This document explains the need for information security for all organizations and also the standards to be followed for doing the same. It also gives vendor selection criteria for selecting a consultancy firm for information security. It gives guidelines as to how to stop ethical hacking of your web application, be it any critical data from getting hacked, scripts being run, without the knowledge of the owner.

1. Penetration Testing and Information Security
like
Think like a Thief to catch a Thief
|
Deltecs Infotech Pvt. Ltd
Ph: 022-28488746 | 022-28481451
Web: www.deltecs.com
Email: info@deltecs.com

2. INTRODUCTION
Penetration Testing and Information Security is often a confused term. Deltecs Infotech
Pvt. Ltd, a leader in information security and penetration testing gives you a broad
overview of the same with the help of the following questions.
What is penetration test?
Much of the confusion surrounding penetration testing stems from
the fact it is a relatively recent and rapidly evolving field.
Additionally, many organizations will have their own internal
terminology (one man’s penetration test is another’s vulnerability
audit or technical risk assessment).
At its simplest, a penetration-test (actually, we prefer the term
security assessment) is the process of actively evaluating your
information security measures. Note the emphasis on ‘active’
assessment; the information systems will be tested to find any
security issues, as opposed to a solely theoretical or paper-based
audit.
The results of the assessment will then be documented in a report,
which should be presented at a debriefing session, where questions
can be answered and corrective strategies can be freely discussed.
Why conduct a penetration test?
From a business perspective, penetration testing helps safeguard
your organization against failure, through:
• Preventing financial loss through fraud (hackers, extortionists and
disgruntled employees) or through lost revenue due to unreliable
business systems and processes.
• Proving due diligence and compliance to your industry regulators,
customers and shareholders. Non-compliance can result in your
organization losing business, receiving heavy fines, gathering bad
PR or ultimately failing. At a personal level it can also mean the
loss of your job, prosecution and sometimes even imprisonment.
• Protecting your brand by avoiding loss of consumer confidence
and business reputation.
From an operational perspective, penetration testing helps shape
information security strategy through:
• Identifying vulnerabilities and quantifying their impact and
likelihood so that they can be managed proactively; budget can be
allocated and corrective measures implemented.

3. What should be tested?
Ideally, your organization should have already conducted a risk
assessment, so will be aware of the main threats (such as
communications failure, e-commerce failure, loss of confidential
information etc.), and can now use a security assessment to
identify any vulnerabilities that are related to these threats. If you
haven’t conducted a risk assessment, then it is common to start
with the areas of greatest exposure, such as the public facing
systems; web sites, email gateways, remote access platforms etc.
Sometimes the ‘what’ of the process may be dictated by the
standards that your organization is required to comply with. For
example, any web application has a lot of sensitive data like
confidential documents, user related information which the users
give considering the privacy policy of the organization.
What do you get for the money?
While a great deal of technical effort is applied during the testing
and analysis, the real value of a penetration test is in the report
and debriefing that you receive at the end. If they are not clear
and easy to understand, then the whole exercise is of little worth.
Ideally the report and debriefing should be broken into sections
that are specifically targeted at their intended audience. Executives
need the business risks and possible solutions clearly described in
layman's terms, managers need a broad overview of the situation
without getting lost in detail, and technical personnel need a list of
vulnerabilities to address, with recommended solutions.
What to do to ensure the project is a success
Defining the scope
The scope should be clearly defined, not only in the context of the
components to be (or not to be) assessed and the constraints
under which testing should be conducted, but also the business
and technical objectives. For example penetration testing may be
focused purely on a single application on a single server, or may be
more far reaching; including all hosts attached to a particular
network.

4. Choosing a Vendor
Another critical step to ensure that your project is a success is in
choosing which supplier to use.
As an absolute fundamental when choosing a security partner, first
eliminate the supplier who provided the systems that will be
tested. To use them will create a conflict of interest (will they really
tell you that they deployed the systems insecurely, or quietly
ignore some issues).
Detailed below are some questions that you might want to ask
your potential security partner:
Is security assessment one of their core businesses?
•
How long have they been providing security assessment services?
•
Do they offer a range of services that can be tailored to your
•
specific needs?
Are they vendor independent (do they have NDAs with vendors
•
that prevent them passing information to you)?
Do they perform their own research, or are they dependent on out-
•
of-date information that is placed in the public domain by others?
What are their consultant’s credentials?
•
How experienced are the proposed testing team (how long have
•
they been testing, and what is their background and age)?
Are they recognized contributors within the security industry (white
•
papers, advisories, public speakers etc)?
Are the CVs available for the team that will be working on your
•
project?
How would the supplier approach the project?
•
Do they have a standardized methodology that meets and exceeds
•
the common ones, such as OSSTMM, PCI and OWASP?
Can you get access to a sample report to assess the output (is it
•
something you could give to your executives; do they communicate
the business issues in a non-technical manner)?
What is their policy on confidentiality?
•
Do they outsource or use contractors?
•
Are references available from satisfied customers in the same
•
industry sector?

5. Standards compliance
There are a number of good standards and guidelines in relation to
information security in general, for penetration tests in particular,
and for the storage of certain types of data. Any provider chosen
should at least have a working knowledge of these standards and
would ideally be exceeding their recommendations. Notable
organizations and standards include:
PCI
The Payment Card Industry (PCI) Data Security Requirements were
established in December 2004, and apply to all Members,
merchants, and service providers that store, process or transmit
cardholder data. As well as a requirement to comply with this
standard, there is a requirement to independently prove
verification.
OSSTMM
The aim of The Open Source Security Testing Methodology Manual
(OSSTMM) is to set forth a standard for Internet security testing. It
is intended to form a comprehensive baseline for testing that, if
followed, ensures a thorough and comprehensive penetration test
has been undertaken. This should enable a client to be certain of
the level of technical assessment independently of other
organization concerns, such as the corporate profile of the
penetration-testing provider.
OWASP
The Open Web Application Security Project (OWASP) is an Open
Source community project developing software tools and
knowledge based documentation that helps people secure web
applications and web services. It is an open source reference point
for system architects, developers, vendors, consumers and security
professionals involved in designing, developing, deploying and
testing the security of web applications and Web Services.
The key areas of relevance are the forthcoming Guide to Testing
Security of Web Applications and Web Services and the testing
tools under the development projects. The Guide to Building
Secure Web Applications not only covers design principals, but also
is a useful document for setting out criteria by which to assess
vendors and test systems.