Penetration Testing–Go for Compliance without Being Complacent
Let me start by saying that this is not an article that bashes penetration testing. I strongly believe that pen testing is important and is effective at finding certain loopholes within an organization. But some areas remain uncovered even after one or several pen tests are conducted on an organization each year. Before going into the details, let’s first understand a little about the attack surface. Simply put, an attack surface is the cumulative sum of the different points where an unauthorized user or attacker can try to enter an environment or extract information from it.
Now, in any practical sense, this can never be reduced to zero…unless you achieve the impossible task of doing business without any need for the Internet, which should earn you a spot on a BuzzFeed list of “Ten successful companies that do not use the Internet at all.” Coming back to the attack surface discussion: if something can’t be reduced to zero, the next best thing is to strive to minimize it continuously so that the attack surface follows a downward trend. A big part of a security professional’s job lies in a) reducing the attack surface and b) protecting the exposed attack surface by plugging all possible security holes.
A downward graph of both attack surface and security gaps is a healthy trend.
Pen Test: A Great Tool for Compliance
Several standards and compliance bodies like PCI DSS have regularly endorsed pen testing, and it has proved its worth by helping uncover security holes. A pen test can be done in either white-box mode (where the pen tester has in-depth knowledge of, or access to, the organization and its networks) or black-box mode (where the pen tester has a “hacker’s” outside view of the organization).
In general, the black-box pen test is the more commonly adopted method. Apart from the use of several highly popular tools, at the heart of a pen test lies the “human” factor: the sharp analytical mind of the pen tester decides on the execution and the next steps in the penetration testing process.
Traditionally, pen testing has done a great job of helping to reduce the threat surface and plug gaps in the exposed attack surface. Regular pen tests have been effective at finding key loopholes that potential attackers could have exploited. However, the main question we would like to raise in this blog is whether that’s enough. If not, what areas do pen tests miss, and how do we close the gap?
Is Compliance “Good Enough”? What Are We Missing?
The Risks Involved – Playing it Safe
A pen test, by nature, targets endpoints (user PCs, servers, etc.). A successful pen test with improper clean-up can leave behind problems that were not there before. It’s like infecting a healthy person with a virus. These risks often make companies apprehensive about performing pen tests in production environments, and they end up putting several constraints on the pen testers that take the teeth out of the exercise.
Pen Test Environment Often Lacks “Real-World” Traffic
Because of these risks, most pen tests are done during quiet periods (like weekends or off-work hours). Although this reduces risk, it also makes the environment secluded and not representative of regular business-hour traffic, which makes the network/security team’s job of identifying and blocking the pen tester’s access easier. Conducting intrusions and attacks alongside regular business-hour traffic changes the game, as it increases the realism and complexity of the attacks several-fold.
The End-Point Focus of Pen Testing
The heart of most pen tests lies in compromising endpoints. In their pursuit of compromising endpoints, pen testers sometimes fail to assess or explore the network perimeter that is tasked with protecting those endpoints. It can be argued that compromising the endpoints will expose issues in the perimeter, but focused attention on the network perimeter will reveal far more chinks in an organization’s security. Below are examples of security concerns that your pen testing may be overlooking.
- DDoS Attacks: Several big attacks on websites and data centers have been distributed denial of service (DDoS) attacks. Most pen testers skip DDoS tests because they lack the infrastructure or tools to generate massive-scale, bandwidth-intensive attacks, so most networks vulnerable to such attacks remain untested simply for lack of hardware and software infrastructure.
- Botnets of the World: Understanding whether botnet-to-command-and-control (C&C) communications can be tracked, identified, or blocked by your network is key to blocking organized attacks. Such emulations are extremely complex, requiring a comprehensive test infrastructure to accurately represent a botnet and its C&C environment. Hence, they are often left out of pen tests.
- Application Control and Efficiency Vulnerabilities: Several issues creep into organizations not because someone from outside proactively attacks an employee, but because employees access vulnerable or malicious sites, use malicious apps, and so on. It’s important to know how strong an organization’s URL filtering and application detection/blocking capabilities are. Although pen testers can represent simple one-way access to one or two apps, emulating hundreds of apps and testing the infrastructure’s ability to identify and control each one is almost never executed as part of a pen test.
The Human Factor
As discussed earlier, the key differentiator of a pen test is the human factor, and it is both the positive and the negative aspect of pen testing. Pen testers do a great job of analyzing test results and re-adjusting their strategy on the fly based on what they observe. But at the same time, they are limited by how fast, and how many, tests they can execute and analyze within the limited time allocated for the engagement. Methods that depend heavily on manual intervention are not expected to be very fast and are also prone to errors, both in execution and in clean-up.
It’s a Snapshot!!!
A small, time-bound pen test gives a short-lived snapshot of a network’s security posture. The snapshot is invalidated the moment there is any change in the network, security, or IT configuration. Most pen test companies even include a written disclaimer stating as much, and it’s practically impossible to conduct a pen test every time the network changes.
Compliance Should Not Lead to Complacency
To reiterate, pen testing has its own unique and irreplaceable value, and traditional pen testing was never designed to cover all the bases discussed in this blog. But at the same time, it should not be denied that performing traditional pen tests alone will not cover all bases, and a significant portion of the attack surface remains completely unexplored and open to the bad guys. Performing well on pen tests, or investing in a pen test twice a year and taking the recommended actions, does not guarantee a massive reduction in the threat surface. As discussed earlier, to keep the attack surface on a continuous downward trend, we need to pursue multiple avenues of exposure through techniques that go beyond pen tests.
If you are looking for solutions to such testing (that most pen tests do not cover), check out Ixia’s BreakingPoint. It simulates real-world legitimate traffic, distributed denial of service (DDoS), exploits, malware, and fuzzing, so you can validate your entire security infrastructure and reduce your attack surface.