"Whether it's the operations center, or the investigative response team or physical security guards, everyone has to pretend it's just another day at the office," said Verizon's Khawaja.
Typically, companies will perform white box testing first to learn the security issues that have to be addressed. Subsequently, black box testing will help determine if the initial findings have been effectively remediated. Sometimes, for example, a CSO will want to know not only how vulnerable critical systems are, but how good their personnel are at detecting and responding to an attack.
In either case, certain key people need to be involved to avoid problems that might impact the business or undermine the testing. At least one person in the target environment who is involved in the change control process should be in the loop, said InGuardians' Skoudis. Under the rules of engagement, for example, the company may permit the pen testers to install software on the target devices to do more in-depth pivoting, but at least that one person has to be involved to make sure that the testers are not stopped by dropping their IP address from a router ACL or invoking a firewall rule.
In both white box and black box scenarios, Skoudis recommends daily briefings with the test stakeholders to let them know what the testers are doing. For example, the rules of engagement may allow the pen testers to exploit vulnerabilities, but the briefing can be used to give folks a heads up that they are about to do it.
"It builds bridges," he said. "It shows the pen testers are not a distant, evil group that is out to 'catch me.' Rather, it's all about transparency and openness."
The rules of engagement also may set limits on what may and may not be exploited, such as client machines, or techniques that may or may not be used, such as social engineering.
Tip 9: Report Findings and Measure Progress
The goal of penetration testing is to improve your security posture, so if you are conducting internal tests, your report should provide useful, actionable and specific information.
"The goal is to help improve security, for management to make decisions to improve business and help the operations team improve security," said InGuardians' Skoudis.
You should provide an executive summary, but the heart of your reporting should include detailed descriptions of the vulnerabilities you found, how you exploited them and what assets would be at risk if a real attack took place. Detail every step used to penetrate, each vulnerability that had to be exploited, and, most important, perhaps, all the attack paths.
"The beauty of identifying the attack path is that it allows you to solve specific problems by breaking the path," said Core Security's Solino.
Be very specific about recommendations. If architectural changes are required, include diagrams. Explain how to verify that a fix is in place (use this command, or that tool to measure). In cases where multiple systems are involved, explain how to mass deploy a fix, using GPOs if possible.
Make sure that each recommended remediation includes a caveat that the solution should be thoroughly tested before it is implemented in a production environment. Enterprise IT infrastructure may be very complex.
"This is a huge issue," said Skoudis. "You don't know all the subtleties. You don't want to break production."
Penetration testing should not be a one-time exercise, and successive results should be compared. If you are performing internal testing, put together deltas to measure how your people are addressing issues. If the problems from the last test--or the last two--remain unaddressed, you may have a problem. Perhaps the software patching program isn't working as it should, or developers are not being properly trained to write secure code.
"What we're looking for are trends," said the university security director. "It's just like you would treat an audit report. If you have repeat findings, it indicates you might have a more serious problem."
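One way to build those deltas and surface repeat findings, as an added example in Python that is not from the article or any vendor quoted in it (the hostnames and issues in the sample reports are constructed):

```python
# Added example (not from the article): compare successive pen-test reports.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str       # asset the issue was found on
    issue: str      # short vulnerability title, as written in the report
    severity: str   # "high", "medium" or "low"

    def key(self):
        return (self.host, self.issue)  # same host + issue => same finding

def compare_reports(previous, current):
    """Delta between two consecutive reports: (fixed, new, repeat) finding keys."""
    prev = {f.key() for f in previous}
    curr = {f.key() for f in current}
    return sorted(prev - curr), sorted(curr - prev), sorted(prev & curr)

def remediation_rate(previous, current):
    """Share of the previous report's findings that no longer appear (0.0 .. 1.0)."""
    prev = {f.key() for f in previous}
    if not prev:
        return 1.0
    fixed = prev - {f.key() for f in current}
    return len(fixed) / len(prev)

def chronic_findings(reports, min_cycles=2):
    """Keys present in every one of the last `min_cycles` reports: the repeat findings."""
    if len(reports) < min_cycles:
        return []
    recent = [{f.key() for f in r} for r in reports[-min_cycles:]]
    return sorted(set.intersection(*recent))

# Constructed sample reports from three quarterly tests (hosts and issues invented).
Q1 = [Finding("web01", "outdated TLS configuration", "high"),
      Finding("db01", "default database credentials", "high"),
      Finding("ws12", "missing OS patches", "medium")]
Q2 = [Finding("web01", "outdated TLS configuration", "high"),
      Finding("db01", "default database credentials", "high"),
      Finding("web02", "verbose error pages", "low")]
Q3 = [Finding("web01", "outdated TLS configuration", "high"),
      Finding("web02", "verbose error pages", "low"),
      Finding("ws12", "missing OS patches", "medium")]
REPORTS = [Q1, Q2, Q3]

if __name__ == "__main__":
    fixed, new, repeat = compare_reports(Q2, Q3)
    print("fixed:", fixed, "new:", new, "repeat:", repeat)
    print("remediation rate Q2->Q3: %.0f%%" % (100 * remediation_rate(Q2, Q3)))
    print("chronic (open 2+ cycles):", chronic_findings(REPORTS, 2))
```

Note that ws12's missing patches were fixed in Q2 and came back in Q3, which the per-cycle delta shows as "new" but a trend review should treat as a regression in the patching program.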
Tip 10: Decide Who Your Pen Testers Are
The decision to use in-house staff for pen-testing depends on the size of your organization, the value of the information you are trying to protect and where you want to put your internal resources. A company may have a dedicated pen testing team or a group within the security team. An internal team is in a better position to conduct regular testing. If your organization is large and distributed, create mechanisms and promote an environment in which information can be shared.
"If you have an internal community that can share information, make sure they have a strong knowledge base backed up by mature knowledge management systems," said Verizon's Khawaja. "You want to make sure that what happened in your Belgian unit doesn't happen in Brazil."
Even if you do some in-house testing, there are good reasons for hiring consultants to perform at least some of the work. Some regulations require that pen tests be performed by external companies, and insiders may have too much information about the target systems, as well as a vested interest in the outcome. So, beyond compliance requirements, it's a good idea to bring in a fresh view from the outside periodically.
For the same reasons, if you do hire outside testing consultants, rotate among vendors every few years, just as you would with auditors.
"Bringing in outside people gives an added degree of confidence in the results," said the university security director. "There's no perception of conflict of interest."
For your internal team, look for the right blend of knowledge and curiosity.
A good training candidate, said Core's Solino, has a strong knowledge of networking and application protocols as a foundation. Mostly, he looks for curiosity and a hacker mentality.
"It's IT knowledge and that attitude, a specific mindset that denies something is secure and says, 'Go for it!'"
"This is an art," said Skoudis. "Although there are tools and methodologies, you have to be creative in finding problems in target systems and applications."
This story, "Penetration tests: 10 tips for a successful program" was originally published by CSO.