Thoughts on Penetration Testing

The stylish (and proper) way to do a penetration test.

Kjell Wooding | 1998-04-10

A penetration test, generally, attempts to mimic real hackers. It gives the penetration team some idea of how the organization will detect and respond to a real attack.

—Philip Moyer, CSI Alert, March 1998

A penetration test is a common technique for assessing an organization’s ability to detect and respond to an attacker. In this technique, Infosec professionals attempt to penetrate a target network in much the same way as an attacker might. By examining an organization’s ability to detect and respond to this attack, recommendations regarding network monitoring and security procedures can be made.

Many information security consultants insist that penetration tests should be performed with no knowledge of the target system. They insist that to properly mimic an attacker, information gathering should be left up to the penetration team. Case in point:

...the penetration team needs only the IP addresses of the target systems. Some penetration teams will ask for operating system versions, network diagrams, lists of response personnel, telephone directories, and, believe it or not, firewall filter rules! Hackers naturally will not have access to such detailed information at the start of their attacks.

CSI Alert, March 1998

I don’t agree with this reasoning...

Security Through Obscurity

Most Infosec professionals will agree to the following principle: Security through obscurity is no security at all. Yet strangely, they seem reluctant to apply it to penetration testing. Read it again:

Hackers naturally will not have access to such detailed information...

This statement sounds familiar. Telephone companies used to say much the same thing when it came to the workings of their telephone networks. Thousands of phone phreaks taught them otherwise. If you are confident that your network is secure, then no amount of knowledge about software versions, hardware platforms, or network topology should make a difference. If you are relying on the secrecy of this information to protect your systems, you are in for trouble.

Full Disclosure

So why not apply the principle of full disclosure to penetration testing? If your security implementation and procedures are designed so that you can detect and respond to an attacker who has full knowledge of your network, software versions, and hardware platforms, you are likely in a good position to respond to a less-informed attacker.

Admittedly, knowing detailed network information about a target system ahead of time eliminates the need for a social engineering attack. Some Infosec professionals consider social engineering to be an integral part of penetration testing. I do not. Here’s why...

You’re not Playing Fair

Social engineering is not the only way to get information about a target network. Bribery, binoculars, trashing, disgruntled employees, remote ftp logs, electronic surveillance, customer lists, and overheard conversation at lunchtime can also achieve the same end. Attackers do not always use legal means to gain their information. Information Security professionals must. Attempting to “level the playing field” by reducing the professional to a zero-knowledge state neither reflects the reality of the situation, nor improves the security or procedures of the target.

Yes, it can be valuable to an organization to perform a zero-knowledge information gathering exercise. It can be quite an eye opener to discover how much information about your systems and personnel can be gleaned without ever sending a packet over your networks. Information gathering alone, however, does not assess an organization’s ability to respond and react to a network intrusion. Bad guys do not play by the rules. Good guys have to. Given enough time, effort, and money, a determined attacker can very likely find out everything there is to know about your systems. Why not start a penetration test at the same level?

And Speaking of Rules...

Here’s a rule to live by:

Assume the bad guys know more than you do.

Just because a vulnerability hasn’t made its way onto BUGTRAQ doesn’t mean it’s not out there. Similarly, just because the Infosec company you just hired doesn’t know what version of Solaris you are running doesn’t mean somebody else doesn’t. If we assume an attacker already knows everything about the target network, we reduce the risk that we are underestimating his or her abilities. Security should not be a reactive process.

The failure of a penetration test to reveal any weaknesses does not indicate a network is secure from attack. It only indicates a network is secure from attack by the penetration testers. The failure of an organization to detect a penetration test is a slightly more serious issue. The best way to defend against unknown attacks is to be prepared to detect unusual behavior. By giving a penetration testing team full knowledge of the target systems, an organization can greatly reduce the risk they are underestimating the bad guys.

After all, security through obscurity is no security at all.

Kjell Wooding

Friday, April 10, 1998

