Recently I gave a presentation at the “SANS Penetration Testing Summit ” titled "Zen and The Art Of An Internal Penetration Testing Program". This presentation outlines the steps required to create a successful program and perform internal penetration testing. There are several key components that must exist to create a successful program:
- Getting Management Buy-In - This is the first and most important step. Management must understand the testing strategy and be kept in the loop on the results and remediation. Business units must also be consulted to determine the impact scanning will have on their environment to establish a schedule for scanning. It does not matter what kind of testing you plan to perform, from vulnerability scans with Nessus to full-blown penetration testing, you must get the approval from management.
- Identify The Types Of Testing You Will Perform - This step is essential as it helps you define goals and develop a plan to accomplish them. To have a successful test you must accurately define the targets, enumerate the services, and determine the operating system of the hosts you will be testing. Without this information it is difficult to determine the vulnerabilities and associated risk each host/service will present. Nessus, in conjunction with Security Center and PVS, is a great tool to collect this information. There are several methods of target identification and service enumeration included in these products. The Security Center console provides an interface to manage the scanning and produce reports.
- Create A Workflow For Reporting - Reports are similar to logs in that they are only useful if the right people are reading them. There are two important points with respect to report workflow. First, make sure the group responsible for the security and administration of the systems you are testing is made aware of your findings and given a chance to respond before the report goes to their management. Making administrators look bad tends to foster resentment instead of cooperation. Second, create a management plan to remediate all of the vulnerabilities. It is counterproductive to find vulnerabilities and not work with the respective teams to implement the appropriate fixes.
The presentation also provides several tips for internal penetration testing, including:
- Target identification
- Detect OS & Services
- Identify Vulnerabilities
In my experience, Nessus has been a key component to an internal penetration or vulnerability assessment program. It automates a key portion of the testing, allowing you to find the areas of risk in your network and remediate them on a regular basis. You can download the slides from my presentation and use them as a guide to create your own internal assessment program.