Penetration testing is by no means an exact science. Each test tends to be unique, and numerous problems -- server outages, application availability problems, user account lockout and others -- can occur due to the nature of the tests themselves. Equally common are process and political challenges, which may result from lack of proper communication or coordination between solution providers and organizations.
This tip will discuss how to do penetration testing, covering some of the most common issues that arise during pen tests, and providing guidance on how best to overcome them.
Technical issues
Security solution providers, even including the top
penetration testing companies, face a number of technical issues when conducting pen tests. By
far, the most common technical issue is system or application unavailability, which may be caused
by overwhelming network traffic from scanning tools like Nmap and Nessus, or by
application-specific testing tools like HP WebInspect or IBM AppScan.
Requires Membership to View
To gain access to this and all member only content, please provide the following information:
By submitting your registration information to SearchSecurityChannel.com you agree to receive email communications from the TechTarget network of sites, and/or third party content providers that have relationships with TechTarget, based on your topic interests and activity, including updates on new content, event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile, unsubscribing via email or by contacting us here
- Your use of SearchSecurityChannel.com is governed by our Terms of Use
- We designed our Privacy Policy to provide you with important disclosures about how we collect and use your registration and other information. We encourage you to read the Privacy Policy, and to use it to help make informed decisions.
- If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States.
After flaws in systems and applications are found, and the final report has been delivered, the organization being tested
may dismiss the findings
as less critical than the solution provider rates them.
In the first case, the network team will likely notice the volume of traffic, and the fix will be straightforward: Throttle back the scanning speed to an acceptable level for the network being tested. In the latter case, the lack of availability will likely be due to a specific application flaw, where application forms or other input acceptance channels are being bombarded with somewhat malicious data. To resolve this, in many cases, the solution provider and the application owners must review log files and discuss what went wrong. Usually the problem is obvious, and the testers can exclude specific testing types or avoid particular pages in the application during the remainder of the test. Meanwhile, the application flaw should be noted in the final report.
Another type of availability issue that can occur during pen testing concerns user account lockout, often caused by solution providers attempting to log in to authentication interfaces rapidly with “brute force” logins. If this happens, there are three possible ways to resolve the issue:
- Remove authentication brute force attempts from the scope of the test.
- Throttle, or limit, the frequency of login attempts with automated tools.
- Have the organization remove or change the user account lockout policy setting for the duration of the test.
Other technical problems may arise from the use of specific exploit code that renders services unavailable or systems unstable. When this happens in a production environment, the solution is to avoid the use of these specific exploit types for the duration of the test, although the vulnerability should be noted in the final report. To allay concerns around any of these technical issues, solution providers should discuss the possibility that services may become unavailable and systems may become unstable during the initial scoping phase, and ensure all involved stakeholders understand the inherent risks of ethical hacking activities.
Managerial issues
Many problems that occur during pen tests are more managerial or political in nature. One
common issue is a lack of communication between the security team requesting the test, and the
business or application owners in other parts of the organization. In many cases, the business unit
finds out about the test after it has already started, or worse, when technical issues occur. This
can cause significant political turmoil, and will usually delay the project. The best way to handle
this issue proactively is by pointedly asking whether all stakeholders are involved at the onset of
the engagement. Doing this, however, provides no guarantee all stakeholders are on
board.
Another common experience solution providers will encounter relates to the delivery of findings. After flaws in systems and applications are found, and the final report has been delivered, the organization being tested may dismiss the findings as less critical than the solution provider rates them. Unfortunately, this is a risk decision that can only be made internally by the customer, and the solution provider is not accountable for this. As long as the findings are valid technically (and the solution provider has vetted them appropriately to remove false positives), under no circumstances should the testing results be changed or reduced in severity solely to “save face” or smooth political or compliance concerns internally at the organization. This represents a common ethical dilemma faced by pen testers, and it is important to uphold the highest integrity standards at all times.
These are the most common issues likely to be experienced during pen tests. Being aware of the issues in advance, and having a plan for how to handle them, will make pen tests much smoother for both solution providers and their customers.
About the author:
Dave Shackleford is the founder and principal consultant with Voodoo
Security, as well as a SANS analyst, instructor, and course author and GIAC technical director. He
has consulted with hundreds of organizations in the areas of security, regulatory compliance, and
network architecture and engineering. He is a VMware vExpert and has extensive experience designing
and configuring secure virtualized infrastructures. He has previously worked as CSO for
Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and
manager for several Fortune 500 companies. Dave is the co-author of Hands-On
Information Security from Course Technology as well as the "Managing Incident
Response" chapter in the Course Technology book Readings and Cases in the Management
of Information Security. Recently, Dave co-authored the first published course on
virtualization security for the SANS Institute. Dave currently serves on the board of directors at
the Technology Association of Georgia's Information Security Society and the SANS Technology
Institute.
This was first published in August 2011