Penetration Testing
Sanjay Bavisi, EC-Council
Last year I walked into a restaurant in Rochester, New York, with a business partner; I was wearing an EC-Council official polo shirt. The back of the shirt was embroidered with the words “Licensed Penetration Tester.” On reading those words on my shirt, a group of young executives seated behind me started an intense dialogue among themselves.
They were obviously not amused at my “behavior,” since that was a restaurant for decent people! On my way out, I walked up to them and asked if they were amazed at what that statement meant. They replied “Absolutely!” When I explained to them the meaning of a Licensed Penetration Tester, they gave a loud laugh and apologized to me. They admitted that they had thought I was a pervert.
Each time I am at an airport, I get some stares when I put on that shirt. So the question is, what is penetration testing?
In this chapter, we’ll talk about penetration testing and what it is (and isn’t!), how it differs from an actual “hacker attack,” some of the ways penetration tests are conducted, how they’re controlled, and what organizations might look for when they’re choosing a company to conduct a penetration test for them.
Because this is a chapter and not an entire book, there are a lot of things that I just don’t have the space to talk about. What you’re about to read is, quite literally, just the tip of the iceberg when it comes to penetration testing. Keep that in mind when you think to yourself: “What about . . .?” The answer to your question (whatever it might be) is probably a part of our licensed penetration tester certification course!
1. What is Penetration Testing?
Penetration testing is the exploitation of vulnerabilities present in an organization’s network. It helps determine which vulnerabilities are exploitable and the degree of information exposure or network control that the organization could expect an attacker to achieve after successfully exploiting a vulnerability. No penetration test is or ever can be “just like a hacker would do it,” due to necessary limitations placed on penetration tests conducted by “white hats.” Hackers don’t have to follow the same rules as the “good guys” and they could care less whether your systems crash during one of their “tests.” We’ll talk more about this later. Right now, before we can talk any more about penetration testing, we need to talk about various types of vulnerabilities and how they might be discovered.
Before we can exploit a vulnerability in a penetration test, we have to discover what vulnerabilities exist within (and outside of) the organization. A vulnerability is a potential weakness in an organization’s security. I use the term “potential” because not all vulnerabilities are exploitable or worth exploiting. A flaw may exist and may even be documented, but perhaps no one has figured out (yet) how to exploit it. Some vulnerabilities, although exploitable, might not yield enough information in return for the time or resources necessary to exploit them. Why break into a bank and steal only a dollar? That doesn’t make much sense, does it?
Vulnerabilities can be thought of in two broad categories: logical and physical. We normally think of logical vulnerabilities as those associated with the organization’s computers, infrastructure devices, software, or applications. Physical vulnerabilities, on the other hand, are normally thought of as those having to do with either the actual physical security of the organization (such as a door that doesn’t always lock properly), the sensitive information that “accidentally” ends up in the dumpster, or the vulnerability of the organization’s employees to social engineering (a vendor asking to use a computer to send a “quick email” to the boss).
Logical vulnerabilities can be discovered using any number of manual or automated tools and even by browsing the Internet. For those of you who are familiar with Johnny Long’s Google Hacking books: “Passwords, for the love of God!!! Google found passwords!” The discovery of logical vulnerabilities is usually called security scanning, vulnerability scanning, or just scanning. Unfortunately, there are a number of “security consultants” who run a scan, put a fancy report cover on the output of the tool, and pass off these scans as a penetration test.
Physical vulnerabilities can be discovered as part of a physical security inspection, a “midnight raid” on the organization’s dumpsters, getting information from employees, or via unaccompanied access to a usually nonpublic area (I really need to use the bathroom!).
Vulnerabilities might also exist due to a lack of company policies or procedures or an employee’s failure to follow the policy or procedure. Regardless of the cause of the vulnerability, it might have the potential to compromise the organization’s security. So, of all the vulnerabilities that have been discovered, how do we know which ones pose the greatest danger to the organization’s network? We test them! We test them to see which ones we can exploit and exactly what could happen if a “real” attacker exploited that vulnerability.
Because few organizations that I know of have enough money, time, or resources to eliminate every vulnerability discovered, they have to prioritize their efforts; this is one of the best reasons for an organization to conduct a penetration test. At the conclusion of the penetration test, they will know which vulnerabilities can be exploited and what can happen if they are exploited. They can then plan to correct the vulnerabilities based on the amount of critical information exposed or network control gained by exploiting the vulnerability. In other words, a penetration test helps organizations strike a balance between security and business functionality. Sounds like a perfect solution, right? If only it were so!
There are organizations that do not care about the “true risks” that their organizations face. Instead, they are more interested in being able to tell their shareholders or their regulating agencies that they’ve conducted a penetration test and “passed” it. If the penetration test is structured so that only certain systems are tested, or if the test is conducted during a known timeframe, the test results will be favorable to the organization, but the test isn’t a true reflection of its network security posture. This kind of “boutique testing” can lead to a false sense of security for the organization, its employees, and its stakeholders.
