THE TERM HACKER is often associated with the spotty teen gaining illegal access to critical systems, but these skills can be used to benefit companies in the form of penetration testing or, simply, the 'pentest'.
According to an expert in the field who preferred not to be named, the most common definition of penetration testing is the engagement of 'ethical hackers' to attempt to compromise the security of an IT system. The results of a pentest will describe where a network has been compromised and how.
"Penetration testing forms a vital part of an information security audit because it tells administrators and all others involved in preserving critical business data, exactly how vulnerable the network infrastructures are," says Dino Covotsos, MD at Telspace Systems.
HOW IT WORKS
Penetration testing occurs in three phases.
The hacker is provided with the 'rules of engagement' or a set of targets and some constraints. Covotsos describes this as the discovery stage. He says, 'It involves the identification of victim nodes, all of which belong to the target network."
The next phase is the assessment stage where network vulnerabilities are identified and possible methods of attack can be devised.
"A hacker will have a box of different scanners and tools as well as some tricks and techniques he's learned along the way. He will probably also have a network of friends online that he can approach for advice or assistance, and may also apply techniques like social engineering and other forms of subterfuge. His output is a journal of what he achieved, a list of weaknesses he discovered, and perhaps some recommendations," says the anonymous penetration testing expert.
The third is an attack phase in which the previously discovered vulnerabilities are exploited and the target is broken into. Covotsos says there could also be a cleaning phase, in which telltale signs of the intrusion are eliminated. "It is usually left out during an attack and penetration test for obvious reasons."
Covotsos says these phases are repeated as the attacker penetrates further into a network. Once the penetration test is complete, the network owner is presented with an analysis report of the various entry points, attack methods used and vulnerabilities that were exploited.
IT'S NOT VULNERABILITY ASSESSMENT
Experts do not have a consensus on the scope of penetration testing, but some differentiate between a pentest and a vulnerability assessment (VA), says the expert.
"VA usually just entails the deployment of vulnerability scanner against the target systems. Ultimately their job is to produce a list of programming bugs, configuration errors or other issues that may in some way weaken the security of the system. The output of the VA is generally just a list of security vulnerabilities found per target system," he concludes.
A VA does not actually exploit the system's vulnerabilities.
EXPERT HACKERS - HARD TO COME BY
Covotsos says, "A high level of technical expertise involved means that a limited amount of individuals exist who are able to competently perform a penetration test." As a result some companies overcharge for the service.
"But if you consider the cost that might be incurred from losing vital data or worse yet, having confidential data fall into the hands of competitors, it is worth it," says Covotsos.
Field experts say that penetration testing is simply one of the mechanisms a business must use to manage its risk. Most large corporations, governments, financial institutions and online businesses perform some kind of penetration testing on a regular or even continuous basis. For small businesses, or businesses with a negligible investment in information, experts suggest that resources should rather be spent on other security 'basics' like patch management, malware, user management or firewalling.
Like any other security investment, there is no tangible financial return, but information security breaches can send business into a downward spiral.
MARTIN CZERNOWALOW
![[West and Central Africa Com]](/images/bnrWCA_120x120.gif "West and Central Africa Com")