Results of penetration tests (pentests) research theme
In 2013 DNB conducted surveys of pentesting good practices at a number of financial institutions. A pentest is a simulated attack on the IT infrastructure of an institution with a view to finding and exploiting any vulnerabilities in order to actually break into the system. A pentest is normally carried out for legitimate reasons and with the consent of the owner of the IT infrastructure. Pentests are offered as a service by external contractors, but may also be carried out by the institution's own personnel.
As pentests provide a realistic assessment of the level of security in practice, DNB believes that they form an essential element of the total package of security measures.
For the purposes of the survey, the process of pentesting has been divided into four steps: (1) preparation, (2) tendering by and selection of contractors, (3) testing, and (4) reporting. The following good practices have been identified for each step of the process:
- Select and prioritise pentests on the basis of the results of the IT risk assessment process.
- Formulate an explicit research objective for the pentest.
Tendering by and selection of contractors
- Use a modular structure for tenders, with optional sections for in-depth specifications.
- Rotate contractors and/or internal testers periodically. This prevents 'blindness' to security issues, as different testers have different perspectives and different methods.
- Carry out a second test immediately after the issues revealed by the test output have been resolved.
- Carry out a ‘holistic’ pentest whose scope is broader than just the technology.
- Perform source code reviews to check compliance with secure coding principles.
- Allow different testers to test the same system, as this provides a more complete picture of the vulnerabilities.
- Make a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack part of the pentest.
- Apply a standard approach to pentesting.
- Determine the impact of the identified vulnerabilities on the chain where it forms part of the tested system.
- Translate the identified technical vulnerabilities into business risks.
- Include the test output as an annexe to the report.
- Set out specific solutions for the identified vulnerabilities.
- Adjust the content/style of the recommendations to suit the intended target group and thus maximise support for solutions to the security issues.
The following is also apparent from the results of the survey:
- There is no difference in the quality of the testing or the approach to the testing between the institution itself and the external contractors.
- There is no quality mark for pentesting contractors. Professional contractors devote much time to training their personnel internally. However, this was not demonstrated during this survey.
- Secure coding has been found to be an important preventive measure for eliminating the underlying cause of various security leaks.
- Some institutions have a backlog in testing environments and systems.
- It is important to assign responsibility for coordinating all process steps explicitly to a central control function. In practice, this may be a Security Operating Centre or Risk Management.
DNB advises financial institutions to examine to what extent they themselves actually apply these good practices. DNB will assess this on a risk basis.