2. How does Penetration Testing Differ from an Actual “Hack?”
Earlier, I mentioned that penetration testing isn’t and never can be “just like a hacker would do it.” How come? Except in the case of “directed” sabotage or espionage, it’s not personal between your organization and attackers. They don’t care who you are, where you are, or what your organization does to earn its living. They just want to hack something. The easier it is to attack your network, the more likely it is that you’ll be a target. Ask your network administrator to look at the network intrusion detection logs (or look at them yourself if you’re a network admin). See how many times in a 24-hour period your organization’s network gets scanned for potential vulnerabilities.
Once an attacker has decided that you’re his or her (yes, there are female hackers—good ones, too!) next target, they may take weeks or months to perform the first step of an attack: reconnaissance. As a penetration tester or company providing penetration testing services, I doubt that you’re going to get hired to spend six months doing reconnaissance and another couple of months conducting an attack. So, the first difference between a penetration test and a real attack is the length of time taken to conduct all the activities needed to produce a successful outcome. As “good guys,” we don’t have the luxury of time that the “bad guys” do. So we’re handicapped to begin with.
In some (not all) cases, once attackers find a suitable vulnerability to attack, they will. They don’t care that the vulnerability resides on a mission-critical system, if the vulnerability will crash the system, or that the system might become unusable in the middle of the busiest time of day. If that vulnerability doesn’t “pan out,” they find another and try again. They keep it up until they run out of vulnerabilities that they can exploit, or they’re discovered, or they manage to successfully breach the network or crash the system. Penetration test teams normally don’t have this luxury, either. Usually the test team has X amount of time to find a vulnerability and get in or the test is over and the network is declared “safe and secure.” If the test team didn’t have enough time to test all the vulnerabilities—oh, well. The test is still over, they still didn’t get in, and so our network must be safe! Few seem to think about the fact that a “real” attacker may, just by blind luck, choose one of the unable-to-be-tested-because-of-time-limitations vulnerabilities and be able to waltz right into the network without being detected.
Some systems are declared “off limits” to testing because they’re “too important to have crash” during a test. An organization may specify that testing can only occur during certain hours or on certain days because of a real or perceived impact on business operations. This is the second difference between a penetration test and a real attack: Hackers don’t play by any rules. They attack what they want when they want and how they want. Just to be clear: I’m not advocating denial-of-service testing during the busiest time of an organization’s day, or unrestricted testing at any time. I’m just trying to make a point that no system is too critical to test. From a hacker’s perspective, there are no “off-limits” systems, just opportunities for attack. We’ll talk more about differences between real attacks and penetration tests when we talk about the various types of testing in the next section.
3. Types of Penetration Testing
Some sources classify penetration testing into two types—internal and external—and then talk about the “variations” of these types of tests based on the amount of information the test team has been given about the organization prior to starting the test. Other sources use a reverse-classification system, typing the penetration test based on the amount of information available to the test team and then the location from which the test is conducted. I much prefer the latter method, since it removes any chance of misunderstanding about what testing is going to be conducted where. Warning: If you’re planning to take the CISSP or some of the other network security certification examinations, stick with the “old skool” “classification by location, then type” definitions for penetration testing types and variations.
When a penetration test is conducted against Internet-facing hosts, it is known as external testing. When conducted against hosts inside the organization’s internal network, it is known as internal testing. Obviously, a complete penetration test will encompass testing of both external and internal hosts. The “variations” of penetration tests are normally classified based on how much information the test team has been given about the organization. The three most commonly used terms for penetration types are white-box, gray-box, and black-box testing. Before we talk about these penetration testing variations, you need to understand that we can conduct any of them (white, gray, or black) either externally or internally. If we want a complete test, we need to test both externally and internally. Got it? Good! Now we can talk about what is involved with each type of testing.
We’ll start with white-box testing. The “official” definition of white-box testing usually includes verbiage about providing information so as to be able to assess the security of a specific target or assess security against a specific attack. There are several problems with this definition in real life. The first is that it sounds as though you would only conduct a white-box test if you were looking to verify the security of one specific host or looking to verify the security of your network against one specific attack. But it would be foolhardy to test for only one vulnerability. Since the “variations” we’re talking about are supposed to be centered on the amount of information available to the test team, let’s look at a white-box test from an information availability perspective.
Who in your organization knows the most about your network? Probably the network administrator. Any organization that has recently terminated employment of a network administrator or member of the IT Department under less than favorable circumstances has a big problem. There is the potential that the organization’s network could be attacked by this former employee who has extreme knowledge about the network. In a white-box test, therefore, the test team should be given about the same amount of information that a network administrator would have. Probably the team won’t be given passwords, but they’ll be given network ranges, topologies, and so on.
Gray-box testing, by “official” definition, provides “some” knowledge to the test team, about the sort of thing a normal, unprivileged user might have: hostnames, maybe a few IP addresses, the fact that the organization allows senior management to “remote” into the network, and so on. Common, though not necessarily public, knowledge about the “inner workings” of the organization’s network is the level of information provided to the test team. Some sources claim that this testing type (as well as the information disclosed in a white-box test) “puts the tester at an advantage” over an attacker because the test team possesses information that an attacker wouldn’t have. But that’s not necessarily the case. Any organization that has terminated a “normal user” has the potential for an attack based on that user’s inside knowledge of the network.
