Penetration testing

Hacking for the good of the company.

Penetration testing, sometimes referred to as ethical hacking or an IT health check, is a method of obtaining independent assurance that the security controls implemented in a system are actually doing their job: a tester attempts to break in the way an attacker would, and reports what they could and could not achieve.

The term ‘pen test’ is often used as an abbreviated way of referring to a penetration test, especially in the security community.

External companies often carry out pen testing because full-time specialists are not available in the organisation. Pen test teams perform vulnerability analysis of the networks and system components, looking for weaknesses that could allow an attacker through the defences. They will then attempt to exploit those weaknesses, within the agreed rules, to prove that the vulnerability is real and to show what impact it would have.

CREST (the Council of Registered Ethical Security Testers) and Tigerscheme are organisations approved by UKAS (the UK Accreditation Service) to provide accreditation and certification for the technical information security market.

Typical questions the pen testing team will ask include:

  • Is all the software patched and up to date? Many vulnerabilities are simply the result of a published fix not having been installed.
  • Is everything securely configured? Default and vendor accounts should be removed or disabled, and strong passwords enforced.
  • Are unnecessary services still running? Every extra service is attack surface; an open file share on a web server, for example, could be misused.
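The three questions above are easiest to understand as checks run over a host inventory. The following is an added example, not code from the course, and all of its data is constructed: the package versions, the "minimum patched version" table, the default-account list and the listening services are illustrative, not taken from any real advisory feed or scanner.

```python
import re
from dataclasses import dataclass


@dataclass
class HostInventory:
    """What an authenticated scan or a build review typically gives the tester."""
    hostname: str
    role: str             # constructed role label, e.g. "web"
    packages: dict        # package name -> installed version string
    accounts: list        # local account names present on the host
    listening: list       # (port, service-name) pairs found listening


# Constructed baseline: lowest version of each package that carries the fixes
# the engagement cares about. On a real test this comes from vendor advisories
# or the scanner's plugin feed, not a hand-written table.
MIN_PATCHED = {"openssh": (9, 3), "nginx": (1, 24, 0)}

# Constructed list of default or vendor accounts that a hardened build removes.
DEFAULT_ACCOUNTS = {"admin", "guest", "test", "oracle", "tomcat"}

# Constructed expectation of the services each role legitimately exposes.
EXPECTED_SERVICES = {"web": {"ssh", "http", "https"}}


def parse_version(s: str) -> tuple:
    """Reduce '9.2p1-2' or '1.24.0-2ubuntu1' to a numeric tuple for comparison.
    The distribution revision after '-' and any letters inside a component are
    dropped, so only the upstream version is compared."""
    core = s.split("-")[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if m:
            parts.append(int(m.group()))
    return tuple(parts)


def review_host(host: HostInventory) -> list:
    """Apply the three questions to one host; returns (category, detail) pairs."""
    findings = []

    # Is all the software patched? Compare each package against the baseline.
    for name, installed in host.packages.items():
        minimum = MIN_PATCHED.get(name)
        if minimum and parse_version(installed) < minimum:
            baseline = ".".join(str(n) for n in minimum)
            findings.append(("patching",
                             f"{name} {installed} is below the patched baseline {baseline}"))

    # Is everything securely configured? Look for default accounts left in place.
    for account in host.accounts:
        if account.lower() in DEFAULT_ACCOUNTS:
            findings.append(("configuration",
                             f"default account '{account}' is still present"))

    # Are unnecessary services still running? Anything outside the role's
    # expected set is a candidate for removal or firewalling.
    expected = EXPECTED_SERVICES.get(host.role, set())
    for port, service in host.listening:
        if service not in expected:
            findings.append(("services",
                             f"{service} on port {port} is not needed for the '{host.role}' role"))
    return findings


# Constructed inventory for a single web server; none of this is real data.
SAMPLE_HOST = HostInventory(
    hostname="web01.example.test",
    role="web",
    packages={"openssh": "9.2p1-2", "nginx": "1.24.0-2ubuntu1"},
    accounts=["root", "www-data", "deploy", "admin"],
    listening=[(22, "ssh"), (443, "https"), (445, "smb")],
)

if __name__ == "__main__":
    for category, detail in review_host(SAMPLE_HOST):
        print(f"[{category}] {SAMPLE_HOST.hostname}: {detail}")
```

Run against the constructed host this reports one finding per question: an out-of-date OpenSSH, a lingering `admin` account, and SMB listening on a web server. One caveat a tester should keep in mind: several distributions backport security fixes without changing the upstream version number, so a comparison on version strings alone produces false positives; an authenticated scan that reads the package's own patch level or changelog is more reliable than this simplified check.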

There are many other issues that pen testing might detect, including whether a denial-of-service attack would be effective. Testing that, however, can disrupt a live service, so it and similar high-impact activities must be agreed in advance. This is why it is important to complete a rigorous pen test scope.

[Figure: flow diagram of the items a pen test scope covers, in order: systems and applications in scope; areas out of scope; DoS permission or ban; permission to exploit vulnerabilities; permission to conduct social engineering attacks; tools and techniques; reporting requirements.]

Figure 1: The phases of penetration testing

Pen test scope

It is imperative that you perform a thorough pen test scope and that all parties are clear on the limits of the test to avoid unnecessary disruption. Good scoping is granular, cost-effective, and focused.

Before a pen test is commissioned, the external testing company will need to sign a non-disclosure agreement. They will be familiar with this process and are likely to have their own documents for both parties to sign.

The following items should be defined in the pen testing scoping document:

  • The systems and applications that are in scope.
  • Any areas that are out of scope.
  • Permission for, or explicit banning of, attempts to perform denial-of-service attacks.
  • Whether the third party is permitted to exploit vulnerabilities.
  • Whether social engineering attacks are allowed.
  • The tools and techniques to be used.
  • Reporting requirements.

A common approach is to ask the pen test team not to exploit any vulnerabilities without express permission. Although most pen testing tends to be technical, it is possible to ask the testers to conduct social engineering attacks as part of the exercise, for example phoning the service desk to try to acquire a password.
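A scoping document is only useful if the testers' tooling actually consults it before each action. The following is an added example, not code from the course or from any testing company, of turning the items above into a rules-of-engagement check: exclusions override inclusions, actions the document does not cover are refused, and exploitation, denial of service and social engineering each need their own express permission. The addresses, hostnames and permission values in `SAMPLE_SCOPE` are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    """The agreed scoping document, reduced to what tooling needs to consult."""
    in_scope: tuple                   # CIDR ranges, hostnames or named targets
    out_of_scope: tuple               # same forms; these always win
    exploit_allowed: bool             # may vulnerabilities be exploited?
    dos_allowed: bool                 # may denial of service be attempted?
    social_engineering_allowed: bool  # may people be targeted, e.g. the service desk?


# Map each kind of action to the permission flag that governs it.
# Scanning is the baseline activity, so it needs no extra permission.
ACTION_FLAGS = {
    "scan": None,
    "exploit": "exploit_allowed",
    "dos": "dos_allowed",
    "social_engineering": "social_engineering_allowed",
}


def _matches(target: str, entry: str) -> bool:
    """True if target (an IP address or a name) falls within a scope entry
    (a CIDR range, or an exact name compared case-insensitively)."""
    try:
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return target.lower() == entry.lower()   # entry is a name, not a range
    try:
        return ipaddress.ip_address(target) in network
    except ValueError:
        return False                             # a name never matches a range


def check(scope: Scope, target: str, action: str) -> tuple:
    """Return (permitted, reason). Unknown actions are refused, exclusions
    override inclusions, and the action's permission flag is checked last."""
    if action not in ACTION_FLAGS:
        return False, f"'{action}' is not an action the scoping document covers"
    if any(_matches(target, e) for e in scope.out_of_scope):
        return False, f"{target} is explicitly out of scope"
    if not any(_matches(target, e) for e in scope.in_scope):
        return False, f"{target} is not listed as in scope"
    flag = ACTION_FLAGS[action]
    if flag is not None and not getattr(scope, flag):
        return False, f"{action} requires express permission, which this scope does not grant"
    return True, "permitted"


# Constructed scope for illustration: one /24, one application hostname and
# the service desk are in scope; the host at .10 is carved out; exploitation
# and DoS need express permission, social engineering is allowed.
SAMPLE_SCOPE = Scope(
    in_scope=("203.0.113.0/24", "app.example.test", "service desk"),
    out_of_scope=("203.0.113.10/32",),
    exploit_allowed=False,
    dos_allowed=False,
    social_engineering_allowed=True,
)

if __name__ == "__main__":
    for target, action in [("203.0.113.20", "scan"), ("203.0.113.10", "scan"),
                           ("203.0.113.20", "exploit"), ("service desk", "social_engineering")]:
        print(target, action, check(SAMPLE_SCOPE, target, action))
```

Note that a hostname entry is matched by name only; if the testers resolve `app.example.test` and attack the address, the resolved address must be checked against the ranges as well, otherwise a name that points at an excluded host would slip past the carve-out.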

The content and structure of the testing reports should be agreed, as well as the timescales for delivery. If a critical vulnerability is identified, it should be raised immediately, rather than waiting for the formal report to be issued.

Security documentation

Security documentation refers to policies, standards, and procedures, as well as design documentation, audit reports, and compliance matrices.

When implementing secure system documentation, consideration should be given to:

  • secure storage.
  • keeping the access list short, with each entry authorised by the application owner.
  • where the documentation must be reachable over a public network, making it available only behind appropriate access protection.

In government departments this means granting access to documentation on a 'need to know' basis, applying the principle of least privilege, in order to maintain confidentiality.

As you have seen, in the area of IT infrastructure a services focus, efficiency, and clearly defined goals are even more important than usual. These are essential for punctual, robust, and cost-effective results that avoid wasteful rework.


In this course on IT infrastructure security, we will be looking at the SD3 framework (secure by design, secure by default, secure in deployment) and at some modern development approaches that seek to build security into development right from the beginning. You will also look at detection and testing in some detail.

About the Author

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.