
DATA SECURITY MANAGEMENT

INTRODUCTION TO PENETRATION TESTING

Stephen Fried

INSIDE

What is Penetration Testing? Terminology; Why Test? Types of Penetration Testing; What Allows Penetration Testing to Work?

INTRODUCTION

This article provides a general introduction to the subject of penetration testing and provides the security professional with the background needed to understand this special area of security analysis. Penetration testing can be a valuable tool for understanding and improving the security of a computer or network. However, it can also be used to exploit system weaknesses and attack systems and steal valuable information. By understanding the need for penetration testing, and the issues and processes surrounding its use, a security professional will be better able to use penetration testing as a standard part of the analysis toolkit.

This article presents penetration testing in terms of its use, application, and process. It is not intended as an in-depth guide to specific techniques that can be used to test penetration-specific systems. Penetration testing is an art that takes a great deal of skill and practice to do effectively. If not done correctly and carefully, the penetration test can be deemed invalid (at best) and, in the worst case, actually damage the target systems.

If the security professional is unfamiliar with penetration testing tools and techniques, it is best to hire or contract someone with a great deal of experience in this area to advise and educate the security staff of an organization.

PAYOFF IDEA

Here is where one learns all about penetration testing up to the point of actually using this powerful technique. It is important to know what one is trying to accomplish before actually attempting a penetration test because mistakes can be disastrous to computer operations. Mistakes might even be career limiting.

82-02-67

WHAT IS PENETRATION TESTING?

Penetration testing is defined as a formalized set of procedures designed to bypass the security controls of a system or organization for the purpose of testing that system’s or organization’s resistance to such an attack. Penetration testing is performed to uncover the security weaknesses of a system and to determine the ways in which the system can be compromised by a potential attacker. Penetration testing can take several forms (which will be discussed later) but, in general, a test consists of a series of “attacks” against a target. The success or failure of the attacks, and how the target reacts to each attack, will determine the outcome of the test.

The overall purpose of a penetration test is to determine the subject’s ability to withstand an attack by a hostile intruder. As such, the tester will be using the tricks and techniques a real-life attacker might use. This simulated attack strategy allows the subject to discover and mitigate its security weak spots before a real attacker discovers them.

The reason penetration testing exists is that organizations need to determine the effectiveness of their security measures. The fact that they want tests performed indicates that they believe there might be (or want to discover) some deficiency in their security. However, while the testing itself might uncover problems in the organization’s security, the tester should attempt to discover and explain the underlying cause of the lapses in security that allowed the test to succeed. Simply stating that the tester was able to walk out of a building with sensitive information is not sufficient. The tester should explain that the lapse was due to inadequate attention by the guard on duty or a lack of guard staff training that would enable them to recognize valuable or sensitive information.

There are three basic requirements for a penetration test.

1. The test must have a defined goal and that goal should be clearly documented. The more specific the goal, the easier it will be to recognize the success or failure of the test. A goal such as “break into the XYZ corporate network,” while certainly attainable, is not as precise as “break into XYZ’s corporate network from the Internet and gain access to the research department’s file server.” Each test should have a single goal. If the tester wishes to test several aspects of security at a business or site, several separate tests should be performed. This will enable the tester to more clearly distinguish between successful tests and unsuccessful attempts.

2. The test should have a limited time period in which it is to be performed. The methodology in most penetration testing is to simulate the types of attacks that will be experienced in the real world. It is reasonable to assume that an attacker will expend a finite amount of time and energy trying to penetrate a site. That time may range from one day to one year or beyond; but after that time is reached, the attacker will give up. In addition, the information being protected may have a finite useful “lifetime.” The penetration test should acknowledge and accept this fact. Thus, part of the goal statement for the test should include a time limit that is considered reasonable based on the type of system targeted, the expected level of the threat, and the lifetime of the information.

3. The test should have the approval of the management of the organization that is the subject of the test. This is extremely important, as only the organization’s management has the authority to permit this type of activity on its network and information systems.

TERMINOLOGY

There are several terms associated with penetration testing. These terms are used throughout this article to describe penetration testing and the people and events involved in a penetration test.

