Netragard Protects Voters

Penetration Testing – What’s that?

It amazes me that most of the “security companies” that offer penetration testing services don’t know what penetration testing is. Specifically, they don’t deliver penetration tests even though they call their services penetration testing services. In most cases their customers think that they’re receiving penetration tests, but instead they’re receiving the lower-quality vulnerability assessment service.
When customers are looking to purchase penetration testing services, they should receive penetration testing services. Likewise, when they’re looking to purchase vulnerability assessment services, they should receive vulnerability assessment services. Unfortunately, customers won’t know what they’re receiving unless they clearly understand what those services are and how they are defined. The services are not interchangeable; they are entirely different.
The English dictionary defines a Penetration Test as a method for determining the presence of points where something can make its way through or into something else. Penetration testing is not unique to Information Security and is used by a wide variety of other industries. For example, penetration testing is used to test armor by exposing the armor to a level of threat that is usually slightly higher in intensity than what it will face in the real world. If the armor is defeated by the threat, then it is improved upon until it can withstand the threat.
The standard product of penetration testing is a report that identifies the points where penetration is possible. If the service that was delivered was a real penetration test, then the report cannot contain any false positives. You either penetrate or you don’t; there is no grey zone. If the report contains false positives, then the service that was delivered was not a true penetration test and was likely a vulnerability assessment, which is an entirely different and lower-quality service.
A Vulnerability Assessment, as defined by the English dictionary, is a best estimate as to how susceptible something is to harm or attack. Vulnerability assessments are often used where penetration testing is too risky. For example, a vulnerability assessment might be used to assess the Eiffel Tower, the Statue of Liberty, the strength of a bridge, etc. The important difference between Penetration Tests and Vulnerability Assessments is that Vulnerability Assessments do not prove that vulnerabilities exist but instead provide a best guess, as denoted by the word “assessment”.
With regard to IT Security, Vulnerability Assessments test at a lower-than-real-world threat level. This is because Vulnerability Assessments do not exploit the vulnerabilities that they identify, yet malicious hackers do. Vulnerability Assessments alone are inadequate when it comes to providing deep and effective testing services, but they are useful for performing quarterly maintenance and checkups.
Lastly, don’t allow your vendor to confuse methodology with service definition. Methodology defines how a service is delivered, not what a service is or from what perspective it is delivered. With regard to security testing there are only two core services: Vulnerability Assessments and Penetration Tests. You can apply those services to Web Applications, Networks, People, Physical Locations, WiFi, etc. For example, you can receive a Web Application Penetration Test or a Network Vulnerability Assessment. You wouldn’t need to receive both a Vulnerability Assessment and a Penetration Test against the same target, as that would be redundant. A Penetration Test covers the same ground as a Vulnerability Assessment, only with more depth and accuracy.

Define Perimeter

It’s surprising to us that people still define their network perimeter by their firewall, which is often the perceived demarcation point between the Internet and the Local Area Network (LAN). The fact of the matter is that the real demarcation point has nothing to do with the firewall at all. In fact, these days the real demarcation point has more to do with the human element (you) than with technology in general.
I bring this up because the issue surfaces frequently during penetration testing engagements. Specifically, customers want penetration testing services against their perimeter, but they don’t actually know what their perimeter is. Once we explain it to them, their perspective on what a penetration test is changes significantly and forever. Their perimeter is defined by any point that is accessible to an Internet-based attacker, but what does that really mean?
Clearly firewalls, web servers, email servers, FTP servers, etc. are accessible to an Internet-based attacker. But what about all of those services that businesses use on a daily basis that reach out to the Internet to collect data? What about what you are doing right now? You are likely reading this post in your web browser, which means that you’ve reached out from the safety of your LAN to our web server. What if I told you that this blog entry was specifically designed to exploit a vulnerability in your web browser and compromise your system? Yes, by reading this blog entry your computer just got hacked. (Not really, but imagine.)
Truth be told, your web browser is not the only technology that is vulnerable to this sort of attack. In fact, this is what defines a client-side attack. In this case the client is your web browser, but in other cases it might be your MP3 player, your email client, your smart phone, your PDF reader, or maybe even the update functionality in your anti-virus software. Anything and everything that reaches out to third-party networks from your network is a component of your network perimeter, and each of those things helps to define your total attack surface. If you’re not including those types of tests when you receive penetration tests, then you’re really only testing a very small fraction of your total attack surface. Considering the number of businesses that are compromised on a daily basis with client-side attacks, is that really something that you can afford to overlook? Just an idea…