Now let’s talk about everyone’s favorite: black-box penetration testing. Again, we’ll start with the common definition, which usually says something like “provides the test team with little or no information except for possibly the company name.” The test team is required to obtain all their attack information from public sources such as the Internet. There’s usually some sentence somewhere in the description that says how a black-box test is always much better than any other type of test because it most closely mimics the way an attacker would conduct an attack. The definition might be right (and I might even be inclined to agree with it) if the organization has never terminated a network admin or any other employee with network access. I might also be more in agreement with this train of thought if the majority of attacks were conducted by unknown persons from the far reaches of the globe instead of former employees or currently employed “insiders”!
Depending on what article or book you happen to be reading at the time, you might also see references to application penetration testing, Web penetration testing, shrink-wrap penetration testing, wireless penetration testing, telephony penetration testing, Bluetooth penetration testing . . . and the list goes on. I’ve seen every possible device in a network listed as a separate penetration test. The bottom line is that if it’s present in the network, an organization needs to discover what vulnerabilities exist on it and then test those vulnerabilities to discover what could happen if they’re successfully exploited.
I guess since Morgan Kaufmann asked me to write this chapter, I can give you my opinion: I don’t like black-box penetration testing. I don’t want any network of mine tested “just like a hacker would do it.” I want my network tested better than any hacker ever could, because I don’t want to end up on the front page of The New York Times as the subject of a “latest breach” article. My client’s data are much too important to take that chance.
The success of every penetration test rests on the experience of the test team. If some hacker has more experience than the test team I hire, I’m in trouble! So how do I even the odds? Instead of hiring a team to do a black box, in which they’re going to spend hours searching for information and poking around, I give them the necessary information to test the network thoroughly, right up front. By doing so, their time is actually spent testing the network, not carrying out a high-tech scavenger hunt. Any good penetration test team is still going to do reconnaissance and tell me what information is available about my organization from public sources anyway. No, I’m not going to give up the administrative password to my network. But I am going to tell them what my IP ranges are, whether or not I have wireless, and whether I allow remote access into the network, among other things.
In addition to the types and variations of penetration testing, we also need to talk about announced and unannounced testing. Which of these two methods will be used depends on whether your intent is to test the network itself or the network’s security staff. In an announced test, the penetration testing team works in “full cooperation” with the IT staff and the IT staff has “full knowledge” about the test, such as what will be tested and when. In an unannounced test, only specific members of the tested organization (usually the higher levels of management) are aware that the testing will take place. Even they may only know a “window” of time for testing, not the exact times or dates.
If you follow the published guidelines, an unannounced test is used when testing an organization’s incident response capability is called for. Announced tests are used when the organization simply wants to test network devices. Is this really how it happens in the real world? Sometimes it isn’t.
Most organizations that conduct annual testing do so at about the same time every year, especially if it’s a government organization. So there’s really no such thing as an “unannounced” test. Everyone knows that sometime between X and Y dates, they’re going to be tested. In some organizations this means that during that timeframe there suddenly appears to be an increased awareness of network security. Machines get patched quicker. Logs are reviewed daily. Abnormal activities are reported immediately. After the testing window is over, however, it’s back to the same old routine until the next testing window, next year.
What about announced testing, you ask? Think about it: If you’re a network administrator and you know a test is coming, you’re going to make sure that everything is as good as you can make it. Once again, there’s that increased emphasis on security—until the testing window is over, that is.
Let’s take a minute to recap what we’ve talked about so far. We’ve learned that a penetration test is used to exploit discovered vulnerabilities and to help determine what an attacker could do if they successfully exploited a vulnerability. We learned that not all vulnerabilities are actually a concern, because there might not be a way to exploit them or what we’d get by exploiting them wouldn’t justify the time or effort we spent in doing so. We learned that there are different types and variations of penetration tests, that they can be announced or unannounced, and that none of them are actually “just like a hacker would do it.” Probably the most important thing we’ve learned so far is that if we really and truly want to protect our network from a real-life attack, we have to offset the biggest advantage that a hacker has: time. We discovered that we can do this by giving the testing team sufficient information to thoroughly test the network instead of surfing the Internet on our dime.
What’s next? Let’s talk about how a penetration test might be conducted.
4. Phases of Penetration Testing
There are three phases in a penetration test, and they mimic the phases that an attacker would use to conduct a real attack. These phases are the pre-attack phase, the attack phase, and the post-attack phase, as shown in Figure 22.1.
Figure 22.1 The three phases in a penetration test.
The activities that take place in each phase (as far as the penetration testing team is concerned) depend on how the rules of engagement have specified that the penetration test be conducted. To give you a more complete picture, we talk about these phases from the perspective of a hacker and from that of a penetration team conducting the test under “black-box” conditions.
The Pre-Attack Phase
The pre-attack phase (see Figure 22.2) consists of the penetration team’s or hacker’s attempts to investigate or explore the potential target. This reconnaissance effort is normally categorized into two types: active reconnaissance and passive reconnaissance.
Figure 22.2 The pre-attack phase.
Beginning with passive reconnaissance, which does not “touch” the network and is therefore undetectable by the target organization, the hacker or penetration tester will gather as much information as possible about the target company. Once all available sources for passive reconnaissance have been exhausted, the test team or attacker may move into active reconnaissance.
