Wednesday, 29 August 2012

Penetration Testing [Breaking-IN before the Bad Guys]



Have you ever been told by someone what the password of your mail id is, and been stunned, wondering which personal mail he has read in your mailbox? Believe it: this is no longer just “script kiddies” breaking into your network, and it is more severe in multi-tier network architectures, Web services, custom applications, and heterogeneous server platform environments. In the past several years it has become apparent that there is real money to be made from criminal hacking, and identity theft is one of the world’s fastest growing problems.
Although there are many ways to secure systems and applications, putting yourself in the shoes of a hacker is a completely new way to test yourself: through PENETRATION TESTING you can actually replicate the types of actions a malicious attacker would take.
Penetration testing has evolved from an ad hoc activity into a robust and trustworthy testing methodology, supported by high-quality commercial tools. In the hands of a properly trained penetration tester, these methodologies provide a stable, quality-assured way to accurately assess systems by penetrating existing vulnerabilities.

Let’s define Penetration Testing:
  
Penetration testing is a process of assessing your overall security before hackers do. It is a testing technique for discovering, understanding, and documenting all the security holes that can be found in a system.
A person who attempts to gain access to resources without knowing the usernames/passwords is identified as a hacker/attacker; a person who does the same thing officially (with prior authorization) is identified as a penetration tester. In other words, unauthorized attackers are hackers and authorized attackers are penetration testers.

A penetration tester must act as a hacker/attacker while doing penetration testing. It is important to understand that a penetration test can never prove the absence of security flaws; it can only prove their presence.

Why Penetration Testing:

Ask yourself: do you want your application to be attacked by hackers? Then attack it yourself first.


Aspects of Penetration Testing -

*       Find Holes Now Before Somebody Else Does
The goal is for the penetration tester to find ways into the network so that they can be fixed before someone with less than honorable intentions discovers the same holes. Think of a penetration test as an annual medical check-up: even if you believe you are healthy, your physician runs a series of tests (some old and some new) to detect dangers that have not yet developed symptoms.
*       Report Problems to Management
Penetration testing results help demonstrate the lack of security in the environment to upper-level management. Often an internal network team will be aware of weaknesses in the security of their systems but will have trouble getting management to support the changes that would be necessary to secure them. When an outside group with a reputation for security expertise analyzes a system, management will often respect that opinion more. Remember that ultimate responsibility for the security of IT assets rests with management, because it is they, not the administrators, who decide what the acceptable level of risk is for the organization.
*       Verify Secure Configurations
If the CSO (or security team) is confident in their actions and final results, the penetration test report verifies that they are doing a good job. The penetration test doesn’t make the network more secure by itself, but it does identify gaps between knowledge and implementation.
*       Security Training For Network Staff
Penetration testing gives security staff a chance to recognize and respond to a network attack. For example, if the penetration tester successfully compromises a system without anyone noticing, this may indicate a failure to adequately train staff in proper security monitoring.
*       Discover Gaps in Compliance
Using penetration testing as a means to identify gaps in compliance is a bit closer to auditing than true security engineering, but experienced penetration testers often breach a perimeter because someone did not get all the machines patched, or possibly because a non-compliant machine was put up “temporarily” and ended up becoming a critical resource.
*       Testing New Technology
The ideal time to test new technology is before it goes into production, as this can often save time and money: it is easier to test and modify new technology while nobody is relying on it.

How do we perform penetration testing?
Although there are various methodologies a penetration tester can follow, there are broadly 4 main phases:


4 Stage Penetration Testing Methodology
  • Planning - The planning phase is where the scope of the assignment is defined. Management approvals, documents, agreements, etc. are signed, and the penetration testing team prepares a definite strategy for the assignment.
  • Discovery - The discovery phase is where the actual testing starts; it can be regarded as an information gathering phase. This phase can be further categorized as follows:
    • Foot-printing phase - Gather the maximum possible information available about the target organization and its systems using various means, both technical and non-technical. This involves searching the internet and querying various public repositories (databases, domain registrars, Usenet groups, mailing lists, etc.).
    • Scanning and Enumeration phase - Identify live systems, open / filtered ports, the services running on those ports, router / firewall rules, operating system details, network paths, etc.
    • Vulnerability Analysis phase - Find any possible vulnerabilities existing in each target system. During this phase a penetration tester may use automated tools to scan the target systems for known vulnerabilities. These tools usually have their own databases of the latest vulnerabilities and their details.
  • Attack - This is the phase that separates the men from the boys. It is at the heart of any penetration test, the most interesting and challenging phase. This phase can be further categorized into:
    • Exploitation phase - During this phase a penetration tester will try to find exploits for the various vulnerabilities found in the previous phase.
    • Privilege Escalation phase - There are times when a successful exploit does not lead to root access. At such a point an effort has to be made to carry out further analysis of the target system and gain more information that could lead to administrative privileges, e.g. local vulnerabilities, etc.
  • Reporting - This stage can occur in parallel with the other three stages or at the end of the Attack stage. Many penetration testers do not concentrate on this stage and follow a hurried approach to make all the submissions. But this stage is probably the most important of all the phases; after all, the organization is paying you for this final document.
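The Scanning and Enumeration phase above classifies ports as open or filtered, and the "Verify Secure Configurations" section says a test's real value is finding the gap between what the team believes is exposed and what actually is. The following script, added here as an example and not part of the original post, audits a host you own against such a baseline: each probed TCP port is classified as open, closed or filtered, and any disagreement with the expected list becomes a finding for the report. It targets 127.0.0.1 only and starts its own throwaway listener so it runs offline; the baseline set and port list are constructed for the demo.

```python
import socket


def probe_port(host, port, timeout=1.0):
    """Classify one TCP port the way a scanner does: a completed
    handshake is 'open', an immediate refusal (RST) is 'closed', and
    no answer at all within the timeout is 'filtered' (typically a
    firewall silently dropping the probe)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):  # timeout or unreachable
            return "filtered"


def compare_to_baseline(host, ports, expected_open):
    """Scan each port and return findings as (port, state, note) tuples.
    A port that is open but absent from the baseline is unexpected
    exposure; a baseline port that is not open means the documented
    service is down or blocked. No finding means knowledge and
    implementation agree for that port."""
    findings = []
    for port in ports:
        state = probe_port(host, port)
        if state == "open" and port not in expected_open:
            findings.append((port, state, "open but not in baseline"))
        elif state != "open" and port in expected_open:
            findings.append((port, state, "in baseline but not reachable"))
    return findings


def start_demo_listener(host="127.0.0.1"):
    """Bind a throwaway listener on an ephemeral port so there is a real
    'open' service to find. Keep the socket referenced while scanning."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_port(host="127.0.0.1"):
    """Reserve and release an ephemeral port so it reads as 'closed'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, live = start_demo_listener()
    dead = unused_port()
    # Constructed baseline that is wrong in both directions on purpose.
    for port, state, note in compare_to_baseline("127.0.0.1", [live, dead], {dead}):
        print(f"port {port}: {state} -> {note}")
    srv.close()
```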