Tiller - CISOs Guide to Penetration Testing

Hiring someone to hack your company goes by many names, such as ethical hacking, penetration testing, tiger teaming, intrusion testing, vulnerability analysis, and even security assessment. In addition, each term has different meanings in different countries or regions. The term penetrationtesting does not go over well in Central America and some places in the United States, whereas the term ethical hacking is not the preferred term in Western Europe. Tiger team is a derivative of a military term and I have heard it used in Taiwan and Japan, another place the use of the term ethical hacking, as the name of an act, does not go over well. Nevertheless, the most predominant term is penetrationtesting, more commonly referred to as pentesting.

The intention of this book is simple: explain and detail the methodologies, framework, and unwritten conventions pentests should exercise to provide the most value to organizations seeking to enhance their security posture.

There is a great deal of respect for other books of similar type, extensive training on the subject, and professional service organizations that provide pentesting services. All these convey valuable information pertaining to tools and processes on how to use them. However, it is critical that structure and process combine to ensure all parties recognize ultimate value and a company is not being tested under poor assumptions.

Security is a lot of things combined in many ways that will have varying degrees of impact, good and bad. This is a lesson in value and risk, and how they relate to pentesting. Within security, one must take into consideration the human element as much as the technical. Additionally, there are the pragmatic issues of value and risk, and their effects on business objectives.

There are several areas associated with pentesting that have yet to be addressed in their entirety. Following is a list of characteristics of pentesting and the gap associated with each. This book provides the framework and structure to address these fundamental issues.

Focusing on tools and technology, and very little on methodologyToday, there is a clear understanding of the use and availability of tools to support pentesting. Thanks to several popular references, the processes of technically performing a test are well documented and reasonably well established. However, organizations desperately need to understand the details in the overall processes and how to use the test and its results for the betterment of their security posture. This is the ultimate goal behind pentesting but, ironically, remains elusive and a rarity among the greater population of pentesting engagements.

Interpreting the resultsWhen a system is determined secure because it has survived a controlled attack, it does not necessarily mean that system is actually secure. The vast amount of assumptions, limitations, and expectations inherent in and applied to a test may result in inaccurate conclusions. Moreover, there are situations where the test resulted in voluminous amounts of vulnerabilities being identified, making it nearly impossible to weed through the information to find what really matters and effectively measure the risk. Another problem is that results are rarely integrated into the companys security program effectively and usually appear as ad hoc point solutions to solve an immediate need, such as a new firewall rule or another untracked policy statement. Those who do not perform insightful planning based on an established process typically do not realize the potential value a pentest can represent to the business. Understandably, a tests lack of comprehensive planning is the root cause of the questionable effectiveness of many tests.

Protecting the innocentPentesting requires breaking into computer systems or applications to demonstrate the risk of an identified vulnerability. By collecting specific information from the target, a tester can prove access was successful and reveal the risks associated with the exposure. The result is that highly sensitive information about the targets security capabilities (or the lack of them) is collected and maintained far outside the owners control. If this information were to fall into the wrong hands, it could be used to perpetrate a real attack against the company. Another risk is the information being leaked to the public or to stockholders who stand to lose their investment if the exposures represent a fundamental risk to the business. Information of this type can result in all types of disasters, including negative portrayals by the media, devaluation, loss of customers, or legal consequences. Also, there are several opportunities for the tester to accidentally inflict harm on intermediates, such as an Internet service provider (ISP), partners connected to the targets network, or customers interacting with the systems or applications under attack.

Politics and processesBreaking into a company can represent a substantial threat to the continued employment of several people within the organization. It is essential the test be performed to support the entire company and not an individual. In some cases, the deliverable pentest was not presented to the people who needed it most to make the necessary security improvements. Politics can play a major role in the planning of a test and the creation of limitations and expectations, ultimately affecting the outcome. Establishing a solid foundation of communication, expectations, imposed and inherent limitations, and metrics for the test will help to ensure the company benefits from the experience, not the individual.

Testing dangersThere are several dangers associated with penetration testing. These range from outages, system or application faults, and the destruction of information, to more ominous issues such as information leaks (when questionable resources are used to perform the engagement, possibly sharing critical information with others for status or money) and piggybacking (when a real hacker uses the tests activities to camouflage his attack). Proper teaming and communication protocols will protect both tester and target from inadvertently harboring illicit activities. Moreover, testing engagements are a prime source for teaching people how to break into networks, especially yours. Great care and attention must be paid to the people performing the test and to their ethics and responsibilities.

The audience for this book is ultimately senior and executive security management responsible for ensuring a sound security posture, and that investments in security, such as penetration testing, produce value and actionable results for the betterment of the organization. Managers who are looking to solicit third parties (or internal departments) to perform pentests against their networks, systems, applications, and even physical establishments are also beneficiaries of this book. Information security administrators, managers, directors, or anyone considering or responsible for obtaining penetration services can gain a great deal by employing a business-value, business-focused approach.

Information about what to expect from all phases of the test, from the first meetings to accepting the deliverable and knowing how to best use the results, is discussed. Elements detailed will help in identifying a good test from a bad one, or finding the value from what was perceived initially as a failure. Most important, organizations seeking penetration services will gain further insight into the appropriate measures and methodologies that should be practiced by a third party. Finally, this book provides guidance in setting test expectations: What are your expectations? What do you think the results will show? Are you prepared for Pandoras box to be opened? Understanding the details of a test will provide unequalled insight, and, most important, business value to any company.