Most financial organizations rely on firewall implementations for privacy and data protection. But today's networks are becoming more intricate due to an increase in configuration and topology complexity, as well in number of hosts, users and services in the network. Add to that the number of server misconfigurations, successful exploits, outdated patches, backdoors and disgruntled employees, and there's a lot to be wary of.
Enter penetration testing.
Penetration testing is the probing of a computer and/or network system to seek out known and unknown vulnerabilities that an attacker could exploit, and then simulate an attack to determine its business impact. The tester, sometimes known as an ethical hacker, uses the same methods and tools as a real attacker.
When implementing the penetration testing tool, the ultimate goal is to probe the system and secure it quickly. To achieve this, financial services firms should do the following steps:
Conduct a site analysis to ensure the penetration testing tool can collect all the required data on network and system vulnerabilities. The analysis should include the capacity, expandability and scalability of storage devices, as well as storages or means of holding data that penetration test collects. It should also include the capacity of failover servers and off-site backups to hold penetration testing data.
Review the organization's security policies to ensure that security regulations have been met and the storage of data can be retained for a specified period of time. Include whether the storage capacity can be expanded.
Conduct a pilot study by performing penetration testing on a sample portion of a financial enterprise system. This will help the testers solve any potential problems before performing penetration testing on a large scale, as well as determine what education and training the testers will need to quickly solve unusual problems during the testing.
As part of the study, choose a penetration testing method: black, white or grey testing. Black box testing simulates an attack from someone who is not familiar with the system, such as an outside hacker. White box testing simulates what might happen during an inside job or after a leak of sensitive information, in the case, for example, that the attacker had access to source code, network diagrams, IP addressing information or even some passwords.
Determine who will be performing the test: In-house or an outside party? By contracting with an outside party to perform penetration testing, it's possible to give the testers as much or as little information about the institution's security/network architecture as is deemed necessary. With in-house, that control might not be possible.
Define scopes of penetration testing. Delineate, for example, what can be compromised in the DMZ (de-militarized zone), the network and/or database server and what must not be breached.
Spell out technical vulnerabilities the penetration testing should look for. Some examples include URL manipulation, SQL injection, cross site scripting, password-in-memory, session hijacking, buffer overflow and server configurations.
Minimize the risks to the targeted systems. Conduct tests at off-production times as it may slow the organization's network response time due to network and vulnerability scanning.
As part of the risk minimization process, assess financial business risks to the targeted systems. Some examples include personal information modification, unauthorized stock price modification, unauthorized funds transfer and Radio Frequency Identification (RFID)-based credit card data transfer.
Implementing the penetration tools can be a challenge for a financial services firm, but following these proper implementation techniques can make the job easier.
About the author:
Judith M. Myerson is a systems architect and engineer. Her areas of interest include middleware technologies, enterprise-wide system, database technologies, application development, network management, computer security, information assurance, financial, RFID technologies and project management.
