Your First Penetration Test
by David
Piscitello
Having an independent accounting firm perform a thorough audit of your organization’s
financial records is customary; in fact, for a publicly held company, it’s required. In
today’s connected society, it's equally important to conduct independent testing to assure
that your organization's security policies adequately cover your assets (ahem) and are
correctly implemented in your security systems. A penetration test or security audit
provides an assessment of the vulnerabilities in your security. Moreover, a
well-conducted penetration test, performed by a competent organization, will help you determine
whether your operational practices, equipment, and policies are up to the task.
Why Invite an Outsider?
Anyone can scan your network perimeter and probe your services -- um, isn’t that one of the
problems? So why pay an outsider to do it? Here's why: a penetration testing consultant or
organization (the “auditor”) employs staff trained in anti-hacking, and provides comprehensive
reports and recommendations to help you improve your security measures. They use a well-conceived
test plan that can be repeated (a) to verify that corrective measures you take following an
initial "base-line" report are properly implemented, and (b) to distinguish between new
vulnerabilities versus deviations from the baseline that are legitimate policy changes.
Zero- or Partial Knowledge Penetration Tests
Many penetration testers believe a zero-knowledge attack—one where you begin with no
information or assistance from the client—is best, because the tester will work under
the same conditions as an attacker. However, you may also choose to provide information
to, and work with, the penetration tester from the outset of the security auditing
process. In such a partial knowledge test, you provide an auditor with the kinds of
information a motivated attacker finds anyway, and hence, you save time and expense.
You can also choose a partial knowledge test if there's a specific kind of attack you
want to have the auditors focus on, or a specific target. The knowledge you provide
the auditor may include policy and network topology documents, asset inventory, and
valuation information. This information helps the auditor develop a sense of what
your company imagines its assets to be, and how vulnerable you think you are. The
auditor may want to speak with system and network administrators to learn about
undocumented practices. A partial knowledge penetration test is helpful if you
want to see and supervise the activities of the testing organization. This should
not be an issue of trust: you’d typically choose this alternative if you were
interested in acquiring knowledge and art in security auditing practices.
Contractual Matters
Many aspects of a penetration test are unobtrusive, but some are not. Some may cause
damage to your equipment or data, and some -- for example, a simulated Denial of Service
attack -- may disrupt Internet connectivity. Some aspects are outright illegal: for example,
an attempt to bypass physical security or pick a door lock; or the automated dialing of
blocks of telephone numbers in search of auto-answering modems (wardialing, outlawed in
some states). Be prepared to sign an agreement with the party who performs your penetration
test that he or they be held harmless and not (criminally) liable for unintentional
interruptions and loss or damage to data and equipment. (Consult your lawyers before signing such a
release, realizing that this step -- though necessary -- will delay and complicate the
actual testing).
It’s a good idea to archive system configurations and sensitive information before
you schedule a penetration test. Good auditors will recommend you also archive critical
assets prior to a penetration test, if they conclude that part of the testing you request
might place such assets in jeopardy.
What to Expect
Penetration testing services vary, so before you begin an audit, ask the auditor for a
document that explains the entire process, step by step. Zero knowledge penetration tests generally
begin with information gathering.
Based on the information gathered through your Web sites and mail servers, public records and
databases (Address and Name Registrars, DNS, Whois, EDGAR), and perhaps from
social engineering
(seemingly innocent extraction of information from your employees), the tester will attempt to
map your network, using tools such as ping,
traceroute,
nmap and other address
and port scanning tools.
If you want the test to simulate real world attacks and also want to minimize responses to false
alarms and panic across your organization, testers can work in stealth mode, mapping your network
and enumerating services, shared file systems, and operating systems nearly unobtrusively.
Wardialing, if legal within your state and within the scope of the project, can also be performed
this way. To avoid any legal difficulties, provide the tester with the phone number range you wish
to have scanned for listening modems.
Trojans
(e.g., BackOrifice, pcAnywhere, NetBus). Testers will also try to identify application
vulnerabilities -- easily compromised CGIs, Web forms and scripts.
Deliverables
A competent security auditing organization will provide a detailed description of
the entire testing process. All information gathered during the testing should be turned
in to you, including:
For example, if a port scan reveals that you are permitting inbound access to systems
or services your security policy explicitly prohibits, the report will recommend you
modify your Firebox configuration to block these ports. The report(s) might also
enumerate operating systems that require security patches, hot fixes and configuration
changes to achieve the best possible server security. It may also identify weak or
compromised user accounts and credentials.
If you use the security auditing service periodically, ongoing reports should identify changes from past testing, and should call particular attention to vulnerabilities that have been introduced to equipment previously considered more secure.
Choose Carefully for Maximum Benefits
There are many competent security auditing companies willing and able to perform penetration tests for you. You can find some of the most competent testers in some of the smaller companies. Investigate carefully. You have a right to inquire about the backgrounds of the company’s employees. I strongly recommend you decline authorizing penetration tests by anyone with a prior criminal record. Choose the company that will take time up front to describe the testing process thoroughly, in plain-speak, until you are comfortable. When budgeting, factor in the cost and effort of following through with the recommendations the auditor makes.
Remember, security is an ongoing process. Penetration testing provides you with a snapshot of your security well-being. It’s like an X-ray of your teeth, which reveals information about dental problems you have at the moment the X-ray was taken. The dentist can repair what the X-ray shows him, but he can’t anticipate future problems. Your network will evolve; new vulnerabilities will be identified and possibly exploited. In spite of the most diligent efforts by a penetration tester, and even if you implement all the security measures identified by the tester, you could be hacked minutes or months after the "fix." A penetration test is not a magic bullet. But it indicates whether you've got everything buttoned down tightly, or whether your network is low-hanging fruit for attackers. Either way, you're better off finding out under controlled circumstances.