White Paper on Penetration Testing by PatelTiLAK


1. Abstract
2. Introduction
3. Reasons to Get a Penetration Test
4. Requirements for a Successful Penetration Test
5. What can be tested?
6. What should be tested?
7. What to Look for in a Penetration Testing Service Provider
8. What to do to ensure the project is a success
9. Types of Penetration Tests
10. Standards and Certification
11. Conclusion






Abstract

The intent of this paper is to explain the importance of penetration testing.

A penetration test does not guarantee absolute security – it is just a
measurement of your security posture. So, "never have a false sense of

After going through the paper, you will have enough information about
penetration tests and you will be able to select proper security policies for
your organization.

The paper has been kept as simple as possible so that everyone can understand
it well.


Introduction

What is a Penetration Test?

A penetration test offers an invaluable and compelling way to establish a
baseline assessment of security as seen from outside the boundaries of the
organization's network. Properly executed penetration tests provide evidence
that vulnerabilities do exist and that network penetrations are possible. More
importantly, they provide a blueprint for remediation in order to start or
enhance a comprehensive information protection strategy.

A penetration test simulates covert and hostile network attack activities in
order to identify specific exploitable vulnerabilities and to expose potential
entryways to vital or sensitive data that, if discovered and misused by a
malicious individual, could pose increased risk and liability to the
organization, its executives and shareholders. Qualified security consultants
who perform penetration tests attempt to gain access to online assets and
company resources through the network, servers and desktops, from either the
internal or external perspective, much like an intruder would. These results
clearly articulate security issues and recommendations and create a compelling
event for the entire management team to support a security program.

Reasons to Get a Penetration Test

Provides a Good Starting Point

Many organizations underestimate how wide open their security exposure is, and
overestimate the capacity and resources their internal IT staff can utilize to
address it. A penetration test provides a good first step to understanding
current security posture, specifically because it identifies gaps in security
and outlines where to apply security technologies and services so that the
organization can develop an action plan to minimize the threat of attack or
misuse.

Creates a Compelling Event

How can network administrators and security managers justify a needed increase
in the security budget or make the security message heard at the executive
level? Well-documented results from a penetration test that expose the
susceptibility of customer data, human resources records or even executive
e-mail accounts create compelling events that any executive concerned with
company finances, liability or reputation needs to know about.

Performs Due Diligence and Independent Audits

Security posture needs to be examined on a regular basis to account for the
evolution of new Internet threats. An unbiased security analysis and
penetration test can focus internal security resources where they are needed
most. In addition, an independent security audit provides evidence of due
diligence in a legal context for protecting online assets, limiting C-level
liability and/or minimizing potential loss of shareholder value. These
independent audits are rapidly becoming a requirement for obtaining
cyber-security insurance.

Meets Regulatory Requirements

Regulatory and legislative requirements are making penetration tests a
necessity of doing business. Regulations such as HIPAA (Health Insurance
Portability and Accountability Act), OCC Bulletin 2014, and Gramm-Leach-Bliley
all include security compliance codes.

Protects Against Inter-Connected Partner Risk

Online commerce initiatives require organizations to grant partners, suppliers,
B2B exchanges, customers and other trusted connections access into their
networks. The entire structure is only as strong as its weakest link. Any
poorly secured system, left unchecked, poses dangerous security risks for
everyone else. Many organizations are now requiring that their security vendor
provide security audits of partners to ensure that all connected entities have
a standard baseline for security.

Offers Validation

As organizations adapt to new business models and technologies, a penetration
test provides validation between business initiatives and a security framework
that allows for successful implementation at minimal risk. In other words,
after an organization establishes its security practices and believes that its
infrastructure is secure, a penetration test provides critical validation


Requirements for a Successful Penetration Test

Penetration tests require certain key elements to be in place in order to
ensure useful, timely results. First, they must cover the full range of the
threat spectrum, from the presence of an antivirus engine to the presence of
malicious code to vulnerabilities that might enable denial of service and
other sophisticated attacks. Second, they must deliver clear, unambiguous
results that address both the technical and business objectives of the
client. Third, the consultants who perform the tests must follow robust
testing methodologies, use software that carries the most up-to-date
vulnerability research available, and possess the creative instincts to
manipulate the tools in both typical and unconventional ways. Finally, the
experienced technicians who administer the penetration tests must know how to
gain maximum results with minimal disruption to normal business operations.

What can be tested?

All parts of the way that your organisation captures, stores and processes
information can be assessed: the systems that the information is stored in,
the transmission channels that transport it, and the processes and personnel
that manage it. Examples of areas that are commonly tested are:

   •   Off-the-shelf products (operating systems, applications, databases,
       networking equipment etc.)
   •   Bespoke development (dynamic web sites, in-house applications etc.)
   •   Telephony (war-dialling, remote access etc.)
   •   Wireless (WiFi, Bluetooth, IR, GSM, RFID etc.)
   •   Personnel (screening process, social engineering etc.)
   •   Physical (access controls, dumpster diving etc.)

What should be tested?

Ideally, your organisation should have already conducted a risk assessment, so
it will be aware of the main threats (such as communications failure,
e-commerce failure, loss of confidential information etc.), and can now use a
security assessment to identify any vulnerabilities that are related to these
threats. If you haven't conducted a risk assessment, then it is common to
start with the areas of greatest exposure, such as the public-facing systems:
web sites, email gateways, remote access platforms etc.

Sometimes the 'what' of the process may be dictated by the standards that your
organisation is required to comply with. For example, a credit-card handling
standard (like PCI) may require that all the components that store or process
card-holder data are assessed.

What to Look for in a Penetration Testing Service Provider

Many companies offer penetration testing services, but the best choice is a
provider who focuses on the entire threat spectrum, including highly
researched vulnerability and threat intellectual capital and tools. Look for a
robust penetration testing methodology, preferably one that provides a
multi-layer approach that identifies and leverages small cracks that
springboard into identifying major cracks not found by typical security
tools. Make sure the final deliverable report provides business value, as
security recommendations should be based on the client's business objectives
and the appropriateness of security measures per exposure. Lastly, use a
provider that has a proven track record of finding known and new threats and
whose recommendations provide a holistic approach to security. A final note:
reconsider before using a penetration testing service provider who merely runs
a security audit or scanning tool and delivers a report on that one tool's
results. While an individual tool provides some value as a standalone
assessment device, it can never replace the human mind creatively applying
new methods and techniques to break and bypass standard security systems,
much like an intruder would.

What to do to ensure the project is a success

Defining the scope

The scope should be clearly defined, not only in the context of the components
to be (or not to be) assessed and the constraints under which testing should
be conducted, but also the business and technical objectives. For example,
penetration testing may be focused purely on a single application on a single
server, or may be more far-reaching, including all hosts attached to a
particular network.

Choosing a security partner

Another critical step to ensure that your project is a success is choosing
which supplier to use.

As an absolute fundamental when choosing a security partner, first eliminate
the supplier who provided the systems that will be tested. To use them will
create a conflict of interest (will they really tell you that they deployed
the systems insecurely, or will they quietly ignore some issues?).

Detailed below are some questions that you might want to ask your potential
security partner:

   •   Is security assessment their core business?
   •   How long have they been providing security assessment services?
   •   Do they offer a range of services that can be tailored to your specific
       needs?
   •   Are they vendor independent (do they have NDAs with vendors that
       prevent them passing information to you)?
   •   Do they perform their own research, or are they dependent on
       out-of-date information that is placed in the public domain by others?
   •   What are their consultants' credentials?
   •   How experienced is the proposed testing team (how long have they been
       testing, and what is their background and age)?
   •   Do they hold professional certifications, such as PCI, CISSP, CISA and
       CHECK?
   •   Are they recognised contributors within the security industry (white
       papers, advisories, public speaking etc.)?
   •   Are CVs available for the team that will be working on your project?
   •   How would the supplier approach the project?
   •   Do they have a standardised methodology that meets and exceeds the
       common ones, such as OSSTMM, CHECK and OWASP?
   •   Can you get access to a sample report to assess the output (is it
       something you could give to your executives; do they communicate the
       business issues in a non-technical manner)?
   •   What is their policy on confidentiality?
   •   Do they outsource or use contractors?
   •   Are references available from satisfied customers in the same industry
       sector?
   •   Is there a legal agreement that will protect you from negligence on the
       part of the supplier?
   •   Does the supplier maintain sufficient insurance cover to protect your
       organisation?

Types of Penetration Tests

Black box vs. White box

Penetration tests can be conducted in several ways. The most common difference
is the amount of knowledge of the implementation details of the system being
tested that is available to the testers. Black box testing assumes no prior
knowledge of the infrastructure to be tested. The testers must first determine
the location and extent of the systems before commencing their analysis. At
the other end of the spectrum, white box testing provides the testers with
complete knowledge of the infrastructure to be tested, often including network
diagrams, source code, and IP addressing information. There are also several
variations in between, often known as grey box tests. Penetration tests can
also be described as "full disclosure" (white box), "partial disclosure" (grey
box), or "blind" (black box) tests based on the amount of information provided
to the testing team.

The relative merits of these approaches are debated. Black box testing
simulates an attack from someone who is unfamiliar with the system. White box
testing simulates what might happen during an "inside job" or after a "leak"
of sensitive information, where the attacker has access to source code,
network layouts, and possibly even some passwords.

Denial of Service (DoS)

Denial of service testing involves attempting to exploit specific weaknesses
on a system by exhausting the target's resources so that it stops responding
to legitimate requests. This testing can be performed using automated tools or
manually. The different types of DoS can be broadly classified into software
exploits and flooding attacks. Decisions regarding the extent of denial of
service testing to be incorporated into a penetration testing exercise depend
on the relative importance of ongoing, continued availability of the
information systems and related processing activities. Denial of service can
take a number of formats; those that are important to test for are listed
below:

   •   Resource overload – these attacks intend to overload the resources
       (e.g. memory) of a target so that it no longer responds.
   •   Flood attacks – this involves sending a large number of network
       requests with the intention of overloading the target. This can be
       performed via:
          o ICMP (Internet Control Message Protocol), known as "smurf"
            attacks
          o UDP (User Datagram Protocol), known as "fraggle" attacks
   •   Half open SYN attack – this involves partially opening numerous TCP
       connections on the target, so that legitimate connections cannot be
       started.
   •   Out-of-band attacks – these attempt to crash targets by breaking IP
       header standards:
          o Oversized packets (ping of death) – the packet header indicates
            that there is more data in the packet than there actually is.
          o Fragmentation (teardrop attack) – sends overlapping fragmented
            packets (pieces of packets) which are under length.
          o IP source address spoofing (land attack) – causes a computer to
            create a TCP connection to itself.
          o Malformed UDP packet header (UDP bomb) – UDP headers indicate an
            incorrect length.

Application security testing

With the growth of e-business, core business functionality is now being
offered through Web-based applications. While Internet-facing applications
give an organization the much needed global customer reach, providing access
to partners inside the intranet introduces new security vulnerabilities
because, even with a firewall and other monitoring systems, security can be
compromised, since traffic must be allowed to pass through the firewall. The
objective of application security testing is to evaluate the controls over the
application (electronic commerce servers, on-line financial applications,
distributed applications, and Internet front ends to legacy systems) and its
process flow. Topics to be evaluated may include the application's usage of
encryption to protect the confidentiality and integrity of information, how
users are authenticated, the integrity of the Internet user's session with the
host application, and the use of cookies – a block of data stored on a
customer's computer that is used by the Web server application.

Let's take a look at some important components of application testing:

   •   Code review: Code reviews involve analysing all the application-based
       code to ensure that it does not
       contain any sensitive information that an intruder might use to
       exploit an application. For example, publicly available application
       code may include test comments, names or clear-text passwords that
       will give an intruder a great deal of information about the
       application.
   •   Authorization testing: This involves testing the systems responsible
       for the initiation and maintenance of user sessions. This will require
       testing:
          o Input validation of login fields – bad characters or overlong
            inputs can produce unpredictable results;
          o Cookie security – cookies can be stolen and legitimate sessions
            can be used by an unauthorised individual; and
          o Lockout testing – testing the timeout and intrusion lockout
            parameters set in the application, to ensure legitimate sessions
            cannot be hijacked.
       This is performed to discover whether the login system can be forced
       into permitting unauthorised access. The testing will also reveal
       whether the system is susceptible to denial of service attacks using
       the same techniques.
   •   Functionality testing: This involves testing the systems responsible
       for the application's functionality as presented to a user. This will
       require testing:
          o Input validation – bad characters, specific URLs or overlong
            inputs can produce unpredictable results; and
          o Transaction testing – ensuring that the application performs to
            specification and does not permit the user to abuse the system.

War dialling

War dialling is a technique for systematically calling a range of telephone
numbers in an attempt to identify modems, remote access devices and
maintenance connections of computers that may exist on an organization's
network. Using
war dialling tactics, a hacker may be able to locate vulnerable out-of-band
entry points into an organization and manipulate them to access the network.
The failure of IT staff to consider the phone network as a possible primary
access point is one of the main factors in the growth of these attacks. For
example, leaving open modems on critical network servers, routers and other
devices can inadvertently expose an entry point inside the organization's
network. In this testing, once a modem or other access device has been
identified, analysis and exploitation techniques are performed to assess
whether this connection can be used to penetrate the organization's
information systems network.

Penetration testing for wireless networks

The introduction of wireless networks, whether inside corporate network
infrastructure or common homes, introduces additional security exposures that
are much more threatening than wired network attacks. Since the only boundary
wireless networks know is their signal range, it becomes easy for hackers to
identify wireless networks simply by driving or walking around office
buildings with their wireless network equipment; this technique is known as
"war driving". Once an open wireless access point is found, the war driver
usually maps it, so that at the end he has a map of access points with their
properties (SSID, WEP, MAC etc.). The goal of wireless network testing is to
identify security gaps or flaws in the design, implementation or operation of
the organization's wireless network.

Standards and Certification

The Council of Registered Ethical Security Testers (CREST) offers three
certifications: CREST Registered Tester, CREST Certified Tester
(Infrastructure) and CREST Certified Tester (Web Applications).

CREST (Council of Registered Ethical Security Testers) is a non-profit
association created to provide recognised standards and professionalism for
the penetration testing industry. For organisations, CREST provides a provable
validation of security testing
methodologies and practices, aiding with client engagement and procurement
processes and proving that the member company is able to provide testing
services to the CREST standard. Three certifications are currently offered:
the CREST Registered Tester and two CREST Certified Tester qualifications,
one for infrastructure and one for application testing.

The Information Assurance Certification Review Board (IACRB) manages a
penetration testing certification known as the Certified Penetration Tester
(CPT). The CPT requires that the exam candidate pass a traditional multiple
choice exam, as well as a practical exam that requires the candidate to
perform a penetration test against live servers.

SANS provides a wide range of computer security training leading to a number
of SANS qualifications. In 1999, SANS founded GIAC, the Global Information
Assurance Certification, which according to SANS has been undertaken by over
20,000 members to date. Two of the GIAC certifications are penetration
testing specific: the GIAC Certified Penetration Tester (GPEN) certification
and the GIAC Web Application Penetration Tester (GWAPT) certification.

Government-backed testing also exists in the US with standards such as the
NSA Infrastructure Evaluation Methodology (IEM).

For web applications, the Open Web Application Security Project (OWASP)
provides a framework of recommendations that can be used as a benchmark.

The Tiger Scheme offers two certifications: Qualified Tester (QST) and Senior
Security Tester (SST). The SST is technically equivalent to CHECK Team Leader
and the QST is technically equivalent to the CHECK Team Member certification.
The Tiger Scheme certifies the individual, not the company.

The International Council of E-Commerce Consultants certifies individuals in
various e-business and information security skills. These include the
Certified Ethical Hacker course, the Computer Hacking Forensics Investigator
program, the Licensed Penetration Tester program and various other programs,
which are widely available worldwide.
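The denial-of-service formats listed under Types of Penetration Tests (land, ping of death, teardrop, UDP bomb, half-open SYN, smurf and fraggle) each correspond to a header inconsistency that a defender can check for in captured traffic. The following is an added example, not code from the paper: a checker run over constructed sample packet records; the dict fields, the /24 broadcast assumption and the SYN threshold are assumptions of this example.

```python
"""Added example (not from the paper): defender-side header-sanity checks for
the denial-of-service formats listed under Types of Penetration Tests. Packets
are simplified dict records constructed here so the code runs offline."""
from collections import defaultdict

IPV4_MAX_TOTAL_LENGTH = 65535  # largest datagram IPv4 can describe
UDP_HEADER_LENGTH = 8
SYN_HALF_OPEN_THRESHOLD = 3    # assumed tuning value, kept small for the demo

def mk(**fields):
    # Build a constructed packet record; defaults describe a harmless TCP packet.
    base = {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "tcp", "sport": 40000,
            "dport": 80, "flags": set(), "total_length": 60, "captured_length": 60,
            "ip_header_length": 20, "ip_id": 1, "frag_offset": 0, "frag_len": None,
            "more_fragments": False, "udp_length": 8, "icmp_type": None}
    base.update(fields)
    return base

def check_packet(pkt):
    """Stateless checks on one packet; returns the names of the alerts raised."""
    alerts = []
    # land: the packet claims to come from the very host it is addressed to
    if pkt["src"] == pkt["dst"]:
        alerts.append("land")
    # ping of death: header claims more data than captured, or a fragment reassembles past the max
    if (pkt["total_length"] > pkt["captured_length"]
            or pkt["frag_offset"] + (pkt["frag_len"] or 0) > IPV4_MAX_TOTAL_LENGTH):
        alerts.append("oversized")
    # UDP bomb: the UDP length field disagrees with the bytes on the wire
    if pkt["proto"] == "udp":
        udp_bytes = pkt["captured_length"] - pkt["ip_header_length"]
        if not UDP_HEADER_LENGTH <= pkt["udp_length"] <= udp_bytes:
            alerts.append("udp_bomb")
    # smurf / fraggle: echo request or UDP aimed at a directed-broadcast address
    # (assumes /24 networks, so a host part of .255 is treated as broadcast)
    if pkt["dst"].endswith(".255"):
        if pkt["proto"] == "icmp" and pkt["icmp_type"] == 8:
            alerts.append("smurf")
        elif pkt["proto"] == "udp":
            alerts.append("fraggle")
    return alerts

def find_overlapping_fragments(packets):
    """Teardrop check: datagrams (src, dst, ip_id) with a fragment starting inside an earlier one."""
    groups = defaultdict(list)
    for pkt in packets:
        if pkt["frag_len"] is not None and (pkt["frag_offset"] or pkt["more_fragments"]):
            groups[(pkt["src"], pkt["dst"], pkt["ip_id"])].append(
                (pkt["frag_offset"], pkt["frag_offset"] + pkt["frag_len"]))
    bad = set()
    for key, ranges in groups.items():
        ranges.sort()
        for (_, prev_end), (start, _) in zip(ranges, ranges[1:]):
            if start < prev_end:
                bad.add(key)
                break
    return bad

def count_half_open(packets):
    """Half-open SYN check: SYNs never completed by the client's ACK, per (target, port)."""
    pending = set()
    for pkt in packets:
        if pkt["proto"] != "tcp":
            continue
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == {"SYN"}:
            pending.add(flow)
        elif "ACK" in pkt["flags"]:
            pending.discard(flow)
    per_target = defaultdict(int)
    for _, _, dst, dport in pending:
        per_target[(dst, dport)] += 1
    return {t: n for t, n in per_target.items() if n >= SYN_HALF_OPEN_THRESHOLD}

def analyse(packets):
    # Run every check and return a summary suitable for a findings report.
    per_packet = {i: check_packet(p) for i, p in enumerate(packets)}
    return {"packet_alerts": {i: a for i, a in per_packet.items() if a},
            "teardrop": find_overlapping_fragments(packets),
            "syn_flood": count_half_open(packets)}

# Constructed sample traffic: one instance of each format plus benign packets.
SAMPLE = [
    mk(src="192.0.2.10", dst="192.0.2.10", flags={"SYN"}),                     # land
    mk(proto="icmp", icmp_type=8, total_length=65535, captured_length=1500),   # ping of death
    mk(proto="udp", udp_length=2, total_length=48, captured_length=48),        # udp bomb
    mk(proto="icmp", icmp_type=8, dst="192.0.2.255"),                          # smurf
    mk(proto="udp", dst="192.0.2.255", udp_length=20, total_length=48, captured_length=48),  # fraggle
    mk(ip_id=9, frag_offset=0, frag_len=24, more_fragments=True),              # teardrop pair
    mk(ip_id=9, frag_offset=16, frag_len=24),
    mk(src="10.0.0.1", sport=1, flags={"SYN"}),                                # half-open SYNs
    mk(src="10.0.0.2", sport=2, flags={"SYN"}),
    mk(src="10.0.0.3", sport=3, flags={"SYN"}),
    mk(src="10.0.0.4", sport=4, flags={"SYN"}),                                # completed handshake
    mk(src="10.0.0.4", sport=4, flags={"ACK"}),
]
```

Running `analyse(SAMPLE)` flags the first five packets individually, reports the ip_id 9 datagram as a teardrop overlap, and counts four uncompleted SYNs against 192.0.2.10:80 (the land packet is itself a SYN); the completed handshake from 10.0.0.4 is not counted.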

Conclusion

Security is a continuum, not an absolute. The value of penetration testing
lies in its results -- the ones that answer the big question "WHY?" A
successful penetration test indicates more than a particular flaw: it
identifies the process failures that produced the vulnerability in the first
place. Fixing or patching the vulnerability detected does not mean an end to
your security worries or nightmares -- it is just the beginning of a
never-ending cycle.

A penetration test from a trusted provider offers an excellent means by which
an organization can baseline its current security posture, identify threats
and weaknesses, and start implementing remediation strategies. By identifying
risk exposures and highlighting what resources are needed to correct them,
penetration tests provide not only the basis for a security action plan, but
also the compelling events, due diligence and partner interface protocols
necessary to establish information security as a key corporate