Tester: The person or group who is performing the penetration test. The purpose of the tester is to plan and execute the penetration test and analyze the results for management. In many cases, the tester will be a member of the company or organization that is the subject of the test. However, a company may hire an outside firm to conduct the penetration test if it does not have the personnel or the expertise to do it itself.

Attacker: A real-life version of a tester. However, where the tester works with a company to improve its security, the attacker works against a company to steal information or resources.

Attack: The series of activities performed by the tester in an attempt to circumvent the security controls of a particular target. The attack may consist of physical, procedural, or electronic methods.

Subject of the test: The organization upon whom the penetration test is being performed. The subject can be an entire company or it can be a smaller organizational unit within that company.

Target of a penetration test: The system or organization that is being subjected to a particular attack at any given time. The target may or may not be aware that it is being tested. In either case, the target will have a set of defenses it presents to the outside world to protect itself against intrusion. It is those defenses that the penetration test is designed to test. A full penetration test usually consists of a number of attacks against a number of different targets.

Management: The term used to describe the leadership of an organization involved in the penetration test. There may be several levels of management involved in any testing effort, including the management of the specific areas of the company being tested, as well as the upper management of the company as a whole. The specific levels of management involved in the penetration testing effort will have a direct impact on the scope of the test. In all cases, however, it is assumed that the tester is working on behalf of (and sponsored by) at least one level of management within the company.

Penetration test (or more simply the test): The actual performance of a simulated attack on the target.

WHY TEST?

There are several reasons why an organization will want a penetration test performed on its systems or operations. The first (and most prevalent) is to determine the effectiveness of the security controls the organization has put into place. These controls may be technical in nature, affecting the computers, network, and information systems of the organization. They may be operational in nature, pertaining to the processes and procedures a company has in place to control and secure information. Finally, they may be physical in nature. The tester may be trying to determine the effectiveness of the physical security a site or company has in place. In all cases, the goal of the tester will be to determine if the existing controls are sufficient by trying to get around them.

The tester may also be attempting to determine the vulnerability an organization has to a particular threat. Each system, process, or organization has a particular set of threats to which it feels it is vulnerable. Ideally, the organization will have taken steps to reduce its exposure to those threats. The role of the tester is to determine the effectiveness of these countermeasures and to identify areas for improvement or areas where additional countermeasures are required. The tester may also wish to determine whether the set of threats the organization has identified is valid and whether or not there are other threats against which the organization might wish to defend itself.

A penetration test can sometimes be used to bolster a company’s position in the marketplace. A test, executed by a reputable company and indicating that the subject’s environment withstood the tester’s best efforts, can be used to give prospective customers the appearance that the subject’s environment is secure. The word “appearance” is important here because a penetration test cannot examine all possible aspects of the subject’s environment if it is even moderate in size. In addition, the security state of an enterprise is constantly changing as new technology replaces old, configurations change, and business needs evolve. The “environment” the tester examines may be very different from the one the customer will be a part of. If a penetration test is used as proof of the security of a particular environment for marketing purposes, the customer should insist on knowing the details, methodology, and results of the test.

A penetration test can be used to alert the corporation’s upper management to the security threat that may exist in its systems or operations. While the general knowledge that security weaknesses exist in a system, or specific knowledge of particular threats and vulnerabilities may exist among the technical staff, this message may not always be transmitted to management. As a result, management may not fully understand or appreciate the magnitude of the security problem. A well-executed penetration test can systematically uncover vulnerabilities that management was unaware existed. The presentation of concrete evidence of security problems, along with an analysis of the damage those problems can cause to the company, can be an effective wake-up call to management and spur them into paying more attention to information security issues. A side effect of this wake-up call may be that once management understands the nature of the threat and the magnitude to which the company is vulnerable, it may be more willing to expend money and resources to address not only the security problems uncovered by the test but also ancillary security areas needing additional attention by the company. These ancillary issues may include a general security awareness program or the need for more funding for security technology. A penetration test that uncovers moderate or serious problems in a company’s security can be effectively used to justify the time and expense required to implement effective security programs and countermeasures.

