The automated penetration test plays an important role in the security professional's toolkit. As part of a comprehensive security program, these tools can quickly evaluate the security of systems, networks and applications against a wide variety of threats. But security pros should view them as a supplement, rather than a replacement, for traditional manual testing techniques.
What is automated penetration testing?
During a penetration test, security professionals conduct deliberate attacks on systems and applications to determine whether it is possible to gain unauthorized access. The goal of these tests is to assume the "hacker mindset" and probe for security vulnerabilities using the same tools and techniques employed by real attackers. Penetration testing is widely considered the best test of a system's security, as it most closely approximates real-world attacks. Conducting these tests properly requires time-consuming work by highly skilled individuals. Ideally, the engineers performing the tests have a level of skill equal to or exceeding the skill level of the likely attacker.
The highly manual nature and great expense associated with penetration tests leads many organizations to automate parts of the process. The test is still guided by a skilled professional, but many steps are automated to remove the rote components of the test. For example, the testers might employ vulnerability scanners to test a large number of systems for the presence of vulnerabilities. Similarly, automated exploit tools might be used to carry out a multi-step attack.
Why use automated testing?
The use of these tools provides organizations with several key benefits. First, frequent scanning shortens the time between a vulnerability appearing and its detection. Second, tools can broadly test a large number of systems for a huge number of known vulnerabilities, far faster than a tedious manual testing process. Finally, automated tools relieve highly skilled individuals of monotonous work, allowing them to focus their energy on coordinating the test and applying their expertise where it is most valuable.
Automated testing tools can also be a key component of IT compliance programs. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires regular vulnerability assessments of card-processing systems. Automation is the only realistic way of meeting this requirement. It is important to note, however, that automation is not a silver bullet for PCI compliance. The standard recognizes this: "Penetration testing is generally a highly manual process. While some automated tools may be used, the tester uses their knowledge of systems to penetrate into an environment."
Choosing your tool set
The penetration tester's toolkit should include a variety of automation tools that allow him or her to automate as much work as possible and supplement that automation with manual follow-up when necessary. The set of tools employed should include a network vulnerability management suite, such as Nessus, Qualys or Rapid7. These tools perform rapid, broad scans across an enterprise for network-facing vulnerabilities. In addition, penetration testers should have access to a Web penetration-testing tool, such as Acunetix or WebInspect, which probes Web applications for common security flaws, such as SQL injection or cross-site scripting vulnerabilities.
Finally, every tool set should include the open-source Metasploit Framework. This collection of vulnerability information and exploit tools bridges the gap between automated and manual testing, allowing testers to probe the vulnerabilities detected by network and Web assessment tools to determine whether an attacker can actually exploit them to gain unauthorized access. The basic Metasploit Framework is available for free, and several commercial vendors produce graphic interfaces and other tools that build upon the framework.
Automated penetration testing techniques can provide significant benefits to security programs. The tools give rapid, comprehensive assessments of system security that are a valuable supplement to, but not a replacement for, manual testing techniques.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is senior director for IT service delivery at the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as a site expert on network security, and is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and the Security+ Training Kit.