During active reconnaissance, the attacker may actually “touch” the network, thereby increasing the chance that they will be detected or alert the target that someone is “rattling the doorknobs.” Some of the information gathered during reconnaissance can be used to produce a provisional map of the network infrastructure for planning a more coordinated attack strategy later. Ultimately it boils down to information gathering in all its many forms. Hackers will often spend more time on pre-attack or reconnaissance activities than on the actual attack itself.
The Attack Phase
This stage involves the actual compromise of the target. The hacker or test team may exploit a logical or physical vulnerability discovered during the pre-attack phase or use other methods such as a weak security policy to gain access to a system. The important point here is to understand that although there could be several possible vulnerabilities, the hacker needs only one to be successful to compromise the network.
By comparison, a penetration test team will be interested in finding and exploiting as many vulnerabilities as possible because neither the organization nor the test team will know which vulnerability a hacker will choose to exploit first (see Figure 22.3). Once inside, the attacker may attempt to escalate his or her privileges, install one or more applications to sustain their access, further exploit the compromised system, and/or attempt to extend their control to other systems within the network. When they’ve finished having their way with the system or network, they will attempt to eliminate all evidence of their presence in a process some call “covering their tracks.”
Figure 22.3 The attack phase.
The Post-Attack Phase
The post-attack phase is unique to the penetration test team. It revolves around returning any modified system(s) to the pretest state. With the exception of covering their tracks, a real attacker couldn’t care less about returning a compromised system to its original state. The longer the system remains compromised, the longer they can legitimately claim credit for “pwning” (owning) the system.
Obviously, in a real penetration test, the following list would include reversal of each and every change made to the network to restore it to its pre-attack state. Some of the activities that the test team may have to accomplish are shown here:
• Removal of any files, tools, exploits, or other test-created objects uploaded to the system during testing
• Removal or reversal of any changes to the registry made during system testing
• Reversal of any access control list (ACL) changes to file(s) or folder(s) or other system or user object(s)
• Restoration of the system, network devices, and network infrastructure to the state the network was in prior to the beginning of the test
The key element for the penetration test team to be able to restore the network or system to its pre-attack state is documentation. The penetration testing team documents every step of every action taken during the test, for two reasons. The obvious one is so that they can reverse their steps to “cleanse” the system or network. The second reason is to ensure repeatability of the test. Why is repeatability an issue?
An important part of the penetration test team’s job is not only to find and exploit vulnerabilities but also to recommend appropriate mitigation strategies for discovered vulnerabilities. This is especially true for those vulnerabilities that were successfully exploited. After the tested organization implements the recommended corrections, it should repeat the penetration test team’s actions to ensure that the vulnerability has indeed been eliminated and that the applied mitigation has not had “unintended consequences” by creating a new vulnerability. The only way to do that is to recreate the original test that found the vulnerability in the first place, make sure it’s gone, and then make sure there are no new vulnerabilities as a result of fixing the original problem.
As you might imagine, there are lots of possible ways for Murphy to stick his nose into the process we just talked about. How do penetration test teams and tested organizations try to keep Murphy at bay? Rules!
5. Defining What’s Expected
Someone once said: “You can’t win the game if you don’t know the rules!” That statement makes good sense for a penetration test team as well. Every penetration test must have a clearly defined set of rules by which the penetration test “game” is played. These rules are put into place to help protect both the tested organization and the penetration test team from errors of omission and commission (under normal circumstances). According to the National Institute of Standards and Technology (NIST), the “rule book” for penetration tests is often called the “Rules of Engagement.” Rules of Engagement define things like which IP addresses or hosts are and are not allowed to be tested, which techniques are and are not allowed to be used, when testing is permitted or prohibited, points of contact for both the test team and the tested organization, IP addresses of machines from which testing is conducted, and measures to prevent escalation of an incident response to law enforcement, just to name a few.
There isn’t a standard format for the Rules of Engagement, so it is not the only document that can be used to control a penetration test. Based on the complexity of the tested organization and the scope of the penetration test, the penetration test team may also use detailed test plan(s) for either or both logical and physical testing. In addition to these documents, both the client and the penetration test company conducting the operation will require some type of formal contact that spells out either explicitly, or incorporates by reference, such items as how discovered sensitive material will be handled, an indemnification statement, nondisclosure statement, fees, project schedule, reporting, and responsibilities. These are but a few of the many items that penetration testing control documents cover, but they should be sufficient for you to understand that all aspects of the penetration test need to be described somewhere in a document.
We now know what’s expected during the penetration test. Armed with this information, how does the penetration test team plan to deliver the goods? It starts with a methodology.
6. The Need for a Methodology
When you leave for vacation and you’ve never been to your destination before, you’re likely make a list of things you need or want to do before, during, or after the trip. You might also take a map along so you know how to get there and not get lost or sidetracked along the way. Penetration test teams also use a map of sorts. It’s called their methodology.
A methodology is simply a way to ensure that a particular activity is conducted in a standard manner, with documented and repeatable results. It’s a planning tool to help ensure that all mandatory aspects of an activity are performed.
Just as a map will show you various ways to get to your destination, a good penetration testing methodology does not restrict the test team to a single way of compromising the network. While on the road to your dream vacation, you might find your planned route closed or under construction and you might have to make a detour. You might want to do some sightseeing, or maybe visit long-lost relatives along the way.
