Security is at the heart of every digital business. With today's sophisticated technology, it is always possible for a hacker to exploit a vulnerability in your system and inflict enormous damage. This is especially problematic for blockchain-based companies, which usually handle very large amounts of money. To protect their investors' interests, it is their responsibility to make sure they take every possible step to test and investigate their code thoroughly. This is where penetration testing comes in.
Penetration testing has proven to be the best method of discovering potential security breaches. In this guide, we look at what penetration testing means and how it can help your company.
What is Penetration Testing?
A penetration test is, put simply, a simulated cyber attack against a system in order to check it for vulnerabilities. In web application security, penetration testing is commonly used to fortify firewalls. The insights from these tests can be used to fine-tune the product and plug the vulnerabilities.
Now, why is it needed? Well, thanks to this article, we came across some interesting statistics:
- Over 69% of organizations based in the United States do not think that their anti-virus protection or firewalls can effectively protect them from attacks.
- The average cost of these breaches for a US company has reached almost $7.5 million, and it is almost $5 million in the Middle East.
- In 2017, a cyber attack was recorded every 40 seconds, resulting in total losses of $5 billion, a staggering increase from 2015's $325 million.
- It is projected that by 2019 a cyber attack will happen every 14 seconds, with total losses amounting to $21.5 billion.
- The medical and financial industries have suffered the most, with losses of $380 and $245 per capita respectively.
The following are the kinds of cyber attacks that companies had experienced as of August 2017:
The Five Stages of Penetration Tests
The five stages of a penetration test, according to Incapsula, look like this:
Alright, so now let’s look into each of these steps.
Stage #1: Planning and Reconnaissance
Reconnaissance is the act of gathering preliminary data or intelligence on your target.
It makes sense for this to be the first stage of the test because it helps one learn more about their target and hence decide on the best course of action. There are two kinds of reconnaissance:
- Active reconnaissance: The tester interacts directly with the target and asks it questions to help build up their mode of attack.
- Passive reconnaissance: The tester gathers recon information through an intermediary rather than by contacting the target.
In this stage, the tester defines the scope and goals of their test wherein they state the systems that they are going to address and the testing methods that they are going to use.
Stage #2: Scanning
The scanning phase consists of using technical tools to gather intelligence on the target. Think of using a vulnerability scanner on the target network. This stage will help the tester understand how the target will respond to various attack attempts. There are two forms of testing that are done in this stage:
- Static Analysis: This includes inspecting the code of the application to predict how it behaves during runtime. This analysis can be done in a single pass.
- Dynamic Analysis: In this analysis, you inspect the application’s code while it is running. This analysis is much more practical, as it provides a real-time insight into how the application performs.
Stage #3: Gaining access
In this stage, you gain access by taking control of one or more network devices to either:
- Extract data from the target
- Use the device to launch attacks on other targets
This stage uses various methods to uncover the target’s vulnerabilities such as cross-site scripting and backdoors. The testers can exploit vulnerabilities by escalating privileges, stealing data, intercepting traffic etc.
Stage #4: Maintaining Access
This is the stealthy part of the test: the tester tries to keep their access to the network for as long as possible.
So, what is the purpose of this stage?
Well, the tester checks whether the vulnerability that was found can be exploited to stay inside the Dapp/project ecosystem for a long time. In other words, if a hacker takes advantage of the vulnerability, how long can they remain in the system without being detected?
Stage #5: Analysis
Alright, so now we are in the final stage.
In this stage, the tester first covers their tracks to remove any chance of detection: any changes the tester made must be returned to their original state, or to a state that the host network's administrators would not recognize.
All the results of the tests are then compiled in a report which details the following:
- The vulnerabilities that were exploited
- All the sensitive data that was accessed
- The amount of time that the tester was able to stay in the system undetected.
The report is then studied to review all the vulnerabilities.
Penetration Testing Methods
Alright, so now we know about the different stages of the penetration test, let’s look at the different testing methods.
- External Testing: Targets the assets of the company that are visible on the internet, for example the company's website, the web application itself, email, and the domain name servers.
- Internal Testing: A tester with access to the application behind its firewall simulates the attack a malicious insider would carry out. This attacker could be a malicious employee, or an employee whose credentials were stolen through a phishing attack.
- Blind Testing: The tester is given only the name of the enterprise being targeted. This gives security personnel a real-time look at how an actual attack would unfold.
- Double Blind Testing: Here, the company's security staff also have no prior knowledge of when the tester's attack will take place. This simulates real-world conditions, in which an attacker will not warn the company of the attack beforehand.
- Targeted Testing: The tester and the company's security team work together, keeping each other informed of their movements. This is helpful because it gives the company real-time feedback from a potential hacker's point of view.
Different Kinds of Penetration Testing
Penetration testers need to do several tests and checks. Let's go through some of the common tests that pen testers run on blockchain-based companies.
#1 Consensus Algorithm Testing
One of the most important things that must be tested is the consensus algorithm as it is probably the most crucial part of the blockchain. The consensus algorithm must be checked to see if it is vulnerable to the 51% attack or not.
In a network like Bitcoin which uses Proof of Work, it is extremely expensive to launch the 51% attack. However, that is not the case with several of the new coins. Let’s look at the theoretical cost of a 51% attack on several networks that implement Proof of Work.
Image Credit: ICO Crowd
Remember one thing: the attack cost shown here does not include the block rewards the attacker receives for mining. In some cases these can be quite significant and reduce the attack cost by up to 80%.
#2 Keys and Wallets
One of the most important components of these projects is the security of the users' wallets, which rests on private keys and passwords. There are two tests that a tester needs to execute to make the wallets more secure:
- Checking Password Strength: The strength of the password is absolutely crucial, since an attacker needs it, along with the private key, to access the user's wallet. A straightforward brute-force and dictionary attack can be run to attempt to break the password. If the password is cracked easily, it is weak.
- Key Storage: Private key storage is extremely important and is at the heart of modern-day cryptography. There are multiple methods of storage. Many people use hot wallets and multi-signature wallets, but it is much preferable to use cold wallets such as hardware wallets; having said that, even those are not immune to hacks. Penetration tests make sure that keys are stored in as secure a manner as possible.
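The password-strength check above combines a dictionary lookup with a brute-force estimate. The following is an added example, not code from the original post or from BountyOne, of the kind of checker a wallet service could run at password-creation time. It assumes a constructed dictionary standing in for a real breached-password list, and an assumed offline guess rate of 10^10 guesses per second against a fast hash; the verdict thresholds (40 and 64 bits) are also assumptions.

```python
import math
import string

# Constructed stand-in for a real dictionary / breached-password list (assumption:
# a real check would load a file such as a leaked-password corpus).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "bitcoin", "wallet123",
}

# Assumed offline guessing rate against a fast, unsalted hash; real rates depend on
# the hash function and the attacker's hardware.
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound entropy, assuming the password was drawn uniformly from its charset."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def brute_force_seconds(password: str) -> float:
    """Worst-case time to enumerate the whole keyspace at the assumed guess rate."""
    return 2 ** entropy_bits(password) / GUESSES_PER_SECOND


def dictionary_hit(password: str) -> bool:
    """Dictionary check: exact match, or a dictionary word with trailing digits
    (a very common user pattern that dictionary attacks try first)."""
    lowered = password.lower()
    return lowered in COMMON_PASSWORDS or lowered.rstrip(string.digits) in COMMON_PASSWORDS


def assess_password(password: str) -> tuple:
    """Return (verdict, reason). Dictionary hits are weak regardless of their
    apparent entropy: a dictionary attack never searches the full keyspace."""
    if dictionary_hit(password):
        return "weak", "matches a dictionary entry (possibly with trailing digits)"
    bits = entropy_bits(password)
    seconds = brute_force_seconds(password)
    if bits < 40:
        return "weak", f"{bits:.0f} bits; keyspace searched in {seconds:.1e} s"
    if bits < 64:
        return "moderate", f"{bits:.0f} bits; keyspace searched in {seconds:.1e} s"
    return "strong", f"{bits:.0f} bits; keyspace searched in {seconds:.1e} s"


if __name__ == "__main__":
    for candidate in ["password", "Letmein2019", "hunter2x", "aX9#kQ2!pL7m"]:
        print(candidate, "->", assess_password(candidate))
```

Note that the entropy figure is an upper bound: it only holds for passwords chosen at random, which is why the dictionary check runs first and overrides it.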
#3 Synchronisation Testing
Since a blockchain network consists of peer-to-peer nodes, it is extremely important that they can synchronize with one another. Synchronization between nodes must therefore be tested to make sure the process is fast and efficient.
#4 Redundancy Testing
This test reveals any and all issues with redundancy around data sharing across nodes. Such tests reveal the impact of multiple nodes failing at the same time.
#5 Timejacking Attack
Whenever a node joins a network, it needs to keep track of time, and that time needs to be in sync with its peer nodes. It does so by keeping an internal clock that is set to the computed median clock time of all its peers. If this median time differs from the node's system time by a large amount, the internal clock readjusts and reverts to the system time.
So if a malicious node enters the network with an inaccurate timestamp, it has the ability to skew the network time counter. This can lead to problems such as double spending and wasted mining resources.
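The median-of-peers clock and its fallback to the system clock are easiest to see in a small simulation. The code below is an added example, not code from the original post or from any blockchain project: the 70-minute adjustment cap, the 5-sample minimum and the 2-hour future-block limit are taken from Bitcoin Core's real behaviour, but the surrounding model (the `peer_offsets` list, the `simulate` scenarios, the constructed timestamps) is a simplification written for this illustration.

```python
import statistics

# Cap on the network-time adjustment a node will accept (Bitcoin Core: 70 minutes).
MAX_ADJUSTMENT = 70 * 60
# Minimum number of peer samples before the median is trusted at all.
MIN_SAMPLES = 5
# Consensus rule: a block stamped more than 2 hours past adjusted time is rejected.
MAX_FUTURE_BLOCK_TIME = 2 * 60 * 60


def network_time_offset(peer_offsets, cap=MAX_ADJUSTMENT):
    """Offset to apply to the system clock, from peer-reported offsets (seconds).

    Returns (offset, warning). The median resists a minority of lying peers; the
    cap bounds the damage if a majority lies, in which case the node keeps its own
    system time and warns the operator. cap=None models a node without the cap."""
    if len(peer_offsets) < MIN_SAMPLES:
        return 0, None
    median = statistics.median(peer_offsets)
    if cap is None or abs(median) <= cap:
        return int(median), None
    return 0, f"median peer offset {int(median)}s exceeds {cap}s cap; check system clock"


def adjusted_time(system_time, peer_offsets, cap=MAX_ADJUSTMENT):
    offset, _ = network_time_offset(peer_offsets, cap)
    return system_time + offset


def block_timestamp_acceptable(block_time, system_time, peer_offsets,
                               median_time_past, cap=MAX_ADJUSTMENT):
    """Timestamp checks a node applies before accepting a block: the block must be
    later than the median of the previous 11 block times (median_time_past) and at
    most 2 hours ahead of the node's network-adjusted time."""
    now = adjusted_time(system_time, peer_offsets, cap)
    return median_time_past < block_time <= now + MAX_FUTURE_BLOCK_TIME


def simulate(system_time=1_700_000_000):
    """Constructed scenarios: honest peers with small clock drift, then peers that
    report a +2 h offset, first as a minority and then as a majority."""
    honest = [-3, 5, 2, -1, 4]
    skewed = [7200] * 6
    results = {
        "honest": network_time_offset(honest),
        "minority_skew": network_time_offset(honest + skewed[:4]),
        "majority_skew": network_time_offset(honest + skewed),
    }
    # A block stamped 2.5 h in the future: rejected by a capped node, but accepted
    # by an uncapped node whose clock the skewed majority has dragged forward.
    future_block = system_time + 150 * 60
    mtp = system_time - 600
    results["future_block_capped"] = block_timestamp_acceptable(
        future_block, system_time, honest + skewed, mtp)
    results["future_block_uncapped"] = block_timestamp_acceptable(
        future_block, system_time, honest + skewed, mtp, cap=None)
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The last two scenarios are the point of the test: without the cap, a skewed clock changes which blocks the node is willing to accept, which is exactly the lever behind the double-spend and wasted-mining outcomes described above. A synchronization test therefore checks both that the median is used and that the fallback to system time actually triggers.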
#6 Blockchain API Testing
The API is extremely important, since it lets users interact with the blockchain. Pen tests are done to make sure that the API endpoints are free of vulnerabilities.
#7 DDoS Attack
A DDoS, or Distributed Denial of Service, attack is one of the deadliest attacks out there. It involves sending a large number of similar requests to clog up the network and prevent it from carrying out any operations. Tests need to be done to make sure that applications can withstand DDoS attacks.
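One application-layer control that a DDoS test checks for is per-client rate limiting, so that a flood of similar requests from one source is shed before it consumes the service. The following is an added example, not code from the original post or from BountyOne: a token-bucket limiter with an injectable clock, replayed over a constructed request sample (TEST-NET addresses). The bucket size and refill rate are assumptions.

```python
import time
from collections import defaultdict


class TokenBucketLimiter:
    """Per-client token bucket: a client may burst up to `capacity` requests and is
    then held to `refill_per_second` sustained. `clock` is injectable so the
    behaviour can be replayed deterministically in tests."""

    def __init__(self, capacity, refill_per_second, clock=time.monotonic):
        self.capacity = capacity
        self.rate = refill_per_second
        self.clock = clock
        self.buckets = {}  # client_id -> (tokens, last_refill_time)

    def allow(self, client_id):
        now = self.clock()
        tokens, last = self.buckets.get(client_id, (self.capacity, now))
        # Refill proportionally to elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        if allowed:
            tokens -= 1
        self.buckets[client_id] = (tokens, now)
        return allowed


def replay_requests(requests, capacity=10, refill_per_second=1.0):
    """Run (timestamp, client_id) requests through a limiter and return
    {client_id: {"allowed": n, "blocked": n}} so the policy can be checked."""
    current = {"t": 0.0}
    limiter = TokenBucketLimiter(capacity, refill_per_second, clock=lambda: current["t"])
    counts = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for t, client in sorted(requests):
        current["t"] = t
        key = "allowed" if limiter.allow(client) else "blocked"
        counts[client][key] += 1
    return dict(counts)


# Constructed traffic sample: one client fires 25 requests within a quarter second,
# a normal client sends 3, and the flooder returns after a five-second pause.
SAMPLE_REQUESTS = (
    [(i * 0.01, "203.0.113.7") for i in range(25)]
    + [(0.05, "198.51.100.5"), (0.15, "198.51.100.5"), (0.20, "198.51.100.5")]
    + [(5.30, "203.0.113.7")]
)


if __name__ == "__main__":
    for client, outcome in replay_requests(SAMPLE_REQUESTS).items():
        print(client, outcome)
```

In the sample the flooder gets its first ten requests through, the next fifteen are blocked, the normal client is never affected, and the flooder's request after the pause is admitted again once the bucket has refilled. A limiter like this only addresses request floods at the application; volumetric attacks that saturate the link have to be absorbed upstream, which is why a DDoS test looks at both layers.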
Penetration Testing Case Study
An interesting case study has been presented by the isecurion blog. It shows the benefits of penetration testing, so let's take a look.
The subject in question was a cryptocurrency exchange based in India. The challenges for the testers were as follows:
- The client's key business goal was to provide its customers with a safe and secure trading platform.
- The client wanted assurance that the website and the mobile application were secure and contained appropriate security controls.
- The client offered crypto coins such as Bitcoin, Ethereum, Litecoin and Ripple for trading on its platform.
- The client's expectation was to go beyond a basic proof of concept for identified vulnerabilities: they wanted to know whether anyone could gain access to wallets containing cryptocurrency in order to steal from them.
- A combination of black-box and grey-box testing methodology was used to mimic all possible attack scenarios.
- Identified all entry points to the web and mobile platform.
- Performed different scenario-based attacks on the exchange.
- At the initial stage of testing, they found that the KYC process, in which a user uploads documents such as the user's social security details, was vulnerable to malicious file upload, and they were able to execute shell code on the server.
- While testing for SQL injection, they found that the User-Agent header was vulnerable to blind SQL injection, which gave complete access to the database.
- During the Android mobile application testing, they were able to bypass the login mechanism, access other users' wallets, and transfer the cryptocurrency to their own wallet.
- Complete user details, such as bank account number and IFSC code, were stored on the mobile device in clear text.
- The mobile application was vulnerable to two-factor authentication bypass.
- The users' cryptocurrency was stored in a hot wallet on the server, meaning that their private keys were stored on the server, so anyone who obtained the private keys could have stolen their coins.
- ISECURION minimized security risks by assessing the customer's application vulnerabilities and recommending solutions with proven methods to enhance security.
- The depth of coverage carried out by the team and the deliverables submitted helped the client not only to identify technical and process-related vulnerabilities but also to know how to fix them.
- Complied with all regulations and gained the ability to focus on just the high-risk events and take immediate action.
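The User-Agent finding in the case study is a reminder that any request header the server stores or queries is attacker-controlled input. The code below is an added example, not the exchange's code or the isecurion team's: it shows the vulnerable pattern (splicing the header into SQL text) next to the hardened pattern (a bound parameter), against a constructed in-memory SQLite table, plus a cheap logging heuristic for spotting tampered headers. Table and column names are assumptions.

```python
import sqlite3


def setup_db():
    """Constructed in-memory table of login sessions with a User-Agent per user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (id INTEGER PRIMARY KEY, user TEXT, user_agent TEXT)")
    conn.executemany(
        "INSERT INTO sessions (user, user_agent) VALUES (?, ?)",
        [("alice", "Mozilla/5.0 (constructed)"), ("bob", "ExchangeApp/1.2 (constructed)")],
    )
    return conn


def sessions_by_agent_vulnerable(conn, user_agent):
    """Vulnerable form: the header value is spliced into the SQL text, so a quote
    character in the header changes the structure of the query."""
    query = f"SELECT user FROM sessions WHERE user_agent = '{user_agent}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def sessions_by_agent_safe(conn, user_agent):
    """Hardened form: a bound parameter is always treated as data, never as SQL."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT user FROM sessions WHERE user_agent = ? ORDER BY id", (user_agent,)
        )
    ]


def header_looks_like_injection(header_value):
    """Heuristic for logging/alerting on suspicious header values. It is a detection
    aid only; parameterized queries are what actually prevent the injection."""
    markers = ("'", '"', "--", ";", "/*", " or ", "sleep(", "benchmark(")
    lowered = header_value.lower()
    return any(m in lowered for m in markers)


if __name__ == "__main__":
    conn = setup_db()
    normal = "Mozilla/5.0 (constructed)"
    tampered = "x' OR '1'='1"  # the classic tautology, as a constructed test input
    print("vulnerable, normal header :", sessions_by_agent_vulnerable(conn, normal))
    print("vulnerable, tampered header:", sessions_by_agent_vulnerable(conn, tampered))
    print("safe, tampered header      :", sessions_by_agent_safe(conn, tampered))
    print("flagged:", header_looks_like_injection(tampered), header_looks_like_injection(normal))
```

With the tampered header, the vulnerable query returns every session while the parameterized one returns none, because SQLite compares the whole string, quote and all, against the stored user agents. The same rule applies to the other findings in the list: uploaded file names, bank details and anything else that originates from the client should be handled as data, stored with the same care as the wallet keys, and never concatenated into a command.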
Vulnerability Assessment vs Penetration Testing
Before we go any further, it is important to know the difference between a vulnerability assessment and a penetration test. Let's do a comparative study.
Penetration Test Cost
According to Hacken, the average cost of a penetration test varies from $4,000 to $100,000. The reasons for the price are:
- You are hiring a specialist or a team of specialists to run tests on your project.
- You also receive recommendations with regard to the discovered vulnerabilities.
- Penetration tests must also be done regularly to ensure that all possible run-throughs are made and no new vulnerabilities surface. These repeated tests add to the price.
Instead of specialists, you can also get penetration tests done via software, which can cost from $1,000 to $2,000. While this is definitely a cheaper option, the checks aren't as thorough, and only a specialist can advise you on how to plug the holes in the system.
Even if you hire specialists, several factors determine the pricing of your tests:
- The degree of complexity in your system. The more complex your system, the more expensive penetration testing will be.
- The size of your network. The bigger the network, the more work is required of the testers.
- Whether any additional tools are required for the testing; these can bump up the price of the test. In fact, let's expand on these tools so you can have a better grasp of the pricing.
Here are the types of tools that you can use:
- Static tools that scan the code for known vulnerabilities.
- Dynamic tools that simulate crash tests on the system to find vulnerabilities at runtime.
- Interactive analysis tools that run an agent on a server or a built-in code library for easier detection of vulnerabilities.
These tools can generate a huge amount of data for the tester to process, so they should be customized to meet the needs of the company.
Advantages of Penetration Testing
As you can see, penetration testing has plenty of advantages. Let's go through some of them:
- Helps us determine what kinds of attack vectors could affect the application.
- Helps us discover the points of vulnerability.
- Identifies the large vulnerabilities that can arise from a combination of several low-risk vulnerabilities.
- Identifies the true impact of successful attacks on the business and general operations.
- Reveals how good the security of the system really is.
- Conversely, if the system is easily broken into, it shows the company that it needs to invest in better security measures.
- Because of the report produced after penetration testing, the company can make all the adjustments necessary to improve its operations and business.
BountyOne: The Penetration Test Experts
A pen test should always be performed by a certified specialist with a proven track record. As you can imagine, such specialists are hard to find, always in high demand, and expensive.
However, what if there were a platform that brought all these testers together and incentivized them economically to do the best job they possibly could? That is exactly what BountyOne is about.
Think of BountyOne as the "Uber" of penetration testers. Any tester can choose to work on any contract that is currently active on the platform. Each and every one of these testers is vetted extensively by us. They go through a detailed application process which makes sure that only the best testers get on our platform.
You can check out this infographic to learn how the entire process works. To sum it all up:
- The testers can decide which project they want to work on.
- All the work done by the testers is triple-checked by other members of the ecosystem.
- If the testers do not do a good job, their stake is slashed and they miss out on all their money.
So, why should you select BountyOne over other auditing/pen-testing platforms? Well, let's take a look:
- It is cheaper because we do not have full-time testers whom we must pay hundreds of thousands of dollars to keep. They have other Solidity development jobs and do this on the side, like an Uber driver.
- We pay them based on performance and not simply for saying they read the code. This is why the testers are economically incentivized to do the best work possible.
- The testers risk losing all their staked money if they do not do a good job or do not submit their work in time. This makes sure that there are no unnecessary delays.
- Also, the community (including other testers) can earn a significant amount of money by disproving the work that others have done.