Every company has the responsibility to organize and perform penetration testing (pen-test) of its premises and systems at certain intervals. However, few companies understand the process of penetration testing and rely on the supplier to provide all direction. Here is a brief description of a penetration testing methodology, that should aide the security officers in managing the actual test.
A penetration test (pen-test) is a controlled process in which a trusted third party performs security verification by using methods, tools and styles that would be performed by persons with malicious intent.
Elements of the pen-test
Target - a resource which will be targeted for attack during the pen-test. The target can be a single item (server, router, safe) or a set of resources with some common denominator (server farm, network segment, offices)
Trophy - a resource that the testers are tasked with extracting or destroying. Malicious attackers usually stand to gain benefit from the attack, and if the valuable resource is identified, it can be tagged as a 'trophy' to be won by the pen-testers. Bear in mind that sometimes the trophy may not be a physical item, but a loss of functionality or service that can tarnish the reputation of the company.
Test vector - the attack channel or set of channels that the pen-testers will use during the test.
Test type - which type of test will the pen-tester perform.
- Black box - the pen-tester performs the attack with no prior knowledge of the infrastructure, defence mechanisms and communication channels of the target organization. Black box test is a simulation of an unsystematic attack by weekend or wannabe hackers (script kiddies).
- Gray box - the pen-tester performs the attack with limited knowledge of the infrastructure, defence mechanisms and communication channels of the target organization. Gray box test is a simulation of a systematic attack by well prepared outside attackers or insiders with limited access and privileges.
- White box - the pen-tester performs the attack with full knowledge of the infrastructure, defence mechanisms and communication channels of the target organization. White box test is a simulation of a systematic attack by well prepared outside attackers with insider contacts or insiders with largely unlimited access and privileges.
This element differentiates from what kind of malicious attackers is the company trying to protect itself. Each next test type is not a super set of the previous one. For proper penetration testing, one has to perform all three types of test.
The penetration test must be approved by top management, with proper signed decision. The decision to perform a pen-test and it's details must be maintained as highly guarded secret which is known only to the top management, the security officer of the company and internal audit.
The supplier of the test (pen-tester) must be a credible and trusted company with relevant experience. Prior to top management approval, the supplier must provide a detailed pen-test plan to be approved by the the security officer. This test plan must include details about
- the target
- the trophy
- the test vector (locations to be tested, sources of pen-test attack like phone numbers, ip addresses etc.)
- the test type (white, gray or black box)
- names and references of all persons that will perform the pen-test to be approved by the buyer
- list of tools and methodologies that will be utilized during the pen-test
- method of protecting any collected confidential information during the pen-test
- method of self-auditing the entire pen-test process
- method of buyer-auditing the entire pen-test process
- time period of the pen-test
This test plan when approved will be amended to the pen-test contract, which should also include the following:
- A clause for penalties for any damages caused by the pen-test, which should not be higher then the contract value, except when malicious intent is proven
- A clause for risky test approval in which the buyer will approve or disprove possibly risky tests. Should such tests be approved, a list of targets and tests must be included.
- A clause to confirm that there is no conflict of interest by any involved parties in the penetration test. This clause should include or be amended by full industry affiliation of all involved parties.
- A clause of full confidentiality - restriction on using the results of the test for commercial purposes; restriction on publication of references regarding the pen-test; full and utmost protection of all information, results and conclusions collected during the negotiation, preparation and pen-test regardless of existing Non-disclosure agreements.
- A clause of immediate full disclosure - all collected results and conclusions must be reported in detail, regardless of estimated severity. Each conclusion must include tools and process description used to reach the conclusion. All conclusions estimated as critical and severe must be reported as they are identified in the pen-test, and the full detailed report must be handed over in maximum 48 hours days after completion of the pen-test.
Since the penetration process is a controlled process, it must be subject to immediate and later audit. This can and should include
- on-hand surveillance of the penetration test as it is performed
- filming the entire process on video camera
- full packet capture on all interfaces through which the penetration test is performed
Finally, here is a diagram of a penetration test process
NOTE: That this description is too brief to provide a full pen-test methodology. It is however based on a OSSTMM 2.2 (Open-Source Security Testing Methodology Manual), which i recommend to be read by everyone. However, this document is much more helpful to penetration testers.
Talkback and comments are most welcome