Rob Buckley – Freelance Journalist and Editor

Pen testing: Access denied

How can you be sure your security works unless someone tried to crack it - and failed? Rob Buckley delves into the world of penetration testing.

An internal test typically involves one of two scenarios: a hacker with no knowledge of systems; or a disgruntled employee with some degree of expertise. “Either way, we'll go in with the full toolbox,” says Dave Beesley, managing director of Network Defence. “We'll have virtualised Linux running on laptops, packet analysers, network capture devices, network sniffing tools ... We'll collect data with the sniffing tools, find out what services are running and look for vulnerabilities that will enable us to gain access and escalate privileges.”

Internal tests such as these will usually reveal flaws, with Beesley estimating that nine out of ten organisations will have at least minor holes in their security. “Often though, they're low risk. For example, there may be a service open with no exploit code available.” However, one in three tests tends to reveal a severe flaw.

The NCC Group, along with a few other pen testers, goes further, using social engineering techniques to gain access to systems. This may involve ringing staff while pretending to be radio producers or claiming to be telephone maintenance personnel to get physical access to the building. “We ask how far we're allowed to go beforehand, and we ensure we don't leave the client less secure than when we started,” says Paul Vlissidis, the company's head of security testing.

Peace of mind - at a price

Depending on the client, a pen test may consist of a blanket check-up of all systems, or of a specific application or group of applications that needs testing. Since pen testing can run to £1,000 or more a day, and a moderately sized network takes five days on average, most clients will go for a blanket check-up the first time, with only specific systems given regular check-ups later on. These later check-ups may be carried out by a different pen tester, just to ensure that the original contractors didn't miss anything.

The ultimate test of pen testers themselves is whether they can find every single flaw and stop anyone breaking in. This requires a combination of resources and training. Ian Reece, S3 manager at Integralis, says his company's pen testers attend the same conferences as black-hat hackers, subscribe to security mailing lists and have access to whatever machines and systems they need.

Certification options

The Certified Ethical Hacker Certification, designed by the International Council of E-Commerce Consultants, is one way of training and certifying pen testers. It is available to organisations through companies such as The Training Camp.

However, not everyone's a fan. “All it does is certify you can do a hack,” Reece says. “But you could be anybody. It's no test of identity.” This proof of identity is important to many clients. Although there is frequently an image of the “poacher turned gamekeeper” attached to pen testers, few clients or testing companies are willing to trust those who were once on the wrong side of the law.

“I trust the firms that have always had a strong ethical focus,” says Stuart Okin, associate partner at Accenture's security practice. “It's down to personal choice, but if a client asked me to recommend a firm, I'd go for those that have always been on the 'white-hat' side.”
