When the world became aware of the magnitude of the threat posed by hacking, various security measures were invented by computer experts and security specialists. One of the most prominent among such measures is the process called penetration testing. In this chapter we shall look into this concept in detail and the various reasons for undertaking this testing.
What is it?
Penetration testing is the process whereby a deliberate attack is mounted on a computer system, in which its weak spots are noted, and the data stored in it is accessed. The intention is to demonstrate and thereby ascertain the efficiency of the security safeguards installed in the system.
The primary objective of penetration testing is to find out the vulnerable areas in a system and fix them before any external threat compromises them. The key areas to be tested in any penetration testing are the software, hardware, computer network and the process.
The testing can be done either in an automated way or manually. The automated method makes use of software and programs that the penetration tester has composed, which are then run through the system and network. However, it is not possible to find out all vulnerabilities solely through penetration testing.
This is where manual testing comes in. For instance, the vulnerabilities in a system due to human errors, lack of employee security standards, design flaws or faulty employee privileges can be diagnosed better by way of manual penetration testing.
Besides the automated and manual methods of penetration testing, there is a third variety which is basically a combination of both automated and manual systems. This form of testing is more comprehensive in terms of area of coverage and hence it is used commonly to identify all possibilities of security breaches.
This is in many ways similar to the concept called “business process re-engineering” and is used as a management planning and decision-making tool. The process of penetration testing involves execution of the following steps:
• Identification of the network and in particular, the system on which the testing is to be carried out.
• Fixing of targets and goals. Here, a clear demarcation is made between breaking into a system to prove its faults as against breaking into and retrieving information contained in the system.
• Gathering information pertaining to the structure of the system or network.
• Reviewing the information that has been collected and based on such data, charting out a plan of action to be adopted. Multiple courses of action may be outlined and the most suitable one is selected.
• Implementation of the most appropriate course of action.
There are two broad kinds of penetration tests. It may be in the form of a “White Box” test or a “Black Box” test. In case of a white box test, the company or organization enlists the services of an agency or individual to carry out the penetration tests, and provides them with all information with respect to the structure of the system and its background.
The party carrying out the tests need not do any groundwork for collection of information. On the other hand, where the penetration test is of the black box variety, very little or in most cases, no background information is provided to the agency except the name of the organization for which the test is being done.
Once the penetration test is successfully completed, the system administrator or owner is briefed about the weaknesses in the system that have come to the fore as a result of the test. The test report should list out in detail the weak spots as observed in the test, the severity of such flaws, the short-term and long-term impact on the system and its contents and finally the methods to fix such shortcomings.
Various strategies employed
The following are the most commonly adopted strategies of penetration testing:
In this form of penetration testing, the procedure is performed by the organization’s in-house security department. They may call for the help of external agencies but the decision making and implementation powers rest with the organization itself. One of the most characteristic features of this form of penetration testing is that employees in the organization are kept in the loop and are aware of the tests.
This form of penetration testing is carried out exclusively on those devices and servers of the organization that are visible to outsiders, for instance the e-mail servers, domain name servers etc. The intention of performing a penetration test with the external approach is to ascertain whether any outsider can attack the abovementioned devices and in case of such an attack, the repercussions of the same.
This is the exact opposite of a test as per the external approach. Here the intention is to mimic the situation where the system is under attack from inside by someone who has high-level access and privileges. The test can establish the extent of damage that can be caused in the event of such an attack.
Black box test
The basic principle behind a black box test has been mentioned in the earlier part of this chapter. The agency or individual carrying out the penetration test is given very little information about the organization or its system safeguards. This form of testing is very time- and resource-intensive because the agency has to start from scratch and undertake the complete process of gathering information, planning and execution.
Advanced black box test
As is obvious from the name, this is a higher level of black box test. The major differentiating factor is the number of people inside the organization who are aware of the penetration test being carried out. In the case of a normal black box test, although only a limited amount of information is provided to the testing agency, almost all the managerial-level employees of the organization are aware of the tests being carried out. However, in the case of an advanced black box test, only a few people in the top management of the company will be aware of the tests being conducted