Similarly, in a penetration test, your primary attack strategy might not work, forcing you to find a way around a particular network device, firewall, or intrusion prevention system. While exploiting one vulnerability, you may discover another one that leads you to a different host or a different subnet. A well-written methodology allows the test team the leeway necessary to explore these “targets of opportunity” while still ultimately guiding them to the stated goals of the test.
Most penetration test companies will have developed a standard methodology that covers all aspects of a penetration test. This baseline methodology document is the starting point for planning a particular test. Once the control documentation has been finalized, the penetration test team will know exactly what they can and cannot test. They will then modify that baseline methodology based on the scope statement in the Rules of Engagement for the penetration test that they are going to conduct.
Different clients are subject to different regulatory requirements such as HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, or others, so the penetration test team’s methodology must also be flexible enough to cover these and other government or private industry regulations.
In a minute, we’ll talk about the sources of penetration testing methodologies, but for now, just understand that a methodology is not a “nice to have,” it’s a “must have.” Without a methodology to be used as the basis to plan and execute a penetration test, there is no reliability. The team will be lost in the network, never knowing if they’ve fulfilled the requirements of the test or not until they’re writing the report. By then, it’s too late—for them and for the organization.
7. Penetration Testing Methodologies
Back to our map example for a minute. Unless you’re a cartographer, you’re probably not going to make your own map to get to your dream vacation destination. You’ll rely on a map that someone else has drawn, tested, and published. The same holds true for penetration testing methodologies. Before we talk about how a methodology, any methodology, is used in a penetration test, let’s discuss penetration testing methodologies in general. There are probably as many different methodologies as there are companies conducting penetration tests, but all of them fit into one of two broad categories: open source or proprietary.
Open-source methodologies are just that: available for use by anyone. Probably the best-known open-source methodology, and de facto standard, is the Open Source Security Testing Methodology Manual (OSSTMM), the brainchild of Pete Herzog. You can get the latest copy of this document at www.isecom.org. Another valuable open-source methodology is the Open Web Application Security Project (OWASP), geared to securing Web applications, available at www.owasp.org.
Proprietary methodologies have been developed by particular entities offering network security services or certifications. The specific details of the processes that produce the output of the methodology are usually kept private. Companies wanting to use these proprietary methodologies must usually undergo specific training in their use and abide by quality standards set by the methodology proponent. Some examples of proprietary methodologies include IBM, ISS, Foundstone, and our own EC Council Licensed Penetrator Tester methodology.
8. Methodology in Action
A comprehensive penetration test is a systematic analysis of all security controls in place at the tested organization. The penetration test team will look at not only the logical and physical vulnerabilities that are present but also at the tested organization’s policies and procedures to assess whether or not the controls in place adequately protect the organization’s information infrastructure.
Let’s examine the use of a penetration testing methodology in more detail to demonstrate how it’s used to conduct a penetration test. Of course, as the President of the EC-Council, I’m going to take the liberty of using our LPT methodology as the example.
EC-Council LPT Methodology
Figure 22.4 is a block representation of some of the major areas of the LPT methodology as taught in the EC-Council’s Licensed Penetration Tester certification course. The first two rows of the diagram (except for the Wireless Network Penetration Testing block) represent a fairly normal sequence of events in the conduct of a penetration test. The test team will normally start by gathering information, then proceed with vulnerability discovery and analysis, followed by penetration testing from the network perimeter, and graduating to the internal network.
Figure 22.4 Block representation of some of the major areas of the LPT methodology.
After that, beginning with wireless testing, what the test team actually does will depend on what applications or services are present in the network and what is allowed to be tested under the Rules of Engagement. I’ve chosen not to show every specific step in the process as part of the diagram. After all, if I told you everything, there wouldn’t be any reason for you to get certified as a Licensed Penetration Tester, would there?
The methodology (and course) assumes that the penetration test team has been given authorization to conduct a complete test of the target network, including using denial-of-service tactics so that we can acquaint our LPT candidates with the breadth of testing they may be called on to perform. In real life, a test team may seldom actually perform DoS testing, but members of the penetration test team must still be proficient in conducting this type of test, to make recommendations in their reports as to the possible consequences of an attacker conducting a DoS attack on the company’s network infrastructure. Here I give you a quick overview of each of the components.
Information Gathering
The main purpose of information gathering is to understand more about the target company. As we’ve already talked about, there are a number of ways to gather information about the company from public domain sources such as the Internet, newspapers, and third-party information sources.
Vulnerability Analysis
Before you can attack, you have to find the weak points. A vulnerability analysis is the process of identifying logical weaknesses in computers and networks as well as physical weaknesses and weaknesses in policies, procedures, and practices relating to the network and the organization.
External Penetration Testing
External testing is normally conducted before internal testing. It exploits discovered vulnerabilities that are accessible from the Internet to help determine the degree of information exposure or network control that could be achieved by the successful exploitation of a particular vulnerability from outside the network.
Internal Network Penetration Testing
Internal testing is normally conducted after external testing. It exploits discovered vulnerabilities that are accessible from inside the organization to help determine the degree of information exposure or network control that could be achieved by the successful exploitation of a particular vulnerability from inside the network.
Router Penetration Testing
Depending on where they are located in the network infrastructure, routers may forward data to points inside or outside the target organization’s network. Take down a router; take down all hosts connected to that router. Because of their importance, routers that connect the target organization to the Internet may be tested twice: once from the Internet and again from inside the network.
