
Guide to penetration testing, Part 2: Performing a penetration test

27 Apr 2005 | Puneet Mehta, CISSP


What makes a good penetration test?

While there are clear advantages to performing a penetration test, what makes the exercise worthwhile is the result. The results need to be of value to the client and easy for the client to understand. There's a general misconception that penetration testing is all about running fancy automated security tools and handing over the generated reports as the deliverable. But it takes more than security tools to conduct a penetration test successfully. While automated security-testing tools play an important role in the exercise, they have limitations: they can never truly simulate a skilled attacker. No matter how comprehensive a tool's report is, there is always a need to explain it.

Let's take a look at some of the key factors that make a good pen-test:

  • Establish the parameters: Defining the scope of work is the first and most important step towards a successful penetration test. The scope defines the boundaries, the objectives and the validation of procedures (the success criteria).
  • Know da man: Hire skilled and experienced consultants to perform the test: the ones who know what they are doing. In other words, separate the professionals from the amateurs. Make sure they are:
    • Legally capable
    • Experienced
    • Bound by a non-disclosure agreement
  • Choose an adequate set of tests: A mix of manual and automated testing yields the best balance of cost and benefit.
  • Follow a methodology: It's not a guessing game. Everything needs to be planned, documented and followed.
  • Resulting value: The results should be documented carefully, and efforts should be made to make them understandable to the client. Whether it's a technical report or an executive summary, there is always a need to explain. The security consultant/tester should be available to answer queries and explain results.
  • Findings and recommendations: This is a very important part of a pen-test. The final report must clearly state the findings and map each of them to the potential risks. This should be accompanied by a remediation roadmap based on best security practices.

Before we get into the testing strategies and techniques used in penetration testing, let's take a look at some scenarios where it can be useful:

  • Setting up a new office
    Whether it's a new business or the addition of new sites, penetration testing helps identify potential weaknesses in the network infrastructure. For example, internal testing is critical when adding new sites, as it examines which network resources are available and reveals the type of traffic passing between sites.

  • Deployment of new network infrastructure
    Every new network infrastructure should be thoroughly tested by simulating the actions of an attacker. While an external test is generally performed (with little prior knowledge of the infrastructure) to ensure perimeter security, internal testing should also be carried out to ensure that network resources such as servers, storage, routing and access devices are sufficiently hardened, and that the infrastructure remains secure from attack on the assumption that the perimeter has been breached.

  • Changes/upgrades to existing infrastructure
    Changes are inevitable. Be it software, hardware or network design, changes and upgrades are made to enhance features, to fix critical bugs or to accommodate a new requirement. Whenever existing infrastructure is changed, it should be tested again to ensure that no new vulnerabilities have been introduced. The amount of testing required depends on the nature and extent of the changes. A minor change, such as a configuration change to a particular firewall rule, will only require a port scan to confirm the expected firewall behaviour, whereas a major change, such as an upgrade of critical equipment or of an OS version, may require a full retest.

  • Rolling out a new application
    Once the infrastructure has been thoroughly tested, new applications (whether Internet-facing or Intranet-hosted) must also be tested for security before they are put into production. This testing needs to be performed on a "real-life" platform, ensuring that the application only uses the defined ports and that the code itself is secure.

  • Changing/upgrading an existing application
    As with infrastructure changes, application changes vary in nature. Very minor changes, such as user account changes, will not require testing. However, major changes involving the functionality of the application should be thoroughly retested.

  • Periodic repeat testing
    Managing security is not easy, and companies should not consider a penetration test the final remedy for all security problems. A company that does is settling for a false sense of security. It's always good practice to test sensitive systems periodically to ensure that no unscheduled changes have been made.
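One way to turn two of the checks above (the port scan that confirms a firewall rule change behaves as expected, and the check that a new application only uses its defined ports) into a repeatable regression test, as an added example that is not part of the original article: declare the expected state of each port and report every deviation from it. The host address, the port policy and the `tcp_probe`/`check_policy` names are assumptions.

```python
"""Post-change port policy check (added example): verify that a host exposes exactly
the TCP ports its policy allows, so a firewall rule change or application rollout
can be regression-tested rather than eyeballed. Host and ports below are constructed."""
import socket
from typing import Callable, Dict, List, Tuple

Policy = Dict[int, bool]           # port -> True (must be reachable) / False (must be blocked)
Deviation = Tuple[int, str, str]   # (port, expected state, observed state)


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True when a TCP connect to host:port succeeds (port reachable through the firewall)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_policy(host: str, policy: Policy,
                 probe: Callable[[str, int], bool] = tcp_probe) -> List[Deviation]:
    """Probe every port in the policy; return those whose observed state differs from
    the expected one. An empty list means the host matches its policy."""
    deviations: List[Deviation] = []
    for port, should_be_open in sorted(policy.items()):
        observed = probe(host, port)
        if observed != should_be_open:
            deviations.append((port, "open" if should_be_open else "closed",
                               "open" if observed else "closed"))
    return deviations


def format_report(host: str, deviations: List[Deviation]) -> str:
    """Render deviations one per line, suitable for attaching to the change ticket."""
    if not deviations:
        return f"{host}: all ports match policy"
    lines = [f"{host}: {len(deviations)} deviation(s) from policy"]
    for port, expected, observed in deviations:
        lines.append(f"  tcp/{port}: expected {expected}, observed {observed}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed policy: only SSH and HTTPS may be reachable on this host.
    policy = {22: True, 443: True, 23: False, 80: False, 3389: False}
    # Simulated probe results stand in for tcp_probe so the demo runs offline;
    # here the rule change accidentally left tcp/80 reachable.
    simulated = {22: True, 443: True, 23: False, 80: True, 3389: False}
    print(format_report("192.0.2.10",
                        check_policy("192.0.2.10", policy, probe=lambda h, p: simulated[p])))
```

Against a real host, drop the `probe=` argument so `tcp_probe` is used; a non-empty deviation list is the signal that the change needs a closer look before sign-off.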

Continue to Part 3: Penetration testing strategies
