Monday, May 16, 2011

Introduction to Penetration Testing For Non-Technicals

If you are a manager with a different background than IT or if you are a non-technical person wondering whether to conduct a penetration test for your organization, this article might be of help to you.

What's Penetration Testing?
In a penetration test (a. k. a. pentest) penetration testers (a. k. a. pentester) simulate an actual attack on the system being tested to assess the weaknesses of the system(s) and gives recommendations on fixing the vulnerabilities discovered.

Penetration Testing Vs. Ethical Hacking?
Ethical hacking is a buzz word that became popular in information security industry with the introduction of Certified Ethical Hacker exam by EC-Council. Although some argue that penetration testing and ethical hacking are two different things , it's quite hard to identify any difference between the two

Why Conduct a Penetration Test?
Penetration test identifies security vulnerabilities in systems and allows the organization to fix them before an attacker discovers them. By conducting a penetration testing managers show their proactiveness and willingness to safeguard organization assets against threats. It indicates that the managers practice due care and due diligence.

Standards such as PCI DSS mandate that penetration tests or vulnerability assessments are carried out annually. If your organization is planning to become PCI DDS-compliant then the penetration tests will become a must.

Vulnerability Assessment Vs. Penetration Testing
Many people use vulnerability assessment and penetration testing interchangeably, but vulnerability assessment (VA) and penetration testing (PT) are different from each other.. In vulnerability assessment, we identify the possible vulnerabilities.A PT goes a few steps beyond a VA. A PT validates the vulnerability - check if the vulnerability is real or if it's a false positive. Then pen-tester exploits the vulnerability and evaluate the impact of the vulnerability by performing the following tests:
  • Check what kind of privileges that an attacker can gain by exploiting the vulnerability
  • Check if he can gain more privileges
  • Test if this vulnerability can lead to more exploits - does it reveal systems that were previously hidden.
  • Check if sensitive and juicy information are available for attackers

How Does Penetration Testing Differ from System Audits
System audits for the most part are checklist-based. Auditors prepare a checklist based on the information security policies (E.g.: acceptable user policy, disaster recovery policy) or regulations or standards (such as ISO 27001). Checklists include simple questions such as when are backups taken?, are backups protected?, etc. The auditor might also look at certain configurations (technical level) on the systems being audited.

Systems audits are important for being complied with security policies, legislation and standards. However practically it's hard to find application level bugs or configuration errors that can lead to a system compromise through a system audit. Penetration tests are not alternatives to system audits, but they complement system audits and help organizations to protect systems from threats.

Simple Analogy
Lets say that you installed a new front door and a door lock for your house. You are very serious about the security of this door and the lock and decided to give the job to a systems auditor, a vulnerability analyst and a penetration tester.

System auditor might check the aspects such as "is the door lockable?", "is the door lock higher than grade X?", "Is there a door chain installed?". If he gets a certain number of "yes’es"; complied the checklist, he'll conclude that the door complied to the security policy(ies) and/or legislation(s) and/or standard(s).

A vulnerability analyst will check under the rug if you have kept a spare key hidden. He'll also check the make and type of the door lock and see if there any known flaws in this particular make. Lets say there's a known flaw in this particular make of the lock; that it can be opened with a simple hair pin,. he'll not try to open the lock, but will tell you the lock is vulnerable.

On the other hand a penetration tester will actually check if the lock can be opened with a hair pin. If the lock opens then he will check if he can bypass the door chain. If he can get into your house then he will keep on trying the locks inside your house up to the limit that you agreed up on before the pen-test (the scope). Finally he'll tell you that these are the flaws and how he got in and how bad the situation is

What Type of Penetration Test is Suitable for Me?
It depends on what type of information are you trying to protect and from whom. If your concern is external attackers attacking your internet-facing services, then do an external penetration test. If your concern is protecting internal assets from internal threats (such as employees, contractors, business partners, etc), then an internal penetration test is more suitable.

Other than internal versus external there's another categorization of penetration tests.
  • Black box: The penetration tester does not know any information about the system except what it is (typically IP address or a domain name is given). This tests the systems strength against typical outside hacker.
  • White box: Penetration tester has significant knowledge about the system. Typically source code of target applications, operating system versions, database versions are given to the penetration tester. These type of tests are typically carried out for testing applications.
  • Gray box: Pen-tester has partial knowledge about the system. Gay box test simulate an attack by someone with some knowledge about the system, such as an employee, business partners, etc.
Another classification of pen-tests are by the target system.
  • Network penetration test: simulates an attack on network, network resources and services.
  • Application penetration test: simulates an attack on a specific application. E.g: mobile applications, Application servers etc
  • Web Application penetration test: simulates and attack mounted on a web application.
Apart from the targets specified above penetration tests are carried out on various things including, but not limited to the following.
  • Physical security
  • People (social engineering)
  • Wireless networks, VoIP network, telephone systems
  • Embedded systems
  • Cloud environments
  • IPv6-specific implementations

Are Penetration Tests Safe?
There's always a risk of crashing the system when an exploit is run. Therefore it's always better to take backups of the systems that you are going to perform the pen-test on. If someone guarantees you that they can do a penetration test without any risk, then they must be doing a VA - not a pen-test.

If the penetration tester is experienced enough, he'll know which exploit can crash the system. You can discuss with the penetration testing team about the critical systems and how they should be handled. You can also enforce limitation on the scope (up to which extend the penetration tester should exploit).

Always make sure you sign and NDA with the party contracted to carry out any security testing for you and also to issue an authorization letter clearly scoping the assignment as a pre-requisite.

What Do I Get After the Pentest?
You'lll get a report with all the finding in the penetration test. Typically this report will include an executive summary and elaborated findings of the penetration test.

Special Thanks to: Rahal Jayawardene

1 comment:

  1. I have read your blog about "Introduction to Penetration Testing For Non-Technicals" really nice & helful. I will get back here again and again :)
    Application Testing


Please note that comments are moderated in order to stop comment spam. Comments with unwanted links (those who are trying to use blackhat SEO) are reported as spam.