Republished with permission from WatchGuard Technologies, Inc.

WatchGuard LiveSecurity

Your First Penetration Test
by David Piscitello

Having an independent accounting firm perform a thorough audit of your organization’s financial records is customary; in fact, for a publicly held company, it’s required. In today’s connected society, it's equally important to conduct independent testing to assure that your organization's security policies adequately cover your assets (ahem) and are correctly implemented in your security systems. A penetration test or security audit provides an assessment of the vulnerabilities in your security. Moreover, a well-conducted penetration test, performed by a competent organization, will help you determine whether your operational practices, equipment, and policies are up to the task.

Why Invite an Outsider?

Anyone can scan your network perimeter and probe your services -- um, isn’t that one of the problems? So why pay an outsider to do it? Here's why: a penetration testing consultant or organization (the “auditor”) employs staff trained in anti-hacking, and provides comprehensive reports and recommendations to help you improve your security measures. They use a well-conceived test plan that can be repeated (a) to verify that corrective measures you take following an initial "base-line" report are properly implemented, and (b) to distinguish new vulnerabilities from deviations from the baseline that are legitimate policy changes.

Zero- or Partial Knowledge Penetration Tests

Many penetration testers believe a zero-knowledge attack—one where you begin with no information or assistance from the client—is best, because the tester will work under the same conditions as an attacker. However, you may also choose to provide information to, and work with, the penetration tester from the outset of the security auditing process. In such a partial knowledge test, you provide an auditor with the kinds of information a motivated attacker finds anyway, and hence, you save time and expense. You can also choose a partial knowledge test if there's a specific kind of attack you want to have the auditors focus on, or a specific target. The knowledge you provide the auditor may include policy and network topology documents, asset inventory, and valuation information. This information helps the auditor develop a sense of what your company imagines its assets to be, and how vulnerable you think you are. The auditor may want to speak with system and network administrators to learn about undocumented practices. A partial knowledge penetration test is helpful if you want to see and supervise the activities of the testing organization. This should not be an issue of trust: you’d typically choose this alternative if you were interested in acquiring knowledge and art in security auditing practices.

Contractual Matters

Many aspects of a penetration test are unobtrusive, but some are not. Some may cause damage to your equipment or data, and some -- for example, a simulated Denial of Service attack -- may disrupt Internet connectivity. Some aspects are outright illegal: for example, an attempt to bypass physical security or pick a door lock; or the automated dialing of blocks of telephone numbers in search of auto-answering modems (wardialing, outlawed in some states). Be prepared to sign an agreement with the party who performs your penetration test that they be held harmless and not held (criminally) liable for unintentional interruptions and loss or damage to data and equipment. (Consult your lawyers before signing such a release, realizing that this step -- though necessary -- will delay and complicate the actual testing.)

It’s a good idea to archive system configurations and sensitive information before you schedule a penetration test. Good auditors will recommend you also archive critical assets prior to a penetration test, if they conclude that part of the testing you request might place such assets in jeopardy.

What to Expect

Penetration testing services vary, so before you begin an audit, ask the auditor for a document that explains the entire process, step by step. Zero knowledge penetration tests generally begin with information gathering. Based on the information gathered through your Web sites and mail servers, public records and databases (Address and Name Registrars, DNS, Whois, EDGAR), and perhaps from social engineering (seemingly innocent extraction of information from your employees), the tester will attempt to map your network, using tools such as ping, traceroute, nmap and other address and port scanning tools.

If you want the test to simulate real world attacks and also want to minimize responses to false alarms and panic across your organization, testers can work in stealth mode, mapping your network and enumerating services, shared file systems, and operating systems nearly unobtrusively. Wardialing, if legal within your state and within the scope of the project, can also be performed this way. To avoid any legal difficulties, provide the tester with the phone number range you wish to have scanned for listening modems.

Trojans (e.g., BackOrifice, pcAnywhere, NetBus). Testers will also try to identify application vulnerabilities -- easily compromised CGIs, Web forms and scripts.

A competent security auditing organization will provide a detailed description of the entire testing process. All information gathered during the testing should be turned in to you, including:

  • the detailed results of the testing performed,

  • what the results indicate, and

  • recommendations on the kinds of remedies you should implement.

For example, if a port scan reveals that you are permitting inbound access to systems or services your security policy explicitly prohibits, the report will recommend you modify your Firebox configuration to block these ports. The report(s) might also enumerate operating systems that require security patches, hot fixes and configuration changes to achieve the best possible server security. It may also identify weak or compromised user accounts and credentials.

If you use the security auditing service periodically, ongoing reports should identify changes from past testing, and should call particular attention to vulnerabilities that have been introduced to equipment previously considered more secure.
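As an added illustration (not code from the article or from WatchGuard), here is the reconciliation step behind a repeatable test plan and the follow-up reports described above: the ports a repeated scan finds open are compared against the written policy and against the baseline, so the report can separate new exposures from legitimate policy changes and confirm which earlier findings were fixed. Host names, ports and the policy are constructed sample data.

```python
# Constructed sample data, not from the article; host names are placeholders.
POLICY = {          # inbound TCP ports the written security policy permits
    "web-01": {80, 443},
    "mail-01": {25, 443},   # 443 newly permitted since the baseline (webmail)
    "file-01": set(),       # no inbound access from the Internet at all
}
BASELINE = {        # ports found open during the initial "base-line" test
    "web-01": {80, 443},
    "mail-01": {25, 110},
    "file-01": {139},
}
FOLLOW_UP = {       # ports found open during the repeated test
    "web-01": {80, 443, 8080},
    "mail-01": {25, 443},
    "file-01": {139, 445},
}

def compare_scans(policy, baseline, follow_up):
    """Reconcile a repeated port scan against the policy and the baseline.

    Per host, returns sorted lists of ports in four buckets:
      prohibited      open now but not permitted by policy (block at the firewall)
      new_exposures   open now, closed at baseline, not permitted (new vulnerability)
      policy_changes  open now, closed at baseline, but permitted (legitimate change)
      fixed           prohibited at baseline and closed now (corrective measure verified)
    """
    report = {}
    for host in sorted(set(policy) | set(baseline) | set(follow_up)):
        allowed = policy.get(host, set())
        before = baseline.get(host, set())
        now = follow_up.get(host, set())
        report[host] = {
            "prohibited": sorted(now - allowed),
            "new_exposures": sorted((now - before) - allowed),
            "policy_changes": sorted((now - before) & allowed),
            "fixed": sorted((before - allowed) - now),
        }
    return report

def recommendations(report):
    """Turn the prohibited bucket into the remedy lines a report would carry."""
    lines = []
    for host, buckets in report.items():
        for port in buckets["prohibited"]:
            lines.append(f"{host}: block inbound TCP/{port} at the firewall; "
                         f"policy does not permit it")
    return lines

if __name__ == "__main__":
    rep = compare_scans(POLICY, BASELINE, FOLLOW_UP)
    for host, buckets in rep.items():
        print(host, buckets)
    print("\n".join(recommendations(rep)))
```

With this data, web-01's port 8080 and file-01's 139 and 445 are flagged as prohibited, mail-01's 443 is recognised as a policy change rather than a finding, and the closure of mail-01's 110 is recorded as a verified fix.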

Choose Carefully for Maximum Benefits

There are many competent security auditing companies willing and able to perform penetration tests for you. You can find some of the most competent testers in some of the smaller companies. Investigate carefully. You have a right to inquire about the backgrounds of the company’s employees. I strongly recommend you decline authorizing penetration tests by anyone with a prior criminal record. Choose the company that will take time up front to describe the testing process thoroughly, in plain-speak, until you are comfortable. When budgeting, factor in the cost and effort of following through with the recommendations the auditor makes.

Remember, security is an ongoing process. Penetration testing provides you with a snapshot of your security well-being. It’s like an X-ray of your teeth, which reveals information about dental problems you have at the moment the X-ray was taken. The dentist can repair what the X-ray shows him, but he can’t anticipate future problems. Your network will evolve; new vulnerabilities will be identified and possibly exploited. In spite of the most diligent efforts by a penetration tester, and even if you implement all the security measures identified by the tester, you could be hacked minutes or months after the "fix." A penetration test is not a magic bullet. But it indicates whether you've got everything buttoned down tightly, or whether your network is low-hanging fruit for attackers. Either way, you're better off finding out under controlled circumstances.