CHAPTER 2: PREPARING TO CONDUCT A PENETRATION TEST

Conducting a successful penetration test is a challenge for even the most experienced penetration tester. A penetration test requires perseverance and creativity, as well as a bit of luck. Luck must be earned, however; as Samuel Goldwyn once said, “I make my own luck and the harder I work, the luckier I get.”10 The pen tester is always best served by following a clear and structured methodology that will ensure that all possible avenues of attack are explored and no potential vulnerability is overlooked.

Most pen testers use Linux®-based operating systems for their work. A further explanation of Linux, and some of its features, can be found in Appendix 1: Linux, at the end of this book. A reader who is not familiar with Linux may want to read through that appendix before continuing with this chapter.

Approval and scope

The first step in any penetration test must be to obtain formal approval from the business to conduct the test. A penetration test is a risk-filled operation, and the pen tester will want to be protected from any problems that may arise as a result of the test. The penetration test must also be conducted under strict terms of confidentiality and non-disclosure. A penetration tester may learn about serious vulnerabilities in a target network and must never exploit those vulnerabilities for any purpose, save the execution of the test. The pen tester must be careful not to disclose the nature of any vulnerability to any unauthorized party, and be careful not to expose any details of the test through conversation, careless handling of test results or end-of-test reports.

The pen tester must also be aware of any legal restrictions related to conducting a pen test or the use of hacking tools. In some countries, the very possession of many tools used in pen testing may be illegal.

Once approval has been granted by senior management to conduct the pen test (often called a “get out of jail free” card), the pen tester will be ready to begin the preparation work leading up to the test itself.

Performing a penetration test is much more than just running some tools or probing some systems. A pen test is a scientific and methodical series of steps and tasks focused on discovering the vulnerabilities in networks, systems, implementations, physical infrastructure, utilities, hardware, user training, procedures and applications.

The first challenge the pen tester faces is to work within the limited amount of information that was provided by the client. There are several types of pen tests – ranging from blind, double blind and zero knowledge to partial knowledge and full knowledge tests. Each type of test has both advantages and disadvantages.

Internal versus external

The CNSSI 4009 Glossary11 defines penetration testing as: “Security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation.”

The Information Systems Audit and Control Association (ISACA12) defines penetration testing as: “A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers.”

We can see from these definitions that penetration testing is not a term restricted to internal or external parties, but can be, and should be, conducted by internal teams where possible, but also by external experts on a regular basis. External teams may provide a level of expertise not available internally and are often more objective or independent in their perspective. This allows them to examine, assess and report on any findings with less of the influence or bias that may curtail the work of an internal team.

Zero knowledge test

A zero knowledge test is conducted by an external party that is provided a bare minimum of information to work from. These tests are not as common as partial knowledge tests and may be the most challenging and difficult for the pen testing team. The first step is to learn as much about the client as possible from public sources or social engineering.

This type of test most closely resembles the type of attack performed by an attacker that does not have inside knowledge of the target and must seek out the information that is available through searches and probes of publicly available data.

There are numerous examples of organizations that have benefitted from a zero knowledge test through discovering that a great deal of sensitive information about their organization was available in publicly accessible places. In two cases involving large and highly sensitive organizations, the testers found application source code that was being posted by developers onto user groups for the purpose of getting help from other programmers to solve application-coding challenges. Such a breach could provide an attacker with a considerable advantage in planning an attack.

Partial knowledge test

In a partial knowledge test, the testing team is provided some degree of detail about systems, IP addresses, network configurations, physical locations, or any other such details the client decides to provide. The partial knowledge test is the most common type of test conducted by external parties and is often the most economical and effective. The testing team can quickly target the focus of the test and quickly assess the security of the system.

Full knowledge test

A full knowledge test is usually only conducted by an internal testing team that has complete access to system and network configurations. These tests are often conducted on a regular (perhaps even continuous) basis, as the organization monitors and examines their own network controls and ability to withstand an attack.

Blind test

One of the primary benefits of a penetration test is the opportunity to assess the watchfulness and response of the network and systems administrators. In a blind test, the test is conducted without the knowledge of the administrators. The testing team will watch to see if the test is detected by the administrators and, if it is, they will observe their reaction to it. This allows management to refine the processes used to monitor and respond to network attacks, as well as to assess the robustness of the controls. Some organizations provide incentives to reward administrators if they do notice the attack, either while it is ongoing, or if they detect the evidence of the attack through examining the logs following the attack.

Double blind test

A double blind attack is conducted in the same manner as a blind attack, except that, in the case of a double blind attack, neither the security team nor the administrators are informed of the attack. Again, this allows the testing team to advise management on the ability of the organization to detect and respond appropriately to an attack.

Planning

A penetration test is a methodical and very carefully planned activity that must be conducted in an organized and well-managed manner. Planning for the test will include team selection, obtaining access and preparing to conduct the test.

Team selection

The pen testing team must be carefully screened to ensure that they are suitably trained and that they will not abuse the privileges or access that they will have. They must also agree not to disclose or use any of the knowledge they gain in doing the penetration test to the detriment of the client. This requires the signing of non-disclosure agreements and may require the testing team to be subjected to background checks to ensure that they do not have a criminal or an undesirable background. If a company chooses to engage an individual with an undesirable background, and that individual goes on to commit an improper act during or following the test, then the company may find itself in a difficult legal position.

The skills needed to be an excellent penetration tester include a broad understanding of systems, networks and business functions. The tester should be good at communicating with the various members of the organization – including management, users and administrators – and proficient at writing and presenting reports on the results of their tests. It must be remembered that the purpose of a test is to help secure the business and allow the business to operate in a reliable manner, even though it is operating in a dangerous world that is full of risk. A report containing recommendations that would disable the systems of the organization and would result in the inability to conduct business would not be acceptable and only lead to the loss of credibility of the testing team. It may result in the rejection of their other recommendations, as well.

No single person is capable of performing all parts of a broad penetration test equally well, so it may be necessary to select team members that have varied areas of expertise. Some people are much better at social engineering or physical security testing, while others are experts in testing UNIX®-based systems or focusing on a Windows®-based network.

Access

Gaining access to systems is an important part of the test planning process. In many cases, an external testing team will want to place someone inside the organization, who can monitor the test and enable the testing team to react quickly if the test affects production systems or impacts business operations. This requires setting up access, allocating workspace and, possibly, arranging some level of network and communications access.

The test should be conducted in conditions that resemble the real world as much as possible. Some testing teams have asked the client organization to open certain firewall ports or enable certain services in order to conduct the test. This adjustment would mean, however, that the testing team would conduct the test in a world somewhat different from that which a hacker would encounter if trying to break in; and this would devalue the results of the test. A good pen testing team should be able to conduct the test without requiring changes being made to the organization’s networks or security controls.

Tools

Throughout this book, we will be looking at some of the tools used by a testing team. These tools are powerful and may be very damaging to client systems or business processes. Therefore, they must be used carefully and steps must be taken to ensure that the testers are both familiar with and know the risks associated with each of them.

A good tester will know how to use a variety of tools and techniques to conduct a test, and will be able to tune their attacks in order to adjust to the conditions and challenges found during it.

The selection of tools to be used during the test should be based on the type of testing being conducted. For example, it may be necessary to conduct the test discreetly, so as not to alert administrators, or the test may be deliberately noisy and aggressive.

Rules of engagement

Both before the test commences and during the signing of the testing agreement, the rules of engagement for the test should be documented. These will cover what the team should, or should not, be allowed to do (such as social engineering, gaining physical access, creating fake files, gaining elevated access, etc.). The testing team must know what to do if they gain access, and know when to cease the test if there is a risk of compromising the operations or confidentiality of the business.

Reporting

The final part of the pen test is the delivery of the report detailing the results of the test to management. The contract should already have confirmed to whom the report will be provided and the level of detail and content required. It should also state the obligation of the testing team to keep the report confidential and not to discuss the results of the test with unauthorized personnel.

Contracts

A pen test should only be conducted under the terms of a contract that stipulates the scope, responsibilities, authority and conditions under which the test is to be conducted. All of the details provided earlier, such as those about confidentiality, reporting, non-disclosure, permission for access, scope, the rules of engagement and the team member selection criteria should be addressed in the contract.

Scope

Rarely can an organization do one test that will test the entire organization, so the scope must be determined in advance of the test and documented in the contract. The scope may be limited to only web-facing systems, or it may include physical pen testing or social engineering; it may look only at UNIX systems or the Windows®-based network, or it may be based in one geographic region of operations or focused on one department, product or service. In some cases, such as PCI DSS compliance, the scope and frequency of the tests may be mandated by regulation, standards or corporate policy.

An organization should conduct various types of tests of varying scope or focus, so that all parts of the organization will eventually be examined.
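A scope that is only written into the contract is easy to drift out of once the testing starts, so a practical safeguard is to transcribe the contracted scope into a machine-readable file and check every proposed target against it before any tool is pointed at it. The following is an added example (not code from the book): it parses a small constructed scope file, applies explicit exclusions over inclusions, handles IPv4, IPv6 and DNS-name targets, and separates targets into those cleared for testing and those to be held back and reported to management rather than examined, which is the behaviour the chapter expects for out-of-scope systems. The file format, keyword names and sample addresses (documentation ranges and the .test domain) are assumptions made for illustration.

```python
"""Scope gate: check proposed targets against the authorized, contracted scope.

Added example for illustration; the scope-file format is an assumption,
not a standard. Sample scope and targets are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample scope, as it might be transcribed from the contract.
SCOPE_DOCUMENT = """
# authorized targets (constructed sample)
net 203.0.113.0/24
net 2001:db8:10::/48
host 198.51.100.7
domain example.test
# explicit exclusions always win over inclusions
exclude 203.0.113.250
exclude mail.example.test
"""


@dataclass
class Scope:
    networks: list = field(default_factory=list)
    domains: list = field(default_factory=list)
    excluded_networks: list = field(default_factory=list)
    excluded_domains: list = field(default_factory=list)


def parse_scope(text):
    """Parse the assumed 'keyword value' format; unknown keywords are an error."""
    scope = Scope()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        keyword, value = line.split(maxsplit=1)
        if keyword == "net":
            # strict=True rejects host bits in a prefix, e.g. 203.0.113.5/24
            scope.networks.append(ipaddress.ip_network(value, strict=True))
        elif keyword == "host":
            scope.networks.append(ipaddress.ip_network(value))  # single /32 or /128
        elif keyword == "domain":
            scope.domains.append(value.lower().rstrip("."))
        elif keyword == "exclude":
            try:
                scope.excluded_networks.append(ipaddress.ip_network(value))
            except ValueError:  # not an address, so treat as a DNS name
                scope.excluded_domains.append(value.lower().rstrip("."))
        else:
            raise ValueError(f"unknown scope keyword: {keyword!r}")
    return scope


def _domain_matches(name, domains):
    """True if name equals an entry or is a subdomain of it (not a suffix match)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def in_scope(scope, target):
    """True only if target is covered by an inclusion and by no exclusion."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: evaluate as a DNS name.
        if _domain_matches(target, scope.excluded_domains):
            return False
        return _domain_matches(target, scope.domains)
    if any(addr in net for net in scope.excluded_networks):
        return False
    return any(addr in net for net in scope.networks)


def classify_targets(scope, targets):
    """Split targets into (cleared for testing, held back for the report)."""
    cleared, held = [], []
    for target in targets:
        (cleared if in_scope(scope, target) else held).append(target)
    return cleared, held


if __name__ == "__main__":
    scope = parse_scope(SCOPE_DOCUMENT)
    # Constructed candidate list, e.g. hosts discovered during reconnaissance.
    candidates = ["203.0.113.5", "203.0.113.250", "198.51.100.8",
                  "2001:db8:10::1", "www.example.test", "mail.example.test"]
    cleared, held = classify_targets(scope, candidates)
    print("cleared for testing:", cleared)
    print("out of scope, report only:", held)
```

Running the block as a script prints the two lists; the "held" list is what goes into the report as out-of-scope observations, consistent with question 5 below, and nothing in it should be probed further without a written extension of the scope.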

Liability

An important part of any agreement to conduct a pen test should be the consideration of liability. The organization requesting the test must be aware of the risks associated with the test. The testing team must also be aware of the risks of damaging the client organization, of improper disclosure of confidential client data and of violating the laws of a country in which the organization is operating. In some countries, the very possession of tools used for conducting a pen test may be illegal.

The contracts between the organization requesting the test and the testing team should address the risk of liability and non-performance, and each organization should have insurance coverage to protect themselves from undue loss or hardship.

In the case of any disagreement between the parties involved, the contract should also address the jurisdiction for hearing any complaints or engaging other legal proceedings.

Summary

A pen test is a carefully planned and managed task that requires contractual agreements, governance and oversight, and a prior agreement on the conditions, reporting and methods to be used in conducting the test.

Questions

1. A penetration test is:

a) Innovative and unmanaged

b) Creative and well-controlled

c) Carefully structured and restrictive

d) Disorganized and reactive.

Answer: B

A pen test must be carefully managed and controlled. It should also be innovative and carefully structured, but it should not be disorganized, unmanaged or reactive. The test may be restrictive, depending on the environment, but B is a better answer than C.

2. A pen testing contract should cover:

a) Non-disclosure agreements

b) Which client staff are to be interviewed

c) A list of tools to be used

d) The transfer of liability to the testing organization.

Answer: A

A pen testing contract should cover non-disclosure agreements, scope, reporting requirements, authority and rules of engagement, but will not require the listing of tools, selection of individuals or the transfer of liability. Instead, it should list the criteria for testing conditions and the assumption of liability.

3. A blind test is where:

a) The security team is not informed about the test

b) The testing team is not provided any information about the client systems

c) The systems and network administrators of the client organization are not informed of the test

d) The tools to be used in the test will not disclose any confidential or sensitive information about the client systems to the testing team.

Answer: C

This is the definition of a blind test. A double blind test would not disclose the details to the security team.

4. A pen test should be performed as directed by:

a) The policy of the organization

b) Industry standards

c) Risk management teams

d) The amount of change to business and IT processes.

Answer: A

All of the other answers may influence the decision on when to conduct a pen test, but the pen test should only be scheduled when it is in accordance with the policy of the organization and senior management direction.

5. The pen tester notices a potential vulnerability that is on a system outside of the scope of the test. What should the pen tester do?

a) Do more testing to validate whether the vulnerability is real

b) Ignore the vulnerability, since it is out of scope

c) Download the patch to fix the vulnerability

d) Report the existence of the vulnerability to management.

Answer: D

The correct action is to report the situation. The pen tester should never undertake any activity outside of the scope of the authorized test.

10 www.brainyquotes.com.

11 CNSSI 4009: National Information Assurance Glossary (2003), www.cnss.gov/Assets/pdf/cnssi_4009.pdf.

12 www.isaca.org.
