Penetration Testing Is A Must

By Nicolai Solling
With the digital war now at the doorstep of the enterprise, IT managers are realising the need for a proactive approach to battling the ever-intensifying wave of attacks.
Security technologies such as antivirus, firewalls and Web gateways remain an obvious first line of defence, but investment into new areas, no matter how earnest the attempt, will inevitably be hampered unless IT teams understand the loopholes in their security infrastructures.
In the Middle East, many of the successful attacks have been carried out by organisations such as the Syrian Cyberarmy and Anonymous, which have loosely defined structures. With their widespread networks of hackers of varying skill sets, the methodology of these attacks is difficult for any security organisation to predict. While having the best security system is vital to a hardened infrastructure, assessing the solution’s practicality is what most regional organisations fail to accomplish. Attacks are inevitable and now, more than ever, there is a need for insight beyond the obvious.
Penetration testing, commonly called ‘pen testing’, involves simulating attacks on an IT environment to identify the ways in which a would-be hacker would carry them out. It helps identify the risks an organisation is exposed to and allows IT teams to take the correct steps to bolster network defences and robustness against a wide variety of attacks. Perhaps the main advantage of penetration testing is that it gives customers a very clear understanding of where they stand from a security perspective and helps clearly identify where investments must be made and changes performed.
Perceived risks
Simply put, no organisation wants to ‘air its dirty laundry’, and trusting a third-party provider with uncovering vulnerabilities can be something of a hard sell. Organisations must, however, realise that professional service providers operate under strict, full non-disclosure agreements (NDAs), meaning that there will be no mentioning of the engagement and no sharing of the results of such an undertaking either internally or externally.
Perhaps a more justified concern is the impact that a penetration test might have on the network. This is mostly a technical discussion. There is no denying that any network analysis does come with a certain level of risk, but a well-thought-out, logically sound approach can minimise this. Still, for certain mission-critical systems, it is always advisable to perform the tests outside of business hours or in agreed timeframes where the environments can be de-risked.
Shortcomings
While penetration testing is indeed offered by a number of providers in the Middle East, not every provider is equally competent and so not every test is equally effective. The main shortcoming is that many organisations that claim to be ‘experts’ do nothing more than utilise standardised technical tools and therefore follow a mechanical or procedural approach. Generally these tools are good, but they fail in a number of areas, especially where the intelligence, knowledge and experience of a human being is a must.
Such areas require what is called logical exploitation, which involves stressing the logical aspects of how communications are performed within an application. Examples could be manipulating response data from clients and servers to see how the application responds. Typically, this is something that is completely overlooked when relying solely on a tools-based approach.
Another key aspect where tools fail is in the review of the environment’s configuration settings. Often, small settings within the computing environment can have a tremendous impact on the success of a hacker. In other words, certain settings make it easier to perform attacks, but from a tool’s perspective, they may not be seen as a vulnerability.
Finally, the true value of a penetration test lies in the results and findings. All too often, these reports simply consist of listing which patches and software releases are vulnerable. While this is valuable information it should not be the only output of a test. Working with a provider that has ethical hackers on board will leave the organisation with a far more thorough understanding of where the weaknesses lie.
Starting off
First, all of the organisation’s IT assets must be assessed to obtain a risk rating against the information that they contain. Organisations that have undergone the ISO 27001 certification would already have this information available. Based on risk rating, CIOs can then identify how much effort needs to be taken and how the security analysis should be performed. This can mean simply conducting an exercise to gain compliance, or conducting more thorough testing that simulates a more holistic attack profile.
The risk-based approach is also vital as it defines the time frame of the engagement. This may range from a few days to even a couple of months depending on the complexity of the environment, scope of the undertaking and modus operandi.
The outcome of a successful penetration test is a detailed report that not only outlines the vulnerabilities but also includes practical advice on mitigation approaches. The report should also add value by including tracking documents to ensure proper task assignments, follow-ups and easy status reporting. After the process is complete, an organisation must first address and correct all of the issues. As this can be a cumbersome and complex task that may require interaction of multiple teams, customers can seek assistance from the service provider in communicating and prioritising the risks.
In general, performing a decent analysis of an organisation’s exposure to threats is probably the most cost-effective form of proactive security. It will ultimately not only assist the organisation in becoming more secure, but also guide decisions regarding the areas in which IT security investments need to be made.

Penetration Testing Is A Must - Help AG: Next-Gen Cybersecurity Services in the Middle East