TYPES OF PENETRATION TESTING

The typical image of a penetration test is that of a team of high-tech computer experts sitting in a small room attacking a company’s network for days on end or crawling through the ventilation shafts to get into the company’s “secret room.” While this may be a glamorous image to use in the movies, in reality the penetration test works in a variety of different (and very nonglamorous) ways.

The first type of testing involves the physical infrastructure of the subject. Very often, the most vulnerable parts of a company are not found in the technology of its information network or the access controls found in its databases. Security problems can be found in the way the subject handles its physical security. The penetration tester will seek to exploit these physical weaknesses. For example, does the building provide adequate access control? Does the building have security guards, and do the guards check people as they enter or leave a building? If intruders are able to walk unchecked into a company’s building, they will be able to gain physical access to the information they seek. A good test is to try to walk into a building during the morning when everyone is arriving to work. Try to get in the middle of a crowd of people to see if the guard is adequately checking the badges of those entering the building.

Once inside, check if sensitive areas of the building are locked or otherwise protected by physical barriers. Are file cabinets locked when not in use? How difficult is it to get into the communications closet where all the telephone and network communication links terminate? Can a person walk into employee office areas unaccompanied and unquestioned? All the secure and sensitive areas of a building should be protected against unauthorized entry. If they are not, the tester will be able to gain unrestricted access to sensitive company information.

While the physical test includes examining protections against unauthorized entry, the penetration test might also examine the effectiveness of controls prohibiting unauthorized exit. Does the company check for theft of sensitive materials when employees exit the facility? Are laptop computers or other portable devices registered and checked when entering and exiting the building? Are security guards trained not only on what types of equipment and information to look for, but also on how equipment can be hidden or masked and why this procedure is important?

Another type of testing examines the operational aspects of an organization. Whereas physical testing investigates physical access to company computers, networks, or facilities, operational testing attempts to determine the effectiveness of the operational procedures of an organization by attempting to bypass those procedures. For example, if the company’s help desk requires each user to give personal or secret information before help can be rendered, can the tester bypass those controls by telling a particularly believable “sob story” to the technician answering the call? If the policy of the company is to “scramble” or demagnetize disks before disposal, are these procedures followed? If not, what sensitive information will the tester find on disposed disks and computers? If a company has strict policies concerning the authority and process required to initiate ID or password changes to a system, can someone simply claiming to have the proper authority (without any actual proof of that authority) cause an ID to be created, removed, or changed? All these are attacks against the operational processes a company may have, and all of these techniques have been used successfully in the past to gain entry into computers or gain access to sensitive information.

The final type of penetration test is the electronic test. Electronic testing consists of attacks on the computer systems, networks, or communications facilities of an organization. This can be accomplished either manually or through the use of automated tools. The goal of electronic testing is to determine if the subject’s internal systems are vulnerable to an attack through the data network or communications facilities used by the subject.

Depending on the scope and parameters of a particular test, a tester may use one, two, or all three types of tests. If the goal of the test is to gain access to a particular computer system, the tester may attempt a physical penetration to gain access to the computer’s console or try an electronic test to attack the machine over the network. If the goal of the test is to see if unauthorized personnel can obtain valuable research data, the tester may use operational testing to see if the information is tracked or logged when accessed or copied and determine who reviews those access logs. The tester may then switch to electronic penetration to gain access to the computers where the information is stored.

WHAT ALLOWS PENETRATION TESTING TO WORK?

There are several general reasons why penetration tests are successful. Many of them are in the operational area; however, security problems can arise due to deficiencies in any of the three testing areas.

A large number of security problems arise due to a lack of awareness on the part of a company’s employees of the company’s policies and procedures regarding information security and protection. If employees and contractors of a company do not know the proper procedures for handling proprietary or sensitive information, they are much more likely to allow that information to be left unprotected. If employees are unaware of the company policies on discussing sensitive company information, they will often volunteer (sometimes unknowingly) information about their company’s future sales, marketing, or research plans simply by being asked the right set of questions. The tester will exploit this lack of awareness and modify the testing procedure to account for the fact that the policies are not well-known.

