Is a thorough third-party penetration test ultimately the best way to determine whether our data store, which contains customer data and is made accessible to several Internet-facing Web apps, can’t be accessed improperly?
Hopefully your data store has been developed using a secure development framework such as Microsoft’s Security Development Lifecycle (SDL). Embedding secure practices into its design and development from the beginning will have helped to create a fairly robust application. However, despite secure coding practices and static code reviews, errors can still make it through to the final version. Even if these aren’t serious, the way in which the data store is deployed and configured, and the environment in which it is running may mean it is still vulnerable to attack.
A penetration test is essential to determine whether your data store can be compromised once it is live and accessible to anyone with an Internet connection. You may have a secure data store, but the network on which the data store sits should be protected by perimeter defenses such as firewalls, intrusion detection systems and antivirus gateways. It’s important to test that these devices are performing as intended and are effectively safeguarding the network. The interaction of multiple devices, services and functions can generate unanticipated weaknesses during system integration or deployment, which can often only be found by subjecting the system as a whole to a pen test.
These tests can also assess the trust relationships between services, see how the access points to the data store stand up to attempts to exploit them, and measure the ability of your network defenses to detect and respond to the tests. As a penetration test mimics the role of a potential attacker, it is the most realistic of the security tests that you can perform. This is why a penetration test is a mandatory requirement for so many regulations and standards, such as PCI DSS and ISO 27001.
Even if pen testers fail to access your data store, you can’t be 100% sure it is completely secure. Many current attacks against well-known sites are preceded by sophisticated phishing attacks where key individuals are targeted to try and extract information that will help in accessing the application. By collecting a key user’s credentials, attackers don’t need to launch a traditional attack whereby they would try to take advantage of a potential vulnerability in either the application or the system it’s running on. Instead, they can simply access the data using the stolen credentials.
Given the likelihood today of this type of scenario, a thorough penetration test should encompass testing the organization’s defenses against spear phishing and other attacks using social engineering. If the pen testers can obtain information to access the data store from your employees or from social networking sites, then your overall information security needs reviewing and improving. Remember that it’s not just technology that provides security but people and processes, too.
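The stolen-credential scenario described above is one that perimeter firewalls and code reviews cannot catch, because the attacker logs in exactly as the legitimate user would. What a defender can still detect is a valid account being used from somewhere it has never been used before. The following script is an added illustration of that kind of check; it is not code from the original article or from any product the expert mentions. The log line format, the sample entries and the baseline cutoff date are all constructed for the example.

```python
"""Flag successful logins from a source network never seen before for that account.

Added example: the log format below is an assumption made for illustration, and the
sample lines are constructed, not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress
import re

# Constructed sample authentication log (not real data). The final alice entries show
# a valid credential being used from an unfamiliar network, which is exactly the
# pattern a phished password produces.
SAMPLE_LOG = """\
2011-12-01T08:02:11Z login user=alice src=10.20.0.15 result=success
2011-12-01T08:05:43Z login user=bob src=10.20.0.22 result=success
2011-12-02T09:14:02Z login user=alice src=10.20.0.15 result=success
2011-12-02T09:30:55Z login user=bob src=10.20.0.22 result=failure
this line is deliberately malformed and must be skipped by the parser
2011-12-03T22:47:19Z login user=alice src=203.0.113.45 result=success
2011-12-03T22:48:01Z login user=alice src=203.0.113.45 result=success
2011-12-04T08:01:00Z login user=bob src=10.20.0.22 result=success
"""

# Assumed line layout: ISO-8601 UTC timestamp, literal "login", then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_events(text):
    """Parse log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "ts": ts,
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
            "result": m["result"],
        })
    return events


def source_network(addr):
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) so that a DHCP lease change
    inside the office range does not look like a brand-new location."""
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def find_new_source_logins(events, cutoff):
    """Learn each user's normal source networks from successful logins before `cutoff`,
    then report the first successful login at or after `cutoff` from any network that
    is not in that user's baseline. Each (user, network) pair is reported once."""
    baseline = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] != "success":
            continue  # failed attempts do not establish a trusted location
        net = source_network(e["src"])
        if e["ts"] < cutoff:
            baseline[e["user"]].add(net)
        elif net not in baseline[e["user"]]:
            alerts.append((e["ts"].isoformat(), e["user"], str(e["src"])))
            baseline[e["user"]].add(net)  # report once, not on every subsequent login
    return alerts


def run_sample():
    """Apply the check to the constructed log with a baseline cutoff of 2011-12-03 UTC."""
    cutoff = datetime(2011, 12, 3, tzinfo=timezone.utc)
    return find_new_source_logins(parse_events(SAMPLE_LOG), cutoff)


if __name__ == "__main__":
    for ts, user, src in run_sample():
        print(f"{ts} account {user} used from unfamiliar source {src}")
```

On the sample data this reports a single alert for alice's login from 203.0.113.45; bob's later login from the known office range is silent, and the failed attempt never enters the baseline. In a real deployment the baseline would come from weeks of history rather than two days, and an alert like this is a trigger for a human to confirm the login with the user, not an automatic lockout, since travel and home working legitimately produce new networks too.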
This was first published in December 2011