By Kane Cutler, PCI QSA, Tiger QSTM, CEH
Although statistics show that skydiving is a relatively safe pastime, things do sometimes go wrong. Since 2004, 653 people have lost their lives, and in spite of improved safety guidelines, two of the four fatalities suffered by the world’s skydivers last year were the result of parachute malfunctions. The relevance of this to the penetration test may seem tenuous, but consider this: each of the individuals who lost their lives almost certainly had faith in their equipment. In the same way, people managing organisations may have faith that their cyber security is fail-safe, yet the evidence shows that faith in an untested environment is not always well placed.
So when considering questions of risk, those responsible for cybersecurity should ensure that the effectiveness of any plan for protecting applications and infrastructure rests on more than simple faith. The penetration test is a crucial tool in this safeguarding process. But before considering what a penetration test is, it is worth looking at what it is not. It is not a vulnerability scan, a compliance audit or a security assessment; penetration testing stands apart from these efforts in a few critical ways.
A penetration test does not stop at simply uncovering vulnerabilities: it goes to the next step by actively exploiting those vulnerabilities in order to prove (or disprove) real-world attack vectors against an organisation’s IT assets, data, humans, and/or physical security. Simply being compliant does not ensure real-world protection.
A penetration test is designed to answer the question: ‘What is the real-world effectiveness of my existing security controls against an active, skilled, human attacker?’ Automated tools and process frameworks may give some degree of reassurance, but they do not allow for the infinitely flexible nature of a human mind armed with motive and determination. It follows that the human mind is also the most effective defence. An individual tester or a team of testers can think laterally; they can both analyse and synthesise. Automated tooling, however well resourced and however sophisticated its counter-measure technology, is useful as part of the testing process but is no match for human intelligence.
Some automated penetration tests limit their scope to a single target via a single vector. A full penetration test allows multiple attack vectors to be explored against the same target. Often it is the combination of information or vulnerabilities across different systems that leads to a successful compromise. While the automated test may have produced some valuable results, those results are only useful within the context in which the test was conducted.
A properly executed penetration test will determine the feasibility of a particular set of attack vectors. It will identify the higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence. It will identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software and will assess the magnitude of potential business and operational impacts of any successful attack. But for it to be truly effective, establishing the scope of the penetration test at the outset is key.
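As an added illustration that is not part of the original article, the following Python script models a handful of constructed findings (hypothetical, not drawn from any real engagement or product) as attacker steps, each with the facts it needs and the facts it gains, and chains them into an attack path. No single step rates above Medium in isolation, which is how a scanner would grade them, yet the sequence reaches domain admin; and removing one Low-rated step from the set breaks the path entirely, which is the practitioner's argument for fixing "minor" findings that sit on a chain.

```python
from typing import Dict, List, Optional, Set

# Constructed sample findings for illustration only; none refers to a real
# system or engagement. Each finding is one step an attacker can take: it
# "needs" a set of facts (positions or knowledge already gained) and "gains"
# new ones. "rating" is the severity a scanner or triage process would assign
# to the finding on its own, without considering what it can be combined with.
FINDINGS: List[Dict] = [
    {"id": "F1", "rating": "Low", "needs": {"internet_access"},
     "gains": {"internal_hostname"},
     "desc": "Public web app stack trace leaks an internal VPN hostname"},
    {"id": "F2", "rating": "Low", "needs": {"internet_access"},
     "gains": {"valid_usernames"},
     "desc": "Login page responds differently for valid and invalid users"},
    {"id": "F3", "rating": "Medium", "needs": {"valid_usernames"},
     "gains": {"low_priv_creds"},
     "desc": "No lockout on the VPN portal, so password spraying succeeds"},
    {"id": "F4", "rating": "Low", "needs": {"low_priv_creds", "internal_hostname"},
     "gains": {"internal_network"},
     "desc": "VPN grants flat internal network access to any domain user"},
    {"id": "F5", "rating": "Medium", "needs": {"internal_network"},
     "gains": {"hr_share_read"},
     "desc": "HR file share readable by every domain user"},
    {"id": "F6", "rating": "Medium", "needs": {"internal_network"},
     "gains": {"jumpbox_admin"},
     "desc": "Jump host runs an outdated agent with a local privilege escalation"},
    {"id": "F7", "rating": "Low", "needs": {"jumpbox_admin"},
     "gains": {"domain_admin"},
     "desc": "Domain admin credentials cached on the jump host"},
]

RATING_ORDER = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def find_chain(findings: List[Dict], start: Set[str], goal: str) -> Optional[List[str]]:
    """Forward-chain findings until `goal` is reached, then strip the steps that
    did not contribute. Returns finding ids in exploitation order, or None if
    no sequence of the given findings reaches the goal."""
    facts = set(start)
    remaining = list(findings)
    applied: List[Dict] = []
    while goal not in facts:
        # Apply the first finding whose preconditions are already satisfied.
        ready = next((f for f in remaining if f["needs"] <= facts), None)
        if ready is None:
            return None  # dead end: nothing else can be exploited from here
        facts |= ready["gains"]
        applied.append(ready)
        remaining.remove(ready)

    # Walk backwards from the goal, keeping only findings that produced a fact
    # still required, so unrelated side branches (F5 here) drop out.
    needed = {goal}
    chain: List[str] = []
    for f in reversed(applied):
        if f["gains"] & needed:
            chain.append(f["id"])
            needed = (needed - f["gains"]) | (f["needs"] - start)
    return list(reversed(chain))


def highest_isolated_rating(findings: List[Dict], chain: List[str]) -> str:
    """Worst rating any single step in the chain would receive on its own."""
    by_id = {f["id"]: f for f in findings}
    return max((by_id[i]["rating"] for i in chain), key=RATING_ORDER.__getitem__)


def without(findings: List[Dict], finding_id: str) -> List[Dict]:
    """Model remediating one finding by removing it from the set."""
    return [f for f in findings if f["id"] != finding_id]


if __name__ == "__main__":
    start = {"internet_access"}
    chain = find_chain(FINDINGS, start, "domain_admin")
    print("Path to domain admin:", " -> ".join(chain))
    print("Worst individual rating on that path:",
          highest_isolated_rating(FINDINGS, chain))
    # Fixing a single Low-rated step (F4) leaves no route to the goal.
    print("Path after fixing F4:",
          find_chain(without(FINDINGS, "F4"), start, "domain_admin"))
```

The forward pass is deliberately greedy: it takes the first exploitable step rather than searching for the shortest path, which mirrors how a tester actually works through an environment, and the backward prune then shows the client only the steps that mattered. Swapping the goal to `hr_share_read` produces the shorter data-exposure path through F5 instead.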
The scope will depend on the organisation’s drivers, and these will determine the stated goals. The same drivers may also influence other aspects of the engagement, such as target selection, assumptions, and even funding ceilings that limit the time a test team has to explore and compromise the organisation’s assets.
The importance of determining the right kind of penetration test for an organisation, and its scope, cannot be overstated. Ultimately, if we care about the security of people and data, it is the real-world threat that counts rather than any box-ticking exercise.