Guest editorial by Alberto SoliñoPenetration testing is a highly scientific, metrics-driven approach to IT security that has been in practice since almost the dawn of the modern computing era when programmers first began conducting organized tests, or “hacks” of their own, or others’ technologies to test their performance and reliability.
Penetration testing is a highly scientific, metrics-driven approach to IT security that has been in practice since almost the dawn of the modern computing era when programmers first began conducting organized tests, or “hacks” of their own, or others’ technologies to test their performance and reliability.
From nearly the start, as developers attempted to assess the tolerance levels of their technologies to different forms of input, and some user organizations, including governments, did the same, they realized that this process was helpful not only in terms of allowing them to design more stable products, but also in securing these technologies to prevent them from being broken or improperly accessed.
As government agencies and businesses that handle proprietary and sensitive data continued to adopt computing more broadly, and demand that these systems were hardened against undesired interruption or accessibility, both by their developers and internal IT security staff, the formal process of penetration testing was born.
Decades later, penetration testing stands as one of the most established and demonstrative methods for gauging the security posture of nearly any type of software program imaginable. However, based largely on misconceptions about the specific techniques involved in the process and the types of skill sets needed to practice it, pen testing remains something of a mystery to the uninitiated.
Penetration testing, and its own subsequent technological offspring – automated penetration testing, is increasingly being recognized by mainstream authorities – including numerous standards bodies and leading IT security practitioners – as the most effective manner of calculating a system or organization’s level of IT-based risk and garnering actionable data to drive management of those vulnerabilities.
What follows is a listing of some of the leading myths and misconceptions that have been applied to penetration testing, and the reasons why they are now – or never were – valid.
Here are some of the more prevalent penetration testing myths and misconceptions:
1. Pen testing is unsafe from an overall security and reliability standpoint.
While it is true that when conducted improperly or insufficiently managed, penetration testing may have unintended consequences, this is a matter of its practical application, not the process of testing itself. Pen testing can be an intrusive exercise and sometimes has unexpected consequences, but when carried out with the necessary level of planning and due diligence, and using products that have been vetted using thorough QA processes, it’s as safe as any other form of security or systems assessment. In particular, by arming those IT staffers responsible for performing tests with commercial-grade solutions that have themselves been tested to ensure that their exploits can be trusted to execute only a controlled set of actions, and that they will not have any unexpected or residual effects on the assets being tested, organizations can feel confident about carrying out assessment on live, production systems without generating unexpected side-effects.
2. The only way to conduct thorough pen testing is via outsourced services.
Penetration testing originated as an internal process for technology developers, government agencies and other organizations as a method of targeted self-assessment; only after the process began being consumed by larger numbers of organizations who did not have internal security expertise, or whom were forced to seek third-party assessments by regulators, did it become a practice delivered widely by consulting services providers. With the emergence of automated penetration testing software, many organizations – with widely varying levels of internal expertise – have moved to more broadly embrace pen testing as a central element of their internal IT security and risk management programs, including as a means of preparation for audits. In addition to having the flexibility to perform testing on their own timetable, proponents would also argue that internal testing also allows for assessment without exposing vulnerabilities to third parties.
3. Pen testing always takes a long time.
Like any form of analysis, penetration testing timeframes can vary based on many factors, including the scope of individual projects, the assets being tested, and any other parameters dictated by its practitioners. However, it is not a prerequisite, or even a common rule-of-thumb, that these assessments must encompass lengthy periods of time. Like many other areas of IT, this misconception has been driven in part by the desire of services providers to extend engagements and boost billable hours related to performing tests. The advancement of automated penetration testing solutions has had a dramatic affect on this entire proposition, in particular. In addition to allowing inexperienced testers to conduct assessments, these solutions also automate many manual time-consuming testing tasks, allowing skilled testers to speed their work, from necessary preparatory information gathering to reporting of results.
4. You need experienced staff to conduct extensive pen testing.
Traditionally, formal penetration testing has largely been considered the domain of highly experienced IT security professionals and specialized consultants, but this has changed radically in recent years with the emergence of automated penetration solutions. Today, with improvements in pen testing software and the emergence of products offering everything from pre-test intelligence collection and target selection, through testing itself and even reporting of results, organizations can rapidly begin using this process to help isolate and validate their vulnerabilities. While organizations seeking to run highly customized or independent reviews may still desire for more experienced users or consultants to carry out those specialized projects, many types of pen tests can now be run on a frequent basis by internal IT staff armed with the appropriate solutions.
