Penetration testing is growing in popularity among regional enterprises, but there are several things organisations need to keep in mind to get the most from their investment.
There are several analogies that one can provide for penetration testing (PT).
"PT is where you go around checking, and when you find that a particular door is unlocked, or provides you free entry, you go inside and very deliberately spill something," says Judhi Prasetyo, Middle East consulting manager at Fortinet.
This is as opposed to risk assessment processes, where "when you find a door unlocked, or somehow manage to gain access to the room, you roam around and look for other weaknesses that can be found (like whether the drawer is open, or the cupboard, or a laptop is lying around), and then you go back and write a report on it," says Prasetyo.
In simpler terms, PT is where an enterprise deliberately tests the strength of its defence systems, by trying to punch holes in it. And, according to most industry stakeholders, the importance of these tests to the modern-day organisation cannot be exaggerated.
"PT is an absolute must. It is part of the overall risk assessment that an organisation does. Again, PT should definitely be an ongoing exercise rather than a point exercise, simply because threats evolve if not hourly, then on a daily basis. New patches for systems come into being on a very regular basis. So it should be an ongoing exercise," says Guru Prasad, head of the networking division at FVC.
RV Ramani, principal security consultant at Paramount Computer Systems, agrees, adding: "Investing in security solutions without performing a risk assessment or PT services, is like buying ingredients without knowing a recipe.
You must know your risks and vulnerabilities before you plan for any security investment. Assurance services such as PT and risk assessment will identify all the vulnerabilities, and will help IT managers in prioritising their security initiatives."
In recent times, PT has been gaining importance, and growing in popularity among companies in the region.
"Though we do not offer these services, we offer some of the tools that can be used for PT provision. Indirectly, we see demand for these services growing as more and more providers are buying these tools from us. And many of them state that their existing and older customers are asking them for this particular service. So it is not as if they are buying these tools to attract new clients.
They are using these tools because they are seeing demand for these services from their existing clients, and they want to provide these services so they don't lose that revenue stream," points out Prasetyo.
Due to its relative newness to the Middle East market, and the nascent character of several providers, PT does not happen here the same way that it does in more developed markets.
"Many security providers are still doing the de facto tool-based exercise when it comes to PT in the region. It has matured over time. I can see some of the new entrants and existing ones taking a more rounded approach about PT.
They are taking a more consultative, more development-oriented approach to doing PT, rather than just doing tools-based testing. We are definitely catching up, primarily because of more established players coming into the Middle East. I see the approach has changed as well over time. I think they are slowly getting there, but I would still say there is still some ways to go in terms of the approach," says Prasad.
He insists, like many others in the industry, that PT has to be a necessarily consultative process that changes according to the needs and specific nature of an organisation, rather than being a tool-based one where a particular application is just plugged in to check an enterprise's defences.
Before entering into an agreement with a provider, the end-user will need to check the provider's previous record as well as the tools he will use to conduct the test.
"The first thing to do is to ask the provider what tools they use. Based on this knowledge, you can judge the quality of the PT that will happen. One of the most important ways of doing PT today is on a protocol subject, since most vulnerabilities occur due to badly written apps. Protocol vulnerability tests can happen only in custom built penetration apps.
The tester typically writes an app, understanding the protocols that are in use in an enterprise and then develops the PT plan. Expertise in this area should also be checked," warns Prasad.
PT costs an enterprise a lot of resources, but unless the organisation is clear on what it wants with these checks, it can prove to be a wasted exercise.
Basics of examination
PT, to most people in the industry, still involves only the simulation of an external attempt to get into organisational networks. However, a true-blue test would have to look at information lifecycle practices and employee behaviour to give a complete picture of the security scenario.
"PT can be anything from self tests to external tests. It depends on the nature of the business and what they do. Most commonly, PT is implemented against the external interface. However, it can be done to internal apps as well," says Greg Day, EMEA security analyst at McAfee's Avert Labs.
The testing process involves several stages. The most basic division is into black box, white box and grey box testing.
