Penetration Testing

Penetration testing does not reduce risk.

(Pause for dramatic effect.) Expect the objection “but doesn’t a penetration test discover vulnerabilities?”

Penetration testing discovers vulnerabilities. Discovering vulnerabilities doesn’t address the vulnerabilities. Addressing the vulnerabilities reduces risk. If the name of the game is discovering vulnerabilities, is a penetration test the most productive approach?

Penetration testing (pentest) receives a disproportionate amount of attention. Penetration testing does not reduce risk or increase security. Penetration testing actually increases the chance of information disclosure and application failure. Penetration testing introduces risk. Penetration testing hits the charts at number 20 (sharing that slot with Red Team Exercises) in the SANS/CIS Top Twenty Critical Security Controls.

Attempting to punch holes in a bucket does not harden the bucket. Failing to punch holes gives confidence about the bucket’s integrity.

So why do penetration testing at all? There are roles for penetration testing. Penetration testing provides some confidence that you are effectively implementing the other security controls. A penetration test may reveal gaps in your coverage. Remediating these gaps (working on the other security controls) would reduce risk and make you more secure. A penetration test is not a rigorous examination of the other security controls. You should not expect a penetration test to reveal all weaknesses.

A penetration test will be required for many regulations and contracts. Agreements, such as PCI, require penetration tests.  An agreement could not say “implement standard security controls well,” but an agreement could say “implement standard security controls in a industry-approved manner” and here a penetration test is a mechanism to verify an implementation. A penetration test is a more reasonable requirement than a system audit. If, for example, the Payment Card Industry required a system audit of any organization which would accept credit cards, the time and expense of the system audit would discourage organizations from accepting credit cards. The penetration test is a reasonable measure of establishing confidence.

Penetration tests provide some confidence that you have implemented other security controls well. Familiarity with penetration testing procedures can drive home the need to focus upon the other critical security controls.

A more rigorous approach to identifying gaps and weaknesses is to review the other security controls to determine their completeness. In other words, check your work. Do your own system audit. Like other complex issues, break the security problem into its constituent parts and address those parts.

See “Could we have prepared for this? Attack Simulations for Blue Team Hardening,” a SANS webcast presented by SANS instructor Alissa Torres. Alissa describes an Attack Simulation approach that seems to be more “agile” than penetration testing or red team exercises. There are things in the presentation that I world disagree with. Most importantly, an Attack Simulation should begin early in an organization’s maturity along with tabletop scenarios and developing an incident response procedure.

Web application vulnerability testing is often confused with penetration testing. Application software security, including web application security, is Security Control 18. Black box web application testing may be a step in a penetration test. When someone’s job title is “web application penetration tester,” there is confusion about what the job requires but the job has a flashy title.

The more important, the lower numbered, security controls should receive the majority of attention. Vulnerability scanning and remediation (Security Control 4) should occur on the scale of once a month. Vulnerability scanning should consist of configuration verification (Security Control 3) and software version (including patch level) verification. Check your work. If configurations seem weak, examine how the configuration came to exist. If changes failed, investigate why changes failed. Investigate which environments were missed (Security Controls 1 and 2). Alert when administrative privileges are used and follow up on those alerts (Security Control 5). Continue with the remaining of the SANS/CIS Top Twenty Critical Security Controls.

Implement the basics well and check your work. A penetration test will fail to reveal an exposure.

The boundaries of penetration testing must be clearly defined. A penetration test is what the contract says it is.

Case in point: the episode 229 podcast of PaulDotCom, in which the customer acknowledges that their ID card readers have a known vulnerability, tells the pentester “you can’t test that” … which evokes shameless derisive laughter. But why should it? Isn’t the customer trying to find out what they don’t know? Aren’t they trying to identify where their other critical controls are incomplete? Replacing an ID card reader system is an expensive process; knowing that it has a vulnerability doesn’t make a budget appear. Exclude that known vulnerability from the penetration test. A penetration test is what the contract says it is.

See also:

• HackingLoops is an online resource for learning Ethical Hacking. It covers wide range of information security topics including tips, password hacking along with relevant information about the latest tool. It also provides guidelines for baseline security.
• Training videos at PentesterAcademy
• Penetration Testing Framework by Kevin Orrey
• Open Source Security Testing Methodology Manual (OSSTMM) by Pete Herzog
• The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy (Syngress Basics Series) by Patrick Engebretson
• Penetration Tester’s Open Source Toolkit, Third Edition by Jeremy Faircloth
• Coding for Penetration Testers: Building Better Tools by Jason Andress and Ryan Linn
• Metasploit: The Penetration Tester’s Guide by David Kennedy
• BackTrack 4: Assuring Security by Penetration Testing by Shakeel Ali
• BackTrack 5 Wireless Penetration Testing Beginner’s Guide
  by Vivek Ramachandran (Oct 9, 2011)
• Kali Linux penetration testing distribution; replacement for BackTrack
• Pentoo penetration testing distributionA
• NodeZero penetration testing distribution
• BackBox penetration testing distribution
• Recon-ng is a full-featured Web Reconnaissance framework written in Python by Tim Tomes. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to Social Engineer, use the Social Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng!
• Wi-fEye Wireless Pentesting Tool 1.0 Beta is an automated wireless penetration testing tool written in python , its designed to simplify common attacks that can be performed on wifi networks so that they can be executed quickly and easily.
• Island Hopping the SpiderLabs Way
• Dradis is a self-contained web application that provides a centralized repository of information to keep track of security assessment information gathering that has been done so far, and what is still ahead.
• Penetration Testing Lab blog with links to distros, tools, exploits, other blogs
• Core Impact
• Anonymous speaks: the inside story of the HBGary hack
• SecurityOverride offers pen-testing tutorials, hacking challenges, security articles, exploits, tools and more. Its primary goal is to help develop penetration testing skills, and prevent security attacks in the future.
• PaulDotCom episode 232 with Mike Murr and Mike Murray about phishing and social engineering
• Information Gathering
• Pushpin online mapping using geolocation information from social networking sites
• Detecting ‘Auto-answer’ in Videoconferencing Equipment
• Don’t neglect Scapy for packet crafting. While you’re at it, get the
  Wireless Intrusion Detection Testing Tool from Alien Vault. Read Assessing Outbound Traffic to Uncover Advanced Persistent Threat [pdf] for additional uses for Scapy.
• NullSecurity belongs to a group of ethical security testers who actively develop and test security controls using a variety of custom tools and techniques. The content presented in the site is only part of the toolkit and is intended to aid both new and existing security staff who need to protect assets on a day to day basis, by eliminating holes that “black hat” hackers could use to circumvent existing controls.
• CMSmap is a Content Management System security scanner that automates the process of detecting security flaws of the most popular CMSs (WordPress, Joomla and Drupal). The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool. Python-based open source
• DockerScan to attack Docker images. Python-based open source