Penetration test


A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious user, known as a black hat hacker or cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found are presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine the feasibility of an attack and the business impact of a successful exploit, if one is discovered. It is a component of a full security audit.

Black box vs. White box

Penetration tests can be conducted in several ways. The most common distinction is the amount of knowledge of the implementation details of the system being tested that is made available to the testers. Black box testing assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis. At the other end of the spectrum, white box testing provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code, and IP addressing information. There are also several variations in between, often known as gray box tests. Penetration tests may also be described as "full disclosure", "partial disclosure" or "blind" tests based on the amount of information provided to the testing party.

The relative merits of these approaches are debated. Black box testing simulates an attack from someone who is unfamiliar with the system. White box testing simulates what might happen during an "inside job" or after a "leak" of sensitive information, where the attacker has access to source code, network layouts, and possibly even some passwords.

The services offered by penetration testing firms span a similar range, from a simple scan of an organization's IP address space for open ports and identification banners to a full audit of source code for an application.

Rationale

A penetration test should be carried out on any computer system that is to be deployed in a hostile environment, in particular any Internet facing site, before it is deployed. This provides a level of practical assurance that any malicious user will not be able to penetrate the system.

Black box penetration testing is useful in the cases where the tester assumes the role of an outside hacker and tries to intrude into the system without adequate knowledge of the system.

Risks

Penetration testing can be an invaluable technique in any organization's information security program. Basic black box penetration testing is often done as a fully automated, inexpensive process. However, white box penetration testing is a labor-intensive activity and requires expertise to minimize the risk to targeted systems. At a minimum, it may slow the organization's network response time due to network scanning and vulnerability scanning. Furthermore, the possibility exists that systems may be damaged in the course of penetration testing and may be rendered inoperable, even though the organization benefits in knowing that the system could have been rendered inoperable by an intruder. Although this risk is mitigated by the use of experienced penetration testers, it can never be fully eliminated.

Methodologies

The Open Source Security Testing Methodology Manual is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.

The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. OSSTMM is also known for its Rules of Engagement, which define for both the tester and the client how the test must be run, from prohibiting false advertising by testers to how the client can expect to receive the report. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.

The National Institute of Standards and Technology (NIST) discusses penetration testing in Special Publication 800-42, Guideline on Network Security Testing (http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf), and in Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, September 2008, which replaces SP 800-42 (http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf). NIST's methodology is less comprehensive than the OSSTMM; however, it is more likely to be accepted by regulatory agencies. For this reason NIST refers to the OSSTMM.

The Information Systems Security Assessment Framework (ISSAF) is a peer-reviewed structured framework from the Open Information Systems Security Group that categorizes information system security assessment into various domains and details specific evaluation or testing criteria for each of these domains. It aims to provide field inputs on security assessment that reflect real-life scenarios. The ISSAF should primarily be used to fulfill an organization's security assessment requirements and may additionally be used as a reference for meeting other information security needs. It includes the crucial facet of security processes, their assessment and hardening, to give a complete picture of the vulnerabilities that might exist. The ISSAF, however, is still in its infancy.

Standards and certification

The process of carrying out a penetration test can reveal sensitive information about an organization. It is for this reason that most security firms are at pains to show that they do not employ ex-black hat hackers and that all employees adhere to a strict ethical code. There are several professional and government certifications that indicate the firm's trustworthiness and conformance to industry best practice.

In the UK, there are three main standards. For many years the only standard/accreditation was the CHECK scheme, administered by CESG (formerly known as the "Communications and Electronic Security Group"; part of GCHQ). This standard is a mandatory prerequisite for central government testing but, due to EU rules, cannot be enforced for local government and government agency work (cf. the CLAS consultancy qualification). It has also been favored by many commercial blue-chip organizations. Subscriber organizations to the scheme are required to maintain strict ethical standards, and certified individuals are automatically vetted to at least SC level security clearance.

The TIGER Scheme is one of the two non-governmental UK schemes for certifying the skills of penetration testers. The Scheme is managed independently by a Management Committee composed of industry stakeholders with a vested interest in maintaining standards and in meeting market requirements. The TIGER scheme contracts out training to an Operational Authority (OA), which is currently QBit Ltd, and testing of applicants to an Examining Body (EB), which is currently Glamorgan University. TIGER certification is available directly from the TIGER bodies, and does not require employment by a member or associate employer.

CREST (Council of Registered Ethical Security Testers) is a non-profit association created to provide a recognised certification for penetration testers which could be trusted by those wishing to hire penetration testers ("Infosec 2008: UK association of penetration testers launched", Computer Weekly, 2008-04-24, http://www.computerweekly.com/Articles/2008/04/24/230417/infosec-2008-uk-association-of-penetration-testers.htm, accessed 2008-08-16). It maintains and publishes a register of those accredited organisations and individuals who have met the CREST standard. The association is comprised of member organisations (providers of penetration testing), of which there are currently fifteen, and a smaller advisory panel representing customers of the organisations (Leo King, "Security testing standards council launched", Computerworld UK, 2008-04-24, http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=8730, accessed 2008-08-16). CREST members provide testing for new applicants, and while a syllabus is available, CREST does not provide or endorse any particular training course or provider. As with CHECK, CREST certification must be obtained while employed by a company already registered with the certification body.

Government-backed testing also exists in the US with standards such as the NSA Infrastructure Evaluation Methodology (IEM).

For web applications, the Open Web Application Security Project (OWASP) provides a framework of recommendations that can be used as a benchmark.

Web application penetration testing

"Web application penetration testing" refers to a set of services used to detect various security issues with web applications.

Enterprises across the world conduct their business on the web, yet only a meager percentage of websites are regularly and professionally tested for vulnerabilities. This increases the chances of website attacks and eventually leads to compromise of applications.

Web Application Penetration Testing services help identify issues related to:

* Vulnerabilities and risks in your web applications
* Known and unknown (0-day) vulnerabilities, so that the threat can be mitigated until your security vendor provides the appropriate solution.
* Technical vulnerabilities: URL manipulation, SQL injection, cross-site scripting, back-end authentication, passwords in memory, session hijacking, buffer overflow, web server configuration, credential management, etc.
* Business risks: day-to-day threat analysis, unauthorized logins, personal information modification, price list modification, unauthorized funds transfer, breach of customer trust, etc.

See also

* Auditor Security Collection
* Computer Security


Wikimedia Foundation. 2010.
