Every expert pen tester lives by their own set of rules, however, the best and the brightest adhere to some common best practices; in a recent piece in CSO, Core's own in-house guru Alberto Solino offered his tricks of the trade.
One of Core’s longest tenured employees, Director of Technical Program Management Alberto Solino – who until recently wore the title of Director of Security Consulting Services, was featured in a story on pen testing best practices published by CSO this week. In the piece, CSO contributor Neil Roiter polled a handful of recognized domain experts like Solino, seeking guidance on how an organization can improve its pen testing program to maximize the involved time, money and effort. As Alberto noted in our follow-up conversation after the piece was posted, each penetration tester has their own approach, but it’s interesting to see how the experts quoted in the story appeared to put forward a unified front from the perspective of demanding that a truly effective pen test is one that has a clearly defined set of goals and expectations going in – and that a hallmark of incomplete assessments, though common, is that they fail to involve the perquisite amount of planning needed to truly garner valuable results. “It’s true, many consultants and experienced testers fail to overlook this fact that an efficient, useful pen test is one where almost as much work is done in planning, and afterwards in presenting results, as is done during the testing itself,” Solino said. “Of course we think that arming testers with a commercial-grade solution such as Core Impact really helps address this common shortcoming, but at the end of the day, performing truly valuable assessment is really down to maintaining good fundamentals.” That said, here’s a synopsis of Roiter’s Top Ten List, and for the full article simply CLICK HERE.
Penetration tests: 10 tips for a successful program
Tip 1: Define Your Goals: "If can't express things in terms of my business, you're not providing me value," said Ed Skoudis, founder and senior security consultant at InGuardians. "Don't tell me you've exploited a vulnerability and gotten shell on that box without telling me what that means for my business." "You're trying to give the company a good assessment if their money is being well spent," said Solino.
Tip 2: Follow The Data: "In many cases customers have thousand of IP addresses they want us to pen test," said Omar Khawaja, Global Products Manager, Verizon Security Solutions. "We could run vulnerability tests and see what's most vulnerable, but they may not be the most important to your organization." "The idea to mimic what a real attacker will do during time frame agreed to with the customer," said Core's Solino, "not to find all the possible problems."
Tip 3: Talk to the Business Owners: "Define the scope that includes critical information assets and business transaction processing," said InGuardians' Skoudis. "Brainstorm with the pen test team and management together." Skoudis also suggests asking for management to give their worst case scenario, "what's the worst thing that could happen if someone hacks you?" The exercise helps scope the project by determining where "the real crown jewels" are.
Tip 4: Test Against the Risk: For example, the security director for a large university said they started performing pen testing to meet PCI DSS requirements. Once that program was in place, it became the model for testing a potential attacker's ability to penetrate their systems. The university classifies data as public, internal, sensitive and highly sensitive. For information that's highly sensitive, we perform pen testing under much the same guidelines as PCI," he said. "We back off from there, based on some specific criteria and some subjective judgment that goes into what level of pen testing, if any, will be done for system."
Tip 5: Develop attacker profiles: Your pen testers need to think like and act like real attackers. But attackers don't fit into one neat category. Build profiles of potential attackers. "We get a snapshot of what a particular attacker can do against a target, and we don't mix results," said Core Security's Solino. "For every profile, we get the result of the pen test and do another profile."
Tip 6: The More Intelligence the Better: Information gathering is as much a part of the process as the actual exploit—identify devices, operating systems, applications, databases, etc. The more you know about a target and its connected systems, the better chance you have of breaking in. "We're increasingly starting to do social engineering," said Verizon's Khawaja. "It's essentially reconnaissance—performed with the permission of the customer—to let us find everything in the environment that could assist us in breaking in."
Tip 7: Consider All Attack Vectors: Attackers can and will exploit different aspects of your IT infrastructure, individually or, frequently, in combination to get the data they are seeking. "A few years ago we would do network penetration testing, and application pen testing and wireless pen testing, and then we stepped back and said 'that makes absolutely no sense," said Solino. "The bad guy doesn't say, 'I can only break into a system using the network.'"
Tip 8: Define the Rules of Engagement: Pen testing simulates attack behavior, but it is not an attack. Whether you are conducting in-house testing or contracting with a consultant, you need to establish parameters that define what can and cannot be done, and when, and who needs to know. "Whether it's the operations center, or the investigative response team or physical security guards, everyone has to pretend it's just another day at the office," said Verizon's Khawaja.
Tip 9: Report Findings and Measure Progress: The goal of penetration testing is to improve your security posture, so if you are conducting internal tests, your report should provide useful, actionable and specific information. "The beauty of identifying the attack path is that it allows you to solve specific problems by breaking the path," said Core Security's Solino.
Tip 10: Decide Who Your Pen Testers Are: The decision to use in-house staff for pen-testing depends on the size of your organization, the value of the information you are trying to protect and where you want to put your internal resources. A good training candidate, said Core's Solino, has a strong knowledge of networking and application protocols as a foundation. Mostly, he looks for curiosity and a hacker mentality. – Matt Hines, Chief Blogger