Everyone who has seen our business card always asks, I might add with eyes wide open, "What exactly is a Penetration Test?" I'll take a brief minute to explain exactly what it is. More than likely, if you are here reading this, you already know.
First, a few definitions:
What is a cracker?
A cracker is someone who gains unauthorized access to a computer system, usually without the system owner being aware that it has been 'cracked'. The reasons crackers gain unauthorized access are many. They may be there for theft of information such as client lists, credit card numbers, or banking account information, to use the system to attack another system, just to see if they could, or for many other reasons. It could even be a disgruntled employee who has been denied access to a share, server, or service, or one who may be leaving your employment and wishes to have your client list when they leave to help promote their new employer's business.
What is a hacker?
A hacker is someone with the knowledge to learn everything there is to know about a topic down to its inner workings, be it a software hacker or an automobile hacker. A hacker does not 'harm' or 'break in' to computer systems without your knowledge. The term is used loosely by the media, and they often confuse the terms 'hacker' and 'cracker'.
What is a penetration test?
A penetration test is the systematic testing of the internal and external workings of a computer system or network, looking for and using known and widely available information concerning vulnerabilities specific to the hardware and software in use on the computer or network being tested. It can also be bugs found by the individual or company performing the testing that did not release the information under "full disclosure". It is also often the step-by-step dissemination of codes and scripts which may be exclusive to the client's network. The reason for performing penetration testing is to identify security weaknesses in a client's computers or networks and close them before a 'cracker' or even an 'employee' finds them and exploits the weaknesses, usually giving them unauthorized access to files or services. Once the weaknesses are identified, the client can then work on getting them fixed.
RHP Studios' approach to Penetration Testing is rather unique and constantly changes to accommodate each client's needs. RHP Studios supports 'full disclosure' and releases any bugs or vulnerabilities we find in hopes that the bugs will be fixed more quickly. We often support the manufacturers in fixing the problems. We do not always release the information immediately; we first give the software or hardware manufacturer adequate time to make repairs. This often keeps the script kiddies from looking for systems containing those specific vulnerabilities. RHP Studios tests both on and off the client's site. We feel this gives us better control in getting the problems identified and fixed. It also lets us review custom code and scripts that may be exclusive to the client's location and network use.
There are commercial vulnerability scanners available from reputable sources. Are these scanners sufficient in detecting vulnerabilities?
RHP Studios identifies these systems as scanning for common and well known vulnerabilities. They may in fact find most of the vulnerabilities on your network. Fact is, it only takes 1 vulnerability for a successful crack to occur, possibly ruining your business image as a secure business partner. The commercial scanners also cannot analyze individual lines of code that may be exclusive to your use, such as network scripts used for authentication of services, databases, other forms of inputs and validations, or CGI scripts used on web servers.
Is an internal audit necessary if we have an external audit performed?
We find that employees will often go out of their way to get what they want. If it takes administrative rights to get it, they will resort to the many different ways to get Administrator or Root just like an external 'cracker'. The difference though is they are at an advantage because they have 'real' console access. They can bring floppy disks in from home that contain programs or code which the system administrator is not aware of being installed.
One of the most common exploits available is to give NT users Administrative access. Once they have Administrator access, they can then try to get Domain Administrator rights or other rights that would allow them to reconfigure services they may not normally have access to. Also, once they have Administrator rights to their workstation, they could install any program they wanted. Once they have Domain Administrator access, they could join Domains they would not normally be able to view. The list goes on and on, but the facts remain the same: "he who sits at keyboard has greater power of that system and the network in which it connects than he who doesn't." (Sorry, couldn't resist...)
How long does penetration testing take?
The time varies depending on network size, services, operating systems, and many other variables. It could be as little as a few hours and as long as several weeks.
What kind of reports will we receive concerning the penetration test?
Once the testing process is completed and analyzed, you will be presented with a full report containing exactly what we found, along with its severity, how we recommend you fix the problems, detailed instructions that may contain reworked code or links to patches, recommendations on configuration settings we find are too "lax" (i.e. no password required to access hard drive on reboot or BIOS passwords not set are good examples), and the overall security or insecurity of your network compared to pre and post penetration testing. You may also opt to have RHP Studios make the necessary repairs for an additional cost.
Is that all that we receive?
Once a client, always a client. The initial penetration test is time consuming. By the time the initial penetration test is completed, we often know your network better than your system administrators. We have baselined your assets by identifying your systems, network and its associated services, software, and hardware such as firewalls and routers. We add all this information to our database. We will work with your system & network administrators to ensure your network stays secure. We will conduct a 2nd full audit to ensure all repairs have successfully been completed. We notify you when new vulnerabilities are discovered that affect your systems. We will also conduct additional audits as new vulnerabilities are discovered to make sure you stay secured. Not only that, we are there for your questions should you ever need us 24/7/365. Once a client, always a client. We also encourage you to consult us whenever you are adding or removing hardware and services so that we can work with you to ensure it does not disrupt the security of your network.
Is information that you find ever disclosed to another source?
All clients are given 100% confidentiality. RHP Studios does not ever disclose information to anyone concerning our clients. RHP Studios employees are restricted in their discussion of client related material, i.e. employees are not permitted to discuss any client information unless the information is needed in a joint project such as employees working together with a specific client. Even then, employees are not permitted to discuss client information in unsecured locations or in public places. RHP Studios does not disclose client information to any business or financial partners. RHP Studios will not disclose client information in any form of publications, with the exception of "web sites" that are under construction and linked from our projects page. These web site projects are placed online with client approval and do not resemble or disclose any security related information about the clients.