Penetration tests and internal auditing
By Sebastian Schreiber, Managing Director of SySS GmbH
Within the framework of audit testing, the testing of IT, and especially of IT security, is still of secondary importance, although that importance is, for good reason, constantly increasing. Companies have long been implementing a number of measures to ensure IT security, ranging from various ISO and BSI certifications to audits of all kinds. However, these measures are evidently insufficient, as can be seen even from a brief look at the press. IT security incidents in organizations, companies and authorities frequently make news headlines.
IT security incidents in the recent past demonstrate emphatically that even the IT systems of international high-tech companies and major state institutions are not given sufficient protection. Widespread IT quality assurance measures may suffice to safeguard 99 per cent of systems. However, the decisive factor is that the remaining 1 per cent of vulnerability provides a target for digital attacks: every gap, however tiny, is sufficient to render an otherwise well-secured IT infrastructure vulnerable in its entirety.
Simulating hacker attacks on a regular basis
Real attackers have experience-based knowledge with which they can identify and exploit this one per cent of uncertainty. This point, or rather the point just before it, is precisely where penetration testers start; expressed simply, a penetration test is the simulation of hacker attacks. The tester takes the perspective of those who attempt to attack a company, and thus exposes security gaps before they can be misused for an attack. However, one thing should be borne in mind: every day, new security gaps appear in software products, thus also providing new potential gateways for hackers. Penetration tests should therefore be firmly integrated in the test plans of audits and carried out frequently, at fixed intervals. This ensures that the discovery of the many hacker attacks of which the companies concerned are not even aware no longer depends on chance. Instead, weak points are specifically identified and eliminated before, for example, a Trojan infects the computer and remains undiscovered for many years.
An attractive test concept
From the perspective of the internal auditing department, penetration tests, apart from their demonstrably positive effect on IT security, have another practical advantage: the tests can be carried out rapidly, are cost-effective and do not involve great effort on the part of the auditor. When the test report is available, another advantage becomes apparent: the result of a penetration test is usually extremely precise. The identified weak points and their consequences leave hardly any room for interpretation and are in general very comprehensible even to non-computer scientists. For example, if a penetration tester proves that he can read out all the supplier data from the respective database within just a few hours, it is unlikely that anyone will be able to bring forth an objective counter-argument. It will then be clear that the IT security in the company evidently has a leak at this point and that immediate counter-measures are necessary.
A penetration test also proves constructive for auditing with regard to these counter-measures. At the end of each test, there is always a concluding report, which not only documents in detail all the gaps found, but also includes concrete suggestions on how to eliminate them. The auditor can thus provide his company's IT with specifications and, within the framework of a follow-up test, also check with relatively little effort whether the security weaknesses identified have been successfully eliminated. The auditor can now again sleep in peace, at least for the time being. For one decisive difference from other test procedures must always be borne in mind with the penetration test: the systems are not given a “Secure IT” test seal with a specified validity period. Rather, it cannot be ruled out that, even just a few days after a successfully completed penetration test, new security weak points may be found somewhere on the internet which make secure systems vulnerable in a new way. Precisely for this reason, it is so important to integrate penetration tests systematically in regular test plans, depending on the complexity of the respective IT landscape and how much protection it merits. Whoever systematically and continually scrutinizes his own IT security measures in this way will also minimize the scope for hacker attacks.
In a live hacking presentation at this year’s Infosecurity Europe, Schreiber will give an impressive demonstration of how quickly and easily digital attackers, despite all counter-measures, can penetrate IT systems day in, day out: “You Have Just Been Hacked – Live on Stage” (16:40 – 17:05, Technology Showcase).