
Explaining Penetration Testing


Pen Testing…
No, not making sure your Bic has ink.

Penetration Testing is the art of compromising someone’s system(s) at their request and showing them the results in the hope that something will be done about it. There is a lot of debate about what really happens before, during, and especially after such a test is done. Many professionals have weighed in, including Marcus Ranum (Tenable Network Security) and HD Moore (Metasploit). You can hear a great podcast about penetration testing at Risky Business.

There are tools that a penetration tester uses to find vulnerabilities in systems (and sometimes in other things, such as trash). Once a vulnerability is found, there is another step, and this one is more controversial – it is where the arguments lie: the tester actively exploits the vulnerability and provides proof that the system is “PWNED”. The third step is deciding what to do with the information. If the test results just gather dust, then why do the test in the first place? Make sure that if you have a test done, you act to secure your systems.

I would like to weigh in.

I read an article that prompted both my last post and this post. In the article Penetration Testing: Dead in 2009 (CSO online) you will see the following:

The concept as we know it is on its death bed, waiting to die and come back as something else. That doesn’t mean pen testers will suddenly be unemployed, he said. It’s just that they “won’t be as cool” as they’ve been in more recent years.

Customers are clamoring more for preventative tools than tools that simply find the weaknesses that already exist, he said. They want to prevent holes from opening in the first place.

[…]

Kevin Riggins, a senior information security analyst for a company in the Des Moines, Iowa, area, said it’s hard to argue with Chess’ premise that the goal should be fewer failures. But he doesn’t believe that sentiment has anything to do with the need for or the use of penetration testing. Furthermore, … production monitoring and measuring and penetration testing do not address the same issue.

Let’s pick this apart a little bit.

Mentioned in the quote is Brian Chess, co-founder and chief scientist of business software assurance (BSA) vendor Fortify Software Inc. Chess’ argument appears in the first two paragraphs of the quote.

I agree with Chess, but would like to revise the manner in which it is stated. Penetration testing is prudent when you have limited resources for assessment. From my official schooling as a teacher, I know that the terms testing and assessment have two very different connotations.

  • Testing is a pressure situation in which a “snapshot” is taken of the state of the subject being tested (what do you know about the events of the War of 1812?).
  • Assessment is an ongoing trend in which an assessor takes many “snapshots” into account (do you understand the overall concepts of war in the 19th century?).
  • Assessors are usually people who have regular dealings with that which is being assessed and so provide better insight into the person/thing being assessed. (From this, you can also tell that I find the term “vulnerability assessment” a bit erroneous in most cases.)

I agree with Mr. Riggins except for the claim that “he doesn’t believe that sentiment has anything to do with the need for or the use of penetration testing.” Following the previous paragraph, I hope that more IT personnel will realize that paying an outsider to test your environment is detrimental to the overall understanding of your environment: it makes your staff’s priority fixing the holes they are handed (an exercise that fosters automated thought rather than real critical thinking) rather than continually assessing the systems for possible exposures. Just make sure your staff has the training and motivation to do a great job.

If assessment is done on a regular basis, I predict that FOI will decrease and systems will be more secure overall.

-Tim

*** This is a Security Bloggers Network syndicated blog from Security Workshop authored by Tim Cronin. Read the original post at: http://securityworkshop.blogspot.com/2008/12/explaining-penetration-testing.html