InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity February 2009

Tech Trend

Basics of Penetration Testing

Today, penetration testing is more or less a trend in the IT industry. As penetration testing is a key factor in safeguarding your organization's computer and network systems against malicious attacks, it is imperative for us to know about it. This article explains the general aspects of penetration testing with respect to ethical hacking.

Today penetration testing is an often confused term. Much of the confusion surrounding penetration testing stems from the fact that it is a relatively recent and rapidly evolving field. Additionally, many organizations have their own internal terminology; as a matter of fact, one man's penetration test is another's vulnerability audit or technical risk assessment.

At its simplest, a penetration test (also referred to as a security assessment) is the process of actively evaluating your information security measures. Note the emphasis on 'active' assessment: the information systems will be tested to find any security issues, as opposed to a solely theoretical or paper-based audit. The results of the assessment will then be documented in a report, which should be presented at a debriefing session, where questions can be answered and corrective strategies can be freely discussed.

The Term

Penetration testing is the security-oriented probing of a computer system or network to seek out vulnerabilities that an attacker could exploit. The testing process involves an exploration of all the security features of the system in question, followed by an attempt to breach security and penetrate the system. The tester, sometimes known as an ethical hacker, generally uses the same methods and tools as a real attacker. Afterwards, the penetration testers report on the vulnerabilities and suggest steps that should be taken to make the system more secure.

The Process

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if one is discovered. It is a component of a full security audit.

Black box vs. White box

Penetration tests can be conducted in several ways. The most common difference is the amount of knowledge of the implementation details of the system being tested that are available to the testers. Black box testing assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis. At the other end of the spectrum, white box testing provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code, and IP addressing information. There are also several variations in between, often known as gray box tests. Penetration tests may also be described as "full disclosure", "partial disclosure" or "blind" tests based on the amount of information provided to the testing party.

The relative merits of these approaches are debated. Black box testing simulates an attack from someone who is unfamiliar with the system. White box testing simulates what might happen during an "inside job" or after a "leak" of sensitive information, where the attacker has access to source code, network layouts, and possibly even some passwords.

The services offered by penetration testing firms span a similar range, from a simple scan of an organization's IP address space for open ports and identification banners to a full audit of source code for an application.

Underlying Principle

A penetration test should be carried out on any computer system that is to be deployed in a hostile environment, in particular any Internet facing site, before it is deployed. This provides a level of practical assurance that any malicious user will not be able to penetrate the system.

Black box penetration testing is useful in the cases where the tester assumes the role of an outside hacker and tries to intrude into the system without adequate knowledge of the system.

Why conduct a Penetration Test?

From a business perspective, penetration testing helps safeguard your organization against failure, through:

  • Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.

  • Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organization losing business, receiving heavy fines, gathering bad PR or ultimately failing. At a personal level it can also mean the loss of your job, prosecution and sometimes even imprisonment.

  • Protecting your brand by avoiding loss of consumer confidence and business reputation.

From an operational perspective, penetration testing helps shape information security strategy through:

  • Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.

What should be tested?

Ideally, your organization should already have conducted a risk assessment, and so will be aware of the main threats (such as communications failure, e-commerce failure, loss of confidential information etc.), and can now use a security assessment to identify any vulnerabilities that are related to these threats. If you haven't conducted a risk assessment, then it is common to start with the areas of greatest exposure, such as the public-facing systems: web sites, email gateways, remote access platforms etc.

Sometimes the ‘what’ of the process may be dictated by the standards that your organization is required to comply with. For example, a credit-card handling standard (like PCI) may require that all the components that store or process card-holder data are assessed.

Risks

Penetration testing can be an invaluable technique in any organization's information security program. Basic black box penetration testing is often done as a fully automated, inexpensive process. However, white box penetration testing is a labor-intensive activity and requires expertise to minimize the risk to targeted systems. At a minimum, it may slow the organization's network response time due to network scanning and vulnerability scanning. Furthermore, the possibility exists that systems may be damaged in the course of penetration testing and may be rendered inoperable, even though the organization benefits in knowing that the system could have been rendered inoperable by an intruder. Although this risk is mitigated by the use of experienced penetration testers, it can never be fully eliminated.

The Benefits

While a great deal of technical effort is applied during the testing and analysis, the real value of a penetration test is in the report and debriefing that you receive at the end. If they are not clear and easy to understand, then the whole exercise is of little worth.

Ideally the report and debriefing should be broken into sections that are specifically targeted at their intended audience. Executives need the business risks and possible solutions clearly described in layman's terms, managers need a broad overview of the situation without getting lost in detail, and technical personnel need a list of vulnerabilities to address, with recommended solutions.

Methodologies

The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.

The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. OSSTMM is also known for its Rules of Engagement, which define for both the tester and the client how the test needs to be properly run, from prohibiting false advertising by testers to how the client can expect to receive the report. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.

The National Institute of Standards and Technology (NIST) discusses penetration testing in SP800-115. NIST's methodology is less comprehensive than the OSSTMM; however, it is more likely to be accepted by regulatory agencies. For this reason NIST refers to the OSSTMM.

The Information Systems Security Assessment Framework (ISSAF) is a peer-reviewed, structured framework from the Open Information Systems Security Group that categorizes information system security assessment into various domains and details specific evaluation or testing criteria for each of these domains. It aims to provide field inputs on security assessment that reflect real-life scenarios. The ISSAF should primarily be used to fulfill an organization's security assessment requirements and may additionally be used as a reference for meeting other information security needs. It includes the crucial facet of security processes and their assessment and hardening, to get a complete picture of the vulnerabilities that might exist. The ISSAF, however, is still in its infancy.

Tips for Successful Penetration Testing

Defining the scope: The scope should be clearly defined, not only in the context of the components to be (or not to be) assessed and the constraints under which testing should be conducted, but also the business and technical objectives. For example, penetration testing may be focused purely on a single application on a single server, or may be more far-reaching, including all hosts attached to a particular network.
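The scope definition above, and the OSSTMM Rules of Engagement mentioned earlier, are only useful if the testing team actually enforces them before touching a host. The following is an added example (not code from the article or from any of the methodologies it names) of a small scope gate: the agreed networks, hostnames and exclusions are held in one place, and every candidate target is checked against them, with exclusions always taking precedence over inclusions. All addresses and hostnames below are constructed documentation values, and the `Scope` class, `in_scope` and `partition_targets` functions are this example's own names.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """Agreed engagement scope (constructed values; taken from the signed scope document in practice)."""
    networks: list = field(default_factory=list)   # CIDR blocks or single addresses that are in scope
    hosts: set = field(default_factory=set)        # hostnames in scope (e.g. a single web application)
    excluded: list = field(default_factory=list)   # addresses/blocks that must never be tested


def _parse_network(text):
    # Accept either a CIDR block or a single address; strict=False tolerates host bits being set.
    return ipaddress.ip_network(text, strict=False)


def in_scope(scope, target):
    """Return True only if the target is explicitly included and not covered by an exclusion."""
    # Strip an optional ":port" suffix from IPv4 or hostname targets (IPv6 literals, which
    # contain several colons, are passed through untouched).
    host = target.rsplit(":", 1)[0] if target.count(":") == 1 else target
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal, so treat it as a hostname and require an exact (case-insensitive) match.
        return host.lower() in {h.lower() for h in scope.hosts}
    # Exclusions win over inclusions: a carved-out host inside an in-scope block stays off limits.
    for net in scope.excluded:
        if addr in _parse_network(net):
            return False
    return any(addr in _parse_network(net) for net in scope.networks)


def partition_targets(scope, targets):
    """Split a candidate target list into (allowed, rejected) before any testing starts."""
    allowed, rejected = [], []
    for target in targets:
        (allowed if in_scope(scope, target) else rejected).append(target)
    return allowed, rejected


# Constructed sample scope: two in-scope blocks, one named web host, and two carve-outs
# (a production database address and the upper half of the first block).
SAMPLE_SCOPE = Scope(
    networks=["203.0.113.0/24", "198.51.100.8/30"],
    hosts={"www.example.com"},
    excluded=["203.0.113.5", "203.0.113.128/25"],
)

# Constructed candidate list, as a tester might assemble it from the client's asset inventory.
SAMPLE_TARGETS = [
    "203.0.113.10",       # inside the first block: allowed
    "203.0.113.5",        # explicitly excluded single address
    "203.0.113.200",      # inside the excluded upper half of the block
    "198.51.100.9:443",   # inside the /30 (covers .8 to .11), port suffix stripped: allowed
    "198.51.100.12",      # just outside the /30: rejected
    "www.example.com",    # named host in scope
    "mail.example.com",   # not listed: rejected
    "192.0.2.1",          # unrelated network: rejected
]

if __name__ == "__main__":
    ok, dropped = partition_targets(SAMPLE_SCOPE, SAMPLE_TARGETS)
    print("In scope:     ", ok)
    print("Out of scope: ", dropped)
```

Run as a pre-flight check, the script yields four allowed targets and four rejected ones for the sample data; anything in the rejected list is either renegotiated with the client and added to the signed scope, or left alone. Keeping the exclusion check ahead of the inclusion check is the important design point: a single excluded address inside an otherwise in-scope block is exactly the case that causes damage when it is missed.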

Choosing a security partner: Another critical step to ensure that your project is a success is in choosing which supplier to use.

As an absolute fundamental when choosing a security partner, first eliminate the supplier who provided the systems that will be tested. To use them will create a conflict of interest (will they really tell you that they deployed the systems insecurely, or will they quietly ignore some issues?).

Detailed below are some questions that you might want to ask your potential security partner:

  • Is security assessment their core business?

  • How long have they been providing security assessment services?

  • Do they offer a range of services that can be tailored to your specific needs?

  • Are they vendor independent (do they have NDAs with vendors that prevent them passing information to you)?

  • Do they perform their own research, or are they dependent on out-of-date information that is placed in the public domain by others?

  • What are their consultant’s credentials?

  • How experienced are the proposed testing team (how long have they been testing, and what is their background and age)?

  • Do they hold professional certifications, such as PCI, CISSP, CISA, and CHECK?

  • Are they recognized contributors within the security industry (white papers, advisories, public speakers etc)?

  • Are the CVs available for the team that will be working on your project?

  • How would the supplier approach the project?

  • Do they have a standardized methodology that meets and exceeds the common ones, such as OSSTMM, CHECK and OWASP?

  • Can you get access to a sample report to assess the output (is it something you could give to your executives; do they communicate the business issues in a non-technical manner)?

  • What is their policy on confidentiality?

  • Do they outsource or use contractors?

  • Are references available from satisfied customers in the same industry sector?

  • Is there a legal agreement that will protect you from negligence on behalf of the supplier?

  • Does the supplier maintain sufficient insurance cover to protect your organization?

Certification

The process of carrying out a penetration test can reveal sensitive information about an organization. It is for this reason that most security firms are at pains to show that they do not employ ex-black hat hackers and that all employees adhere to a strict ethical code. There are several professional and government certifications that indicate the firm's trustworthiness and conformance to industry best practice.

Three certifications have been produced by the International Council of E-Commerce Consultants (EC-Council). These include the Certified Ethical Hacker course, the Computer Hacking Forensics Investigator program, the Licensed Penetration Tester program and various other programs, which are widely available worldwide. These certifications have received endorsements from various American government agencies, including the US Federal Government via the Montgomery GI Bill, and the US Government National Security Agency (NSA) and the Committee on National Security Systems (CNSS) certifying the EC-Council Network Security Administrator (ENSA) program as meeting the 4011 training standard for information security professionals.

Government-backed testing also exists in the US with standards such as the NSA Infrastructure Evaluation Methodology (IEM). For web applications, the Open Web Application Security Project (OWASP) provides a framework of recommendations that can be used as a benchmark.

Standards Compliance

There are a number of good standards and guidelines in relation to information security in general, for penetration tests in particular, and for the storage of certain types of data. Any provider chosen should at least have a working knowledge of these standards and would ideally be exceeding their recommendations.

Notable organizations and standards include:

PCI: The Payment Card Industry (PCI) Data Security Requirements were established in December 2004, and apply to all Members, merchants, and service providers that store, process or transmit cardholder data. As well as a requirement to comply with this standard, there is a requirement to independently prove verification.

ISACA: ISACA was established in 1967 and has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS Auditing and IS Control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security and has grown to be globally recognized and adopted worldwide as a symbol of achievement.

CHECK: The CESG IT Health Check scheme was instigated to ensure that sensitive government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistently high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system. In the absence of other standards, CHECK has become the de-facto standard for penetration testing in the UK. This is mainly on account of its rigorous certification process. Whilst good, it only concentrates on infrastructure testing and not on applications. However, open source methodologies such as the following are providing viable and comprehensive alternatives, without UK Government association. It must also be noted that CHECK consultants are only required when the assessment is for HMG or related parties and meets the requirements above. If you want a CHECK test you will need to surrender your penetration testing results to CESG.

OSSTMM: The aim of The Open Source Security Testing Methodology Manual (OSSTMM) is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organization concerns, such as the corporate profile of the penetration-testing provider.

OWASP: The Open Web Application Security Project (OWASP) is an Open Source community project developing software tools and knowledge based documentation that helps people secure web applications and web services. It is an open source reference point for system architects, developers, vendors, consumers and security professionals involved in designing, developing, deploying and testing the security of web applications and Web Services.

The key areas of relevance are the forthcoming Guide to Testing Security of Web Applications and Web Services and the testing tools under the development projects. The Guide to Building Secure Web Applications not only covers design principles, but is also a useful document for setting out criteria by which to assess vendors and test systems.

By: R. Manoj. The author is an Assistant Editor at Fanatic Media, Bangalore.



© 2006-07 'InfoSecurity' magazine. All rights reserved.