"Blackbox testing refers to a PT expert who has absolutely no knowledge of an enterprise network host, or any inside knowledge of apps that are running. Basically it is an open approach where the ethical hacker attacks networks without any internal knowledge.
White box testing is done with the full knowledge of systems within an enterprise. The penetration tester knows exactly what systems, networks and architecture they have and approach that with the full knowledge," explains Prasad.
Grey box testing falls into areas between black-box and white-box testing.
Prasad continues: "PT can be divided into three. The first is the most vulnerable, and involves web apps PT. Any enterprise that has any site or any app that is exposed on the extranet or on the internet is the first target for this. Second is the external PT, where the hacking technique is involved.
This includes tests on the internet from the outside into the enterprise network. And then there is the internal PT, where the hacker sits inside the network and emulates an inside job. These are the most typical testing methodologies and approaches that one follows in the industry."
PT activities, especially in the region, do not always follow these processes. This, along with other factors, creates multiple challenges for enterprise end-users when they invest in tests.
Obstacle-strewn path
The most critical aspect that needs to be resolved before an end-user gets into the testing game is the scope of the exam.
"End-user and vendor alike need to be very clear about the scope of the test. If the boss wants you to assess only the front door, providers should not check the back door. Later, after the check gives a clean bill, if the enterprise gets attacked from the back door, the end-user cannot complain since the provider was asked to test only the front door," says Prasetyo.
Tests should also be conducted in as unscheduled a manner as possible.
"One of the major mistakes that enterprises make is scheduling a test. From personal experience I would say that is the first thing they should avoid. They should not schedule, or be specifically prepared, for a PT, because then it is not a real environment, it is a pseudo environment you are testing against," says Prasad.
Ramani adds: "Before the PT we advise all our customers to take necessary back up of their important data. It would also be worthwhile to conduct the PT of the test bed initially in case of mission critical applications, like the banking applications.
During the actual PT, we advise the customer's representative to be available onsite to oversee what is happening. Finally, customers should insist that the PT is done from a static IP and should get the IP address of the tester."
These measures are meant to ensure that the enterprise is ready to address any inadvertent mistakes that might happen during the test.
"The common mistake made by most companies is that they do not conduct PTs on a regular basis. They resort to PTs only when there is a breach of security. Companies should definitely be proactive rather than reactive. Mainly, companies should realise that PTs are a way of life if they want their network to be secure," Ramani continues.
Prasad agrees, adding: "Too often, PT is a one-off exercise, rather than an ongoing exercise. Another big mistake made by organisations, after they get a report on PT, there is no follow-up or framework laid to ensure that the core root cause analysis is performed and a framework laid to ensure that there is ongoing security assessments, rather than just resorting to a point-fix.
I have seen companies where they point out patches to be done, apps to be upgraded and firewalls to be changed, as single instances. But yet, they would not really put a framework to continuously assess if everything is fine, put a protocol to analyse plans, or lay a framework on a penetration evaluation when you choose any new product."
"Laying a framework on the technology risk assessment, from the penetration perspective is very important as well. It does not need to be very elaborate but it should be a simple framework, which says this is what you do every time you choose a new product as part of the IT initiatives. And this is what you should be doing on an ongoing basis. That should come out of a PT," he continues.
The biggest mistake, however, might be the consideration of PT as a singular instance in security measures, instead of as a part of the whole.
"Every organisation has to consider security from the perspective of information lifecycle management and has to protect its data likewise. PT is one part of a much larger set of exercises that have to be performed, sometimes on a regular basis, to ensure the continuing safety of organisations, both regionally and globally," says Ahmed Abdella, regional manager of RSA, the security division of EMC, for the Middle East, North and West Africa.
Day agrees, pointing out: "Often, the focus in organisations is placed primarily on the part of vulnerabilities, and not essentially on the information handling processes within the company, which means inaccurate testing can take place."
As the global threat environment continues to evolve, regional enterprises will continue to look to PT and risk assessment to guide their security investments.
This period of growth and change will involve several trials and errors, but with a few basic points to guide them, enterprises can, more often than not, hope to gain success from each of the penetration tests they perform.