S 5.150 Performing penetration tests

Initiation responsibility: IT Security Officer, Head of IT, Top Management

Implementation responsibility: Head of IT, Administrator

Conducting penetration tests is a proven and suitable method for determining the current security status of an IT network, of an individual IT system, or of a (web) application. They can be used to estimate the chances of success of a deliberate attack to an information system or an individual IT system in advance, derive the supplemental required security safeguards to avert such attacks, and check the effectiveness of the security safeguards already implemented. Penetration tests should be performed regularly on networks and systems critical to security.

In detail, the installed applications (web application, email server, etc.) and/or the underlying support systems (operating system, database, etc.) are examined in a penetration test.

Typical starting points for a penetration test include the following:

• network switching elements (routers, switches, gateways)
• security gateway (packet filters, intrusion detection systems, virus scanners, etc.)
• servers (database servers, web servers, file servers, storage systems, etc.)
• telecommunications systems
• web applications (e.g. Internet presence, workflow processing, or web shop)
• clients
• wireless networks (wireless LAN, Bluetooth)
• infrastructure facilities (access control mechanisms)

There are basically two types of penetration tests; black box tests and white box tests. Within the framework of a black box test, the penetration testers are only provided with the address of the target and is not provided with any further information. A black box test is therefore intended to simulate an attack by a typical outsider who does not have full knowledge of the target system. In contrast, the penetration testers in a white box test are provided with extensive information they require regarding the systems to be tested. This includes, for example, information on the IP addresses, the internal network, the software and hardware used, etc. This information is provided in advance by the customer.

However, whether or not it still makes sense to differentiate between black box tests and white box tests is questionable today. For example, there is a higher, yet completely avoidable risk when performing a black box test of causing damage unintentionally due to a lack of information. Furthermore, some vulnerabilities may go undetected because certain information was not provided.

There is also a risk when performing a black box test that attacks by well-informed insiders will not be taken into account.

For these reasons, today's penetration testers should be provided with all information on the systems to be tested that is needed to perform the test. This allows the potential risks associated with the test to be minimised and also allows the fullest vulnerability scan possible.

According to current knowledge, it is more practical and success-oriented to classify penetration tests into vulnerability scans, which are automated for the most part, and security audits, which are performed manually for the most part.

Personnel and technical requirements regarding a penetration testing service provider

Penetration tests are sophisticated and difficult tests that can also have an impact on IT operations. For this reason, only adequately qualified and reliable personnel with interdisciplinary knowledge in the following fields and subjects should be allowed to conduct penetration tests:

• administration of operating systems and applications
• network protocols and network traffic analysis
• security products (e.g. security gateways, intrusion detection systems, etc.)
• programming languages
• vulnerability scanners
• audit and administration software

If external service providers are contracted to perform penetration tests, then it should be ensured that a qualified and trustworthy service provider is selected (see also S 2.252 Choice of a suitable outsourcing service provider) who is able to provide correspondingly qualified and reliable employees.

Furthermore, providers of penetration test services should be able to present the customer with a structured methodology for performing the penetration tests that can then be used as a basis for developing the corresponding individual procedures.

Structure and procedure for a penetration test

In the preparation phase, the customer and the contractor must define the goals as well as the scope of the penetration tests as precisely as possible. The penetration tester should present the customer with a structured procedure that is then adapted and coordinated accordingly by the two parties.

During the coordination process, it must be noted that it may be necessary to involve third parties in the planned penetration test and/or inform them of the test under certain circumstances.

For example, it is generally necessary to involve the personnel representative and the Data Protection Officer, and in many cases external entities such as the internet service provider or the web host as well, in the penetration test.

Certain prerequisites should be agreed to in advance by the customer and the service provider. This includes the following in particular:

• agreements regarding confidentiality obligations
• agreements on the use of hardware and software
• agreements on which IT systems and IT applications will be tested
• specification of the authorised and unauthorised activities of the penetration tester to avoid possible damage
• agreements on handling data media before, during, and after completion of the penetration test, since the data media may contain sensitive information on the results of the tests, for example
• specifications of the penetration test site as well as of the penetration test assessment and reports
• specification of a schedule including a maintenance window for performing the tests
• detailed agreements on access to the internet and the connection of test systems to the internet while performing and assessing penetration tests
• agreements on the corresponding responsibilities and the accessibility of contact persons as well as on contingency planning

In the subsequent information phase, the penetration testers collect as much information as possible on the object to be tested. The information obtained is then evaluated in terms of potential vulnerabilities to prepare for the tests.

In the actual test phase of a penetration test, any test procedures that could have a destructive impact on the IT systems or IT applications to be tested should be avoided, if possible.

