Oct 30 2007

The IT Chief's New Clothes

What penetration testing and vulnerability scans will and won't do, and how they might fit into your agency's security program.

The terms “white-hat hacker” and “penetration testing” are back in vogue. Security folks — everyone from certified systems security professionals to high school kids who can use a couple of scanning tools — have jumped on the hacker-penetration bandwagon and promote pen tests to sell various services with little regard to an agency’s true needs.

That leaves government information technology managers in the position of needing to understand what testing they really should undertake and how it should fit into their security efforts.

The recent annual Federal Information Security Management Act (FISMA) score of “C–” highlights the pressure on federal IT managers to prove they can adequately protect their information assets. A popular approach to concerns about information protection is to bring in an expert to conduct penetration testing. The thinking is that if a pro can’t hack in, then the system is secure and the rest is a paperwork shuffle. If, on the other hand, this white hat does get in, then all the agency has to do is close that door and its security problems are solved — warm fuzzies and congratulations abound. Unfortunately, as with most magic-bullet solutions, penetration testing falls far short of being a one-stop security tool. True penetration testing is inappropriate in most cases. That nice warm, fuzzy feeling when the hack fails to breach the network is as illusory as a certain monarch’s new wardrobe.

The Complete Picture

Most organizations that ask for penetration testing in reality need a vulnerability scan (see sidebar, below). They want someone to run scans from outside the network and come back to them with a report of the vulnerabilities that need to be addressed.

Although dealing with the vulnerabilities can be helpful, it does not mean that all the security needs have been resolved. Vulnerability scanning is of limited value by itself, as it only provides insight into a piece of the overall security picture. It is useful only when it is part of a comprehensive information security process in which an organization’s security requirements and the technical, procedural and physical means by which they are met are also evaluated. By itself, vulnerability scanning will leave an agency with major blind spots in the information it has about risk. As with the penetration tests, vulnerability scanning can lead to a dangerous and false sense of security.

To really have a good grasp of the agency’s risk posture, the IT security team must take into account all of the threats and vulnerabilities. Plus, it must understand all the security requirements and how and where they are met. Vulnerability scan results provide only a view of how well some of the technical requirements are met.

The solution to those security concerns is to implement a proactive security program commensurate with the value of the information the agency is protecting and with the risk environment in which it operates — often this will encompass multiple layers and degrees within a single agency. For the federal arena, FISMA and the Defense Department Information Assurance Certification and Accreditation Process provide agencies with guidance on how to do that.

Before the CIO and/or the chief information security officer order up a batch of penetration tests, they need to think again. The resources spent on that effort could be better spent developing and implementing or improving an agency’s information assurance program. If a good program is in place, then vulnerability scanning and even penetration testing can be useful to the ongoing management of the agency’s security posture and a critical component of the certification and accreditation process.

Now What?

What does an agency do once it has decided it needs vulnerability scanning and possibly some level of pen testing? How does it find someone to do it? Don’t troll the hacker boards looking for someone. Security professionals exist, inside the government and out. Use them.

The International Information Systems Security Certification Consortium — more commonly known by its shortened name, (ISC)² — tests and certifies security professionals with the CISSP certification. The SANS Institute and the Information Systems Audit and Control Association (ISACA) also offer professional security certifications. The EC-Council has a Certified Ethical Hacker certification program.

Certification doesn’t guarantee skill, but it can help gauge ability and experience. Agencies need to take the following steps:

  • Check the resumes of the people who will perform the work.
  • Look for professional standing as well as experience doing systems hardening and scanning.
  • Seek experts with many years of experience.
  • Ask to review examples of typical results, and get references.

Vulnerability scanning can be dangerous if it is not planned and thorough; active scans can disrupt fragile production systems. Before an agency begins a scan, it should define the rules of engagement for the scan team, make sure the team understands the limits the agency has set for the scan, and ask the team to explain how it will protect the agency’s systems.

All of this should be standard fare for most security professionals, whether they already work for the agency or the agency will hire them as contractors. Be wary of anyone who is reluctant to be clear and up front about what they will do. Have them describe exactly what they plan, what information they will generate and how they will report their results. If they are just going to pass on raw scan tool reports, get someone else to do the scans. It is important that an agency also receive an interpretation of the findings so that it can guide the development of responses to any identified vulnerabilities. The idea is to get something useful for risk management — not to fill a binder with mind-numbing port scan reports.

Finally, plan to repeat scans over time. Sometimes changes go unnoticed. Regular scans, as part of a comprehensive information assurance program, can catch vulnerabilities that arise and help an agency bring home good — or better — FISMA grades.