Firewall Penetration Testing
Firewall(s) are another critical network infrastructure component that may be tested multiple times, depending on where they reside in the infrastructure. Firewalls that are exposed to the Internet are a primary line of defense for the tested organization and so will usually be tested from the Internet and from within the DMZ for both ingress and egress vulnerabilities and proper rule sets. Internal firewalls are often used to segregate portions of the internal network from each other. Those firewalls are also tested from both sides and for ingress and egress filtering to ensure that only applicable traffic can be passed.
IDS Penetration Testing
As networks have grown more complex and the methods to attack them have multiplied, more and more organizations have come to rely on intrusion detection (and prevention) systems (IDS/IPS) to give them warning or prevent an intrusion from occurring. The test team will be extremely interested in testing these devices for any vulnerabilities that will allow an attacker to circumvent setting of the IPS/IDS alarms.
Wireless Network Penetration Testing
If the target company uses wireless (and who doesn’t these days), the test team will focus on the availability of “outside” wireless networks that can be accessed by employees of the target company (effectively circumventing the company’s firewalls), the “reach” of the company’s own wireless signal outside the physical confines of the company’s buildings, and the type and strength of encryption employed by the wireless network.
Denial-of-Service Penetration Testing
If the test team is lucky enough to land a penetration test that includes DoS testing, they will focus on crashing the company’s Web sites and flooding the sites or the internal network with enough traffic to bring normal business processes to a standstill or a crawl. They may also attempt to cause a DoS by locking out user accounts instead of trying to crack the passwords.
Password-Cracking Penetration Testing
Need we say more?
Social Engineering Penetration Testing
The test team may use both computer- and human-based techniques to try to obtain not only sensitive and/or nonpublic information directly from employees but also to gain unescorted access to areas of the company that are normally off-limits to the public. Once alone in an off-limits area, the social engineer may then try to obtain additional sensitive or nonpublic information about the company, its data, or its customers.
Stolen Laptop, PDA, and Cell Phone Penetration Testing
Some organizations take great pains to secure the equipment that is located within the physical confines of their buildings but fail to have adequate policies and procedures in place to maintain that security when mobile equipment leaves the premises. The test team attempts to temporarily “liberate” mobile equipment and then conducts testing to gain access to the data stored on those devices. They will most often attempt to target either or both members of the IT Department and the senior members of an organization in the hopes that their mobile devices will contain the most useful data.
Application Penetration Testing
The test team will perform meticulous testing of an application to check for code-related or “back-end” vulnerabilities that might allow access to the application itself, the underlying operating system, or the data that the application can access.
Physical Security Penetration Testing
The test team may attempt to gain access to the organizational facilities before, during, or after business hours using techniques meant to defeat physical access control systems or alarms. They may also conduct an overt “walk-thorough” accompanied by a member of the tested organization to provide the tested company with an “objective perspective” of the physical security controls in place. Either as a part of physical security testing or as a part of social engineering, the team may rifle through the organization’s refuse to discover what discarded information could be used by an attacker to compromise the organization and to observe employee reaction to an unknown individual going through the trash.
Database Penetration Testing
The test team may attempt to directly access data contained in the database using account password-cracking techniques or indirectly access data by manipulating triggers and stored procedures that are executed by the database engine.
Voice-Over-IP Penetration Testing
The test team may attempt to gain access to the VoIP network for the purpose of recording conversations or to perform a DoS to the company’s voice communications network. In some cases, if the organization has not followed the established “best practices” for VoIP, the team may attempt to use the VoIP network as a jumping-off point to conduct further compromise of the organization’s network backbone.
VPN Penetration Testing
A number of companies allow at least some of their employees to work remotely, either from home or while they are “on the road.” In either case, a VPN represents a trusted connection to the internal network. The test team will attempt to gain access to the VPN by either compromising the remote endpoint or gaining access to the VPN tunnel so that they have a “blessed” connection to the internal company network.
In addition to testing the applicable items in the blocks on the previous diagram, the penetration test team must also be familiar with and able to test for compliance with the regulatory requirements to which the tested organization is subject. Each standard has specific areas that must be tested, the process and procedures of which may not be part of a standard penetration test.
I’m sure that as you read the previous paragraphs, there was a nagging thought in the back of your mind: What are the risks involved? Let’s talk about the risks.
9. Penetration Testing Risks
The difference between a real attack and a penetration test is the penetration tester’s intent, authority to conduct the test, and lack of malice. Because penetration testers may use the same tools and procedures as a real attacker, it should be obvious that penetration testing can have serious repercussions if it’s not performed correctly.
Even if your target company ceased all operations for the time the penetration test was being conducted, there is still a danger of data loss, corruption, or system crashes that might require a reinstall from “bare metal.” Few, if any, companies can afford to stop functioning while a penetration test is being performed. Therefore it is incumbent on both the target organization and the penetration test team to do everything in their power to prevent an interruption of normal business processes during penetration testing operations.
Target companies should be urged to back up all their critical data before testing begins. They should always have IT personnel present to immediately begin restoration in the unfortunate event that a system crashes or otherwise becomes unavailable. The test team must be prepared to lend all possible assistance to the target company in helping to restore any system that is affected by penetration testing activities.
