Penetration testing – the basics

Penetration testing is the process of exploiting weaknesses in a computer or in the network infrastructure. Real-world hacking techniques are used to exploit the targeted system or network. It helps an organization accurately define its level of information security and identify the weak elements that need to be addressed. It also aids in evaluating an organization's detection and response capabilities and determines whether proper controls are in place. Some perceive penetration testing as vulnerability assessment. Although the two processes go hand in hand in identifying technical security weaknesses, penetration testing is more intrusive in nature and involves active analysis of systems for any weakness, vulnerability or technical flaw.

There are two main approaches to conducting penetration testing: black-box testing and white-box testing. Black-box testing, also known as "zero-knowledge" testing, is an approach with no prior knowledge of the infrastructure or target network. White-box testing is an approach with complete knowledge of the target network. Black-box tests are similar to a real-life hacking attempt; when organizations hire third-party consultants, generally only people with a need to know are informed that the test is taking place. During white-box testing, all information about the infrastructure, including network devices and servers, is provided by the organization. The type of test has to be decided by the organization, as there are pros and cons to each. The main trade-off is whether to skip the time-consuming information-gathering phase and conduct a shorter, more in-depth white-box test, or to experience a realistic simulation of an actual attack on the network.

What are vulnerabilities?

A vulnerability is essentially a weakness or flaw within the information technology (IT) infrastructure; it may be physical, technical or human in nature. The most basic definition would be "any flaw in computer security that could allow an unauthorized user to gain control of a system."

It is important to identify the vulnerabilities within the computer system, the risks associated with them, and the probability of their being exploited. With this in mind, a matrix of the risk associated with each of the organization's important assets may be defined. This is a fairly important practice in managing vulnerabilities.

What do you want to achieve?

There are two major goals in conducting a penetration test/vulnerability assessment. The first is to assess and/or test everything possible. A holistic approach should be taken, as an intruder needs only one hole to break into the network, which may bring the whole infrastructure down. It does not matter whether the hole lies in the primary firewall or in a modem connected to an executive's computer. Often, time and cost are the two factors that get in the way of a complete and comprehensive vulnerability assessment/penetration test. The time spent conducting the assessment/test cannot be shared with other tasks, and the cost may even limit the tools and resources that can be used. For an organization with budget constraints, there are a number of tools that are completely free; however, their use should be restricted to technical people or to those who are very well trained in handling such powerful tools.

The second goal is to generate a clear, concise report that can be read, understood and used by management. One of the most common mistakes in running vulnerability assessment tools is to run them with all the default options. A default report is then generated, printing out thousands of pages with every vulnerability found, from the non-password-protected telnet session on the organization's primary servers down to details such as a workstation responding to a ping request. This method produces a significant number of pages for technical people to read and a long list of vulnerabilities; the big question is: what is the value of this type of vulnerability assessment?
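The risk matrix mentioned under "What are vulnerabilities?" and the default-report problem described above are two sides of the same practice: score each finding by likelihood and by the impact on the asset it sits on, drop the informational noise, and report what is left in rank order. The following is an added illustration, not code from the article or from any scanner; the findings, host names and criticality values are constructed for the example, and the likelihood mapping and risk bands are assumptions a real programme would tune to its own asset inventory.

```python
"""Triage raw scanner findings into a risk-ranked management summary.

Added example: scores each finding on a likelihood x impact risk matrix,
discards informational items such as "host responds to ping", and ranks
the remainder so the report leads with what matters to the business.
"""
from dataclasses import dataclass

# Constructed sample scanner output (not real scan data): the kind of mix a
# default-options scan produces, from a production server down to a
# workstation that merely answers a ping.
RAW_FINDINGS = [
    {"host": "srv-core-01", "title": "Telnet service accepts logins without a password", "severity": "critical"},
    {"host": "srv-core-01", "title": "SSH banner reveals software version", "severity": "low"},
    {"host": "fw-edge", "title": "Management interface reachable from the internet", "severity": "high"},
    {"host": "ws-exec-07", "title": "Outdated office suite", "severity": "medium"},
    {"host": "ws-112", "title": "Host responds to ICMP echo request", "severity": "info"},
    {"host": "ws-113", "title": "Host responds to ICMP echo request", "severity": "info"},
    {"host": "printer-3f", "title": "SNMP community string 'public'", "severity": "medium"},
]

# Impact if the asset is compromised, 1 = low, 5 = business critical.
# Assumed values for the constructed hosts; real ones come from the asset inventory.
ASSET_CRITICALITY = {
    "srv-core-01": 5, "fw-edge": 5, "ws-exec-07": 4,
    "ws-112": 1, "ws-113": 1, "printer-3f": 2,
}

# Likelihood of exploitation derived from scanner severity (assumed mapping).
# Informational findings get 0 so they never reach the report.
LIKELIHOOD = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 0}


@dataclass(frozen=True)
class RankedFinding:
    host: str
    title: str
    severity: str
    likelihood: int
    impact: int

    @property
    def risk(self) -> int:
        # Classic risk-matrix product, range 0..25.
        return self.likelihood * self.impact


def triage(findings, criticality, min_risk=4):
    """Score every finding, drop informational noise and anything below
    min_risk, and return the rest ranked highest risk first."""
    ranked = []
    for f in findings:
        likelihood = LIKELIHOOD.get(f["severity"], 0)
        if likelihood == 0:
            continue  # e.g. "responds to ping": not a vulnerability, not reported
        impact = criticality.get(f["host"], 3)  # unknown asset: assume medium impact
        rf = RankedFinding(f["host"], f["title"], f["severity"], likelihood, impact)
        if rf.risk >= min_risk:
            ranked.append(rf)
    return sorted(ranked, key=lambda r: (-r.risk, r.host))


def risk_band(score: int) -> str:
    """Map a 0..25 risk score onto the three bands management usually sees."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def management_summary(ranked, top_n=3):
    """Counts per band plus the top items: a one-page view for the CEO,
    while the full ranked list goes to the CTO."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for r in ranked:
        counts[risk_band(r.risk)] += 1
    top = [(r.host, r.title, r.risk) for r in ranked[:top_n]]
    return {"counts": counts, "top": top}


if __name__ == "__main__":
    ranked = triage(RAW_FINDINGS, ASSET_CRITICALITY)
    summary = management_summary(ranked)
    print("Findings by risk band:", summary["counts"])
    for host, title, risk in summary["top"]:
        print(f"  [{risk:2d}] {host}: {title}")
```

With the constructed input, the two ping responses are discarded, the unauthenticated telnet service on the core server ranks first with a score of 25, and the summary reports two high, two medium and one low finding instead of a page per host. Raising `min_risk` is the knob that trades report length for coverage.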

Some professionals and even organizations rely solely on the latest available scanning tools to perform assessments, but scanners are only one part of the complete vulnerability assessment process. Over-reliance on such tools can leave holes that may lead to an information security compromise. Methodology is one of the most crucial factors in the success of a penetration test/vulnerability assessment. Another important consideration is the trustworthiness and reputation of the consultants who will be conducting the testing. A penetration testing professional's skills need to be specialized for the task at hand, and the approach should follow a formal methodology that provides a disciplined framework for conducting the penetration test/vulnerability assessment.

In summary

The ultimate goal of a penetration test/vulnerability assessment is to produce useful results, directed towards addressing technical issues and showing how doing so will benefit the business as a whole. While a CEO may be more concerned with how the organization's overall security compares with industry standards, a chief technology officer (CTO) would be more interested in the details of a potential security hole.

Presenting the return on investment (ROI) for a penetration test/vulnerability assessment can be difficult, as it is a proactive measure. Sadly, this is not the way most organizations act when it comes to information security; everything is reactive. Action is not taken unless a breach or intrusion has occurred. Awareness of information security, as well as of local regulation (i.e., BSP Circular 542), is rising, so the understanding of why to go through a penetration test and vulnerability assessment is growing. As part of a computerized organization, whether you are with the technical or the business group, I would like to leave the following questions: How secure do you think your technical environment is? Who is inside and watching your network? Who has access to your data? Is all confidential information appropriately secured? Where are you now in terms of information security?

(Jeannine Roxas-Ducusin  is a Manager  for Risk Advisory Services of Manabat Sanagustin & Co., CPAs, a member firm of KPMG International, a Swiss Cooperative. This article is for general information only and is not intended to be, nor is it a substitute for, informed professional advice. While due care was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances. For comments or inquiries, please email manila@kpmg.com.ph or jducusin@kpmg.com)
