Perimeter
10/14/2011
04:36 PM
Vincent Liu
Vincent Liu
Commentary
50%
50%

Pro Pen Testing: The Zero-Knowledge Approach

Special care must be taken in a penetration test that locates targets with 'zero-knowledge'

Do you ever wonder how many kinds of penetration-testing approaches exist? Broadly speaking, there are three types of penetration testing: zero-knowledge, partial-knowledge, and full-knowledge. The difference between each type is the amount of information that the assessor is given before the testing begins. Within each one of those types, two perspectives are usually taken: external and internal. Combining these, you get six different ways of conducting a penetration test.

The two that we’ll focus on here are both variances of zero-knowledge: zero-knowledge, external penetration testing; and zero-knowledge, internal penetration testing.

Zero-Knowledge
Zero-knowledge testing is defined by having little to no information before the assessment begins. In the strictest interpretation, the assessor would not be given any information at all. However, it’s very rare to receive no information whatsoever from a client. A tester usually needs to be given a set of acceptable targets lest they attack unknowing victims. In-scope URLs and IP addresses are usually provided along with exclusions, such as IP address blacklists and restrictions, on testing time windows.

In some cases, the scope of testing will be an organization’s entire external presence. With this approach, it’s common for the assessor to begin with zero-knowledge, and to attempt to identify all external assets as an exercise in replicating what a real-world attacker might find.

Special care must be taken when you ask an assessor to locate targets with zero-knowledge. In particular, no testing should take place until every asset identified has been confirmed to belong to the organization being tested. You don’t want the assessor attacking someone unrelated who happens to be in an adjacent IP range or who might have been assigned a range previously belonging to you. I’ve often found that being asked to identify and confirm the initial target set proves to be a beneficial exercise that helps my clients verify their asset databases and keep them up-to-date.

Internal Testing
Most penetration testing is performed from the external perspective, with the most common scenario being an external attacker who has targeted the company but has no prior knowledge. While this is a popular scenario, there’s a lot to be gained from conducting an internal penetration test. Several major studies indicate that around 50 percent of security incidents involve an insider threat. So if you want to better understand the other side of the coin, then consider testing from an insider’s perspective.

Common scenarios in which an inside attacker might begin with zero-knowledge include contractors who have been granted temporary access to the network for the duration of their project. With targeted attacks against users and the increasing popularity of malware, the compromised user workstation is another situation that is frequently simulated.

Final Suggestions
When conducting a pen test from the zero-knowledge standpoint, it’s best to try and limit the amount of information provided to a tester to stay as close as possible to a real-world situation. One thing you should never give to any applications or systems in a zero-knowledge pen test is credentials. That only occurs in partial- or full-knowledge testing situations. That being said, those types of situations can be extremely valuable as well. In our next entry, we’ll take a closer look at the partial-knowledge testing approach.

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. He has coauthored several books including Hacking Exposed Wireless 1st and 2nd editions, Hacking Exposed Web Applications 3rd edition, and the upcoming Web Application Security, A Beginner's Guide. Vincent Liu (CISSP) is a Managing Partner at Stach & Liu, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm strategy, practice development, and client matters. Vincent is ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8551
Published: 2014-11-26
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to execute arbitrary code via crafted packets.

CVE-2014-8552
Published: 2014-11-26
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to read arbitrary files via crafted packets.

CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?