The aim of this article is to define the framework for performing an intrusion test from an external network (the internet) into a private internal network. The aim is mostly to change the image of such a test as something performed by a "well-informed handyman" and to bring out the importance of such an operation in a contractual context.

As a first step, it is important to understand the limits of an intrusion test. Indeed, people tend to believe that the technique will systematically reveal the different security problems that will then be corrected. This is not the case!

There is neither exhaustive identification nor guarantee... An intrusion test does not provide you with any formal proof of the security of a computer system. It allows some flaws to be revealed, but most of the time those elements are well known or easily detectable in the conditions of an intrusion test. An auditor will tend to test only the first protection layer, the one closest to the external connection, and will stop at the first major flaw without necessarily looking for further problems.

It should be noted that the intrusion test only deals with technical elements. It is nevertheless also important to analyse the weaknesses at the procedural and organizational level.

To reach a sufficient confidence level in the security of the computer system, a security audit is even more efficient when an intrusion test is performed simultaneously.

Clear objectives...

Define a security level and quantify its resistance while raising awareness within the company. An intrusion test quantifies a protection level in the same way as industrial quantification methods (the resistance of an engine, for example). The duration and the area of the test are very important factors for the contract to be properly carried out.

The results of an intrusion test are an important tool to help the company's decision makers make their employees aware of the importance of the security of their computer system. Sometimes, they also show how inadequate it is to multiply protections, as some of them cancel out the others or supplement them in the wrong way.

However, when an intrusion test is inconclusive, its power to raise awareness is reduced to nothing. Worse still, it often gives a false sense of security that is difficult to fight.

A methodology...

An intrusion test consists of three main phases when it is performed blindly from the internet.

  • First approach: the aim is to discover the area of the study with no prior information.
  • Search for pieces of information and vulnerabilities: the aim is to discover which services are available on the machines identified in the first step. This listing will disclose some security problems linked to the configuration of the machines.
  • Exploitation of the vulnerabilities and intrusion: considering the elements gathered previously, the aim is to concretely exploit the security flaws in order to break into the company. It is advised to inform the company immediately when substantial flaws are disclosed during step 2 rather than exploit them.
