Steven Furnell and Maria Papadaki from the Centre for Security, Communications and Network Research, University of Plymouth explain what to look for in a penetration tester.

Examination of IT breaches often reveals that they could have been prevented if security had been properly tested. Indeed, many incidents occur because attackers were able to get in where a hole already existed, and would have been avoidable if more had been done to identify and address such weaknesses in advance.

For example, it is significant that the Computer Security Institute's (CSI) 15th Annual 2010 / 2011 Computer Crime and Security Survey found the most common actions taken following an incident to be patching vulnerable software (62 per cent) and patching or remediating vulnerable hardware or infrastructure (49 per cent).

While part of the problem may be overcome via a robust patching regime, the wider issue of vulnerability management extends beyond rectifying vendor-sourced implementation errors and also includes the additional weaknesses that may arise thanks to local configuration errors, the surrounding infrastructure and the behaviour of users.

This applies not only to production software, but to security controls and monitoring tools as well. It is essential to discover any configuration errors that might exist in the existing security infrastructure, and to ensure that those controls are robust. The onus is therefore on organisations to ensure that they are on top of the issue, and there may be real advantage to be gained from a proactive programme of security testing.

While a baseline approach would be to conduct an audit, to ensure that security controls and practices are in line with expected standards, greater confidence could arise from active assessments that seek to simulate the effects of an actual attack.

As a result, penetration testing is now a widely recognised aspect of security, with the aforementioned CSI survey revealing that some 34 per cent of respondents used external services to evaluate their systems, while 41 per cent claimed to conduct such activities internally. Moreover, its use is increasing: Ernst & Young’s 2010 Global Information Security Survey indicates that more than a third of organisations expect to increase their related expenditure.

However, while recognition is growing, organisations may still face challenges in determining how to approach the issue, including both the scope and the conduct of testing. As previously indicated, penetration tests ought to extend beyond technology to encompass the wider organisation and the people in it. However, the non-technical aspects often tend to receive less attention.

For example, according to Ernst & Young survey findings from 2008, while 85 per cent of respondents claimed to perform ‘internet testing’, only 46 per cent tested ‘physical access to secure areas’, and just 19 per cent tried ‘social engineering attempts’ against their staff.

Ideally, a holistic approach should be considered by any organisation that regards itself as a possible focus of targeted attacks, as determined attackers would be likely to use any avenue open to them (with the exploitation of human weaknesses being likely to be a desirable fallback if confronted with robust technical defences, or indeed a preferred starting point for some attackers anyway).

A job for the pros

In addition to illustrating its general growth, past findings have also highlighted penetration testing as the most commonly outsourced aspect of security, with Ernst & Young’s 2009 findings revealing that 55 per cent already outsourced it, while a further 18 per cent were considering it (as reported in Ernst & Young’s 2010 survey).

With this in mind, organisations need to be very sure about who they are bringing in, and will rightly wish to look for suitable certifications or qualifications that can signify a professional capability. Luckily, there are a variety of schemes in the industry that can provide such assurance.

For example, there are two related options within the SANS Global Information Assurance Certification series; namely GIAC Certified Penetration Tester (GPEN) and GIAC Web Application Penetration Tester (GWAPT).

Further examples from other sources include the Information Assurance Certification Review Board’s Certified Penetration Tester (CPT), the EC-Council’s Certified Ethical Hacker, and the various registrations available to both individuals and service providers through the Council of Registered Ethical Security Testers (CREST).

Of course, evidencing a professional capability should be about more than just having the technical skills. An understanding and acceptance of ethical practice is crucial, and some assurance of the candidate’s background is also useful. For example, before granting Licensed Penetration Tester status, EC-Council requires candidates to provide documentation showing a clean criminal background check.

Indeed, the idea of pen testing becomes somewhat more worrisome in the poacher-turned-gamekeeper scenario of ex-hackers offering their services to test and secure systems, and we need to be fairly sure that anyone being taught the techniques has a properly aligned moral compass and is not going to run off and use them inappropriately.

What’s in a name?

Having mentioned ethics, one potentially confusing aspect is that the term penetration testing is often used interchangeably with ethical hacking.

Although there is clearly some validity to the label (i.e. we are looking to leverage the same creativity and skills that hackers might employ, but without the accompanying harmful motives or disruptive impacts that might normally accompany them), referring to ethical hacking can also seem a somewhat uncomfortable choice - still playing off the 'glamour' associated with the term hacking, plus perhaps muddying the waters around its legitimacy (especially given that some hackers have been known to defend unsanctioned actions by claiming that they were helping to expose security weaknesses).

So, while there might be a clearly intended professional interpretation, it is easy to see how the term could be misrepresented to justify cyber vigilantism and other unsanctioned activities, with the perpetrators claiming they were operating with ethical intent.

Of course, we should not get too hung up on the name. Regardless of the label, penetration testing can clearly make a valuable contribution to system, network and physical security. The key issue is to ensure that the parameters are defined and agreed, and that the testing is therefore conducted with the full sanction of the organisation concerned.

Even then, it is not without risk, and systems could conceivably be disrupted as a result of the activities. However, the use of professional testers under controlled conditions means that things are likely to be up and running again far more quickly than if the same disruption had been caused by a real attack.