Penetration Testing 2

by nanggroe on July 2, 2011

Chuck Bianco, FTTR, CISA, CISSP

Penetration testing is not a be-all, end-all for security. Organizations must first perform risk assessments that determine the components of sound security policies and procedures. After the development, approval, and installation of security policies, organizations should install several control mechanisms to measure the success or failure of the risk analysis and security systems. One such control is a properly constructed penetration test.

What Is a Penetration Test?

Penetration testing involves examining the security of systems and architectures. It reviews the effectiveness of the security of the organization’s Internet presence. This includes all the holes and information that might damage the organization. The tester uses his creativity and resourcefulness to behave in the same manner as a hacker would.

The tester uses hacking tools and related techniques to challenge the efficiency and competence of the security design. The tester hopes to find problems before the hackers do and to recommend fixes and solutions to identified vulnerabilities. Although penetration testing assesses security from the Internet side of the organization’s network, it is not a full security assessment or a guarantee that your site is secure.

It is only a complement to a full range of security measures. Your company should already have a complete security policy based on a risk analysis of the data and items you need to protect. If you do not have a security policy in place, you may choose to use penetration testing to assist you in writing the security policy.

The penetration test is simply another security tool to assist in protecting your company’s assets. There are several different types of penetration tests, depending on the depth of the test and the threats measured. Both outsiders and employees or trusted third parties can launch attacks on the company. The testing may be broad-based or narrow, depending on risk assessments, the maturity of security policies, prior testing histories, etc.

You may wish to test your systems from internal attacks or develop specialized penetration tests later.

Why Do It?

Many institutions offer Internet banking and related E-commerce activities. Some offer services through service bureaus and others offer the services on institution-run transactional Web sites. All institutions should ensure that they use all systems in a safe and sound manner. Intruders hack both institutions and service bureaus. These hacks place the assets of the institution in peril. The FBI claims that almost 60 percent of all business sites have been the victims of unauthorized access. Some companies have lost money. Many have been the victims of a denial-of-service (DoS) attack, in which a hacker sends more information than your system can handle. This causes your system to slow down or stop working. Examiners and auditors frequently find that the institution does not know whether or not it has suffered a security breach. According to the Computer Emergency Response Team (CERT) and the U.S. Department of Energy Computer Incident Advisory Center (CIAC), hackers invaded more than 25,000 sites in 2001.

Intrusions can lead to loss of money, data, and productivity. Hackers, spies, and competitors can all steal, regardless of whether or not an intrusion occurs. For example, hackers can take advantage of bugs in Web sites to gain unauthorized information. We have even discovered many examples where poorly designed Web sites allowed visitors access to unauthorized information. Therefore, even authorized visitors can copy information and can sell confidential customer information and strategic information to competitors. These attacks can damage the institution’s reputation and expose it to legal action. The intruder can also install entrances for future activity, such as backdoors, Trojan horses, and program worms. A well-planned test reenacts all such actions. Penetration testing will normally provide evidence of exposures before they occur. In the case of found Trojan horses and viruses, it will act as a detective control.

Penetration testing not only improves security but it helps to train your staff about security breaches. It provides evidence of proper care and diligence in the event of lawsuits filed because of an intrusion. Moreover, penetration testing authenticates vendors’ claims about their product features. We advise you to have the test performed by a disinterested third party. For example, if the tester recommends that you purchase his product after he completes the test, he may not recommend the most effective solution. He also may not find security weaknesses in his products. The testing must be impartial and provide a view of the entire security system.

All institutions that offer E-commerce products should perform annual penetration tests. In no way does this mean that an annual test is sufficient to ensure effective security. We believe that the institution should conduct such tests at least once per year and present the testing report of findings to the board of directors. However, the security plan must indicate how much penetration testing is sufficient. For many sites, an annual penetration test is the equivalent of having the security guard only check if someone locked the front gate after closing time about once a year. Many testers offer yearly contracts for regular testing, which most organizations find extremely helpful in keeping up with the number of exploits and holes published daily.

Institutions using service bureaus should insist on annual penetration testing of the service bureau. Ideally, the institution will take part in the penetration test. The service bureau should issue report findings to its client institutions. The institution should use this report to design a limited penetration test at the institution. An exception to this requirement occurs when the institution takes an active part in the penetration test of the service bureau.

Costs

Costs of such tests can vary from as little as $2000 for targeted tests to several hundred thousand dollars. The risk assessment or Standard of Due Care Study and your security policy determine the extent of the test and necessary costs. Institutions will include penetration testing costs in cost/benefit studies as part of the business analysis decision.

Limits

The institution should carefully design the scope of the penetration test to protect the company from inadvertent downtime and loss of business due to a successful intrusion during the test. While it may also be impractical to allow the tester to have access to production systems, testing does not have to be perilous if done at low traffic times.

While the tester may be limited because the employees know about the penetration test, this knowledge only hampers penetration testing if the tester is also attempting to measure human security controls. Some testers prefer that company personnel know about the test in advance, so that the employees can tighten security before testing. For example, weekly penetration tests will cause the employees to apply patches the moment they come out, rather than waiting for a penetration test report showing they are not doing their jobs. Moreover, professional testers will notify the company as soon as they find any high risks and have it fix them immediately. They will still include the risks in the report, but the tester does not leave the company at risk during the testing and report-writing time.

The company must take great care to carefully design the limits and scope of the penetration test; yet it must also allow the tester sufficient access to evaluate security effectiveness. The organization should define exactly what the tester can and cannot test. These requirements should go in the contract and be defined by IP addresses.

The test can include, but is not limited to, the following tools and techniques (see http://www.cccure.org/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=9&ttitle=Domain_1.zip for more detail):

  • Network mapping and port scanning

  • Vulnerability scanning

  • Wardialing

  • Sniffing

  • Spoofing

  • Session hijacking

  • Various denial-of-service (DoS) and distributed DoS (DDoS) attacks

  • Stack-based buffer overflows

  • Password cracking

  • Backdoors

  • Trojan horses and rootkits

Disadvantages include the following:

  • Penetration testing can cause severe line-management problems without the involvement of senior management.

  • Penetration testing is a waste of time if it is the only security measure taken by the company.

  • It is very expensive, especially if improperly planned.

  • The tester can use the information he finds against you.

Who You Should Avoid

Your institution should never enlist a convicted felon to test your security system.

What You Should Tell the Tester

  • You should provide your institution’s legal company name and address as well as the name of a contact person whom the testers can always reach (day or night).

  • You should also provide the limits and scope of the testing without denying the tester the opportunity to use his creativity. However, you must ensure that you instruct the tester that the testing should not damage anything and to document any problems caused or found.

  • You should detail what systems or networks are off-limits and during what hours the testing will take place. Some experts suggest that you handle this like a firewall — list what you will allow and prohibit everything else. Be prepared to pay extra for testing at strange hours. Ensure that you have qualified employees on site during those strange hours to reboot downed systems.

  • You should also indicate if you own the transaction Web site or use an ISP.

  • Specify whether you will allow social engineering attacks (deception, trickery, or coercion are at the heart of social engineering techniques). Many testers believe that social engineering attacks may do more harm than good because they affect employee morale. Therefore, you may wish to limit publication of the successful social engineering attacks or redact the names of employees the tester fooled into providing information.

  • Specify whether you will allow DoS attacks. If you allow these attacks, schedule them for a non-operations time and have someone babysitting the network while the attack happens. However, never allow distributed denial-of-service attacks, as they involve other companies; they always bring systems down and harm your Internet service provider and all routers in between.

  • Specify whether the tester will cover his tracks or leave evidence on the system, such as text messages. The tester should never leave a backdoor program in your system. You may decide that a report of areas where the tester could have entered is sufficient.

  • Specify exactly what the purpose of the test is:

    1. Is it to get into your system, provide proof of successful entrance, and stop?

    2. Will the tester place something on your system, such as a file or message, as proof that he gained entrance to the system?

    3. Will you authorize the tester to gain system administrator privileges that allow him unlimited access to accounts?

    4. Should the tester gain access to files or e-mail?

  • The tester should collect data indirectly by doing research on the Internet. This is mandatory for a penetration test. The Internet presence measures the footprints your employees leave on the Internet.

  • Ask the tester to provide a list of things he or she will do to facilitate the test.

  • Will the social engineering attacks be limited strictly to remote attacks, such as phone calls to employees, or will the hacker also conduct them in person? (In-person attacks include reviewing information in trash receptacles, posing as maintenance personnel, service bureau personnel, or employees of the institution, following employees into secured areas (tailgating), etc.) Many experts believe that on-site penetration testing is really auditing. Some companies have their employees perform the on-site social engineering tests in conjunction with the outside tester. Social engineering can also include e-mailing employees or inviting them to visit a certain Web site.

  • Require that the tester indicates in his report how he got the data and if he believes your site is secured against the top-20 tools currently available in the wild. Require that he give some examples of how he located these tools and which ones they are. It is not sufficient that your site is currently safe from the exploits these tools attempt. The tester should measure your network’s response to each tool’s unique signature or method. For example, some tools are poorly written and may accidentally bring down a network, even though that was not the intent of the tool. In this way, you determine if the tester just uses a commercial scanning tool, or if he really tries to hack into your system. Many experts believe that no one tool is more than 10 percent effective in penetration testing.

What You Should Not Tell the Tester

You should not provide technical information that a hacker would not know in advance, such as information regarding:

  • Firewalls

  • Routers

  • Filters

  • Concentrators

  • Configuration rules

What You Should Do before You Finalize the Contract

  • You should determine the vendor’s policy on hiring.

  • Obtain proof of liability insurance.

  • How long has the testing company been in business?

  • How long has the testing team been together?

  • Ask for a description of the vendor’s testing procedures. Avoid vendors who will not explain their entire testing procedure.

  • Ask the vendor how you will reach them during the testing process. Avoid vendors you cannot reach at any time during the test.

  • Ask the vendors about the dangers of denial-of-service attacks. Avoid vendors who encourage denial-of-service attacks without telling you how dangerous they are.

  • Ask for and insist on merit examples of past work.

  • Ask the vendor for redacted examples of his final product. Avoid a vendor who will not supply specific examples of his final product.

  • Demand that the vendor sign a nondisclosure agreement. Avoid vendors who refuse to do so.

  • Avoid vendors who offer refunds on security tests in cases of “secure networks.” Professional security testers operate as a service and will not offer refunds in almost every case.

  • Have your contract reviewed by your attorney before signing.

  • Require copies of files and data that the tester is able to access during the attacks. Specify whether these outputs will be paper or digital. Ask for traffic dumps, logs, and raw data. The tester should also provide the IP address from which the test is coming.

What You Should Tell Your Staff

Try to limit the number of employees who know about the test to the technicians responsible for the networks and computer systems. Assign one employee as the Internal Trusted Agent (ITA). The tester and ITA will communicate with each other if needed during the test. Your employees should know that automated intrusion detection systems block out the tester’s IP after a few seconds of scanning. They should not assume that all activity is part of the test. You could actually be under attack from a hacker. Ensure that the technicians know a scan is coming and from where.
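The chapter asks that scope be written into the contract by IP address and testing hours, that the tester supply his source IP, and that technicians not assume every alert is the test. The following added example (not from the chapter) shows how an Internal Trusted Agent could triage IDS or firewall events against those rules of engagement; all addresses, windows, and events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Rules of engagement as the chapter recommends writing them into the contract:
# scope by IP address, allowed testing hours, and the tester's own source IP.
# Every value here is constructed for illustration (RFC 5737 documentation ranges).
RULES = {
    "tester_sources": [ip_network("198.51.100.7/32")],
    "in_scope": [ip_network("203.0.113.0/24")],
    "off_limits": [ip_network("203.0.113.200/29")],   # e.g. production core systems
    "window": (time(22, 0), time(6, 0)),              # low-traffic overnight hours
}

@dataclass
class Event:
    when: datetime
    src: str
    dst: str
    detail: str

def in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)

def in_window(when, window):
    start, end = window
    t = when.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end   # window wraps past midnight

def classify(ev, rules=RULES):
    """Triage one event: is it the contracted test, a scope breach, or someone else?"""
    if not in_any(ev.src, rules["tester_sources"]):
        return "NOT_TESTER_INVESTIGATE"   # could be a real intrusion; treat as such
    if in_any(ev.dst, rules["off_limits"]) or not in_any(ev.dst, rules["in_scope"]):
        return "TESTER_OUT_OF_SCOPE"      # notify the ITA; the contract defines scope
    if not in_window(ev.when, rules["window"]):
        return "TESTER_OUTSIDE_WINDOW"    # tester active outside the agreed hours
    return "AUTHORIZED_TEST"

# Constructed sample events: timestamp, source, destination, IDS message.
SAMPLE_EVENTS = [
    Event(datetime(2011, 7, 2, 23, 15), "198.51.100.7", "203.0.113.25", "port scan"),
    Event(datetime(2011, 7, 2, 23, 20), "198.51.100.7", "203.0.113.201", "port scan"),
    Event(datetime(2011, 7, 3, 9, 5), "198.51.100.7", "203.0.113.30", "vuln scan"),
    Event(datetime(2011, 7, 2, 23, 30), "192.0.2.99", "203.0.113.25", "port scan"),
]

def triage(events=SAMPLE_EVENTS):
    return [(ev.src, ev.dst, classify(ev)) for ev in events]

if __name__ == "__main__":
    for src, dst, verdict in triage():
        print(f"{src:>14} -> {dst:<14} {verdict}")
```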

What the Tester Should Provide at the Conclusion of the Test

The tester should provide both a brief executive summary (one or two pages) indicating test results, and a detailed listing of all findings and results and what methodology of attacks he used. He should indicate what weaknesses he found and include recommendations for improvement. He should write his report so that nontechnical people understand it. At a minimum, the report should include the following items:

  • What could be tested

  • What was tested

  • When and from where the test happened

  • The performance effects on the test, and vice versa

  • A detailed executive summary in nontechnical terms that includes the good and bad

  • The tools used for findings

  • Information security findings

  • Holes, bugs, and misconfigurations in technical detail with suggestions on fixing them

  • Network map

  • Any weaknesses discovered

  • Passwords and logins discovered

  • Specific firewall/router behavior findings against a list of attacks (not tools)

Your next move depends on his findings. If he finds many problems, you should begin by fixing the problems. You should also:

  • Review all security policies and procedures.

  • Ensure staff is trained in security.

  • Determine if you need to conduct a full security assessment.

  • Review corporate and disaster recovery planning.

Notes

1. The Open Source Security Testing Methodology Manual, by Peter Herzog, http://www.isecom.com.

Acknowledgments

Many industry experts contributed to this chapter. Thanks to Chris Hare of Nortel Networks and Mike Hines of Purdue University. I am very grateful to those who made significant contributions: Hal Tipton of HFT Associates in Villa Park, California, and author of numerous IT security books; Clement Dupuis of CGI in Canada and moderator of the CISSP Open Study Guide Web Site; and Pete Herzog, moderator of the Open Source Security Testing Methodology Forum.

The contents of this document are my own and do not represent those of any government agency.
