Penetration tests measure firms’ security

Penetration testers make it their business to overcome your defences and infiltrate the network. And your security measures may not be as robust as you think.

Rob Pope had to take some deep breaths and look inconspicuous while he waited for someone to approach the security door.

When an employee opened the door and went through, he tailgated them, followed unnoticed into the adjacent corridor and then slipped into the heart of the building.

Once he was in, his heart stopped pounding and he began to take on the role of a staff member. He sat down at a PC and began to work. "I sat down at people's computers when they went to the lavatory, and tapped away getting network configuration details and downloading documents to a USB drive," he said. "No one asked who I was."

It was Pope's first intrusion, but since then he has sneaked into dozens of companies. Pope is not breaking the law, however - he only infiltrates with permission. He works for SecureTest, a company specialising in penetration tests. Clients ask the company to target specific elements of their IT infrastructure and identify vulnerabilities.

This can involve physical intrusion, in which testers gain access to different parts of the building - especially the server room.

A common tactic by penetration testers is to leave their business cards hidden in key spots, to be retrieved later on with the client's executives in tow. Clients are also expected to provide "get out of jail free cards" - signed letters releasing the testers if they are caught.

Even when companies are convinced that they are invulnerable, they are frequently surprised by test results. Network managers often view their systems in terms of defence, putting up obstacles that appear invulnerable, but attackers do not play by the rulebook.

Testers use undocumented techniques and exploit human error and technical flaws to find their way into a system.

Some companies do not even configure their defences according to the conventional rules. Instead, they leave gaping holes that testers can simply stroll through.

"You think a place will be secure and you go in and you find yourself using techniques that you were using 20 years ago," said Dan Haagman, director of operations at information security consultancy 7Safe.

One basic mistake that testers see even today is weak password security, enabling them to guess their way into accounts. Another is firewall misconfiguration. Rogue machines connected to the network have also been good to Phil Huggins, chief technical architect at security consultancy and penetration tester Information Risk Management. He remembered one particularly enjoyable test.

"We found a Windows NT4 system facing the internet, unfiltered, and with no password on the administrator account, and the system name was Trojan. It took 15 minutes to reach the crown jewels," he said.

After the pre-test meetings, penetration tests start with information discovery in which testers gather information about the target. Techniques such as dumpster diving are common, in which testers search through rubbish to find useful snippets of information (do you know where the hard copies of your server logs are?).

Searching newsgroups for information about the company can yield results, and Google is a useful tool for those that know how to use it.

The "site" prefix (for searching within a particular web domain) and the "filetype" prefix (useful for searching for, say, Microsoft Access files, Outlook databases or systems administration scripts) can sometimes yield useful results - as can metadata gleaned from documents retrieved from a company's website.

The target scanning phase lets the penetration tester assess the size of what Haagman calls the company's "attack surface". The greater the number of attackable points in the system (public IP addresses, for example), the more opportunities there are for a tester to get in.

Identifying potential doorways into a system leads to a vulnerability assessment, in which the attacker rattles them to see how vulnerable they are. Security testing tools from companies such as Nessus are useful here because they can automate the process, identifying weak points in identifiable parts of the company's infrastructure.

The fun part is the penetration test, when the consultants really get to go to work, blowing the doors open and finding innovative ways to gain control of different parts of the system.

The attack points and methods used by penetration testers have changed over the past few years. "It all changed in 2000. Everyone went online," said Huggins. "Before that, it was all infrastructure based. It was all looking at networks, operating systems, patches and so on."

As the number of web-based applications increased, attack vectors became increasingly browser-based. Web applications can be fruitful for hackers, said Pope. Common vulnerabilities include exchanging user credentials in clear text before entering an encrypted session, or simply not encrypting connections with SSL at all.

One of the most dangerous web-based application attack vectors open to penetration testers is SQL injection, in which SQL commands are inserted into web input forms.

Poor input validation can miss these commands, enabling attackers to modify database queries containing web form input strings. Using this technique on a poorly-written system could let a penetration tester copy your entire customer database, for example.
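
The mechanism described above, as an added example that is not part of the original article: a customer lookup built by string concatenation next to the same lookup using a bound parameter. The table, the sample rows, the form input and the function names are all constructed for illustration, using Python's built-in sqlite3 module.

```python
import sqlite3

def make_db():
    """In-memory customer table filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.test"),
         ("Bob", "bob@example.test"),
         ("O'Neal", "oneal@example.test")],
    )
    return db

def lookup_vulnerable(db, name):
    """Form input is pasted into the SQL text, so it can change the query."""
    query = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_parameterised(db, name):
    """Form input is bound as a parameter, so it is only ever compared as data."""
    return db.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()

def demo():
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed form input that rewrites the WHERE clause
    results = {
        # Concatenation: the condition becomes always-true and every row comes back.
        "vulnerable_crafted": len(lookup_vulnerable(db, crafted)),
        # Bound parameter: no customer has that literal name, so nothing comes back.
        "parameterised_crafted": len(lookup_parameterised(db, crafted)),
        # A legitimate surname containing an apostrophe still works when bound.
        "parameterised_apostrophe": len(lookup_parameterised(db, "O'Neal")),
    }
    try:
        # The same legitimate surname breaks the concatenated query outright.
        lookup_vulnerable(db, "O'Neal")
        results["vulnerable_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vulnerable_apostrophe"] = "sql error"
    return results

if __name__ == "__main__":
    print(demo())
```

The apostrophe case shows why filtering characters is not a substitute for bound parameters: rejecting quotes would lock out a genuine customer, while binding handles both inputs correctly.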

"I did a training course with 10 developers last week. Only two of them had heard of SQL injection, which amazed me," said Pope. But web applications are now well known points of attack. The emphasis is already switching to locally-run applications, said Pope. Using exploits in Office and other applications can give testers a way into a company, he said.

"People are filtering out .exe files sent via e-mail, but everyone lets Word and Powerpoint files through," he said, adding that the main danger now concerns flaws in the client code rather than macro viruses.

Buffer overflows are only one kind of exploit that can be generated by sending properly configured documents. "I wonder whether people are really testing their workstations and proxy servers against these kinds of attacks," said Pope.

The danger from poorly written or configured applications is linked directly to unprotected inner defences. A company may spend thousands of pounds securing the edge of its network, and pay little attention to the infrastructure within.

Internal applications that were never supposed to be seen by anyone from the public internet are often developed without adequate security, said Huggins. Now, thanks to the prevalence of IP networks and the ubiquity of HTTP (aka the firewall avoidance protocol), they can be easily reached.

"Internal networks are still very soft inside, because people rely on the fact that they are not on the internet and they have some proxy filtering," said Huggins. "Once an intruder is on that network, if it is soft then they have the capability to move around."

This is compounded by a lack of network segregation, he said. Network administrators are often too overworked to properly configure virtual local area networks for security purposes.

It is a brave IT director who will invite someone to try and break their network. If you are going to do it, you want someone trustworthy. Poacher-turned-gamekeeper stories of companies hiring known black-hat hackers are doubtless true, but Haagman does not advise it.

"Security clearance is a very valuable thing these days," he said. "Would you trust an ex-burglar to do a security audit on your house? Would you have a convicted fraudster doing your tax returns?"

The last question is interesting: the FBI and countless financial institutions have hired former arch-fraudster Frank Abagnale Jr to demonstrate his techniques, after all.

Regardless of who you think you are getting, there could be consultants in the penetration testing community with chequered backgrounds, said Martin O'Neal, managing director at penetration testing firm Corsaire. His advice is to check out lots of references on potential suppliers from your peers. Ask around and do your own research.

There are accreditations for penetration testers - the EC Council has a certified ethical hacker qualification, for example. The Open Information Systems Security Group - a non-profit body whose phones are answered by a for-profit penetration testing consultancy - has its own. Which accreditations should clients look for?

7Safe has tried to avoid the credibility problems of conducting the training, examination and awarding of the certification itself by handing over the examination to the University of Glamorgan.

The university examines contenders for the consultancy's certified security testing certificate and certified security training professional courses, but lets 7Safe certify professionals and hand out the certificates. 7Safe and the university have also combined to produce a postgraduate certificate in penetration testing and information security.

O'Neal still prioritises Check, the accreditation scheme for security consultants provided by Government Communication Headquarters' information assurance arm, the CESG. Check is designed for public sector contractors and includes a security clearance element.

Commercial companies have been using Check as a criterion for selecting security providers, but sources suggest that the commercial IT sector, led by the Intellect trade association, is preparing another penetration testing standard designed exclusively for the commercial sector. It could be launched as soon as March.

In the meantime, some penetration testing experts stand by the Open Source Security Testing Methodology Manual. It is a methodology for security testing developed by the Institute for Security and Open Methodologies.

If you are going to let a company this close to your network, be sure to lay out the ground rules. In the pre-test meeting, the IT department should establish which parts of the network are to be tested and how far. You may not want someone trying to own your mission-critical transaction server, but it may be acceptable for them to identify potential ways into that server.

How "noisy" should the attack become? Should attackers remain covert, or push the test as far as they can go and become increasingly blatant until they are caught?

What objectives exist along the way? Step one might be finding the chief executive's private e-mail address. The final step might be gaining physical access to the administrator's workstation.

Hopefully, proper vetting should avoid the same problem that O'Neal recalled befalling one company. One new supplier was keen to form a relationship, so offered a large e-commerce company (let's call them a free penetration test. "They proudly presented their results, whereupon the company's staff pointed out that they had tested, which was owned by a different organisation altogether," he said.

That is one scenario where a penetration tester definitely would not get the chance to leave any business cards lying around.
