Penetration Testing
By Mathew Benwell
A Word of Warning!
It is extremely important to understand that the testing about to be discussed is illegal under Australian law unless approval from the target was obtained first. Testing of this nature must have written approval from an authorised organisational representative prior to commencement.
What is a Penetration Test?
A penetration test is a simulated attack, typically against information systems. A penetration test is designed to replicate an attacker to see if systems can be compromised. The primary aim is to identify security weaknesses before real attackers have the chance to. Once security weaknesses have been identified, the organisation can start treating the associated risks.
Penetration tests come in many forms ranging from highly technical attacks against web applications to simple manipulation of natural human behaviour often referred to as social engineering.
An example attack may be targeting a specific service provided to clients over the Internet, such as an online store where the store processes payment cards as a mechanism for purchasing goods. What would happen to the online store if an attacker could redirect payments to another financial institution? Along with the obvious financial losses, there could also be reputation damage as a result of such an incident. Could the store survive? Would you shop there again?
The social engineering aspects of penetration testing are often the most fruitful. People naturally want to help others in need and this form of testing manipulates this basic human behaviour. Have you ever held a secure door open for someone you don’t know? They look like they’re supposed to be there so what’s the harm? Tailgating through a door is a simple method of bypassing building security systems. Attackers know this and will take advantage of it.
Why Conduct a Penetration Test
Penetration testing should be considered an important part of an ongoing security program. While penetration tests cover a finite scope, the results often have a significant impact. These tests can be particularly useful in attracting the attention of senior management, which helps ensure that information security is taken seriously at a high level. In many cases senior management think of information security as an ‘IT issue’ when in reality it is a business issue. The results of a penetration test can show the organisation-wide consequences of a breach and help secure buy-in from all levels of the organisation.
Have you ever heard the saying “An ounce of prevention is worth a pound of cure”? Organisations typically conduct penetration tests with the aim of identifying vulnerabilities which could cause some form of loss. Loss may be specific to each business but there are some forms of loss that can apply to all businesses.
Immediate financial loss is obvious in the case of an attacker being able to remove money from an organisation. However, there can also be indirect costs associated with a security incident. For example, the costs of employing a specialist to clean up after an incident, or the costs of possible regulatory breaches, could run into millions of dollars.
Losses are not just financial. An organisation can suffer significant reputation damage as a result of a publicised breach. In an online world people need to have a sense of trust to conduct faceless transactions. A security breach could lead to a decrease in client trust which could then lead on to a drop in sales.
Pre Penetration Test
There are two key steps which need to be covered prior to commencing a penetration test: a well-defined testing scope and authorisation to perform the test.
A testing scope essentially defines the rules of the game. These rules must be well thought out and clearly documented to ensure that neither party oversteps the mark. Information systems are often intertwined with other systems which can lead to testing of secondary systems. It is therefore important to determine whether the testing of secondary systems should be included in the scope.
The testing scope should include details such as the systems to be tested, systems to be excluded and the types of tests allowed to be conducted. One example of this might be a definition that explicitly states that denial of service tests are not to be conducted.
The second and most important pre-testing task is to ensure that you have signed authorisation from the client to conduct the tests documented in the testing scope. Do not commence testing if authorisation has not been obtained, or you could find yourself on the wrong side of the law.
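The scope and authorisation requirements above can be turned into a simple gate that every proposed test action has to pass before it is run. The following is an added example written for this article, not code from the author; the scope document, client name, signatory, dates and addresses are constructed placeholders (the IP ranges are documentation ranges), and the rule ordering (exclusions beat inclusions, forbidden test types beat allowed ones, no signature or out-of-window date blocks everything) is an assumption about how a tester would want the scope enforced.

```python
"""Scope and authorisation gate for a penetration test (added example)."""
from dataclasses import dataclass
from datetime import date
import ipaddress

# Constructed scope document. Every value here is an illustrative placeholder;
# a real engagement takes these from the signed scope agreement.
SCOPE = {
    "client": "Example Pty Ltd",
    "authorised_by": "Jane Citizen, CISO",          # placeholder signatory
    "signed": True,                                  # written authorisation on file
    "window": (date(2024, 3, 4), date(2024, 3, 15)), # agreed testing window
    "in_scope": ["203.0.113.0/24", "198.51.100.10"], # systems to be tested
    "excluded": ["203.0.113.250"],                   # e.g. a shared payment gateway
    "allowed_tests": {"discovery", "enumeration", "vulnerability_mapping", "exploitation"},
    "forbidden_tests": {"denial_of_service"},        # explicitly ruled out, as the text suggests
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def _networks(entries):
    """Parse a list of addresses or CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def check_action(scope, target_ip, test_type, on=None):
    """Decide whether a proposed test action falls inside the written scope.

    Nothing is permitted without signed authorisation inside the agreed
    window; forbidden test types win over allowed ones; excluded systems
    win over in-scope ranges.
    """
    on = on or date.today()
    if not scope.get("signed"):
        return Decision(False, "no signed authorisation on file")
    start, end = scope["window"]
    if not (start <= on <= end):
        return Decision(False, f"date {on} is outside the authorised window {start}..{end}")
    if test_type in scope["forbidden_tests"]:
        return Decision(False, f"test type '{test_type}' is explicitly forbidden")
    if test_type not in scope["allowed_tests"]:
        return Decision(False, f"test type '{test_type}' is not listed as allowed")
    ip = ipaddress.ip_address(target_ip)
    if any(ip in n for n in _networks(scope["excluded"])):
        return Decision(False, f"{target_ip} is explicitly excluded from scope")
    if not any(ip in n for n in _networks(scope["in_scope"])):
        return Decision(False, f"{target_ip} is not in scope")
    return Decision(True, "within signed scope")


if __name__ == "__main__":
    day = date(2024, 3, 5)
    for target, kind in [("203.0.113.20", "enumeration"),
                         ("203.0.113.250", "enumeration"),
                         ("203.0.113.20", "denial_of_service"),
                         ("192.0.2.1", "discovery")]:
        d = check_action(SCOPE, target, kind, on=day)
        print(f"{target:15} {kind:20} {'ALLOW' if d.allowed else 'BLOCK':5} {d.reason}")
```

The gate is deliberately conservative: an action that is not positively covered by the signed scope is blocked, which matches the advice above that testing must not commence without authorisation.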
Penetration Test Execution
Penetration testing is typically conducted using a structured approach around the following key phases:
- Discovery
- Enumeration
- Vulnerability Mapping
- Exploitation
Each phase feeds into the next, making it an integrated process.
Discovery
The discovery phase can be thought of as reconnaissance. The discovery process will aim to map out the attack surface for the test. The discovery phase will highlight possible attack vectors based on the information gathered.
In a social engineering attack, the tester will attempt to identify possible personnel weaknesses which could be exploited to gain further information. An example could be identifying physical building security weaknesses.
A penetration test against a web site would start by identifying key information about the web site, such as the IP address of the server hosting the site and the network ports open on that host.
Enumeration
The enumeration phase builds on the discovery phase, gathering more detailed information about what was found. Information such as software product names and versions will be collected.
For example, during the discovery phase it may have been identified that there was an unknown web server on the system being tested. During enumeration the tester will attempt to identify specific details about that web server, such as the vendor and the version number of the web server software.
Vulnerability Mapping
The vulnerability mapping phase will attempt to identify weaknesses in the services/systems enumerated in the previous phase.
Once sufficient detail has been obtained, the tester can identify weaknesses in the system being tested. If we return to the previous example, we may have identified that the web server was an old version of Internet Information Services (IIS). The particular version identified contains a known weakness allowing an attacker to take complete control of the server.
This information could then be fed into the final test phase, exploitation.
Exploitation
The exploitation phase is designed to demonstrate that a security weakness exists and can be used by an attacker. The tester aims to compromise the system using a weakness identified in the previous phases.
In the web server example used previously, this might be as simple as running exploit code against the web server.
In a social engineering example, the testing officer could obtain unauthorised physical access to a facility using non-technical means.
Post Penetration Test
The final and most important deliverable to an organisation that has commissioned a penetration test is the final report. The final report is so significant because it conveys and documents the security risks identified during the test in a way that is meaningful to the organisation.
A penetration test report is likely to be read by everyone from senior management down to the technical personnel responsible for implementing remedial changes. A good penetration test report will provide information for all of its intended audiences.
The following is an example format of a penetration test report:
Executive Summary – this section provides sufficient non technical detail for executive level managers to understand key issues in order to make informed decisions. E.g. business impacts, financial impacts.
Summary – this section provides a summary of the technical detail contained in the report. This should give an overall picture of the security weaknesses in an organisation.
Technical Detail – this section provides all of the technical detail related to the vulnerabilities discovered. Each vulnerability identified should be documented here in extensive detail. The detail should include the issue identified, recommended remedial activities and a risk assessment based on the tester's knowledge of the business. Where possible, the client's own risk assessment methodology should be used to ensure risk ratings match the business's appetite for risk.
Glossary/Appendices – these sections contain an explanation of terms used in the report as well as significant amounts of technical detail not suitable for the report body.
What to Consider Before Being Penetration Tested
When an organisation decides to conduct a penetration test there are several key points to consider prior to the commencement of the test:
- Use independent information security providers. Independent providers don’t have a secondary wheelbarrow to push. They won’t try to sell you a magical product that will fix all your problems, so they are in turn more interested in finding and fixing the key issues;
- Seek demonstration of provider experience. Proven experience will help you understand the provider's capabilities and will provide a level of confidence in the provider's ability;
- Ensure the testing provider utilises proven testing methodologies. Proven testing methodologies ensure that the tests being conducted will produce consistent and reliable results;
- Never utilise penetration tests as a substitute for a holistic security program. A penetration test is an important part of your security program, not a substitute for one.
A well planned penetration test can help organisations to identify their information security vulnerabilities. This proactive approach can help identify risks before malicious attacks occur and protect an organisation from the post-attack fallout.