Penetration Testing

Penetration testing is a series of activities undertaken to identify and exploit security vulnerabilities. Penetration testing can be carried out in several different ways, including zero knowledge, full knowledge, or partial network knowledge. Regardless of what is known about the network, the penetration test team typically starts with basic user access. Its goal is to advance to root or administrator and control the network or systems. Probably the most important step of a penetration test is the approval. Without a signed consent of the network owner, the penetration test team could very well be breaking the law. A generic model of a penetration test is listed here:

1. Discovery Identify and document information about the targeted organization.
2. Enumeration Use intrusive methods and techniques to gain more information about the targeted organization.
3. Vulnerability mapping Map the findings from the enumeration to known and potential vulnerabilities.
4. Exploitation Attempt to gain user and privileged access by launching attacks against known vulnerabilities.

Penetration testing can be performed with the full knowledge of the security staff, as a blind test, or a double-blind test. A blind test is one in which only publicly available information is used. A double-blind test is one in which only publicly available information is used and the security staff is not notified of the event. A double-blind test allows the organization to observe the reactions of the security staff.

These other types of tests should be considered beyond basic penetration tests:

• Application security testing Many organizations offer access to core business functionality through web-based applications. This can give attackers a big potential target. Application security testing verifies that the controls over the application and its process flow are adequately designed.
• Denial-of-service (DoS) testing The goal of DoS testing is to evaluate the networks susceptibility to DoS attacks.
• War dialing War dialing is an attempt to systematically call a range of telephone numbers to identify modems, remote-access devices, and maintenance connections of computers that could exist on an organization's network.
• Wireless network testing This form of testing is done to verify the organization's wireless access policies and ensure that no misconfigured devices have been introduced that have caused additional security exposures.
• Social engineering testing This form of penetration test refers to techniques using social interaction, typically with the organization's employees, suppliers, and contractors, to gather information and penetrate the organization's systems.

Various guides are available to help the penetration test team members follow a structured methodology for any of the testing scenarios described. The Open Source Security Testing Methodology Manual (OSSTMM) (www.isecom.org) is a good example of a test guide. The Open Web Application Security Project (www.owasp.org) is another source for testing methodologies and tips.