IT Penetration Testing
One of my favorite movies from the 1990s was Sneakers, with Robert Redford, Dan Aykroyd, Sidney Poitier and other notables. It introduced a small band of experts who carried the audience through a seat-gripping intellectual thrill ride. Primarily a group of ex-criminals, the main characters employed a variety of clever devices and techniques to break into banks. They exploited the weaknesses in each bank's security, alarm systems and personnel. After breaking in, they presented the money they absconded along with a full report on the weaknesses they encountered, identifying possible measures to improve security. It was a clever work of fiction but could there really be men and women who make a living at putting security systems to the ultimate test?
In much the same way my silver screen icons outwitted some of the most sophisticated security systems, there are real students in real classrooms learning how to find the vulnerabilities in real computer networks owned and operated by real companies. Once trained and certified, these experts perform IT Penetration Testing or Pentests and then supply the client with detailed information regarding the weaknesses in its software, hardware, and personnel. Such tests provide valuable information and are much more common than what was portrayed on the big screen.
A few organizations have worked to create an industry standard and a set of guidelines and methodologies for the purpose of creating curriculum, providing support for professionals and identifying a measuring stick for performance evaluation. While these benefits are attractive and fall within the realm of measurability, which makes managers, marketers and customers more comfortable, the very idea of creating a standard runs contrary to the most valuable asset a pen-tester possesses. Their ability to think outside of the box and conceive of new and sometimes radical methods of attack make him or her more effective in identifying the chinks in the armor of the system at hand. It is imperative that the pen tester learn to think like and pre-empt the malicious hacker's creative attempts to penetrate the client's systems. The hacker will not follow a pre-determined guideline, so neither should the tester, if he or she really wants to be effective at more than going through the motions and producing a lengthy and redundant report. Standardized methodologies can serve an important function in the education of would-be pentest professionals but once the rudiments are learned, the standard should take a back seat, allowing experience and creativity to commence the learning.
IT Penetration Testing is not the only way to ensure a system is secure but can any system be considered so without it? I recently read about a company that fell victim to the theft of a large amount of customer information, including social security numbers, birth dates, account numbers, passwords, security question answers and other information. The theft occurred over five years ago and yet one IT security professional demonstrated on his blog, just how vulnerable that company's website remained after the attack. He was not intent in doing harm but he showed that such would not have been very difficult if his intentions were less than ethical. I think it is safe to say that the company in question spent a large sum on improving its system security. Is it also safe to say that the company did not hire a competent pentester to examine its systems? The interesting thing was that the methods used by the hacker to do all of that damage were not very advanced. I would contend that an effective penetration test would have saved the company a literal fortune in IT upgrades, court costs and lawyer fees, settlements if any and a virtual public relations nightmare (pun intended). The hope is that you and I will learn from this expensive lesson and save ourselves massive grief in the future by having our servers tested today.