Assessing the Need for Penetration Testing


The best way to stop a criminal is to think the way a criminal thinks. Installing burglar alarms and fences is not enough to ensure that you are safe from burglary. To effectively stop a burglar, you must predict his every move. Likewise, to defend against a cracker, you must think like a cracker. One of the ways companies are assessing their security against attacks is by hiring outside security firms to attempt to penetrate their networks.

Security threats are on the rise, and companies must be prepared to face them head-on. The complexity of computing systems, the rapid increase in viruses, and the dependence of a company on the public Internet are just some of the reasons that networks are easier to break into than ever before. Not only that, but the tools used by hackers are becoming simpler and more accessible each day. The Computer Emergency Response Team (CERT) reported financial losses related to computer crime at $141,496,560 in 2004. (You can read more about this survey at http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2004.pdf.) With such financial ramifications, companies are looking for new means to protect their technology assets.

Companies are no longer falling victim to the Titanic syndrome. When the Titanic was built, its engineers never thought the ship would sink. Yet, despite the confidence of its engineers, it sank on April 15, 1912. In the same way, companies now realize that just because their staff stamps their approval that the network is secure does not mean that it is secure; they have no certainty until the network is tested. This realization has led to the rise of penetration testing, where ethical hackers attempt to breach an organizational network using the same tools and techniques as a malicious attacker.

The need for penetration testing is not just to confirm the security of an organizational network, however. The need for penetration testing also stems from the concern that a network might not be adequately protected from the exponential number of threats. Security threats are increasing because of the following factors:

  • Proliferation of viruses and Trojans

  • Wireless LANs

  • Complexity of networks today

  • Frequency of software updates

  • Ease of hacking tools

  • The nature of open source

  • Reliance on the Internet

  • Unmonitored mobile users and telecommuters

  • Marketing demands

  • Industry regulations

  • Administrator trust

  • Business partnerships

  • Cyber warfare

Proliferation of Viruses and Worms

A virus is a malicious program that replicates by attaching copies of itself onto executable applications. When a user launches the executable application, the virus is launched, too. In comparison, a worm is a self-replicating program that is self-contained and does not require a host to launch itself.

For example, the Sasser virus was one of the most damaging viruses in 2004. Created by a German teenager, this virus and its variants caused trains to halt, flights to be cancelled, and banks to close. Security professionals scrambled to update their anti-virus signatures in time to defend against Sasser and its variants. The inevitable creation of viruses and their ensuing damage makes security testing a must for corporations to ensure their protection against unwanted applications.

Wireless LANs

In 1971, the first wireless local-area network (WLAN) was introduced in Hawaii. Called the ALOHANET, this WLAN connected seven computers across four islands. Today, wireless networks are popular in many organizations for their ease of use and flexibility. However, wireless networks are susceptible to eavesdropping. Hackers can sniff the wireless network and crack passwords or, if no encryption mechanisms are used, read the transmitted plaintext data. Although security standards such as the Wired Equivalency Protocol (WEP) have been implemented, they can easily be circumvented or cracked. These vulnerabilities led to the need for penetration testers to attempt to intercept and read or change wireless communication so that companies could assess their wireless security. Chapter 11, "Scanning and Penetrating Wireless Networks," covers wireless network vulnerabilities in greater detail.

Complexity of Networks Today

In the past, knowing one network operating system (NOS) was enough to manage a network. Now administrators are expected to support multiple NOSs in addition to firewalls, routers, switches, intruder detection systems, smart cards, clustering solutions, SQL databases, and web servers, to name a few. Each of these technologies has gotten more complex, too. A static website housed on a web server is not enough. Now companies require multiple firewalls, encryption solutions, load-balancers, back-end databases, and dynamic front-end websites. Administrators of networks are expected to be far more knowledgeable than what was expected of them previously. This rise in complexity makes it difficult for network administrators to stay on top of security threats and applicable patches. Asking administrators to be experts on computer cracking while staying abreast of their other daily responsibilities is not feasible. Penetration testers, on the other hand, make it their profession to be security experts and are qualified to attempt penetration into complex data networks, providing an unbiased and accurate analysis of the security infrastructure of an organization.

Having an unbiased view of the security infrastructure of an organization is a big selling point for companies. Administrators and managers often downplay any vulnerabilities discovered, but penetration testers are an outside party hired because of their unbiased view of the security for an organization.

Frequency of Software Updates

Along with the increase in complexity comes the increase in the number of software patches that need to be installed. Administrators are finding it difficult to stay abreast of all necessary patches to harden their systems and install them in a timely manner. As a result, systems are left unpatched and thus vulnerable to attack. Penetration testers assess the vulnerabilities through simulated attacks.

