Penetrate this!

Penetration testers are trained and dedicated e-security professionals whose primary objective is to assess the defense and stability of your network and systems.

The oft-perceived image of penetration testing is that of a team of tattooed techno geeks sitting in a small, dark room trying to crack into an organisation's network in the middle of the night. The reality is that penetration testers are trained and dedicated e-security professionals whose primary objective is to assess the defense and stability of your network and systems.

As the e-marketplace continues to grow in popularity and functionality, the probability of intrusion increases in proportion with an organisation's footprint on the e-world. Expanding online customer and employee services can be great for business, but it also opens your network to higher visibility and increased traffic.

In addition to developing best practices – those that identify and define an organisation’s IT strategy, including ongoing maintenance and emergency response plans – identifying pitfalls, defining priorities and planning for the future can go a long way to reducing the threat of online attack. Undertaking penetration testing is a solid step toward safeguarding your information and intellectual property.

Protect Your Assets
Penetration testing plays a key role in assessing the level of your organisation's e-security, examining the effectiveness of the controls in place that restrict unauthorised entry. As a formalised set of procedures designed to assess the existing security controls of a system or organisation, penetration testing is a mainstay in any vulnerability analysis toolkit. Organisations need to know if unauthorised individuals can access their critical information resources by exploiting vulnerabilities in the network. The sole objective of any penetration test is to identify weaknesses before they are exploited.

The process is straightforward. An entrusted tester, with proper authorisation from your company and schedules defined prior to initiation, uses known vulnerabilities in an attempt to perform intrusions into hosts, networks, operating systems and applications, and measures the difficulty of gaining access to onsite equipment.

Based on experience, the weakest link within an organisation is often not the technology of the network, but the physical access to it. The first step in penetration testing involves assessing the physical infrastructure of an organisation and identifying all the barriers that lie between the tester and your database or servers.

The second step involves electronic testing, which consists of attacks on computer systems aimed at defeating the current network perimeter defense. Depending on the scope of work, a tester may use a suite of tools to achieve the required goals. Emphasis will often be placed on an organisation’s exposure to the Internet. Specific machines, primarily Web servers, firewalls and routers, are scrutinised to ensure that the organisation’s network is protected from external attacks.

The Stages
As the diagram below shows, there are three main stages of testing: intelligence gathering, reconnaissance and exploit. Specific skillsets and tools are employed to ensure that the project runs smoothly and provides optimal results.


Figure 1.1 Remote Penetration Service Scope of Work

  • Intelligence gathering is a process that allows the tester to create a complete profile of an organisation’s security posture. By using a combination of tools and techniques, a tester can take an unknown entity and reduce it to a specific range of network or individual IP addresses.
  • Reconnaissance is an essential step that maps out a network to determine if individual systems possess open entry points into an organisation.
  • Exploit is the final phase where all standard rules and fundamentals are broken to expand the limits of a system’s capabilities to the point where it breaks, thus revealing a weak spot.
  • Testing outcomes are compiled and presented as a final report. The report should include where the weaknesses were found, as well as recommendations to eliminate the vulnerabilities. Critical vulnerabilities must be addressed immediately and, thereafter, a schedule must be set for when all the vulnerabilities are to be addressed.

Special attention should be given to the custody of the final document. Report findings must be handled with the utmost confidentiality; if the information falls into the wrong hands, it could be used to exploit vulnerabilities before they have been addressed and secured.

The Bottom Line
Organisations have traditionally perceived IT security as a technological issue. With online investment reaching into the millions of dollars for larger firms, security is one of the most important business issues facing organisations and business owners today. The decision to perform evaluations like penetration testing requires full management support in the interest of protecting the organisation’s invaluable information assets.

Regular assessments like penetration testing are vital to an organisation's ongoing e-security. Understanding the necessity for and stages of testing ensures that you will be better equipped to meet the challenges of identifying current weaknesses, implementing the necessary tools to address vulnerabilities and anticipating future risk.

Benjamin Mah, CISSP, is a senior consultant with e-Cop.net in Singapore.