After managing the performance of over 20,000 infrastructure and applications penetration tests, I have come to realize the importance of technical testing and providing information security assurance.

This book accurately defines a pure technical assessment methodology, giving you the ability to gain a much deeper understanding of the threats, vulnerabilities, and exposures modern public networks face. The purpose for conducting the tens of thousands of penetration tests during my 20+ years working in information systems security was "to identify technical vulnerabilities in the tested system in order to correct the vulnerability or mitigate any risk posed by it." In my opinion, this is a clear, concise, and perfectly wrong reason to conduct penetration testing.

As you read this book, you will realize that vulnerabilities and exposures in most environments are due to poor system management, patches not installed in a timely fashion, weak password policy, poor access control, etc. Therefore, the principal reason and objective behind penetration testing should be to identify and correct the underlying systems management process failures that produced the vulnerability detected by the test. The most common of these systems management process failures exist in the following areas:

  • System software configuration

  • Applications software configuration

  • Software maintenance

  • User management and administration

Unfortunately, many IT security consultants provide detailed lists of specific test findings and never attempt the higher order analysis needed to answer the question of "why." This failure to identify and correct the underlying management cause of the test findings assures that, when the consultant returns to test the client after six months, a whole new set of findings will appear.

If you are an IT professional who is responsible for security, use this book to help you assess your networks; it is effectively a technical briefing of the tools and techniques that your enemies can use against your systems. If you are a consultant performing security assessment for a client, it is vital that you bear in mind the mismanagement reasons for the vulnerabilities, as discussed here.

Several years ago, my company conducted a series of penetration tests for a very large international client. The client was organized regionally; IT security policy was issued centrally and implemented regionally. We mapped the technical results to the following management categories:

OS configuration

Vulnerabilities due to improperly configured operating system software

Software maintenance

Vulnerabilities due to failure to apply patches to known vulnerabilities

Password/access control

Failure to comply with password policy and improper access control settings

Malicious software

Existence of malicious software (Trojans, worms, etc.) or evidence of use

Dangerous services

Existence of vulnerable or easily exploited services or processes

Application configuration

Vulnerabilities due to improperly configured applications

We then computed the average number of security assessment findings per 100 systems tested for the total organization and produced the chart shown in Figure P-1.

Figure P-1. Average vulnerabilities by management category

We then conducted a comparison of the performance of each region against the corporate average. The results were quite striking, as shown in Figure P-2 (above the average is bad, with more findings than the corporate average).

Figure P-2. Regional comparisons against the corporate average

Figure P-2 clearly shows discernible and quantifiable differences in the effectiveness of the security management in each of the regions. For example, the IT manager in region 3 clearly was not performing software maintenance or password/access controls management, and the IT manager in region 1 failed to remove unneeded services from his systems.

It is important that, as you read this book, you place vulnerabilities and exposures into categories and look at them in a new light. You can present a report to a client that fully documents the low-level technical issues at hand, but unless the underlying high-level mismanagement issues are tackled, network security won't improve, and different incarnations of the same vulnerabilities will be found later on. This book will show you how to perform professional Internet-based assessment, but it is vital that you always ask the question "why are these vulnerabilities present?"