
eBook - ePub
Penetration Testing
A guide for business and IT managers
- 150 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
About this book
Penetration testing is the attempt to professionally break in to an organisation's computer systems, with the goal of determining whether the systems are secure. This guide for business and IT managers, developed in collaboration with CREST, explains the process of penetration testing and the benefits it brings. The book provides essential insight and tips for setting up a penetration testing programme, maintaining it, and responding to the results of penetration tests.
Penetration Testing by Nick Furneaux, Jims Marchang, Rob Ellis, Jason Charalambous, Moinuddin Zaki, Peter Taylor, Roderick Douglas, Felix Ryan, Ceri Charlton, Gemma Moore, Tylor Robinson, Sharif Gardner and James Hayes is available in PDF and/or ePUB format, as are other popular books in Computer Science & Computer Science General.
1 WHAT IS PENETRATION TESTING?
Nick Furneaux
In the mid-15th century BC the Old Testament (Hebrew) Bible describes the wandering of the Israelite people who had purportedly been released from Egyptian bondage by Divine hand. Some 70 years later they stood on the edge of the so-called ‘Promised Land’, waiting to wage war on the peoples within. But before any attack, the patriarchal leader Moses ordered the first ‘penetration test’ I could locate in recorded history. In simple terms, Moses sent in spies to test out the defences of the land. This is what they reported to Moses (Numbers 13:27):
We entered the land into which you sent us, and it is indeed flowing with milk and honey, and this is its fruitage. Nevertheless, the people who dwell in the land are strong, and the fortified cities are very great. We also saw the Anakim there … and the Canaanites are dwelling by the sea and along the Jordan.
This was, by any definition, an aggressive, well-planned penetration test. Their mission was to test the ability to penetrate the defences of the target and the test successfully highlighted a number of positive opportunities and also issues for them to address:
• The target was asset rich, metaphorically ‘flowing with milk and honey’. This meant that there were high-value goods to be captured making it worth the effort to attack.
• Fortified cities. The defences were strong.
• They ‘fingerprinted’ the peoples, their locations and strengths.

Fingerprinting is a term used when planning both technical and social engineering type attacks. It is the act of gathering certain attributes of a computer or person and drawing conclusions from that data to help make an attack more successful. A more common term used when gathering data on individuals is ‘profiling’.
This metaphor demonstrates exactly the elements that make up the purpose and the desired results of an ‘aggressive’ penetration test against an organisation’s technical and personnel infrastructure: to deploy technical measures, to discover high-value targets, to fingerprint the defences and to identify vulnerable resources which need to be exploited to gain access to, or perhaps destroy, the high-value elements.
HOW DOES THIS AFFECT MY ORGANISATION?
Every company, organisation or agency has their ‘milk and honey’, something worth stealing, exploiting or destroying, and it is fundamentally the steps taken by Moses that an attacker would employ to attack your business. An attacker would ask the following questions:
1. Does your organisation have something I want to exploit, steal or destroy?
   a. information;
   b. intellectual property;
   c. money;
   d. reputation;
   e. conduit to another business with any of the above.
2. What are the defences in place to protect these assets?
   a. Can I potentially attack or circumvent the defences?
   b. Can I coerce, bribe or otherwise leverage an employee?
3. Once inside your network, what can I expect, what can I do, how do I get to my target?

The problem is that we all tend to see our business or organisation in the paradigm of what it makes, sells, employs or otherwise. We do not naturally look at it as an attacker would. For example, your organisation may value its customer list and see risk in terms of what a competitor could do with it. However, an attacker may instead see a customer list as an opportunity to use the data to carry out identity theft, use bank details to steal money, sell stored credit card details and many other possibilities. Indeed, a successful hack may result in losses that were not as easy to foresee.
A cyber attack, otherwise known as a ‘hack’, is a modern colloquial term meaning the accessing of a digital asset such as a computer, device or an entire network by a person or group, without permission of the owner. The term hacker used to have a positive connotation, relating to a computer programmer or engineer, but has changed in the last 20 years to mean a person who would attempt to attack a digital asset for a variety of reasons.
A good example of this was the cyber attack against the mobile and broadband operator TalkTalk in October 2015 (Hodge, 2016). Considerable sums are spent by the company every year protecting the mobile and internet networks it operates and ensuring that private call data is safe from attackers. However, the hack against an arguably softer part of the network resulted in the loss of 150,000 customer records; 15,000 of these included bank account details. Interestingly, in this case, there was no suggestion that these details were used to attack individuals, so it may appear that there was no lasting harm done.
Was there a cost to TalkTalk? Its own figures pointed to a loss of 95,000 customers in three months specifically due to the hack, losing the company an estimated £60 million, perhaps more. Was the hack the result of a nation-state attack or the attention of a crime group? No, in 2016 a 17-year-old boy stood trial for the hack, carried out from his bedroom, and was given a 12-month youth rehabilitation order (Burgess, 2016; ITV News, 2016).
The best type of penetration test will not only probe your network but also identify the risks, the ‘milk and honey’ of your organisation and recommend methods to mitigate loss.
WHY CARRY OUT A PENETRATION TEST?
Your organisation, in fact every organisation, is a target. A small car repair garage could be a target for ransomware, perhaps asked to pay just £100s to unlock data encrypted by malware, which may be a significant sum to a small business. A mid-sized software house may have unreleased software worth stealing; a pharmaceutical company’s intellectual property could be worth millions; even a free online forum may contain user data that would be useful or valuable to an attacker. Every organisation has something worth acquiring. Aside from that, an attacker may just access a network and destroy data, simply for the challenge, just because it’s there.
Too often we see penetration tests being carried out purely to tick a proverbial box for the company board. It may be that the only motives for having a penetration test carried out are for attaining a security standard, fulfilling a contract or insurance terms or simply because it’s the right thing to do. Although these are sound reasons, the primary purpose should be to fully test and understand vulnerabilities that may exist within your organisation. When a penetration test is done just to ‘tick a box’, the resulting report is often read (sometimes just the Executive Summary) and filed until next year with often limited action being taken.
An effective penetration test should fully emulate what a prospective attacker would do; its results should be considered and, where possible, solutions and fixes implemented.

