Penetration Test for an Organization - Term Paper Example

? Penetration Test for an Organization Introduction The al systems and information technology has suffered a major setback over the last decades following the technological advancements. The technological integration and advancement has resulted into an increase in the internet connectivity demand that is characterized by the soaring shortage of IPv4 IPs. The rise in the demand for internet connectivity has also been closely observed by criminals who target network systems of organization. With the rise in technology and computerization of the operations, the organizations often suffer security threats imposed to the organizations by the technological exposure (Allen, 2012). This poses a threat to the ability of the organization to protect their secret information and other essential information that should not be exposure to the public or unauthorized persons. The most commonly deployed security systems include anti-virus software, firewalls, and intrusion detection systems. The organizations and institutions are interested in securing their information systems in order to protect some of the vital information and contents that are restricted to non-executive members of the firm. However, this is not very effective as these institutions are faced with the task of ensuring proper information security. It is reported that most organization incurs losses because their security systems are hacked and critical details of the organization exposure to the competitors and enemies. This therefore lowers the ability of the organization to excel and protects its key information systems. The business community is not spared too. Hackers pose a great security threat to the secrecy of information of organizations and the business community. In attempting to improve information and system securities, organizations and leading institutions are forced to massively investment resources in protecting their systems and safe guarding all the critical information through the construction of thick security walls. One of the approaches that is commonly used by organizations in attempting to protect their systems is conducting penetration test (Wilhelm & Andress, 2011). Penetration Test and Organization A penetration test is basically a method in which the security of a network and the computers that are involved in the network are evaluated so as to determine the degree of security on the network or the strength of the response to the breach of the security. It is also referred to as a pentest which is a short form of the term in full. A penetration test is conducted by simulating an attack to the system from either external or internal threats, or both, on a network or a computer system (Allen, 2012). It is therefore evident that penetration testing is vital for ABC Company which has high presence in the internet. In the present day, the world is indeed a global village and due to the fact that information is power, every organization endeavors to protect its information from people who would go to any length to obtain information from an organization. Organizations and institutions use penetration test as a way of identifying the weakness and vulnerabilities of their security and network systems and making necessary protection measures. The penetration test entails the application of attacking methods that are conducted by professional who are entrusted with the organization’s essential information. However, the same attacking systems are used by the hackers and hostile intruders, hence posing more threat to the organization following the fact that such information are very sensitive to be exposed. Depending on the nature and type of the penetration test to be conducted, the entire security building process entails IP address scan in order to assist in the identification process of machines used in the offering of the system information and other services with known degree of vulnerability and further exploiting the existence of any unpatched operation system that may also be vulnerable to hacking (Singh, 2012). After the penetration test has been conducted, the outcome of the test that shows the level of information and system vulnerability of the organization are then presented and documented by the organization in order to help identify how the vulnerabilities identified in the system may be resolved. The penetration test is conducted on regular interval in order to help in continuous vulnerability identification process and therefore, enhancing the security of the organization’s systems. Penetration test is therefore an attempt by an organization to breach its security networks and system to identify any form of vulnerability, misconfiguration, or weaknesses of the information system with the purpose of testing the intrusion detection capacity of the firm and increasing the security related issue awareness particularly among the top management organs. Secondly, penetration test plays a significant role in assisting the upper management in making rational and informed decisions bearing in mind the system vulnerability standards of the organization. Owing to the economic cost related to addressing the vulnerabilities, the management may choose to only address weaknesses found in the system as the entire vulnerability correction may be unaffordable. Like other security tests, penetration test has its limitations too. The major weakness of this system and network vulnerability test is the fact that if not properly conducted; penetration test is likely to result into congestion and hence causing system crush and compromising the system making it exposure to unauthorized intruders. Penetration Testers: A changing Role Like the hacker system, the penetration tester focuses on breaching the network system of an organization with the aim of improving security and protection. Initially, the patterns and methods employed by penetration testers were similar to those of hackers, with the difference between the two being the fact that penetration testers probe the network with no intension of causing malicious damage. Moreover, penetration testers are limited to particular set of systems and networks that can be analyzed as provided in the contractual obligations. For organizations, they reply on their systems and networks for both back and main office operations, therefore, the testing of systems and networks of an organization should be non-intrusive to minimize on the disruption of service delivery. To avoid future information leakage or any potential damage from potential hacking incident, the organization would hire penetration tester to secure their systems and information. However, in so doing, the corporation must comply with external information standards such as HIPAA, ISO 27001, DSS, PCI, and Sarbanes-Oxley (Allen, 2012), which recommend security review standards for all corporations. Objectives of Penetration Testing The main objective of the penetration test is to find out all the areas of vulnerability of a system or a network in which the penetration test is conducted. In the case of ABC, the test would be