PENETRATION TESTING
INTRODUCTION AND METHODOLOGY
Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access. If the focus is on computer resources, then examples of a successful penetration would be obtaining or subverting confidential documents, pricelists, databases and other protected information. Near flawless penetration testing is a requirement for high rated secure systems.
Penetration testing is a form of stress testing which exposes weaknesses. The main thing that separates a penetration tester from an attacker is permission. The penetration tester will have permission from the owner of the computing resources that are being tested and will be responsible to provide a report. The goal of a penetration test is to increase the security of the computing resources being tested. In many cases, a penetration tester will be given user-level access and in those cases, the goal would be to elevate the status of the account or user other means to gain access to additional information that a user of that level should not have access to. Some penetration testers are contracted to find one hole, but in many cases, they are expected to keep looking past the first hole so that additional vulnerabilities can be identified and fixed. It is important for the pen-tester to keep detailed notes about how the tests were done so that the results can be verified and so that any issues that were uncovered can be resolved. It ̳s important to understand that it is very unlikely that a pen-tester will find all the security issues. As an example, if a penetration test was done yesterday, the organization may pass the test.
PENETRATION TEST
Much of the confusion surrounding penetration testing stems from the fact it is a relatively recent and rapidly evolving field. Additionally, many organizations will have their own internal terminology (one man ̳s penetration test is another ̳s vulnerability audit or technical risk assessment).
At its simplest, a penetration-test (actually, we prefer the term security assessment) is the process of actively evaluating your information security measures. Note the emphasis on ―active assessment; the information systems will be tested to find any security issues, as opposed to a solely theoretical or paper-based audit. The results of the assessment will then be documented in a report, which should be presented at a debriefing session, where questions can be answered and corrective strategies can be freely discussed.
WHY CONDUCT A PENETRATION TEST?
From a business perspective, penetration testing helps safeguard your organization against failure, through:
- Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.
- Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organization losing business, receiving heavy fines, gathering bad PR or ultimately failing. At a personal level it can also mean the loss of your job, prosecution and sometimes even imprisonment.
- Protecting your brand by avoiding loss of consumer confidence and business reputation.
From an operational perspective, penetration testing helps shape information security strategy through Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.
Scope of Evaluation
There are several types of penetration tests that will, depending upon the circumstances, affect the scope of the evaluation, methodology adopted and assurance levels of the audit. The individual (appropriate IT management) responsible for safeguarding the organization should evaluate various alternatives, selecting that which provides the maximum level of assurance with the least disruption acceptable to the organization (cost/risk analysis). There should be agreement on the type of penetration testing to be carried out–intrusive or nonintrusive.
EXTERNAL PENETRATION ASSESSMENT TESTING AND VULNERABILITY
Internet
The purpose of Internet testing is to compromise the target network. The methodology needed to perform this test allows for a systematic checking for known vulnerabilities and pursuit of potential security risks. The methodology ordinarily employed includes the processes of:
- Information gathering (reconnaissance)
- Network enumeration
- Vulnerability analysis
- Exploitation
- Results analysis and reporting
Ordinarily followed and should provide a detailed and exact method of execution. In addition, the intricacies of new vulnerabilities and methods of exploitation require detailed study with a history of information to draw upon.
Dial-in: War dialing is the systematic calling of each number in the target range in search of listening modems. Once all listening modems are identified, brute force default password attempts or strategic guessing attempts are made on the username/password challenge (sometimes only passwords are necessary) to gain unauthorized access. Access to the login screen banner is crucial to accessing any system. Some systems require only a password, which can be a vendor-provided default password or just hitting enter. At times of poor configuration, even a login banner does not appear and access is granted directly devoid of any authentication mechanism.
INTERNAL PENETRATION TESTING
Goal:
The goal of internal penetration testing is to ascertain vulnerabilities inside the network perimeter. The testing performed closely parallels that which an internal IS auditor will be assigned to audit, given the size, complexity and financial resources devoted to risk associated with lack of security concerns. The overall objective is to identify potential vulnerabilities within the internal network
and weaknesses in controls in place to prevent and/or detect their exploitation by a hacker/malicious employee/contractor who may obtain unauthorized access to information resources or cause system disruption or a system outage.
The first phase relates to information gathering, which is comprised of public information search, googling, obtaining maximum information about business, employees, etc., thereby profiling the target. For instance this phase may result in obtaining resumes/CVs of employees which may be useful in understanding technologies employed at the attack site. The first testing goal is to ascertain the internal network topology or footprint that provides a map of the critical access paths/points and devices including their Internet protocol (IP) address ranges. This is the network discovery stage. Once critical points/devices are identified within the network, the next step is to attack those devices given the various types of known vulnerabilities within the system and operating software running on the devices (e.g., UNIX, NT, Apache, Netscape and IIS). This comprises the vulnerability analysis phase. Exploitation and notification is the third and final phase.
BENEFITS OF PENETRATION TESTING
- Identify any potential security vulnerabilities in an organization‘s current infrastructure and develop plans to mitigate these weaknesses.
- Determine the degree of exposure to external and internal attacks.
- Provide evidence that verifies the possibility of exploiting the vulnerabilities found.
- Determine the probability that an attacker could compromise the system with access to computers connected to your company’s network.
- Assess the defense systems such as Intrusion Detection System (IDS), firewall etc and check if they are working properly.
- Third-party audits meet government and industry compliance standards.
- Accurate and up-to-date vulnerability knowledge base.
- Comprehensive and easy to user report for management as well as technical team.
- Closing all window of opportunity for intruders.
