This article highlights the benefits of penetration testing, from technical testing (both automated and custom) to the role an experienced security consultant plays in providing a higher level of security against inevitable attacks.
An enterprise IT environment can never be completely secure, but by taking prudent steps to minimize your vulnerabilities, you can greatly enhance your security posture. By having a confidential, independent assessment of your IT environment, you can provide a higher level of security against inevitable attacks and help prioritize your finite IT resources.
Security Risks in Today’s Interconnected World
Securing your corporate IT resources requires due diligence and determining the level of exposure of your IT assets is not a trivial exercise. It requires an iterative security methodology that includes vulnerability assessments combined with penetration testing. Penetration testing is a method of probing and identifying security vulnerabilities in your network and pinpointing where your IT environment can be exploited by a hacker. The threats can be both internal and external and security industry experts recommend performing both internal and external penetration tests.
While some portions of technical penetration testing can be automated, it is recommended that all tests be augmented with the empirical knowledge of security consultants. Consultants offer perspective on industry standards, coding practices, malware and attack trends, and a knowledge of current known vulnerabilities.
Man and Machine
As you evaluate how best to thwart attacks and secure your enterprise you will find many automated scanning tools available. A word of caution, the limitation of several of these tools is their inability to interpret data in terms of the relevance to an organization or more succinctly, learned context. By using the automated scans exclusively you are getting an incomplete or distorted view of your vulnerabilities.
For example, when a scanner finds a 13 or 16 digit number, how does it know what the relevance of that number is? It could be an ISSN number or it could be a credit card number. While credit card numbers do have some identifying characteristics that may be detectable in a programmatic fashion, there are many examples of numbers that cannot be. Account numbers, reference numbers, and ABA routing numbers are all indistinguishable from ordinary numbers to scanning programs. There are also many forms of information, such as personal data, which are even more confusing to automated systems. Security specialists can easily identify and decipher the importance of these types of data and use their industry knowledge to determine the true level of risk the detected vulnerabilities represent.
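To illustrate the point above, here is an added example (not from the original article) of the kind of programmatic check a scanner can apply: a 13-to-16-digit candidate is run through the Luhn mod-10 checksum that payment card numbers carry. The sample text and all numbers in it are constructed; note that an ordinary account number can pass the checksum by chance, so the scanner still cannot tell it from a card number without the surrounding context an analyst reads.

```python
import re

# Constructed sample of text a content scanner might sweep; none of these are real records.
SAMPLE_TEXT = """\
card on file 4111111111111111 exp 12/29
catalogue code 9780306406157
wire to acct 1234567812345670 routing 123456789
support ticket 1234567812345678
"""

# Any run of 13 to 16 digits not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)\d{13,16}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum used by payment card numbers: double every second
    digit from the right, subtract 9 if that exceeds 9, sum everything."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> list[tuple[str, str]]:
    """Tag each candidate the way an unaided scanner would, using only the
    digits themselves. Returns (number, verdict) pairs in document order."""
    verdicts = []
    for num in CANDIDATE.findall(text):
        if luhn_valid(num):
            verdicts.append((num, "possible card (Luhn passes)"))
        else:
            verdicts.append((num, "not a card (Luhn fails)"))
    return verdicts


if __name__ == "__main__":
    for num, verdict in classify(SAMPLE_TEXT):
        print(f"{num}: {verdict}")
```

The account number on the third line passes Luhn just like the card number on the first, so the checksum alone flags both; only the word "acct" next to it, which the scanner does not interpret, separates them.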
Logical Grouping
Another element of learned context is logical grouping. Most automated scans produce laundry lists of missing patches or vulnerable services, but fail to group them logically in a manner meaningful to your business. Organizations such as MITRE and many commercial companies provide default ratings for various vulnerabilities based on the overall level of danger represented; however, these ratings will not apply to every instance found. In some cases when choosing among several “critical” threats, learned context will dictate which threat has an obvious priority over others. Human common sense prevails in instances when a particular vulnerability is being more aggressively exploited or if the vulnerability resides on a mission critical system. A security specialist can make an appropriate judgment call and prioritize a vulnerability correctly.
Take for instance the OpenSSH vulnerability of 2008. This dangerous vulnerability meant that attackers could brute force their way into protected systems using a limited number of guesses. The risk was high. Assessing the OpenSSH vulnerability and making an informed decision in an automated fashion is difficult because of the small finite number of threat levels given to vulnerabilities. What should a business do if this vulnerability is listed among other “critical” vulnerabilities in an audit? Common sense would dictate that this vulnerability should be remediated ahead of others unless mitigating circumstances were found. In this instance, human intervention improves the decision making process. It allows real-time risk assessment of the possible damage, as well as the sensitivity of the assets involved.
Above and Beyond, the Extra Step
Security specialists are, among other things, highly trained differentiators capable of quickly assessing the validity of a tool’s results and consolidating the different reporting formats into a cohesive prioritized summary. In addition, in many instances, testing dictates that custom assessment tools be written on behalf of your business. This can be because of an in-house application or a network configuration that confuses an off-the-shelf tool. The flexibility to tailor your testing to your specific environment in an iterative fashion is the most compelling reason to bring in a security consultant armed with an array of specialized security assessment tools. Hackers have the advantage of human intervention, shouldn’t your security measures benefit from the same advantage?
360° View
Remember, knowledge is power and by emulating a hacker attack, your business will be more prepared to withstand attack. Security specialists can use the absolute best of breed open source and commercial tools to feed their analytical process. Their approach can be holistic; collecting data from different angles with specialized assessment tools, thus increasing the validity and depth of your test results.
A byproduct of using a variety of tools is a lot of different and incompatible reporting formats. In addition, there is also a good chance that more than a few of those results are false positives. An experienced security assessment team will never simply append reports together in some indecipherable manner for their client. They will take the time to eliminate the false positives, interpret the data, contextualize the results, and give you a prioritized actionable summary with step-by-step recommendations based on security best practices for your industry.
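The following is an added example, not part of the original article, of the consolidation and prioritization described in the Logical Grouping section and in the paragraph above: two constructed scanner reports in incompatible formats are normalized into one list, duplicates are collapsed, analyst-confirmed false positives are dropped, and the default severity is re-ranked using the learned context (mission-critical hosts, vulnerabilities known to be actively exploited) that a scanner does not have. Host addresses, CVE identifiers of the form CVE-0000-000N, and the context sets are all placeholders.

```python
import csv
import io
import json

# Constructed output of a hypothetical scanner A (JSON) and scanner B (CSV).
SCANNER_A_JSON = json.dumps([
    {"host": "10.0.0.5", "cve": "CVE-0000-0001", "severity": "critical", "title": "Weak SSH host keys"},
    {"host": "10.0.0.5", "cve": "CVE-0000-0002", "severity": "critical", "title": "Obsolete TLS version"},
    {"host": "10.0.0.9", "cve": "CVE-0000-0003", "severity": "high", "title": "Missing OS patch"},
])
SCANNER_B_CSV = """\
ip,id,risk,name
10.0.0.5,CVE-0000-0001,Critical,Weak SSH host keys
10.0.0.9,CVE-0000-0004,Medium,Service banner disclosure
"""

# Learned context supplied by the assessment team (placeholders), not by any tool.
MISSION_CRITICAL_HOSTS = {"10.0.0.5"}
ACTIVELY_EXPLOITED_CVES = {"CVE-0000-0001"}
CONFIRMED_FALSE_POSITIVES = {("10.0.0.9", "CVE-0000-0004")}

# Default rating scale, used as the starting point only.
BASE_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def normalize(a_json: str, b_csv: str) -> list[dict]:
    """Map both report formats onto one schema, keyed by (host, cve) so the
    same finding reported by both scanners appears once."""
    findings: dict[tuple[str, str], dict] = {}
    for f in json.loads(a_json):
        findings[(f["host"], f["cve"])] = {"host": f["host"], "cve": f["cve"],
                                           "severity": f["severity"].lower(), "title": f["title"]}
    for row in csv.DictReader(io.StringIO(b_csv)):
        findings.setdefault((row["ip"], row["id"]), {"host": row["ip"], "cve": row["id"],
                                                    "severity": row["risk"].lower(), "title": row["name"]})
    return list(findings.values())


def prioritize(findings: list[dict]) -> list[dict]:
    """Drop verified false positives and re-rank by default severity plus
    asset criticality and exploitation activity; highest score first."""
    ranked = []
    for f in findings:
        if (f["host"], f["cve"]) in CONFIRMED_FALSE_POSITIVES:
            continue
        score = BASE_SCORE[f["severity"]]
        score += 2 if f["host"] in MISSION_CRITICAL_HOSTS else 0
        score += 3 if f["cve"] in ACTIVELY_EXPLOITED_CVES else 0
        ranked.append({**f, "score": score})
    return sorted(ranked, key=lambda f: (-f["score"], f["host"], f["cve"]))
```

Two scanner "critical" findings on the same host end up with different scores once exploitation activity is applied, which is the judgment call the article says the default rating alone cannot make.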
Understanding your Enemy
Most tests operate on the assumption that the consultant will have zero knowledge of the target. This gives an “attacker's perspective” of the application and provides you with knowledge of how easily others can deduce weaknesses in your security posture.
In contrast, informed tests allow consultants to quickly assess what functionality is critical and test whether that functionality is available from non-administrative or unauthenticated accounts. The goal of this process is to discover and remediate threats as soon as possible, before attackers exploit them. By jumpstarting the learning curve, a security specialist can quickly determine whether appropriate access controls are in place. But in reality that is only Phase 1. A thorough security assessment should model possible threats and test the likelihood and risk of those potential threats.
Assessing your Risks
Threat Modeling begins by identifying the assets that exist in your computer environment using both soft and hard approaches. Soft approaches include tactics such as "Google hacking". Google hacking involves using the extensive index of search engines to find recorded names of hosts matching those you own. Other information such as application type and technology can often be inferred in this way without sending a single packet to your network. Hard approaches involve sending packets to the actual network in question. Unlike soft approaches, this tactic will be noticed by sensors if they are deployed, but far more information can be gleaned using a hard approach, such as server types, version numbers, entry points and tactical value, which makes being discovered worth the risk for hackers wanting to penetrate your network.
Know your Vulnerabilities
Reverse engineering the network or application involves breaking the target down into known areas of vulnerability using information from the reconnaissance phase. Penetration testers mimic the same approaches that an attacker would use but within the ethical boundaries of a responsible consultant. The most fertile areas for a hacker or penetration tester include unpatched servers, non-essential ports and unauthenticated access. For Web applications, vulnerable areas include cross-site scripting, SQL injection, buffer overflows, over-privileged processes and weak or custom encryption.
Once the hacker or penetration tester has identified your known areas of vulnerability the next step is to identify individual threats in the exposed areas. This step is often conducted using open source and commercial tools designed to reveal these flaws. Vulnerability scanners are effective in giving a broad sweep of network assets as well as determining points of entry susceptible to publicly known exploits. These tools generally work well against off-the-shelf software but not custom products. Penetration testers must have the ability to write custom code that will analyze these scenarios using common building blocks that lead to hacker entry vectors or adapt open source tools to the task. Web application scanners are used to map out entry points in traditionally written code. Newer code, e.g. Web 2.0 applications, can be a little more difficult to analyze using an off-the-shelf tool. Custom code and manual analysis are often far more effective at finding vulnerabilities in these newer applications.
Closing the Loop
The last and most important step in the assessment is the documentation and verification of threats found in the previous steps. The verification of threats eliminates false positives as well as discovers any mitigating circumstances involving the execution of the exploits. There are several ways to validate threats including deployment of exploits on live services. Not all businesses prefer this method as it does involve some level of risk when customers are using those services. Therefore some organizations prefer that live exploits are used only on staging servers. This allows a reasonable replication of the live environment without the risk of down time.
Penetration Test Suites
A full-service security consulting team will utilize the multi-step Open Source Security Testing Methodology (OSSTMM) to assess your security posture. Marrying the results of these tests with the consultants’ experience gives you a comprehensive view of your vulnerabilities. Below are examples of the types of assessments performed as part of a penetration test. This is meant to be representative. When you engage a security assessment team for an internal or external penetration test, they will tailor the test suite to your business and specific computing environment.
Network and Operating Systems: A network penetration test will look for exposures in network devices and operating systems. This test is a well-established process that covers small to large quantities of IP addresses. The goal of network penetration testing is to discover vulnerable and undocumented services, protocols, and authentication within the scope of your network. This test is good for mapping out undocumented network space as a precursor to deeper tests on particular services or as a follow up to previous engagements to verify remediation. This is particularly true of companies with disparate offices in multiple countries who don’t always communicate network changes or additions. Companies are particularly vulnerable after a merger or acquisition because two relatively unknown networks are expected to mesh and interoperate. It is common practice to evaluate a soon-to-be-acquired company’s network to gather information on the level of interoperability between the companies.
Wireless Security Audits: Wireless network security audits are similar to a network penetration test with a few notable differences. Security consultants must be on site to access the wireless network signal, with the main objective being to reach the internal network. Modern network defense deployments rarely harden assets inside firewalls as well as they do with respect to outside threats. This leaves the computers inside the firewall particularly susceptible to known vulnerabilities. Security specialists can often break simple encryption, such as WEP, on poorly configured wireless network access points. Armed with professional tools and programs, a consultant can usually break more advanced encryption within a short amount of time, simulating a hacker's potential access. In addition, security consultants can also help find rogue access points installed by careless or unwitting employees. Remember, even if you have sufficient protocols in place to encrypt your wireless signal, a single access point installed in an empty cubicle can allow attackers to access the internal network from a lobby or parking lot.
Web Applications: Due to the ever-evolving nature of Web applications, penetration tests for Web applications are not as well established as those for the network layer. Every day new attack vectors for hackers are opening as a result of architectural changes implemented when adding AJAX powered features and a new set of Web technologies known as Web 2.0. As a result, the landscape of corporate IT environments has changed significantly since the days of static, but more secure Web pages. Now, Web 2.0 and AJAX are the de facto development technologies used to create the latest, greatest, interactive Websites. And, to compound the problem, the rush to implement these new technologies has increased the amount of insecure code as well as improper defensive practices.
Even companies who employ vulnerability scanners may be at risk due to the difficulty of finding flaws in Web applications in an automated fashion. Web applications are often custom pieces of software or highly modified versions of open source software, and an experienced security consultant working in tandem with a vulnerability scanner designed to evaluate Web applications is your best defense.
Conclusion
Understanding your business to apply relevance to the data collected is the biggest differentiator that allows security consultants to create more highly targeted and rated tasks for remediation. Targeted remediation lists enable security resources to optimize their time addressing the top threats to their networks.
By: Tas Giakouminakis, Chief Technology Officer, Rapid7.