Pen Testing for Low Hanging Fruit - Part 4 of 7

Thursday, October 21, 2010

Bryan Miller

F8f122d50eba11c3af5607575b277bc6

Do It Yourself or Outsource? - Part 4 of a 7-part series - (Part 1 Here) (Part 2 Here) (Part 3 Here)

Hopefully if you're still reading you agree that penetration testing is a necessary undertaking. 

Debate continues on whether internal or external testing is more important as well as the frequency of testing.  But most security and privacy advocates agree that periodic security audits need to be performed. 

Some clients alternate internal and external testing on a yearly basis.  Others perform external tests on a more frequent basis such as quarterly or semi-annually. 

Some clients train their internal IT staff to perform the tests while others only use external resources to keep the separation of duties clear.

Much has been written about the rising tide of internal threats and from my own experience I can certainly say this is true. 

There was a time years ago when external threats were the main concern.  During this time firewalls and other security devices had arcane syntax and were often hard to configure and manage. 

Today, modern firewalls have rich GUI command interfaces and software wizards that greatly reduce the amount of knowledge that security technicians need to properly configure such devices. 

Between the advances in firewall technology, the increasing use of anti-virus and anti-malware software at the perimeter and an increasing awareness of internal threats the overall security posture for many organizations has greatly increased. 

But, much still needs to be done to ensure that all organizations, both regulated and non-regulated, put forth the due diligence to ensure privacy and security concerns are being met.

Once you've decided that penetration testing is a good thing, how do you go about doing it? 

One option is to outsource the whole process to a reputable security vendor.  This option is appealing because it makes the whole process nice and neat and keeps the internal auditors very happy. 

Auditing best practices generally prefer that outside consultants perform such tests since there is a clear separation of duties and the chance for conflicts of interest are eliminated. 

However, it is perfectly acceptable for internal IT staff to perform tests throughout the year and then have an external consultant perform the tests for official compliance reporting. 

This way the cost of the external consultant is reduced since most of the issues would have already been found and resolved. 

If you do choose to outsource it never hurts to understand some of the process and terminology just to make sure the vendor you choose is using an acceptable methodology and that the results are sufficiently documented to allow you to remediate the issues.

If you choose to do the work using your own IT staff, the first step is to select an acceptable methodology. 

There are many different methodology documents in use today [6,7] and they all basically attempt to ensure that all areas of network infrastructure devices are properly tested. 

Some of the more popular ones have been submitted by the Center for Internet Security (CIS), NIST, CIA, OSSIM and COBIT.  

Some are more structured and rigid than others and you will have to examine them for yourself and find the one with which you are most comfortable. 

There is no right or wrong answers in choosing a methodology.  The main decision factor should be your comfort level and a solid understanding of the techniques employed in the document.

The next consideration is tools and training [8,9].  There are two schools of thought concerning tools and training. 

The first school says go to training first and then start learning the tools taught in class. 

The second school says to spend time learning the tools and then go to training.  The goal of the second school of thought is to allow you to fine tune your skills since you will already have a familiarity with the tools discussed in class. 

Again, this decision is a personal one and will differ from person to person.

The choice of tools is a very crucial component of any good penetration tester's arsenal.  When comparing tools look for those that provide security and privacy reporting options. 

Many tools have report templates for common regulatory requirements such as HIPAA, SOX and PCI. 

Most professionals performing penetration tests will have well over a 100 tools designed to test a wide variety of operating systems, applications and infrastructure devices. 

When running tools during a test, one suggestion is to always test any given device with several tools and never trust one tool too much.  Another consideration is what devices will be tested and how often. 

Generally, it is best to test all devices connected to your network on at least an annual basis.

Possibly Related Articles:
6900
Network->General
Pen Testing Penetration Testing
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.