“Chishiki” is Japanese for “knowledge.” e-chishiki.com aims to bring software developers, information security professionals, IT executives and other IT pros a rich body of knowledge in the form of articles, interviews, tutorials and technical discussions. Our contributors are among the biggest names in the Indian IT industry and include noted authors, educators and practitioners.
e-Security Series (Penetration Tests)
Demystifying Penetration Tests – Classification of Tests (Part 3 of 4)
Santosh Satam
Classification of Penetration Tests
The following figure shows a classification of possible penetration tests. On the left are six criteria for defining penetration tests, on the right are the various values for the criteria summarized in a compact tree diagram.
The distinguishing features of a specific penetration test, such as the extent of the systems tested or how cautiously or aggressively they are probed, have to be chosen to suit the goal of the test, so that testing is efficient and effective and its risk is calculated rather than accidental.
An appropriate penetration test, one that meets the client’s goals, therefore has to be defined on the basis of these criteria.
The six criteria and their possible values are discussed below:
1. Information Base
What is the penetration tester’s initial level of knowledge about the target network or object?
A fundamental distinction is made between black-box testing, without any insider knowledge, and white-box testing, where the tester has insider knowledge:
- A black-box test realistically simulates an attack by a typical internet hacker. The hacker has to research the necessary information in publicly available databases or make inquiries as an outsider.
- A white-box test simulates an attack by a (former) employee or an external service provider with detailed knowledge of certain areas. The extent of that knowledge can range from limited, e.g. what an employee who has been with the company for only a short time knows, to in-depth system knowledge, such as that of an external IT service provider who installed the security-relevant systems.
2. Aggressiveness
How aggressive is the penetration tester during testing?
To allow a sufficiently fine distinction, four levels of aggressiveness are defined for the purposes of this classification:
- With the lowest level the test objects are investigated passively only, i.e. any vulnerabilities that are detected are not exploited.
- With the second level – cautious – identified vulnerabilities are only exploited when, to the best of the tester’s knowledge, the system being tested will not suffer as a result, e.g. using known default passwords or trying to access directories on a web server.
- With the next level – calculated – the tester also attempts to exploit vulnerabilities that might result in system disruptions. This includes, for instance, automatically trying out passwords and exploiting known buffer overflows in precisely identified target systems. Before taking such steps, the tester considers how likely they are to be successful and how serious the consequences would be.
- With the highest level – aggressive – the tester tries to exploit all potential vulnerabilities, e.g. buffer overflows are used even on target systems that have not been clearly identified, or security systems are deactivated by deliberate overloading, i.e. denial of service (DoS) attacks. The tester has to be aware that, in addition to the systems being tested, neighboring systems or network components might also fail as a result.
3. Scope
Which systems are to be tested?
When a penetration test is being carried out for the first time, a full test is advisable to ensure that no security loopholes are overlooked in systems that have not been tested.
The time required for a penetration test is normally directly related to the scope of the systems to be investigated. Identical and near-identical systems can often be investigated in a single test, but as soon as there are different configurations, each system will need to be dealt with separately:
- If only a specific sub-network, system or service is to be tested, the penetration test is termed focused. This scope is appropriate after a modification or extension of the system landscape, for instance. Such a test can, of course, only provide information about the system that was tested; it cannot provide general statements about the organization’s IT security.
- In a limited penetration test, a limited number of systems or services are examined, for example all systems in the DMZ, or the systems that make up one functional unit.
- A full test covers all available systems. It should be noted that even in a full test certain systems, e.g. outsourced and externally hosted ones, may be impossible to test because the client cannot authorize it.
4. Approach
How “visible” is the team during testing?
If, in addition to the primary security systems, secondary systems such as an IDS, or organizational and personnel structures (e.g. escalation procedures), are also to be tested, the testing approach has to be adapted accordingly:
- The penetration tests carried out on secondary security systems and existing escalation procedures should – at least in the beginning – be covert, i.e. in the initial survey stage only methods that are not directly identifiable as attempts at attacking the system should be employed.
- If the covert approach fails to generate a reaction, or a white-box test is carried out in collaboration with those responsible for the system, overt methods, such as extensive port scans with a direct connection, may be employed. The client’s staff may be included in the team conducting an overt white-box test. This is particularly advisable with highly critical systems because it means that the testers are able to react faster to unexpected problems.
5. Technique
What techniques are used for testing?
In a conventional penetration test, systems are attacked via the network only. Other kinds of attack, such as physical attacks and social engineering, can be used as well.
- A network-based penetration test is the normal procedure and simulates a typical hacker attack. Most IT networks currently use the TCP/IP protocol suite, which is why such tests are also called IP-based penetration tests.
- Apart from TCP/IP networks there are other communication networks that can be used to stage an attack. These include telephone and fax networks and wireless networks for mobile communication, e.g. those based on IEEE 802.11(b) and, in future, Bluetooth as well.
- Security systems such as firewalls are now widespread, and their configurations usually afford a high level of security, so that defeating them head-on is extremely difficult, if not impossible. It is often easier and quicker to obtain the desired data by circumventing these systems in a direct physical attack, for example by accessing data at a workstation that is not password-protected after gaining unauthorized access to the building and/or the server rooms.
- People are frequently the weakest link in the security chain, which is why social engineering techniques that exploit inadequate security skills or insufficient security awareness are often successful. Such tests are appropriate after the introduction of a general security policy, for example, to assess the extent of its implementation and/or acceptance. False assumptions about the supposed effectiveness of a security policy often result in security risks that, provided that the situation is assessed accurately, can be mitigated by taking additional action.
6. Starting point
Where is the penetration test carried out from?
The starting point of the penetration test, i.e. the point where the penetration tester connects his computer to the network or from which his attacks originate, can be either inside or outside the client’s network or building.
- Most hacker attacks are staged via the network’s connection to the internet. A penetration test from the outside is therefore able to detect and evaluate the potential risk of such an attack. Typically, the firewall, the systems in the DMZ and RAS connections are investigated in such tests.
- In a penetration test from the inside, the tester does not normally have to overcome firewalls or entry controls to reach internal networks. A test from the inside can therefore assess the effects of an error in the firewall configuration, of a successful attack on the firewall, or of an attack by persons who already have access to the internal network.
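The six criteria above are a checklist, but they are most useful when the agreed values are written down in a form that the testing tooling can enforce. The following is an added example, not code from the article or from any tool: it records a test definition along the six criteria, derives what the agreed aggressiveness level permits, checks every target against the agreed scope before a scan is launched, and flags contradictory combinations (for instance, DoS is never covert). The enum names, the RFC 5737 documentation addresses used as targets, and the mapping from aggressiveness level and approach to nmap options are all this example’s own assumptions.

```python
"""Added example (not from the article): record a penetration test by the six
criteria and derive scope-checked scan commands from that record.
The names, target ranges and nmap option mapping are assumptions of this
example, not anything the article prescribes."""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class InfoBase(Enum):
    BLACK_BOX = "black-box"
    WHITE_BOX = "white-box"

class Aggressiveness(Enum):   # ordered: each level includes all lower ones
    PASSIVE = 0
    CAUTIOUS = 1
    CALCULATED = 2
    AGGRESSIVE = 3

class Scope(Enum):
    FOCUSED = "focused"
    LIMITED = "limited"
    FULL = "full"

class Approach(Enum):
    COVERT = "covert"
    OVERT = "overt"

class Technique(Enum):
    NETWORK = "network-based"
    OTHER_COMMS = "other communication networks"
    PHYSICAL = "physical"
    SOCIAL = "social engineering"

class StartingPoint(Enum):
    OUTSIDE = "outside"
    INSIDE = "inside"


@dataclass(frozen=True)
class TestDefinition:
    info_base: InfoBase
    aggressiveness: Aggressiveness
    scope: Scope
    approach: Approach
    techniques: frozenset
    starting_point: StartingPoint
    in_scope: tuple        # authorized networks (ipaddress objects)
    excluded: tuple = ()   # e.g. externally hosted systems the client cannot authorize


# Assumed mapping: the article names the levels, the flags are our choice.
NMAP_BY_LEVEL = {
    Aggressiveness.PASSIVE:    ["-sn"],                      # host discovery only, nothing exploited
    Aggressiveness.CAUTIOUS:   ["-sS", "-sV", "--script=default"],
    Aggressiveness.CALCULATED: ["-sS", "-sV", "-O", "--script=vuln"],
    Aggressiveness.AGGRESSIVE: ["-sS", "-sV", "-O", "--script=vuln,dos"],
}
TIMING_BY_APPROACH = {
    Approach.COVERT: ["-T1", "--randomize-hosts"],   # slow and spread out, less visible to an IDS
    Approach.OVERT:  ["-T4"],
}
# Cumulative ladder of what each level permits, paraphrasing the article.
ACTION_LADDER = [
    (Aggressiveness.PASSIVE, "investigate passively; exploit nothing"),
    (Aggressiveness.CAUTIOUS, "exploit only harmless findings (default passwords, web directories)"),
    (Aggressiveness.CALCULATED, "password guessing, overflows on precisely identified systems"),
    (Aggressiveness.AGGRESSIVE, "overflows on unidentified systems, DoS against security systems"),
]


def allowed_actions(defn: TestDefinition) -> list:
    """Everything permitted at the definition's level and at every level below it."""
    return [text for level, text in ACTION_LADDER
            if level.value <= defn.aggressiveness.value]


def in_scope(defn: TestDefinition, target: str) -> bool:
    """True only if target lies in an authorized range and not in an excluded one."""
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in defn.excluded):
        return False
    return any(addr in net for net in defn.in_scope)


def consistency_warnings(defn: TestDefinition) -> list:
    """Flag combinations of criteria that contradict each other."""
    warnings = []
    if defn.approach is Approach.COVERT and defn.aggressiveness is Aggressiveness.AGGRESSIVE:
        warnings.append("aggressive testing (DoS, blind exploitation) cannot stay covert")
    if defn.scope is Scope.FULL and not defn.excluded:
        warnings.append("full scope with no exclusions: confirm outsourced systems are authorized")
    return warnings


def build_command(defn: TestDefinition, target: str) -> list:
    """Assemble an nmap invocation that respects scope, aggressiveness and approach."""
    if not in_scope(defn, target):
        raise ValueError(f"{target} is outside the agreed scope; refusing to scan")
    return (["nmap"] + TIMING_BY_APPROACH[defn.approach]
            + NMAP_BY_LEVEL[defn.aggressiveness] + [target])


# Constructed sample definition: covert, cautious, external black-box test of a DMZ range.
EXAMPLE_TEST = TestDefinition(
    info_base=InfoBase.BLACK_BOX,
    aggressiveness=Aggressiveness.CAUTIOUS,
    scope=Scope.LIMITED,
    approach=Approach.COVERT,
    techniques=frozenset({Technique.NETWORK}),
    starting_point=StartingPoint.OUTSIDE,
    in_scope=(ipaddress.ip_network("192.0.2.0/24"),),
    excluded=(ipaddress.ip_network("192.0.2.200/32"),),   # hosted by a third party, not authorized
)

if __name__ == "__main__":
    print(" ".join(build_command(EXAMPLE_TEST, "192.0.2.10")))
    for line in allowed_actions(EXAMPLE_TEST):
        print("permitted:", line)
```

The value of the record is the refusal path: `build_command` raises before anything is sent to a host outside the agreed ranges, and the excluded third-party host is rejected even though it sits inside the authorized network, which mirrors the point made under Scope that some systems cannot be tested even in a full test.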