
Information Security Technical Report, Vol. 2, No. 3 (1997) 80-86

The Relevance Of Penetration Testing To Corporate Network Security

by Gay Hardy, Director of Consultancy, Zergo Ltd

This article discusses the topic of penetration testing, current approaches, and its relevance in understanding the security of corporate networks.

Introduction

Penetration testing, tiger team testing and generally the whole subject of attacking systems has been a controversial area for some time. There have been arguments for and against such techniques ranging from them being potentially very dangerous through to them being unnecessary when there are easier ways to identify weak controls.

The explosive growth of networking generally and especially the use of public networks such as the Internet, has made penetration testing a much more topical subject. Anxiety about real network attacks, reliance on sophisticated defences such as firewalls, and media coverage have all made corporate managers and network technicians more interested in penetration testing. It provides a more tangible feel for how secure the network really is, and the findings often generate an active response.

This article looks at penetration testing and explains what it offers, how it can be undertaken, what the benefits and pitfalls are and suggests approaches. It concludes that penetration testing is a very useful part of the monitoring and evaluating toolkit, and with the arrival of automated tools will be easier to employ.

What is penetration testing?

The term penetration testing covers a wide range of tests and techniques which generally are designed to test for security vulnerabilities in the network environment. In some situations they are similar to emulating the activities of a hacker, by probing and searching for ways to circumvent or bypass controls, and searching for weak points in the target organization’s electronic communications perimeter. This perimeter is formed by:

• The gateways to third party networks such as the Internet, public X.25 networks and more proprietary networks.

• Telephonic systems, usually PBXs.

• Modems and similar devices supporting fax and data connections over analogue and digital links.

Some of these interfaces often are poorly configured and permit easy access and opportunities for abuse to those using publicly available scanning tools to discover them. The use of the same tools and techniques is sometimes limited to just identifying the vulnerabilities and their potential for allowing unauthorized access to the organization’s networked systems. Penetration testing can, however, be more structured when testing actual defences, e.g. proving that a firewall is behaving in accordance with the defined policy and showing that it is filtering traffic as intended, maintaining logs as intended and reacting properly when under attack. When trying to gain positive assurance that defences are working as designed, penetration testing is akin to system acceptance testing with the objective being to provide assurance that security functions are operating as intended. This kind of test is particularly relevant to high security installations such as secure Internet servers and applications like Internet banking and E-commerce.

0167-4048/97/$17.00 © 1997, Elsevier Science Ltd

It is often assumed that tests like these are only performed from ‘outside’ the network perimeter. While this is a key part of the process, tests should be performed on the inside too. Information leaking out is just as important as unauthorized access into a network, and the complexity of networking means that backdoors and gateways between networks provide for convoluted ways to break security controls.

An awful lot of time can be wasted testing in areas that do not warrant attention or that reveal nothing useful.

This kind of activity should only really be performed by trained and knowledgeable staff, with appropriate planning and disciplines, and the results need to be communicated and often interpreted so that management and technical staff can usefully understand the process and findings.

Applied in a proper manner, penetration tests can be very pro-active and positive in helping raise awareness and understanding about the real status of network security.

And of course like any testing activities, the results only relate to the day they were performed. Because networks change so frequently, these kinds of tests need to be repeated on a regular basis.

What does it deliver?

Benefits

Penetration tests should generate, in addition to the actual test results themselves, a vulnerability assessment of the network that has been examined, usually a great deal of interesting and revealing information about the network itself, and conclusions about the adequacy of the controls that are in place.

Indirectly, the testing helps to raise security awareness, to define specific security improvements, and often provides the evidence required to alert management to the need to take security seriously. It can act as a deterrent, in the same way that any monitoring activity can do, and it can encourage a more disciplined approach to design and implementation.

Given the complexity and scale of today’s corporate networks, penetration testing may be the only way to find out how secure the network really is. The benefit of this approach is that it can provide real evidence of weaknesses, and also can provide real assurance that a control is working. The tests also help to improve the understanding of security issues by technical support staff and often will identify where better policies and procedures are required to strengthen the security functions.

Pitfalls

This kind of activity is, however, specialized and potentially dangerous. Performed by someone inexperienced or not careful it can bring corporate networks down, can cause real damage, and can generate major embarrassments.

It is our experience that penetration testing often reveals problems in IT asset and inventory management, particularly with respect to the ever-increasing deployment and use of modems attached to workstations, PCs and laptops. Penetration testing results usually demonstrate the need for tighter control over the configuration and use of these devices.

False conclusions will be drawn if the tests are not comprehensive or properly undertaken.

Alternative approaches

There are many ways of approaching penetration tests, and they all have their advantages and disadvantages. For each specific case a plan needs to be developed that is appropriate for the particular situation. The following describes some of the alternatives:

Blind or with knowledge?

Blind testing assumes no prior knowledge of the network or the security and is similar to emulating the activities of a hacker. Management sometimes want to know how easy it would be for someone to gain unauthorized access if they were simply probing from the outside. No pre-conceived assumptions will direct the tests in a particular direction. The disadvantage of this approach is that it can waste a lot of time. On the other hand very weak defences will be shown up straight away.

Some companies may prefer outsiders to carry out the tests with no internal knowledge for straightforward security reasons, so that knowledge of the network defences does not leak outside the organization.

Tests carried out with a background understanding of the security requirements, the controls that should be in place and the nature of the network topology allow test plans to be designed to specifically test controls and vulnerabilities. The danger is working under the impression that the understanding is valid when it isn’t, and then making errors when choosing key areas to examine.

A balanced approach based on a reasonable knowledge of the network with test plans that include a variety of tests is usually best.

Unannounced or pre-planned?

Completely unannounced tests where attacks are made with no prior warning can be very dangerous and can cause real damage. On the other hand if everyone knows that tests are to be carried out, perhaps an untypical level of vigilance will result.

It is usually best to conduct the tests in a properly pre-planned way with involvement of staff on a need to know basis. A major side benefit of penetration testing is to educate and improve the understanding of network vulnerabilities by involving support staff. In addition, the tests themselves are likely to be more effective and efficient if they are supported by staff who are familiar with the environment.

Remote or on-site?

Because network penetration tests are often compared with hacking attempts it is often assumed that they should be carried out remote from the network to simulate the ‘real conditions’. Some organizations offering this kind of service prefer to undertake the tests from their own site because it can be logistically easier for them.

In certain circumstances there may be no other way of testing some of the conditions except from a remote connection, but in the majority of cases the tests can be performed on site from the perimeter of the network. It is usually best to do tests like these on site for the following reasons:

• Involvement of technical support staff is usually advantageous for the same reason as described above.

• Remote tests will involve penetration tests through intermediate service providers. This may limit some of the things that can be done, and may also cause unnecessary alarms.

• When a vulnerable interface is found, decisions need to be made as to how much further the exploration of the vulnerability should go; such decisions should be based on the potential damage to system operations that such an exploration may cause. In all cases these decisions are most easily made when the testing is performed on-site.

• On-site testing allows the organization’s responses to the ‘attacks’ to be more easily monitored.

• There are tests that ought to be performed on-site, such as back-door testing and testing of information leakage out of the network.

If you are commissioning testing by an outside consultant, you as the client should be involved in the testing process in order to monitor the activity and to ensure the process is performed properly. This is easier to do on-site but if off-site tests are necessary you should witness these as well.

Structured or ad hoc?

Any kind of testing procedure is normally best performed based on a properly prepared test plan, test schedule, and in some cases clearly defined test scripts. This ensures that the scope and completeness of the testing can be managed and controlled properly.

With penetration testing it is often difficult to be so structured, because the testing often involves probing and discovering vulnerabilities, which can lead to tests being created almost in real-time. A very structured approach may prove too inflexible and may result in key areas being omitted simply because they were not foreseen in the planning.

The best approach is to remain disciplined and to set clear objectives with the realization that the actual test paths may need to be developed as the testing is undertaken. Keeping records and documenting the process is essential if control over the process is to be maintained. This is especially true if the purpose of the test is to gain assurance that installed controls are operating as intended.

Fixed plan or iterative?

Commissioning a penetration test usually requires careful scheduling and planning to ensure that the necessary logistics and conditions are set up appropriately. Often outside specialists are commissioned to do this kind of work, and, therefore, the client will have an interest in agreeing terms of reference, a work plan and a budget.

Experience shows that planning is essential but for similar reasons to those above, it is best to allow some flexibility. The concept of test cycles, where an initially well defined plan is prepared that then allows for some repeat iterations works best. This enables vulnerabilities and weaknesses that have been discovered in the first cycle to be built into the replanning, and also allows retests to be accommodated if corrections are being made to the network in response to findings from the test. Be aware though that if ‘incidents’ from the testing are being tackled while testing is being performed, then retesting must be properly organized as a regression test.

Stand-alone or part of wider review?

Penetration tests are mostly performed as a stand-alone discrete exercise. They can be initiated by a number of different causes ranging from a management concern to a pre-installation requirement for say a firewall or a secure Internet server. In some cases they may, therefore, follow some prior activity that will have reviewed risk, the technical environment and the proposed or installed controls.

Experience has shown that this kind of information can be very valuable input to a penetration test, and that it helps to ensure good planning and a focus for the tests themselves. The most useful prior activity is a pre-test risk/vulnerability assessment, which will ensure that the business perspective has been taken into consideration and that the degree of security expected is commensurate with the business needs. It also allows the test to concentrate on verifying controls and testing known potential vulnerabilities.


The findings from a penetration test are usually very valuable for recommending security improvements, and sometimes for general improvements to the layout of the network. Almost every time they identify gaps in policy, procedure and manual practices.

Completion of a test ought to be followed by an implementation review that defines improvement projects for the network, otherwise valuable benefits from the exercise are in danger of not being realized.

Manual or automated?

Given the nature of penetration testing, which involves a high degree of technical activity from a workstation over the network, automation of the tests is highly desirable. Automating the process saves time, improves quality, and enables retests more easily. There are an increasing variety of tools available to the tester that include public domain software such as SATAN, COPS, Tripwire and Strobe, and also commercially available software such as SAFESuite, Pingware and Ballista; all IP-based networking security scanning mechanisms and techniques to varying levels and coverage. There are also a variety of public domain PBX and telephone system scanning tools, sometimes referred to as ‘wardialers’.

Shareware must be used with care, and it may not be possible to rely on it being up to date or fully tested. Commercially purchased tools that are supplied by reputable vendors who commit to development and quality control are preferable.

Training is also necessary, and the better vendors will provide this either themselves or through distributors. Good networking knowledge is, however, a pre-requisite for using tools like this and indeed for undertaking penetration testing generally.

Standard generic analysis and database tools can also be very valuable when dealing with the output from tests and for analysing the log files on devices such as firewalls.

Over the coming years, it is very likely that the tools will become even more sophisticated. Automation of penetration tests really should be the goal. It is only when such testing is performed on a regular basis that organizations can be confident that they are routinely detecting and managing the security vulnerabilities at the interfaces to and within their networked systems. The next generation should acknowledge this and provide mechanisms not only for detecting vulnerabilities, but also for analysing them and reporting or highlighting the difference found between scans.

A sensible general approach

When undertaking a penetration test of a corporate network, it is obvious that care needs to be taken and also to get the most out of the exercise it should be carefully planned. Each situation will be different and like most things there is no ‘standard approach’. However the following steps are a useful checklist:

• Pre-planning. Make sure prior to the test itself, that there is a good understanding of the business background, the risks and vulnerabilities, and the nature of the technical environment. This helps to define the scope, logistics and terms of reference for the test.

• Define Test Objectives/Test Criteria. If you do not set objectives the test can deviate away from the desired aim. The objectives can be developed in detail as the test evolves, and can be redefined in the light of the test results. The test results and conclusions should be compared back with the original criteria. Try to make the criteria orientated towards a business risk or requirement rather than a technical objective; this makes it easier when communicating the results to management.

• Define a Test Plan. Taking some time to work out the practicalities of doing the tests, the test cycles, test steps, and in some cases test scripts, can save time and improve quality. But the planning must be flexible and allow for iterative testing.

• Prepare and maintain a Workplan. Setting out a plan of activities and then recording results against a plan is a useful discipline for controlling adherence to objectives and for reporting status and incidents.

• Document and Record Results. It is very important to control the output from the test and to maintain test documentation. The results can be important evidence but can rapidly result in a large volume of uncontrolled material if care is not taken. It is also important for managing incidents and for regression testing that the tests themselves are recorded together with the results, the incidents and any follow up actions. Simple electronic forms can be devised for this purpose.

• Revisit Test Plan. Like all plans, be prepared to revise and refocus the test plan whenever necessary.

• Remember Regression/Repeat Tests. If it is decided that weaknesses found will be corrected in parallel with the testing then perform regression tests to not only prove that the correction has fixed the original problem, but also that it has not created a new weakness or vulnerability making prior tests invalid.

• Be prepared to invest time and effort into researching and investigating the findings of penetration testing while it is being conducted. This is particularly the case on the first occasion you commission such an exercise.
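The regression test in the checklist step above and the "difference found between scans" that the Manual or automated? section asks of next-generation tools can be done with one comparison. The script below is an added example written for this page, not code from the article or from any scanner it names; the Finding layout and the two scan cycles are constructed sample data.

```python
"""Scan-to-scan difference and regression check (added example).

Assumption: each test cycle produces a list of Finding records, and a
finding is the same finding across cycles when host, interface and issue
match. The sample findings below are constructed, not real scan output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str       # device name or address as recorded by the scanner
    interface: str  # e.g. "tcp/23", "modem", "pbx", "log"
    issue: str      # short label for the weakness found
    severity: str   # "high", "medium" or "low"

    def key(self):
        return (self.host, self.interface, self.issue)


def diff_scans(baseline, retest):
    """Split the retest against the baseline into (fixed, introduced, persistent)."""
    base = {f.key(): f for f in baseline}
    new = {f.key(): f for f in retest}
    fixed = [base[k] for k in base if k not in new]
    introduced = [new[k] for k in new if k not in base]
    persistent = [new[k] for k in new if k in base]
    return fixed, introduced, persistent


def regression_check(baseline, retest, expected_fixed):
    """A correction passes regression only if every finding it was meant to
    remove is gone AND the retest shows nothing that the baseline did not.
    expected_fixed: set of finding keys the correction targeted."""
    fixed, introduced, persistent = diff_scans(baseline, retest)
    still_open = expected_fixed - {f.key() for f in fixed}
    return {
        "passed": not still_open and not introduced,
        "fixed": sorted(f.key() for f in fixed),
        "still_open": sorted(still_open),
        "introduced": sorted(f.key() for f in introduced),
        "persistent": sorted(f.key() for f in persistent),
    }


def format_report(result):
    """Plain-text report suitable for the test record described in the checklist."""
    lines = ["REGRESSION: " + ("PASS" if result["passed"] else "FAIL")]
    for section in ("fixed", "still_open", "introduced", "persistent"):
        lines.append(f"{section} ({len(result[section])}):")
        lines.extend(f"  {h} {i} {issue}" for h, i, issue in result[section])
    return "\n".join(lines)


# Constructed sample: first cycle (baseline) and the retest run after the
# exposed remote login on the gateway was supposed to have been corrected.
BASELINE = [
    Finding("gateway-1", "tcp/23", "remote login reachable from outside", "high"),
    Finding("gateway-1", "tcp/25", "mail relay accepts external traffic", "medium"),
    Finding("pc-42", "modem", "dial-in modem answers without authentication", "high"),
]
RETEST = [
    Finding("gateway-1", "tcp/25", "mail relay accepts external traffic", "medium"),
    Finding("pc-42", "modem", "dial-in modem answers without authentication", "high"),
    # the rule change silently switched off firewall logging: a new weakness
    Finding("gateway-1", "log", "firewall logging disabled after rule change", "medium"),
]
TARGETED = {("gateway-1", "tcp/23", "remote login reachable from outside")}

if __name__ == "__main__":
    print(format_report(regression_check(BASELINE, RETEST, TARGETED)))
```

On the sample data the targeted finding is gone but the retest fails, because the correction introduced a logging weakness that the first cycle never showed; that is exactly the case the checklist warns about.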

Emulate approaches used by hackers

There is a natural tendency to compare penetration tests with hacking attempts. While the motives are obviously different there are some similarities. Some of the approaches used by hackers are good pointers to use for penetration tests, and keeping alert to hacking incidents is a useful way to pick up new network vulnerabilities. These are some of the characteristics of hacking that are useful to apply to penetration tests:

• Gather as much useful information about the network and systems as you can, before and during the tests.

• Consider what information may be available to an outsider about your organization which may be used to facilitate unauthorized access, e.g. how much information about user and system identities is revealed by E-mail transmitted over the Internet.

• Use effective scanning, probing and hacking tools.

• Exploit combinations of vulnerabilities.

• Keep up to date on attack approaches and use tools that exploit the new attack techniques.

• Look at human factors: how can people within the organization be used to compromise the security.

• Repeat, iterate, and in some cases flood the connection with test conditions.

Current applications

Our experience has shown that penetration testing is a very valuable approach for providing real evidence of weaknesses in a network, and for providing assurance or acceptance of a security service.


The Internet has created a rapid increase in interest for this kind of activity, and probably the most common application of the technique is for checking network gateways and devices such as firewalls. There is also a need to scan internally for backdoors and devices such as modems.

As more risky services expand in use over corporate networks and public networks like the Internet, so the degree of security will increase. Assurance that the security functions correctly will be required, and penetration testing is increasingly being used to check secure servers and applications like Internet banking.

The corporate network provides access to a growing number of distributed and open systems and applications, Windows NT and Unix becoming the predominant platforms. Penetration testing is helping to reveal security weaknesses at the application level in these kinds of environments.

Conclusions

Penetration testing is definitely a valuable technique that is gaining in popularity. To do it properly requires specialist skills and techniques, which will often be obtained by the use of outside consultants. To do it properly also requires the controlled use of effective tools. Care needs to be taken to avoid damage or misleading results.

It is but one of the techniques available for improving network security and should be carried out in conjunction with risk assessments, security reviews and implementation projects.

In the future penetration tests are likely to be a standard part of the auditing and monitoring procedures, and also part of the acceptance procedure for critical network security components.