conducted on their computer networks internally and externally and generally the internet connections of the company. Vulnerability of the systems is basically anything that may heighten the likelihood that an attack on a company’s system would lead to the disruption of the company’s activities as well as unauthorized personnel accessing intelligence information which may be used against the company. Normally, areas of highest vulnerability may be the design of the system where the system may have design flaws that may prove destructive to the organization when not discovered in time (Wilhelm & Andress, 2011). Besides the design flaws another area of vulnerability is the system configuration errors and also software bugs which may interfere with the functionality and efficiency of a system. However, these can be easily traced by the penetration test since they are not caused by malicious intrusion by are accident that may occur during the development of a system and its implementation and can be quickly resolved by a little re-engineering. On that note, the first step before conducting an in-depth penetration test on ABC Company would be to scout for these common vulnerabilities and fixing the issues first due to their nature since they are less complex and easy to resolve (Allen, 2012). Before conducting further test on the company’s systems, it is important to identify the reason as to why the test is being conducted in the first place. In most cases, organizations conduct penetration tests once they discover anomaly in the operation of its systems and networks. It is therefore, in this case, a reaction to a threat which may have already occurred. On the other hand proactive organizations may conduct the test upon installation of new systems, to want to find out the threats that the organization faces in advance so as to be able to build strong defense against the threats. The test may also be conducted not just on new systems, but also regularly on the existing systems as a routine check. ABC may also be a company that deals with types of data that are highly sensitive whose handling must be secure for example, if it conducts financial services. This kind of data is normally regulated and the regulators insist on the performance of the test as part of regulation requirements. It is therefore important to note the reason for conducting the test (Wilhelm & Andress, 2011). Plan of Action for the Penetration Test The initial step in the process would be to convene an introductory meeting where the details of the test would be conducted and where any questions are to be asked as well as clarifications made. This meeting is expected to cover the scope and goals of the pen-test as well as clarify the parties involved. Besides the scope the duration of the test is also vital so as not to disrupt the daily activities of the organization. This is because some of the tests will need to be conducted when the systems are freed up from much activity since some of the tests are risky and may result to the crushing of the system due to large amounts of traffic in the system. The meeting will also discuss whether the staff of the organization is to be informed about the test or not. This should be well evaluated since the test results may be affected by the actions or inactions of the staff. It is important to identify that the activities to be conducted during the testing are illegal activities and the information obtained is to be treated with high levels of confidentiality. Finally, the meeting should also see the signing of legal documents by ABC company directors so as to protect the penetration testers from being sued due to the illegal activities conducted during the test (Singh, 2012). After the meeting for planning and preparation with the company, the next vital step is to gather all the necessary information from the organization. This would help in the formulation of a hacker’s mentality as to what he would desire to have from the company and how he would go about hacking into the systems. The best way to collect information on the system of the organization is to conduct a survey. The survey will come up with a list of vital information for example, internet service provider information, server names, domain names and IP addresses of hosts as well as information of the registry domain that belongs to ABC company (Neely, Hamerstone & Sanyk, 2012). Once the information has been gathered it is time to conduct the actual test to find out the vulnerability of the system. This is first done by an analysis of the information collected manually a process known as manual vulnerability scanning. This stage is closely followed by an effort to penetrate the system by first identifying all the areas that may be potential targets for a penetration. This will save on time spent to conduct the test and reduce the risk of conducting unnecessary tests. There are a number of areas in which the test would be conducted. Amongst the basic areas to conduct the test would be products such as servers, firewalls, routers, smart phones and fax servers. Besides these, tests can also be conducted on wireless systems like the wireless fidelity (WIFI) networks and also software and applications used by the company. Other forms of physical protection such as mechanical locks and door entry systems as well as CCTV cameras can also be included in the list of areas to conduct the test (Singh, 2012). In conducting the test a number of tools may be employed. Nmap is a tool that is used to conduct the survey in the collection of information just before the actual test begins. It has the capability of scanning large networks in short periods of time. Nessus is also another tool that is used to scan the vulnerabilities of a network and also gives the steps that could be used against these vulnerabilities. Brutus is also another tool that could be used in identifying the vulnerability of passwords used in a system (Long, 2006). After conducting the actual penetration test and collecting the information required the next step would obviously be an in-depth analysis of the findings of the test. This would help in the compilation of the report to be handed back to ABC Company. The report of the test is then given to the organization in form of a summary and also a detailed description of the vulnerabilities found and hoe they can be handled. Finally, in the penetration test is the step of cleaning up any disorder that may have been caused by the process. References Allen, L. (2012). Advanced penetration testing for highly-secured environments: The ultimate security guide. Birmingham: Packt Pub. Long, J. (2006). Penetration tester's open ource toolkit. Rockland, Mass: Syngress Publ. Neely, M., Hamerstone, A., & Sanyk, C. (2012). Wireless Reconnaissance in Penetration Testing: Using Scanners to Monitor Radios during Penetration Tests. Burlington: Elsevier Science. Singh, A. (2012). Metasploit Penetration Testing Cookbook. Birmingham: Packt Publishing. Wilhelm, T., & Andress, J. (2011). Ninja hacking: Unconventional penetration testing tactics and techniques. Burlington, MA: Syngress/Elsevier. Read More