Index

1. Abstract
2. Introduction
3. Reasons to Get a Penetration Test
4. Requirements for a Successful Penetration Test
5. What can be tested?
6. What should be tested?
7. What to Look for in a Penetration Testing Service Provider
8. What to do to ensure the project is a success
9. Types of Penetration Tests
10. Standards and Certification
11. Conclusion

Abstract

The intent of this paper is to show the importance of penetration testing. A penetration test does not guarantee absolute security; it is a measurement of your security posture at one point in time. So, "never have a false sense of security." After reading the paper you will have enough information about penetration tests to select appropriate security policies for your organization. The paper has been kept as simple as possible so that everyone can understand it.

Introduction

What is a Penetration Test?

A penetration test offers an invaluable and compelling way to establish a baseline assessment of security as seen from outside the boundaries of the organization's network. Properly executed penetration tests provide evidence that vulnerabilities do exist and that network penetrations are possible. More importantly, they provide a blueprint for remediation in order to start or enhance a comprehensive information protection strategy.

A penetration test simulates covert and hostile network attack activities in order to identify specific exploitable vulnerabilities and to expose potential entryways to vital or sensitive data that, if discovered and misused by a malicious individual, could pose increased risk and liability to the organization, its executives and shareholders. Qualified security consultants who perform penetration tests attempt to gain access to online assets and company resources through the network, servers and desktops, from either the internal or external perspective, much like an intruder would. The results clearly articulate security issues and recommendations and create a compelling event for the entire management team to support a security program.

Reasons to Get a Penetration Test

Provides a Good Starting Point

Many organizations underestimate how wide open their security exposure is, and overestimate the capacity and resources their internal IT staff can bring to bear on it. A penetration test provides a good first step to understanding current security posture, specifically because it identifies gaps in security and outlines where to apply security technologies and services, so that the organization can develop an action plan to minimize the threat of attack or misuse.

Creates a Compelling Event

How can network administrators and security managers justify a needed increase in the security budget, or make the message heard at the executive level? Well-documented results from a penetration test that expose the susceptibility of customer data, human resources records or even executive e-mail accounts create compelling events that any executive concerned with company finances, liability or reputation needs to know about.

Performs Due Diligence and Independent Audits

Security posture needs to be examined on a regular basis to account for the evolution of new Internet threats. An unbiased security analysis and penetration test can focus internal security resources where they are needed most. In addition, an independent security audit provides evidence of due diligence in a legal context for protecting online assets, limiting C-level liability and/or minimizing potential loss of shareholder value. Such independent audits are rapidly becoming a requirement for obtaining cyber-security insurance.

Protects Against Inter-Connected Partner Risk

Online commerce initiatives require organizations to grant partners, suppliers, B2B exchanges, customers and other trusted connections access into their networks. The entire structure is only as strong as its weakest link: any poorly secured system, left unchecked, poses a dangerous security risk for everyone else connected to it. Many organizations are now requiring that their security vendor audit partners as well, to ensure that all connected entities meet a standard security baseline.

Meets Regulatory Requirements

Regulatory and legislative requirements are making penetration tests a necessity of doing business. Regulations such as HIPAA (Health Insurance Portability and Accountability Act), OCC Bulletin 2014 and Gramm-Leach-Bliley all include security compliance codes.

Offers Validation

As organizations adapt to new business models and technologies, a penetration test provides validation between business initiatives and a security framework that allows for successful implementation at minimal risk. In other words, after an organization establishes its security practices and believes that its infrastructure is secure, a penetration test provides critical validation feedback.

Requirements for a Successful Penetration Test

Penetration tests require certain key elements to be in place in order to ensure useful, timely results. First, they must cover the full range of the threat spectrum, from the presence (or absence) of an antivirus engine, to the presence of malicious code, to vulnerabilities that might enable denial of service and other sophisticated attacks. Second, they must deliver clear, unambiguous results that address both the technical and business objectives of the client. Third, the consultants who perform the tests must follow robust testing methodologies, use software that carries the most up-to-date vulnerability research available, and possess the creative instincts to apply the tools in both typical and unconventional ways. Finally, the experienced technicians who administer the penetration tests must know how to obtain maximum results with minimal disruption to normal business operations.

What can be tested?

All parts of the way that your organisation captures, stores and processes information can be assessed: the systems that the information is stored in, the transmission channels that transport it, and the processes and personnel that manage it. Examples of areas that are commonly tested are:

• Off-the-shelf products (operating systems, applications, databases, networking equipment etc.)
• Bespoke development (dynamic web sites, in-house applications etc.)
• Telephony (war-dialling, remote access etc.)
• Wireless (WiFi, Bluetooth, IR, GSM, RFID etc.)
• Personnel (screening process, social engineering etc.)
• Physical (access controls, dumpster diving etc.)

What should be tested?

Ideally, your organisation should already have conducted a risk assessment, so it will be aware of the main threats (such as communications failure, e-commerce failure, loss of confidential information etc.) and can now use a security assessment to identify any vulnerabilities that are related to these threats. If you have not conducted a risk assessment, it is common to start with the areas of greatest exposure, such as the public-facing systems: web sites, email gateways, remote access platforms etc.

Sometimes the "what" of the process may be dictated by the standards that your organisation is required to comply with. For example, a credit-card handling standard (such as PCI) may require that all the components that store or process cardholder data are assessed.

What to Look for in a Penetration Testing Service Provider

Many companies offer penetration testing services, but the best choice is a provider who focuses on the entire threat spectrum, including well-researched vulnerability and threat intellectual capital and tools. Look for a robust penetration testing methodology, preferably one that provides a multi-layer approach that identifies and leverages small cracks as a springboard to finding major cracks that typical security tools miss. Make sure the final deliverable report provides business value: security recommendations should be based on the client's business objectives and the appropriateness of security measures per exposure. Lastly, use a provider that has a proven track record of finding known and new threats and whose recommendations provide a holistic approach to security.

A final note: think twice before using a penetration testing service provider who merely runs a security audit or scanning tool and delivers a report on that one tool's results. While an individual tool provides some value as a standalone assessment device, it can never replace a human mind creatively applying new methods and techniques to break and bypass standard security systems, much like an intruder would.

What to do to ensure the project is a success

Defining the scope

The scope should be clearly defined, not only in terms of the components to be (or not to be) assessed and the constraints under which testing should be conducted, but also the business and technical objectives. For example, penetration testing may be focused purely on a single application on a single server, or may be more far-reaching, including all hosts attached to a particular network.

Choosing a security partner

Another critical step to ensure that your project is a success is choosing which supplier to use. As an absolute fundamental when choosing a security partner, first eliminate the supplier who provided the systems that will be tested. Using them creates a conflict of interest (will they really tell you that they deployed the systems insecurely, or will they quietly ignore some issues?).

Detailed below are some questions that you might want to ask your potential security partner:

• Is security assessment their core business?
• How long have they been providing security assessment services?
• Do they offer a range of services that can be tailored to your specific needs?
• Are they vendor independent (do they have NDAs with vendors that prevent them passing information to you)?
• Do they perform their own research, or are they dependent on out-of-date information placed in the public domain by others?
• What are their consultants' credentials?
• How experienced is the proposed testing team (how long have they been testing, and what is their background)?
• Do they hold professional certifications, such as PCI, CISSP, CISA and CHECK?
• Are they recognised contributors within the security industry (white papers, advisories, public speaking etc.)?
• Are CVs available for the team that will be working on your project?
• How would the supplier approach the project?
• Do they have a standardised methodology that meets or exceeds the common ones, such as OSSTMM, CHECK and OWASP?
• Can you get access to a sample report to assess the output (is it something you could give to your executives; does it communicate the business issues in a non-technical manner)?
• What is their policy on confidentiality?
• Do they outsource or use contractors?
• Are references available from satisfied customers in the same industry sector?
• Is there a legal agreement that will protect you from negligence on the part of the supplier?
• Does the supplier maintain sufficient insurance cover to protect your organisation?

Types of Penetration Tests

Black box vs. White box

Penetration tests can be conducted in several ways. The most common difference is the amount of knowledge of the implementation details of the system being tested that is available to the testers. Black box testing assumes no prior knowledge of the infrastructure to be tested; the testers must first determine the location and extent of the systems before commencing their analysis. At the other end of the spectrum, white box testing provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code and IP addressing information. There are also several variations in between, often known as grey box tests. Penetration tests can also be described as "full disclosure" (white box), "partial disclosure" (grey box) or "blind" (black box) tests, based on the amount of information provided to the testing party.

The relative merits of these approaches are debated. Black box testing simulates an attack from someone who is unfamiliar with the system. White box testing simulates what might happen during an "inside job" or after a "leak" of sensitive information, where the attacker has access to source code, network layouts and possibly even some passwords.

Denial of Service (DoS) testing

Denial of service testing involves attempting to exploit specific weaknesses on a system by exhausting the target's resources so that it stops responding to legitimate requests. This testing can be performed using automated tools or manually. The different types of DoS can be broadly classified into software exploits and flooding attacks. Decisions regarding the extent of denial of service testing to be incorporated into a penetration testing exercise depend on the relative importance of the ongoing, continued availability of the information systems and related processing activities.
Denial of service can take a number of forms; those that are important to test for are listed below:

• Resource overload – these attacks aim to exhaust a resource (e.g. memory) of the target so that it no longer responds.
• Flood attacks – sending a large volume of network requests with the intention of overwhelming the target. This can be performed via ICMP (Internet Control Message Protocol), known as "smurf" attacks, or via UDP (User Datagram Protocol), known as "fraggle" attacks.
• Half-open SYN attack – partially opening numerous TCP connections on the target (sending SYNs and never completing the handshake), so that legitimate connections cannot be started.
• Out-of-band attacks – these attempt to crash targets by breaking IP header standards:
  o Oversized packets (ping of death) – the fragments reassemble into a datagram larger than the 65,535-byte IP maximum.
  o Fragmentation (teardrop attack) – sends overlapping fragmented packets (pieces of packets) which are under length.
  o IP source address spoofing (land attack) – a SYN whose source address and port equal its destination address and port causes the target to try to open a TCP connection to itself.
  o Malformed UDP packet header (UDP bomb) – the UDP header indicates an incorrect length.
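The patterns above become easy to recognise in traffic once their defining header conditions are written down. The following Python is an added example, not code from the paper: it classifies hand-constructed packet records against the four out-of-band malformations and the half-open SYN pattern. The Packet fields, the threshold of three pending handshakes and the sample addresses are assumptions made for the demonstration, not a real capture format.

```python
"""Classify packet records against the denial-of-service patterns listed above.
Added example, not code from the original paper. The Packet layout, the
half-open threshold and the sample traffic are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

IP_HEADER_LEN = 20        # assumes an IPv4 header without options
IP_MAX_DATAGRAM = 65535   # 16-bit total-length field (RFC 791)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flags, e.g. frozenset({"SYN"})
    frag_id: int = 0                  # IP identification shared by one datagram's fragments
    frag_offset: int = 0              # byte offset of this fragment inside the datagram payload
    more_frags: bool = False          # IP "more fragments" bit
    payload_len: int = 0              # transport bytes actually carried by this packet
    udp_len_field: Optional[int] = None  # value of the UDP length header field, if UDP


def is_land(p: Packet) -> bool:
    """Land attack: a SYN whose source address:port equals its destination address:port."""
    return p.proto == "tcp" and "SYN" in p.flags and p.src == p.dst and p.sport == p.dport


def is_udp_bomb(p: Packet) -> bool:
    """UDP bomb: the UDP length field does not match the 8-byte header plus carried payload."""
    if p.proto != "udp" or p.udp_len_field is None:
        return False
    return p.udp_len_field < 8 or p.udp_len_field != 8 + p.payload_len


def fragment_findings(packets):
    """Group fragments per (src, dst, id); flag oversized reassembly (ping of death)
    and overlapping fragments (teardrop)."""
    groups = defaultdict(list)
    for p in packets:
        if p.more_frags or p.frag_offset > 0:
            groups[(p.src, p.dst, p.frag_id)].append(p)
    findings = []
    for key, frags in groups.items():
        spans = sorted((f.frag_offset, f.frag_offset + f.payload_len) for f in frags)
        if IP_HEADER_LEN + max(end for _, end in spans) > IP_MAX_DATAGRAM:
            findings.append(("ping_of_death", key))
        if any(nxt[0] < prev[1] for prev, nxt in zip(spans, spans[1:])):
            findings.append(("teardrop", key))
    return findings


def half_open_counts(packets, threshold=3):
    """SYN flood indicator: per destination, count SYNs never followed by the client's ACK."""
    pending = defaultdict(set)
    for p in packets:
        if p.proto != "tcp":
            continue
        client = (p.src, p.sport)
        if p.flags == frozenset({"SYN"}):
            pending[p.dst].add(client)
        elif "ACK" in p.flags and "SYN" not in p.flags:
            pending[p.dst].discard(client)
    return {dst: len(c) for dst, c in pending.items() if len(c) >= threshold}


def classify(packets):
    """Run every check; return {label: [offenders]} so a tester sees what the target was hit with."""
    out = defaultdict(list)
    for p in packets:
        if is_land(p):
            out["land"].append((p.src, p.sport))
        if is_udp_bomb(p):
            out["udp_bomb"].append((p.src, p.dst))
    for label, key in fragment_findings(packets):
        out[label].append(key)
    for dst, n in half_open_counts(packets).items():
        out["half_open_syn"].append((dst, n))
    return dict(out)


# Constructed sample traffic (not a real capture): one instance of each pattern.
SYN, ACK = frozenset({"SYN"}), frozenset({"ACK"})
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.5", "tcp", 139, 139, SYN),                             # land
    Packet("10.0.0.7", "10.0.0.9", "udp", 7, 19, payload_len=12, udp_len_field=4),    # udp bomb
    Packet("10.0.0.8", "10.0.0.9", "icmp", frag_id=1, more_frags=True, payload_len=1480),
    Packet("10.0.0.8", "10.0.0.9", "icmp", frag_id=1, frag_offset=65528, payload_len=16),  # ping of death
    Packet("10.0.0.8", "10.0.0.9", "udp", frag_id=2, more_frags=True, payload_len=36),
    Packet("10.0.0.8", "10.0.0.9", "udp", frag_id=2, frag_offset=24, payload_len=4),       # teardrop
    *[Packet(f"10.0.1.{i}", "10.0.0.9", "tcp", 40000 + i, 80, SYN) for i in range(3)],  # half-open
    Packet("10.0.2.1", "10.0.0.9", "tcp", 50000, 80, SYN),                             # completes
    Packet("10.0.2.1", "10.0.0.9", "tcp", 50000, 80, ACK),
]

if __name__ == "__main__":
    for label, hits in classify(SAMPLE).items():
        print(f"{label}: {hits}")
```

The half-open check only credits a handshake as complete when the client's own ACK is seen, which is the behaviour a SYN flood exploits; the fragment check keys on the IP identification field so that a genuine large ICMP datagram split across many fragments is not confused with a teardrop overlap.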
Application security testing

With the growth of e-business, core business functionality is now being offered through Web-based applications. While Internet-facing applications give an organization much needed global customer reach, providing access to partners inside the intranet introduces new security vulnerabilities because, even with a firewall and other monitoring systems, security can be compromised: the application's traffic must be allowed to pass through the firewall. The objective of application security testing is to evaluate the controls over the application (electronic commerce servers, on-line financial applications, distributed applications, and Internet front ends to legacy systems) and its process flow. Topics to be evaluated may include the application's use of encryption to protect the confidentiality and integrity of information, how users are authenticated, the integrity of the Internet user's session with the host application, and the use of cookies (a block of data stored on a customer's computer that is used by the Web server application).

Let's take a look at some important components of application testing:

• Code review: code reviews involve analysing all the application code to ensure that it does not contain any sensitive information that an intruder might use to exploit the application. For example, publicly available application code may include test comments, names or clear-text passwords that give an intruder a great deal of information about the application.
• Authorization testing: this involves testing the systems responsible for the initiation and maintenance of user sessions. It requires testing:
  o Input validation of login fields – bad characters or overlong inputs can produce unpredictable results;
  o Cookie security – cookies can be stolen, and legitimate sessions can then be used by an unauthorised individual; and
  o Lockout testing – testing the timeout and intrusion lockout parameters set in the application, to ensure legitimate sessions cannot be hijacked.
  This is performed to discover whether the login system can be forced into permitting unauthorised access. The testing will also reveal whether the system is susceptible to denial of service attacks using the same techniques (for example, an attacker locking out legitimate users by deliberately triggering the lockout).
• Functionality testing: this involves testing the systems responsible for the application's functionality as presented to a user. It requires testing:
  o Input validation – bad characters, specific URLs or overlong inputs can produce unpredictable results; and
  o Transaction testing – ensuring that the application performs to specification and does not permit the user to abuse the system.

War dialing

War dialling is a technique for systematically calling a range of telephone numbers in an attempt to identify modems, remote access devices and maintenance connections to computers that may exist on an organization's network. Using war dialing tactics, an attacker may be able to locate vulnerable out-of-band entry points into an organization and use them to access the network. IT staff's failure to consider the phone network as a possible primary access point is one of the main factors in the growth of these attacks. For example, leaving open modems on critical network servers, routers and other devices can inadvertently expose an entry point into the organization's network. In this testing, once a modem or other access device has been identified, analysis and exploitation techniques are applied to assess whether the connection can be used to penetrate the organization's information systems network.

Penetration testing for wireless networks

The introduction of wireless networks, whether inside corporate network infrastructure or in homes, introduces additional security exposures that are much more threatening than those of a wired network. Since the only boundary a wireless network knows is the reach of its signal, it is easy for attackers to identify wireless networks simply by driving or walking around office buildings with wireless network equipment; this technique is known as "war driving". Once an open wireless access point is found, the war driver usually maps it, so that in the end he has a map of access points with their properties (SSID, WEP, MAC address etc.). The goal of wireless network testing is to identify security gaps or flaws in the design, implementation or operation of the organization's wireless network.
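The authorization checks described under application security testing (login input validation, lockout parameters and cookie/session handling) translate directly into probes a tester can script. The following Python is an added example, not the paper's code: it builds a small in-memory login service as a stand-in target and then runs the three probes against it. The service, its limits (64-character usernames, five failures before a 15-minute lockout, 30-minute sessions), the FakeClock and the "alice" account are constructed assumptions; against a real application only the probe functions would be kept and pointed at the login form.

```python
"""Probes for the authorization checks above: login input validation, lockout
parameters, and cookie/session handling. Added example, not code from the original
paper; LoginService is a constructed stand-in for the application under test."""
import hmac
import secrets
import string
from hashlib import sha256

MAX_USERNAME = 64                 # assumed limits of the target application
MAX_PASSWORD = 128
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
SESSION_TTL = 30 * 60
USERNAME_CHARS = set(string.ascii_letters + string.digits + "._@-")


class FakeClock:
    """Controllable time source so the probes can fast-forward lockouts and timeouts."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginService:
    """Constructed target: validates fields, enforces lockout, issues session cookies."""
    def __init__(self, users, clock):
        self.clock = clock
        self.users = {u: self._hash(pw) for u, pw in users.items()}
        self.failures = {}   # user -> (count, locked_until)
        self.sessions = {}   # token -> (user, expires_at)

    @staticmethod
    def _hash(password):
        # Demo only: a real service must use a salted, slow KDF (bcrypt, scrypt, Argon2).
        return sha256(b"demo-salt:" + password.encode()).hexdigest()

    def login(self, user, password):
        # Usernames are limited to a safe charset; passwords are only length-bounded,
        # since they are hashed rather than interpreted.
        if not (0 < len(user) <= MAX_USERNAME and set(user) <= USERNAME_CHARS
                and 0 < len(password) <= MAX_PASSWORD):
            return {"ok": False, "reason": "invalid_input"}
        count, locked_until = self.failures.get(user, (0, 0.0))
        now = self.clock()
        if now < locked_until:
            return {"ok": False, "reason": "locked"}
        expected = self.users.get(user)
        if expected is None or not hmac.compare_digest(expected, self._hash(password)):
            count += 1
            locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
            self.failures[user] = (count, locked_until)
            return {"ok": False, "reason": "locked" if locked_until else "bad_credentials"}
        self.failures.pop(user, None)
        token = secrets.token_urlsafe(32)   # fresh token on every login: no session fixation
        self.sessions[token] = (user, now + SESSION_TTL)
        return {"ok": True, "cookie": f"session={token}; HttpOnly; Secure; SameSite=Strict"}

    def whoami(self, token):
        entry = self.sessions.get(token)
        if entry is None or self.clock() > entry[1]:
            self.sessions.pop(token, None)
            return None
        return entry[0]


def probe_input_validation(svc):
    """Overlong and bad-character login fields must be rejected before reaching the backend."""
    overlong = svc.login("a" * (MAX_USERNAME + 1), "x")["reason"] == "invalid_input"
    bad_chars = svc.login("admin' OR '1'='1", "x")["reason"] == "invalid_input"
    return overlong and bad_chars


def probe_lockout(svc, user, password, clock):
    """Repeated failures must lock the account, and the lockout must expire rather than
    leave a legitimate user permanently denied (the DoS angle of lockout testing)."""
    reasons = [svc.login(user, "wrong-guess")["reason"] for _ in range(MAX_FAILURES + 1)]
    locked = reasons[-1] == "locked" and "locked" not in reasons[:MAX_FAILURES - 1]
    clock.advance(LOCKOUT_SECONDS + 1)
    recovered = svc.login(user, password)["ok"]
    return locked and recovered


def probe_session(svc, user, password, clock):
    """The cookie must carry HttpOnly/Secure/SameSite, and the session must die after SESSION_TTL."""
    cookie = svc.login(user, password)["cookie"]
    token = cookie.split(";")[0].split("=", 1)[1]
    flags_ok = all(flag in cookie for flag in ("HttpOnly", "Secure", "SameSite"))
    alive = svc.whoami(token) == user
    clock.advance(SESSION_TTL + 1)
    return flags_ok and alive and svc.whoami(token) is None


def run_probes():
    """Build the constructed target with one sample account and run all three probes."""
    clock = FakeClock()
    svc = LoginService({"alice": "correct-horse-battery"}, clock)
    return {
        "input_validation": probe_input_validation(svc),
        "lockout": probe_lockout(svc, "alice", "correct-horse-battery", clock),
        "session": probe_session(svc, "alice", "correct-horse-battery", clock),
    }


if __name__ == "__main__":
    print(run_probes())
```

A probe result of False on any key is a finding to write up: an application that accepts the overlong or quoted username has no input validation in front of its authentication backend, one that never reports "locked" has no lockout, and one whose cookie lacks the flags or whose session survives the timeout has the cookie-security weakness the text describes.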
Standards and Certification

CREST (Council of Registered Ethical Security Testers) is a non-profit association created to provide recognised standards and professionalism for the penetration testing industry. For organisations, CREST provides a provable validation of security testing methodologies and practices, aiding with client engagement and procurement processes and proving that the member company is able to provide testing services to the CREST standard. Three certifications are currently offered: the CREST Registered Tester and two CREST Certified Tester qualifications, one for infrastructure and one for web application testing.

The Tiger Scheme offers two certifications: Qualified Security Tester (QST) and Senior Security Tester (SST). The SST is technically equivalent to CHECK Team Leader and the QST to CHECK Team Member. Tiger Scheme certifies the individual, not the company.

The International Council of E-Commerce Consultants (EC-Council) certifies individuals in various e-business and information security skills. These include the Certified Ethical Hacker course, the Computer Hacking Forensics Investigator program, the Licensed Penetration Tester program and various other programs, which are widely available worldwide.

The Information Assurance Certification Review Board (IACRB) manages a penetration testing certification known as the Certified Penetration Tester (CPT). The CPT requires that the exam candidate pass a traditional multiple-choice exam, as well as a practical exam that requires the candidate to perform a penetration test against live servers.

SANS provides a wide range of computer security training leading to a number of SANS qualifications. In 1999, SANS founded GIAC, the Global Information Assurance Certification, which according to SANS has been undertaken by over 20,000 members to date. Two of the GIAC certifications are penetration testing specific: the GIAC Certified Penetration Tester (GPEN) certification and the GIAC Web Application Penetration Tester (GWAPT) certification.

Government-backed testing also exists in the US, with standards such as the NSA Infrastructure Evaluation Methodology (IEM).

For web applications, the Open Web Application Security Project (OWASP) provides a framework of recommendations that can be used as a benchmark.

Conclusion

Security is a continuum, not an absolute. The value of penetration testing lies in its results: the ones that answer the big question "why?". A successful penetration test indicates more than a particular flaw; it identifies the process failures that produced the vulnerability in the first place. Fixing or patching the vulnerability detected does not mean an end to your security worries or nightmares; it is just the beginning of a never-ending cycle.
A penetration test from a trusted provider offers an excellent means by which an organization can baseline its current security posture, identify threats and weaknesses, and start implementing remediation strategies. By identifying risk exposures and highlighting what resources are needed to correct them, penetration tests provide not only the basis for a security action plan, but also the compelling events, due diligence and partner interface protocols necessary to establish information security as a key corporate initiative.