Pen testing: How to ensure effective testing
- Article 11 of 33
- SC Magazine, August 2007
Finding potential weaknesses in your systems before someone else does can save you a lot of trouble. Just follow Rob Buckley's top tips.
What do all companies that have ever hit the headlines over an IT security breach have in common? They all thought they were safe. Yet these break-ins happened. Penetration, or “pen”, testing is designed to see just how closely self-image and reality match by trying to break an organisation's security.
In IT circles, this usually means attempting to hack into network security and systems, but some organisations also employ physical and social engineering penetration testers to see how easy it is to get people to give away passwords or let unchecked workmen into vulnerable server rooms.
1. Know what you want to defend against
How a pen test is conducted depends on the client, the circumstances, the organisation and the sector in which it operates. Before hiring someone, you need to decide what types of threat you want to defend against.
You may just want to know how resistant to attack a new system is, or whether its installation has weakened the security of other elements, and invite the pen tester to probe the new infrastructure and the systems it connects to. This can be relatively cheap and straightforward.
2. Black, white or grey?
You might want to see how a random internet marauder would fare against your defences, and what they could find out about your network. For this potentially more expensive “black-box” test, you give the pen tester a URL or a range of IP addresses and a time limit, and see what they can do.
Or you may be more worried about a current or ex-employee who knows your network intimately. With a “white-box”-style probe, you would bring the pen tester in-house and tell them everything about the infrastructure, maybe even giving them passwords to see what problems might exist if an employee were to try to gain access to systems for which they are not authorised.
“Grey box” tests mix these two approaches. “A commissioning company has to have a clear idea of what it wants,” says Paul Vlissidis, technical director of NCC Group. “If they say: 'Can you just test our internal network?' and they've got 2,000 servers, it will take forever if they want a thorough test. But if you know the servers are all the same build, you can just do a sample of ten, for example, and they can learn how to make the build more secure.”
3. It's all down to infrastructure
Basic pen tests will usually try to expose vulnerabilities in systems caused by poor patching, bad password choices, open ports, incorrect configuration and other common known vulnerabilities. More advanced or focused tests might home in on particular areas, such as specific applications, custom programs, code testing or SQL injection to try to extract database contents. The infrastructure in your company will determine what kinds of tests might be needed. If your organisation is old and large, you might still have open phone lines that could be vulnerable to war dialling, while wireless networks (whether authorised or not) might be susceptible to war driving.
Even the most innocuous of systems can have vulnerabilities. “There was one company we tested where the servers were well locked down and patched,” recalls Shaun Bligh-Wall, technical architect at Vistorm. “But there was a flaw in their backup software that could be exploited to give access to the full system. The administrators hadn't even realised there was an issue.”
4. Is it for you?
Choosing when or whether to bring in a pen-testing specialist is typically decided by risk or change management policies. Regulations, due diligence, the size of company, the number of web-facing systems, the organisation's dependency on those systems for its business, the budget available, the cost of a potential breach and other factors will all influence the decision.
“It very much depends on the client and their requirements whether we recommend pen testing,” says Lee Newcombe, a consultant at CapGemini and a former pen tester. More often he will recommend a vulnerability assessment that covers a wider range of issues, if not in as much detail.
