^

Business

Penetration testing – the basics

- KPMG corner By  Jeannine Roxas-Ducusin -
May 20, 2008 | 12:00am

Penetration testing as defined is the process of exploiting weaknesses in a computer or the network infrastructure.  A real-world hacking technique is used to exploit targeted system or network. It helps organization to accurately define the level of information security and identify the weak elements that need to be addressed. More so, it aids in evaluating an organization’s detection and response capabilities and determines whether proper controls are in place. Penetration testing, for some, is perceived as Vulnerability Assessment. Although the two processes comes hand-in-hand in terms of identifying technical security weaknesses, penetration testing is more intrusive in nature and involves active analysis of systems for any weakness, vulnerabilities or technical flaws.

There are two main approaches in conducting penetration testing, the black-box testing and the white-box testing.  Black-box testing, also known as the “zero-knowledge,” is a test approach with no prior knowledge of the infrastructure or target network. White-box is a test approach with complete knowledge of the target network. Black-box tests are similar to a real life hacking attempt. When organizations hire third party consultants, generally only people with need-to-know will be informed about the whole idea of the testing. During white-box testing, all information about the infrastructure including network devices and servers are provided by the organization. The type of test has to be decided by the organization as there are pros and cons for each. The main idea being, organizations should decide whether to skip the time consuming part of the information gathering, to conduct a shorter more in-depth white box test or to experience a real simulation of an actual attack on the network. 

What are vulnerabilities?

A vulnerability is essentially a weakness or flaw within the information technology (IT) infrastructure, this may be physical, technical or human in nature.  The most basic definition would be “any flaw in computer security that could allow an unauthorized user to gain control of a system.”

It is important to identify the vulnerabilities within the computer system, the risks associated with it, as well as the probability of exploiting it. With this in mind, a matrix of risk associated with all important assets of the organization may be defined. This is a fairly important practice in managing vulnerabilities. 

What do you want to achieve?

There are two major goals in conducting penetration testing/vulnerability assessment. First is to assess and/or test everything possible. A holistic approach should be considered as an intruder needs only one hole to break into the network which may bring the whole infrastructure down. It does not matter if the hole lies in the primary firewall or through a modem connected to an executive’s computer. Often, time and cost are two factors that get in the way of a complete and comprehensive vulnerability assessment/penetration testing. The time spent in conducting the assessment/test cannot be shared with other tasks and the cost may even limit the tools and resources to be used. For an organization with budget constraint, there are a number of tools that are completely free. However, usage of such should be restricted to the technical people or to those who are very well trained in handling such powerful tools. The second goal is to generate a clear, concise report that can be read, understood and used by management. One of the most common mistakes in running vulnerability assessment tools is to run it with all the default options. As this is set to the default mode, a default report will be generated and then print out thousands of pages with every vulnerabilities found – from the non-password protected telnet session on the organization’s primary servers, down to the very detail such as a workstation responding to a ping request. This method carried with it a significant number of pages for the technical people to read, and numerous vulnerabilities; the big question is – what is the value of this type of vulnerability assessment?

Some professionals and even organizations rely solely on the latest available scanning tools to perform assessments, but scanners are only one part of the complete vulnerability assessment process.  Over reliance to such tool can leave holes which may lead to information security compromise. Methodology is one of the most crucial factors in the success of a penetration testing/vulnerability assessment. An important area to consider is the trustworthiness and reputation of consultants who will be conducting the testing.  A penetration testing professional’s skills need to be specialized for the task and job to be done, and the approach should have a formal methodology and should provide a disciplined framework when conducting penetration testing/vulnerability assessment. 

In summary

The ultimate goal of a penetration testing/vulnerability assessment is to produce useful results, directed towards addressing technical issues and how will it benefit the business as a whole.  While a CEO may be more concerned on how the entire security system of the organization is doing as compared with industry standards, a chief technology officer (CTO), would be more interested in the details of a potential security hole.

