PENETRATION TESTING: ONE STEP CLOSER TO SECURITY

By Vishnu Subramoniam on September 30, 2014

Wiki Says “A penetration test, or the short form Pentest, is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data.” – Ethically.

What we are missing? I will quote a simple example from our daily life where we totally misjudge the concept of security. I have often noticed our Homes guarded with thick strong Doors on the front, with alarms and even with electronic encrypted automated locks. I always wonder why we would presume the threat to strike from the front always. What about the balconies & kitchen doors? Do they offer the same security as the front ones do? Well, we might pay for getting easy on the later parts. That’s where our home security is vulnerable.

Let’s get tvo the topic now – Compare the Home to your ‘Website’ or ‘Application’, the front door to the ‘Login’. Yes, you have taken good care in encrypting firewalling your logins. But on second thoughts – ‘Is your website/application really secure from all sides?’ Finding out the soft spots of your application is as important as any other level of development. The soft spots are called ‘Vulnerabilities’ and exploiting the soft spots for access to the system is called ‘Hacking’.  Let’s get a little technical now- to start with, let’s get to the basic terminologies in Pentest.

What is a Vulnerability?

Wiki Says “In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.”

Let’s say, Vulnerabilities are flaws in computer software that create weaknesses in the overall security of the computer or network. Vulnerabilities can also be created by improper computer or security configurations. Threats exploit the weaknesses of vulnerabilities resulting in potential damage to the computer or personal data.

What is an Exploit?

To take advantage of a vulnerability, you often need an exploit, a small and highly specialized computer program whose only reason of being, is to take advantage of a specific vulnerability and to provide access to a computer system. Exploits often deliver a payload to the target system to grant the attacker access to the system.

What is a Payload?

A payload is the piece of software that lets you control a computer system after it’s been exploited. The payload is typically attached to and delivered by the exploit. Just imagine an exploit that carries the payload in its backpack when it breaks into the system and then leaves the backpack there. Yes, it’s a corny description, but you get the picture.

Vulnerability causes can be broadly due to:

  • Design and development errors
  • Poor system configuration
  • Human errors

Why Penetration testing?

  • Securing financial data while transferring between different systems & networks.
  • It’s been a trend nowadays that many clients are asking for pen testing as part of the software release cycle
  • To secure user data
  • To find security vulnerabilities in an application

It’s very important for any organization to identify security issues present in internal network and computers. Using this information, Securityorganization can plan defense against any hacking attempt. User privacy and data security are the biggest concerns nowadays. Imagine if any hacker manage to get user details of social networking site like Facebook. Organization can face legal issues due to a small loophole left in a software system. Hence, big organizations are looking for PCI compliance certifications before doing any business with third party clients.

What should be tested?

In cases of threats, we should ensure the security of Software – Hardware – Network – and the Process.

Penetration Testing Types:

1) Social Engineering: Human errors are the main causes of security vulnerability. Security standards and policies should be followed by all staff members to avoid social engineering penetration attempt.

2) Application Security Testing: Using software methods one can verify if the system is exposed to security vulnerabilities.

3) Physical Penetration Test: Strong physical security methods are applied to protect sensitive data. This is generally useful in military and government facilities. All physical network devices and access points are tested for possibilities of any security breach.

Pen Testing Techniques:

1) Manual penetration test

2) Using automated penetration test tools

3) Combination of both manual and automated process

The third process is more common to identify all kinds of vulnerabilities.

Penetration Testing Tools:

Automated tools can be used to identify some standard vulnerability present in an application. Pentest tools scan code to check if there is malicious code present which can lead to potential security breach. Pentest tools can verify security loopholes present in the system like data encryption techniques and hard coded values like username and password.

Criteria to select the best penetration tool:

  • It should be easy to deploy, configure and use.
  • It should scan your system easily.
  • It should categorize vulnerabilities based on severity that needs immediate fix.
  • It should be able to automate verification of vulnerabilities.
  • It should re-verify exploits found previously.
  • It should generate detailed vulnerability reports and logs.

Once you know what tests you need to perform, you can either train your internal test resources or hire expert consultants to do the penetration task for you.

Few of the Free and Commercial Tools:

Free services: Nmap, Nessus, Metasploit, Wireshark, OpenSSL, Cain & Abel, THC Hydra, w3af

Commercial services: Pure Hacking, Torrid Networks, SecPoint, Veracode.

Limitations of Pentest tools: Sometimes these tools can flag false positive output, which results in spending more developer time on analyzing such vulnerabilities which are not present.

A little detail on Manual Penetration Test:

It’s difficult to find all vulnerabilities using automated tools. There are some vulnerabilities which can be identified by manual scan only. Penetration testers can perform better attacks on application based on their skills and knowledge of system being penetrated. The methods like social engineering can be done by humans only. Manual checking includes design, business logic as well as code verification.

Penetration Test Process:

Let’s discuss the actual process followed by test agencies or penetration testers. Identifying vulnerabilities present in system is the first important step in this process. Corrective action is taken on these vulnerability and same penetration tests are repeated until system is negative to all those tests.

Let’s categorize this process in following methods:

1) Data collection: Various methods including Google search are used to get target system data. One can also use web page source code analysis technique to get more info about the system, software and plugin versions. There are many free tools and services available in the market which can give you information like database or table names, DB versions, software versions, hardware used and various third party plugins used in the target system.

2) Vulnerability Assessment: Based on the data collected in first step one can find the security weakness in the target system. This helps penetration testers to launch attacks using identified entry points in the system.

3) Actual Exploit: This is crucial step. It requires special skills and techniques to launch attack on target system. Experienced penetration testers can use their skills to launch attack on the system.

4) Result analysis and report preparation: After completion of penetration tests, detailed reports are prepared for taking corrective actions. All identified vulnerabilities and recommended corrective methods are listed in these reports. You can customize the vulnerability report format (HTML, XML, MS Word or PDF) as per your organization needs.

Limitations of Pentest:

Like any other process in the system, Pentest has its own drawbacks and limitations. Quoting a few –

  • Limitations of scope
  • Limitations of time
  • Limitations on access of penetration testers
  • Limitations on methods of penetration testers

Additional limitations are connected with the penetration testing team and their pen tests tools arsenal:

  • Limitations of skills of penetration testers
  • Limitations of imaginations of penetration testers
  • Limitations of known exploits
  • Most of penetration testers do not write their own exploits

 

Remember, Penetration testing provide an excellent view of the actual security state of an environment as well as the organization security state despite all its minor weaknesses. And this is a big deal, among organizations that want to protect their business as well as make secure their business in terms of information security. Penetration testing highlights what a real-world bad guy might see if he or she targeted the given organization.

 

 

Leave a Reply

SCROLL TO TOP
This site is registered on wpml.org as a development site.