
When is a bad guy not a bad guy?  When he is your friend pretending to be a bad guy in order to protect you. That’s what Penetration Testing is all about.

Organizations spend a lot of time and money protecting their networks from hackers. Every connection point between their internal network and internet needs to be protected by a Firewall and malware scanning. The best defense is layered, so every computer on the network needs to be protected with malware scanning and its own Firewall. This involves a lot of time, effort and money.

Despite these protections, networks are still breached. Even companies that specialize in network security have been breached. In February, Bit9 revealed that their network had been breached. Once inside, the firm said, attackers were able to steal Bit9's secret code-signing certificates. These were then used to successfully spread malware signed as trusted Bit9 software.

How could this happen? Because they failed to use their own software designed to prevent such breaches!

Symantec has had to deal with the ongoing fallout from having their source code stolen for the 2006 versions of Norton Utilities, PC Anywhere and other products. In 2012 the code was released on the internet by affiliates of the hacktivist group Anonymous.

As with the Bit9 incident, hackers located a server on the company’s network that was not configured to their usual standards. That is all it takes.  One opening and the bad guys are in.

When an organization wants, nay needs to go the extra mile to ensure they are safe from the bad guys, they can call in the good guys for Network Penetration Testing.

Network Penetration Testing, aka pentesting, includes many of the same activities as malicious hackers, except that they are conducted as a service to the target. Testers probe networks and websites by simulating a hacker attack to see if there are security holes that could compromise sensitive data.

So called “White Hat” testers identify critical attack paths in a network’s infrastructure and provide advice on eliminating these threats.  They attempt to bypass security weaknesses to determine exactly how and where the infrastructure can be compromised.

Conventional system and user testing of software determines whether desired inputs produce desired outputs and responses, but fails to fully test the impact of undesired inputs. A vulnerability tester will provide input into a system precisely to see if it produces a response that can be exploited. This is like poking the caged tiger with a stick to see how it will react, but without the risk of getting your hand cut off!

When people think of input they usually think first of input from a user interface, such as key entry or mouse clicks.  Just as important are inputs from other application interfaces such as the Windows registry file or DLL files. Penetration testers will make changes to the registry and infect DLL files just to see what the results are.

They also have automated tools that can accomplish far more than you could ever do manually. Many of these tools have legitimate purposes, but can be turned to the dark side by hackers. Sniffer programs, for example, were invented to listen to network communication and assist in diagnosing network issues. Ironically, they can be used both to detect network intrusions and to be an intrusion in a network. Intruders use sniffers to spy on user communication and capture their security credentials.

Similarly, the same type of automated processes that search engines use to index web pages can be used to search for information and vulnerabilities. Web crawlers, aka spiders, retrieve a web page and recursively traverse hyperlinks to retrieve web content that can be exploited.

Other penetration testing includes the following:

  • Search engine discovery/Reconnaissance: Search the Google Index and remove the associated web content from the Google Cache
  • SSL/TLS (Secure Sockets Layer / Transport Layer Security) Testing: Test for vulnerabilities and for support of weak ciphers.
  • Infrastructure configuration management testing: Identify vulnerabilities due to server configuration.
  • Testing for File extensions handling: Identify vulnerabilities due to default file extensions and misconfigurations.
  • Testing for user enumeration: Many systems will tell you if a username entered does or does not exist in the system. This can be useful for brute force attacks that try every possibility to overcome authentication. Instead of having to test every possible combination of userid and password, you can crack the userid first and then work on the password.
  • Testing for logout and browser cache management: This test ensures that once a user “logs out” they are actually logged out and it is not possible to reuse the user’s session.
  • Testing SQL Databases: Breaching a database can give the hacker the proverbial keys to the kingdom, exposing critical financial, employee and customer data that criminals covet. Testing can include checking for vulnerability to SQL injection attacks and whether default administration user ids and passwords are still in place rather than changed or deleted.
  • Buffer overflow testing: A buffer overflow is one of the oldest hacker techniques and critical for the good guy hackers to test. The hacker attempts to overwhelm a system with a large volume of data and, if the system is vulnerable, it may write the data outside the normal buffers and into memory. This can cause the system to crash, or malicious code in memory may execute.
  • Web Services Testing: A web application may consist of numerous services, each requiring a different authentication procedure and enforcing different security policies. Such complexity increases the potential for an exploitable hole that must be identified.
  • AJAX Testing: AJAX is used to make highly interactive and data-rich web applications, but is highly vulnerable to hacker exploitation. It uses text files sent to the client with JavaScript and XML data files that interact with the server with unvalidated data in an insecure environment. Testing includes determining if an AJAX application can be made to execute malicious code and if data transfers can be intercepted.
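Three of the checks in the list above (user enumeration, SQL injection, and session reuse after logout) come down to a few lines of login code. The following is an added example, not code from the original post: a miniature login module with a deliberately weak version next to a hardened one, backed by an in-memory SQLite database. The account name, password, salt, and the `login_vulnerable`/`login_hardened`/`logout` functions are all constructed for illustration.

```python
"""Added example: weak vs hardened login handling for the pentest checklist
(user enumeration, SQL injection, logout/session invalidation).
All data below is constructed; nothing is taken from a real system."""
import hashlib
import hmac
import secrets
import sqlite3

# Constructed salt; a real deployment stores a random per-user salt.
SALT = b"constructed-salt"


def _hash(pw: str) -> str:
    """Salted PBKDF2 hash of a password, hex-encoded."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000).hex()


# Precomputed so that unknown users cost the same as known ones (timing).
DUMMY_HASH = _hash("dummy-password")


def make_db() -> sqlite3.Connection:
    """In-memory user table with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    db.commit()
    return db


# ---- Weak version: what the tester hopes NOT to find ----------------------
def login_vulnerable(db: sqlite3.Connection, user: str, password: str) -> str:
    # SQL injection: the username is spliced into the query text, so a quote
    # in the input changes the query instead of being treated as data.
    row = db.execute(f"SELECT pw_hash FROM users WHERE name = '{user}'").fetchone()
    # User enumeration: distinct messages reveal whether the account exists.
    if row is None:
        return "no such user"
    if row[0] != _hash(password):
        return "wrong password"
    return "ok"


# ---- Hardened version ------------------------------------------------------
SESSIONS: dict = {}  # server-side session store: token -> username


def login_hardened(db: sqlite3.Connection, user: str, password: str):
    """Returns (message, session_token_or_None)."""
    # Parameterized query: the driver keeps the input as data, never as SQL.
    row = db.execute("SELECT pw_hash FROM users WHERE name = ?", (user,)).fetchone()
    candidate = _hash(password)            # always computed, even for unknown users
    stored = row[0] if row else DUMMY_HASH
    # One generic failure message, compared in constant time.
    if not hmac.compare_digest(stored, candidate) or row is None:
        return "invalid username or password", None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return "ok", token


def logout(token: str) -> None:
    """Invalidate the session on the server, not just in the client's cookie."""
    SESSIONS.pop(token, None)


def is_logged_in(token: str) -> bool:
    return token in SESSIONS


def demo() -> dict:
    """Run both versions against normal, unknown and injected input."""
    db = make_db()
    injected = "' OR '1'='1"  # textbook tautology; alters only the weak query
    results = {
        "vuln_unknown": login_vulnerable(db, "bob", "x"),
        "vuln_known": login_vulnerable(db, "alice", "x"),
        "vuln_injected": login_vulnerable(db, injected, "x"),
        "hard_unknown": login_hardened(db, "bob", "x")[0],
        "hard_known": login_hardened(db, "alice", "x")[0],
        "hard_injected": login_hardened(db, injected, "x")[0],
    }
    msg, token = login_hardened(db, "alice", "correct horse")
    results["login_ok"] = msg
    results["session_before_logout"] = is_logged_in(token)
    logout(token)
    results["session_after_logout"] = is_logged_in(token)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the weak version the tester sees two different failure messages (so usernames can be confirmed one by one) and an injected name that still reaches the password check (proof that the query text was altered). The hardened version answers every failure identically, keeps input out of the SQL text, and drops the session server-side on logout so a captured token cannot be replayed afterwards.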

The benefits are manifest. Penetration Testing will help you:

  • Avoid the financial loss that could occur from a breach.
  • Comply with regulations and security certifications.
  • Protect your company, customers, and brand.
  • Maintain business continuity and avoid service disruptions.

The bottom line is this: would you prefer for the door to be shut before or after the horse has left the barn? I favor shutting the door with the help of penetration testing.
