Penetration test

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by M3tainfo (talk | contribs) at 02:48, 23 November 2004 (New page on Pen Testing, needs more work...). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Penetration Testing

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

Penetration tests can be conducted in several ways. The most common difference is the amount of knowledge of the implementation details of the system being tested that is available to the testers. Black-box testing assumes no prior knowledge of the infrastructure to be tested, and the testers must first determine the location and extent of the systems before commencing their analysis. At the other end of the spectrum, white-box testing provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code and IP addressing information. There are also several variations in between, often known as gray-box tests.

The relative merits of these approaches are debatable. It is argued that black-box testing most closely simulates the actions of a real hacker; however, this ignores the fact that any targeted attack on a system most probably requires some knowledge of the system, and that any insider attacker would be in possession of as much information as the system owners. In most cases it is preferable to assume a worst-case scenario and provide the testers with as much information as they require, assuming that any determined attacker would already have acquired this.

In practice, the services offered by penetration testing firms range from a simple scan of an organisation's IP address space for open ports and identification banners (the black-box end of the spectrum) to a full audit of an application's source code (the white-box end).

Rationale

A penetration test should be carried out on any computer system that is to be deployed in a hostile environment, in particular any Internet-facing site, before it is deployed. This provides a level of practical assurance that a script kiddie or other more determined hacker will not be able to attack the system.

Methodology

The Open Source Security Testing Methodology Manual (OSSTMM) by Pete Herzog is a peer-reviewed methodology for performing penetration testing and obtaining security metrics. The OSSTMM covers the whole process of risk assessment involved in a penetration test, from initial requirements analysis to report generation. The six areas of testing methodology covered are:

  • Information Security
  • Process Security
  • Internet Technology Security
  • Communications Security
  • Wireless Security
  • Physical Security

The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated. The latest version of the manual is 2.1 with version 3.0 available soon.

Standards

If you are hiring a company to provide penetration testing services for you, it is important to be able to judge their abilities before engaging them. The process of carrying out a penetration test can reveal sensitive information, and organisations must be certain they are dealing with professionals. It is for this reason that most security firms are at pains to show that they do not employ ex-hackers and that all employees adhere to a strict ethical code. In addition, there are several professional and government certifications that indicate a firm's trustworthiness and conformance to industry best practice.

For example, ISECOM produces and hosts the OSSTMM methodology (see above) and provides training and certification in its use. In the UK, CESG (the government Communications and Electronic Security Group) has traditionally provided IT health check services for HMG and the public sector. It now maintains an accreditation for its IT Health Check Service, or CHECK. Companies belonging to CHECK must have employees who are security cleared and have passed the CESG Hacking Assault Course.

Resources

Penetration Testing Companies

Information