Walk trough the penetration testing fundamentals

The article is published on the last edition of Pentest Magazine. Enjoy the reading, the magazine is free and to download it you just have to create a free account on www.pentestmag.com.

Why conduct a penetration test?

The penetration testing is a fundamental method for the evaluation of the security level of a computer architecture or network that consists in the simulation of an attack to resources of the system under analysis. Of course the investigation can be conduced by experts to audit the security level of the target but also by cyber criminals that desire to exploit the system.

The penetration testing process is conducted over the target searching for any kind of vulnerabilities that could be exploited like software bugs, improper configurations, hardware flaws. The expertize provided by professional penetration testers is an irreplaceable component for the evaluation of the security of systems deployed in private and military sectors. In many sectors for the validation of any systems or component these kinds of test are requested.

The testing approach has radically changed over the years, similar tests were originally conducted mainly on systems already in production or operation in order to demonstrate their vulnerabilities, today’s test sessions are planned as part of the design phase and assigned to internal or external staff in relation to the type of checks that are to be conducted.

A first classification of penetration tests is made on the knowledge of the technical details regarding of the final target distinguishing Black box testing from White box testing. Black box testing assumes no prior knowledge of the system to test. The attacker has to first locate the target identifying its surface before starting the analysis. Whit the term of white box testing we identify an attacker with complete knowledge of the infrastructure to be tested.

The figure of the pen tester is a critical figure, he must think like an hacker paid to break our infrastructure and access the sensible information we possess, for this reason the choice of reliable and professional experts is crucial.  The risk to engaging the wrong professionals is high and it is also happened in the history that companies have wrongly hires hackers revealed in the time cyber criminals.  The information is power, is money and the concept of “trust” is a fundamental for this kind of analysis.

Over the years it has fortunately increased awareness of the risks attributable to vulnerabilities exploitable in systems and related economic impact, this aspect is not negligible because it has enabled a more robust commitment by management of companies that has requested more and more often penetration testing activities.

An effective penetration tests provides to the company a useful report on the status of their services and its exposure to the main threats known. Don’t forget that many incidents registered last year were related to unknown vulnerabilities of the victims systems and misconfiguration of any kind of appliance.

While the main objective of penetration testing is to determine security level of the company, and in particular of its infrastructures, it can have number of further objectives, including testing the organization’s security incidents identification and response capability, testing security policy compliance and testing employee security awareness.

Main benefits of a well done penetration testing are:

• Identifying and classification of the vulnerabilities of the systems. The aspect of the classification is essential to give right priority to activities needed to improve security and securing infrastructure.
• Identification of those critical components in the surface of attack of a system that while not vulnerable have characteristics that make them susceptible to attacks over time.
• Determining the feasibility of a particular set of attack vectors.
• Helping organizations meet regulatory compliance.
• Identification of the vulnerabilities is the starting point for a deeper analysis made to assess the potential impact on the business of the company.
• Providing evidence of real status of the systems providing a detailed report to the management of a company. It’s the starting point because starting from the report the company must proceed to secure its infrastructures evaluating corrective actions and their impact on actual business. A well-documented penetration test results, helps management to identify the right actions to secure the structures and to size the budget for them.

According the principal methodologies the whole process of a penetration test, from initial requirements analysis to report generation, could be applied to the following areas:

• Information security
• Process security
• Internet technology security
• Communications security
• Wireless security
• Physical security

Standard & Regulations

Activities of penetration testing are being object of regulation also by several standards, for example the Payment Card Industry Data Security Standard (PCI DSS), and security and auditing standard, requires both annual and ongoing penetration testing. The PCI DSS Requirement 11.3 addresses penetration testing like the attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible.

The standard also include network and application layer testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network.

The most important factor for a successfully penetration test is the adopted methodology that’s the reason why the discipline is evolved starting its origin in 1970’s. Professionals during the years have proposed and developed efficient frameworks for conducting a complete and accurate penetration test.

The Open Source Security Testing Methodology Manual (OSSTMM) by Pete Herzog has become a de-facto methodology for performing penetration testing and obtaining security metrics.

Pete Herzog, OSSTMM creator said :“The primary goal of the OSSTMM is to provide transparency. It provides transparency of those who have inadequate security configurations and policies. It provides transparency of those who perform inadequate security and penetration tests. It provides transparency of the unscrupulous security vendors vying to sponge up every last cent of their prey’s already meager security budget; those who would side-step business values with over-hyped threats of legal compliance, cyber-terrorism, and hackers.”

