Onus on the client
In the race to embrace new technologies, companies often find their networks
vulnerable to intrusions of all kinds, regardless of the security layers they
have in place. With growing awareness of the security checks discussed earlier,
newer methods and concepts such as ethical hacking have led companies to revise
their stance on security policy.
But before a company decides to go for ethical hacking, there are certain
things that the client has to be clear about, ranging from providing the right
information to the right people to knowing what to expect from such tests. Every
intrusion team will ask for some information upfront. Any information that is
easily obtained and already public (DNS records, InterNIC information,
registered IP addresses) should be provided to reduce the information-gathering
time. The bottom line, in every client's own interest, is to know what
information to provide, how much to provide and when to provide it; otherwise
the whole purpose of the test is lost. The client should never provide
information such as firewall rule sets, internal network diagrams, user account
names and passwords, modem numbers or other non-public information. Likewise, a
good intrusion team should not ask for this information, and if they do, their
genuineness comes under a cloud.
Apart from that, before testing begins, a clear scope and timeframe should be
defined. This avoids the creeping deadlines a team faces when an attempt is
unsuccessful. Care should also be taken not to make the timeframe unnecessarily
short, as this will not allow the team to carry out a thorough investigation
and provide accurate results. Typically, an intrusion test takes place over a
couple of weeks.
Another significant decision is whether to perform Denial of Service (DoS)
attacks against systems. This depends on when a company wants the tests run,
since hacking, ethical or otherwise, is not welcome during production hours.
Ideally, such tests are scheduled during a maintenance period or the least
active time of the day to minimize the impact. Another factor is the intrusion
team's ability to identify at least some possible DoS attacks and to recommend
appropriate protective measures.
Every intrusion test should have a specific and focused goal, and in this case
the goal is arguably the most valuable information held on the site. What counts
as valuable varies between companies and market segments: for a dot-com it may
be the customer list or their credit card information, while for a publishing
company it is most likely the published content.
Another important aspect of penetration test results is that they need not
provide details about overall security vulnerabilities. They may identify a
single, specific issue that the testers used to gain entry, and may offer some
general details about security improvements, but this gives no insight into the
wider security issues of the systems. What a penetration test will provide is
an itemized list of the exact security breaches found in avenues such as dial-up
connections, mobile devices and Web servers. For this reason, it is always best
to perform a penetration test after the security review.
Clients should make it a point to review the deliverables they receive from the
intrusion team, including all attacks attempted (successful or not), all the
information gathered (paper and electronic) and recommendations on how to fix
any holes found. It is also in the client's interest to insist that the
intrusion team sign a statement confirming that they have returned any and all
information at the end of the intrusion test.
It is advisable that clients keep an open mind when receiving the final report
and do not jump to conclusions based on the results. Even if the intrusion team
is unsuccessful at breaking in, fool-proof security cannot be taken for granted.
In fact, the saying "expect the unexpected" fits best here, so it is advisable
to have a full security audit done as well. This also helps identify security
issues other than technological ones, including organizational and
process-related issues.