In many cases, the subjects of the test will be very familiar with the company’s policies and the procedures for handling information. Despite this, however, penetration testing works because often people do not adhere to standardized procedures defined by the company’s policies. Although the policies may say that system logs should be reviewed daily, most administrators are too busy to bother. Good administrative and security practices require that system configurations should be checked periodically to detect tampering, but this rarely happens. Most security policies indicate minimum complexities and maximum time limits for passwords, but many systems do not enforce these policies. Once the tester knows about these security procedural lapses, they become easy to exploit.

Many companies have disjointed operational procedures. The processes in use by one organization within a company may often conflict with the processes used by another organization. Do the procedures used by one application to authenticate users complement the procedures used by other applications, or are there different standards in use by different applications? Is the access security of one area of a company’s network lower than that of another part of the network? Are log files and audit records reviewed uniformly for all systems and services, or are some systems monitored more closely than others? All these are examples of a lack of coordination between organizations and processes.

These examples can be exploited by the tester and used to get closer to the goal of the test. A tester needs only to target the area with the lower authentication standards, the lower access security, or the lower audit review procedures in order to advance the test.

Many penetration tests succeed because people often do not pay adequate attention to the situations and circumstances in which they find themselves. The hacker’s art of social engineering relies heavily on this fact. Social engineering is a con game used by intruders to trick people who know secrets into revealing them. People who take great care in protecting information when at work (locking it up or encrypting sensitive data, for example) suddenly forget about those procedures when asked by an acquaintance at a party to talk about their work. Employees who follow strict user authentication and system change control procedures suddenly “forget” all about them when they get a call from the “Vice President of Such and Such” needing something done “right away.” Does the “Vice President” himself usually call the technical support line with problems? Probably not, but people do not question the need for information, do not challenge requests for access to sensitive information even if the person asking for it does not clearly have a need to access that data, and do not compare the immediate circumstances with normal patterns of behavior.

Many companies rely on a single source for enabling an employee to prove identity, and often that source has no built-in protection. Most companies assign employee identification (ID) numbers to their associates. That number enables access to many services the company has to offer, yet is displayed openly on employee badges and freely given when requested. The successful tester might determine a method for obtaining or generating a valid employee ID number in order to impersonate a valid employee.

Many hackers rely on the anonymity that large organizations provide. Once a company grows beyond a few hundred employees, it becomes increasingly difficult for anyone to know all employees by sight or by voice. Thus, the IT and HR staff of the company need to rely on other methods of user authentication, such as passwords, key cards, or the above-mentioned employee ID number. Under such a system, employees become anonymous entities, identified only by their ID number or their password. This makes it easier to assume the identity of a legitimate employee or to use social engineering to trick people into divulging information. Once the tester is able to hide within the anonymous structure of the organization, the fear of discovery is reduced and the tester will be in a much better position to continue to test.

Another contributor to the successful completion of most penetration tests is the simple fact that most system administrators do not keep their systems up to date with the latest security patches and fixes for the systems under their control. A vast majority of system break-ins occur as a result of exploitation of known vulnerabilities — vulnerabilities that could have easily been eliminated by the application of a system patch, configuration change, or procedural change. The fact that system operators continue to let systems fall behind in security configuration means that testers will continuously succeed in penetrating their systems.

The tools available for performing a penetration test are becoming more sophisticated and more widely distributed. This has allowed even the novice hacker to pick up highly sophisticated tools for exploiting system weaknesses and applying them without requiring any technical background in how the tool works. Often these tools can try hundreds of vulnerabilities on a system at one time. As new holes are found, the hacker tools exploit them faster than the software companies can release fixes, making life even more miserable for the poor administrator who has to keep pace. Eventually, the administrator will miss something, and that something is usually the one hole that a tester can use to gain entry into a system.

Stephen Fried is the senior manager for Global Risk Assessment and Secure Business Solutions at Lucent Technologies, leading the team responsible for determining the security threats to Lucent's internal systems and services. Stephen is a Certified Information Systems Security Professional and has been a featured speaker on information security and technology at meetings and conferences worldwide.
