InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity Sep 2009

Industry Trend

Intricacy of “Ethical Hacking” in the Business World

Information technology today cannot function without an effective security model. Though the software industry is reaping the benefits of providing security services to its clients, the concern is whether those security practices are mature, since mature practice is what yields a high-end, profitable business. There is considerable doubt about whether the current security benchmarks are effective enough to make an impact. Let’s delve deeper to understand this better.

This article reflects on current security practices and on business dependency, considering the feasibility of the underlying technology. Security jargon is spreading at a high pace, breaking down every barrier. The business sphere is becoming increasingly dependent on automated processes: all monetary transactions and high-end functionality are based on computers. But the positive side is always accompanied by a negative side.

We cannot eliminate the risk of computer-generated fraud and crime, which proliferates day by day. Do you think that by enacting cyber laws we can control burgeoning computer crime? That sounds great, but sorry to say, the applicability of these laws is missing. Business dependency on technology is very high, and organizations cannot ignore this enigmatic risk. If the industry has renamed “Penetration Testing” as “Ethical Hacking” in view of this factor, is it right to consider that thinking appropriate? What about compliance? Has business been split by the gap between the reality of compliance and real security? These questions need to be crystallized without any skeptical thoughts.

Organization Business and Security Artifacts

Security is a prime concern nowadays. Organizations at this point require a unified security model that protects their assets while also suiting the business. This is true. Pen testing, whether white box or black box, is what organizations look for. But the definition of how this pen testing process applies is a little loose. The questions revolve around compliance versus real pen testing. Are organizations carrying out pen tests just for compliance, or to enforce real security? The term is used in different ways according to one’s business standards.

This idea is being manipulated by every organization through a change of semantics. An organization’s security is scrutinized through pen testing; there is no doubt about that. Designing procedures and policies is not an end in itself. The real process is applying those policies and ensuring that every user complies with them. Post-deployment testing confirms whether they work in practice by testing the deployed entities in the organization’s environment.

Security has been transformed into a business perspective that encompasses the quality assurance process. A number of organizations carry out this activity to assure security through pen testing. The technical work of finding the endless stream of vulnerabilities takes a back seat. There is a very thin line between vulnerability assessment, pen testing and regulatory compliance. The articulation of business has even turned the technical processes into compliance. Real security is slipping away into the arms of business. As a result of this behavior, businesses are losing the essence of quality-oriented processes.

The Anatomy of Ongoing Penetration Testing Process

Compliance work is becoming the main source of business in the market. Every organization wants to grow its business against pre-defined security standards, i.e. a specific set of guidelines to check against. This has really changed the scenario. This process is guiding the development of efficient resources.

Let’s have a look at the generic testing model in Figure 1:

Figure 1

The applied methodology is over-optimized. Pen testing has to be done in a generic manner. Running a simple set of tools to produce the client-side deliverables is what lies beneath the current security business.

Leaving aside the specialized security companies, all the other big organizations are following the path of easy testing. Pen testing aims at detecting vulnerabilities and finding different ways to exploit them. What is the real nature of pen testing that organizations are missing? Is it so crucial to exploit a vulnerability at the organization level before giving a recommendation? What do you think the best approach should be in order to work around the delicacies of the environment? The best approach is to leverage as much information from the systems as possible without invading them. Information gathering reveals the attack vector against which a specific vulnerability could be exploited, and so gives the auditor a direction for tracing information about other devices. On the other hand, exploiting the vulnerability directly can cause havoc in the system: one can see services crashing, BSOD screens and so on. To avoid all this, pen testing should be done in a highly skilled way so that maximum information is gathered with minimum intervention.

The approach has two practical sides. The testing strategy can be either white box or black box. Basically, it covers the effective strategy to follow for a well-constructed pen test. The major failing in conducting a pen test is performing regular attacks during the day-to-day working of an organization. This is a problem because many companies do not want to halt the business flow to conduct integrity checks through pen testing. It makes the process more complex, because a small mistake can affect the organization’s working flow. In that case the auditor has to be very careful and skillful to conduct the pen test without hitting the business flow. This is one of the defining reasons for organizations’ preference for white box testing, in which generic information about the targets is provided before the tests are conducted. Black box testing, by contrast, is a random process in which the attacker or tester does not know much about the system. For example, a mismanaged crash in one of the main systems results in a financial loss through a number of failed transactions. The risk factor is always high.