Availability of Hacking Tools

Thousands of software tools exist to attack networks, most of which are free or available as shareware. With file sharing centers such as Kazaa, E-Donkey, and E-Mule, pirated attacking tools are found with ease. What is worse, many of these tools do not require extensive knowledge of computing to operate, making it easy for anyone who has foundational computer knowledge to execute and attack networks. Often, such novices are called script-kiddies. A script-kiddie is a person who does not have expert-level knowledge of programming or networking, but simply downloads these software tools off the Internet and runs them. The easier it is to attack a network, the greater the need to ensure its protection.

The Nature of Open Source

In 1984, the GNU project was launched to provide people with free software (GNU is a recursive acronym meaning GNU's Not UNIX). Their license, which you can find at http://www.gnu.org, specifies the following four characteristics for software to be considered "free" or open source:

  • The freedom to run the program, for any purpose.

  • The freedom to study how the program works and adapt it to your needs. Access to the source code is a precondition for this.

  • The freedom to redistribute copies so that you can help your neighbor.

  • The freedom to improve the program and release your improvements to the public so that the whole community benefits. Access to the source code is a precondition for this.

Although providing source code is a benefit for many, it also takes away the difficulty in reverse engineering programs to discover vulnerabilities. Because hackers can also read the source code, they can quickly discover vulnerabilities such as buffer overflows that would allow them to crash a program or execute malicious code. In defense of GNU, however, providing the source code also provides developers worldwide with the ability to create patches and improvements to software. (In fact, the open source web server Apache was titled such because it was a patchy server, referring to the countless patches provided by the open source community.) Penetration testers are needed to attempt to exploit potential vulnerabilities of open source software to determine the likelihood of attack.

Reliance on the Internet

The economy of today depends on the Internet for success. Forrester Research (http://www.forrester.com) estimates that more than $3.5 trillion will be generated in revenue for North American e-commerce sites. Having an online presence comes with a risk, however, because it places you on a public network, which is less trusted than an internal network. Penetration testers can assess the security of the online presence of a company.

Unmonitored Mobile Users and Telecommuters

More companies than ever are allowing users to work remotely or out of their home. Unfortunately, it is difficult for security administrators to monitor these remote systems. Hackers who have knowledge of these remote connections can use them to their advantage. Companies can hire penetration testers to do gray-box testing, where they simulate a remote user and attempt to gain access and escalate their privileges on internal systems.

Marketing Demands

Financial institutions, online shopping sites, and hosting data centers are just a few of the company types that market their secure network to potential customers. Penetration testers are needed to validate the security of these sites. Sometimes the results of the tests are provided to potential customers, too.

Industry Regulations

Many industries have federal guidelines for data security that they have to meet. Healthcare facilities have the Health Insurance Portability and Accountability Act (HIPAA), the Canadian Privacy Act, and the European Union Directive on Data Protection. U.S. financial institutions have the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act (SOX), and government agencies have requirements like the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP), among others. Penetration testers are often hired to ensure compliance with these requirements.

HIPAA Guidelines

In 1996, the U.S. Kennedy-Kassebaum HIPAA was passed into law. HIPAA is designed to reduce fraud and abuse in the health care industry as it relates to electronic public health information (EPHI). It defines administrative, technical, and physical safeguards. Included within the compliance specifications is the requirement to conduct regular and detailed risk analysis. Risk analysis assesses the critical components of your network infrastructure and the risks associated with them. Performing a risk analysis allows senior management to identify critical assets and appropriate necessary safeguards to protect public health information. Although the specification does not specifically mention penetration testing as part of regular and detailed risk analysis, many health care organizations are turning to penetration testers to perform routine security posture assessments.


Administrator Trust

Trusting your security administrators when they affirm that your network is "secure" is not enough. Companies can be liable for their security weaknesses. For example, if your e-mail server is open for mail-relay and a spammer uses your e-mail server to launch spam that might cause harm to another entity, your company might be found negligent and be liable for compensatory damages. To trust the word of an administrator without verification through an outside firm of penetration testers can be construed as negligence.

Business Partnerships

Many companies are forming business partnerships to improve sales results, customer services, and purchasing efficiency. Providing employees from another company with access to your internal network and the ability to view confidential information is risky, however. Often when two companies form a partnership, one or more third-party penetration testing firms are mutually hired by the companies to test the accessibility of one partner network to the other.

Hacktivism

Government organizations and popular corporate dot-com sites can be more susceptible to hacktivism than other lesser-known sites. Hacktivism is hacking for a political, social, or religious cause. Usually, hacktivists deface a website and replace the site with their own political or religious message.

Government agencies often hire penetration testers to assess the vulnerability of the agency to hacktivist attacks.



    Penetration Testing and Network Defense
    ISBN: 1587052083
    EAN: 2147483647
    Year: 2005
    Pages: 209
