http proxy mac os x
November 1st, 2009 by admin

As network technologies and application features continue to evolve at an increasing rate, so have the associated security vulnerabilities. But have our efforts to identify these vulnerabilities kept pace with the changes? Has security penetration testing evolved from its roots in the seventies? How have we changed our approach to security testing tools and methodology to meet the challenges of the changing threat landscape? This is the first in a series of five articles dealing with how far we've come and the way forward.

The term "penetration testing" refers to evaluating the security level of a network or computer system by simulating an attack. Penetration testing is based on the assumption that by attempting to compromise the security of a system or network, you can learn more about its susceptibility to attack, and specific weaknesses can be identified and mitigated. The currently accepted definition has not changed since its inception, while the accepted scope, approach and methodology have changed considerably.

War dialing

The modern digital computer network was born on college campuses. The first phone systems made use of switched networks and were regularly audited both externally (by attackers armed with blue boxes and whistles) and internally by dedicated security personnel.

The modern network is a product of academia. In those nascent days, academic networks were largely unconcerned with security; networks were mainly a mechanism for open and rapid information sharing. Universities also formed the backbone of the Internet, were the original ISPs, and were among the first to adopt e-mail as a means of communication.

Early government and military networks, by contrast, were formed as closed systems. Although the concept of penetration testing was proposed by the Rand Corporation (among others) and the Department of Defense as early as the seventies and eighties, it did not become popular until the advent of war dialing (which was largely the result of the transition from analog to digital).

War dialing was one of the first modern forms of formal penetration testing and was used to identify unprotected modems that were publicly reachable and allowed unauthorized access to networks. War dialing was an accepted mechanism for assessing the security posture of network technologies until the early nineteen nineties and is still widely used, by security professionals and attackers alike, to assess the security of X.25 networks and other resources.

The nineteen nineties saw the emergence of penetration testing as a formal security activity. In 1988, Robert Morris Junior unleashed a self-propagating worm, which had the unintended consequence of crashing what was possibly a large part of the emerging Internet.

This, along with seminal research works such as "An Evening with Berferd" (1991, Bill Cheswick) and "Improving the Security of Your Site by Breaking Into It" (1993, Dan Farmer and Wietse Venema), raised awareness of the potential activities of external attackers and of the testing methodologies that organizations could use to emulate them.

A major driving force behind the evolution of penetration testing was not only management, which was increasingly concerned with risk, but also the security professionals themselves.

Since the early seventies, both the Rand Corporation and the Department of Defense have conducted research related to the security of networked IT environments (hence the publication of the many "colored" books).

At first, security assessment and penetration testing applications had to be developed independently by security professionals. It was not until 1989, with the appearance of COPS, and later in 1995, with Farmer and Venema's SATAN, that automated analysis tools caught on widely, to the great relief and anguish of both testers and administrators alike.

Outside/In Analysis

Early penetration testing involved IT security engineers acquiring or developing basic attack tools and trying to exploit the target system or network. Repeatability and reliability were limited by a lack of methodology and a reliance on human ingenuity. Over time, both processes and evaluation mechanisms (including tools) matured and repeatable testing procedures were developed, so that an accepted methodology began to emerge.

Testing activities associated with this external focus were designed to simulate external attackers who had no previous knowledge of the target network infrastructure. Many of the earliest tools available for penetration testing sought to automate common attacks (such as war dialing and port scans).

If an organization wanted to guard against the possibility of an external attack, it was reasonable to emulate the techniques used by attackers and, in doing so, secure systems before their contents were endangered. The approach was not without its limitations. First, unlike attackers, organizations are limited in the time they can spend testing. Secondly, the scope of the tests often excluded commonly used attack vectors (such as social engineering).

Reliance on Outside/In analysis in the penetration testing process provides a valuable assessment of externally facing assets. However, identification of the vulnerabilities associated with the generally much larger number of internal assets is not included.

Testers often use a set of tools operating from a position of "zero knowledge", which reveals little about internal assets and the networks themselves beyond the gateway. Inevitably, vulnerabilities go undiscovered, and remediation advice is superficial (for example, disable service X, or add a firewall rule to restrict access to Y). Although the recommendations generated by this surface-level approach are still of value, they do little to improve the overall security of the network and associated applications.

In our next article in this series: Black Box versus White Box testing approaches.

Orthus is a leading professional services firm that focuses on helping clients globally to cost-effectively manage technology risk and secure their environments. To find out more about how your organisation can reduce security costs whilst increasing performance, see http://www.orthus.com.
