Richard Stagg, Managing Consultant, IRM (Asia) Ltd
It’s pretty much a given, in these enlightened times, that if you run a network with any kind of permanent Internet connection, whether it’s broadband or leased-line, you will need to have the security tested. After all, nothing is safe any more. Web servers are hacked and pages defaced regularly; systems are compromised, and then used to send bulk-email, or flood innocent systems with service-denying volumes of traffic. Of course, if that happens you get the blame.
For this reason, testing your network is a very important task, and one which is regularly passed on to external companies who claim to be “experts” in this field, and who use racy terms like “tiger team” to describe their “ethical hackers”. But do these companies really know what they are doing? Are their testing practices actually good value for money? Critically, if they say you are secure, are you really secure?
The first thing that you need to understand is what they are actually selling. The term commonly used for this kind of testing work is a “penetration test”. What this translates into, however, varies from company to company. In a distressingly large number of cases, buying a “penetration test” results in nothing more than being automatically scanned by a security auditing tool such as ISS’s Internet Security Scanner, or the open-source Nessus. Some companies will perform a simulated attack, using commercial vulnerability testing tools such as CSC’s HEAT.
But what does this achieve? Is this good enough? The problem is usually that the security testing companies don’t sit down with the client to help them identify their real requirements. The question, you see, isn’t “am I secure?”; it’s “am I secure against…?” And it is this blank space that has to be filled in before any kind of testing can take place. For example, a company with a simple brochureware website need only be afraid of having it defaced – so their nemesis is the “script kiddy” hacker. Script kiddies form 90% or more of the active hackers online, but only 20% or so of the real threat. Conversely, an online store holding credit card numbers provides much more motivation, so their risk assessment must include the last 10% of highly skilled attackers.
The risk assessment, in an ideal world, should dictate the nature of the penetration test, or simulated attack. Sadly, too many organizations are using automated scanners which simply do not allow for these shades of detail.
Ideally, a penetration test should accurately mimic the threat identified by the risk assessment. After all, if you invited someone to mimic an intruder breaking into your office, you’d be upset if he landed a helicopter on the roof and walked in from upstairs – especially if he then charged you for the rental of the helicopter. In theory, it’s a way in, but it’s not a valid test of the genuine threats posed by real intruders. Simulated hacking attacks are no different – and since hackers do not use automated vulnerability assessment tools (for a start, they can’t afford them), any penetration test that includes them should be viewed with deep suspicion.
The challenge, when arranging a penetration test, is to find an organization whose technicians not only understand exactly how hackers think, but also exactly how they go about their attacks; whose technicians perform their attacks in exactly the same way, using the same tools, responding identically to the same stimuli. The even greater challenge is to find an organization whose technicians can do all this, and at the same time keep sufficient professional distance that they can produce meaningful results for you at the end. The greatest challenge of all is to find an organization that does all this, and is demonstrably trustworthy.
Editor's Note: Yui Kee can provide a full range of Penetration Test Services, please contact us (cdsales@yuikee.com.hk) for details.