Performing the Access Control System Penetration Test

A penetration test is any simulated attack scenario. It could be purely technological, it could focus on uncovering weaknesses to social engineering tactics, or it could take a holistic approach and use any and all tactics and tools available to penetrate the organization’s defenses. Because this type of testing is inherently invasive and simulates as close as possible the methods of an actual attack, it is important that all parties have a clear outline of what will be done, what restrictions (if any) must be followed, and what the tests are designed to uncover. If there is any miscommunication between the testers and the organization’s management team, a useful penetration test could easily become a crisis situation.

For example, suppose an organization hired a security consulting firm to conduct a penetration test against its IT infrastructure. During the planning stage, management neglected to mention that they would be launching a new customer-facing website during the window allowed for the penetration test. The penetration test proceeded, and the test attack interrupted service during the website launch. Management was understandably upset that a test scenario disrupted a major website launch. The penetration testers had no idea that this particular website was any more important than any other hosted on the organization’s servers. All this would have been avoided had the penetration test team known that the new website was off-limits, and if management had known exactly what the penetration test team planned to do.

FYI

Good communication between the penetration testing team and the organization is crucial, especially when determining the scope and timing of the test. Some methods used by penetration testing teams can result in systems crashing and network slowdowns due to increased traffic. It is important for the penetration team to know at what times this type of test is acceptable and when it is not. An organization will not want its customer-facing eCommerce website, for example, to be brought down during peak ordering times.

Any penetration test should follow a well-planned methodology that has been approved by upper management. The basic stages of a penetration test are:

  • Planning and preparation—This is the most crucial stage in any penetration test. In the planning stage, penetration testers and organization management should meet to determine the goals, scope, and methodology of the penetration test. Without a clear indication of what the penetration test should accomplish, it is likely to produce nothing but a list of exploitable vulnerabilities without any prioritization or guidelines for the organization.
            During this stage, appropriate legal documents must be created to protect the penetration testers. As part of the testing, penetration testers engage in activities that would otherwise be considered illegal, and it is possible that confidential information will be compromised. The testing contract should elaborate on how such confidential information will be handled and either returned or disposed of after the test. It should also contain a liability waiver to protect the testers from legal ramifications in the case of accidental or intentional damage to systems or data during the test.
  • Information gathering—During the information-gathering stage, the penetration testing team uses nonintrusive methods to discover as much as it can about the target network. In this stage, port scanners and online tools such as Netcraft (www.netcraft.com) are invaluable. They give the penetration team a good sense of which parts of the network are potential targets and which systems are detectable. The team will use this information later during the actual penetration attempt.
  • Vulnerability detection—Once the penetration team knows something about the target network, it can begin to probe for vulnerabilities using nonintrusive vulnerability scanners. The information gathered at this stage helps the team choose specific attack vectors and target systems during the penetration attempt.
  • Penetration attempt—During the penetration attempt, testers may use a variety of methods and tools to gain unauthorized access to systems and networks. Social engineering may be a key method, if it is allowed under the terms of the contract with the organization. The penetration team may also attempt to defeat physical security to gain access to facilities such as data centers. The testing team must keep detailed records of every action it takes as a guide for the clean-up process.
  • Analysis and reporting—Once the penetration test is complete, the testing team analyzes the gathered data and writes a report for the organization. The final report should contain a summary of the testing methods used and their success or failure on various targets, a detailed listing of all information gathered during the testing, a list that describes all vulnerabilities found, and recommendations for remediation.
  • Clean-up—During penetration testing, the team may create new user accounts, modify configuration or data files, and make other changes to the environment. Once the test is complete, the testing team has the responsibility to undo any changes it made to the environment.
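The scope and timing problems described above (the off-limits website launch, blackout periods such as peak ordering times) and the record-keeping that the penetration-attempt and clean-up stages require can both be enforced mechanically. The following Python is an added example, not code from the book or from any testing firm: it assumes a rules-of-engagement document reduced to in-scope CIDRs, explicitly excluded hosts, blackout windows for intrusive tests and two yes/no permissions, and it keeps a ledger of every change the team makes so the clean-up stage can reverse them in the right order. All targets, dates and actions are constructed sample values.

```python
"""Rules-of-engagement gate and clean-up ledger for a penetration test (added example)."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    in_scope: list                 # CIDR strings agreed with management
    off_limits: set                # IP addresses explicitly excluded (e.g. the launch-day web server)
    blackout_windows: list         # (start, end) datetimes during which intrusive tests are forbidden
    intrusive_allowed: bool        # crash-prone scans, exploitation, flooding
    social_engineering_allowed: bool

    def authorize(self, target, when, intrusive=False, social=False):
        """Return (ok, reason) for a planned action against `target` at time `when`."""
        if target in self.off_limits:
            return False, f"{target} is explicitly off-limits"
        try:
            addr = ip_address(target)
        except ValueError:
            return False, f"{target} is not an IP address; resolve it first, then re-check"
        if not any(addr in ip_network(cidr) for cidr in self.in_scope):
            return False, f"{target} is outside the agreed scope"
        if social and not self.social_engineering_allowed:
            return False, "social engineering is not permitted under this contract"
        if intrusive:
            if not self.intrusive_allowed:
                return False, "intrusive testing is not permitted under this contract"
            for start, end in self.blackout_windows:
                if start <= when < end:
                    return False, f"intrusive testing is blocked during {start:%Y-%m-%d %H:%M} to {end:%H:%M}"
        return True, "authorized"


@dataclass
class Ledger:
    """Every action the team takes, with how to undo it, for the clean-up stage."""
    entries: list = field(default_factory=list)

    def record(self, when, tester, target, action, undo=None):
        self.entries.append({"when": when, "tester": tester, "target": target,
                             "action": action, "undo": undo})

    def cleanup_plan(self):
        # Undo in reverse order so that later changes are reversed before the ones they built on.
        return [e["undo"] for e in reversed(self.entries) if e["undo"]]


# Constructed sample engagement: one /24 in scope, one launch-day server excluded,
# intrusive tests forbidden during the launch window on 2024-03-01.
ROE = RulesOfEngagement(
    in_scope=["192.0.2.0/24"],
    off_limits={"192.0.2.80"},
    blackout_windows=[(datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 18, 0))],
    intrusive_allowed=True,
    social_engineering_allowed=False,
)


def plan_checks():
    """Run the gate over a few constructed requests; returns {label: (ok, reason)}."""
    launch_day = datetime(2024, 3, 1, 11, 30)
    next_day = datetime(2024, 3, 2, 11, 30)
    return {
        "scan_in_scope_host": ROE.authorize("192.0.2.10", next_day, intrusive=True),
        "scan_launch_server": ROE.authorize("192.0.2.80", next_day, intrusive=True),
        "scan_during_launch": ROE.authorize("192.0.2.10", launch_day, intrusive=True),
        "recon_during_launch": ROE.authorize("192.0.2.10", launch_day, intrusive=False),
        "out_of_scope": ROE.authorize("198.51.100.5", next_day),
        "phishing": ROE.authorize("192.0.2.10", next_day, social=True),
    }


def record_sample_actions():
    """Log constructed actions from a penetration attempt and derive the clean-up list."""
    ledger = Ledger()
    t = datetime(2024, 3, 2, 12, 0)
    ledger.record(t, "tester1", "192.0.2.10", "nonintrusive port scan")          # nothing to undo
    ledger.record(t, "tester1", "192.0.2.10", "created local account pt-temp",
                  undo="delete account pt-temp on 192.0.2.10")
    ledger.record(t, "tester2", "192.0.2.10", "added pt-temp to sudoers",
                  undo="remove pt-temp from sudoers on 192.0.2.10")
    return ledger


if __name__ == "__main__":
    for label, (ok, reason) in plan_checks().items():
        print(f"{label:22} {'OK ' if ok else 'NO '} {reason}")
    print("clean-up plan:", record_sample_actions().cleanup_plan())
```

The gate is deliberately conservative: a hostname that has not been resolved is refused rather than guessed at, and reconnaissance that is nonintrusive is still blocked against an off-limits host, since the exclusion in the scenario above was about the system, not the technique.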

These basic steps will help ensure an accurate, safe penetration test that produces actionable results for the organization. The basic goals of any penetration test are to assess three areas: whether policies and standards are followed, whether an appropriate baseline is achieved throughout the infrastructure, and whether countermeasures and access control systems are implemented properly. The next three sections discuss these goals in detail.

TIP

Always consult legal counsel before conducting any penetration test, even on your own organization.

Assess if Access Control System Policies and Standards Are Followed

Every organization should have policies and standards for access controls. Simply having standards is not enough to secure an infrastructure—those standards must be implemented and followed consistently. A good penetration test attempts to uncover inconsistencies and exploits them to demonstrate this weakness in the organization’s infrastructure.

Social engineering methods are often used to find weaknesses in policy and in implementing standards. Often, a lax attitude toward security and a lack of understanding of how policies and standards contribute to an organization’s overall security posture lead to employees who take shortcuts and circumvent access controls. They may hold or prop open the doors to sensitive areas, reuse passwords, or share privileged accounts. A good penetration testing team will use social engineering and other methods to discover these weak areas.

Assess if the Security Baseline Definition Is Being Achieved Throughout

During the planning phase, a security baseline is defined. The baseline is the minimum level of security that is acceptable to the organization. Whether that baseline is achieved throughout the organization is a question answerable by a good penetration test.

For example, if the organization has determined, as one baseline for access control systems, that no outside access should be permitted to the intranet, penetration tests may scan for open ports on the intranet server from outside and attempt to gain remote access.

Assess if Security Countermeasures and Access Control Systems Are Implemented Properly

Access control systems are often complex and sophisticated, and vulnerabilities often hide in those complexities. Security countermeasures are not always well understood by IT staff, and access control systems can be misconfigured in such a way as to allow false positives: access granted to a request that policy says should be denied. Penetration tests probe access control systems and attempt to force a false positive. If they are successful, penetration tests will also exercise security countermeasures and ensure that they are effective.
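One way to hunt for the false positives this section describes is to run an access control policy against a table of requests whose correct answer is already known, and list every request that was granted when it should have been denied. The Python below is an added example, not code from the book: it assumes a small role-based policy expressed as glob patterns over resource paths, a constructed misconfiguration (a contractor role given a catch-all read rule that was meant to cover only public documents), and a set of negative test cases; the evaluator reports false positives (granted but expected denied) and false negatives (denied but expected granted), and the corrected policy is checked the same way.

```python
"""Negative testing of an access control policy for false positives (added example)."""
from fnmatch import fnmatchcase

# Constructed policy: role -> list of (resource glob, permitted actions).
# The contractor role carries a misconfiguration: "/*" was intended to mean
# "top-level public pages" but fnmatch's "*" also matches "/", so it covers everything.
POLICY_MISCONFIGURED = {
    "finance-analyst": [("/finance/*", {"read"})],
    "finance-admin": [("/finance/*", {"read", "write"})],
    "contractor": [("/public/*", {"read"}), ("/*", {"read"})],
}

# Corrected policy: the catch-all rule removed, contractors limited to public documents.
POLICY_CORRECTED = {
    "finance-analyst": [("/finance/*", {"read"})],
    "finance-admin": [("/finance/*", {"read", "write"})],
    "contractor": [("/public/*", {"read"})],
}

# Constructed role memberships.
ROLE_MEMBERS = {"alice": {"finance-admin"}, "bob": {"finance-analyst"}, "carol": {"contractor"}}

# Constructed test cases: (user, action, resource, expected decision).
# The negative cases (expected False) are the ones that expose false positives.
CASES = [
    ("alice", "write", "/finance/q1-report", True),
    ("bob", "read", "/finance/q1-report", True),
    ("bob", "write", "/finance/q1-report", False),
    ("carol", "read", "/public/faq", True),
    ("carol", "read", "/finance/q1-report", False),
    ("carol", "write", "/public/faq", False),
    ("dave", "read", "/public/faq", False),      # unknown user: default deny
]


def is_permitted(user, action, resource, policy, members=ROLE_MEMBERS):
    """Default-deny evaluator: any matching rule of any of the user's roles grants access."""
    for role in members.get(user, ()):
        for pattern, actions in policy.get(role, ()):
            if action in actions and fnmatchcase(resource, pattern):
                return True
    return False


def evaluate(policy, cases=CASES):
    """Return (false_positives, false_negatives) as lists of (user, action, resource)."""
    false_positives, false_negatives = [], []
    for user, action, resource, expected in cases:
        got = is_permitted(user, action, resource, policy)
        if got and not expected:
            false_positives.append((user, action, resource))
        elif expected and not got:
            false_negatives.append((user, action, resource))
    return false_positives, false_negatives


if __name__ == "__main__":
    for name, policy in (("misconfigured", POLICY_MISCONFIGURED), ("corrected", POLICY_CORRECTED)):
        fps, fns = evaluate(policy)
        print(f"{name}: false positives={fps} false negatives={fns}")
```

The point of keeping explicit expected-deny cases alongside the expected-grant ones is that a policy which only passes its positive tests can still be wide open; the misconfigured policy above passes every "should be granted" case and fails only the negative one, which is exactly the kind of defect a penetration test tries to force.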
