Penetration Testing Toolkit for experts and newbies in Japan

Cyberattacks have accelerated during the pandemic as companies started deploying software and networks for remote working. Companies are re-evaluating their security strategies and recognising the importance of finding the weak points across their assets, systems, services, and products.

As a result, we have seen tremendous growth in investment in the cyber sector, which has generated flourishing business opportunities. This is especially so for the Penetration Testing (pentesting) market.

 

Great potential for growth in the Asia-Pacific region

Countries in the APAC region such as China, India, and Japan, among others, are expected to show significant growth prospects in the future due to high economic growth forecasts along with their huge online populations.

Our recent Tokyo Cyber Security Meet Up uncovered the world of pentesting by bringing together like-minded experts as well as tech enthusiasts who are keen on joining the community. Joining us were esteemed experts from CORE: Wayne Shaw, Founder and Managing Director, and Babak Esmaeili, Chief Technology Officer.

Moderated by Thomas Glucksmann and Gino Bautista, our discussion centered on how they ventured into this specialised field, as well as top tips for those who are thinking of breaking into this market.

If you missed the session, you can watch the full recording of it below.

 

What is pentesting?

There are two types of cybersecurity tests that are recommended when it comes to keeping your company off the radar of cyber attackers, namely red teaming and pentesting.

While red teaming only consists of emulating a main targeted attack and avoiding detection, pentesting tests the overall cyber readiness and defences of the targeted company. This is a crucial process for companies to test the status of their cyber defences against an attack by an external party.

Pentesting provides insight into a company's internal infrastructure and determines the goal of the attack. It identifies patterns that occur across applications and attempts to break the security system.

 

Why should you conduct a pentest?

It is known that a cyberattack can cause great losses to a company. A single attack can compromise confidential data, which can severely impact the trust and loyalty of your customers, resulting in a significant reputation loss. Pentesting helps prevent these costs from being incurred and stops potential compromises to the credibility of your company.

Our guest speakers stated that the process also gives you an overview of the risk levels that your company has, which in turn allows you to fix the vulnerability straight away. It can also identify problems you probably do not know about and assure that your company is fully compliant with regulations such as GDPR. Overall, this can help your organisation prioritise budgets and spending on security and gives your team a better idea of how to perform incident response.

Technology will continue to grow, and with the majority of the world's population being online, attacks will continue to thrive.

 

What is the situation like in Japan?

“Japan is in a quagmire of security readiness, that stems from a lot of basic things that are important to security”, shared Wayne.

Types of vulnerabilities and attacks prevalent include:

1. Advanced Persistent Threat (APT) attacks

These are very successful and will become more common in 2021, on a larger scale, due to their high success in 2020.

 

2. Attacks that target privileges

Babak shared that attacks that make changes to privileges, such as denial of service attacks and HTTP request smuggling attacks, will be prevalent in cyberspace. These occur more often in Japan than other types of attacks.

 

3. Social engineering attacks

Many APT attacks are carried out through social engineering: attackers infect the systems of employees, tunnel through the network undetected and affect privileges.

Attackers will make use of the system and turn it against the targeted company by re-engineering it for sinister purposes. This is difficult to detect, as no one would suspect a tool that they are comfortable using.

 

Other common threats include attacks on IoT systems, which affect infrastructure industries. Attacks on executive-level employees are also prominent given the weight of their decision making in signing off huge monetary transactions. It is deemed a highly effective attack, and this will continue to persist in 2021 and beyond.

 

What are some of the tools for a pentesting toolkit?

Pentesting is the first one in a four-step process:

  1. Planning the goals of attacks
  2. Discovering and gathering information
  3. Scanning at two stages, namely static port scanning and dynamic port scanning
  4. Reporting on the incident

During the session, we asked which tools newbies and experts can use to familiarise themselves with pentesting.

Babak shared a list of tools, his favourite being Sn1per, an advanced tool that can be downloaded for free on GitHub. Wayne's top tool, on the other hand, would be Bash Bunny.

For a comprehensive list of tools, you may access this tool catalogue by Babak, referenced from Kali Tools, most of which consist of open-source software.

 

What skills and qualifications do you need to become a pentester?

It is crucial to possess enough knowledge of one programming language, such as Python or C++. You will also need to read up on how the network works and discover how web applications interact through servers and clients.

Babak's top advice: "Start reading up on bug bounty reports to get new ideas of different types of attacks. Pentester Land is a recommended site for articles and resources. Try playing with vulnerable web applications and have a go at hacking into them. Create a lab for yourself to explore and upgrade your skills as this would help you in real-world scenarios."

Wayne’s top advice: “You must get your hands dirty to begin understanding how to hack. Sign up to a school or a training course to get comfortable with hacking. Before you can become a pentester, you need to train yourself to think on your toes as not everything will play out as you planned. Real-world experience training is the way for you to feel comfortable, and of course, learning how to write scripts.”

 

There is no right or wrong way to begin

Ultimately, there is no right or wrong method to start your journey, but being proactive and gaining the relevant knowledge and experience is key. If you do need more information, our consultants at Computer Futures Japan are ready to give you as much advice and guidance as you need.

Here at Computer Futures, we work with companies of all sizes, which means we have access to some of the most in-demand IT jobs. So, if you are looking to find a new opportunity within the sector, or are interested in looking at IT job salary benchmarks, we can help.

You can either use our job search or sign up for a job alert by registering your CV, so we can notify you whenever a role comes up that suits what you are looking for. You can also sign up for our upcoming webinars on our website here and be in touch with experts in the field.