Who told everyone it is a good idea to start a security initiative with White Hat hackers doing a blind penetration test on your network? Or does it just sound cool and impressive? Or is it really putting the cart before the horse?
I often see RFPs that ask for blind penetration tests. I wonder if they know what they are asking for. A blind penetration test requires us to blindly find vulnerabilities and then exploit them to prove that a hacker could breach the system. There is a time and a place for this type of assessment. It is not, however, the best assessment to have right out of the gate.
Let's look at some semantics.
A vulnerability scan is an assessment, usually a non-intrusive, non-destructive scan of a set of systems, to determine whether any vulnerability can be discovered by the scanning service or device.
A penetration test is an assessment that is intrusive by nature. It starts with a scan to determine what vulnerabilities exist and then tries to exploit those vulnerabilities. Because of the exploitation step, the test is intrusive and potentially destructive.
A blind test can be either a penetration test or a vulnerability scan whereby the assessor does not know the addresses of the systems to scan. A determination is made as to what the addresses could be, and scans are then run against those addresses.
Pros and Cons
Vulnerability Scans
The pro: vulnerability scans are a must, especially if you process payment cards, as vulnerability scans are required by the Payment Card Industry Data Security Standard (PCI DSS). They are a common control in just about every other industry standard from NIST to ISO. Vulnerability scans give you a view of what vulnerabilities a potential hacker could see. Generally the scans are run from a device that is outside the firewall, on the Internet.
The con: while these scans provide a great picture of how an external hacker sees the system, they do not paint a good picture of what vulnerabilities actually exist beyond the firewall. This is because the firewall is doing what it is designed to do, which is limit what access is granted from the Internet. However, the firewall does not generally protect from malicious internal users or malicious code that gets past the firewall. In order to get a complete picture we recommend external scans and internal scans of the Internet-facing systems. In this way the organization has a complete picture of its vulnerabilities and can make risk-based decisions.
Penetration Tests
The pro: penetration tests allow an organization to see and know that the vulnerabilities can be exploited. Most external attacks require hackers to 'hop' their way in. They will compromise one system, hop from that system to compromise another, and so on. A vulnerability scan will not confirm that a vulnerability exists or that it can be exploited. A penetration test is proof that the vulnerability exists and can be exploited.
The con: because the test exploits a found vulnerability, it is intrusive and potentially destructive in nature. The question remains, do we need proof that the vulnerability can be exploited? Is it worth the risk of damaging or bringing down a system to prove that a vulnerability is exploitable? Most of the known vulnerabilities have already been tested, confirmed and indexed.
Blind Tests
The pro: the assessor does not have all the information, so you get a good indication of what a hacker would be able to find if the hacker were targeting only that organization.
The cons: a blind test is really testing the ability of the hacker to find systems. Many hackers don't target a particular organization; they simply sweep the Internet looking for vulnerable systems. Second, a blind test is really testing 'security by obscurity', a security mindset most security professionals avoid. Just because you don't see a vulnerability does not mean it does not exist.
In addition, a blind test could lead the assessor to scan a system that is not owned by the organization, which raises ethical and legal issues.
Recommendation
I recommend that an organization start by adopting a security standard and conducting regularly scheduled vulnerability scans, internal and external. All the major standards require at least the following IT controls: patch management processes and vulnerability management. Simply testing systems in an ad hoc fashion will not improve non-existent controls. If you don't have a process, every assessment you perform will indicate that you have vulnerabilities, which in turn just means you don't have a process.
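As an added example (not from the original post), here is a small Python script that implements the two checks the recommendation rests on: reconciling an external scan with an internal scan of the same Internet-facing hosts to see what the firewall masks, and measuring how long each finding has stayed open across scheduled scans. The hosts, check identifiers and scan dates are constructed sample data, not output from any real scanner.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str   # scanner check identifier (constructed, not from a real scanner)
    severity: str   # "low", "medium" or "high"

def reconcile(external: set, internal: set) -> dict:
    """Compare an external (Internet-side) scan with an internal scan of the same
    Internet-facing hosts, which the post recommends for a complete picture."""
    return {
        "exposed": external & internal,        # an Internet hacker sees these
        "masked": internal - external,         # firewall hides these; still present
        "external_only": external - internal,  # e.g. on the perimeter device itself
    }

def days_open(history: list) -> dict:
    """For each finding in the latest scheduled scan, count the days it has been
    continuously present. Long-open findings indicate no patch-management process."""
    history = sorted(history, key=lambda item: item[0])
    latest_date, latest = history[-1]
    result = {}
    for f in latest:
        first_seen = latest_date
        for scan_date, scan in reversed(history):
            if f not in scan:
                break          # gap in presence: count from the later reappearance
            first_seen = scan_date
        result[f] = (latest_date - first_seen).days
    return result

# Constructed sample scans of one Internet-facing host (hypothetical data).
TLS = Finding("web01", 443, "TLS-WEAK-CIPHER", "medium")
SSH = Finding("web01", 22, "SSH-OUTDATED", "high")
DB = Finding("web01", 3306, "DB-NO-AUTH", "high")
EXTERNAL = {TLS}                 # the firewall only permits 443 from the Internet
INTERNAL_HISTORY = [             # monthly internal scans of the same host
    (date(2010, 1, 1), {TLS, SSH}),
    (date(2010, 2, 1), {TLS, SSH, DB}),
    (date(2010, 3, 1), {TLS, SSH, DB}),
]

if __name__ == "__main__":
    split = reconcile(EXTERNAL, INTERNAL_HISTORY[-1][1])
    print("masked by firewall:", sorted(f.check_id for f in split["masked"]))
    for finding, days in days_open(INTERNAL_HISTORY).items():
        print(f"{finding.check_id}: open {days} days")
```

The masked set is what an external-only scan would never report, and the days-open figures are the evidence that a vulnerability management process is missing rather than that one scan happened to find something.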
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.