Based on the fundamental principle that prevention is better than cure, penetration testing (pen testing) is essentially an information assurance activity to determine if information is appropriately secured.
Penetration testers, sometimes referred to as ‘white hats’ or ethical hackers, use the same tools and techniques as the bad guys (‘black hat hackers’), but in a controlled manner and with the express permission of the target organisation. The aim of the exercise isn't simply to determine whether it's possible to break through an organisation's defences, but to identify the breadth and depth of its vulnerabilities.
Naturally, a major focus is offering detailed and accessible recommendations to improve an organisation's overall security posture. Aside from assessing the risk of the more technically oriented findings, a report will typically include root cause analysis; this tends to be more business focused, addressing shortcomings in the organisation's overarching information security strategy – for example, why a password policy is insufficient, or where patch management is inconsistent.
Any organisation with sensitive information such as customer data, personally identifiable information, payroll data, payment card data, intellectual property or trade secrets should probably be incorporating penetration testing within their wider governance, risk and compliance activities.
One of the prominent drivers for conducting regular pen testing is PCI-DSS compliance, which outlines requirements for penetration testing activities to validate the security controls in place. Other drivers include businesses wanting to validate the resilience of a new IT environment or perhaps following a major change: fundamentally it's driven by the desire to ensure the company's assets and data are well protected from attack.
We know that being the victim of a data breach can impact a business's top-line revenue through negative press, and in some industries the risk of regulatory fines is also at play – no one wants to become the next data-breach headline.
Those companies with more mature approaches to security will tend to have proactively incorporated the use of pen tests into their strategy and have a relatively clear roadmap at the beginning of the year, commonly including the network environments and most critical web applications that require pen testing, how frequently they should be tested, and when.
Others adopt an ad hoc approach, sometimes just before a new system goes live or as part of their annual PCI review. The latter frequently just focuses on the infrastructure associated with payment card data and may leave the remainder of the network untested.
Vulnerability scans versus pen testing
A common area of confusion is the relationship between vulnerability scanning (automated) and pen testing (expert driven manual testing). Both involve a proactive and concerted attempt to identify vulnerabilities that could expose the organisation to a potential malevolent attack.
Vulnerability scanners are great at identifying ‘low-hanging’ vulnerabilities, like common configuration mistakes or unpatched systems, which offer an easy target for attackers. What they are unable to determine is the context or nature of the asset or data at risk, and they are also less able than humans to identify unknown unknowns (things not already on the risk register, or not theorised by the organisation as potential security issues).
Good pen-testing teams, however, do this very well. For instance, we've had countless engagements where previously an environment was only vulnerability scanned, and when we've conducted a pen test of that same environment, we've managed to compromise a number of systems, gained unauthorised domain-administrator or root access to systems, and ultimately gained unauthorised access to sensitive data.
One final distinction is that vulnerability scanners are unable to detect certain types of security issue, such as subtle business logic flaws, which require a human's understanding of how a particular workflow or process is supposed to work in order to exploit them.
In truth, both are required: vulnerability scanning as a frequent (e.g. monthly or quarterly) baseline activity, and pen testing as the more detailed exercise, perhaps once or twice per year, depending on the assurance objectives. The point is that an experienced security tester, ethical or not, often finds critical and high-risk vulnerabilities in environments that regularly undergo automated vulnerability scanning.
Different types of pen tests
The most common types of test are directed either at network infrastructure or at a specific application. A network pen test typically covers entire networks and many hosts, sometimes crossing geographical boundaries. The testing is usually both external, against internet-facing servers and supporting infrastructure, and internal, against internal corporate information systems assets, including servers, workstations and IP telephony systems.
Application testing, on the other hand, involves a targeted assessment of an individual, usually web-based, application. The application may be accessible just to the company's own employees, third parties or partners, or it could be facing the internet and available to all, such as an e-commerce website.
Conducting this type of testing requires authentication credentials for each role or privilege level within the application, so that every role can be tested. This enables the tester to verify that, for any given user role, that role cannot create, read, update or delete data in an unauthorised manner.
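The per-role check described above can be expressed as a small authorisation audit: take the access matrix the application is supposed to enforce, exercise every role/operation pair with that role's credentials, and report any pair where the application's behaviour departs from the matrix. The following is an added example, not code from the original article or from Trustwave; the roles, the `records` resource, the expected matrix and the `ToyApp` stand-in (whose enforced policy deliberately lets the `viewer` role delete, so the audit has something to find) are all constructed for illustration.

```python
"""Per-role authorisation audit against an expected access matrix.

Added example (not from the original article). It models a small in-memory
application with three roles and the CRUD operations each role should be
allowed to perform on a 'records' resource, then exercises every
role/operation pair and reports any deviation from the expected matrix.
Role names, the resource and the toy application are constructed.
"""
from typing import Dict, List, Set, Tuple

# Expected access matrix (constructed assumption): the operations each role
# is supposed to be permitted on the 'records' resource.
EXPECTED: Dict[str, Set[str]] = {
    "viewer": {"read"},
    "editor": {"create", "read", "update"},
    "admin": {"create", "read", "update", "delete"},
}

OPERATIONS = ("create", "read", "update", "delete")


class ToyApp:
    """Minimal stand-in for the application under test (constructed).

    In a real engagement this would be replaced by authenticated HTTP calls
    made with each role's credentials; here the policy is an in-memory table.
    """

    # Policy the app actually enforces. Deliberately mismatched from EXPECTED
    # so the audit surfaces a flaw: 'viewer' is wrongly allowed to delete.
    _ENFORCED: Dict[str, Set[str]] = {
        "viewer": {"read", "delete"},
        "editor": {"create", "read", "update"},
        "admin": {"create", "read", "update", "delete"},
    }

    def perform(self, role: str, operation: str) -> bool:
        """Return True if the app lets `role` do `operation`, False if refused."""
        return operation in self._ENFORCED.get(role, set())


def audit(app: ToyApp, expected: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Exercise every role/operation pair and return findings as (role, op, kind).

    kind is 'excess' when the app allowed something the matrix forbids (the
    authorisation flaw a tester is looking for) and 'missing' when it denied
    something the matrix permits (a functional gap, still worth reporting).
    """
    findings: List[Tuple[str, str, str]] = []
    for role, allowed in expected.items():
        for op in OPERATIONS:
            granted = app.perform(role, op)
            if granted and op not in allowed:
                findings.append((role, op, "excess"))
            elif not granted and op in allowed:
                findings.append((role, op, "missing"))
    return findings


def excess_privileges(findings: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Filter the audit output down to the security-relevant findings."""
    return [f for f in findings if f[2] == "excess"]


if __name__ == "__main__":
    for role, op, kind in audit(ToyApp(), EXPECTED):
        print(f"{kind.upper():8} role={role!r} operation={op!r}")
```

The matrix is the authoritative input: it should come from the application's design documentation or the client's statement of intended behaviour, not from observing what the application currently does, otherwise the audit merely confirms the existing (possibly flawed) policy. Separating ‘excess’ from ‘missing’ findings keeps the privilege-escalation issues distinct from ordinary functional defects in the report.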
Most organisations possess numerous web-based applications, not just the corporate website, that could be a potential entry point for attackers. Our recently published global security report, which gleaned results from 2,000 manual pen tests globally, revealed that ‘SQL injection’ and ‘business logic’ flaws are the most common web-based vulnerabilities that we regularly identify.
Choosing a pen tester
Clearly, choosing a trusted partner to conduct pen testing is itself a sensitive matter, and the field of professional penetration testing is still relatively new and somewhat unregulated. For instance, it lacks a central governing body for professional standards when compared with more established professions, such as financial auditing.
Some accreditations do exist, such as those offered by CREST (Council of Registered Ethical Security Testers), but it is a chiefly UK-centric accreditation at both company and individual level.
Given the relatively low barrier to entry for organisations claiming to be expert penetration testers, reputation and industry standing are of utmost importance when selecting a provider. While there are a number of high-calibre individuals working for boutique security consultancies, organisations should seek well-established penetration testing providers with well-documented methodologies, careful recruitment policies, established references and a track record of delivering the full spectrum of advanced technical security services.
By incorporating pen testing activities as part of a wider information security strategy, organisations can validate the robustness of their security controls and identify as yet unknown risks to their business. The results of a pen test and guidance provided help organisations to better protect sensitive data from falling into the wrong hands.
John Yeo is a director of Trustwave SpiderLabs EMEA