PENETRATION TESTING

Penetration Testing



Penetration Testing

Overview

Due to the increasing vulnerability to hacking in today's changing security environment, the protection of an organization's information security system has become a business imperative1. With the access to the Internet by anyone, anywhere and anytime, the Internet's “ubiquitous presence and global accessibility” can become an organization's weakness because its security controls can become more easily compromised by internal and external threats. Hence, the purpose of the research paper is to strengthen the awareness of ethical hacking in the Chartered Accountants (CA) profession, also known as penetration testing, by evaluating the effectiveness and efficiency of the information security system (American Society For Testing And Materials 2006, p. 12-18).

Penetration testing generally consists of small group of teams from external auditors or consulting firms that provide penetration testing services. These teams are also known as “red teams”8. Internal staff should not be part of the red team because it violates the basic principle of self-reviewing one's own system. Thus, it is expected that external personnel have minimal or no previous knowledge of the system and can conduct a closer and more realistic simulation as malicious hackers. Nevertheless, background checks, such as qualifications, good reputation, and experience, should be performed because the team will be dealing with confidential and sensitive information. They should also be supervised by someone who will be held responsible for any failures9. Thus, the main objective of the red team is to simulate the same or similar hacker activities by exploiting security vulnerabilities under a controlled testing environment. By doing so, these security gaps can be eliminated by the organization before unauthorized users can truly exploit them.

In order to conduct a penetration testing, threats and risks should first be identified and analyzed because this forms the basis of the test in which ethical hackers would attempt to attack an organization's system to expose those vulnerabilities. In the same manner, CA practitioners should be fully aware of the information security risks that are relevant to any organization because it can adversely affect their business operations and cause their security systems vulnerable to unauthorized access, increasing both business and information risks respectively. In the following, two major risks will be discussed - internal and external.

Regardless of how strong a computer security system is designed, employees' lack of knowledge about security issues and other malicious employees can inflict enormous damages to any organization. With limited employee security awareness, simple actions of opening a “joke email”, which may be infected with a virus, can place the organization at risk with thousands of lost revenue. Key statistics from a medium-size company case study have indicated that 100% of all employees use instant messaging, which should have been prevented by the corporate firewalls, and 44 out of 102 users use common dictionary words as legitimate and valid passwords13 which can be easily guessed by other employees for unauthorized access. In addition, less than 25% of the employees have used an external device to copy files off-site and 33% have transmitted confidential documents ...