How penetration testing has moved on and why it is such an important part of Internet security – by network security firm IDsec, exhibitors at Infosec 2005 in April.
A lot of people think they know what penetration testing is, or more specifically, what it involves. However, many of them have only a loose understanding of what a penetration test has to cover to be truly effective. It needs to cover every aspect of a company’s network and Internet exposure and, most importantly, help the company put in place the strategies and processes that stop attacks succeeding in the future.
A quick primer
Penetration testing is all about making sure that the various ‘back doors’ into a company are as secure as possible and this can cover a variety of aspects. For example, IDsec provides penetration testing for: Internet gateways, Web applications, internal networks and dial-up modems (‘war dialling’). As this demonstrates, penetration testing can be fairly broad and typical activities might include: attempting to ‘hack’ into the network via the Internet gateway, testing Web applications for vulnerable areas, carrying out audits of internal networks and checking dial-up modems, which can be one of the most risk-prone elements of all.
Why bother?
The obvious question is: why is penetration testing needed in the first place? After all, surely most companies have a firewall and therefore, are reasonably well protected? The fact is that any system connected to the Internet is at risk to a greater or lesser extent. The cost of having a system compromised can range from simple inconvenience, through embarrassment and bad publicity, to real financial loss.
Also, any network’s infrastructure or set-up changes over time, whether regularly or intermittently, and each change may affect the company’s security. The impact may well be noticed at the time, but it is easy for individual details to get lost in the whole picture. Penetration testing is, in essence, a kind of audit: companies carry out financial audits to ensure that everything is being managed correctly and to minimise exposure to risk, so why not apply the same principle to security?
The risk of not carrying out penetration testing will vary from company to company. For example, a company that offers a range of services via the Internet, hosted on a Web server and permanently connected is at more risk than a company not offering any services and using occasional access only. Well-known companies are typically more likely to be targeted. Then there are internal issues, such as the overall architectural structure and operational competence. Companies also need to calculate the value of the risk: in some cases, it will not be the end of the world if security is compromised. However, for companies holding sensitive information on a live server, faced with a particular malicious attack, the consequences of attack can be dire.
It should be pointed out that regular testing alone cannot guarantee that a system will never be successfully attacked, but it is an important part of the process of ensuring business continuity. Penetration testing should be viewed as an integral part of a company’s overall security strategy, often enabling them to understand areas of vulnerability that, if not dealt with, may lead to problems in the future.
Different approaches: ex-hacker versus consultants
There are two main approaches: using ex-hackers to attack the network, and employing security consultants to devise broader penetration testing procedures. Both have their merits, but how do they differ?
A lot of publicity has been given to the ‘reformed hacker’ approach. The idea is to use someone who has a background in breaking into other people’s networks, either for fun or for profit: in other words, the ‘poacher turned gamekeeper’. This has a lot of attractions, not least of which is the fact that ex-hackers are often a cheap option. They are also likely to use the latest techniques, because the ‘bad guys’ tend to know about the loopholes before the security industry itself.
However, this approach does have its limitations, because it tends to concentrate on finding one way into the target system and then exploiting this entry point. This does not consider security in the broader sense and nor does it take a methodical approach to all the possible vulnerabilities that might exist. Reformed hackers can be classified as the ‘depth’ approach, whereas consultants usually embrace ‘breadth’ as well as ‘depth’.
To put this into context, take the everyday analogy of house burglaries, where the hacker is the equivalent of the reformed house-burglar and the consultant equates to the security specialist from the local police station. If a homeowner employed an ex-burglar to test his house’s vulnerability, the burglar would spot that the bathroom window is open, climb up the drainpipe, get in through the window and tell the homeowner that he was able to open the front door and take away the TV, the PC, the jewellery in the dressing table and the cash in the teapot. This ‘depth’ approach finds one area of vulnerability and puts considerable effort into exploiting the opportunity.
The police’s security specialist, however, would note the open bathroom window and the proximity of the drainpipe, but would then move on to other possibilities, such as checking whether there is a key under the flowerpot, whether the ladder in the garage is chained up and whether the security light comes on if a thief enters via the neighbour’s drive and under the hedge. In summary, there is some benefit in using ethical hackers, but they should be viewed as part of an overall penetration testing project, not a solution in themselves.
A security consultancy will carry out a much more structured audit than a ‘reformed hacker’, using methods that have been developed over years and ultimately, have their origins in banking practices and government security procedures. The audit approach not only gives more breadth to penetration testing, it will also provide the results in a form that can be more easily handled by corporate IT and security managers. By taking a broader view, the audit approach may have more lasting value, in that some of the wider findings may remain valid, even if technical changes are made to the individual platforms.
Selection criteria
As might be expected, a full audit is likely to cost considerably more than using an ethical hacker, largely because more work is involved. However, it does pay to ‘shop around’. For example, some large security consultancies may send their top people to the pitch, but the actual work will be carried out by raw graduates.
When selecting a security consultancy to carry out penetration testing, it is important to apply the following selection criteria:
What is the consultancy’s track record and can it provide third party references?
Is it vendor-independent?
Does it use appropriate staff for each testing assignment – what expertise do they have?
Is its approach flexible enough to match the company’s requirements?
How much is it charging for the service?
The scope of penetration testing
It is vital to define the scope of the penetration testing project from the outset, and this can present quite a challenge, both to the client company and to the security consultancy. On the one hand, it is a good idea to look at the business as a whole. In other words, rather than just focusing on the corporate firewall, testing should cover internal networks and unauthorised modems sitting on users’ desks, as well as wireless networks. IDsec would always recommend thorough, broad testing, wherever appropriate.
However, it is futile spending money on penetration testing unless it brings real benefits to the business. For a start, there is little point in anyone commissioning penetration testing unless they are subsequently able to push through the recommendations that come out of it. This may sound like common sense, but IDsec has worked with companies where the distance between the security policy people and the operations staff was so wide that no action at all was taken following the results of penetration testing. Someone within the organisation has to be given specific responsibility for keeping the system in good condition in the future.
Similarly, timing can be all important: there is no point testing a system too early in the development cycle, as the results may become out-of-date almost immediately. If the testing is left too late, it may be that commercial imperatives – such as launch dates – mean that there are no opportunities to fix problems. Once again, this is a situation IDsec has encountered on a number of occasions.
Problems can also occur when the scope of the work is not clearly defined from the very beginning of the project, or if the system being tested does not work properly in the first place, meaning that the tester cannot achieve consistent results.
Automated versus manual testing
A common complaint levelled at penetration testers is "they just ran some tools, printed out the results, gave them to me and left". Automated testing does have its place – indeed, testing would not be possible without some tools – but it is only part of the whole exercise. For example, after running a tool, it is important to check for false positives, in other words, vulnerabilities that the software has reported but which do not really exist; a typical case is a tool that flags a service purely because its version banner matches a known-vulnerable release, when the fix has in fact been applied without changing the banner. Eliminating false positives requires a combination of experience, knowledge and common sense and therefore has to be done manually. The same principle applies to false negatives, where the tool has failed to pick up a real weakness.
Companies also want detailed reports, focusing more on clear recommendations for problem-solving, rather than a long list of vulnerabilities. Again, this has to be produced manually. A key point here is that when a tool gives a long list of security holes, the number of actual fixes needed may be much smaller: one service pack or firewall rule change can often eliminate a whole raft of vulnerabilities.
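The two manual steps described above, separating findings that need hand verification from the rest and collapsing a long finding list into the short list of fixes, can be made routine with a small triage script. The following is an added example and not IDsec’s own tooling; the scanner export format, the CSV columns, the hosts, the findings and the client’s list of intentionally exposed services are all constructed for the illustration. The rule that a version-matched (“banner”) finding goes on the verify-by-hand list reflects the fact that vendor-patched builds often keep the old version string.

```python
"""Triage of automated scanner findings (added example, not IDsec's
tooling): flag findings that need manual verification and collapse
the finding list into the much shorter list of fixes."""
import csv
import io
from collections import defaultdict

# Constructed scanner export in a simple CSV shape; this is not the
# output of any real tool. evidence = "banner" when the tool inferred
# the issue from a version string alone, "probe" when it actually
# exercised the weakness.
SAMPLE_SCAN = """\
host,port,service,finding,severity,evidence
192.0.2.5,80,apache/1.3.26,Apache 1.3 remote overflow (version match),high,banner
192.0.2.5,80,apache/1.3.26,Apache 1.3 denial of service (version match),medium,banner
192.0.2.5,80,apache/1.3.26,HTTP TRACE method enabled,low,probe
192.0.2.5,443,apache/1.3.26,SSLv2 supported,medium,probe
192.0.2.5,8080,tomcat,Manager interface without authentication,high,probe
192.0.2.7,139,netbios-ssn,NetBIOS null session allowed,medium,probe
192.0.2.7,445,microsoft-ds,SMB null session allowed,medium,probe
192.0.2.7,445,microsoft-ds,SMB signing not required,low,probe
192.0.2.9,23,telnet,Telnet service exposed,medium,probe
"""

# Constructed scope statement: the only services the client intends to
# expose to the Internet. Anything else the scanner reached is a
# firewall problem, whatever the individual finding says.
INTENDED_EXPOSURE = {("192.0.2.5", 80), ("192.0.2.5", 443)}


def parse_findings(text):
    """Parse the CSV export into a list of dicts with an integer port."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["port"] = int(row["port"])
    return rows


def needs_manual_verification(finding):
    """Version-matched findings are the usual false-positive source: a
    vendor-patched build often keeps the old version string, so the
    tester must confirm the patch level or the behaviour by hand."""
    return finding["evidence"] == "banner"


def remediation_for(finding, intended=INTENDED_EXPOSURE):
    """Map one finding to the single change that removes it."""
    host, port = finding["host"], finding["port"]
    exposed_hosts = {h for h, _ in intended}
    if host not in exposed_hosts:
        return f"firewall: block all Internet access to {host}"
    if (host, port) not in intended:
        return f"firewall: block {host}:{port} from the Internet"
    if finding["evidence"] == "banner":
        return f"patch: upgrade {finding['service']} on {host}"
    return f"config: {finding['finding']} on {host}:{port}"


def triage(text, intended=INTENDED_EXPOSURE):
    """Return (fixes, to_verify): fixes maps each remediation to the
    findings it closes; to_verify lists findings to confirm by hand."""
    findings = parse_findings(text)
    fixes = defaultdict(list)
    for f in findings:
        fixes[remediation_for(f, intended)].append(f["finding"])
    to_verify = [f["finding"] for f in findings if needs_manual_verification(f)]
    return dict(fixes), to_verify


if __name__ == "__main__":
    fixes, to_verify = triage(SAMPLE_SCAN)
    print(f"{sum(len(v) for v in fixes.values())} findings -> {len(fixes)} fixes")
    for fix, closed in fixes.items():
        print(f"  {fix}  (closes {len(closed)} finding(s))")
    print("confirm by hand before reporting:", to_verify)
```

On the constructed sample, nine scanner findings collapse to six fixes, three of them closed by a single firewall change for a host that should never have been reachable, and the two version-matched Apache findings are held back for manual confirmation rather than reported as fact. The scope list does most of the work: without a statement of what is meant to be exposed, the script could only echo the scanner.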
Of course, automated testing is much cheaper than manual testing and is therefore an attractive prospect for many companies. A realistic balance is to commission a full penetration test when a new site is being set up, or when major changes are being made. On an on-going basis, companies can then run automated vulnerability scanning in the background, focused on the key systems that are most exposed, accepting that this picks up known issues on known systems rather than replacing the full test.
Penetration testing
Since 1997, IDsec has carried out dozens of penetration tests for a range of companies. Work includes testing at the network level, application testing, internal network audits and modem scanning (‘war dialling’).