10. Liability Issues
Although we just discussed some of the risks involved with conducting a penetration test, the issue of liability deserves its own special section. A botched penetration test can mean serious liability for the penetration test company that conducted the testing. The penetration test company should ensure that the documentation for the penetration test includes a liability waiver.
The waiver must be signed by an authorized representative of the target company and state that the penetration testing firm cannot be held responsible for the consequences of items such as:
11. Legal Consequences
The legal consequences of a penetration test gone wrong can be devastating to both the target company and the penetration testers performing the test. The company may become the target of lawsuits by customers. The penetration testers may become the target of lawsuits by the target company. The only winners in this situation are the lawyers. It is imperative that proper written permission is obtained from the target company before any testing is conducted.
Legal remedies are normally contained in a penetration testing contract that is drawn up in addition to the testing control documentation. Both the penetration test company and the target company should seek legal counsel to review the agreement and to protect their interests. The authorization to perform testing must come from a senior member of the test company, and that senior member must be someone who has the authority to authorize such testing, not just the network administrator or LAN manager.
Authorized representatives of both the penetration test company and the target company must sign the penetration testing contract to indicate that they agree with its contents and the contents of all documentation that may be included or included by reference, such as the Rules of Engagement, the test plan, and other test control documentation.
12. “Get Out of Jail Free” Card
We just talked about how the target company and the penetration test company protect themselves. What about that individual team member crawling around in the dumpster at 2:00 a.m., or the unfortunate team member who’s managed to get into the company president’s office and log onto his or her computer? What protection do those individuals have when that 600-pound gorilla of a security guard clamps his hand on their shoulder and asks what they’re doing?
A “Get Out of Jail Free” card might just work wonders in these and other cases. Though not really a card, it’s usually requested by the penetration test team as “extra insurance” during testing. It is presented if they’re detained or apprehended while in the performance of their duties, as proof that their actions are sanctioned by the officers of the company. The card may actually be a letter on the tested company’s letterhead and signed by the senior officer authorizing the test. It states the specific tasks that can be performed under the protection of the letter and specifically names the bearer.
It contains language that the bearer is conducting activities and testing under the auspices of a contract and that no violation of policy or crime is or has been committed. It includes a 24-hour contact number to verify the validity of the letter. As you can imagine, these “Get Out of Jail Free” cards are very sensitive and are usually distributed to team members immediately before testing begins, collected, and returned to the target company immediately after the end of any testing requiring their use.
There is a tremendous amount of work involved in conducting a thorough and comprehensive penetration test. What we’ve just discussed is but a 40,000-foot flyover of what actually happens during the process. But we’re not done yet! The one area that we haven’t discussed is the personnel performing these tests.
13. Penetration Testing Consultants
The quality of the penetration test performed for a client is directly dependent on the quality of the consultants performing the work, singularly and in the aggregate. There are hundreds if not thousands of self-proclaimed “security services providers” out there, both companies and individuals. If I’m in need of a penetration test, how can I possibly know whether the firm or individual I’m going to select is really and truly qualified to test my network comprehensively, accurately, and safely? What if I end up hiring a consultancy that employs hackers? What if the consultant(s) aren’t hackers, but they just don’t know what they’re doing?
In these, the last pages of this chapter, I want to talk about the people who perform penetration testing services. First, you get another dose of my personal opinion. Then we’ll talk about security services providers, those who provide penetration testing services. We’ll talk about some of the questions that you might want to ask about their operations and their employees. Here’s a hint for you: If the company is evasive in answering the questions or outright refuses to answer them—run!
What determines whether or not a penetration tester is “experienced”? There are few benchmarks to test the knowledge of a penetration tester. You can’t ask her for a score: “Yes, I’ve performed 27 penetration tests, been successful in compromising 23 of those networks, and the overall degree of difficulty of each one of those tests was 7 on a scale of 1 to 10.”
There really isn’t a Better Business Bureau for penetration testers. You can’t go to a Web site and see that XSecurity has had three complaints filed against them for crashing networks they’ve been testing or that “John Smith” has tested nine networks that were hacked within the following 24 hours. (Whoa! What an idea . . . ! Nah, wouldn’t work.) Few companies would want to admit that they chose the wrong person or company to test their networks, and that kind of information would surely be used by attackers in the “intelligence-gathering phase” as a source of information for future attacks on any company that chose to report.
Well, if we can’t do that, what can we do?
We pretty much have to rely on “word of mouth” that such-and-such a company does a good job. We have to pretty much rely on the fact that the tester has been certified to a basic standard of knowledge by a reputable certification body. We pretty much have to rely on the skill set of the individual penetration tester and that “the whole is more than the sum of its parts” thing called synergy, which is created when a group of penetration testers works together as a team.
I’m not going to insult you by telling you how to go ask for recommendations. I will tell you that there are security certification providers who are better than others and who hold their candidates to a higher standard of knowledge and professionalism than others. Since it’s hard to measure the “synergy” angle, let’s take a closer look at what skill sets should be present on the penetration team that you hire.
14. Required Skill Sets
Your penetration test “dream team” should be well versed in areas such as these:
• Hardware devices such as routers, firewalls, and IDS/IPS
That’s a rather long list to demonstrate a simple concept: Your penetration team should be able to show proof that they have knowledge about all the hardware, software, services, and protocols in use within your network.
