The penetration test is the activity in which a security vendor or white hat hacker will deploy their skills acquired from training, certification and practical experience. The aim of the penetration test is to discover system or network vulnerabilities and exploit those vulnerabilities with the consent of the system owner(s). The penetration test scans for vulnerabilities and looks to actively exploit any uncovered vulnerabilities; it is a complement to the vulnerability scanners used during a vulnerability assessment. The penetration test helps identify which vulnerabilities are real and discern whether they can actually be exploited. “Vulnerability scanners can tell what potential risks are, but pen tests can provide the actual facts about the risks, including if they are exploitable and what information could be exploited if they were” (Howarth, 2010a, para. 2).
There are many different flavors of pen testing. A manual or automated test may be executed. The manual test is more involved and typically more costly if an outside authority is used, as it requires significantly more expertise than an automated test. The automated testing approach is carried out via the logic, rules and/or AI embedded in a software product. One such commercial product on the market is SAINTexploit, which not only exposes vulnerability points but also exploits those vulnerabilities to prove their existence. SC Magazine for security professionals rates SAINTexploit as an overall 4.75/5 star product for automated penetration testing. The annual cost of the product is $8,745 for 1,000 unique targets; the product must be renewed annually for continued usage (Stephenson, P., 2013). “Automated tools can provide a lot of genuinely good information, but are also susceptible to false positives and false negatives, and they don’t necessarily care what your agreed-upon scope says is your stopping point” (Walker, M., 2013, Chapter 11).
The two types of penetration testing as defined by the EC-Council (the certification body for the Certified Ethical Hacker designation) are external and internal. External assessments test and analyze publicly available information, as well as conduct scanning and exploits from outside the network perimeter. The internal assessment is the opposite and is performed from within the network perimeter.
The concept of black, white and grey box testing also comes into play with respect to determining what information is known beforehand in order to carry out the penetration test. Walker (2013) notes that in a black box test the attacker has no information about the system or infrastructure beforehand. The black box test takes the longest to accomplish and is the closest simulation to an actual attack. White box testing simulates an insider with complete knowledge of the systems and infrastructure, who carries out the penetration test. Finally, the grey box test provides limited information on the targeted systems and/or infrastructure.
Another parameter that can make the pen test more closely resemble real world conditions is the incorporation of social engineering. The white hat is given permission to use phishing attacks in order to gain access to passwords or other sensitive information. With phishing, the ethical hacker can design any number of email messages, websites, or even utilize phone calls under false pretenses in order to get a user to install malicious software or hand over sensitive information. The organization can gauge the results of these controlled social engineering attacks to see which users need a refresher in the company security policy or to determine if the current security policy is effective.
An organization carrying out an external penetration test by using an outside company should have the scope and the rules of the test clearly defined in contractual or service level agreement terms. In the event of a disruption of service or any other catastrophic event, both parties should know ahead of time which party is responsible for correcting any issues. Graves (2010, Chapter 15) asserts that the documents necessary to have signed by the client before conducting a white hat penetration test are:
- “Scope of work, to identify what is to be tested”
- “Nondisclosure agreement, in case the tester sees confidential information”
- “Liability release, releasing the ethical hacker from any actions or disruption of service caused by the pen test”
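The signed scope of work is only useful if the tooling respects it, and the Walker quotation above notes that automated tools do not necessarily stop at the agreed boundary. The following is an added example (not code from the original paper or from any product it mentions) of a scope gate that a tester can place in front of any scanner or exploit module: it reads the agreed scope as allowed networks, carved-out hosts and in-scope domain suffixes (that representation is an assumption made for this example), and refuses to run at all if any candidate target falls outside it. The addresses and domain names are constructed sample values from the RFC 5737 / RFC 2606 documentation ranges.

```python
"""Scope gate for penetration-test tooling.

Added example, not part of the original paper. The scope representation
(allowed networks, excluded hosts, allowed domain suffixes) is an assumption
for illustration; real scope-of-work documents vary in format.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class ScopeOfWork:
    # Networks the client has authorised in the scope of work, e.g. "203.0.113.0/24"
    allowed_networks: list[str]
    # Hosts carved out of the authorised ranges, e.g. a production finance server
    excluded_hosts: list[str] = field(default_factory=list)
    # DNS suffixes that are in scope, e.g. "example.com" (covers www.example.com)
    allowed_domains: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self._nets = [ipaddress.ip_network(n, strict=False) for n in self.allowed_networks]
        self._excluded = {ipaddress.ip_address(h) for h in self.excluded_hosts}
        self._domains = [d.lower().strip(".") for d in self.allowed_domains]

    def is_in_scope(self, target: str) -> bool:
        """Return True only if target is explicitly authorised and not excluded."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # Not an IP literal: treat it as a hostname and match on domain suffix.
            name = target.lower().rstrip(".")
            return any(name == d or name.endswith("." + d) for d in self._domains)
        if addr in self._excluded:
            return False
        return any(addr in net for net in self._nets)


def partition_targets(scope: ScopeOfWork, targets: Iterable[str]) -> tuple[list[str], list[str]]:
    """Split a candidate target list into (in_scope, out_of_scope)."""
    in_scope: list[str] = []
    out_of_scope: list[str] = []
    for t in targets:
        (in_scope if scope.is_in_scope(t) else out_of_scope).append(t)
    return in_scope, out_of_scope


def gate(scope: ScopeOfWork, targets: Iterable[str]) -> list[str]:
    """Fail closed: refuse the whole run if even one target is out of scope.

    Silently dropping out-of-scope entries would hide a mistake in the target
    list; stopping forces the tester to reconcile it against the signed scope.
    """
    in_scope, out_of_scope = partition_targets(scope, targets)
    if out_of_scope:
        raise PermissionError(f"targets outside signed scope of work: {out_of_scope}")
    return in_scope


if __name__ == "__main__":
    # Constructed sample scope using documentation-only addresses and domains.
    sow = ScopeOfWork(
        allowed_networks=["203.0.113.0/24"],
        excluded_hosts=["203.0.113.10"],   # e.g. the client's production finance host
        allowed_domains=["example.com"],
    )
    candidates = ["203.0.113.5", "203.0.113.10", "198.51.100.7", "www.example.com", "example.org"]
    print(partition_targets(sow, candidates))
```

The gate deliberately fails closed rather than filtering: a target list that contains something outside the signed scope is a sign that either the list or the scope document is wrong, and that question belongs to the tester and the client, not to the tool.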
Although penetration testing is widely used by organizations to test for system, network or human vulnerabilities, there are some limitations to its effectiveness. All of the potential varying client parameters around the pen test (e.g. financial systems are out of scope, no social engineering, etc.) can hide weaknesses that would still be exploitable in an actual black hat attack. Real world attacks can use a combination of social engineering, physical, and electronic methods, often coordinated by an experienced team. The aforementioned combination of methods and expertise is very hard to simulate in a controlled environment. “The [enterprise’s] board and other stakeholders will not care about a clean network pen test if an attacker enters the building and, through a combination of social engineering and other low-tech gadgets like the hidden camera tie, steals your protected information” (Barr, J., 2012b).
Barr, J. G. (2012a, November). Recruiting Cyber Security Professionals. Faulkner Information Services. Retrieved March 23, 2013.
Graves, K. (2010). CEH: Certified Ethical Hacker Study Guide. Sybex. Books24x7. Retrieved March 24, 2013.
Howarth, F. (2010a). Emerging Hacker Attacks. Faulkner Information Services. Retrieved April 17, 2013.
Stephenson, P. (2013). SAINTmanager/SAINTscanner/SAINTexploit v7.14. Retrieved March 23, 2013, from http://www.scmagazine.com/saintmanagersaintscannersaintexploit-v714/review/3797/
Walker, M. (2012). CEH Certified Ethical Hacker: All-in-One Exam Guide. McGraw-Hill/Osborne. Books24x7. Retrieved March 24, 2013.