Penetration testing guide


Most people that find their way to this page do so because either they have been told they need to get their information systems tested to prove they are secure, or their systems have already been hacked and they want to understand what happened.

In both cases you'll be pleased to hear that the information in this guide should help you to quickly understand the choices you have available to improve the situation.

What is penetration testing?

The term "penetration testing" is an industry buzzword, which used to mean something quite specific, but is now commonly used by customers to refer to just about any type of security testing. We won't be bucking the trend either; we know a dead horse when we see one.

The general process tends to be that your systems get tested, and then at the end you receive a report that highlights all the insecure areas that need attention, along with advice on how to fix them.

Here comes the science-bit

The goal of the exercise is simply to find all of the security vulnerabilities that exist in the systems being tested. In this context, a vulnerability is anything that increases the likelihood that an attacker can disrupt a system, or gain unauthorised access to it and any data contained within.

The most common vulnerabilities tend to be design flaws, configuration errors, and software bugs. These get introduced during development and implementation, generally by accident, and once identified by the penetration testing, can usually be quickly resolved by a little re-engineering.

Why might you want a penetration test?

Most organisations will have a penetration test for one of the following reasons:

  • Some industries and types of data are regulated and must be handled securely (like the financial sector, or credit-card data). In this case your regulator will insist on a penetration test as part of a certification process.
  • You may be a product vendor (like a web developer), and your client may be regulated, so will ask you to have a penetration test performed on their behalf.
  • You may suspect (or know) that you have already been hacked, and now want to find out more about the threats to your systems, so that you can reduce the risk of another successful attack.
  • You may simply think it is a good idea to be proactive, and find out about the threats to your organisation in advance.

What should you test?

The exact "what" tends to be defined by one of the situations above; however, just about anything that holds information can be tested:

  • Off-the-shelf products like servers, smart phones, firewalls and routers etc.
  • Bespoke software development like web sites, mobile applications and games etc.
  • Telephone equipment like exchanges, smart phones, VOIP and fax servers etc.
  • Wireless systems like Wi-Fi networks, RFID tokens, and contactless cash etc.
  • Physical protection like CCTV, door entry systems and mechanical locks etc.

How do you ensure the project is a success?

As with all important buying decisions, you need to choose your vendor wisely and ensure that they are reputable:

  • Ask your colleagues and industry peers if they can recommend a vendor.
  • Ask the vendor for references from organisations of a similar profile to yours.
  • Ask the vendor for examples of similar projects they have undertaken.
  • Ask the vendor for a sample report, then evaluate its quality and clarity.
  • Agree a detailed scope of exactly what will be tested.
  • Ask the vendor for proof they are insured.
  • Ask the vendor to supply CVs for the staff who will be carrying out the work. Confirm their experience, then Google their names to ensure that they aren't current or ex-hackers themselves.

Further reading

There is a collection of organisations that provide standards and certifications for both the data and systems that are the subject of regulation, and the consultants and vendors that deliver penetration testing. Like most things though, certifications aren't everything; individual experience and attitude count for much more in the real world. For example, everyone who drives is required to have a licence, but just because they do, it doesn't mean they will be a good driver.

The paragraphs provided below are in no particular order, and don't constitute any form of recommendation.


Tiger Scheme is a commercial certification scheme for technical security specialists, backed by University standards and covering a wide range of expertise. The Tiger Scheme was founded in 2007, on the principle that a commercial certification scheme run on independent lines would give buyers of security testing services confidence that they were hiring in a recognised and reputable company.


The Open Web Application Security Project (OWASP) is an open source community project developing software tools and knowledge-based documentation that help people secure web applications and web services. It is an open source reference point for system architects, developers, vendors, consumers and security professionals involved in designing, developing, deploying and testing the security of web applications and web services.


The Payment Card Industry (PCI) Data Security Requirements were established in December 2004, and apply to all Members, merchants, and service providers that store, process or transmit cardholder data. As well as a requirement to comply with this standard, there is a requirement to independently prove verification.


ISACA was established in 1967 and has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS Auditing and IS Control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security and has grown to be globally recognized and adopted worldwide as a symbol of achievement.


The CESG IT Health Check scheme was instigated to ensure that sensitive government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistent high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system.


The aim of the Open Source Security Testing Methodology Manual (OSSTMM) is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organisational concerns, such as the corporate profile of the penetration-testing provider.


The Council for Registered Ethical Security Testers (CREST) exists to serve the needs of a global information security marketplace that increasingly requires the services of a regulated and professional security testing capability. It provides globally recognised, up-to-date certifications for organisations and individuals providing penetration testing services.