Overwhelmed with penetration testing? Many people are. The tide of penetration testing requirements in the name...
of PCI DSS, business partner and customer demands, or similar obligations is never-ending. Penetration testing can be so daunting -- given the number of systems and applications combined with the complexity of the network environment -- that many InfoSec pros are merely "going through the motions" to meet compliance requirements or finding ways to skip these tests altogether. But at what cost? As with anything in life, a half-hearted approach to penetration testing is going to get half-hearted results. That's where the trouble with compliance, information risk and the inevitable breaches begins.
But those who struggle with this essential business function can take the approach of many other information security management tasks and automate. InfoSec pros have been able to automate things such as log management, patching and source code analysis for years. By adding some automation to penetration testing, it is possible to minimize the resources required while maintaining the integrity of the penetration testing process. It's important, though, to take a measured approach.
Taking a measured approach to automation
First, honestly define what "penetration testing" means in context by identifying what you're trying to accomplish. Some people see it as running simple vulnerability scans to appease an auditor. Others try to prove they can find a single flaw to exploit. I prefer a broader vulnerability assessment, where everything with an IP address or URL is fair game for attack.
Begin with the most critical systems. Eventually pros need to consider the network, because external hackers and malicious employees know no boundaries. Test every aspect of your system vulnerable to attack, regardless of what you call it. Otherwise, this security program is being set up for failure.
The approach is especially important in the context of "automated" penetration testing. Why? Because you can't automate every test of every system and application with current tools. For instance, most functions that find weak passwords on network hosts can be automated, but not the processes associated with going beyond the login prompt to browse the network, manipulate files and so on. Typically called authenticated vulnerability scans, these types of tests could be scripted, eventually, but it's not true automation.
The same goes for uncovering and exploiting flaws in Web application login mechanisms, user session management and SQL injection. Again, individual functions -- such as finding SQL injection and extracting data from the database -- can be automated, but the entire process can't be made click-and-go. Human interaction and expertise are needed to know where to target the exploitation and how to get the best results.
Tools are only aids
The desire for automation led to a number of new features in popular vulnerability scanners, such as Acunetix Web Vulnerability Scanner (which is adept at cracking passwords in Web applications) and Metasploit Pro (which can be used for obtaining command prompts and setting up backdoors).
But even these tools don't fully automate the processes. With Metasploit Pro, for example, IT must first run a vulnerability scanner such as Nexpose or Nessus to identify vulnerabilities. The user interface of Metasploit Pro and commercial vulnerability scanning tools are straightforward, but not every tool for penetration testing is, which is a problem for those who lack technical training.
The great thing about penetration testing today is the wealth of security testing tools available that allow pen testers to crack passwords in unencrypted laptops or on wireless networks in minutes or launch an email phishing campaign painlessly. Network shares and access to unsecured PII can be enumerated very quickly. But nothing's click-and-go. Like radiologists and home inspectors, pen testers may employ sophisticated tools, but the discovery, the enumeration and reporting of findings can't be fully automated, and I suspect it'll remain that way.
An in-depth security review requires more than merely entering an IP address or URL and clicking Go. Certainly processes and workflows can be tweaked to be more efficient but creativity and good old-fashioned hands-on expertise will determine the outcome. In the end, regardless of how many "exploits" the penetration testing uncovers, IT pros will still need to determine what's a true security risk and what is not.
About the author:
Kevin Beaver is an information security consultant, writer, professional, speaker, and expert witness with Atlanta-based Principle Logic LLC. With over 25 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments of network systems as well as Web and mobile applications. He has authored/co-authored 11 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website www.principlelogic.com and follow him on Twitter at @kevinbeaver.
Gain further insight into the manual vs. automated pen testing debate.