How Security Penetration Testing Has Evolved
January 24, 2012

As network technologies and application features continue to evolve at an ever increasing rate, so too have the associated security vulnerabilities. But have our efforts to identify these vulnerabilities kept pace with the changes? Has security penetration testing evolved since its origin in the seventies? How have we changed our security testing approach, tools and methodology to meet the challenges of the changing threat landscape? This is the first in a series of five articles which looks at how far we’ve come and the road ahead.
The term “penetration testing” refers to the evaluation of the security of a computer network or system by the simulation of an attack. It rests on the assumption that by attempting to compromise the security of a system or network, more can be learnt about its susceptibility to attack, and specific weaknesses can be identified and mitigated. That definition has not changed since the practice began, while the accepted scope, approach and methodology have altered considerably.
War dialling
The modern digital networked computer was born on university campuses. Early telephone systems, by contrast, made use of analogue switched networks and were regularly audited both externally (by attackers armed with blue boxes and whistles) and internally by dedicated security personnel.
The modern network is a product of academia. In those nascent networking days academics were largely unconcerned with security – networks existed to share information openly and rapidly. Universities also formed the backbone of the Internet and were the original ISPs, as well as being among the first to adopt email as a communication medium.
Early governmental and military networks in contrast were formed of closed systems. Although the concept of penetration testing was first posited by the Rand Corporation (amongst others) and the US Department of Defense as early as the seventies and eighties, it did not become popular until the emergence of war dialling (which was largely a result of the switch from analogue to digital).
War dialling, one of the first recognisable forms of formal penetration testing, involved dialling through ranges of telephone numbers to find unprotected, publicly reachable modems which would allow unauthorised access to a network. It remained an accepted mechanism for assessing the security posture of networked technologies until the early nineteen nineties and is still widely used – by security professionals and attackers alike – to assess the security of X.25 networks and other dial-up resources.
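As an added example (not code from the original article), the skeleton of a war dialler of the kind described above, in Python: enumerating a block of numbers, dialling them in randomised order as tools of the period did, and classifying the modem's Hayes result codes. The modem is replaced by a constructed answer table so the script runs offline; every number and response in it is made up, and the `VOICE` result code is an assumption that holds only for modems with call-progress detection.

```python
"""Skeleton of a classic war dialler: walk a block of telephone numbers,
dial each through a Hayes-compatible modem and classify the result code.
Added illustration, not a tool from the article.  The modem is replaced
by a constructed lookup table so the script runs offline; with a real
modem, `simulated_dial` would be swapped for a routine that writes
"ATDT<number>\\r" to the serial port and reads back the result line."""
import random
import re

# Result codes a Hayes-compatible modem returns after ATDT.  CONNECT may carry
# the negotiated speed; the others mean no data carrier was found.  VOICE is
# only reported by modems with call-progress detection (assumption).
CARRIER_RE = re.compile(r"^CONNECT(?:\s+(\d+))?")
NON_CARRIER = {"NO CARRIER", "BUSY", "NO ANSWER", "NO DIALTONE", "VOICE"}


def number_block(prefix: str, start: int, end: int):
    """Yield prefix followed by every four-digit suffix from start to end."""
    for n in range(start, end + 1):
        yield f"{prefix}{n:04d}"


def classify(response: str):
    """Map a modem result line to (category, speed-or-None)."""
    line = response.strip().upper()
    match = CARRIER_RE.match(line)
    if match:
        return "CARRIER", int(match.group(1)) if match.group(1) else None
    if line in NON_CARRIER:
        return line, None
    return "UNKNOWN", None


# Constructed sample exchange: what the simulated modem answers per number.
# Anything not listed answers "NO CARRIER".  All numbers are fictional.
SIMULATED_EXCHANGE = {
    "5555550100": "CONNECT 2400",
    "5555550101": "BUSY",
    "5555550102": "VOICE",
    "5555550107": "CONNECT 14400",
}


def simulated_dial(number: str) -> str:
    """Stand-in for a real modem: look the number up in the constructed table."""
    return SIMULATED_EXCHANGE.get(number, "NO CARRIER")


def war_dial(numbers, dial=simulated_dial, shuffle=True, seed=None):
    """Dial every number once and return (carriers, log).

    Period tools dialled in random order rather than sequentially so that
    the telephone company's sequential-call alarms were less likely to
    trip; the shuffle here does the same.  The log keeps every result so
    BUSY and VOICE numbers can be re-dialled on a later pass.
    """
    numbers = list(numbers)
    if shuffle:
        random.Random(seed).shuffle(numbers)
    log, carriers = [], []
    for number in numbers:
        category, speed = classify(dial(number))
        log.append((number, category, speed))
        if category == "CARRIER":
            carriers.append((number, speed))
    return sorted(carriers), log


if __name__ == "__main__":
    found, results = war_dial(number_block("555555", 100, 110), seed=1)
    for number, speed in found:
        print(f"carrier on {number} at {speed or 'unknown'} bps")
    print(f"{len(results)} numbers dialled, {len(found)} carriers found")
```

The interesting output of a real run is the list of carriers, which then becomes the starting point for banner grabbing and login attempts against each answering system; the sweep itself is deliberately simple so it can run unattended overnight.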
The early nineteen nineties saw the emergence of penetration testing as a formal security activity. In 1988 Robert Morris Junior unleashed a self-propagating worm, which had the possibly unforeseen consequence of crashing large parts of the emerging Internet.
This, coupled with seminal research papers including ‘An Evening with Berferd’ (1991, Bill Cheswick) and “Improving the Security of Your Site by Breaking Into It” (1993, Dan Farmer & Wietse Venema), raised awareness both of what external attackers could do and of the testing methodologies organisations could use to emulate them.
A major driving force behind the evolution of penetration testing was not only management – who were growing increasingly concerned with the risks – but also IT security practitioners themselves.
Since the early nineteen seventies both the Rand Corporation and the US Department of Defense had conducted research into the security of networked IT environments (hence the DoD’s “Rainbow Series” of coloured evaluation criteria books).
The earliest security assessment and penetration testing tools available to security professionals all had to be written in house. It was not until COPS appeared in 1989, and then Farmer and Venema’s SATAN in 1995, that automated scanning with externally developed tools took hold – to the relief of testers and the alarm of many administrators, since the same tools were equally available to attackers.
The Outside / In Approach
Early penetration tests involved IT security engineers acquiring or developing basic attack tools and attempting to exploit the target system or network. Repeatability and reliability were extremely limited because there were no methodologies and everything depended on individual ingenuity. As processes and assessment mechanisms (including tools) matured and repeatable testing procedures developed, an accepted methodology began to emerge.
Testing activities associated with this external approach were designed to emulate external attackers who had no previous knowledge about the target network infrastructure. Many of the earliest available penetration testing tools sought to automate common attack activities (such as war dialling or port scans).
If an organisation faced the possibility of external attack, it was reasonable to emulate the techniques employed by attackers and, in doing so, secure systems before they were compromised. The approach was not without its limitations. Firstly, unlike attackers, organisations were limited in the time they could spend testing. Secondly, the scope of testing often excluded commonly used attack vectors (such as social engineering).
Reliance on the Outside / In approach provides a valuable assessment of externally facing assets. However, it does not cover the internal assets, usually far greater in number, and the vulnerabilities associated with them.
Testers typically use a tool set that operates from a position of “zero knowledge”, which offers little insight into the internal assets and networks beyond the gateway. Inevitably vulnerabilities go undiscovered, and remediation advice is thin (e.g. disable service X; add a firewall rule to restrict access to Y). Although the superficial recommendations generated by this approach are still of value, they do little to improve the overall security of the network and its applications.