In main opinion transparency and an efficient methodology are essential for the study and the assessment of every system.

Just to give a complete view on the standards and methodologies in penetration testing we can remind the others guidelines available worldwide recognized:

• Standards for Information Systems Auditing (ISACA), introduced in 1967. This ISACA organization provides the basic and the most important among the audit certifications useful to demonstrate to the market mastering the concepts of security, control and audit of information systems.
• OWASP: The Open Web Application Security Project (OWASP) is an open source community project developing software tools and knowledge based documentation that helps people secure Web applications and Web services.
• NSA Infrastructure Evaluation Methodology (IEM)

How effective are our system, how efficient are our processes? We never going to know until we run drills and exercises that stress out the platforms and perform the analysis. Simulate the possible attacks, measuring the level of response of our architecture is fundamental, we have learned by the events how dangerous an unpredicted incident could be.

Conducting a pen test is a good opportunity to test the level of security of an environment but also to evaluate the response of the company to an intrusion or to an incident. Using this methodology it is possible to stress and analyze a system or an application discovering its vulnerabilities and the impact of every possible attacks or malfunctions on the overall architecture and on related systems. It’s happened that during a penetration test discovered mutual vulnerabilities between components, for example the exploit of a first Web service could cause the block or better an exploit in a related system that use the services provide.

Several years ago, during the period I conducted penetration testing for a major company I observed during a test session that some components were intentionally excluded because the administrators of the platforms were informed regarding the vulnerabilities. That behavior it’s really dangerous, excluding weak systems during a penetration test it’s a common wrong practice that prevents an efficient analysis of the system.

In this way we will never be able to measure the impact of the vulnerabilities on the overall security despite how the risks are addressed and recognize by the management of a firm. In a past experience I have had the opportunity to audit a company ISO 27001 compliant, its management was perfectly aware regarding some known vulnerabilities accepting the related risks. Few months later, an external attack damaged the company due a vulnerability not known correlated to a well non problem not tested.

Penetration Test , a widespread need

If the practice to carry out a penetration test is recognized and requested by the major standards that we examined in a private environment, it becomes crucial in critical environments such as military and government.

In these areas information management are extremely sensitive and it is essential for the environments to be tamper-resistant. For this reason, every device, component and infrastructure must be subjected to rigorous testing in time for the purpose of assessing the level of overall security. Particularly critical are all those heterogeneous environments where components are provided by different providers and whose iteration enables the delivery of services. It is this type of environment, together with those characterized by openness to the outside, are a real thorn in the side of management bodies as these architectures are more exposed to external threats.

In recent years there has been a dramatic growth of the attacks perpetrated against successful private companies and government agencies, a phenomenon in constant and growing concern.

Demonstration projects conducted by groups of hacktivist like Anonymous, warfare operations conducted by foreign governments for purposes of offense and cyber espionage and an unprecedented increase of cyber criminal activities have attracted the attention to the security requirements of any IT solutions. The verification of the effectiveness of the solutions mentioned in defense has become a significant activity that has led to an increased demand of figures such as the penetration tester, which is multidisciplinary and multifaceted professional with the ability to analyze and study a system identifying its vulnerabilities.

Of course in critical environment, like a military one, the governments due the secrecy of the solution analyzed have preferred to promote internal born group of experts trained to execute penetration test. In these  sector nations such as China, Russia and the US are at the forefront.

Also bring as example such systems within critical infrastructures, related vulnerabilities are alerting the security world community. The case of Stuxnet virus has taught the world how dangerous a cyber weapon capable of exploiting vulnerability in a system might be. The only possibility we have facing these cyber threats is to thoroughly test each individual component of the systems we are going to deploy. The method of soliciting such infrastructure through penetration tests is essential, unique opportunity to identify critical vulnerabilities that if exploited could affect their security posture.

Penetration tests are a precious opportunity to protect our infrastructure that must be integrated in more articulated testing policies, a good example has been provided by the Special Publication 800-42, Guideline on Network Security Testing published by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce.

Let me conclude with phrase that I’ve read several time on the Web that resume the purpose of penetration test methodology:

“Protecting your enterprise by breaking it”

Pierluigi Paganini

Share On