In a previous post, we discussed the basics of Web application security: the most common vulnerabilities and attacks, as well as some mitigation techniques.
From what we've talked about so far, we can safely conclude that we need to be thinking about Web application security at every stage of the application development - from the technical design, through testing and implementation, to the post-implementation period.
Computer security is commonly categorized in four functional groups: risk avoidance, prevention, detection, and response and recovery. To have all these, organizations need to assess their level of security; that is where the penetration test can play a crucial role. Of course, to achieve its goal, the penetration test should be done correctly.
Some security researchers passionately defend the need for a penetration test; others argue that organizations just spend a lot of money to measure the skills of the testers. In this post, I will try to present a somewhat non-standard approach to understanding what a penetration test is and why an organization would want to do penetration tests.
There are many definitions of a penetration test. Personally, I like to think of a penetration test as a security examination simulating the actions of a real attacker, one that aims to find vulnerabilities in a system by performing a series of tests that represent potential threats under different circumstances.
I don’t think that the penetration test is trying to prove that there are no holes in the system. If we go this way, the penetration test is really nothing but a way to measure the skills of the tester. I would argue that a good penetration test is a methodical approach to answering the basic questions below.
The first and the most asked question is
Why would someone attack my organization?
Usually, there are several reasons why a hacker would want to hack an organization: they may do it for fun or to brag; they may do it to get a jumping station to attack other systems; they may do it for political reasons or for revenge. But in the worst-case scenario, they would do it to get to the assets of the organization. In my opinion, a good penetration test should be focused mainly on this scenario. The truth is that, regardless of the attacker's motives, the consequences of a system compromise can be huge – from a loss of confidence to financial losses.
The truth is that every penetration test has certain limitations – it is limited in time, human resources, and money, and it provides a snapshot of the current situation, which may change at any time in the future. That is why it is essential to focus on the scenario in which the attackers want to get hold of the assets of the organization and know what they are doing and why they are doing it. So,
What assets would the hackers target?
To answer this question, the penetration tester should have a good knowledge of the organization, its infrastructure, and the target system. Depending on the type of the test, they can gain it either by working with the owners of the target system or as a part of the test itself. Identifying what assets the organization has will also help answer the question of why someone would want to attack the target system.
This pre-test activity plays an essential part in building the scenarios that will be used in the actual penetration test. It also helps build targeted tests, tailored specifically for the organization. Without them, a penetration test is really nothing more than measuring the testers' skill level.
The best penetration testing companies spend a lot of time on this. Whether it is a black-box penetration test or a white-box assignment, the pen tester would gather as much information about the organization as possible. In the end, they would know what critical assets the organization is trying to protect and will focus the test on
What would the hackers do with the assets of the organization?
This question is more about the intentions of the attacker, and it plays a role in identifying the impact a system compromise would have on the organization. While most organizations usually have an idea about what can be done with the information in their systems, they usually go for the worst-case scenario. A well-planned and well-structured penetration test would take into account the ease of exploitation of the vulnerabilities found, which helps build a profile of the attacker who could compromise the system.
If a vulnerability can be easily exploited, the system can be compromised by script kiddies or by skilled attackers performing targeted attacks. In the first case, the script kiddie may not go for the most valuable organizational assets – they may simply deface a web page, run a bot, or delete the information. The impact in this case would be smaller and the effects less damaging. In the case of a targeted attack, the effects can be devastating. It is crucial for a penetration test to take this into account and measure the impact on the organization in either scenario. When we know what assets we want and why, we can focus on
What would the hackers do to get them?
That is the core and the most interesting part of the penetration test for a penetration tester. This is where the creativity and the passion of the skilled penetration tester kick in. Security auditors would argue that methodology and a standardized approach are the most important elements of a penetration test. However, how to compromise a system and get to the assets you need is the one area where creativity is crucial. Running automated tests and following scripts is just a part of the test. Understanding the system and doing the unexpected by using imagination and creativity is what makes the penetration test good. And imagination and creativity are needed not only when you need to exploit a vulnerability or bypass a security control. They have their place in every stage of the test – from information gathering, through mapping the application, identifying the security holes, exploiting them, and covering your tracks, to cleaning up. The penetration tester should be passionate and determined; that is what the blackhat who could attack the system would be.
Identifying a vulnerability and exploiting it is just fine, but what if a real attacker wants the system for themselves? Could they patch a vulnerability to prevent competitors from getting in and open a backdoor just for themselves? I believe that the penetration test should provide an answer to questions like this. The creativity of the tester plays an essential role in answering the question
What should I do to detect them?
The ability to detect an attack should be implemented at every stage of the security response. An organization should be able to detect attempts to compromise their system, as well as identify and react to incidents after they happen. Even the most sophisticated detection systems miss some attacks.
Penetration tests can play a very important part in testing the detection and incident response capabilities of organizations. Pentesters can be tasked to identify and bypass security controls in order to test the detection capability and the CIRT of the organization. If this is included in the scope of the test, the final report should include the approach taken by the testers, their actions, and recommendations on how to improve the detection of and reaction to security incidents.
Eventually, the penetration test should answer the most vital question:
What should I do to protect my organization?
The final output of every penetration test is the conclusion report. The conclusion report should contain recommendations on how to fix all issues found during the test. Depending on the severity of the issues, fixes should be applied to address them.
To summarize, if your organization is about to undertake a penetration test, you should:
- ask or work with the penetration testing company to identify the assets of your organization that could be targeted by attackers;
- request and approve scenarios and profiles of potential attackers;
- check the technical level of the testers by requesting a proof of concept on a system injected with known defects of non-trivial severity;
- request a sample report and verify that it contains recommendations on how to detect attacks and prevent incidents.
The penetration test is, in a manner of speaking, a matter of trust – trust in the skills of the testers, trust in their integrity. A good penetration company will offer you a test, tailored to the needs of your organization, performed with skill, creativity, and understanding.
It will not identify all the bugs in your system. It will, however, identify vulnerabilities in the platform and the technology; in the configuration and the deployment; in areas such as data validation and filtering, authentication and authorization, error handling, and so on – vulnerabilities which, if exploited properly, could compromise your system. It will measure the risk and the impact; it will test your incident response and readiness for confirmed security incidents. It will provide you with insight into how a determined and motivated attacker would attempt to hack their way into your organization.