by-Step
A professional pentest follows a certified methodology in these steps:
- Preliminary scanning for common vulnerabilities with security scanners (Kali Linux and Rapid7 Nexpose).
- Additional manual testing for original vulnerabilities.
- Severity level attribution for vulnerabilities according to standard calculations (NVD by NIST).
- Test exploitation, including specially written software.
- Summarizing the research in generated (Cyver Core) and manually complemented reports.
- Choosing ways to eliminate vulnerabilities.
Security testing professionals may also consult related sources for additional information. In the Ultimo model, the pentest specialists review the exchange transaction history. The Ultimo blockchain scanner shows that every recent purchase was cancelled because of a lack of validation nodes. However, after the cancellation, the exchange currency was redirected to the fraudster’s wallet instead of the exchange one.
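The two signals the scanner review relies on (a wave of cancelled purchases, and refunds leaving for a wallet that is not the exchange’s) can be checked mechanically. The following script is an added example written for this article, not a tool from the Ultimo model or from any real exchange; the CSV layout, the trading pair names and all wallet addresses are constructed placeholders, and the exchange wallet constant is an assumption:

```python
import csv
from decimal import Decimal
from io import StringIO

# Constructed sample export of exchange transactions, in the shape a
# block-explorer CSV export might take. Pairs, amounts and addresses are
# made up for this example and correspond to no real chain.
LEDGER_CSV = """\
tx_id,pair,status,amount,refund_to
0x01,USDU/ETH,cancelled,1200.00,0x1111111111111111111111111111111111111111
0x02,USDU/ETH,cancelled,4800.50,0x2222222222222222222222222222222222222222
0x03,USDU/ETH,confirmed,300.00,
0x04,USDU/ETH,cancelled,99.50,0x2222222222222222222222222222222222222222
0x05,USDU/BTC,confirmed,10.00,
"""

# Assumed: the exchange's own settlement wallet, the only address a refund
# for a cancelled purchase should ever go to. Placeholder value.
EXCHANGE_WALLET = "0x1111111111111111111111111111111111111111"


def cancellation_rate(csv_text: str) -> dict[str, float]:
    """Fraction of cancelled transactions per trading pair.

    A jump towards 1.0 is the 'every recent purchase was cancelled' signal:
    on its own it may be a validator outage, but it deserves a closer look.
    """
    totals: dict[str, int] = {}
    cancelled: dict[str, int] = {}
    for row in csv.DictReader(StringIO(csv_text)):
        pair = row["pair"]
        totals[pair] = totals.get(pair, 0) + 1
        if row["status"] == "cancelled":
            cancelled[pair] = cancelled.get(pair, 0) + 1
    return {pair: cancelled.get(pair, 0) / n for pair, n in totals.items()}


def find_diverted_refunds(csv_text: str, exchange_wallet: str) -> list[dict]:
    """Cancelled transactions whose refund went anywhere but the exchange wallet."""
    flagged = []
    for row in csv.DictReader(StringIO(csv_text)):
        if row["status"] != "cancelled":
            continue
        # Hex addresses compare case-insensitively: a checksummed and a
        # lowercase spelling of the same address must not raise an alarm.
        if row["refund_to"].lower() != exchange_wallet.lower():
            flagged.append({
                "tx_id": row["tx_id"],
                "pair": row["pair"],
                "amount": Decimal(row["amount"]),
                "refund_to": row["refund_to"],
            })
    return flagged


def diverted_total(flagged: list[dict]) -> Decimal:
    """Sum of the amounts that left the exchange through diverted refunds."""
    return sum((f["amount"] for f in flagged), Decimal("0"))


if __name__ == "__main__":
    for pair, rate in cancellation_rate(LEDGER_CSV).items():
        print(f"{pair}: {rate:.0%} of recent transactions cancelled")
    diverted = find_diverted_refunds(LEDGER_CSV, EXCHANGE_WALLET)
    for f in diverted:
        print(f"ALERT {f['tx_id']} {f['pair']}: {f['amount']} refunded to {f['refund_to']}")
    print("total diverted:", diverted_total(diverted))
```

Run against the constructed ledger, the script reports a 75% cancellation rate on the USDU/ETH pair and two refunds (4,900.00 in total) that went to an address other than the exchange wallet. In a real review the exchange wallet list would come from the company’s own configuration, and the check would run over the explorer export for the whole incident window rather than a handful of rows.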
How and Why to Classify Vulnerabilities
Vulnerability detection is the first stage of the penetration testing case study. The test team detects common weaknesses with scanners to shorten the audit and to let the experts focus on manual detection of the unusual ones.
As a result, the company Ultimo received comprehensible metrics of its system weaknesses, the most severe of them relating to:
- Possibilities for access level manipulation.
- Sending data from the exchange to external apps.
- Phishing opportunities on the personal computers of remote workers because of unsecured messengers and storage.
During the further penetration testing case study, the found vulnerabilities are assigned a severity category according to their danger level and potential negative consequences:
- Critical — The vulnerability is open and can be used by malicious actors at any moment. It allows malware to run within the organization’s software and needs immediate fixing.
- High — The vulnerability is also available without additional conditions. It doesn’t allow changes within the company’s software, launching of malware or deleting of data. But the actor still can intercept any protected information.
- Medium — The vulnerability allows the stealing of only low-priority information and only after the actions of the medium-level specialist. The malware can’t be launched. Most of these cases are due to errors in software configurations.
- Low — The vulnerability menaces with data leaks and is caused by software configuration, particularly data access levels and company data policies. Using this type of vulnerability requires social engineering and, sometimes, additional software exploits.
The analysis lets the team rate the Ultimo vulnerabilities as medium and low. Yet these appear to be exactly the weaknesses the hacker used.
The next stage is a practical attack on the researched system, but without damage. The pentest team exploits the software only after backups are made and by agreement with the organization. The main steps:
- The cyber security team develops several scenarios that involve all found vulnerabilities.
- The test environment runs them and records all successful intrusions.
- The reports go to the company managers with commentaries.
- The cybersecurity team models the consequences if a malicious actor exploits the same sectors or achieves the same data.
- The company and pen-testers evaluate the probability of each scenario and calculate the possible losses.
The practical work adjusts the theoretical results. Some vulnerabilities interact with others and receive higher severity levels. Some are offset by other program components and are considered low-risk. Practice often reveals missed weaknesses and unexpected consequences of an exploit.
The penetration testers try to recreate the scenario of the Ultimo exploit as the main one. It combines the detected vulnerabilities, social engineering and data from the blockchain scanner:
- The tester rewrites and compiles an open-source code to get a binary file.
- Then, the expert creates a classic phishing email trap involving a fake Google authentication page, uses the passwords saved in the target’s browser and gets access to the Ultimo designer’s account at the external storage.
- The specialist uses a popular hacking solution to get the third level of access and, as a result, reads the project manager’s database of developers’ information in the common documents.
- With the received accesses, the tester can enter the site server (even without a proxy), replace the purchase binary file with the forged one and relaunch the exchange.
A check transaction of a small amount shows that the exploit was successful, and the tester restored the replaced file. The scenario used allows not only stealing money but also deleting the whole exchange, the source code and all supporting materials (except the backups on staff computers).
Strategies and Recommendations to Overcome Security Problems
After discussing the vulnerabilities and related risks, the testers offer ways to resolve them. The company compares their reliability and the necessary expenses to choose the best solutions for this penetration testing case and its test cases.
Additionally, the pentest team advises how to prevent similar troubles during software upgrades and the expansion of business processes. At the company’s request, the team describes the warning signs and the general paths that can lead to danger.
These are general recommendations for Ultimo, which will suit any organization:
- Creation of the security software list for obligatory installation by remote staff.
- Using secured data rooms or similar business solutions instead of regular storage.
- Monitoring all server changes and notifying the lead developers about them.
- Using one-way data encryption and duplication for databases.
- Integration of biometric identification for the second and third security levels in storage.
- Registration of all involved devices by the administrator.
These steps outline the security update plan, but exact solutions must be developed for, and together with, each individual company.
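The recommendation to monitor and report all server changes addresses the final step of the recreated exploit, where a purchase binary on the site server was swapped for a forged one. A minimal form of that monitoring is a file-integrity baseline: hash every deployed file once, store the manifest away from the server, and diff on a schedule. The script below is an added example written for this article, not Ultimo’s tooling; the directory layout and file contents in the demo are constructed:

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of one file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map every file under root (as a relative POSIX path) to its SHA-256."""
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files that appeared, disappeared or changed content since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_manifest(manifest: dict[str, str], path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path: str) -> dict[str, str]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Demo on a throwaway directory (constructed): take a baseline, then
    # overwrite one deployed binary and drop in an unexpected file.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "purchase"), "wb") as fh:
            fh.write(b"original build\n")
        baseline_path = os.path.join(root, "..", "baseline.json")
        save_manifest(build_manifest(root), baseline_path)

        with open(os.path.join(root, "bin", "purchase"), "wb") as fh:
            fh.write(b"different build\n")
        with open(os.path.join(root, "bin", "extra"), "wb") as fh:
            fh.write(b"unexpected file\n")

        report = diff_manifests(load_manifest(baseline_path), build_manifest(root))
        print(json.dumps(report, indent=2))
        os.remove(baseline_path)
```

Two design points matter more than the hashing itself. The baseline must live somewhere the server’s own credentials cannot write (a separate host, or at least a signed copy), otherwise whoever replaces the binary can rewrite the manifest in the same session. And the diff should feed a notification to the lead developers on every non-empty result, as the recommendation above says, rather than being read only when someone thinks to look.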
Mutual Collaboration for the Best Results
The pen-testing team consults the researched company while it implements the offered changes. They control the quality of the work and adjust the algorithms if direct implementation runs into difficulties.
As penetration testing success stories show, the team and the company must share clear results and check each other’s work. The testers list all vulnerabilities; the company notifies the testers about every implementation nuance.
Ultimo is also advised to repeat the penetration test periodically because the company:
- makes frequent global upgrades of both the blockchain and the apps;
- integrates new cryptocurrencies and fiat payment methods;
- develops apps for smart TVs and desktops.
In short, not only major leaks but any global change should be accompanied by a new professional pen test.
Benefits for Pentested Companies
Despite its best-quality blockchain, the modelled cryptocurrency company failed in the supporting factors, especially those related to data storage and human error. Eliminating these vulnerabilities helps Ultimo prevent:
- data leaks;
- new money and time losses;
- a decrease in the company’s market value;
- further damage to its reputation and loss of clients.
In total, the pentest helps Ultimo increase its market sustainability and outpace competitors. The costs of both the pentest and the security improvements pay off especially quickly in the fast-moving crypto industry.
Pentest: Way to Forget about Intruders
A penetration test followed by upgrades is the best way to cut losses from hacks and to overcome their consequences thoroughly and in a way tailored to the company. That’s why the results of each penetration testing case study are so valuable.
As every modern company has a unique software complex, off-the-shelf solutions do not suit it. Only manual testing with a customized plan and a hands-on exploit can reveal all security weaknesses. Finally, pentest services are a safe and affordable way to outpace competitors and secure the company’s market future.