
A penetration test, occasionally pentest, is a method of evaluating the security of a
computer system or network by simulating an attack from a malicious source, known as a
Black Hat Hacker, or Cracker. The process involves an active analysis of the system for
any potential vulnerabilities that could result from poor or improper system
configuration, both known and unknown hardware or software flaws, and operational
weaknesses in process or technical countermeasures. This analysis is carried out from the
position of a potential attacker and can involve active exploitation of security
vulnerabilities. Any security issues that are found will be presented to the system owner,
together with an assessment of their impact, and often with a proposal for mitigation or a
technical solution. The intent of a penetration test is to determine the feasibility of an
attack and the amount of business impact of a successful exploit, if discovered. It is a
component of a full security audit.[citation needed] For example, the Payment Card
Industry Data Security Standard (PCI DSS), a security and auditing standard, requires
both annual and ongoing penetration testing (after system changes).

Black box vs. White box

Penetration tests can be conducted in several ways. The most common difference is the
amount of knowledge of the implementation details of the system being tested that are
available to the testers. Black box testing assumes no prior knowledge of the
infrastructure to be tested. The testers must first determine the location and extent of the
systems before commencing their analysis. At the other end of the spectrum, white box
testing provides the testers with complete knowledge of the infrastructure to be tested,
often including network diagrams, source code, and IP addressing information. There are
also several variations in between, often known as grey box tests. Penetration tests can
also be described as "full disclosure" (white box), "partial disclosure" (grey box), or
"blind" (black box) tests based on the amount of information provided to the testing

The relative merits of these approaches are debated. Black box testing simulates an attack
from someone who is unfamiliar with the system. White box testing simulates what might
happen during an "inside job" or after a "leak" of sensitive information, where the
attacker has access to source code, network layouts, and possibly even some passwords.

The services offered by penetration testing firms span a similar range, from a simple scan
of an organization's IP address space for open ports and identification banners to a full
audit of source code for an application.


A penetration test should be carried out on any computer system that is to be deployed in
a hostile environment, in particular any Internet facing site, before it is deployed. This
provides a level of practical assurance that any malicious user will not be able to
penetrate the system.

Black box penetration testing

Penetration testing can be an invaluable technique to any organization's information
security program. Basic white box penetration testing is often done as a fully automated
inexpensive process. However, black box penetration testing is a labor-intensive activity
and requires expertise to minimize the risk to targeted systems. At a minimum, it may
slow the organization's network response time due to network scanning and vulnerability
scanning. Furthermore, the possibility exists that systems may be damaged in the course
of penetration testing and may be rendered inoperable, even though the organization
benefits in knowing that the system could have been rendered inoperable by an intruder.
Although this risk is mitigated by the use of experienced penetration testers, it can never
be fully eliminated.


The Open Source Security Testing Methodology Manual is a peer-reviewed
methodology for performing security tests and metrics. The OSSTMM test cases are
divided into five channels which collectively test: information and data controls,
personnel security awareness levels, fraud and social engineering control levels,
computer and telecommunications networks, wireless devices, mobile devices, physical
security access controls, security processes, and physical locations such as buildings,
perimeters, and military bases.[citation needed]

The OSSTMM focuses on the technical details of exactly which items need to be tested,
what to do before, during, and after a security test, and how to measure the results.
OSSTMM is also known for its Rules of Engagement which define for both the tester and
the client how the test needs to properly run starting from denying false advertising from
testers to how the client can expect to receive the report. New tests for international best
practices, laws, regulations, and ethical concerns are regularly added and updated.
[citation needed]

The National Institute of Standards and Technology (NIST) discusses penetration testing
in SP800-115.[1][2] NIST's methodology is less comprehensive than the OSSTMM;
however, it is more likely to be accepted by regulatory agencies. For this reason, NIST
refers to the OSSTMM.[citation needed]

The Information Systems Security Assessment Framework (ISSAF) is a peer-reviewed
structured framework from the Open Information Systems Security Group that
categorizes information system security assessment into various domains and details
specific evaluation or testing criteria for each of these domains. It aims to provide field
inputs on security assessment that reflect real-life scenarios. The ISSAF should primarily
be used to fulfill an organization's security assessment requirements and may additionally
be used as a reference for meeting other information security needs. It includes the
crucial facet of security processes and their assessment and hardening to get a complete
picture of the vulnerabilities that might exist. The ISSAF, however, is still in its infancy.

Standards and certification

The process of carrying out a penetration test can reveal sensitive information about an
organization. It is for this reason that most security firms are at pains to show that they do
not employ ex-black hat hackers and that all employees adhere to a strict ethical code.
There are several professional and government certifications that indicate the firm's
trustworthiness and conformance to industry best practice.[citation needed]

The Council of Registered Ethical Security Testers (CREST) offers three certifications:
CREST Registered Tester, CREST Certified Tester (Infrastructure) and CREST Certified
Tester (Web Applications).

CREST (Council of Registered Ethical Security Testers) is a non-profit association
created to provide recognised standards and professionalism for the penetration testing
industry.[3] For organisations, CREST provides a provable validation of security testing
methodologies and practices, aiding with client engagement and procurement processes
and proving that the member company is committed to providing testing services to the
highest standard. For individuals, CREST provides a career path and industry leading
qualifications for penetration testers. Three certifications are currently offered: the
CREST Registered Tester and two CREST Certified Tester qualifications, one for
infrastructure and one for application testing.[4]

The Information Assurance Certification Review Board (IACRB) manages a penetration
testing certification known as the Certified Penetration Tester (CPT). The CPT requires
that the exam candidate pass a traditional multiple choice exam, as well as pass a
practical exam that requires the candidate to perform a penetration test against live

SANS provides a wide range of computer security training leading to a number of
SANS qualifications. In 1999, SANS founded GIAC, the Global Information Assurance
Certification, which according to SANS has been undertaken by over 20,000 members to
date.[5] Two of the GIAC certifications are penetration testing specific: the GIAC
Certified Penetration Tester (GPEN) certification; and the GIAC Web Application
Penetration Tester (GWAPT) certification.[citation needed]

Government-backed testing also exists in the US with standards such as the NSA
Infrastructure Evaluation Methodology (IEM).[citation needed]

For web applications, the Open Web Application Security Project (OWASP) provides a
framework of recommendations that can be used as a benchmark.[clarification needed]
[citation needed]

The Tiger Scheme offers two certifications: Qualified Tester (QST) and Senior Security
Tester (SST). The SST is technically equivalent to CHECK Team Leader.

The International Council of E-Commerce Consultants certifies individuals in various e-
business and information security skills. These include the Certified Ethical Hacker
course, Computer Hacking Forensics Investigator program, Licensed Penetration Tester

United Kingdom-specific certifications

A number of certifications have been developed in the UK, initially for the UK
government, and then for the commercial sector, which wanted equivalent levels of

For many years the only standard/accreditation was the CHECK scheme, administered by
CESG (formerly known as the "Communications and Electronic Security Group", part of
GCHQ). This standard is a mandatory prerequisite for Central Government testing but,
due to EU rules, cannot be enforced for local government and government agency work.
It has also been favoured by many commercial blue-chip organizations. Subscriber
organizations to the scheme are required to maintain strict ethical standards, and certified
individuals are automatically vetted to at least SC level security clearance.

The TIGER Scheme is one of the two non-governmental UK schemes for certifying the
skills of penetration testers. The Scheme is managed by a Management Committee
composed of industry stakeholders. The TIGER scheme contracts out training to an
Operational Authority (OA), which is currently QBit ltd, and testing of applicants to an
Examining Body (EB), which is currently Glamorgan University. TIGER certification is
available directly from the TIGER bodies, and does not require employment by a member
/ associate employer. The Tiger Senior Security Tester (SST) has now been granted
CHECK Team Leader (CTL) Technical Equivalence by CESG. Tiger maintains a register
of certified security testers.

Web application penetration testing

Web application penetration testing refers to a set of services used to detect various
security issues with web applications and identify vulnerabilities and risks, including:

* Known vulnerabilities in COTS applications
* Technical vulnerabilities: URL manipulation, SQL injection, cross-site scripting,
back-end authentication, password in memory, session hijacking, buffer overflow, web
server configuration, credential management, Clickjacking, etc.
* Business logic errors: day-to-day threat analysis, unauthorized logins, personal
information modification, pricelist modification, unauthorized funds transfer, breach of
customer trust, etc.

OWASP, the Open Web Application Security Project, an open source web application
security documentation project, has produced documents such as the OWASP Guide and
the widely adopted OWASP Top 10 awareness document.

The Firefox browser is a popular web application penetration testing tool, with many
plugins specifically designed for web application penetration testing.[citation needed]

Damn Vulnerable Web App, otherwise known as DVWA, is an open source web application
which has been made to be vulnerable so that security professionals and students can
learn more about web application security. It is useful in the cases where the tester
assumes the role of an outside hacker and tries to intrude into the system without
adequate knowledge of the system.


Foundstone's Hacme Bank simulates a banking application. It helps developers and
auditors practice web application attacks, including input validation flaws such as SQL
injection and Cross Site Scripting (XSS).

What to do to ensure the project is a success

Defining the scope

The scope should be clearly defined, not only in the context of the components to be (or
not to be) assessed and the constraints under which testing should be conducted, but also
the business and technical objectives. For example, penetration testing may be focussed
purely on a single application on a single server, or may be more far-reaching, including
all hosts attached to a particular network.
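The scope definition above is only useful if the testing team can enforce it mechanically before any scanning starts. The following is an added example, not code from the original article, of a small scope checker that accepts authorised networks, carve-outs and an agreed port list, and rejects any proposed target that falls outside them; the `EngagementScope` class, the `filter_targets` helper and the sample addresses (RFC 5737 documentation ranges) are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class EngagementScope:
    """Scope for one engagement: what may be tested and what must be left alone."""
    in_scope: list                                   # networks/hosts the client authorised
    excluded: list = field(default_factory=list)     # carve-outs inside in-scope ranges
    allowed_ports: set = field(default_factory=set)  # empty set means any port is agreed

    def __post_init__(self):
        # Normalise everything to ip_network so single hosts and CIDRs are handled alike.
        self.in_scope = [ipaddress.ip_network(n, strict=False) for n in self.in_scope]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in self.excluded]

    def check(self, host, port=None):
        """Return (allowed, reason) for a proposed target; exclusions win over inclusions."""
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            # Hostnames are refused: resolve them first, then check the resulting address.
            return False, f"{host!r} is not an IP address; resolve and re-check"
        if any(addr in net for net in self.excluded):
            return False, f"{addr} is explicitly excluded"
        if not any(addr in net for net in self.in_scope):
            return False, f"{addr} is outside the authorised ranges"
        if port is not None and self.allowed_ports and port not in self.allowed_ports:
            return False, f"port {port} on {addr} is not in the agreed port list"
        return True, "in scope"


def filter_targets(scope, candidates):
    """Split proposed (host, port) pairs into those that may be tested and those to drop."""
    allowed, dropped = [], []
    for host, port in candidates:
        ok, reason = scope.check(host, port)
        (allowed if ok else dropped).append((host, port, reason))
    return allowed, dropped


# Constructed sample scope and target list (documentation addresses, not real systems).
SAMPLE_SCOPE = EngagementScope(
    in_scope=["192.0.2.0/24", "203.0.113.10/32"],
    excluded=["192.0.2.250/32"],      # e.g. a production database host the client carved out
    allowed_ports={80, 443},
)
SAMPLE_CANDIDATES = [
    ("192.0.2.15", 443),        # in range, agreed port -> allowed
    ("192.0.2.250", 80),        # excluded host -> dropped
    ("198.51.100.7", 443),      # never authorised -> dropped
    ("203.0.113.10", 22),       # authorised host but port not agreed -> dropped
    ("app.example.test", 443),  # hostname, must be resolved first -> dropped
]
```

Run `filter_targets(SAMPLE_SCOPE, SAMPLE_CANDIDATES)` to see the one permitted target and the reason each of the other four was refused.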

Choosing a security partner

Another critical step to ensure that your project is a success is in choosing which supplier
to use.

As an absolute fundamental when choosing a security partner, first eliminate the supplier
who provided the systems that will be tested. To use them will create a conflict of interest
(will they really tell you that they deployed the systems insecurely, or quietly ignore
some issues).

Detailed below are some questions that you might want to ask your potential security

• Is security assessment their core business?
• How long have they been providing security assessment services?
• Do they offer a range of services that can be tailored to your specific needs?
• Are they vendor independent (do they have NDAs with vendors that prevent them
passing information to you)?
• Do they perform their own research, or are they dependent on out-of-date
information that is placed in the public domain by others?
• What are their consultants' credentials?
• How experienced is the proposed testing team (how long have they been testing,
and what is their background and age)?
• Do they hold professional certifications, such as PCI, CISSP, CISA, and
• Are they recognised contributors within the security industry (white papers,
advisories, public speakers etc)?
• Are the CVs available for the team that will be working on your project?
• How would the supplier approach the project?
• Do they have a standardised methodology that meets and exceeds the common
ones, such as OSSTMM, CHECK and OWASP?
• Can you get access to a sample report to assess the output (is it something you
could give to your executives; do they communicate the business issues in a non-
technical manner)?
• What is their policy on confidentiality?
• Do they outsource or use contractors?
• Are references available from satisfied customers in the same industry sector?
• Is there a legal agreement that will protect you from negligence on behalf of the
• Does the supplier maintain sufficient insurance cover to protect your