Licence to Hack

For the uninitiated, penetration testing or ‘pen testing’ is nothing rude or to do with biros. It is sometimes known as ethical hacking: that is, breaking into computer systems, legitimately, to test the strength of the security mechanisms protecting them and to provide recommendations for addressing the problems found.

The University of Glamorgan recently created a Postgraduate Certificate in Penetration Testing & Information Security, which encompasses training and qualifications for penetration testers. The education programme, in association with 7Safe, is designed to ensure that would-be pen testers have the required training and knowledge to prove their skills.

As a relatively young profession, pen testing is now showing its maturity with qualifications like this. When the concept was fairly new, hackers sometimes offered their services as ‘guns for hire’ for hefty fees to companies who had perhaps already suffered breaches. Now, many organisations regularly have their electronic assets pen tested in order to find what weaknesses they need to address before a malicious attacker exploits them.

All this will be nothing new to chartered accountants, however, who have been doing this kind of thing for years – it is, after all, merely a hi-tech variation of good old fashioned auditing.

There are, however, detractors of this sometimes controversial concept. They argue that this “showing people how to hack” should perhaps not be taught as it could get into the wrong hands. The supporters, on the other hand, argue that you need to be able to at least have the knowledge of what the hacker is capable of and understand his/her modus operandi so that they can be thwarted. I suppose one could also comment that karate shouldn’t be taught as it can be deadly if used in the wrong spirit or manner.

The Methodology

So what would the pen tester be looking to achieve during a test? First off is examining the target from a distance and finding out as much as possible without actually setting off any alarm bells. This could involve use of Internet search engines (it can be surprising just how much is out there that can be of assistance) and a variety of utilities, like Sam Spade, specifically designed to gather this type of data.

Next on the agenda could be to start looking at the subject more directly. Port scanning, a way of finding out what openings are available on a remote machine, would be employed as an equivalent of ‘casing the joint’, before moving on to using vulnerability scanning techniques to ascertain where weaknesses may exist on the target.
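The ‘casing the joint’ step described above is also what a defender should be watching for in firewall logs. As an added example (not from the article or from 7Safe), the following Python flags any source that touches several distinct ports on one host within a short window, run over a constructed log excerpt; the log format, thresholds and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log excerpt (not from the article): one line per connection attempt.
SAMPLE_LOG = """\
2005-08-01T10:00:01 src=198.51.100.7 dst=192.0.2.10 dport=80 action=ACCEPT
2005-08-01T10:00:02 src=203.0.113.5 dst=192.0.2.10 dport=21 action=DROP
2005-08-01T10:00:02 src=203.0.113.5 dst=192.0.2.10 dport=22 action=ACCEPT
2005-08-01T10:00:03 src=203.0.113.5 dst=192.0.2.10 dport=23 action=DROP
2005-08-01T10:00:03 src=198.51.100.7 dst=192.0.2.10 dport=443 action=ACCEPT
2005-08-01T10:00:04 src=203.0.113.5 dst=192.0.2.10 dport=25 action=ACCEPT
2005-08-01T10:00:05 src=203.0.113.5 dst=192.0.2.10 dport=80 action=ACCEPT
2005-08-01T10:00:06 src=203.0.113.5 dst=192.0.2.10 dport=110 action=DROP
"""

# Assumed log layout; adapt the pattern to the firewall actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+) action=\w+$"
)

def parse_log(text):
    """Yield (timestamp, src, dst, port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])

def detect_port_scans(text, min_ports=5, window_seconds=60):
    """Return {(src, dst): distinct_ports} for sources probing at least min_ports
    different ports on one host within window_seconds. Dropped and accepted
    attempts both count: a scan is about breadth of probing, not success."""
    hits = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        hits[(src, dst)].append((ts, port))
    alerts = {}
    for pair, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {p for _, p in events[start:end + 1]}
            if len(distinct) >= min_ports:
                alerts[pair] = max(len(distinct), alerts.get(pair, 0))
    return alerts
```

The ordinary client on 198.51.100.7 only ever uses ports 80 and 443 and is not flagged, while the source sweeping six services in five seconds is.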

These weaknesses may actually be falsely reported, however, and therefore the most effective way to determine whether they are real or not is to attempt to exploit them. This is where the security of the target machine is really put to the test, and is the difference between “vulnerability assessment” and penetration testing. Pen testing involves a high level of skill and specialist knowledge.

Perhaps the tester is able to penetrate the defences of the particular machine and obtain a low-privileged account on it. In that case, ‘privilege escalation’ code can assist in the quest for root or Administrator user levels. There is also security exploit code that will provide high-level access immediately, like the recent Microsoft Plug and Play vulnerability, which was quickly picked up by virus writers once disclosed.

Once inside a network, it will be an exploratory mission for the pen tester to discover yet further weaknesses to exploit. Often, they will end up with access to all machines and this is where the similarity to a malicious cracker/hacker ends. The pen tester will report on findings and how to resolve security issues, whereas the malicious version might start wreaking havoc by stealing/deleting/altering data, implanting back doors on machines and covering tracks so that their little jaunt will not be detected. The possibilities are many and varied.

As with many professions, penetration testers should demonstrate a commitment to their vocation by obtaining relevant ongoing training and qualifications in order to validate their purported skills. For further information on these new qualifications, visit www.7safe.com/training.html.

Alan Phillips, 7Safe Information Security
August 2005