I. Introduction
In today’s changing security environment, where the risk of being hacked keeps increasing, protecting an organization’s Information Security Management System (ISMS) has become a business imperative. Because anyone can reach the Internet from anywhere at any time, its ubiquitous presence and global accessibility can become an organization’s weakness: its security controls are more easily compromised by internal and external threats. Hence, the purpose of this article is to strengthen awareness in the IT organization of ethical hacking, also known as penetration testing, as a means of evaluating the effectiveness and efficiency of the ISMS.
II. What is Ethical Hacking/Penetration Testing?
Ethical hacking and penetration testing is a preventative measure that consists of a chain of legitimate tools and activities that identify and exploit a company’s security weaknesses. It uses the same or similar techniques as malicious hackers to attack key vulnerabilities in the company’s security system so that they can then be mitigated and closed. In other words, penetration testing is not “tapping on the door” but “breaking through the door”. These tests reveal how easily an organization’s security controls can be penetrated and how hackers could obtain access to its confidential and sensitive information assets. As a result, ethical hacking is an effective tool that can help IT professionals better understand the organization’s information systems and its strategy, as well as enhance the level of assurance and IS audits if used properly.
III. Basic Characteristics of Penetration Testing
Different Types of “Hat Hackers”
Three types of “hat hackers” should be distinguished: black, grey and white. “Black hat hackers” perform unauthorized penetration attacks against information systems, which may or may not be illegal in the country in which they are conducted. Ethical hackers, on the other hand, are known as “white hat hackers” because they legitimately perform security tests bounded by a contractual agreement. Their main purpose is to find the weaknesses of the system so that they can be closed before a real criminal hacker penetrates the organization. “Grey hat hackers” are those in between black and white: they perform their activities within the law and regulations but may slightly overstep the boundaries. Since penetration testing is an authorized attempt to intrude into an organization’s network, the focus of this paper will be on “white hat hackers”.
IV. Threats/Risks Relevant to Organizations
Before conducting a penetration test, threats and risks should first be identified and analyzed, because they form the basis of the test in which ethical hackers attempt to attack an organization’s system to expose those vulnerabilities. In the same manner, IT practitioners should be fully aware of the information security risks relevant to any organization, because such risks can adversely affect business operations and leave security systems vulnerable to unauthorized access, increasing both business and information risks. In the following, two major categories of risk will be discussed: internal and external.
a. Internal Threat/Risks
Regardless of how strongly a computer security system is designed, employees’ lack of knowledge about security issues, as well as malicious employees, can inflict enormous damage on any organization. With limited employee security awareness, a simple action such as opening a “joke email”, which may be infected with a virus, can place the organization at risk of thousands in lost revenue. Key statistics from a medium-size company case study indicate that 100% of employees use instant messaging, which should have been blocked by the corporate firewalls, and that 40 out of 100 users use common dictionary words as legitimate and valid passwords, which can easily be guessed by other employees to gain unauthorized access. In addition, less than 25% of the employees have used an external device to copy files off-site, and 33% have transmitted confidential documents to a laptop. Employees also run the chance of using cloud services, such as Google Docs or Dropbox, for the convenience of transferring corporate data, which bypasses the IT department’s procedures and policies. As a result, companies are now exposed to ways in which the cloud can compromise their sensitive and confidential information, increasing the risk of rogue IT. This ultimately demonstrates that employees, who are key to running an organization successfully, may at the same time be its greatest weakness because of the unprotected exposure to unauthorized access.
b. External Threat/Risks
External threats include a wide range of activities performed by real criminal hackers. By identifying the security gaps in an organization’s system, external hackers can exploit the system and gain unauthorized access to copy or delete sensitive information, such as customers’ credit card information.
In any security system, “information is crown”. This essentially means that whenever an organization’s information asset is compromised, there is a security issue, which may be caused by technical problems, human error or process weaknesses. As a result, both internal and external threats must be identified and proactively addressed by organizations, because they can bring financial and non-financial losses, including lawsuits related to the release of confidential, private, commercial or other highly sensitive information, loss of revenue, damaged reputation, loss of credibility in the eyes of customers and loss of control of the computer system.
VI. Penetration Testing Techniques
There are various technical and non-technical techniques that can be utilized as part of the penetration testing process to address internal and external threats. The following is a list of the most common tools used in a penetration test:
1. Web Application Software: Since many organizations sell business applications over the Internet, testing can consist of evaluating the level of encryption used for processing confidential and sensitive information (128 or 256 bits), firewalls, the use of cookies stored on customers’ computers, the length and strength of passwords (upper and lower case letters with numbers) and the security of software configurations. For instance, a login error message should not indicate that only the password was incorrect and that there was no problem with the username, since that confirms a valid username to whoever is probing the login.
2. Denial of Service: This testing depends on the organization’s commitment to continuous availability of the information system. The red team evaluates the system’s vulnerability to attacks that either cause the system to deny service to legitimate access or make it totally unavailable due to the inability to handle a high volume of traffic, such as millions of spam messages sent at once to the organization’s mail server.
3. War Dialing: This testing consists of systematically calling numerous telephone numbers in order to identify “modems, remote access devices and maintenance connections” present in an organization’s network. Once identified, exploitation techniques, such as strategic attempts to guess the username and password, are performed to assess whether the connection can be used as a way to penetrate the information security system.
4. Wireless Network: Penetration testers drive or walk around the office buildings to identify open wireless networks of the organization that should not have been present in the first place. The purpose is to identify security gaps or errors in the “design, implementation and operation” of a company’s wireless network system.
5. Social Engineering: Penetration testers attempt to deceive the organization’s employees and suppliers in order to gather sensitive information and penetrate the organization’s systems, for example by claiming to be an IT representative and asking users for their usernames and passwords. Even though this is a non-technical test involving human factors, it is viewed as equally important in determining whether unauthorized users can gain access to the information system.
6. Google Hacking: Since Google is one of the most common search engines widely used by organizations, penetration testers should consider Google hacking an effective web security practice. It uses the search engine to locate personal or sensitive information by taking advantage of Google’s indexing of content anywhere within a website. For instance, tests have found a directory with the social insurance numbers of more than 70 million deceased persons, and passport documents.
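Item 1 above recommends password strength rules and a login message that does not reveal which half of the credential was wrong, and section IV.a counts the users whose passwords are dictionary words. The following Python is an added illustration, not code from the article: a registration check against a small constructed wordlist, and a leaky login handler beside its hardened form. The `Accounts` class, the wordlist and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist; assumption: a real check loads a full dictionary.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}


def password_is_weak(password: str) -> bool:
    """True if the password is a dictionary word (even padded with digits or
    '!') or lacks the mix of upper/lower case letters and digits."""
    base = password.lower().rstrip("0123456789!")   # "Summer1" -> "summer"
    if base in COMMON_WORDS:
        return True
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return len(password) < 10 or not (has_upper and has_lower and has_digit)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Accounts:
    def __init__(self):
        self._users = {}  # username -> (salt, hash)
        # Dummy credential so unknown usernames cost the same work as known ones.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash("not-a-real-password", self._dummy_salt)

    def register(self, username: str, password: str) -> None:
        if password_is_weak(password):
            raise ValueError("password is a dictionary word or too simple")
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def login_leaky(self, username: str, password: str) -> str:
        # BEFORE: distinct messages confirm which usernames exist.
        if username not in self._users:
            return "unknown username"
        salt, stored = self._users[username]
        if not hmac.compare_digest(_hash(password, salt), stored):
            return "incorrect password"
        return "ok"

    def login(self, username: str, password: str) -> str:
        # AFTER: one generic message, and the hash is computed either way.
        salt, stored = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        if username in self._users and hmac.compare_digest(_hash(password, salt), stored):
            return "ok"
        return "invalid username or password"
```

The hardened `login` also hashes a dummy credential for unknown usernames so that response time, not just the message text, stays the same for both failure cases.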
VII. Benefits of Penetration Testing
Penetration testing can help close the gap between the safeguarding of an organization’s security system and the exposure of its security risks by assessing whether the security controls are adequate and working effectively.
As IT attacks are always changing in “nature, complexity and method”, penetration testing can be viewed as a solution to the evolving security threat environment, helping the organization’s IT system stay constantly attentive and updated as part of its overall security strategy. According to PCI and ISO 27001, managing security risks and threats is an essential management and IT process. The rationale behind this is that organizations should fully understand their weaknesses before they can effectively defend and protect themselves from unauthorized access. Hence, penetration testing can provide a “hacker’s-eye” view of any organization’s security system. Instead of taking the wrong attitude towards security and simply hoping not to be hacked, organizations should take the appropriate actions to mitigate and control risk. Penetration testing can strengthen an organization’s security procedures and processes, as well as further improve the efficiency and effectiveness of its risk management. It can also increase transparency by assessing the type of sensitive data that could potentially be exposed and how the network could be compromised through human elements. Ultimately, the main benefit is that organizations can learn from the penetration testing experience and further improve their security systems by thoroughly analyzing their weaknesses, properly implementing the changes, and informing all parties in a timely manner.
VIII. Limitations of Penetration Testing
Penetration testing cannot be expected to identify all possible security weaknesses, nor does it guarantee that the system is 100% secure. New technology and hacking methods can create new exposures not anticipated during the penetration test. Thus, it is certainly possible that hacking incidents will occur after a penetration test, because full protection of an organization’s security system is impossible; only good protection is achievable.
In addition, a penetration test is usually performed with limited resources over a specific period of time. Therefore, once an ethical hacker has identified the current risks and threats to the system, the organization should immediately take corrective action to mitigate these security loopholes and decrease the potential exposure to malicious hackers.
XIV. Conclusion
Penetration testing is an important component of an organization’s overall security strategy and can definitely add value if there are major security weaknesses in its system controls and a high risk of unauthorized access due to the nature and operations of the business. Through controlled attempts to intrude into the organization’s computer network, a combination of penetration testing techniques and strategies can be developed to fit the organization’s needs in terms of the nature of its business and the size and complexity of its operations. This will in turn enhance the assurance provided by auditors in assessing a company’s internal controls and security system. On the whole, ethical hacking and penetration testing should be considered an efficient and effective means to mitigate and close security gaps and deficiencies before malicious hackers can exploit them.