Rob Buckley – Freelance Journalist and Editor

Pen testing: Access denied


How can you be sure your security works unless someone tried to crack it - and failed? Rob Buckley delves into the world of penetration testing.


There's not an office in the land that doesn't hear the klaxon of a fire alarm once a week. It's not because fires keep breaking out; it's because all safety equipment needs testing regularly. Yet, many organisations install security technology and never check that it is doing what it's supposed to.

Penetration, or 'pen', testing is becoming more important as auditors and external partners increasingly expect proof of security rather than just installation of systems. Mastercard and Visa, for example, require all retailers using their systems to conform to the Payment Card Industry set of security criteria.

For many years, pen testing has involved scanning a range of IP addresses to see which services were running on that network; the testers would then try to hack those services to gain access to privileged information.

However, with the advent of firewalls and other security technologies, as well as the conversion of services to web-based systems, pen testing methods have had to evolve, too.

Many testing companies now offer an internal attempt to hack into clients' systems in addition to an external check of web applications.

“For the past couple of years, web attacks have been the only things that still work externally,” says Richard Brain, technical director of ProCheckUp.

His company uses a combination of manual and automated techniques to find holes in web-facing applications.

Frequently, tests manage to uncover undocumented flaws in commercial software. And, in Brain's experience, SQL injection techniques are responsible for between 45% and 60% of the weaknesses his people find.

Testing a complicated web application properly takes about half a day, he estimates. This makes it difficult to spot all possible vulnerabilities.

Brain recalls his company being called in by one large US corporation after several pen testing firms had failed to explain how hackers had broken in. ProCheckUp found the flaw in that most unlikely of places, the “Contact us” page.
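To make the kind of flaw Brain describes concrete, here is an added example (not code from the article or from ProCheckUp) of a contact-page lookup written two ways: the vulnerable form, which pastes the visitor's input into the SQL text, and the fixed form, which binds it as a parameter. The table, its rows and the department names are constructed for the demonstration; the check at the end is the comparison a tester makes, running a normal input and a quote-bearing input through both versions.

```python
import sqlite3

# Constructed sample data standing in for a site's contact directory (not from the article).
# internal_only = 1 marks entries the public "Contact us" page must never reveal.
SAMPLE_CONTACTS = [
    ("sales", "sales@example.invalid", 0),
    ("press", "press@example.invalid", 0),
    ("security-oncall", "oncall@example.invalid", 1),
]


def build_db():
    """Create an in-memory database holding the constructed contact directory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (dept TEXT, email TEXT, internal_only INTEGER)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", SAMPLE_CONTACTS)
    return conn


def lookup_vulnerable(conn, dept):
    """The flaw: the visitor's input becomes part of the SQL statement itself,
    so a quote in the input can change the query's logic, including the
    internal_only filter that is meant to hide private entries."""
    sql = ("SELECT dept, email FROM contacts "
           "WHERE internal_only = 0 AND dept = '" + dept + "'")
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, dept):
    """The fix: a bound parameter, so the input is only ever compared as a value
    and the statement's logic is fixed at the time it is written."""
    sql = "SELECT dept, email FROM contacts WHERE internal_only = 0 AND dept = ?"
    return conn.execute(sql, (dept,)).fetchall()


def compare(dept):
    """Run one input through both versions and return the row counts, which is
    the simplest signal a tester looks for: the two should always agree."""
    conn = build_db()
    return {"vulnerable": len(lookup_vulnerable(conn, dept)),
            "fixed": len(lookup_fixed(conn, dept))}


if __name__ == "__main__":
    # A normal input gives the same answer either way; a quote-bearing input does not.
    print(compare("sales"))           # {'vulnerable': 1, 'fixed': 1}
    print(compare("x' OR '1'='1"))    # {'vulnerable': 3, 'fixed': 0}
```

The vulnerable version returns every row, including the internal-only entry, because the input rewrote the WHERE clause; the parameterised version returns nothing, because no department is literally named that way.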