For example, the goal of a denial-of-service (DoS) attack is to block access to individual services, systems, or network segments. It is often possible to determine in advance if these types of attacks are possible by performing a system analysis, which makes simulating such attacks during a penetration tests unnecessary.

However, if DoS attacks or similar destructive attacks are simulated within the framework of a penetration test, they should be conducted when the system is not in productive use. It is also possible to simulate this kind of attack on a test system. The corresponding procedures must be agreed to explicitly by both parties.

The actual penetration tests are only performed after these tasks have been completed. The maintenance window and schedule agreed to for the penetration tests must be strictly maintained. If the schedule needs to be changed, then these changes must be agreed to by the customer.

Otherwise there is a higher risk that the customer could mistake certain activities of the penetration tester for a real attack. It is therefore recommended to record and document the penetration tests in full.

To obtain the most informative results possible, it should be ensured that the penetration tests are also performed directly on the IT system to be tested as well as upstream of the intermediate network switching elements (e.g. packet filters).

Typical attack techniques

• Network and port scanning: Network and port scanning is used to find active IT systems in a network and identify the services (ports) they offer.
  
  In the context of IT administration, these types of queries are used to obtain the current status of IT systems in use. However, an attacker may be able under some circumstances to identify vulnerabilities in the individual IT systems with the help of this information and then conduct an attack based on this information.
• Exploitation of poor input checks: An input check refers to a procedure for filtering, cleaning up, or rejecting the user input (data) entered in an application for further processing.
  
  This filtering is intended to prevent malicious code from being passed to the application. Such code can provoke user errors such as the disclosure of confidential information.
  
  Examples of attack methods intended to provoke such user errors include cross-site scripting, SQL injection, LDAP injection, OS injection, and fuzzing.
• Denial-of-service attacks (DoS): These attacks are aimed at IT systems or networks in order to put one or more of the services provided out of operation. This can be accomplished by sending numerous requests and increasing the load on the system, through a massive increase in the volume of data (e.g. emails), but also by specifically exploiting potential software errors. A well-known example of a DoS attack is the "Ping of Death".
• Information gathering: Information gathering refers to the gathering of all information that could be useful for a subsequent attack. An example of such information is the numbering scheme used to number directories or servers.
• Social engineering: Social engineering refers to the use of fake calls or other methods of making contact with the people operating the desired IT system. The goal of this method is usually to obtain confidential information such as passwords (see also T 5.42 Social engineering).
• War dialling: This method is understood to be the automated and systematic attempt to scan for telephone numbers of modems. In this type of attack, the telephone numbers of the target system are called and examined to see if a modem answers any of the calls.
• Password attacks: In this case, the security and/or the strength of passwords is tested using dictionary attacks, brute-force attacks, or by attempting to decrypt the passwords.
• Exploitation of software vulnerabilities: These types of attacks test if the installed software is susceptible to certain exploits, is configured incorrectly, possesses vulnerabilities, or is outdated, for example. In many cases, the attacker also examines if any known vulnerabilities present in a standard installation of the corresponding product can be exploited on the systems being tested.
• Cryptographic attacks: In this case, the strength and the implementation of encryption mechanisms and key management system used are examined.
• Infrastructure tests: Within the framework of infrastructure tests, the constructional security measures, access and locking equipment, and other such items are examined, but how materials are disposed of is also examined. One version of this is referred to as dumpster diving, in which an attacker searches for useful documents or data media in the garbage (e.g. in waste paper bins, waste containers, etc.).

In the evaluation and reporting phase, the results are collected, evaluated, and presented in the form of a report. All of the information obtained during the penetration test must be stored in a correspondingly secure location. The customer should require the contractor in advance to promise he will pass all records of the penetration test in full to the customer or will destroy these records.

The report should contain a list of the vulnerabilities found as well as the measures recommended for handling the vulnerabilities discovered. It is also recommended in this context to create an implementation plan for the safeguards recommended in the report together with their priorities. The final report for management should also contain a summary of the most important test results and an overview of the additional procedures recommended. The final report must be given to the IT Security Officer and the managers responsible.

It is recommended to have the customer and the contractor document each of the agreements made and the test results throughout all phases of a penetration test.

Review questions:

• Are only reliable and qualified personnel allowed to conduct penetration tests?
• Has it been ensured that only trustworthy and qualified service providers are contracted to perform penetration tests?
• Has it been ensured that the results of penetration tests are adequately protected and handled confidentially?
• Are the final reports of the penetration tests given to the IT Security Officer and the responsible managers?
• Were detailed agreements on the execution and assessment of penetration tests signed in advance by all providers contracted to perform penetration tests?
• Was consent obtained from all parties responsible in advance of the penetration tests?
• Were the contact persons for the penetration tests specified and has it been ensured that they are available while the penetration tests are being conducted?