Basic's of Penetration Testing

From ITCwiki

A penetration test (otherwise known as a pentest) is used to expose a weakness in a computer system such as a company server or network. This kind of test allows a company to see where its vulnerabilities lie and attempt to fix them. Most often the test is conducted by some one that is not directly employed by the organization but is contracted from outside it.

Unlike a hacker the tester is given permission and is paid to exploit the organizations security weaknesses. The tester does not passively scan for security weaknesses either. While penetrating the system this will often times halt, slow down or even stop processes within the company. This is meant to simulate an actual cyber-attack on the organization. This simulation not only exposes security loop holes but tests fail safes (if any) that are put in place. Generally a pentest is conducted on a system that is vulnerable to attack and has important data, such as a banks web page with account information.

After the test is completed the tester generates a report known as a “penetration test report”. This report is short and to the point. The report details the method of attack that was used, and what information was compromised during the attack as well as the value of the information exposed. Also the report can contain preventative measures for such an attack, or the organization can come up with their own solutions.

There are three primary methods of penetration testing. All three are based on the knowledge that the tester has of the system before attempting to breach it. With the black box method the tester has no foreknowledge of the system or its infrastructure. The tester has to figure out where the system is and what type it is as well as the device it is operating on. After this has been deduced the tester can start attempting to breach the system. Because this type of attack is a simulation of an outsider hacking into a system this is the closest of the three methods an organization can get to a real attack.

The other two methods are known as white box and grey box. A white box attack is essentially the opposite of a black box attack. The tester has all the information about the system and its infrastructure, including in depth diagrams of the network and IP addresses as well as source codes for the organizations custom applications. With the grey box method the tester only has some of the information pertaining to a system and its network. These types of attacks are useful in simulating an internal threat to the organization, i.e. an employee who either intentionally or purposefully violates system security.

The Open Source Security Testing Methodology Manual or OSSTMM is a manual that discusses penetration testing in greater detail. The manual covers everything from fraud, social engineering attacks and network security, and physical security. The OOSTMM provides details on what items need tested. It also explains what to do before during and after a security test, as well as how to evaluate the results of the test.

These tests do not come without some risks of their own however. As mentioned earlier the test is meant to exploit weaknesses and vulnerabilities. These exploits can have consequences. During a test the system may slow down, crash or even worse break and become inoperable. With an experienced tester these risks are minimalized.

Pentesting is and invaluable tool for many companies and organizations. The report generated from this test will allow a corporation to identify and determine many things when conducting a vulnerability assessment. The test results can show the likely hood of a certain type of threat, its impact on operations, shows previously unknown loopholes, and the effectiveness of current security measures. In fact many organizations are mandated by the government to perform pentests as part of a security audit. The Payment Card Industry Data Security Standard (PCI DSS) requires organizations that hold credit card information to conduct annual and ongoing Pentesting after a system change.

Penetration testing is akin to running a drill or exercise. When a building conducts a fire drill it is testing the effectiveness of evacuation procedures as well as alarm systems. If the drill was never conducted and the building caught fire many lives could be lost. Just as a bank that offers online banking run drills with its online security through Pentesting. Imagine how much important personal information a person places online through their online banking service, if threats aren’t discovered through pen testers and then sent to the bank to be evaluated and prevented someone with malicious intent could end up with your credit information.

By: Curt Hermanson and Byron Schwarz