Penetration Testing

One of the most counterintuitive truths in information security is that the best way to secure a system is to try to break into it. While this may sound like a contradiction, hacking your own systems is the best way to keep them secure. This process is known as penetration testing and should be part of every good security policy. The fact is, security administrators cannot know how good their security is until they attempt to get around it or break through it. There are firms that specialize in performing penetration testing on a contract basis to help companies improve their information security.

When performing penetration testing, it is important to make sure that management is aware of what is being done. There are cases where security specialists have been fired and sued for performing penetration testing without authorization within the company that employed them. Getting prior authorization protects both the administrator and the company they are working for.

Before getting into the methodology of penetration testing, it is important to go over the timing. The best time to start penetration testing is from the design phase up to final implementation. Every aspect of the system should be thoroughly tested and weaknesses found should be secured. By performing good testing procedures throughout the entire process of access control system development, the administrator ensures that the final implementation contains the fewest vulnerabilities possible.

Methodology

Penetration testing should start with the most common tools available. A simple search on a security-related Web site such as www.securityfocus.com or http://neworder.box.sk will bring up known vulnerabilities for the software being used. Using the tools or methods available through sites like these as a starting point gives administrators a basic test and allows them to fix any known issues.

Next, the specific access control infrastructure should be analyzed for any points that might be vulnerable. Things like single points of failure or systems that are publicly reachable over the Internet are good places to start. Try simple penetration testing and disaster testing on all of these systems. For example, if an administrator is using a third-party product to perform authentication via their existing NDS (Novell Directory Services) tree, what happens when the tree is unavailable? Does the product authenticate users by default? These are the types of questions the administrator must ask when performing penetration testing on a system.
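The "directory unavailable" question above, as an added example that is not from the study guide: a thin authentication wrapper in front of a directory service, showing the fail-open behaviour the text warns about beside a fail-closed version that denies and logs. The directory client is a constructed stub and all names are hypothetical.

```python
"""Added example (not the study guide's code): fail-open versus
fail-closed authentication when the directory tree is unreachable.
DirectoryClient is a constructed stand-in for an NDS/LDAP bind."""


class DirectoryUnavailable(Exception):
    """Raised when the directory tree cannot be reached."""


class DirectoryClient:
    """Constructed stub: holds sample accounts and an availability flag."""

    def __init__(self, users, available=True):
        self.users = users            # username -> password (sample data only)
        self.available = available

    def bind(self, username, password):
        if not self.available:
            raise DirectoryUnavailable("tree unreachable")
        return self.users.get(username) == password


def authenticate_fail_open(directory, username, password):
    """Vulnerable pattern: an outage is treated as 'no objection'."""
    try:
        return directory.bind(username, password)
    except DirectoryUnavailable:
        return True   # BUG: every login succeeds while the tree is down


def authenticate_fail_closed(directory, username, password, audit):
    """Hardened pattern: an outage denies access and leaves an audit record
    for the monitoring systems the text says must be in place."""
    try:
        return directory.bind(username, password)
    except DirectoryUnavailable as exc:
        audit.append(f"DENY {username}: directory unavailable ({exc})")
        return False


if __name__ == "__main__":
    users = {"alice": "correct horse"}            # constructed sample account
    down = DirectoryClient(users, available=False)
    print(authenticate_fail_open(down, "unknown", "anything"))        # True
    print(authenticate_fail_closed(down, "unknown", "anything", []))  # False
```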

[Sidebar] Damage & Defense: Penetration Testing Tips

When doing penetration testing, the first step should always be to obtain permission to perform the test. It never looks good for an information security professional to be fired for hacking, without permission, into the network they were hired to protect. After all necessary buy-offs on the concept of performing the testing have been obtained, the tester can move on to determining what they want to do.

The best practice is to go over the system and identify specific potential weak points that should be tested. These could be possible vulnerabilities themselves or be stepping-stones used to get to another vulnerability. After the specific areas to attack have been determined, the security administrator should document a specific step-by-step attack plan of exactly what they are going to do, making sure that management has a copy of the plan and approves it prior to beginning the test. Also, they must ensure that logging and monitoring systems are in place to track activity and help gather results.

When the plan is approved and monitoring is in place, the administrator is clear to go into action. They should follow the plan as closely as possible and document any disparities between the plan and their actions. When the test is completed, the administrator should document the results of the test using the information captured by the monitoring systems. They should also capture any relevant supporting data or information gathered during the test and include this with their report.

When the report is done, management should receive a copy. The security administrator should analyze what was learned and start formulating their next penetration test plan from the information they have gathered. If they continue using this cycle, they will successfully perform penetration testing using solid and well-established procedures.

[End of sidebar]

The most important question of all is "What if?" With a Web server, what if an administrator sends 1024 more bytes to an ASP page than it was expecting? What if they send special characters in a request to a Common Gateway Interface (CGI) form? What if someone gets past the firewalls; what can they access? Constantly asking "What if?" allows the administrator to try to come up with unusual attacks that could be performed against their system. This is the same method the best hackers use to develop new techniques.
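The "What if?" questions above turned into a repeatable test, as an added example that is not from the study guide: a small CGI-style form parser with an explicit length and character policy, exercised with a request 1024 bytes over its limit and with special characters. The parser, its limit (FIELD_MAX) and the test cases are constructed assumptions.

```python
"""Added example (not the study guide's code): 'what if?' input tests
against a constructed CGI-style form parser. The parser rejects rather
than truncates, and the harness records whether each case was
rejected cleanly, accepted, or produced an unhandled error."""
from urllib.parse import parse_qsl

FIELD_MAX = 256                                   # assumed per-field byte limit
ALLOWED = set(chr(c) for c in range(0x20, 0x7F)) - set('<>;"\'&')


class RejectedInput(ValueError):
    """Raised so bad input never reaches the application logic."""


def parse_form(query: str) -> dict:
    """Parse a query string, enforcing the length and character policy."""
    fields = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if len(value.encode()) > FIELD_MAX:
            raise RejectedInput(f"{name}: {len(value.encode())} bytes > {FIELD_MAX}")
        bad = [ch for ch in value if ch not in ALLOWED]
        if bad:
            raise RejectedInput(f"{name}: disallowed character {bad[0]!r}")
        fields[name] = value
    return fields


def what_if_tests() -> dict:
    """Run the constructed 'what if?' cases.
    Returns {case: 'accepted' | 'rejected' | 'crashed'}; an unhandled
    exception ('crashed') is itself a finding worth reporting."""
    cases = {
        "normal": "user=alice&comment=hello",
        "oversized": "comment=" + "A" * (FIELD_MAX + 1024),   # 1024 bytes over
        "special_chars": "comment=hi<b>there",
        "control_bytes": "comment=hi\x00\x1bthere",
    }
    results = {}
    for label, query in cases.items():
        try:
            parse_form(query)
            results[label] = "accepted"
        except RejectedInput:
            results[label] = "rejected"
        except Exception:
            results[label] = "crashed"
    return results


if __name__ == "__main__":
    for case, outcome in what_if_tests().items():
        print(f"{case:14s} {outcome}")
```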

After thoroughly testing the system and implementing it into production, the administrator is still not done with penetration testing. They must always keep an eye on security-related Web sites or newsgroups for new attacks that could affect their systems. They should also conduct random penetration testing on their systems to make sure that nothing was changed that accidentally opened up a previously patched hole. Perhaps a patch was applied which changed a modified setting back to the default. Always be on the watch and keep testing.

Identifying Weaknesses

Part of penetration testing is finding where the access control system is strong and well protected, and also finding areas that are not so well protected. These weak areas are specific sections of an access control system that show up during penetration testing as vulnerable. Whenever one of these weak areas is detected, the administrator needs to do everything in their power to get the weakness fixed or patched as soon as possible. Chances are good that if they are able to find a weakness in the system, an intruder will be able to identify the same weakness.

Unfortunately, not all weak areas can be fixed. This may be due to budget constraints, problems with existing technologies, or the amount of effort required to patch these holes. Information security professionals have to be aware of the weak areas in their system even if they are unable to make the system stronger. These weak areas are hot spots that should be constantly monitored. Whenever possible, the best policy is to patch weak areas in the system rather than leaving a potential vulnerability unchecked.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
