If your IT staff isn’t doing penetration testing of the organization — or hiring an outside firm to do it — at least once a year then you’re missing the ability to find some of the weak points in your defences.
One of the most knowledgeable Canadians on pen-testing is Ottawa-based IT security consultant Adrien de Beaupre, who I interviewed in April about the art of penetration testing. At the time he offered a number of handy tips, which you can read here.
Want more? Last week in a blog for the Internet Storm Center’s InfoSec Handlers Diary he set down answers to some of the more common questions he gets asked, including the tools most often used.
Most are simple: To start, a Web browser, a project manager for scheduling, a database to track target data, a port scanner, a vulnerability scanner such as OpenVas or Tenable Nessus, and an exploitation kit such as Core Impact Pro or Metasploit. For web applications, wireless, or other forms of testing other tools will be needed.
But, he adds, “the only required tool is the matter most people have between their ears.”
As he told me, the real ingredients for a successful penetration test by a good team are people, process, and technology.
And while there are a number of tricks a pen tester can perform — like sending an unsuspecting employee a “gift” iPad to see if it will be used on the corporate network — de Beaupre warns the worst thing a tester can do is violate the rules of engagement or go out of scope. You can ask for clarification or modification if needed. But, he stresses, “there is no cheating in penetration testing. Only those things that are illegal, immoral, unethical, or illogical. ”
There’s more in this blog worth reading.