Professional Documents
Culture Documents
The Goals of Penetration Testing
The Goals of Penetration Testing
The Goals of Penetration Testing
PENETRATION TESTING
By Robert Shimonski
The ultimate goal to penetration testing is to test your technology assets for their
security, their safeguards, and controls by trying to penetrate through any configured
defenses. But pen testing can be broken down into individual smaller goals.
Pen testing, although a hot topic, isn’t a new concept nor is it an incredibly difficult
one. The underlying technologies, concepts, and techniques can go very deep.
However, conducting pen testing can be very easy if you’re trained and have the right
knowledge.
The breadth of pen testing is where the complexity grows because networks,
systems, infrastructure, mobility, and cloud architecture all stretch what needs to be
assessed. That requires you to look at every aspect of everything your client,
company, or business is accountable for.
You can be proactive by conducting daily, weekly, monthly, quarterly, and yearly
tests to find weaknesses that can be monitored or fixed.
A small, identified risk: The risk can be small where you know there is a
problem, but you accept its risk because you can’t fix it at this time. Maybe a
patch is not yet available by a software vendor and you need to wait.
An identified risk to monitor: You identify a risk and monitor it, but a
penetration and exploitation would lead to very little threat. An example may
be hurting the company’s reputation slightly by upsetting a few clients who rely
on the systems because they temporarily weren’t available. This risk is low
level.
There are also other situations where some vulnerabilities can’t be exploited, and it
makes sense to monitor them. Other vulnerabilities can be exploited and are of a
very high priority (and risk) and therefore must be monitored until they’re corrected,
which may take some time to accomplish.
You record all these risks in a risk register and log the results of most security
assessments (your pen test results) with a marker denoting the level of risk and the
priority in which it should be addressed.
A risk register is a list of known risks and vulnerabilities that you compile as you
scan, assess, penetrate, and test. The risk register is the official document (or
information stored and accessible in a database, spreadsheet, or other facility) that
shows the following:
What risks (and vulnerabilities) you’ve found
How you may have found those risks
The weight you’ve assigned to each risk
A priority level in fixing or correcting each risk
The table below shows what a typical risk register looks like.
A Risk Register
Risk Register Entry # Risk Category Risk Sub-category
1 Security Virus
2 Network Wireless
3 Power UPS
5 Datacenter Space
7 Environmental HVAC
8 Security Physical
10 Datacenter Consolidation
11 Storage Capacity
12 Storage Capacity
14 Database Backup
15 Database Corruption
16 Database Network
17 Datacenter Space
The risk register is a great tool to help you identify problems, but it would be hard to
guess what changes could cause problems, which is why companies have pen
testing conducted: to test their systems for weaknesses. A company might have an
in-house team doing the testing or outsource to a security firm or individual
consultant.
Vulnerabilities are a type of risk that can be rated and used as a recorded artifact that
can be logged, reviewed, and corrected by people who are responsible for its
correction.
Malware (malicious software) is a type of exploit created by a hacker that can take
this seemingly good service and turn it into a vulnerability. If a malicious party now
sends too much data to the buffer in an effort to exploit a weakness and overwhelm
(or overflow) it, it could cause performance to be impacted or in the worst-case
scenario, crash the system or cause it to be unresponsive.
Password usage: Weak passwords (easily guessed or easily cracked with a
password cracking tool) allow immediate entry into a system with the click of
the tools button. This is a real-world example of a very common vulnerability,
which can be found and prevented by a pen test.
A good corporate password policy (with a system that secures and enforces it) is the
best chance to protect against this vulnerability. Unfortunately, it’s still common in
many places around the world, and I’m sure during your own pen testing, you will find
instances of it during your own pen testing.
Sampl
e output from Nessus.
Never run a pen test, assessment, scan, or security test on a live production network
without permission! Many things can go wrong. For example, you could run a scan
on a segment of the network configured with devices to block penetration attempts
that shut services off that could impact a production system that’s servicing clients.
Another example: In a hospital system, if you decide to run a scan during the day on
a protected network segment without making some adjustments, it could shut down
services and prevent patients from receiving care.
RESPONDING TO INCIDENTS
What if you can see an active attack taking place because of issues you identified
through pen testing and which you are now monitoring as part of your ongoing risk
assessment? The answer lies in a process or workflow called incident response.
Incident response (which is sometimes called incident handling) is the event
management of an attack based on an exploitation of a known or unknown
vulnerability. As a security analyst, however, you should know what an incident
response team (IRT) is and why it exists.
You might wonder why you’d need a specialized team to handle security-related
issues, and the answer is actually very simple: The need is based on containing the
incident. Special training is required, and special procedures must be followed for an
incident to be handled correctly, as these examples show:
Where you are: Location is everything! If you’re local to the attack you can
start to work the issue and can conduct all tests and other actions without fear
of being disconnected from the network. If you’re working on a virtual private
network (VPN) connection or remotely connected to a system over a network,
it may be part of the attack vector and you could become disconnected. Being
local to the system allows you console access directly from the system itself
and in most cases, this can be the most reliable option.
Who you are (that is, what role you have): To be designated an active
member of an IRT, you simply need to be assigned the role. It may be a full-
time role in a larger organization or consulting firms, or in smaller firms you
may be assigned it as a collateral duty. Either way, the responsibility is the
same and understanding your role and the procedures, processes, and plans
are important.
The actual team you’re assigned to needs to train together. There is value in
understanding everyone’s place on the team and how to handle an active incident.
Obviously, you don’t ever want to have to respond to an active attack. Hopefully, you
might be able to prevent it in the first place, and that is why pen testing is so valuable
in the entire security framework and defense in depth. If you’re able to secure
everything properly or identify any weaknesses and fix them (or accept and monitor
them), you solve half the exploit battle.