Practical Security Assurance

If we follow the semantics of security, then certain assurance steps need to be followed. But this does not mean that we have to compromise on technical behavior when it comes to organizational business. The in-depth structure of security depends on the incessant process of putting all the nuts and bolts together to design a robust environment, free from every type of attack that can be simulated in the real world. This holds in every sphere of security.

Let’s have a look at a statistical model in Figure 2:

Figure 2

Time plays a very critical role here. Sometimes the pen tester has very little time to complete the required target. In that situation, a non-invasive approach is better and more robust. The choice depends on the business integrity factor and the amount of risk the organization can take. There can be a serious impact on the systems during pen testing even if only a low-level exception occurs in the network. Most organizations have prohibited service degradation and exploitation attacks against real targets; that is where the invasive approach differs from the non-invasive one. At the same time, the pen tester’s capability is always being tested. Scanning for a certain number of open ports need not be done by sending a large number of packets; it can be done with a single packet. So efficiency is considered an output of skill. In order to reduce business risk, companies are moving more towards vulnerability assessment rather than real penetration testing. Vulnerability assessment reports provide a kind of compliance report card for the organization’s critical infrastructure. But security is a process, and vulnerabilities should be patched even before thinking of compliance. That’s exactly how the system works.

Understanding Business Driven Security Practices

At this point in time, organizations that are not mature in their security practices and in providing an efficient set of services need to work on designing a unified set of components that combine to form a hierarchical benchmark. This structure should assign individual characteristics to each single component. The point is that policies and functioning should be clear with respect to the organization’s business. There should be a balance between business and technology in providing mature services to the client. The development of security practices is a must. Continuing business without any development will yield nothing but generic outputs, and those outcomes will not be good enough to set the financial terms for a vision-oriented business. It is very critical to define the benchmarks of the enterprise cyber environment.

If the components are structured appropriately, keeping the essence of innovation in mind, the business will be much better than the general norm. The same pattern will become sluggish in the future if change is not applied to both business and technology while catering to the current environment. The components are listed below:

  1. Penetration Testing
  2. Vulnerability Assessment
  3. Threat Modeling and Assessment Practices
  4. Sanitizing Security Repositories
  5. Compliance and Security Benchmarks
  6. Uniform Business Ethics based on Security Services
  7. Innovation and Development

These seven pillars should not be cross-referenced when providing services. The components should be devised individually rather than as a collaborative function, which is in itself a complex state. The fidelity of information should be maintained in all spheres of security practice and development, keeping business ethics alive. Effective steps can close the existing loopholes to some extent and will give a different face to a mature security business.

Conclusion

Security is a kind of trade-off that has to be managed. Even if we are folding security into business, quality should not be trimmed down. This applies to both the service provider and the organization. It seems implausible that organizations do not require security when the entire world is being structured around technology. Information needs to be handled and secured in the best possible way. Whether through pen testing or regulatory compliance, adherence to a benchmark is a must. If you are dealing with technical entities, the methodology should revolve around the technical aspects, not compliance. The pointers of applied security and of compliance related to technology should be made clear. Business requires compliance, but technology is a core entity that needs to be applied in a definite context. So whatever the path, the destination should be conquered with the utmost applied security. That’s the way a Loaded Gun behaves. So be secure by securing your systems.

About Author

Aditya K Sood is a Security Researcher at Vulnerability Research Labs (VRL), COSEINC. He has been working in the security field for the past 7 years. He also runs an independent security research arena, SecNiche Security. He is an active speaker at security conferences and has already spoken at EuSecWest, Xcon, Troopers, Owasp, Xkungfoo, CERT-IN etc. He has written a number of whitepapers for Hakin9, Usenix, Elsevier and BCS. He has released a number of advisories to leading companies. Besides his normal job routine he loves to do a lot of web-based research and to design cutting-edge attack vectors.

Personal websites: http://www.secniche.org | http://zeroknock.blogspot.com

By: Aditya K Sood

