
Pen Tests: Under Attack

Can your systems really benefit from pen testing?

By

October 01, 2003

CSO — Something was wrong with the Web server. It was nearly 5:30 p.m., and no mail had been delivered for roughly an hour. When I logged on, I discovered that the disk partition dedicated to incoming e-mail was pegged at 102 percent of capacity. And on my server, the system load, a measure of how hard the computer is working, had jumped from its normal level of 0.5 to an all-time high of 27. Perhaps all this was related to the fact that my server, which normally takes close to 8,000 hits a day, had received more than 20,000 hits during the past two hours, many of those hits requesting URLs that looked suspicious.

My system was clearly under attack. But by whom? Then I remembered: I had asked SPI Dynamics to unleash its website auditing tool, WebInspect, against my home server. Not just any auditing tool, WebInspect is specifically designed for pen tests (shorthand for penetration testing) of Web-based applications. The program uses a Web spider to map out every page on the server, examines each page for Web errors that an outsider could exploit, and then tries to exploit them.

"Go ahead and whack my system," I had told the company two days before the incident. And so it did.

Now if this had been a normal attack, I would have responded by setting up a rule blocking my server from the attacker's IP address. But not this time, because I wanted SPI Dynamics to use its tool against my website; I wanted to know if I had any vulnerabilities. What I hadn't expected was that the tool would find the one script on my Web server that required 10 CPU seconds to run, and then repeatedly run that script 30 times a minute, firing off each new request long before the previous one had a chance to finish. That's why the load on my server had spiked.
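Added example, not code from the article or from SPI Dynamics: a small Python check for the pattern described above. It reads Web server access-log lines (a constructed sample is embedded, with made-up client addresses and a hypothetical script path) and, for each client and script, estimates how many copies of a script of known CPU runtime are in flight at once (arrival rate times runtime, Little's law). The sample's 30 requests per minute against a 10-second script reproduces the overlap the author saw.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Common Log Format: one client hitting a slow CGI script
# every 2 seconds for a minute, plus one unrelated request. Addresses, path and
# timestamps are invented for this example, not taken from the article.
SAMPLE_LOG = "\n".join(
    f'203.0.113.7 - - [01/Oct/2003:17:00:{s:02d} -0400] '
    f'"GET /cgi-bin/slow.cgi?id={i} HTTP/1.0" 200 2048'
    for i, s in enumerate(range(0, 60, 2))
) + '\n198.51.100.9 - - [01/Oct/2003:17:00:30 -0400] "GET /index.html HTTP/1.0" 200 1024\n'

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def parse_log(text):
    """Yield (client ip, path without query string, timestamp) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], m["path"].split("?", 1)[0], ts


def overlapping_requests(text, runtime_s, min_requests=5):
    """For each (client, script) pair, estimate concurrent copies of a script
    whose CPU runtime is runtime_s seconds: requests per second * runtime_s.
    Returns the pairs where a new request arrives before the previous one
    can finish (estimated concurrency above 1), i.e. load will pile up."""
    hits = defaultdict(list)
    for ip, path, ts in parse_log(text):
        hits[(ip, path)].append(ts)
    findings = []
    for (ip, path), times in hits.items():
        if len(times) < min_requests:
            continue
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        rate = (len(times) - 1) / span if span > 0 else float("inf")
        concurrency = rate * runtime_s
        if concurrency > 1.0:
            findings.append({"ip": ip, "path": path, "requests": len(times),
                             "per_minute": round(rate * 60, 1),
                             "est_concurrency": round(concurrency, 1)})
    return findings


if __name__ == "__main__":
    for f in overlapping_requests(SAMPLE_LOG, runtime_s=10):
        print(f)
```

The runtime_s figure has to come from your own profiling of the script; the check only says how many copies a given request rate keeps running at once.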

Accidents like that have given penetration testing a bad name in the past. The goal of penetration testing is to find vulnerabilities in production systems so that those vulnerabilities can be patched. But if the person conducting the test doesn't apply extreme care, the test itself can become destructive. Such situations quickly escalate from being mere embarrassments to becoming full-fledged money-losing events. Oops.

Penetration testing goes back decades. In the 1970s, members of the U.S. military set up "tiger teams" or "red teams" with hotel rooms filled with communications equipment. Their goal was to see if they could break into sensitive computer systems or communications links run by other groups inside the military. A few security-conscious companies outside the defense establishment started pen-testing in the 1980s. Sometimes the attacks were physical, sometimes they relied on social engineering, and sometimes they were purely electronic. Alas, they were almost always effective.
