Pen Tests
Typical Pen Test Scenario
For the past two years in a row, you hired a security company or consultant to run a penetration test against your network. They ran a scanner against your network, and provided a pretty report. You were told that there were a few improvements that could be made, but overall, you were above average, and generally compliant with relevant regulations and “standards.” You paid a lot of $$ for this analysis. Sound familiar?
This year, you tried Hurricane Labs, because you wanted a different company to take a look at your network. You inform Hurricane Labs up front that the network has been tested by other security companies, is very secure, and in compliance with regulation xyz. And, for good measure, you mention that a certain well-known MSSP is monitoring the network for malicious activity.
Hurricane Labs provides you with a report, including evidence and software exploit code, informing you that we were able to penetrate many web applications and access internal databases, with write access. We show you user names and passwords of internal applications. We show you examples of how your applications are vulnerable to cross-site scripting and SQL injection attacks. We find a bunch of things that are just blatantly weak from a security standpoint. And, we show you how to fix things.
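The two weaknesses named above, SQL injection and cross-site scripting, usually come down to the same coding mistake: untrusted input is pasted into a query or a page instead of being passed as data. The following is an added illustration, not code from Hurricane Labs or from any client report; it uses Python's standard `sqlite3` and `html` modules, a constructed in-memory `users` table, and hypothetical function names. Each vulnerable function sits beside the hardened version a report would recommend.

```python
import html
import sqlite3


def build_db():
    """Constructed sample database (not from the page): two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_user_unsafe(conn, name):
    """Vulnerable: the caller's input becomes part of the SQL text.

    A value containing a quote character changes the query's structure,
    which is exactly what a manual tester probes for.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    """Hardened: parameterised query; the driver binds the value as data,
    so quotes or SQL keywords in `name` can never alter the statement."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_unsafe(name):
    """Vulnerable: raw input is written into HTML, so markup in `name`
    is interpreted by the browser (cross-site scripting)."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Hardened: escape for the HTML context before output; the browser
    shows the characters literally instead of parsing them as tags."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = build_db()
    # A quote in the input breaks the concatenated query's WHERE clause and
    # returns every row; the parameterised version returns nothing.
    probe = "' OR '1'='1"
    print(lookup_user_unsafe(conn, probe))   # both rows leak
    print(lookup_user_safe(conn, probe))     # []
    print(render_greeting_unsafe("<b>bob</b>"))
    print(render_greeting_safe("<b>bob</b>"))
```

The fix is the same in any language and framework: bind parameters for every query that carries user input, and encode output for the context it lands in (HTML body, attribute, JavaScript, URL), rather than trying to filter "bad" characters on the way in.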
You ask: “How were you able to do this, when those other companies that are supposed to be security experts couldn’t do any of that?” “Oh, and by the way, why didn’t our security monitoring company detect you?”
Why is Hurricane Labs different? The problem in the pen test business is that most security companies have taken the easy, point-and-click way out. Kind of a lazy approach, really. With the plethora of software scanning tools out there, some commercial, some open source, security companies have adopted a point-and-click mentality toward pen testing. Put in the IP address, click a button, and produce a detailed, pretty report your mom would be proud of. The problem is, an attacker might not be so lazy. The sad news is that this probably satisfied just about every regulation out there.
There is a role for automated scanning tools. They just shouldn't be relied on for the final results. Hurricane Labs uses them as one part of the pen test process: the initial discovery phase.
Hurricane Labs approaches pen test engagements from a very practical point of view. While we use automated scanners to do some of the up-front discovery work, most testing is done manually: work that no automated scanner can do. When we come across code that appears to be vulnerable, we write scripts to test the defenses. Usually, applications are not all that well secured, and we can get right into them. Right past the firewall. Right past the IDS. Right past the MSSP.
You still get a pretty report, but it’s full of useful ideas to help improve your network security. And your mom would still be proud.
| Pen Test Criteria |
|---|
| Software Updates |
| Firewall Configuration |
| Extraneous Functionality Disabled |
| Secure Programming Practices |
| Access Controls |