Tuesday, October 14, 2014

The Case for Penetration Testing

Overview
Penetration Testing is the method of testing that focuses on finding areas of weakness in software systems in terms of security. These areas are put to the test to determine if they can be broken into or not.

A penetration test is a proactive and authorized attempt to evaluate the security of an IT infrastructure by safely attempting to exploit system vulnerabilities, including OS, service and application flaws, improper configurations, and even risky end-user behavior. Such assessments are also useful in validating end-users’ adherence to security policies.

The fundamental purpose of penetration testing is to measure the feasibility of systems or end-user compromise and evaluate any related consequences such incidents may have on the involved resources or operations.

Reason for Penetration Testing
  • Security breaches and service interruptions are costly
    • Security breaches and any related interruptions in the performance of services or applications can result in direct financial losses, threaten organizations’ reputations, hamper customer loyalties, and trigger significant fines and penalties.
  • Identifies and prioritizes security risks 
    • Penetration testing evaluates an organization’s ability to protect its networks, applications, endpoints and users from external or internal attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets.

When Should Penetration Testing be Performed?
Penetration testing should be performed on a regular basis to ensure more consistent IT and network security management by revealing how newly discovered threats or emerging vulnerabilities may potentially be assailed by attackers. Tests should also be run whenever:
  • New network infrastructure or applications are added
  • Significant upgrades or modifications are applied to infrastructure or applications
  • New office locations are established
  • Security patches are applied
  • End user policies are modified

Benefits of Penetration Testing
  • Intelligently Manage vulnerabilities
  • Avoid the cost of downtime
  • Meet Regulatory requirements and avoid fines
  • Preserve customer loyalty and corporate image

How to Conduct Penetration Testing
  • It starts with a list of Vulnerabilities/potential problem areas that would cause a security breach for the systems.
  • If possible, this list of items has to be ranked in the order of priority/criticality.
  • Devise penetration tests that would work (attack your system) from both within the network and outside (externally) to determine if you can access data/network/server/website unauthorized.
  • If the unauthorized access is possible, the system has to be corrected and the series of steps need to be re-run until the problem area is fixed.

Criteria for Selecting the Best Penetrating Tool
  • It should be easy to deploy, configure and use.
  • It should scan your system easily.
  • It should categorize vulnerabilities based on severity that needs immediate fix.
  • It should be able to automate verification of vulnerabilities.
  • It should re-verify exploits found previously.
  • It should generate detailed vulnerability reports and logs.

Some of Tools Used for Penetration Testing
  • Metasploit
    • This is the most advanced and popular Framework that can be used to for pen-testing. It is based on the concept of ‘exploit’ which is a code that can surpass the security measures and enter a certain system. If entered, it runs a ‘payload’, a code that performs operations on a target machine, thus creating the perfect framework for penetration testing.
    • It can be used on web applications, networks, servers etc. It has a command-line and a GUI clickable interface, works on Linux, Apple Mac OS X and Microsoft Windows. 
  • WireShark
    • This is basically a network protocol analyzer –popular for providing the minutest details about your network protocols, packet information, decryption etc. It can be used on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many other systems. The information that is retrieved via this tool can be viewed through a GUI, or the TTY-mode TShark utility. 
  • Core Impact
    • CORE Impact Pro can be used to test mobile device penetration, network/network devise penetration, password identification and cracking, etc. It has a command-line and a GUI clickable interface, works Microsoft Windows. This is one of the expensive tools in this line and all the information can be found at below page.
Conclusion
Penetration testing must be performed to manage 
  • Intelligently Manage vulnerabilities
  • Avoid the cost of downtime
  • Meet Regulatory requirements and avoid fines
To learn more about Prolifics' testing solutions, visit: http://www.prolifics.com/solutions/quality-assurance-testing

Ritesh Sujir is a Delivery Manager in the Testing Practice at Prolifics. He is an accomplished project management professional with 14+ years of experience working with Fortune 500 clients. Ritesh specializes in all aspects across project management and is accountable for the development and maintenance of project plans, risk assessments, and status reports. His recent experience includes clients in the Banking, Retail, and Healthcare verticals.