Penetration test
A penetration test, occasionally pentest, is a method of evaluating the security
of a computer system or network
by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities.
Security issues uncovered through the penetration test are presented to the system's owner. Effective penetration tests will couple this information with an accurate assessment of the potential impacts to the organization and outline a range of technical and procedural countermeasures to reduce risks.
Penetration tests are valuable for several reasons:
- Determining the feasibility of a particular set of attack vectors
- Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
- Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
- Assessing the magnitude of potential business and operational impacts of successful attacks
- Testing the ability of network defenders to successfully detect and respond to the attacks
- Providing evidence to support increased investments in security personnel and technology
Penetration tests are a component of a full security audit. For example, the Payment Card Industry Data Security Standard (PCI DSS), a security and auditing standard, requires both annual penetration testing and additional testing after significant system changes.
Black box vs. White box
Penetration tests can be conducted in several ways. The most common difference is the amount of knowledge of the implementation details of the system being tested that is available to the testers. Black box testing
assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis. At the other end of the spectrum, white box testing
provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code, and IP addressing information. There are also several variations in between, often known as grey box tests. Penetration tests can also be described as "full disclosure" (white box), "partial disclosure" (grey box), or "blind" (black box) tests based on the amount of information provided to the testing party.
The relative merits of these approaches are debated. Black box testing simulates an attack from someone who is unfamiliar with the system. White box testing simulates what might happen during an "inside job" or after a "leak" of sensitive information, where the attacker has access to source code, network layouts, and possibly even some passwords.
The services offered by penetration testing firms span a similar range, from a simple scan of an organization's IP address
space for open ports and identification banners to a full audit of source code for an application.
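As an added example (not code from the original article), here is the simplest of the services just described: a TCP connect scan that records which ports accept a connection and what identification banner each one volunteers. It is self-contained, starting a constructed localhost service with an invented banner to scan against, so no real host or product is involved. Even this modest probe is the "network scanning" the Risks section below warns can load a network, and it must only be pointed at systems that are in scope.

```python
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for a real host: an in-process TCP service on localhost
# that greets each client with a banner. The banner text is invented for this
# example; it is not from any real product.
FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"


def start_banner_service(banner: bytes = FAKE_BANNER) -> Tuple[int, socket.socket]:
    """Listen on an ephemeral 127.0.0.1 port; return (port, listening socket).

    Each accepted client is sent the banner and then disconnected, the way a
    chatty service (SMTP, FTP, SSH) identifies itself before the client speaks.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket closed: shut the thread down
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def free_port() -> int:
    """Pick a port that is (almost certainly) closed: bind, read it back, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """TCP connect probe of one port.

    Returns None if the port is closed or filtered, otherwise the banner the
    service volunteered ('' for an open port that waits for the client, as HTTP does).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""  # open but silent
    except OSError:  # ConnectionRefusedError and socket.timeout are both OSError
        return None
    return data.decode("ascii", errors="replace").strip()


def scan_ports(host: str, ports: Iterable[int]) -> Dict[int, str]:
    """Map every open port to its banner; closed ports are omitted."""
    found: Dict[int, str] = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:
            found[port] = banner
    return found


if __name__ == "__main__":
    open_port, server = start_banner_service()
    try:
        print(scan_ports("127.0.0.1", [open_port, free_port()]))  # {open_port: '220 mail.example.test ESMTP ready'}
    finally:
        server.close()
```

A connect scan completes the TCP handshake on every port it touches, so it shows up in the target's connection logs and IDS alerts; that visibility is a feature when the engagement is also meant to exercise the defenders, and a nuisance when stealth is part of the scope.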
Rationale
A penetration test should be carried out on any computer system that is to be deployed in a hostile environment, in particular any Internet-facing site, before it is deployed. This provides a degree of practical assurance, though not a guarantee, that a malicious user will not be able to penetrate the system.
Black box penetration testing is useful where the tester assumes the role of an outside attacker and tries to intrude into the system without prior knowledge of it.
Risks
Penetration testing can be an invaluable technique in any organization's information security program. Basic white box penetration testing is often done as a fully automated, inexpensive process. Black box penetration testing, however, is a labor-intensive activity and requires expertise to minimize the risk to targeted systems. At a minimum, it may slow the organization's network response times because of the network and vulnerability scanning involved. Furthermore, systems may be damaged in the course of a penetration test and rendered inoperable, even though the organization benefits from knowing that an intruder could have done the same. This risk is mitigated by using experienced penetration testers and by agreeing the scope, test windows and exclusions in advance, but it can never be fully eliminated.
Methodologies
The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels which collectively test: information and data controls, personnel security awareness levels, fraud
and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security
access controls, security processes, and physical locations such as buildings, perimeters, and military bases.
The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. OSSTMM is also known for its Rules of Engagement
which define for both the tester and the client how the test needs to properly run starting from denying false advertising from testers to how the client can expect to receive the report. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.
The National Institute of Standards and Technology (NIST) discusses penetration testing in Special Publication 800-115. NIST's methodology is less comprehensive than the OSSTMM; however, it is more likely to be accepted by regulatory agencies. NIST's document itself refers to the OSSTMM.
The Information Systems Security Assessment Framework (ISSAF) is a peer reviewed structured framework from the Open Information Systems Security Group that categorizes information system security assessment into various domains and details specific evaluation or testing criteria for each of these domains. It aims to provide field inputs on security assessment that reflect real life scenarios. The ISSAF should primarily be used to fulfill an organization's security assessment requirements and may additionally be used as a reference for meeting other information security needs. It includes the crucial facet of security processes, and their assessment and hardening to get a complete picture of the vulnerabilities that might exist. The ISSAF, however, is still in its infancy.
Standards and certification
The process of carrying out a penetration test can reveal sensitive information about an organization. It is for this reason that most security firms are at pains to show that they do not employ ex-black hat hackers
and that all employees adhere to a strict ethical code. There are several professional and government certifications that indicate the firm's trustworthiness and conformance to industry best practice.
The Tiger Scheme is a not-for-profit scheme that offers three certifications: Associate Security Tester (AST), Qualified Security Team Member (QSTM) and Senior Security Tester (SST). The SST is technically equivalent to CHECK Team Leader and the QSTM to CHECK Team Member. Tiger Scheme certifies the individual, not the company. It also offers computer forensics certifications covering Forensic Readiness, Scene of Crime Management, Forensic Practitioner and Malicious Software Analyst. Tiger Scheme is the only scheme in the UK that has all of its assessments accredited and quality audited by a university (the University of Glamorgan).
The Information Assurance Certification Review Board (IACRB) manages a penetration testing certification known as the Certified Penetration Tester (CPT). The CPT requires that the exam candidate pass a traditional multiple choice exam, as well as pass a practical exam that requires the candidate to perform a penetration test against live servers.
SANS provides a wide range of computer security training leading to a number of SANS qualifications. In 1999, SANS founded GIAC, the Global Information Assurance Certification, which according to SANS has been undertaken by over 20,000 members to date. Two of the GIAC certifications are penetration testing specific: the GIAC Certified Penetration Tester (GPEN) certification and the GIAC Web Application Penetration Tester (GWAPT) certification.
Offensive Security offers an ethical hacking certification, the Offensive Security Certified Professional (OSCP), a training spin-off of the BackTrack penetration testing distribution. The OSCP is a hands-on penetration testing certification: holders must successfully attack and penetrate various live machines in a safe lab environment. On completing the course, students become eligible to take a certification challenge that must be completed within twenty-four hours. The documentation must include the procedures used and proof of successful penetration, including special marker files.
Government-backed testing also exists in the US with standards such as the NSA Infrastructure Evaluation Methodology (IEM).
For web applications, the Open Web Application Security Project (OWASP) provides a framework of recommendations that can be used as a benchmark.
The Council of Registered Ethical Security Testers (CREST) provides three certifications: the CREST Registered Tester and two CREST Certified Tester qualifications, one for infrastructure and one for application testing.
EC-Council (the International Council of E-Commerce Consultants) certifies individuals in various e-business and information security skills. Its programs include the Certified Ethical Hacker (CEH) course, the Computer Hacking Forensic Investigator (CHFI) program, the Licensed Penetration Tester (LPT) program and various others, which are widely available worldwide.
Web application penetration testing
Web application penetration testing refers to a set of services used to detect various security issues with web applications and identify vulnerabilities and risks, including:
- Known vulnerabilities in COTS applications
- Technical vulnerabilities: URL manipulation, SQL injection, cross-site scripting, back-end authentication, passwords in memory, session hijacking, buffer overflow, web server configuration, credential management, clickjacking, etc.
- Business logic errors: day-to-day threat analysis, unauthorized logins, personal information modification, pricelist modification, unauthorized funds transfer, breach of customer trust, etc.
OWASP, the Open Web Application Security Project, an open source web application security documentation project, has produced documents such as the OWASP Guide and the widely adopted OWASP Top 10 awareness document.
The Firefox browser is a popular web application penetration testing tool, with many plugins specifically designed for web application penetration testing.
OWASP Mantra Security Framework is a free and open source security toolkit with a collection of hacking tools, add-ons and scripts based on Firefox, intended for penetration testers, web application developers and other security professionals.
Foundstone's Hacme Bank simulates a banking application. It helps developers and auditors practice web application attacks, including input validation flaws such as SQL injection and Cross Site Scripting (XSS).
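The following is an added example, not part of the article and not Hacme Bank's code, showing two of the input validation flaws listed in the web application section above (SQL injection and cross-site scripting) in a toy banking login written in Python against an in-memory SQLite database. The schema, users and payloads are constructed for the example; each vulnerable function is paired with the hardened form a tester would recommend in the report.

```python
import html
import sqlite3
from typing import Optional


def make_bank_db() -> sqlite3.Connection:
    """Constructed sample: a two-user table for a toy banking app (in-memory SQLite).

    Passwords are stored in clear here only to keep the example short; a real
    application stores a salted hash.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, balance INTEGER)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 1500), ("bob", "hunter2", 40)],
    )
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Builds the WHERE clause by string concatenation, so user input becomes SQL syntax.

    With the username  alice' --  the query becomes
        ... WHERE username = 'alice' --' AND password = '...'
    and the password check is commented out.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(db: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same query with bound parameters: the driver passes the input as data, never as SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def greet_vulnerable(display_name: str) -> str:
    """Reflects user-controlled text straight into HTML: reflected cross-site scripting."""
    return "<p>Welcome back, " + display_name + "</p>"


def greet_hardened(display_name: str) -> str:
    """HTML-encodes the text so < > & ' \" cannot open a tag or break out of an attribute."""
    return "<p>Welcome back, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_bank_db()
    payload = "alice' --"
    print("vulnerable login as", login_vulnerable(db, payload, "wrong"))  # alice
    print("hardened login as", login_hardened(db, payload, "wrong"))      # None
    print(greet_vulnerable("<script>alert(1)</script>"))
    print(greet_hardened("<script>alert(1)</script>"))
```

Both fixes are the same idea in different layers: keep untrusted input on the data side of the boundary (bound parameters for SQL, output encoding for HTML) rather than trying to filter "bad" characters, which is what a tester will get past with the next encoding trick.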
See also
- BackTrack
- Computer security
- ITHC
- IT risk
- Metasploit
- Tiger team
- Pentoo
- w3af
- BackBox
External links
- List of Network Penetration Testing software, Mosaic Security Research