Defining Penetration Testing


The term hacking originated at the Massachusetts Institute of Technology (MIT) in the 1960s with the Tech Model Railroad Club (TMRC) when they wanted to "hack" the circuits to modify the performance of their train models. Hacking eventually came to mean the reverse engineering of programs for the purpose of increasing efficiency.

Cracking, in contrast, refers to hacking for offensive purposes such as breaking into a computer network. A hacker is one who performs hacking either maliciously or defensively. Malicious hackers are often called black-hat hackers or crackers. You will see the term malicious hacker(s) throughout the text of this book. Those who hack defensively are often called white-hat hackers. Some of the white-hat ethical hackers were originally black-hat hackers. However, they typically do not have as much credibility as traditional white-hat hackers because of their past history with malicious activity.

A penetration tester is an ethical hacker who is hired to attempt to compromise the network of a company for the purpose of assessing its data security. A team of ethical hackers working to break into a network is called a tiger team. Restrictions usually mandate what a penetration tester can and cannot do. For example, a penetration tester is typically not allowed to perform denial of service (DoS) attacks on a target network or install viruses. However, the scope of testing performed by ethical hackers varies depending on the needs of that organization.

Penetration testers can perform three types of tests:

  • Black-box test: The penetration tester has no prior knowledge of a company network. For example, if it is an external black-box test, the tester might be given a website address or IP address and told to attempt to crack the website as if he were an outside malicious hacker.

  • White-box test: The tester has complete knowledge of the internal network. The tester might be given network diagrams or a list of operating systems and applications prior to performing tests. Although not the most representative of outside attacks, this is the most accurate because it presents a worst-case scenario where the attacker has complete knowledge of the network.

  • Gray-box or crystal-box test: The tester simulates an inside employee. The tester is given an account on the internal network and standard access to the network. This test assesses internal threats from employees within the company.

Upon the hiring of a penetration testing firm, a company must define the test plan that includes the scope of testing. Some of the common factors that go into defining scope are as follows:

  • Will the testing be done during normal business hours or after business hours?

  • Will DoS attacks be allowed?

  • Can backdoor Trojan applications be installed on target systems?

  • Can defacement of websites be attempted?

  • Can log files be erased?

  • Will the test be black-box, white-box, or gray-box?

  • Will the networking team be aware that testing takes place? (It is usually not a good idea for the IT team to know about testing because they might seek to harden the systems more than what is typical, making the test unrepresentative of what would normally happen.)

  • What systems will be the target-of-evaluation (TOE)?

  • Can social engineering be performed? Social engineering is the practice of obtaining network access through manipulating people. It is considered the easiest way to gain access because people are generally trusting. A classic form of social engineering is calling up an end user and, while pretending to be a member of the help desk team, asking the user for his password. Sometimes penetration testers are authorized to attempt social engineering methods to gain access. You can find more on social engineering in Chapter 4, "Performing Social Engineering."

  • Can data be retrieved and removed from a target system?

Also, the testing plan should define how the test report should be distributed and to whom. If the report is to be distributed electronically, it should be sent over signed and encrypted channels. Two reports should be made:

  • A general, nonspecific report that can be kept in a secure location.

  • A detailed report explaining threats and exploits accomplished. After review of the detailed report, a decision should be made as to where this report should be stored or if it should be shredded. Typically, the report is stored in a secure location so that it can be reviewed later after any future assessments are made.

A company should not perform penetration testing just one time. Testing should recur throughout the year, such as once every quarter. A company should not rely on just one testing firm, but should rotate through at least two firms. Many companies use three firms: one to do preliminary testing and two that alternate each quarter, whose results are used to demonstrate compliance with industry regulations. To save on costs, some companies perform a thorough penetration test once a year and do regression testing in the other three quarters, in which only previously reported vulnerabilities are rechecked. Regression testing can also be performed whenever changes are made to a system, such as when a new server is added to the network. This does not provide the most accurate results, but it does cut down on testing expenses.

A penetration tester is going to test against vulnerabilities and threats. A vulnerability is a weakness, design, or implementation error that could be exploited to violate security policies. A threat is a potential violation of security that might cause harm such as disclosure of sensitive data, modification of data, destruction of data, or denial of service.

Security is concerned with the protection of assets against threats. Threats can be related to confidentiality, integrity, or availability (C.I.A.):

  • A confidentiality threat is when there is a risk of data being read that should be concealed from unauthorized viewing.

  • An integrity threat is when there is a risk of data being changed by unauthorized users.

  • An availability threat is when a service or network resource has a risk of being unavailable to users.

Attacks against C.I.A. are called disclosure, alteration, and destruction (D.A.D.) attacks. A target is said to be secure when the possibility of undetected theft or tampering is kept to an acceptable level. This acceptable level is determined by performing a cost-risk analysis in which the cost of protecting the data is compared to the risk of losing or compromising the data. The goal of penetration testing is not to reduce the risk to zero, but to reduce the risk to acceptable levels agreed upon by management. Ultimately, some residual risk must always be accepted.

The penetration testing report should draw its audience back to the security policy, not technology. A security policy is a document articulating the best practices for security within an organization as laid out by those individuals responsible for protecting the assets of an organization. (For more on security policies, see Appendix A, "Preparing a Security Policy.") Security vulnerabilities exist not because of the technology or configuration implemented, but because the security policy does not address the issue or because users are not following the policy. For example, if a website is found to be susceptible to DoS attacks using ICMP traffic, the problem is found in the policy not addressing how ICMP traffic should be permitted into a network or, if it is addressed, the policy is not being followed.

A penetration test should also differentiate between common exploits and zero-day exploits, if applicable. A zero-day exploit is an undocumented, new exploit that a vendor has not created a patch against. Although zero-day exploits are serious threats (and coveted attacks by malicious hackers), an administrator cannot do much in advance to prevent such attacks. If a target is found to be susceptible to a zero-day exploit, it should be documented that a patch is not yet available or was just released. The best practice to protect against zero-day exploits is to implement heuristic, or profile-based, intrusion detection.



    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209