Presenting the return on investment (ROI) for a penetration testing/vulnerability assessment can be difficult as it is a proactive maneuver. Sadly, this is not the way most organizations act when it comes to information security, everything is reactive. An action is not taken unless a breach or intrusion had occurred. Information security, as well as local regulation (i.e., BSP Circular 542) awareness, is rising, so the understanding in going through a Penetration Testing and Vulnerability assessment is growing. As part of a computerized organization, whether you are a with the technical or the business group, I would like to leave the following questions:  How secure do you think your technical environment is? Who is inside and watching your network? Who has access to your data? Are all confidential information appropriately secured?..... Where are you now in terms of information security?

(Jeannine Roxas-Ducusin  is a Manager  for Risk Advisory Services of Manabat Sanagustin & Co., CPAs, a member firm of KPMG International, a Swiss Cooperative. This article is for general information only and is not intended to be, nor is it a substitute for, informed professional advice. While due care was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances. For comments or inquiries, please email [email protected] or [email protected])

vuukle comment

ASSESSMENT

JEANNINE ROXAS-DUCUSIN

PENETRATION

TESTING

VULNERABILITY
  • Latest
  • Trending
Trending
Latest
Trending
abtest
abtest
Marcos signs law imposing 12% VAT on foreign digital services

Marcos signs law imposing 12% VAT on foreign digital services

By Cristina Chi | 1 day ago
President Ferdinand Marcos Jr. has signed into law a measure that taxes foreign digital services, which includes overseas-based...
Business
fbtw
Why is oil price yet to ignite on Middle East escalation?

Why is oil price yet to ignite on Middle East escalation?

By Polmalo Lebris | 1 day ago
"Until the geopolitical situation in the Middle East deescalates, oil prices will clearly remain at risk of spiking high...
Business
fbtw
Marcos opens first EV battery plant in Philippines

Marcos opens first EV battery plant in Philippines

2 days ago
President Ferdinand Marcos inaugurated on Monday the first factory for electric vehicle batteries in the Philippines, calling...
Business
fbtw
New Cebu Pacific Airbus jets to land in 2029

New Cebu Pacific Airbus jets to land in 2029

By Elijah Felice Rosales | 9 hours ago
Low-cost carrier Cebu Pacific will start receiving its new batch of Airbus aircraft in 2029, and plans to assign these units...
Business
fbtw
BIR unlikely to meet collection target

BIR unlikely to meet collection target

By Louise Maureen Simeon | 9 hours ago
With a quarter left in the year, the Bureau of Internal Revenue may have to settle with a missed collection target even with...
Business
fbtw
Latest
abtest

Fixing a national shame

By Boo Chanco | 9 hours ago
Our international airport in Metro Manila has been a constant source of embarrassment and annoyance for many Filipinos over the past years. It is a national shame that captures all that is bad about the Filipino’s...
Business
fbtw
Meat imports breach 750,000 MT in 7 months

Meat imports breach 750,000 MT in 7 months

By Jasper Emmanuel Arcalas | 9 hours ago
The country’s meat imports continue to grow this year as total volume at the end of July rose by almost eight percent...
Business
fbtw

Phl economy remains resilient resilient

By Marianne Go | 9 hours ago
We must be doing something right even though we all feel that the cost of living has gotten more expensive, as some foreign economists still see the Philippines as performing better economically than some of its...
Business
fbtw
‘India can be a viable source of imported rice’

‘India can be a viable source of imported rice’

By Jasper Emmanuel Arcalas | 9 hours ago
The Philippines can turn to India to source more affordable supplies after the South Asian country lifted its export ban on...
Business
fbtw
Philippines air travel to fully recover in 2025 – IATA

Philippines air travel to fully recover in 2025 – IATA

By Elijah Felice Rosales | 9 hours ago
The Philippines is expected to climb back to pre-pandemic levels of air travel next year, lifted by the expansion of its international...
Business
fbtw
Recommended
Are you sure you want to log out?
X
Login

Philstar.com is one of the most vibrant, opinionated, discerning communities of readers on cyberspace. With your meaningful insights, help shape the stories that can shape the country. Sign up now!

Get Updated:

Signup for the News Round now

FORGOT PASSWORD?
SIGN IN
or sign in with