5. Pen testing is a “black art.”
Based on the type of work that penetration testing involves – the attempted exploitation of security vulnerabilities, most often using the same tactics employed by criminal hackers and malware programs – and the level of confidentiality required in safeguarding assessment results, many people have harbored the notion that testing is a something of a black art, practiced in back rooms by secretive people with highly specialized skills and elevated security clearances. The heavy use of penetration testing among government and military agencies has helped contribute to this perception. However, penetration testing is actually a highly ethical, logical, scientific approach to determining the vulnerability of programs by attempting to exploit their weaknesses just as a real-world attacker would. Today, many mainstream organizations conduct regular pen tests performed by internal IT security staffers who have been trained and certified to carry out the work, or who use automated software solutions to do so.
6. Pen testing results are difficult to understand.
Before the emergence of penetration testing solutions, it may have been valid to conclude that assessment results were often hard to understand, largely based on the customized manner in which individual testers tailored their projects and the results that they sought to achieve. However, with the introduction of automated software programs used to carry out pen tests, some of which include the ability to automatically create detailed summaries of the assessments they complete and the outcomes of those reviews, organizations can get their hands on the valuable strategic security intelligence provided via the process in easy-to-understand formats. And whereas in the past combining results from multiple tests to determine trends was a lengthy manual process, today’s solutions allows organizations to garner this type of data rapidly at the push of a button.
7. Pen testing and vulnerability scanning are comparable, versus complementary.
As IT security programs have evolved over time, penetration testing has been included in the range of functions categorized under the general terminology of “vulnerability assessment,” which also encompasses practices such as source code review and the use of vulnerability scanners. One offshoot of this development has been that some people mistakenly perceive that penetration testing and vulnerability scanning produce the same types of results, and are comparable. In reality, the two practices are very different, yet almost wholly complementary. Simply put, vulnerability scanners test programs for any type of potential security exposure they can find and produce voluminous results that offer little insight into the severity of those issues or how they might be exploited. Penetration testing shows assessors which vulnerabilities can be exploited by real-world attacks, how they can be exploited, and what level of risk they represent, such as what types of underlying data they may expose and when multiple flaws might be targeted in concert.
8. Pen testing results create new problems for IT security.
Some people familiar with the efficacy of penetration testing in unearthing exploitable vulnerabilities have arrived at the conclusion that the process creates more problems than it is worth, in that it can call-out a wide range of issues that may be difficult to effectively remediate. However, organizations can no longer afford to swear-off a highly productive form of security assessment based on fears of the work it might create, specifically as cyber-criminals are working ceaselessly to discern methods by which to take advantage of the same issues it elevates, and both government and industry regulators will not accept the argument of deniability when organizations are successfully attacked. Pen testing shows organizations which of their vulnerabilities are most available to potential attackers and allows them to prioritize remediation efforts accordingly.
9. It’s hard to sell pen testing to management.
Based on some of these preconceived notions about penetration testing, some people maintain the opinion that while it might be effective, the process is too invasive to advocate to either IT or business management, therefore making it impossible to pursue, or to get financial support for. However, unlike many other IT and security programs, pen testing is actually a practice that involves processes, goals and benefits that are easy to explain and defend to leadership. In today’s security environment, executives are very concerned with ensuring that hackers and malware attacks cannot take systems offline or steal valuable data, and with meeting regulatory compliance mandates that place legal responsibility for preventing such activities squarely upon their shoulders. Penetration testing is a safe, proactive method of assessing IT security posture in the face of real-world attacks and data theft attempts.
10. Pen testing is a luxury, versus a must-have.
In previous years when penetration testing was a more specialized process, and required the hiring of experienced staffers or outside consultants, the practice was considered a pursuit that was nice to engage in if you could afford it but impractical for many organizations. However, with the emergence of penetration testing solutions that allow organizations to use existing IT staffers to conduct assessments on a regular basis, most organizations can now afford to embrace the practice without adding significant overhead expenses. Further, with the continued evolution of the cyber-crime ecosystem and increased demand from regulators for organizations to become more proactive in securing IT assets, including those guidelines that specifically require pen tests, the process is no longer the domain of a select few but rather a standardized, mainstream best practice that they will soon be expected to incorporate into their regular operations.
* Alberto's Soliño director of consulting services at Core Security. He has led engagements for customers including Microsoft and Symantec.