This is the first article in a six-part tutorial for consultants and value-added resellers (VARs) about penetration testing. Over the course of the six articles we look at several elements of penetration testing, including the test phases, tools and techniques, types of wireless testing and what bugs to look for. In this first article, I give an overview of penetration testing, discuss some legal and ethical implications, and give some pointers on what potential customers look for in a penetration tester.
Penetration testing is a security testing methodology that should be one element of a total security testing strategy that you offer customers. Whether large or small, every business needs to know what their "security posture" is, how secure their network is, and how this posture relates to other companies in the same market space.
A complete security snapshot includes:
- Level I, High-level assessment: A top-down look at the organization's policies, procedures, standards and guidelines. A Level I assessment is not usually hands-on, in that the system's security is not actually tested.
- Level II, Network evaluation: More hands-on than a Level I assessment, a Level II assessment includes some of the Level I activities plus additional information gathering and scanning.
- Level III, Penetration test: A penetration test is not concerned with policies. It's more about taking the adversarial view of a hacker, by seeing what can be accomplished and with what difficulty.
The reason to penetration test is the same as the reason a business has a security policy: to exercise due diligence and due care in protecting its data, and so preserve the company's capital investment.
Several factors have converged in the marketplace to make penetration testing a necessity. The evolution of information technology has focused on ease of use at the operational end, while exponentially increasing the complexity of the computer. Unfortunately, the administration and management requirements of these systems have increased because:
- The skill level required to execute a hacker exploit has steadily decreased.
- The size and complexity of the network environment has mushroomed.
- The number of network and Web-based applications has increased.
- The detrimental impact of a security breach on corporate assets and goodwill is greater than ever.
All of these factors are good selling points when presenting a pen testing project to your customer.
Penetration testing is most commonly carried out within a "black-box" approach; that is, with no prior knowledge of the infrastructure to be tested. At its simplest level, the penetration test process involves three phases:
- Preparation phase - A formal contract is executed containing non-disclosure of the client's data and legal protection for the tester. At a minimum, it also lists the IP addresses to be tested and time to test.
- Execution phase - In this phase the penetration test is executed, with the tester looking for potential vulnerabilities.
- Delivery phase - The results of the evaluation are communicated to the pre-defined organizational contact, and corrective action is advised.
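The preparation phase above fixes the IP addresses and the time window in writing; the execution phase should refuse anything outside them. The following is an added example, not from the original article, of a scope check a testing firm might run before touching any host. The rules-of-engagement record, its addresses and its dates are constructed placeholders.

```python
import ipaddress
from datetime import datetime

# Constructed rules-of-engagement record (hypothetical values for illustration).
ROE = {
    "client": "Example Corp",
    "authorized_by": "CIO (written authorization on file)",
    "targets": ["192.0.2.0/24", "198.51.100.10"],   # contracted address ranges/hosts
    "excluded": ["192.0.2.1"],                      # carved out of scope by the client
    "window_start": "2024-03-04T22:00:00+00:00",    # agreed test window (UTC)
    "window_end": "2024-03-05T06:00:00+00:00",
}


def parse_roe(roe):
    """Turn the written scope into network objects and timezone-aware datetimes."""
    nets = [ipaddress.ip_network(t, strict=False) for t in roe["targets"]]
    excl = [ipaddress.ip_network(t, strict=False) for t in roe["excluded"]]
    start = datetime.fromisoformat(roe["window_start"])
    end = datetime.fromisoformat(roe["window_end"])
    return nets, excl, start, end


def check_target(roe, target, when):
    """Return (allowed, reason) for one host at one moment.

    `when` is an ISO-8601 string or an aware datetime. Exclusions win over
    inclusions, so a carved-out host inside an authorized range is refused.
    """
    nets, excl, start, end = parse_roe(roe)
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    addr = ipaddress.ip_address(target)
    if any(addr in n for n in excl):
        return False, f"{target} is explicitly excluded from scope"
    if not any(addr in n for n in nets):
        return False, f"{target} is not in the authorized target list"
    if not start <= when <= end:
        return False, f"{when.isoformat()} is outside the agreed test window"
    return True, "in scope and within window"


def filter_targets(roe, candidates, when):
    """Split a candidate list into in-scope hosts and refused hosts with reasons."""
    allowed, refused = [], []
    for host in candidates:
        ok, reason = check_target(roe, host, when)
        if ok:
            allowed.append(host)
        else:
            refused.append((host, reason))
    return allowed, refused
```

Logging the refused list alongside the contract gives the delivery phase evidence that the test stayed inside the authorized scope.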
Legal and ethical implications of penetration testing
Attacking a network from the outside carries ethical and legal risk for you, the tester, and remedies and protections must be spelled out in detail before the test is carried out. For example, the Cyber Security Enhancement Act 2002 provides for life sentences for hackers who 'recklessly' endanger the lives of others, and several U.S. statutes address cyber crime.
Statute 1030, Fraud and Related Activity in Connection with Computers, specifically states that whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage or impairs medical treatment, can receive a fine or imprisonment of five to 20 years. Therefore, it's vital that you receive specific written permission to conduct the test from the most senior executive.
While written permission to conduct a pen test helps protect you from risks, your customer also requires protection measures. You must be able to guarantee discretion and non-disclosure of sensitive company information by demonstrating a commitment to the preservation of the company's confidentiality. The designation of red and green data classifications must be discussed before the engagement, to help prevent sensitive data from being re-distributed, deleted, copied, modified or destroyed.
The credibility of your firm as to its ability to conduct the testing without interruption of the customer's business or production is also of paramount concern. You must employ knowledgeable engineers who know how to use minimal bandwidth tools to minimize the test's impact on network traffic.
The ethics of your company and its testers also matter a great deal. Many customers insist that the testing firm not engage any "black-hat" testers (that is, testers who have criminal convictions) and that the testing firm conduct background checks on anyone who will participate in the engagement.
About the author
Russell Dean Vines is a bestselling author, Chief Security Advisor for Gotham Technology Group, LLC, and former President of the RDV Group. His most recent book is The CISSP and CAP Prep Guide, published by John S. Wiley and Sons. As an expert for SearchSecurityChannel.com, Russell welcomes your questions on pen testing and information security threats.