Penetration Testing - What?


Penetration testing has been well popularized by the media, and many companies now offer penetration services to identify vulnerabilities in systems and in the processes around them. Several reasons are given for its popularity. One is the mystique attached to the 'hacker' image; in some cases a prospective target organization is drawn to this type of service more by its perceived value than by its actual value. Once the test is complete and the 'hacker' mystique dissipates, the target organization will look for substantive value from the engagement, such as corrective and improvement recommendations. This includes an in-depth review of the penetration techniques used, conducted together with the target organization's information technology experts.

Regardless of the reason that draws the target organization to engage a 'tiger team' to simulate attacks on its network, the penetration testing organization faces many challenges in interpreting and delivering on the client's requirements. Understanding the target organization's expectations is the most critical part of planning and carrying out the penetration test. The penetration 'rules of behavior' document serves an important role in formalizing the results of the planning phase.

At the same time, penetration testing has also become a commodity, characterized by the performance of a fixed series of test procedures. In many industries a penetration study has become a required audit item, and under these conditions penetration services may be perceived as low value. Accordingly, it is often necessary to review the specific test procedures and provide the audit evidence needed to support the conclusions drawn from the penetration test.

What are Penetration 'Rules of Behavior'?

Penetration 'rules of behavior' are essentially a test agreement that sets out the framework for external and internal penetration testing. Before testing begins, this agreement is signed by representatives of both the target organization and the penetration testing organization, so that the limitations, constraints, liabilities and indemnification considerations between the target organization and the assessment team are understood by both sides for the duration of the penetration test.

The specific 'rules of behavior' are necessary to ensure that testing is performed in a manner that minimizes operational impact while maximizing the usefulness of the penetration test. The rules also ensure that unplanned events are handled through an agreed incident response protocol. Depending on the organization's legal requirements, a separate Release and Authorization form may be required in addition to the 'rules of behavior', stating that the penetration testing organization will be held harmless and will not be criminally liable for unintentional service interruptions or for loss of or damage to data and equipment.

Attacking Techniques

The rules of behavior should describe the testing techniques to be used for external and internal testing. A comprehensive description of these techniques is essential to minimize or avoid inadvertent damage to, or loss of information on, the target systems. Penetration methodologies vary among companies providing penetration services, but the primary phases should be essentially the same:
  • Discovery, in which information is gathered on the target organization from its Web sites and mail servers, public records and databases (address and name registrars, DNS, Whois, EDGAR, etc.);
  • Enumeration, in which the penetration team actively tries to obtain user names, network share information and application version information for running services;
  • Vulnerability mapping, in which the test team maps the profile of the environment to publicly known vulnerabilities [3]; and
  • Exploitation, in which the test team attempts to gain privileged access to a target system by exploiting the identified vulnerabilities.
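The enumeration and exploitation phases are the ones that touch live systems, so the constraints agreed in the rules of behavior have to be enforced by the tooling, not just written down. The following is an added example, not code from the original post: a small scope gate that a test team could call before any active probe. It assumes the signed rules of behavior specify three things, namely the authorized address ranges, any hosts the client has explicitly carved out, and a testing window expressed in UTC. The sample agreement, the host addresses (RFC 5737 documentation ranges) and the timestamps are constructed for illustration.

```python
"""Scope gate for the active phases of a penetration test.

Added example, not part of the original post. It assumes the signed
rules of behavior define: the authorized address ranges, hosts that are
explicitly excluded, and a testing window in UTC. Enumeration and
exploitation tooling calls check() before touching a target, and a
refusal is reported with its reason rather than silently skipped.
"""
import ipaddress
from datetime import datetime, time, timezone

# Constructed sample agreement. The addresses are RFC 5737 documentation
# ranges, not real targets; the window is a typical out-of-hours slot.
SAMPLE_ROE = {
    "in_scope": ["203.0.113.0/24", "198.51.100.10"],
    "excluded": ["203.0.113.5"],      # e.g. a production host carved out by the client
    "window": ("22:00", "06:00"),     # UTC; this window wraps past midnight
}


class RulesOfBehavior:
    def __init__(self, in_scope, excluded=(), window=("00:00", "00:00")):
        # strict=False lets a bare host address be treated as a /32 or /128.
        self.nets = [ipaddress.ip_network(n, strict=False) for n in in_scope]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in excluded]
        self.start = time.fromisoformat(window[0])
        self.end = time.fromisoformat(window[1])

    def host_in_scope(self, host):
        """True only if host lies in an authorized range and in no exclusion."""
        addr = ipaddress.ip_address(host)
        if any(addr in n for n in self.excluded):
            return False
        return any(addr in n for n in self.nets)

    def within_window(self, when):
        """when must be timezone-aware; a naive timestamp is rejected outright."""
        if when.tzinfo is None:
            raise ValueError("timestamp must carry a UTC offset")
        t = when.astimezone(timezone.utc).time()
        if self.start == self.end:            # identical bounds: whole day authorized
            return True
        if self.start < self.end:             # same-day window, e.g. 09:00-17:00
            return self.start <= t < self.end
        return t >= self.start or t < self.end  # wraps midnight, e.g. 22:00-06:00

    def check(self, host, when_iso):
        """Return (allowed, reason) for one target at one ISO-8601 instant."""
        when = datetime.fromisoformat(when_iso)
        if not self.host_in_scope(host):
            return False, f"{host} is outside authorized scope or explicitly excluded"
        if not self.within_window(when):
            return False, f"{when_iso} is outside the agreed testing window"
        return True, "ok"


def filter_targets(roe, hosts, when_iso):
    """Split candidates into allowed hosts and rejected (host, reason) pairs."""
    allowed, rejected = [], []
    for host in hosts:
        ok, why = roe.check(host, when_iso)
        if ok:
            allowed.append(host)
        else:
            rejected.append((host, why))
    return allowed, rejected


def load_sample():
    return RulesOfBehavior(**SAMPLE_ROE)


if __name__ == "__main__":
    roe = load_sample()
    candidates = ["203.0.113.7", "203.0.113.5", "192.0.2.1"]
    allowed, rejected = filter_targets(roe, candidates, "2024-03-01T23:30:00+00:00")
    print("allowed:", allowed)
    for host, why in rejected:
        print("rejected:", host, "-", why)
```

Two design points matter in practice. Exclusions are tested before inclusions, so a carve-out inside an authorized range wins, which is how clients usually write them. Timestamps are required to carry an offset, because a testing window agreed in UTC is easy to miss by a few hours when the team and the client sit in different time zones and a naive local time is silently assumed.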