printer friendly version

Penetration testing - protection against risk

Penetration testing has been a mainstay of IT security for several years and many people think they know what it involves. However, many people actually have a very loose understanding of what it needs to cover in order to be truly effective, whereas penetration testing should be viewed as an integral element of a company's efforts to minimise exposure to risk.

Penetration testing can be defined as auditing the security of all the various 'back doors' into a company, for example running dummy attacks on Internet gateways, Web applications, internal networks and dial-up modems (war dialling). The reason why it is required is straightforward: no firewall provides sufficient protection on its own and cannot prevent all attacks, so any system connected to the Internet is at risk to a greater or lesser extent. Since most networks' configuration or structure changes over time, this can also have an impact on security. Therefore, penetration testing should be a fundamental element of an Internet security strategy, which typically also includes intrusion detection and protection, anti-virus and spam software, as well as firewalls of course.

So what options are available to companies? There are two main approaches: using ex-hackers to attack the network, or employing security consultants to devise broader penetration testing procedures. Both have their merits. Reformed hackers are viewed as an attractive option, not least because they are relatively cheap and are likely to make use of the latest technology, because the 'bad guys' tend to know about the loopholes before the security industry itself.

However, this approach does have its limitations, because it focuses on finding one way into the target system and then exploiting this weakness, rather than looking at the whole picture. To illustrate what this means: imagine employing an ex-burglar to check the security of a house. He would immediately spot the drainpipe leading to the open bathroom window and would be able to tell the homeowner that he was able to make an exit through the front door, having picked up the family jewellery en route. If the homeowner employed the police's security specialist, he would note the bathroom and drainpipe, but then move on to other possibilities, such as checking if there is a key under the flowerpot, or if the ladder in the garage is securely chained.

In other words, security consultants are more likely to take a broader and deeper view of a company's whole IT security. Rather than just focusing on the corporate firewall, consultants will test internal networks and unauthorised desk modems, as well as wireless networks. Also, since these consultants use audit processes that have their origins in banking and government, results are usually provided in a more useable and familiar form to the company's management. However, it does pay to shop around: some consultancies may send their top people to the pitch, but the actual work is carried out by raw graduates.

When selecting penetration testing service providers, it makes sense to apply the following criteria: what is the consultancy's track record and can it provide third party references? Is it vendor independent? Does it use appropriate, experienced staff for each testing assignment? Is the approach flexible enough to match the individual company's requirements?

There are a couple of other areas to take into consideration, including defining the scope of penetration testing, which is vital to achieve from the outset. Not only is it important to include all areas of network vulnerability, there is little point commissioning testing unless recommendations based on the results can be pushed through. This may sound commonsense, but IDsec has worked with companies where the distance between the security policy people and the operations staff was so wide that no actions were carried out following the results of penetration testing. Timing is also important: test too early in the development cycle and the results are quickly out of date; leave it too late and launch dates may mean that there is no time to fix problems. Also, the system needs to work properly from the outset, otherwise the tester cannot achieve consistent results.

Consultants often use automatic tools to run tests. These definitely have their place - largely because they are cost-effective and it would not be feasible to carry out large volumes of work quickly without them - but they need to be balanced with manual analysis. For example, only an experienced consultant can accurately eliminate false positives, or produce informed reports and recommendations.

Whichever route a company takes, penetration testing needs to be viewed as an integral part of a company's IT strategy. After all, companies spend fortunes on financial audits to minimise exposure to risk: why not apply the same principle to IT security?

Share this article:

Further reading: