Penetration testing is the process of attempting to gain access
to resources without knowledge of usernames, passwords and other normal
means of access. If the focus is on computer resources, then examples of
a successful penetration would be obtaining or subverting confidential
documents, price lists, databases and other protected information.
The main thing that separates a penetration tester from an attacker is permission. The penetration tester
will have permission from the owner of the computing resources that are
being tested and will be responsible to provide a report. The goal of a
penetration test is to increase the security of the computing resources being tested.
In many cases, a penetration tester will be given user-level
access, and in those cases the goal would be to elevate the privileges of
the account or use other means to gain access to additional information
that a user of that level should not have access to.
Some penetration testers are contracted to find one hole, but in many cases, they are expected to keep looking past the first hole so that additional vulnerabilities can be identified and fixed. It is important for the pen-tester
to keep detailed notes about how the tests were done so that the
results can be verified and so that any issues that were uncovered can
be resolved.
It’s important to understand that it is very unlikely that a pen-tester
will find all the security issues. As an example, if a penetration test
was done yesterday, the organization may pass the test. However, today
is Microsoft’s “patch Tuesday” and now there’s a brand new vulnerability
in some Exchange mail servers that were previously considered secure,
and next month it will be something else. Maintaining a secure network
requires constant vigilance.
Pen-Testing vs. Vulnerability Assessment
There is often some confusion between penetration testing and vulnerability assessment. The two terms are related but penetration testing
has more of an emphasis on gaining as much access as possible while
vulnerability testing places the emphasis on identifying areas that are
vulnerable to a computer attack.
An automated vulnerability scanner will often identify possible
vulnerabilities based on service banners or other network responses that
are not in fact what they seem. A vulnerability assessor will stop just
before compromising a system, whereas a penetration tester will go as far as they can within the scope of the contract.
It is important to keep in mind that you are dealing with a ‘Test.’ A
penetration test is like any other test in the sense that it is a
sampling of all possible systems and configurations. Unless the
contractor is hired to test only a single system, they will be unable to
identify and penetrate all possible systems using all possible
vulnerabilities. As such, any Penetration Test is a sampling of the
environment. Furthermore, most testers will go after the easiest targets
first.
How Are Vulnerabilities Identified?
Vulnerabilities need to be identified by both the penetration tester
and the vulnerability scanner. The steps are similar for the security
tester and an unauthorized attacker. The attacker may choose to proceed
more slowly to avoid detection, but some penetration testers will also start slowly so that the target company can learn where their detection threshold is and make improvements.
The first step in either a penetration test or a vulnerability scan is reconnaissance.
This is where the tester attempts to learn as much as possible about
the target network. This normally starts with identifying
publicly accessible services such as mail and web servers from their
service banners.
Many servers will report the operating system they are running on, the
version of software they are running, patches and modules that have been
enabled, the current time, and perhaps even some internal information
like an internal server name or IP address.
Once the tester has an idea what software might be running on the target
computers, that information needs to be verified. The tester really
doesn’t KNOW what is running but he may have a pretty good idea. The
information that the tester has can be combined and then compared with
known vulnerabilities, and then those vulnerabilities can be tested to
see if the results support or contradict the prior information.
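As an added example of how much a banner gives away (this code is mine, not from the original post), the following Python parses a few constructed service banners and lists the details a system owner would want to trim. The banner strings, regexes and function names are assumptions for illustration; the SMTP greeting format follows RFC 5321.

```python
import re
from typing import Dict, List, Optional

# Constructed sample banners (hypothetical, not captured from any real host).
SAMPLE_BANNERS = {
    "smtp": "220 mx01.corp.internal ESMTP Postfix (Ubuntu)",
    "http": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 PHP/7.2.24\r\n\r\n",
    "ssh": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3",
}

# Software printed with an explicit version, e.g. Apache/2.4.29 or OpenSSH_7.6p1.
VERSIONED = re.compile(r"\b([A-Za-z][A-Za-z0-9-]*)[/_](\d+(?:\.\d+)*[A-Za-z0-9]*)")
PROTOCOL_NAMES = {"HTTP", "SSH"}   # protocol/version tokens, not software
KNOWN_PRODUCTS = re.compile(r"\b(Postfix|Exim|Sendmail|nginx|Apache|OpenSSH|IIS)\b")
OS_HINT = re.compile(r"\b(Ubuntu|Debian|CentOS|Red Hat|FreeBSD|Win32|Win64)\b")
SMTP_GREETING = re.compile(r"^220[ -](\S+)")   # RFC 5321: "220 <domain> ..."
PRIVATE_IP = re.compile(r"\b(?:10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+"
                        r"|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+)\b")
INTERNAL_SUFFIXES = (".internal", ".local", ".corp", ".lan", ".intranet")

def parse_banner(service: str, banner: str) -> dict:
    """Extract what one banner discloses: software versions, OS, internal names."""
    products: Dict[str, Optional[str]] = {}
    for name, version in VERSIONED.findall(banner):
        if name not in PROTOCOL_NAMES:
            products[name] = version
    for name in KNOWN_PRODUCTS.findall(banner):
        products.setdefault(name, None)         # named but unversioned software
    os_m = OS_HINT.search(banner)
    host_m = SMTP_GREETING.match(banner) if service == "smtp" else None
    ip_m = PRIVATE_IP.search(banner)
    return {"service": service, "products": products,
            "os_hint": os_m.group(1) if os_m else None,
            "hostname": host_m.group(1) if host_m else None,
            "private_ip": ip_m.group(0) if ip_m else None}

def disclosure_findings(f: dict) -> List[str]:
    """List the details an owner would want to trim from this banner."""
    svc = f["service"]
    out = [f"{svc}: exposes {n}" + (f" {v}" if v else "") for n, v in f["products"].items()]
    if f["os_hint"]:
        out.append(f"{svc}: exposes operating system hint '{f['os_hint']}'")
    if f["hostname"] and f["hostname"].endswith(INTERNAL_SUFFIXES):
        out.append(f"{svc}: exposes internal host name {f['hostname']}")
    if f["private_ip"]:
        out.append(f"{svc}: exposes private address {f['private_ip']}")
    return out

def audit(banners: Dict[str, str]) -> List[str]:
    return [x for s, b in banners.items() for x in disclosure_findings(parse_banner(s, b))]
```

Everything the parser pulls out here is still only a claim the server makes about itself, which is why the post's next step, verifying it, matters.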
In a stealthy penetration test, these first steps may be repeated for
some time before the tester decides to launch a specific attack. In the
case of a strict vulnerability assessment, the attack may never be
launched so the owners of the target computer would never really know if
this was an exploitable vulnerability or not.