Penetration testing (sometimes called "pen testing") is a valuable part of any security program. You may think
you've covered all the bases, configured your firewalls correctly, and closed the loopholes, but it's hard -- actually impossible -- to be sure. Penetration testing tools help uncover the things you may have missed, and point out issues and security problems you may not have thought of.
I've seen people treat penetration testing as their worst nightmare: someone trying to break into their network and show their boss how bad of a job they've done. However, that's the wrong way to think about it. Properly done, penetration testing is an invaluable tool that can give you an entirely different perspective on your network and system security. Don't fear the penetration test; get excited by it!
If you have a penetration test scheduled, or even if you don't, it's always a good idea to try some penetration testing of your own beforehand. (Get permission first! Over-zealous network managers have faced serious consequences for testing their own network without permission.) This has a couple of advantages. First, you can find some obvious errors and repair them before a third party comes through your network. You don't want to waste your time, or the time of the company you've hired to test your network, looking at things that are easy to find and easy to fix. The second advantage is that you'll get a taste beforehand of what a penetration test is like and what kind of results to expect. Remember, the value in the penetration test is not in the test itself. It's in the report and debriefing you get after the test that helps you to improve your security posture.
If you've never run your own penetration test, you'll probably want to begin with some open source pen test tools. That way, you can get familiar with pen testing without paying for commercial pen testing software and still benefit from a broad support community on the Internet. The top three tools on your list should be Nmap, Nessus and Nikto. All three can be run on Windows, and both Nessus and Nikto have a wide range of Windows-specific tests. Using these tools will also help you understand very quickly the value that a third-party penetration tester brings to the table: an extensive explanation of what these tools are really telling you about your security. Quick hint: If a penetration tester drops off a Nessus report at the end of their project and then leaves without hours (or days, in some cases) of explanation and discussion, don't pay the bill; you didn't get anything out of the engagement.
Nmap is one of the pen test tools that many security professionals choose for network discovery. There are faster and more esoteric discovery tools, but everyone knows Nmap, and it's easy to find and use. Launch it against your network -- inside the firewall -- and let it tell you what systems are running and what ports are open on each system. That inventory information alone can be invaluable because it offers a starting point for all future testing. Your first task should be to reconcile what Nmap is telling you with what you thought was running on your network. Pay close attention to servers and their open ports. You may find you're running services you didn't know about, and if you turn unused services off, you'll save the time of having to test them. Once you have your inside-the-firewall inventory complete, you should also run Nmap outside the firewall to compare what you thought your firewall was doing to what it is really doing.
Your next step is to launch Nessus against the systems you've discovered, especially servers and network infrastructure. Nessus and the massive vulnerability database it contains are not exactly fully open source anymore. Read the restrictions on the Tenable Network Security Inc. (owner of Nessus) website to get all the details. If you are simply doing a one-off scan for personal use and are content to be a little bit out-of-date with the vulnerability signature database, you won't have to pay any fees. If you like what you see and want to run Nessus regularly against a commercial network, you'll have to pay for a subscription to the signature updates.
When using Nessus, be careful with old systems and old software. Nessus can, and will, crash devices that are slow and old, especially embedded devices like UPSes, thermostats and the like. Old applications can also suffer lock-up after a Nessus scan, so make your initial scan runs on off-hours until you've figured out what pieces of your infrastructure are too fragile to be scanned.
For systems with Web servers on them, you'll also want to run Nikto, the open source Web application security scanning tool. While Nessus concentrates mostly on the network and operating system layers, Nikto is all about Web server testing. There's some overlap between Nessus and Nikto, but as long as you're doing this on your own, trying both of them will give you more information than either one alone.
For Windows administrators, a critical part of a successful penetration test is giving the scanner adequate credentials, typically in the form of an administrator username and password. This lets the scanner reach deeper into your Windows servers and look for more potential issues. The same thing is true when you are testing Web applications: You have to share basic login credentials in order to get past the front door and actually do any testing.
Some network administrators balk at providing any credentials (privileged or otherwise) or scanning inside their firewalls, because they are only interested in knowing what an unarmed Internet attacker would find when trying to break in. That's OK, as long as you think the only security threats you have to worry about are Internet attackers who haven't found or stolen any credentials. That's usually called "black-box" testing, and while those results on their own can be interesting, they won't help you improve your security posture in the way that a full inside-the-firewall scan will.
You'll find a wealth of information when penetration testing your network with just these three penetration testing tools. Take the time to understand what these tools can tell you, and you'll not only improve your security posture, but you'll also be better prepared to take full advantage of third-party pen testing in the future.
About the author:
Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.
Preparing for a network security audit starts with monitoring and remediation
How Nessus compares to other network vulnerability scanners