The top three key benefits of penetration testing to businesses, cited by respondents to a BCS penetration survey undertaken in March 2017,¹ were:
• identification of security weaknesses;
• assurance;
• compliance.
Getting proactive
If an attacker is going to ask questions of your network, those responsible for the business need to ask them first. It is concerning to note that in many organisations the task of protecting the organisation from attack falls squarely in the hands of the IT department. This is the wrong place to start. The board, following consultation with pertinent departments such as IT, legal and compliance, along with key leaders such as the chief information officer (CIO) and chief information security officer (CISO), should first identify the likely business targets and think through the possible risks, from the irritation of adware appearing on computers to the risks that could result in a business-ending event. Those decisions should not just be the domain of IT – part of it, yes – but management should be driving that conversation.
Unless your business has virtually unlimited resources to spend on consultants, the most effective penetration tests are the ones defined by the organisation itself. An external penetration test company will not be able to easily understand the nuances of your business, and a board that has thought carefully about the business-affecting risks can more efficiently target a penetration test against the right assets. This does not mean that a penetration test should always be carried out internally (indeed, there are arguments against that), but simply that targets are more easily defined by an organisation. Perhaps the best balance is for a business to define and identify its weaknesses and have those tested both internally and by an experienced external resource.
PENETRATION TESTS WON’T ALWAYS STOP YOU BEING HACKED
In 2016, we at CSITech spent three months planning and executing a penetration test attack against a large bank. We were successful, lessons were learned, holes were plugged and defences hardened. A month later the head of international banking received an email from ‘[email protected]’, asking for $2 million to be transferred to an account in the Middle East immediately. So, he paid up. Our penetration test did its job and improvements were made, but we had not accounted for a person who could not identify a badly constructed phishing attack. This highlighted an area for corporate training.

Phishing. This word indicates an attempt to coerce a person to act in a way beneficial to an attacker. This is a social engineering attack. This may be by phone, email or other means. Usually the word is used when related to an email to many individuals, perhaps asking them to click a malevolent link or respond with information useful to the attacker. A targeted attack against a specific individual is termed a spear-phishing attack.
It is vital that appropriate expectations are set for the board when signing the contract on a penetration test. Penetration testing is a crucial exercise, but it is possible that a test will not highlight an area which is later exploited. Penetration testing can never cover all the bases.
Don’t forget the employees
Your organisation undoubtedly has spent significant resources hardening your network. You install firewalls, intrusion detection systems, anti-virus scanners and a host of other technological defences. The problem is that organisations then make the critical ‘mistake’ of filling the organisation with people. People like to help – but in the security world, that is bad. We train them that way, we tell them that the customer is always right (bad), that you should ‘go the extra mile’ (also bad).
Now, this is, of course, a facetious view of t...
Table of contents
- Front Cover
- Half-Title Page
- BCS, THE CHARTERED INSTITUTE FOR IT
- Title Page
- Copyright Page
- Contents
- List of figures and tables
- About the authors
- Foreword
- Abbreviations
- Glossary
- Preface
- 1. WHAT IS PENETRATION TESTING?
- 2. SUCCESSFUL PENETRATION TESTING: AN OVERVIEW
- 3. REGULATORY MANAGEMENT FOR PENETRATION TESTING
- 4. EMBEDDING PENETRATION TESTING WITHIN ORGANISATIONAL SECURITY POLICIES AND PROCEDURES
- 5. OUTCOME- AND INTELLIGENCE-LED PENETRATION TESTING
- 6. SCOPING A PENETRATION TEST
- 7. PENETRATION TEST COVERAGE AND SIMULATING THE THREAT
- 8. BUILDING ORGANISATIONAL CAPABILITY FOR PENETRATION TESTING
- 9. COMMISSIONING PENETRATION TESTS
- 10. SELECTING TOOLS FOR PENETRATION TESTING
- 11. GOOD PRACTICE FOR PENETRATION TESTING
- 12. ROLE AND COVERAGE OF REPORTING
- 13. INTERPRETATION AND APPLICATION OF REPORT OUTCOMES
- 14. ACTING ON PENETRATION TESTING RESULTS
- Notes
- Index
- Back Cover