As noted in my first article of this series (see part one, two and three), security and reliability encompass holistic network assessments, vulnerability assessments and penetration testing. In this post I’d like to go deeper into penetration testing; however, first, let’s go back for a quick refresh before getting started.

There are three broad steps any organization can take with respect to security and reliability to get a handle on their current security posture, whether internal (corporate or “inside the firewall”) or external (Internet or “outside the firewall”). These include a series of in-depth assessments that include network, vulnerability and penetration testing.

• Network Assessment – Network assessment is a broad term that might encompass a holistic view of an organization’s Internet security posture both internally and externally. A network assessment can be tailored to specific security requirements for any organization, but ultimately the assessment will provide a baseline gap analysis and remediation steps to fill those gaps.

• Vulnerability Assessment – Once your baseline network assessment is completed, an organization may wish to perform periodic vulnerability assessments. Whether internal or external, vulnerability assessments can uncover critical gaps in security that may lead to credential leaks, intellectual property theft, or denial of service to employees or customers. A well-planned and well-executed vulnerability assessment should eliminate false positives, but it can never give an organization 100 percent confidence that a specific vulnerability cannot be exploited. Vulnerability assessments should be executed on at least a quarterly basis, but it’s not uncommon for larger organizations to execute them monthly.

• Penetration Testing – The next and final step in assessing your organization’s security and reliability is penetration testing. While I typically say that vulnerability assessments give you a “95 percent confidence level” that a vulnerability exists, penetration testing can give you 100 percent confidence that a specific vulnerability exists as well as show you how it can be exploited by attackers.

Now that we are all caught up, let’s dive in to penetration testing.

What is a penetration test?

A penetration test typically follows a full vulnerability assessment, after you have identified systems with known or suspected vulnerabilities. The existence of vulnerabilities may be obvious, or may require exploitation to validate. By definition, penetration testing involves exploiting a vulnerability to prove its existence or to expose other previously unknown vulnerabilities, or even additional systems, not previously known or tested.

Once you’ve completed a vulnerability assessment, you must build an attack profile for penetration testing and then execute your attacks.

Step One: Attack Profile

In the attack profiling phase, you must conduct research on your vulnerabilities to determine the best tools to use to attempt exploitation. There are a plethora of commercial, free and open source penetration testing toolkits, including:

• CANVAS
• Metasploit (free and commercial versions)
• Core Impact
• Nikto (web applications)
• Burp Suite (web applications)

There are many more scripts and toolkits you might use for both vulnerability assessments and penetration testing, such as wireless discovery applications, packet capture applications, port scanners, etc. We’ll cover some of the more common tools in future articles.

There are too many details to cover in this overview, but suffice it to say a penetration test engineer must understand the underlying operating systems, applications and protocols for the vulnerabilities they are trying to exploit.

Exploits may be common to a given application regardless of the platform (operating system and protocols), but they may also be a very specific combination of hardware platform, operating system, application, protocols, and even network elements to include routers, switches and firewalls.

The commercial toolkits listed above provide a good framework and automation for running exploits, but they all have many configuration parameters, variables and scripts related to very specific vulnerabilities that one must understand in order to execute and effective penetration test. To paraphrase a famous line from the movie Caddyshack, “be the exploit!”

Step Two: Attack Execution

Now, the real work begins. You may understand the vulnerability, you may have your tools and scripts ready to execute and exploit the vulnerability, but inevitably things won’t go as planned. As with vulnerability assessments, you may have to adapt your profile because you find that a firewall or network ACL (access control list) is blocking communication in one direction or a given vulnerability cannot be exploited for unknown reasons, or operating system/application fingerprinting was inaccurate. There are many scenarios that may cause you to alter course and change tools or methods to attempt exploitation.

In Summary

Penetration testing (and security on the whole) can be as much art as science, but hopefully this article rounds out our series on security and reliability and gives you some insight on the importance of including this as part of your organization’s processes. Ultimately, you will gain confidence in assessing risks and determining which vulnerabilities should be considered real, requiring mitigation. This is the very best way to be prepared for real-time risks and attacks.