Penetration Testing: The Necessity Of Challenging Defenses

The following sample Information Technology research paper is 3357 words long, in APA format, and written at the undergraduate level.

Penetration testing is a relatively new field in the industry. It is a field in which “white hat” hackers attempt to identify information technology security flaws in a given system. People sometimes regard it as a shady operation or even a “dark art,” but it provides a valuable service to organizations all over the world. Despite using the tools and methods of criminals, the controlled application of criminal know-how in penetration testing can be the only way to unveil unforeseen security flaws.

Penetration testers can find work in all sorts of fields, as all sorts of fields employ some form of security measures that demand further testing. Organizations hire penetration testers “to compromise security in order to demonstrate the vulnerability.” (Allsopp, 2009). Any business organization has a lot to lose from security failure. A security system “protects company secrets, assists in compliance with federal laws, and enforces privacy of company clients.” (Winkler & Dealy, 1995). Modern companies tend to have much invested in computer infrastructures, and within these systems are a wealth of data including trade secrets, bank information, and perhaps certain information that would be very embarrassing if it were to come to light. Due to the predictable functioning of computer devices and the unpredictable innovation of humans, “there must be design considerations used to protect them from outside influences.” (Duggan, 2005). During a penetration test, a penetration team of hackers and specialists will attempt to breach their client’s security measures in order to “identify the exploits and vulnerabilities that exist within an organization’s IT infrastructure and to help confirm the effectiveness – or ineffectiveness – of the security measures that have been implemented.” (Budiarto et al., 2004). In a nutshell, penetration testing deals with finding the devil in the details.

Despite the penetration test relying on a variety of tools and skills more typical to criminals than legitimate professionals, the professional aspect of the trade stands first and foremost in the field. Dealing with individuals who have the power to breach high-tech security would already be nerve-wracking to a potential client, but paying for them to do it brings another level of sensitivity to the issue. The client is, of course, interested in results, and penetration tests need to be conducted “using effective and repeatable processes for improvements to be made, business goals to be met, quality to be improved, and profitability to be increased.” (Wilhelm, 2010). In a positive move for the trade’s image, penetration testing has grown from a rather dubious practice run by talented individual hackers into “an industry, and has been supported by training programs, standardized through certifications, and taught in educational institutions.” (Wilhelm, 2010). Penetration testing is used in business because it is effective. Pitting a security system against human opponents is the ultimate test of its efficacy, and “there is rarely a better way to justify additional funding for security controls than by physically demonstrating the flaws that exist in operational information systems. A board of directors will instantly appreciate the value of security once they’ve witnessed the exposure of confidential information by a successful penetration test.” (Budiarto et al., 2004). In modern business practice, it is the most commonly used method of trial-by-fire to demonstrate a new system’s efficacy, “in part because it’s an attractive late life-cycle activity. Once an application is finished, its owners subject it to penetration testing as part of the final acceptance regimen.” (Arkin et al., 2005). By experimentally exploiting a variety of means of infiltration, a penetration team can identify holes in a system, allowing interested parties to address them before actual threats can exploit them maliciously.

Considering that the techniques and contrivances of penetration testing are usually considered unethical, if not illegal, violations of privacy or technological vandalism, the practice is indeed risky from a perspective of safety and economics. Considering that, under normal circumstances, business operations will be expected to function normally during penetration testing, a blunder during testing can result in a system crash. During such operations, “these systems should be considered ‘critical’ and addressed with due care. The company’s management is faced with maintaining a balance between making sure the testing is complete and ensuring they are still able to do business so that revenue is not lost.” (Klevinsky, 2002). Beyond this, the company is not only risking lost revenue, but it is also risking machinery and other equipment that could be and often is extremely expensive. Klevinsky writes, “Considering the cost of configuration and ongoing maintenance and taking into account the data and other electronic assets (such as client databases, proprietary code, documentation, and other often irreplaceable intellectual property) on these machines, the overall cost (or value) of these systems can be tremendous.” (2002). Needless to say, the client is putting a lot of trust in its hired penetration test team, and this requires certain legal precautions. Any request for penetration testing is not necessarily legal, as not every officer of a potential client company has the authority to authorize such action. In the event that the officer that hires a penetration tester did not actually have the authority to do so, a penetration tester “may incur fees related to court costs in addition to the loss of fees for services. Therefore, legal agreements must be reached before the testing begins, and the tester needs to make sure he or she has a signed ‘Get Out of Jail Free Card’ from a company officer authorized to enter the organization into a legally binding agreement.” (Klevinsky, 2002). The agreement between a client and a penetration team takes the form of rules of engagement. The rules of engagement “are the operational parameters within which penetration test team members work; they guide and constrain the team. They exist to determine not only what needs to be considered during the lifecycle of the project but also to protect testers and clients from misunderstandings and the legal consequences these can generate. RoEs are mutually agreed to by testers and the client.” (Allsopp, 2009). In the interest of keeping business running smoothly, protocol in such business deals is a very important thing, and relevant individuals should under no circumstances take their responsibility lightly.

Penetration testing is generally structured into a three-step process. The first step is network enumeration, discovering as much as possible about the target system; the second is vulnerability analysis, identifying all possible avenues of attack; and the last is exploitation, attempting to compromise the network by taking advantage of previously acquired information. (Klevinsky, 2002). The penetration team will use techniques that can be roughly sorted into three categories: physical penetration, which involves physically entering a facility to manipulate variables within; operations penetration, which involves dumpster diving, eavesdropping, and social engineering in order to obtain information; and electronic penetration, which refers to directly gaining access to computer systems. These techniques each pose a risk to a certain aspect of the company, and the stage of the operation and the means of exploitation determine the risk. For example, in the network enumeration stage, “a hacker is primarily collecting data. There is no intention to alter data integrity or availability, although Confidentiality is affected.” (Budiarto et al., 2004). Beyond this, in later stages, when the operative is deeper into the system and in contact with more delicate elements within, the risks become ever larger. If the operative plants a bug on target equipment, “Confidentiality is at risk. If he is malicious and intending on causing damage to the company, Integrity, and Availability at risk. This may also be the case if the hacker intends only to spy, but mistakes made along the way have affected Integrity and Availability.” (Budiarto et al., 2004). Needless to say, it can be a shifty business, and the clandestine nature of the procedure will generally involve certain tactics that many would find distasteful.

Physical penetration is an important weapon of the trade dealing with the most basic sort of threat to any security premises: physical intrusion. Despite all the technological advances made in recent years, “you can have the best firewalls and change control procedures; you can have regular electronic penetration testing against networks and applications; you can audit your source code and lock down your servers. All of these approaches are fine and, if conducted well, are generally worthwhile. However, if an attacker can physically penetrate your premises and access information systems directly, these strategies won’t protect you.” (Allsopp, 2009). Despite the discomfort involved in paying someone to spy on oneself, the information gathered from testing this most basic level of security is invaluable. During a physical penetration test, penetration testers “demonstrate vulnerability through physical intrusion to client premises. This is most often achieved through covert intelligence gathering, general deception, and social engineering although it may involve a more direct approach such as night-time intrusion, defeating locks and crawling up fire escapes, depending on the rules of engagement.” (Allsopp, 2009). Even if these means of infiltration are under normal circumstances highly illegal, ultimately, the penetration test is an elaborate, observatory game of role-playing in which the tester impersonates the potential threat. For a physical penetration test to provide useful, specific results, “it is vital to determine and, to a certain degree, emulate the nature of the threat facing that organization. The threats faced may differ dramatically.” (Allsopp, 2009). Considering the threats of cat burglars, data thieves, and espionage from rival companies, there is no dearth of variation in threats, and a single omission can leave a system especially vulnerable. In the interest of rooting out the security flaw that allows them to do so, penetration teams will break into target premises to test its integrity.

Beyond a simple breaking-and-entering attempt, companies have much to fear from an intruder who knows how to talk his way into corporate records. This practice is referred to as social engineering, the basic art of the con-artist. In testing for vulnerabilities to deceptive tactics, a penetration team will engage in operations penetration. Despite the fact that “[m]any companies spend hundreds of thousands of dollars to ensure corporate computer security… even the best security mechanisms can be bypassed through Social Engineering. Social Engineering uses a very low cost and low technology means to overcome impediments posed by information security measures.” (Winkler & Dealy, 1995). A penetration test runs on a much shorter timeframe; a real social engineering attack, by contrast, “would be accomplished over weeks, if not months. Since the potential reward for an attacker would be very great, a real attack would have included several physical visits to the company’s offices and possibly even obtaining a job at the company.” (Winkler & Dealy, 1995). Social engineering is not so much technical skill as it is the malicious application of people skills. It entails using social interactions to compromise the security of a victim’s computer system. It can be as simple as when “a hacker will randomly call a company and ask people for their passwords. In more elaborate circumstances, a hacker may go through the garbage or pose as a security guard to obtain critical information. A recent edition of 2600: The Hacker’s Quarterly detailed methods for obtaining a job as a janitor within a company.” (Winkler & Dealy, 1995). A social engineering attack involves engineering one’s circumstances into a position to casually pick up relevant information without giving away malicious intent.

While many might find it ridiculous to rifle through a company’s refuse papers, the moment an important password turns up can be extremely useful in undermining security measures. In one actual incident, “the Masters of Deception, who significantly penetrated the United States’ telecommunications system, were only able to do so after obtaining information found in the garbage of the New York Telephone Company.” (Winkler & Dealy, 1995). A penetration team’s interactions with actual company employees can be extremely telling as to holes in a security system. In one recorded instance, using something as simple as a telephone directory, “the attackers contacted dozens of employees in various departments to obtain additional Employee Numbers that could be used for additional attacks. The numbers were usually obtained by impersonating a Human Resources employee who accidentally contacted the wrong employee, and needed the employee’s Employee Number to clear up the ‘confusion’.” (Winkler & Dealy, 1995). Findings such as these can identify security flaws not in the encryptions of a computer network or in the physical security system designed to prevent break-ins, but in a naïve or careless culture among rank-and-file employees and officers who would carelessly leave information for people to find or casually drop important data in conversation with unknown individuals. In testing for these things, “Social Engineering is the only conceivable method for testing security policies and their effectiveness. While many security assessments test the physical and electronically vulnerabilities, few vulnerability analyses study the human vulnerabilities inherent in users.” (Winkler & Dealy, 1995). In a quest to access computer data, the human element can provide an unwitting ally, and it is important to ensure that the corporate culture is not too trusting.

Beyond the human element is the element of the machine, leading to the possibility of electronics penetration. When a penetration team investigates computer security, “testers use reverse engineering software. They hack into networks and defeat protocols.” (Allsopp, 2009). This aspect of the penetration test requires individuals extremely skilled in computers to properly execute. Any given hacker on a penetration team “must be able to use various hacking tools, scripts, and exploits in order to test for known bugs and vulnerabilities. Further, the tester should have access to vulnerability services that can keep him or her apprised of the latest hacking tools, scripts, and exploits as well as new security bugs discovered in all the major hardware, software, and operating systems.” (Klevinsky, 2002). In keeping with having the right tool for the right job, a penetration tester should have “a collection of useful software, a tool kit, with tools and scripts for performing all types of security work, such as vulnerability testing, penetration testing, dial-in penetration, denial of service, password cracking, buffer overflows, and risk assessments.” (Klevinsky, 2002). If he intends to defeat security protocols, a penetration tester will require a specialized machine of his own. Given that corporate computer systems and security networks are usually not cheap or of exceedingly low quality, “[p]enetration testing often uses a lot of CPU time and bandwidth. The more powerful the machine, the better the efficiency.” (Klevinsky, 2002). If the penetration team has the proper equipment, it can then begin a proper attack on the target machinery.

By the nature of the interconnectedness of computers today, the computer network of any facility is potentially highly vulnerable. Once a hacker has the information necessary to infiltrate a computer system and has devised a plan of attack, “it is then possible to begin the Exploitation and Invasion stage. At this point, the hacker uses the gathered knowledge and attempts to access the server through the channels that were found open.” (Budiarto et al., 2004). In hacking, an imperative objective is to remain undetected. In many corporate computer systems, “[l]ack of monitoring and intrusion detection is another common hole that enables attackers to penetrate systems undetected. Many of the organizations we have encountered do not have monitoring in place, have it improperly configured, or do not review it on a regular basis.” Without proper monitoring, an attacker can infiltrate a computer network with impunity. If the attacker remains invisible to the security system, he “can perform more intrusive techniques to compromise the systems. Given enough time the attacker can probe the systems until he or she finds a weakness. In addition, the attacker can run brute force tools until successful or until someone finally notices the attack.” (Klevinsky, 2002). An effective and vigilant monitoring program is essential in ensuring security for any computer network.
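The monitoring gap described above is exactly what a simple detection rule is meant to close: a brute-force attempt only runs “until someone finally notices.” The following Python is added here as an illustration and is not taken from any of the cited works; it runs a sliding-window count of failed logins over constructed sshd-style log lines (sample data, not real logs), flags a source that exceeds a threshold inside the window, and records whether a successful login from that source followed the burst, which is the case a reviewer should escalate first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in sshd style (not real logs). One source hammers
# several accounts within seconds and then succeeds; another fails twice, far apart.
SAMPLE_LOG = """\
2024-03-01T02:14:01 sshd[811]: Failed password for admin from 203.0.113.7 port 51122 ssh2
2024-03-01T02:14:03 sshd[811]: Failed password for root from 203.0.113.7 port 51123 ssh2
2024-03-01T02:14:05 sshd[811]: Failed password for admin from 203.0.113.7 port 51124 ssh2
2024-03-01T02:14:06 sshd[811]: Failed password for oracle from 203.0.113.7 port 51125 ssh2
2024-03-01T02:14:08 sshd[811]: Failed password for admin from 203.0.113.7 port 51126 ssh2
2024-03-01T02:14:09 sshd[811]: Accepted password for admin from 203.0.113.7 port 51127 ssh2
2024-03-01T02:20:00 sshd[812]: Failed password for jsmith from 198.51.100.4 port 40001 ssh2
2024-03-01T03:05:00 sshd[813]: Failed password for jsmith from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line):
    """Turn one log line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return one alert per source whose failed logins reach `threshold`
    within any `window_seconds` span. `success_after` is set when the same
    source later logs in successfully, i.e. the guessing likely worked."""
    failures = defaultdict(deque)  # src -> timestamps of failures still in window
    alerted = {}                   # src -> alert dict (first alert only)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            q = failures[src]
            q.append(ev["ts"])
            # Slide the window: drop failures older than window_seconds.
            while (q[-1] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in alerted:
                alerted[src] = {"src": src, "first": q[0], "last": q[-1],
                                "failures": len(q), "success_after": False}
        elif ev["result"] == "Accepted" and src in alerted:
            alerted[src]["success_after"] = True
    return list(alerted.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The two failures from 198.51.100.4 fall 45 minutes apart and never reach the threshold, so the rule stays quiet on ordinary mistyped passwords while catching the burst from 203.0.113.7.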

Once again, the carelessness of employees can bring down the mightiest corporate castle. In some instances, “employees put modems on their desktop PCs when they left for the day so they could continue working or Internet surfing from home. The systems containing these unknown modems are often poorly configured and are susceptible to attacks. Hackers use brute force dialing programs called war dialers to scan ranges of corporate phone numbers to identify modems.” (Klevinsky, 2002). A sufficiently skilled hacker can exploit these modems to gain access to the mainframe. This, coupled with any information regarding employee numbers and system passwords, can give a hacker everything a business would want to keep secret. The actual infiltration of the computer network “is the most dangerous part of penetration – the hacker has all the access required to carry out their agenda. If it is a spy operation, data could be sent to a remote collection repository. If it is a system-mapping reconnaissance mission, existing levels of access may be used to compromise more systems on the network.” (Budiarto et al., 2004). A malicious hacker cutting into a company's mainframe can spell destruction for any expectation of privacy, and, if the mainframe is tethered to anything with large moving parts, such as heavy robotic arms on assembly lines, compromised security could lead to injury of any attending employee.

Penetration testing is a valuable and powerful tool in ensuring smooth business, privacy, and security in any organization. A professional penetration test should always anticipate and emulate the profile of any potential attacker. The team should use a methodical and scientific approach “to successfully document a test and create reports that are aimed at different levels of management within an organization.” (Budiarto et al., 2004). A submission at the end of a job should clearly detail the team’s findings. A submission of results will typically “take the form of a list of flaws, bugs, and vulnerabilities identified during penetration testing. Software development organizations tend to regard these results as complete bug reports – thorough lists of issues to address to secure the system.” (Arkin et al., 2005). Despite the fact that the job of a penetration team is to anticipate and imitate criminals, it is important that the data be compiled in an organized and professional manner. Beyond this, there is clear potential for repeat business. Over the course of time, as technology evolves, “[s]ystems change, threats emerge and business strategies evolve. Testing should be repeated at frequent intervals and particularly following major changes to an IT infrastructure.” (Budiarto et al., 2004). If a penetration tester presents himself as professional, proves himself trustworthy, and demonstrates his proficiency on the job, he could find himself with lucrative return clients.

Penetration testing represents technological vivisection and should not be taken lightly under any circumstances. It is to open an unwitting subject and investigate the organs it uses to preserve its own integrity. It is a delicate operation, but it is a necessary one, and through penetration testing of physical, operations, and electronics varieties, security in a system can be vastly improved. It is only through a proper challenge to the function of a system that the system can be assessed, and the penetration tester is, in effect, the most important line of defense against invasions of privacy.

References

Allsopp, W. (2009). Unauthorised access: Physical penetration testing for IT security teams. Glasgow: Bell & Bain Ltd.

Arkin, B., Stender, S., & McGraw, G. (2005). Software penetration testing. IEEE Security & Privacy, 3(1), 84-87. Retrieved from http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1392709

Budiarto, R., Ramadass, S., Samsudin, A., & Noor, S. (2004). Development of penetration testing model for increasing network security. Information and Communication Technologies: From Theory to Applications, 2004. Retrieved from http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=1307886&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D1307886.

Duggan, D. P. (2005). Penetration testing of industrial control systems. Springfield, VA: U.S. Department of Commerce. Retrieved from http://energy.sandia.gov/wp/wp-content/gallery/uploads/sand_2005_2846p.pdf.

Klevinsky, T. J., Laliberte, S., & Gupta, A. (2002). Hack I.T.: Security through penetration testing. Indianapolis: Pearson Education Corporate Sales Division.

Wilhelm, T. (2010). Professional penetration testing: Creating and operating a formal hacking lab. Burlington: Elsevier Inc.

Winkler, I. S. & Dealy, B. (1995). Information security technology?...Don’t rely on it: A case study in social engineering. Fifth USENIX UNIX Security Symposium. Annapolis: Science Applications International Corporation. Retrieved from https://www.usenix.org/legacy/publications/library/proceedings/security95/full_papers/winkler.pdf.