Network World

Ron Lepofsky

Can you choose the right Pen Test?

What you need to know about Pen Tests, to make sure you get the results you want

By Ron Lepofsky on Mon, 08/16/10 - 7:35pm.

Pen tests may seem like a security test panacea. However, they have been known to go terribly wrong and become vastly expensive. Here’s what you need to know to make sure you get the results you want at the price you expect.

Pen tests come in many flavours and degrees of risk. Some pen tests are active, which means a security expert is actively trying to exploit security vulnerabilities that they have identified. Some are passive, which means the test is really a vulnerability assessment. In a vulnerability assessment there is no active testing whatsoever.

There are black box and white box pen tests. Black box tests assume zero prior knowledge. The auditor must first do research, which may include social engineering, in order to create a profile of the target network. It gets better. The black box pen test can be done on a need-to-know basis with the IT department kept in the dark. The sponsor of the audit, such as the IT Security Governance Committee, may deem it necessary to exclude members of the IT department from being informed about the test.

White box pen tests are philosophically the exact opposite of black box pen tests. White box pen tests are based upon testing specific security elements within an enterprise network and all the work is carefully choreographed in concert with the client’s IT operations group prior to commencement of the test. In my opinion this is a much better approach for the following reasons:

  • The test focuses exactly on the technology that is of business concern to the enterprise.
  • The risk of unintended damage and downtime during an active pen test is reduced.
  • Adequate backups can be made before the pen test.

If you decide on any sort of pen testing my advice is to discuss the test methodology with respect to several standards and recommended methodologies. Here are but a few to consider:

What are you trying to identify?

If your goal is to identify security and compliance vulnerabilities, then I would suggest you strongly consider the white box pen test or vulnerability assessment. There is a far better return on investment, in my opinion, in paying for an auditor to find the vulnerabilities, allowing you the time to fix them, and then retesting, rather than paying someone to attempt to exploit a vulnerability.

The reason for this is quite simple. The time a pen test team will spend attempting to exploit a vulnerability is usually in direct proportion to the amount of money the client is willing to pay for the test. So test time is limited. Not so for a potential hacker, who has no such budget constraint. So money is better spent eliminating a vulnerability rather than testing it.

It is also critical to identify exactly what elements of an infrastructure are worth examining for vulnerabilities:

  • Elements facing outward toward the Internet or inward facing towards “insiders”.
  • Applications – web based or otherwise.
  • Server operating systems and configurations.
  • Network security hardware and software.
  • Network telecommunications technology.
  • Network security architecture.
  • Intrusion detection and IT operations response to potential threats.
  • Portable device security / authentication / identity management.

Careful consideration of your business goals should point you in the right direction when choosing your pen test options.

Have a secure week.

Regards,

Ron Lepofsky CISSP, B.A.Sc. (Mech Eng)

ERE Information Security and Privacy Auditors

About On Being Secure

Ron Lepofsky, CISSP, is founder and president of ERE Information Security and Privacy Auditors, an information security audit and compliance company since 2000. Previously Ron was founder and president of data telecommunications company PTI Telecommunications, founded in 1989.

Ron graduated with a B.A.Sc. degree in Mechanical Engineering from the University of Toronto. After that he spent time as a sales representative for high-tech companies, including stints at Digital Equipment of Canada Ltd., Timeplex Canada Limited and Data General Canada Ltd., until he struck out on his own.

Ron is a frequent contributor of articles published in a wide variety of media outlets relating to information security, privacy, law and electrical utilities. He is also an avid blogger on the topics of security and privacy, both on the ERE site and other security sites. When not writing or auditing/implementing, Ron is a frequent speaker at industry conferences.

And if all that wasn't enough, Ron also makes great dark chocolate-covered strawberries, nuts, dried fruit and cookies.
