In Depth

Security: Penetration Testing

Penetration tests are falling in popularity. Here are the keys to making them valuable again.

By Michael Fitzgerald


"I have hundreds of locations with thousands of hosts, and a lot have bandwidth that's sub-128K—there is no way on God's green Earth that I could do a pen test across all these hosts," Gold says. But he can do a vulnerability assessment of them, and then compare vulnerabilities with the known potential dangers. Some vulnerabilities simply won't be problems, he says. An unprotected 56k modem sitting in an airport is one example. It's a vulnerability, and should be identified as such in a good vulnerability assessment. However, the low bandwidth may make that modem a rotten launchpad for attacking the network. And there may be additional controls on the network that further protect against exploitation of that modem. Gold certainly has to know what those controls are, and a penetration test can help determine whether the controls are in fact preventing the vulnerability from actually endangering the network. That type of information can help a CISO prioritize his work. A vulnerability that is covered by internal controls or other defenses may move lower on the fix-it list than one that is proven accessible through an outside penetration test.

In Gold's nearly 10 years at Continental, the first seven as director of Internet services, he's seen scores of penetration tests. The methodology, he says, remains similar to what it was in 1996 (though it has naturally expanded to include such new protocols as SOAP and variants of XML). But the process and the tools have changed—the tests don't take as long, in part because the tools are more automated. In 1996, DNS searches, server pings and manual telnetting were all common parts of information gathering during a penetration test, and now these are handled by tools like Nmap, Gold says. He also says vulnerability scanners can find potential configuration errors and buffer overruns, which was not the case in the late '90s. There are even commercial-grade exploit tools like Core Impact, which Continental uses internally, particularly after installing new application releases. Continental used to outsource a broad range of work, including audits, vulnerability assessments and pen tests. Now, the company does much of this work in-house, with security working together with the internal audit group.

Gold's bottom line on pen tests: Audits and assessments are well and good. Companies need such tools. But they can't prove whether a vulnerability equals a corporate liability, where a pen test can. A good pen test, then, provides peace of mind.
