by Esam Nimer
4:00 min. read | Audio
The CIS controls have covered basic network practices, user and account management, software protection, hardware issues, and human concerns. In the end, the question remains, do these measures adequately prevent or combat hostile actions? Being successfully attacked by a hostile party isn't the best way to discover vulnerabilities. CIS Control #20 covers penetration testing and Red Team penetration exercises, two different but related ways to discover vulnerabilities within a network. Both ways are used to test an organization's data defenses without suffering actual damage.
Penetration testing aims to discover flaws and interpret their impact on the business. The results are then used to develop a remediation plan to better secure the organization’s environment and build a more robust security stance. By utilizing a range of available tools, penetration testers are able to perform different types of actions including information gathering, scanning, exploitation, and password / application attacks.
The goal of a penetration test is NOT to cause harm to the network. Although approval may be granted to perform potentially harmful tests on specific systems, this should not be performed unless a well-documented recovery plan exists. If sensitive data is discovered during testing, rather than exposing all data, it is best practice to sample a couple of items and then alert the appropriate personnel of the exposure. Downtime type of attacks such as denial-of-service should not be performed. It is best to provide the business-risk associated with any identified denial of service vulnerability.
Running both internal and external penetration tests will measure a network's vulnerability to both kinds of attack. A network which limits available protocols and services (Control #9) and access rights (Control #14) will make it difficult for most internal attacks to get far, and testing will let the administrators find out just how good the protection is.
One way to reduce risk is to run penetration tests on a system that is exactly like the production system, but without live data. However, making it truly equivalent in its protections and weaknesses can be difficult.
Red Team exercises
In the Pink Panther movie Inspector Clouseau's assistant, Cato, was under orders to attack him at any time in order to keep him vigilant. This is similar to how a Red Team operates for a computer network. Along with penetration testing, the team can use social engineering and other personal tricks including phone calls, impersonating people in authority, or leaving a quasi-malicious USB stick lying around. A skilled red team can combine multiple approaches and use manual or automated penetration methods to accomplish their tasks.
As with penetration testing, the Red Team has to stop short of real harm. The best people for Red Teams are often people with a hacker mindset. It's necessary to agree on parameters in advance, or monitor actions carefully, to make sure permitted limits are not exceeded.
Scope of the tests
A good test aims for specific goals rather than poking around at random. The scope of a test should be predefined to cover an organization’s security concerns. A tester might try to install software on a machine, log into an account, run a tailored SQL statement, or gain direct access to a database. Critical intrusions are not required to meet every goal; even acquiring information about the network's organization or viewing logs can be a first step toward deeper penetration that reveals a weakness.
A Red Team may operate over an extended period of time, discovering small weaknesses at first and then building on those. If a team takes a week to discover a password, it can make rapid progress from that point. The results of each step of the test should be documented in order to assess the findings and measure progress.
Administrators should be aware that tests are in progress, and their response is vital. They can't ignore an action if they think it’s a test and at the same time, they can't let the testing derail them from their normal duties (including the discovery of real threats). Indeed, a Red Team's purpose may be to confuse them, so they can't tell tests from genuine attacks.
Although awareness of ongoing attacks is the norm, there are some advantages of performing unannounced tests. These may provide evidence of unauthorized web servers hosting video games or supporting unauthorized personal side business.
Simulated attacks need careful planning and supervision so they don't create their own risks even while they're a necessary part of the methods used to protect highly sensitive information.
The results of a Red Team or penetration test can be extremely beneficial for an organization since it will provide management and security personnel with a clear picture of the security weaknesses that can affect the organization. A real-world understanding of the identified vulnerabilities and available exploits will bring greater awareness of the impact to the business should it be hit with a real attack. The results and recommendations will outline the different ways a vulnerability can be remediated and validated, thus strengthening the organization’s overall security posture.