Attack and Penetration Testing

    Why is third-party penetration testing necessary?

    Independent IT security auditing is a must for any security-conscious enterprise or organisation that strives to reduce information security risks, avoid related liability claims and become compliant with crucial standards and certifications, such as ISO 27001. It is a complex process that involves both non-technical tasks (reviews of security policies and guidelines, social engineering "hacks") and hands-on technical tasks, such as penetration testing. While your internal technical team might be extremely competent when it comes to IT security, they are unlikely to be trained to look at the IT infrastructure through the hacker's eyes, or to have the time and resources to study and test the latest attack techniques, methodologies, approaches and tools in detail. In a nutshell, IT security systems administrator (not to mention general system administrator and technician) and penetration tester are two completely different trades that require distinct mentalities, experience and skill sets. Besides, compliance with standards and certifications, as well as client relations and partnerships, can simply demand that the IT security auditors be external. Also, being serviced by a respected, well-accredited penetration testing firm can significantly improve a company's public image, demonstrating that management takes both corporate and customer information security very seriously. In turn, this will strongly help to avoid negligence lawsuits if an incident still takes place. Thus, the security policies of many corporations and organisations accommodate regular third-party penetration tests, and these policy statements are meticulously followed through.


    Different types of penetration tests

    The main aim of any penetration test is to discover and mitigate information security risks for the evaluated party. Since modern networks are exposed to different, even unique, classes of security risk, distinct types of penetration testing services exist to counter the threats posed by them. At the moment, the most common penetration testing service offered on the market is external penetration testing. It involves mapping the publicly exposed IT infrastructure and probing for possible vulnerabilities and misconfigurations from the Internet side. A report suggesting solutions to all the problems found is provided afterwards. However, statistics collected by various law enforcement agencies around the world (for example, the FBI) demonstrate that, despite all the media hype about hacking attacks from the Internet, the major threat comes from internal attackers. Such attackers can be disgruntled employees, contractors with access to the company's internal network, guest users, external hackers who have succeeded in breaking through the secure perimeter, or even industrial spies. Internal penetration testing combats this particular threat by helping to find and eliminate security flaws from within the audited network. It also checks whether the segments of your internal network belonging to different departments and branches are properly and securely separated. Usually this procedure requires a typical unprivileged employee network access level for the auditors performing the test. Sometimes it may also involve host penetration testing, which means elevating the access privileges on a single host (most often a server) to which limited (user or guest) access is provided.

    Other penetration testing types include application and appliance security evaluation, as well as source code security reviews. If your business operations strongly depend on a specific application or appliance, which is typical for e-commerce firms and other entities performing financial transactions and customer communications online, it makes perfect sense to put these critical IT infrastructure elements under expert scrutiny. This will help to eliminate dangerous security flaws and suggest optimal hardened configurations before the vital application or appliance goes into production and becomes exposed to various external and internal threats. Such an evaluation can be done both on-site at your premises and off-site in a testing laboratory of the security company hired to do the audit. If your business depends on or requires in-house software development, the source code of developed applications can be checked by the external auditors for potential security problems prior to its compilation and use. An appropriate Non-Disclosure Agreement (NDA) with the third party performing the audit will be signed prior to the review to guarantee that your proprietary information is not exposed to the outside world.

    The last, but not least important, penetration testing type is wireless penetration testing. More and more corporations, organisations and government bodies offer mobile access to their employees, customers and guests. To evaluate the security of wireless networks, the auditors must possess specific qualifications, knowledge, skills, experience, hardware and software related to mobile communications and protocols. This makes proper wireless penetration testing a specialised service that not every security company can offer. Bear in mind that the absence of an officially deployed wireless network does not mean that a wireless audit is not needed. Unauthorised wireless devices and client hosts with wireless connectivity enabled (for example, the majority of modern laptops and PDAs with built-in Wi-Fi, and mobile phones with built-in Bluetooth support) provide a perfect back-channel into the internal network for outside attackers. Wireless security audits go a long way towards finding and eliminating all such devices and turning off unnecessary wireless access on the client hosts.

    Selecting the consultants to perform proper penetration testing of your IT infrastructure

    A security company must be able to offer the full range of penetration testing services listed above. As the business IT infrastructure grows and new technologies become integrated, a need for additional types of audit is likely to arise. You don't really want to hire one company to perform external checks, another to do wireless penetration testing, and a third to assess application security. A word of warning: unfortunately, many IT security firms use exactly the same tools and methodologies for both internal and external audits. External penetration tests are mainly server- and firewall-centric, while many internal tests are protocol-centric, including security assessment of low-layer protocols. Thus, the approach to internal security audits has to be quite different. When evaluating an IT security company, it is always worth checking whether they use different tools, methodologies and reporting formats for internal and external penetration tests. Obviously, the same applies to other forms of penetration testing, such as host, wireless, application, appliance and source code checking.

    Another problem is that the growing market demand for penetration testing services has created many security firms that, frankly, have little to offer for the money they charge. Very often, such a company acquires a free or commercial security auditing tool, runs it against the customer's network and prints out the report produced by the application. This kind of testing only creates a false sense of security, since a flaw not discovered by the one tool they use may well be found by another tool they don't use, and the attackers do. Such an assessment would not identify network architecture misconfigurations and, most importantly, vulnerabilities not yet known in the public domain, no matter how expensive and comprehensive the tools used are. The only way to discover such flaws is to roll up the sleeves and perform thorough "old school" manual testing of the services, applications and protocols involved. Apart from finding unknown security holes, manual testing is absolutely necessary to verify the output of automated vulnerability scanners. Usually, 50 to 60% of all problems reported by such scanners are false positives. If they are not manually verified to present a real security risk, your IT team will spend plenty of time and valuable resources fixing issues that simply do not exist!

    Finally, the reports provided by the penetration testers have to be concise and understandable, and contain a high-level overview of the audited entity's security state, as well as a summary and conclusions clearly produced by a human analyst and not by some automated tool. They must also include a risk rating and an estimate of the attacker skill required for every potential vulnerability found. After all, defining the acceptable security risk level for your company's IT infrastructure and allocating work time and resources for reaching and maintaining this level is entirely up to you as a manager. If a flaw is reported but shown not to present a significant risk, or only a handful of people in the world can execute an attack abusing such a flaw, does it really need to be fixed immediately?

    RUauthorised solves this problem by combining the very best in freeware, commercial and in-house developed tools with an extensive pentesting template and procedures, written by an expert team and overseen by a C.L.A.S. (www.cesg.gov.uk) registered Consultant. Our philosophy on testing has proved so successful that over 65% of the vulnerabilities we document for clients have been missed by the best automated scanners, but discovered in the subsequent manual testing.

    We at RUauthorised strive to comply with every single point outlined above by providing the complete range of professional penetration testing services, employing methodologies and tools specific to each service type. Thorough manual and automated discovery of known and unknown vulnerabilities and misconfigurations is performed as a solid foundation for the overall expert assessment of the IT infrastructure's security level and risk.

    To view the summary of the vulnerability tests and other security services offered by RUauthorised, please click here.



    Tel.: +44 (0) 1202-757622
    Mob.: +44 (0) 7769-881071
    Fax: +44 (0) 1202-757622
    www.ruauthorised.com
    e-mail: info@ruauthorised.com
    RUauthorised Ltd.
    Company Registration in England & Wales 05665305