A penetration test is any simulated attack scenario. It could be purely technological, it could focus on uncovering weaknesses to social engineering tactics, or it could take a holistic approach and use any and all tactics and tools available to penetrate the organization’s defenses. Because this type of testing is inherently invasive and simulates as closely as possible the methods of an actual attack, it is important that all parties have a clear outline of what will be done, what restrictions (if any) must be followed, and what the tests are designed to uncover. If there is any miscommunication between the testers and the organization’s management team, a useful penetration test could easily become a crisis situation.
For example, suppose an organization hired a security consulting firm to conduct a penetration test against its IT infrastructure. During the planning stage, management neglected to mention that they would be launching a new customer-facing website during the window allowed for the penetration test. The penetration test proceeded, and the test attack interrupted service during the website launch. Management was understandably upset that a test scenario disrupted a major website launch. The penetration testers had no idea that this particular website was any more important than any other hosted on the organization’s servers. All this would have been avoided had the penetration test team known that the new website was off-limits, and if management had known exactly what the penetration test team planned to do.
Good communication between the penetration testing team and the organization is crucial, especially when determining the scope and timing of the test. Some methods used by penetration testing teams can result in systems crashing and network slowdowns due to increased traffic. It is important for the penetration team to know at what times this type of test is acceptable and when it is not. An organization will not want its customer-facing eCommerce website, for example, to be brought down during peak ordering times.
Any penetration test should follow a well-planned methodology that has been approved by upper management. The basic stages of a penetration test are:
These basic steps will help ensure an accurate, safe penetration test that produces actionable results for the organization. The basic goals of any penetration test are to assess three areas: whether policies and standards are followed, whether an appropriate baseline is achieved throughout the infrastructure, and whether countermeasures and access control systems are implemented properly. The next three sections discuss these goals in detail.
Always consult legal counsel before conducting any penetration test, even on your own organization.
Every organization should have policies and standards for access controls. Simply having standards is not enough to secure an infrastructure—those standards must be implemented and followed consistently. A good penetration test attempts to uncover inconsistencies and exploits them to demonstrate this weakness in the organization’s infrastructure.
Social engineering methods are often used to find weaknesses in policy and in implementing standards. Often, a lax attitude toward security and a lack of understanding of how policies and standards contribute to an organization’s overall security posture lead to employees who take shortcuts and circumvent access controls. They may hold or prop open the doors to sensitive areas, reuse passwords, or share privileged accounts. A good penetration testing team will use social engineering and other methods to discover these weak areas.
During the planning phase, a security baseline is defined. The baseline is the minimum level of security that is acceptable to the organization. Whether that baseline is achieved throughout the organization is a question answerable by a good penetration test.
For example, if the organization has determined that no outside access should be permitted to the intranet as one baseline for access control systems, penetration tests may scan for open ports on the intranet server and attempt to gain remote access.
Access control systems are often complex and sophisticated, and vulnerabilities often hide in those complexities. Security countermeasures are not always well understood by IT staff, and access control systems can be misconfigured in such a way as to allow false positives, that is, to grant access that the policy says should be refused. Penetration tests probe access control systems and attempt to force a false positive. When such a probe succeeds, penetration tests also exercise the security countermeasures and verify that they are effective.
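As an added example (not from the text above), the following Python sketch shows the kind of false positive the passage describes: a rule set evaluated first-match with an implicit default-allow grants requests that the written policy says should be denied, while a deny-overrides, default-deny evaluator of the same rules does not. The rule set, the probe list and the `Rule` type are constructed for illustration and do not represent any particular product.

```python
"""Probing a rule-based access control list for false positives."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    effect: str      # "allow" or "deny"
    subject: str     # user name, or "*" for any subject
    resource: str    # resource path prefix, or "*" for any resource


def _matches(rule, subject, resource):
    return (rule.subject in ("*", subject)
            and (rule.resource == "*" or resource.startswith(rule.resource)))


def decide_first_match(rules, subject, resource):
    """Misconfigured evaluator: the first matching rule wins, and a request
    that matches no rule at all is allowed (default-allow)."""
    for rule in rules:
        if _matches(rule, subject, resource):
            return rule.effect == "allow"
    return True   # default-allow: this is the misconfiguration


def decide_deny_overrides(rules, subject, resource):
    """Hardened evaluator: any matching deny wins, an explicit allow is
    required otherwise, and an unmatched request is denied (default-deny)."""
    allowed = False
    for rule in rules:
        if _matches(rule, subject, resource):
            if rule.effect == "deny":
                return False
            allowed = True
    return allowed


# Constructed rule set: a broad allow is listed before a narrower deny.
RULES = [
    Rule("allow", "*", "/intranet/"),
    Rule("deny", "contractor", "/intranet/hr/"),
    Rule("allow", "admin", "*"),
]

# Constructed probes: (subject, resource, decision the written policy expects).
PROBES = [
    ("employee", "/intranet/wiki", True),
    ("contractor", "/intranet/wiki", True),
    ("contractor", "/intranet/hr/payroll", False),
    ("guest", "/finance/ledger", False),
    ("admin", "/finance/ledger", True),
]


def find_false_positives(decide, rules=RULES, probes=PROBES):
    """Run every probe; return those granted although policy expects a denial."""
    return [(s, r) for s, r, expected in probes
            if decide(rules, s, r) and not expected]
```

Running `find_false_positives` against both evaluators shows the first-match version granting the contractor's HR request and the unmatched guest request, while the deny-overrides version reports none.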