Penetration Testing - Essay Example

Penetration Testing al Affiliation Penetration testing hopes to achieve flawless systems thathave an all-round protection from any kind of intrusion. This is a report to show the findings and recommendations for penetration tests conducted to a high-end financial firm that deals with processing of loans for college students. The penetration tests conducted in the firm’s business system follow the (Trusted Computer System Evaluation Criteria, (TCSEC) standards of security testing (Department of Defense, 1985). In the standards documentation, of importance will be the testing of behavioral aspects of the system to identify possible security control breaches. E-commerce systems tend to be high-end targets to security breaches and vulnerabilities. Such vulnerabilities can be exploited by conducting certain attack tests that target to steal information and corrupt the system functioning. The tests are carried out in a controlled environment where due damages may be reversed and the system retracted back to a stable state. However, not all systems use the same principles for penetration testing. Various systems call for various methods so as to exploit their varied vulnerabilities. An e-commerce system, for instance, stands to suffer security risks more through attacks where it crosses through networks. Therefore, for an e-commerce system, a unique testing methodology is carried out, where the authentication systems used are inspected and exploited to show any possible vulnerabilities. This form of tests are carried out in an environment where they can exactly mimic the behavior of such attacks. That is, they occur in real-time, parallel to the system as such attacks would. E-commerce systems keep on growing in functionalities and complexities by the day. E-commerce systems are now being spread out to include applications in mobile devices and web-based application systems. As these functionalities continue to grow, so do the security risks for such a system. For such an extensive system, to effectively do the penetration tests they need to include applications penetration tests. These penetration tests will cover the normal vulnerabilities such as SQL injections and Cross Site Scripting and Cross Site Request Forgery tests. Penetration tests conducted for this firm cover the major cross-interaction gateways in the systems. That is; payment integration flaws, flaws in the system’s content manager amongst other vulnerability tests. Several conventional attacks in e-commerce systems are carried out on the payment gateways. For example, an attacker may use price identifications displayed on websites and alter them on the client side. That is, if a service is displayed to go for $10, the attacker may make changes that may even make the system accept zero values. Tests on payment gateways may be carried out to check the possibility of callback URLs at the specific address of price alterations during run-time. The system will be tested in a Linux environment, defining and exploiting problems. Reason for this being that, the Linux environment is stable and vast enough to manipulate a system in. A Linux operating system provides wide access to features that can be of use in exploiting a system. The main tool that is to be used to exploit vulnerabilities and loopholes in the system’s security is Netfilter. Netfilter is used to specifically test firewall vulnerabilities. For other less specific tests, the cURL will be used as the main command line tool. Its use will be vast for the system but will mostly be utilized on the data transferring aspect of the system. Other tools will be used in various sections alongside cURL. The reason for using cURL as the main tool is its ability to support several protocols. These protocols include, HTTP, IMAP, HTTPS, SMTPS, TFTP, FTP and Telnet amongst others. The tool is also impressive in its ability to relocate and support form uploads and SSL certificates and more data transfer techniques. In frame distribution, a performance may be carried out with the Netfilter tool to identity the throughput of TCP. Determining a TCP’s transfer size is essential in identifying the optimal operational size. In this test, two computers will be connected to each other using a crossover patch cable. This test is essential in determining the number and amount of packets being transferred from one computer to another. Low bandwidth may affect the rate of packet transfer. The size needs to be huge enough to accept data packets of a given input size evenly in between computers. For the test, different sizes of frames will be used. The frame sizes contain values of an IPtable on which they are tested against. The results for this test show that output. Increasing the rule sets decreases the output for the IPtables. A conclusion, on this test only, can be stated that the performance of the TCP decreases with increase in number of rules. There may be other theoretical factors that may affect the performance but since this test deals with the worst case, taking only the rules factor into consideration (Kadlecsik & Pasztor). As there may be practical problems revolving penetration testing, there are many legal issues that need attention before any penetration tester may begin working. One most important legal issue is legal authority. When carrying out a penetration test, one is usually in the act of breaking in a system. For this reason, as a penetration tester/ ethical hacker, it is best to first start off by ensuring that you have the right permission to do so from a system’s owner. That is, test the system with confirmed permission or break into one with a sense of consent. According to Rasch (2013), it is a computer crime to attempt or access a network, computer or a system without the owner’s permission. One other issue that should always be considered is that of damage control. Before a penetration tester attempts to start working on a system, there needs to be an agreement by both parties on the extent of damage that may be allowed. Also, there should be an agreement on what ought to happen should the damage control go beyond its set limits. It is best practice that a pen tester (penetration tester), being the expert, analyses the system then informs the owner on all possible damages that may occur and the most likely to occur during the pen tests. This way, responsibility is accounted for as the system gets tested. Privacy issues may act as resistance to getting a system optimally tested by a pen tester. With many organizations, confidentiality of their data is a crucial part of the pen test processes. It may actually be a main reason as to why the pen tests are being carried out. Pen tests usually tend to reveal confidential of data that may not only put an organization at risk, but also the general public who happen to be their clientele. It is in such cases that agreement issues between the system owner and the pen tester arise. The pen tester could be asked to sign Business Associate Agreements or None Disclosure Documents. Most of these issues get solved depending on how the pen tester and the system owner relate in terms of agreements (Rasch, 2013). Another legal and ethical issues that may be experienced during penetration testing exercises is that of Data ownership. This usually comes as a disagreement after the work where both the system owner and the pen tester want the results of the tests as their own property. This should, however, not be a huge problem as the standards are already laid out as explained by Rasch, (2013). In the standards of operational, a pen tester should be accredited for the methodology used in performing the tests but the results obtained and the recommendations given are always the system owner’s property. This is the case unless otherwise agreed upon. A system owner and a pen tester may agree to both have the results of the test, but that only comes after the standards have been identified and rejected according to the two parties’ preferences. For a pen tester to be in operation, they need to show proof of their certification and licensing to perform tests on various business systems. Certifications in penetration testing may be acquired from well recognized institutions such as Information Assurance Certification Review Board (IACRB) and Global Information Assurance Certification (GIAC) which offer Certification in Pen Testing Proficiency and Certification in Penetration Testing respectively. Depending on where a pen tester is operating, requirements and law may be different. Some states only require the certifications while others need pen testers to have licensing such as IP Licensing. The drawing in the appendix below shows a re-make in the design of the business network to a more secure one. From the results of the pen tests, the management network may be vulnerable due to its size and immediate access to the employee side LAN. From the results, the firm under study carries out most of it sensitive data in between the management computers. To maintain security and confidentiality of data, it is best to create a separate, much harder to reach LAN for the management. It should act as a detached network from the employee LAN, only sharing certain resources in the inter-LAN. System vulnerabilities in this system exist where file transfer is massively used. Between transferring customer information from the web based server to the main server and data transfers between the partnering companies, a more secure system would need to implement a restricted intranet. The intranet should join LANs or wireless connections in between partnering companies. This was, restricted access on a hardly accessible network will ensure that attack threats are eliminated right from the access points. References Department of Defense, (1985), Trusted Computer System Evaluation Criteria. Kadlecsik, J. and Pasztor, G. Netfilter Performance Testing. Rasch, M. (2013), Legal Issues in Penetration Testing, Security Current. Retrieved from, http://www.securitycurrent.com/en/analysis/ac-analysis/legal-issues-in-penetration-testing Appendix Read More