The best defence is a good offence, a cliché goes.
So for IT security a good offence is attacking yourself. That’s the only way any organization will find out what holes are really there despite your security staff’s best efforts.
You could hire an independent organization to do the work (advantage: it is skilled at the task, will be merciless and won’t take shortcuts) or have IT staffers do it (advantage: saves money).
The SANS Institute has eight recommendations for exercising these attacks, which are outlined below.
But be prepared: To do this well you have to be truly mercenary.
There is the now infamous example of an unnamed U.S. law intelligence agency that was humiliated when a third-party penetration team tricked staff into letting it onto the network by creating a fictional new employee on LinkedIn. The resume was bait: the team waited for the agency’s staff to find it and befriend the “new employee.”
It wasn’t that the team obtained login credentials; the real stunt was that it managed to plant a virus on staffers’ computers when they clicked on a Christmas greeting from the phantom employee.
On top of that they separately got the IT manager.
So rule two of penetration testing is go beyond looking for holes in the firewall.
Rule one, as SANS emphasizes, is that this is only worthwhile after basic defensive measures have been implemented as part of a comprehensive and ongoing program of security management and improvement. These are often specified and required by formal Risk Management Frameworks and processes, the institute says.
In his book Network Security Auditing (Cisco Press), author Chris Jackson says there are four kinds of testing:
Whitebox, where the tester has complete information about the design, configuration, addressing, and even source code of the systems under test. This type of test is generally used to simulate a worst-possible scenario of an attacker who has intimate knowledge of the network and systems.
Blackbox, the classical penetration test in which the tester simulates an external hacker and is given no information about the subject under test, other than what he can glean from the testing methods. The concept of this type of test is to identify weaknesses that can be exploited based on publicly available information.
Graybox, a test that falls in the middle of the other two types in that some information is disclosed to the tester to “get him started.” Intended to simulate the insider threat, the penetration tester might be provided network diagrams, IP addressing, and user-level access to systems.
Red Team/Blue Team assessment: the terms come from the military where combat teams are tested to determine operational readiness. In the computer world, a Red and Blue Team assessment is like a war game, where the organization being tested is put to the test in as real a scenario as possible. Red Team assessments are intended to show all of the various methods an attacker can use to gain entry. It is the most comprehensive of all security tests. This assessment method tests policy and procedures, detection, incident handling, physical security, security awareness, and other areas that can be exploited. Every vector of attack is fair game in this type of assessment.
Whatever your approach, the SANS Institute has the following eight tips:
– Conduct regular tests from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks;
– Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over;
– Perform periodic Red Team exercises (described above) to test organizational readiness to identify and stop attacks or to respond quickly and effectively;
– Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, e-mails or documents containing passwords or other information critical to system operation;
– Plan clear goals of the penetration test itself with blended attacks in mind, identifying the goal machine or target asset. Many APT-style attacks deploy multiple vectors, often social engineering combined with web or network exploitation. Red Team manual or automated testing that captures pivoted and multi-vector attacks offers a more realistic assessment of security posture and risk to critical assets;
– Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts;
– Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time;
– Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition (SCADA) and other control systems.
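The second tip, that test accounts must be monitored during the engagement and removed afterwards, is the kind of control that is easy to state and easy to forget. The following is an added example (not from the SANS document or the article) of a post-engagement audit: it takes an engagement manifest, a directory export and authentication log lines (all constructed sample data here) and flags any test account that is still enabled after the engagement closed or that authenticated outside the agreed window.

```python
from datetime import datetime

# Constructed sample: the accounts issued to the test team and the agreed window.
ENGAGEMENT = {
    "start": datetime(2024, 3, 4, 8, 0),
    "end": datetime(2024, 3, 15, 18, 0),
    "accounts": {"pt-svc-01", "pt-user-02"},
}

# Constructed sample: directory export taken after the engagement closed.
ACCOUNT_STATE = {
    "pt-svc-01": {"enabled": False},
    "pt-user-02": {"enabled": True},   # should have been disabled at close-out
    "j.smith": {"enabled": True},      # ordinary staff account, not in scope
}

# Constructed sample: authentication log, "timestamp user source result" per line.
AUTH_LOG = """\
2024-03-05T09:12:00 pt-svc-01 10.20.0.5 success
2024-03-10T23:40:00 pt-user-02 10.20.0.7 success
2024-03-16T02:15:00 pt-user-02 203.0.113.9 success
2024-03-17T11:00:00 j.smith 10.20.0.8 success
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, user, source, result)."""
    events = []
    for line in text.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events

def audit(engagement, state, log_text):
    """Return (account, finding) pairs for test accounts that are still enabled
    after the engagement or that authenticated outside the engagement window."""
    findings = []
    start, end = engagement["start"], engagement["end"]
    for user in sorted(engagement["accounts"]):
        if state.get(user, {}).get("enabled", False):
            findings.append((user, "still enabled after engagement end"))
    for ts, user, src, _result in parse_log(log_text):
        if user not in engagement["accounts"]:
            continue  # only engagement accounts are in scope for this check
        if ts < start or ts > end:
            findings.append((user, f"auth from {src} at {ts.isoformat()} outside window"))
    return findings

if __name__ == "__main__":
    for account, finding in audit(ENGAGEMENT, ACCOUNT_STATE, AUTH_LOG):
        print(f"{account}: {finding}")
```

In practice the directory export and log would come from the identity provider and SIEM rather than inline literals; the checks themselves stay the same.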