Problem solve Get help with specific problems with your technologies, process and projects.

Proper preparation necessary for successful penetration test

Penetration testing can be a valuable tool for financial firms. Without proper preparations for penetration testing, however, the tool is rendered useless. In this tip, learn some important steps that financial firms should keep in mind for a successful penetration test.

More on testing
Vulnerability assessments: Steps to success

How to integrate social engineering into an information security assessment

Enter penetration testing.

Penetration testing is the probing of a computer and/or network system to seek out known and unknown vulnerabilities that an attacker could exploit, and then simulate an attack to determine its business impact. The tester, sometimes known as an ethical hacker, uses the same methods and tools as a real attacker.

When implementing the penetration testing tool, the ultimate goal is to probe the system and secure it quickly. To achieve this, financial services firms should do the following steps:

Conduct a site analysis to ensure the penetration testing tool can collect all the required data on network and system vulnerabilities. The analysis should include the capacity, expandability and scalability of storage devices, as well as storages or means of holding data that penetration test collects. It should also include the capacity of failover servers and off-site backups to hold penetration testing data.

Review the organization's security policies to ensure that security regulations have been met and the storage of data can be retained for a specified period of time. Include whether the storage capacity can be expanded.

Conduct a pilot study by performing penetration testing on a sample portion of a financial enterprise system. This will help the testers solve any potential problems before performing penetration testing on a large scale, as well as determine what education and training the testers will need to quickly solve unusual problems during the testing.

As part of the study, choose a penetration testing method: black, white or grey testing. Black box testing simulates an attack from someone who is not familiar with the system, such as an outside hacker. White box testing simulates what might happen during an inside job or after a leak of sensitive information, in the case, for example, that the attacker had access to source code, network diagrams, IP addressing information or even some passwords.

Determine who will be performing the test: In-house or an outside party? By contracting with an outside party to perform penetration testing, it's possible to give the testers as much or as little information about the institution's security/network architecture as is deemed necessary. With in-house, that control might not be possible.

Define scopes of penetration testing. Delineate, for example, what can be compromised in the DMZ (de-militarized zone), the network and/or database server and what must not be breached.

Spell out technical vulnerabilities the penetration testing should look for. Some examples include URL manipulation, SQL injection, cross site scripting, password-in-memory, session hijacking, buffer overflow and server configurations.

Minimize the risks to the targeted systems. Conduct tests at off-production times as it may slow the organization's network response time due to network and vulnerability scanning.

As part of the risk minimization process, assess financial business risks to the targeted systems. Some examples include personal information modification, unauthorized stock price modification, unauthorized funds transfer and Radio Frequency Identification (RFID)-based credit card data transfer.

Implementing the penetration tools can be a challenge for a financial services firm, but following these proper implementation techniques can make the job easier.

About the author:
Judith M. Myerson is a systems architect and engineer. Her areas of interest include middleware technologies, enterprise-wide system, database technologies, application development, network management, computer security, information assurance, financial, RFID technologies and project management.

Most financial organizations rely on firewall implementations for privacy and data protection. But today's networks are becoming more intricate due to an increase in configuration and topology complexity, as well in number of hosts, users and services in the network. Add to that the number of server misconfigurations, successful exploits, outdated patches, backdoors and disgruntled employees, and there's a lot to be wary of.

Dig Deeper on Auditing, testing and assessment for financial services compliance

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.