
Perimeter

9/20/2010 06:40 PM
Vincent Liu
Commentary

The What And The Why Of Professional Penetration Testing

Welcome to the first in a series of posts on professional penetration testing. During the course of the next few entries, I will shed light on the often confusing and rarely straightforward world of penetration testing, based on my experience during the past decade as both a professional penetration tester and a manager of penetration testing teams.

A penetration test is a type of security assessment that simulates a real-world attack by a determined adversary against one or more of your target assets. These assets can be networks, applications, devices, infrastructure, or anything else you deem important enough to protect. What makes penetration testing unique is the actual exploitation of targets in a live environment. Unlike other forms of security assessment, a penetration test means the tester will actively exploit identified vulnerabilities and leverage any weaknesses within the targets to gain further access.

When deciding whether a pen test should be conducted, an organization should be trying to answer the following question: "Can someone break into my sensitive assets?" A penetration test's primary purpose is to breach the security of a target in as realistic a fashion as possible. The focus of a pen test is not, however, to identify as many vulnerabilities as possible, nor to calculate the risk that an asset poses. While hybrid variations do exist, in their pure form those types of security tests are more accurately termed "vulnerability assessments" and "risk assessments," respectively.

As part of my job, I often encounter people who confuse the terms and wind up asking for one thing and wanting another. I've had clients ask me for penetration testing but to avoid performing any exploitation. Once I even had a client ask me for a "robot test" -- but that's neither here nor there. So remember that when requesting a penetration test, you're really asking for a real-world attack that involves exploiting your targets to determine whether their security can be compromised.

Over the years, I've observed a steady increase in the use of penetration testing by organizations attempting to secure their systems. As recently as a few years ago, the vast majority of organizations did not perform any kind of security testing. This is perhaps understandable, as they had no compelling reason to do so other than it being a "good idea" -- like flossing every day. But with the threats facing a company's assets growing in number and sophistication, there has been a corresponding increase in organizational awareness of these risks and an expansion in the effort taken to protect against them. So it should come as no surprise that several interested parties have begun pushing for the use of pen testing to validate the security of a system.

But why do organizations ask for penetration testing? In my experience, the most common reasons a company performs penetration testing are the following:

  • meeting a regulatory, industry, or customer requirement (e.g., FISMA, PCI, NERC CIP);
  • confirming the security of an application as part of the secure development life cycle;
  • validating a risk or vulnerability management program's effectiveness;
  • proving the (in)security of a system to make (or break) a case; and
  • demonstrating the real consequences of unaddressed vulnerabilities.

By far the largest driver is the growing number of regulatory and industry requirements calling for this type of testing, usually on an annual basis. In addition, an increase in consumer awareness has prompted companies to also enforce stronger security requirements internally against their own systems as well as against any systems owned by third-party providers. To be blunt, these drivers amount to "because I said so" reasoning. And, of course, you comply if you want to pass the audit or win the business.

Penetration testing is also one of the first activities put in place by development organizations that are adopting, or already run, an active application security program. Usually the pen test is conducted alongside QA testing or as the final phase before release into production.

Penetration testing can also be used to determine the efficacy of established risk or vulnerability management programs. This type of testing can be seen as a form of security controls testing and is normally performed on an annual basis. Many companies also have security policies that mandate an annual penetration test. Less commonly, although frequent enough to warrant mention, pen testing can be used to prove the (in)security of a system or demonstrate the real world impact of insecure systems and unmitigated vulnerabilities.

Of course, there are many additional reasons for performing a penetration test, but whatever the driver, the test should fundamentally answer the question of whether the security of the system can be breached.

Stay tuned for the next entry in this series on professional penetration testing. I'll discuss the different types and variations of penetration tests in addition to beginning a larger discussion on the different skill levels of penetration testers.

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. Before founding Stach & Liu, Vincent led the Attack & Penetration and Reverse Engineering teams for the Global Security unit at Honeywell International. Prior to that, he was a consultant with the Ernst & Young Advanced Security Centers and an analyst at the National Security Agency. He has presented his research at conferences including Black Hat, ToorCon, InfoSec World, SANS, and Microsoft BlueHat. Vincent has been published in interviews, journals, and books with highlights including "Hacking Exposed: Wireless" and "Hacking Exposed: Web Applications."

Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting.