Okay. They have technical skills. Is that enough?
15. Accomplishments
Are the members of the test team “bookworms” or have they had practical experience in their areas of expertise? Have they contributed to the security community? The list that follows should give you some indication of questions you can ask to determine the “experiences” of your test team:
• Have they conducted research and development in the security arena?
• Have they published research papers or articles in technical journals?
• Have they presented at seminars, either locally or internationally?
• What certifications do they hold? Where are those certifications from?
• Do they maintain membership/affiliation/accreditation in organizations such as the EC-Council, ISC2, ISACA, and others?
• Have they written or contributed to security-related books and articles?
How about some simple questions to ask of the company that will perform your test?
16. Hiring a Penetration Tester
Here are some of the questions you might consider asking prospective security service providers or things to think about when hiring a test team:
• Is providing security services the primary mission of the security service provider, or is this just an “additional revenue source” for another company?
• Does the company offer a comprehensive suite of services tailored to your specific requirements, or do they just offer service packages?
• Does the supplier have a methodology? Does their methodology follow a recognized authority in security such as OSSTMM, OWASP, or LPT?
• Does the supplier hire former hackers? Do they perform background checks on their employees?
• Can they distinguish (and articulate) between infrastructure and application testing?
• How many consultants does the supplier have who perform penetration testing? How long have those consultants been practicing?
• What will the final report look like? Does it meet your needs? Is the supplier willing to modify the format to suit your needs (within reason)?
• Is the report just a list of what’s wrong, or does it contain mitigation strategies that will be tailored to your particular situation?
• Is the supplier a recognized contributor to the security community?
• Do they have references available to attest to the quality of work already performed?
That ought to get a company started down the road to hiring a good penetration test team. Now let’s talk about why a company should hire you, either as an individual or as a member of a penetration testing team.
17. Why Should a Company Hire You?
When a prospective client needs a penetration test, they may publish a request for proposal (RFP) or just make an announcement that they are accepting solicitations for security services. When all the bids come in, they will only consider the most qualified candidates. How to you make sure that your or your company’s bid doesn’t end up in the “circular file?”
Qualifications
Highlight your or your company’s qualifications to perform the desired services. Don’t rely on “alphabet soup” after your name or your team’s names to highlight qualifications. Take the time to explain the meaning of CISSP, LPT, or MCSE.
Work Experience
The company will provide some information about itself. Align your response by highlighting work (without naming specific clients!) in the same or related fields and of related size.
Cutting-Edge Technical Skills
It doesn’t bode well when you list one of your primary skills as “MCSE in Windows NT 3.51 and NT 4.0.” Maintain your technical proficiency and showcase your most recent and most highly regarded certification accomplishments, such as CCNA, CEH, CHFI, CCNP, MCSE, LPT, CISA, and CISM.
Communication Skills
Whether your communicate with the prospective client through written or verbal methods, made sure you are well written or well spoken. Spell-check your written documents, and then look them over again. There are some errors that spell checkers just won’t find. “Dude, I’m gonna hack yer network!” isn’t going to cut it in a second-round presentation.
Attitude
Let’s face it: Most of us in the security arena have a bit of an ego and sometimes come off as a bit arrogant. Though that may hold some sway with your peers, it won’t help your case with a prospective client. Polite and professional at all times is the rule.
Team Skills
There is no synergy if there is no team. You must be a good team player who can deal with subordinates, superiors, and clients professionally, even in the most critical moments of an engagement.
Okay. You’ve done all this. What else do you need to know to get hired? What about the concerns of the company that will hire you?
Company Concerns
You can have a sterling record and the best qualifications around and still not get hired. Here are some of the “influencing factors” companies may consider when looking to hire a penetration testing team:
• Companies usually want to work in collaboration with reputable and well-established firms such as Foundstone, ISS, EC-Council, and others.
• Companies may want to verify the tools that will be run during a test and the equipment on which the tools run.
• Companies will want references for the individuals on the team as well as recommendations about the company itself.
• Companies demand security-related certifications such as CISSP, CEH, and TICSA to confirm the authenticity of the testing company.
• Companies usually have an aversion to hiring those who are known or suspected hackers.
• Companies may require security clearances.
• Companies may inquire about how and where their data will be stored while in the testing company’s possession.
Okay, you get the idea, right?
18. All’s Well that Ends Well
Anybody got an aspirin? I’m sure you probably need one after reading all the information I’ve tried to throw at you in this chapter. I’ve only barely scratched the surface of what a penetration test is, what it’s meant to accomplish, how it’s done, and how you report the findings to the client, but I’m out of space to tell you more.
Let me take these last couple of inches on the page to summarize. If you’ve got a network, the question is not “if” you’ll be attacked, but “when.” If you’re going to make your network as safe as possible, you need to find the weaknesses and then test them to see which ones are really, truly the things that need to be fixed “yesterday.” If you only conduct a penetration test once a year, a real hacker has 364 “unbirthdays” in which to attack and compromise your network. Don’t give them the opportunity. Get someone on your staff certified as an ethical hacker and a Licensed Penetration Tester so that they can perform ethical hacks and penetrations on a regular basis to help protect your network.