In the past few years, the UK penetration testing market has grown considerably with several organisations in the market offering an extensive range of services, differing wildly when it comes to price and quality. But just how many failings can be addressed and reduced by penetration testing and how does this type of activity fit into a solid information security strategy?
In this article I’m hoping to explore some common strategies which can be employed to ensure an organisation takes a comprehensive and responsible approach when it comes to penetration testing.
There are many factors that influence the demand for penetration testing and many variables that may influence the outcome of a test. It is first important to obtain a balanced perspective of the value of penetration testing; the requirement for testing normally arises as a result of an independent risk assessment.
A significant consideration is that the results of the penetration test should be aimed at providing an independent, unbiased view of the security posture of the systems / applications being tested; the outcome, therefore, should be objective and directly translatable into actionable points for the administration and security teams.
The testing process shouldn’t be seen as obstructive or as an attempt to lay blame or fault on any team or individual; it is an exercise undertaken solely to identify security shortfalls. An informative and open evaluation will require the aid and co-operation of many people, well beyond those who were active in commissioning the penetration test.
Additionally, testing may be used to provide a baseline for remedial action to improve the information protection strategy.
Among the initial steps to be considered during the scoping phase are establishing the rules of engagement and deciding on the right methodology to be used by the penetration testing team, in order to meet the business’ requirements of the test. A penetration test can be part of a security initiative requiring multiple approaches, but most often tests are performed independently.
Penetration testing requires an active evaluation of the system for any vulnerabilities that could result from improper system configuration, known hardware or software flaws, or from operational weaknesses in the technical or process controls surrounding the system / application. Any security problems discovered during a penetration test should be recorded together with a recommendation for mitigation and a score, so that the business can prioritise remedial efforts. CVSS, or a similar scoring scheme, needs to be tailored to suit the exact circumstances.
A penetration test mimics an attack against the system to identify specific weaknesses and vulnerabilities. Anything identified during testing could pose a risk to the integrity of the system, the data which resides on it or may be much further reaching.
Experienced security consultants should be tasked with completing the testing, possibly with additional priority objectives such as leveraging any vulnerabilities against components which are accessible externally. These types of vulnerabilities generally pose much greater risk and are a demonstrable justification of present and future testing.
In order to attain a level of confidence that any testing will be carried out to the highest possible standard, these guidelines should be considered the baseline for any security evaluation. It is important that any testing carried out complies with policy and any relevant regulation, and that the results are measurable against the scoped requirements. The report should include results that are repeatable and consistent, and should record any speculative actions that were taken, for example attack chaining or testing for conditions which may result in denial of service.
It should be recognised that there is always an element of risk when executing any penetration testing, especially if systems and applications to be tested reside in a live environment. Although the utilisation of experienced professional penetration testers mitigates a large portion of this risk, it can never be entirely eliminated.
There are some specialist areas requiring unique skills, such as embedded devices, networks and web applications. The basic process can be broken down into scanning, vulnerability identification, exploitation and reporting. The effort granted to each exercise is dependent on the requirements of the business, the skill of the testers and the time assigned to the penetration testing process.
Using a mixture of automated tools for vulnerability scanning and network / application mapping, in combination with manual testing, a knowledge-focused methodology provides the end customer with a best-of-breed testing service which will identify risks and issues gleaned from potentially non-obvious vectors and attack paths.
An initial penetration test is crucial to establishing an unbiased viewpoint of an organisation’s security posture.
Performing regular penetration tests is an integral element in ensuring a system is kept at a high level of security in line with any corporate demand or requirement. Regular testing provides the management team with a continuous view of the security of their systems and provides the technical team with tailored advice to help in improving the effectiveness of the overall security strategy.
Regular penetration testing should account for new trends in attack techniques and tools. An unbiased penetration test should ensure security resources can be focused where they are needed most.