Testing time

Penetration testing is growing in popularity among regional enterprises, but there are several things organisations need to keep in mind to get the most from their investment.

By  Sathya Mithra Ashok Published  November 8, 2008

There are several analogies that one can provide for penetration testing (PT).

"PT is where you go around checking, and when you find that a particular door is unlocked, or provides you free entry, you go inside and very deliberately spill something," says Judhi Prasetyo, Middle East consulting manager at Fortinet.

One of the major mistakes that enterprises make is scheduling a test. From personal experience I would say that is the first thing they should avoid. They should not schedule, or be specifically prepared, for a PT.

This is as opposed to risk assessment processes, where "when you find a door unlocked, or somehow manage to gain access to the room, you roam around and look for other weaknesses that can be found (like whether the drawer is open, or the cupboard, or a laptop is lying around), and then you go back and write a report on it," says Prasetyo.

In simpler terms, PT is where an enterprise deliberately tests the strength of its defence systems by trying to punch holes in them. And, according to most industry stakeholders, the importance of these tests to the modern-day organisation cannot be overstated.

"PT is an absolute must. It is part of the overall risk assessment that an organisation does. Again, PT should definitely be an ongoing exercise rather than a point exercise, simply because threats evolve if not hourly, then on a daily basis. New patches for systems come into being on a very regular basis. So it should be an ongoing exercise," says Guru Prasad, head of the networking division at FVC.

RV Ramani, principal security consultant at Paramount Computer Systems, agrees, adding: "Investing in security solutions without performing a risk assessment or PT services is like buying ingredients without knowing a recipe.

You must know your risks and vulnerabilities before you plan for any security investment. Assurance services such as PT and risk assessment will identify all the vulnerabilities, and will help IT managers in prioritising their security initiatives."

In recent times, PT has been gaining importance, and growing in popularity among companies in the region.

"Though we do not offer these services, we offer some of the tools that can be used for PT provision. Indirectly, we see demand for these services growing as more and more providers are buying these tools from us. And many of them state that their existing and older customers are asking them for this particular service. So it is not as if they are buying these tools to attract new clients.

They are using these tools because they are seeing demand for these services from their existing clients, and they want to provide these services so they don't lose that revenue stream," points out Prasetyo.

Due to its relative newness to the Middle East market, and the nascent character of several providers, PT does not happen here the same way that it does in more developed markets.

"Many security providers are still doing the de facto tool-based exercise when it comes to PT in the region. It has matured over time. I can see some of the new entrants and existing ones taking a more rounded approach to PT.

They are taking a more consultative, more development-oriented approach to doing PT, rather than just doing tools-based testing. We are definitely catching up, primarily because of more established players coming into the Middle East. I see the approach has changed as well over time. I think they are slowly getting there, but I would still say there is still some way to go in terms of the approach," says Prasad.

He insists, like many others in the industry, that PT has to be a consultative process that changes according to the needs and specific nature of an organisation, rather than a tool-based one where a particular application is simply plugged in to check an enterprise's defences.

Before entering into an agreement with a provider, the end-user will need to check the provider's previous record as well as the tools he will use to conduct the test.

"The first thing to do is to ask the provider what tools they use. Based on this knowledge, you can judge the quality of the PT that will happen. One of the most important ways of doing PT today is on a protocol subject, since most vulnerabilities occur due to badly written apps. Protocol vulnerability tests can happen only in custom built penetration apps.

The tester typically writes an app, understanding the protocols that are in use in an enterprise and then develops the PT plan. Expertise in this area should also be checked," warns Prasad.

PT costs an enterprise a lot of resources, but unless the organisation is clear on what it wants from these checks, it can prove to be a wasted exercise.

Basics of examination

PT, to most people in the industry, still involves only the simulation of an external attempt to get into organisational networks. However, a genuinely thorough test would also have to look at information lifecycle practices and employee behaviour to give a complete picture of the security scenario.

"PT can be anything from self tests to external tests. It depends on the nature of the business and what they do. Most commonly, PT is implemented against the external interface. However, it can be done to internal apps as well," says Greg Day, EMEA security analyst at McAfee's Avert Labs.

The testing process involves several stages. The most basic division is into black box, white box and grey box testing.

"Black box testing refers to a PT expert who has absolutely no knowledge of an enterprise network host, or any inside knowledge of apps that are running. Basically it is an open approach where the ethical hacker attacks networks without any internal knowledge.

White box testing is done with full knowledge of the systems within an enterprise. The penetration tester knows exactly what systems, networks and architecture they have, and approaches the test with that full knowledge," explains Prasad.

Grey box testing falls between black box and white box testing.

Prasad continues: "PT can be divided into three. The first is the most vulnerable, and involves web apps PT. Any enterprise that has any site or any app that is exposed on the extranet or on the internet is the first target for this. Second is the external PT, where the hacking technique is involved.

This includes tests on the internet from the outside into the enterprise network. And then there is the internal PT, where the hacker sits inside the network and emulates an inside job. These are the most typical testing methodologies and approaches that one follows in the industry."

PT activities, especially in the region, do not always follow these processes. This and other factors create multiple challenges for enterprise end-users when they invest in tests.
