Ramy Al Damati

What makes a good penetration test?




While there are clear advantages of performing a penetration test -- what makes a penetration test worth the exercise is the result. The results need to be of value and easily understandable to the client.



There's a general misconception that penetration testing is all about using fancy automated security tools and handing over the generated reports as the deliverable.


But, it takes more than just security tools to successfully conduct a penetration test. While these automated security-testing tools play an important role within the exercise, they have limitations.


The fact is that these tools can never provide a true simulation of a skilled attacker. No matter how comprehensive reporting is done by the security tools, there's always a need to explain.



Let's take a look at some of the key factors that make a good pen-test:

*  Establish the parameter: Defining the scope of work is the first and most important step to performing a successful penetration test. This will define the boundaries, objectives and the validation of procedures (the success criteria).

*  Know da man: Hire skilled and experienced consultants to perform the test- the ones who know what they are doing. In other words, separate professionals from the amateurs. Make sure they are:

-Legally capable
-Experienced
-And, abide by the non disclosure agreement.

*  Chose adequate set of tests: Manual and automated will yield the best balance of cost/benefits.

*  Follow a methodology: It's not a guessing game. Everything needs to be planned, documented and followed.

*  Resulting value: The results should be documented carefully and efforts should be made to make them understandable to the client. Whether it's a technical report or an executive summary, there is always a need to explain. The security consultant /tester should be available to answer queries or explain results.

*  Findings and recommendations: This is a very important part of a pen-test. The final report must clearly state the findings and must map the same to the potential risks. This should be accompanied by a remediation roadmap based on the BEST SECURITY PRACTICES.

Before we get into the testing strategies and techniques used in penetration testing, let's take a look at some scenarios where it can be useful:


*  Setting up a new office

Whether it's a new business set up or addition of new sites, penetration testing helps identify potential weaknesses in the network infrastructure. For example, an Internal testing is critical when adding new sites, as it will examine which network resources are available and reveal the type of traffic passing between sites.



*  Deployment of new network infrastructure

Every new network infrastructure should be thoroughly tested to simulate the actions of a hacker. While an external test is generally performed (with little prior knowledge of the infrastructure) to ensure perimeter security, the internal testing should also be executed to ensure that network resources such as: servers, storage, routing and access devices are sufficiently hardened and that the infrastructure is secure from any attack, assuming that the perimeter is breached.



*  Changes/upgrade to existing infrastructure

Changes are inevitable -- be it software, hardware or network design, changes/upgrades are performed to either enhance the features; to fix critical bugs and/or to accommodate a new requirement. Whenever existing infrastructure is changed, it should be tested again to ensure that new vulnerabilities have not arisen. The amount of testing required will depend on the nature and level of the changes made to the infrastructure. While, minor changes such as configuration changes to a particular rule will only require a port scan to ensure the expected firewall behaviour, any major changes such as upgrades of critical equipment/OS version may require a full retest.



*  Rolling out a new application

Once the infrastructure has been thoroughly tested, the new applications (whether Internet facing or Intranet hosted) must also be tested for security blanket before they are put in production. This testing needs to be performed on a "real-life" platform, ensuring that the application only uses the defined ports and that the code itself is secure.



*  Changing/upgrading an existing application

As with infrastructure changes, application changes also vary in nature. Very minor changes such as user account changes will not require testing. However, major changes involving the functionality of the application should be thoroughly retested.



*  Periodic repeat testing

Managing security is not easy and companies should not consider a penetration test as the final remedy of all security problems. If a company considers it "so," they are falling for a false sense of security. It's always a good practice to perform periodic testing of sensitive systems to ensure that unscheduled changes have not been made.