Penetration Testing: Part 3
I keep writing about penetration testing because few activities within information security are so subject to chicanery, incompetence and ignorance. In my previous blog posting I discussed a few ways that penetration testing can be improperly conducted and/or written up. I’d like to delve a bit deeper into this issue, as there are so many ways to go awry when it comes to penetration testing.
The most frequently used type of pen testing is external pen testing, in which the pen testers launch attacks from the outside against hosts, devices and applications within an organization’s network. The pen testers typically encounter security barriers such as perimeter firewalls and network address translation (NAT), so success in penetrating systems is often limited. The same is not usually true for Web applications, however, because by their nature they generally must be accessible to anyone, and many of them have at least several externally exploitable vulnerabilities. Externally launched pen tests are valuable in that they show how vulnerable an organization is to Internet attacks. At the same time, because of the barriers just mentioned, they generally uncover only some of the vulnerabilities that exist in hosts, devices and applications. There is more work to do if an organization wants a more comprehensive and genuine view of all the vulnerabilities that exist.
Another kind of pen test, an internal pen test, starts from within an organization’s network. The testing team is normally given access to several parts of the internal network. Because there are no firewalls, NAT complications or other barriers in this kind of testing, more vulnerabilities in more hosts can be tested, yielding a more complete picture of the range and number of vulnerabilities within the organization’s IT environment.
Sometimes pen testing is conducted in connection with a mandated external audit, e.g., one conducted to determine whether an organization is compliant with a regulation such as FERC/NERC. In this case pen testing often uncovers a plethora of vulnerabilities, prompting the information security manager to complain that the test was unfair and that it should have been limited to testing from the outside. I strongly disagree. With security perimeters becoming less effective over time, assuming that attackers are able to attack only from outside a network is specious. Conducting testing that starts within the organization’s network is fair and realistic. But conducting both an external and an internal pen test is the better way to go if a more complete view of vulnerabilities is to be achieved.
But simply conducting an external and an internal pen test still does not provide a complete picture of the vulnerabilities that exist. Many of today’s attacks target Web browsers, which have become one of the major causes of security breaches. An even more complete pen test will thus also include testing the susceptibility of browsers (and possibly also the users who use them) to downloading malicious content. Additionally, there is the ever-present possibility of an insider, or sometimes even an outsider, walking up to a machine and gaining unauthorized access or installing a physical sniffer or rogue code, either clandestinely or, if the user is present, through social engineering. A really thorough penetration test would thus also include having pen testers attempt to gain physical access to systems.
How much pen testing is enough? As in most cases in information security, the answer is that it depends. In some cases, an external test is sufficient for the purposes for which it is conducted. In others, only a very complete test will do. The more complete the testing, the higher the cost will be, but once again, you get what you pay for.