Penetration testing: hacking made ethical to test system security.
For companies looking to test their systems against security breaches, hiring a hacker might just be their best option. Ethical hackers are trained security professionals that provide penetration testing services--a secure and ethical way to verify the robustness of security controls.
An ethical hacker does more than verify if the organization is in compliance with the security policies. It provides organizations with a practical assessment of how vulnerable their network really is, and how difficult it would be for a hacker to break into it.
The testing process is much similar to the approach a hacker might take--the ethical hacker first goes after the low-hanging fruit or the most obvious ways to tamper with and extract pieces of information from the organization's network, and then gradually attempts more sophisticated attacks with the available time and resources.
An organization's penetration testing strategy will depend on how critical its data is or the services it offers, and the frequency of the testing will vary accordingly. Organizations typically perform penetration testing at least once a year on the overall network, but critical components of the network may be tested even more frequently, such as every six months.
VULNERABILITY SCANNING OR PENETRATION TESTING?
Unlike with vulnerability scanning, the ethical hacker performing penetration testing doesn't simply rely on automated tools. While tools are used to facilitate the process, the ethical hacker will try to hack into the server and exploit it, even if that server doesn't explicitly say it's vulnerable.
An ethical hacker has that hacker mindset and will prove creative enough to find ways to foil the system and take over the control of servers and applications, using its extensive knowledge of wired and wireless network security, firewalls, intrusion detection, web applications, and databases.
EXTERNAL VERSUS INTERNAL PENETRATION TESTING
The most common way of performing a penetration test is to test the external exposure of the organization's systems, meaning that when trying to hack into a client's network or web application, the attacks are performed via the Internet--just as a real hacker might do.
But internal tests are also recommended, since not all security threats come from the Internet. This means the ethical hacker performs penetration testing from inside the organization. An internal test provides information on what a hacker could do to the network once he's past the external barrier and, for example, controls one of the desktops connected to the internal network.
Just because an organization has a firewall and Internet filtering system in place doesn't mean that organization is not susceptible to external attacks. With the proliferation of mobile technology, it's easier than ever for a hacker to penetrate an organization's internal network. A consultant, for example, might unknowingly have malware installed on his computer and connect it to the organization's internal network. Or an employee might take a laptop home and unknowingly download a virus, then bring the laptop back and connect to the network.
With vulnerabilities and patches being released for Internet browsers and plug-ins regularly, an employee could unknowingly become part of a botnet by taking an organization laptop home and browsing a website with malicious code. A botnet is a large network of computers controlled by a hacker; the hacker sends commands to the controlled computers through the botnet to perform certain actions, such as a denial of service attack. That means the employee's computer becomes a relay for attacks in the corporate network--and the employee isn't even aware that attacks are being performed via his computer.
So, while external tests are a must--there are regular attempts to break into networks, usually by automated tools--internal tests are also strongly recommended.
TYPES OF TESTS
Typically, an ethical hacker tries to break into all of a client's systems, but the client can also choose to have an a la carte test--perhaps, for example, they want to test a specific email server or web application. In this case, the ethical hacker would simulate scenarios that attackers might perform on that email server or web application to see if vulnerabilities exist.
One of the most popular social engineering tests, called phishing, is typically performed on executives within the organization who have access to several systems. The ethical hacker will try to 'phish' for information from the executive, and then use that information to break into the executive's system. From there, the ethical hacker will see how far he can get into the corporate network, extracting data from the organization without triggering alarms or being spotted by the security systems in place.
Another popular test is denial of service; typically, a 'hacker activist' who is not happy with the practices of a certain organization or government will perform a denial of service attack to completely cut off communications between the organization or government and the Internet. Denial of service tests are performed by an ethical hacker in order to see if the organization has measures in place to protect itself against such attacks, and if those measures actually work as expected.
Finally, hacking into web applications available on the Internet and tampering with sensitive data, such as financial or private information, is a type of test that is included in most penetration tests.
A security firm typically tests various scenarios that involve several systems coupled together. If the email server is vulnerable, for example, the ethical hacker takes it a step further, such as attempting a social engineering attack, and from there tries to go deeper and deeper into the organization.
There are several ways in which these tests can be performed. The first is the 'black box' test, where the organization doesn't provide the ethical hacker with any information on how systems are configured or designed to work.
The next level is a 'grey box' test, where the organization provides the ethical hacker with some information (such as an account that allows the ethical hacker to access the network as a regular user), but not all information (such as an administrative account). Or, the organization might provide the ethical hacker with some access to the email server, without providing access to the logs.
Finally, there's the 'white box' test in which the ethical hacker has complete access to the organization's environment, such as access to the source code of an application, the ability to see logs generated by the server, and even the ability to modify some parameters (with the organization's permission).
Each type of test has its advantages. The black box test will provide a fairly accurate estimate of what attackers would be able to do if they had the same amount of time and information that the security firm had, whereas the white box test has the advantage of allowing the security firm to go into much deeper detail. And, in three weeks, the security firm will be able to see what would take attackers three months or more to discover.
In the beginning, companies tend to perform the black box test to get raw data about how vulnerable they are. But companies that have more sensitive data (such as those that work with medical or financial information) want to be aware of more sophisticated attacks, even if those attacks take more effort for hackers to perform, and that's where a white box test comes in.
Penetration testing provides a much higher level of assurance than vulnerability scanning alone. It can provide organizations of any size invaluable insight into strengths and weaknesses, keep them up-to-date with the ever-changing world of security threats, and lead to a set of recommendations and the execution of a concrete action plan.
Daniel Boteanu is a senior information technology security consultant at OKIOK, Laval, QC. He is an expert in penetration testing and vulnerability analysis of applications. Mr. Boteanu holds a M.Ing. in Computer Science from Institut National des Sciences Appliquees de Lyon and an M.Sc. in Computer Science from Ecole Polytechnique de Montreal. He also holds the MCR SANS GPEN and CSSLP certifications.