The application of penetration testing in network security level protection evaluation

The network security level protection system is one of the key measures for implementing the requirements of the national Cybersecurity Law. With the rapid development of information technology, new security vulnerabilities emerge one after another, and the security risks facing information systems keep growing. How to discover the security risks present in a system promptly and accurately during a level protection evaluation has therefore become an urgent need. Penetration testing adopts the mindset of an attacker and uses manual methods or technically mature tools to assess the security of the system under test comprehensively, thereby uncovering potential security risks to the greatest possible extent. It has become an indispensable link in level protection evaluation.


1. Overview of Penetration Testing

1.1 The Necessity of Penetration Testing in Class Protection Assessment

On June 1, 2017, the "Cybersecurity Law of the People's Republic of China" came into force. It explicitly requires domestically operated information systems to implement the level protection system, making level protection a basic national system with the force of law. Although no technical standard in the basic requirements for level protection explicitly stipulates the "anti-penetration" capability of an information system, for systems rated at level 3 and above the security technical requirements do specify in detail the ability to resist large-scale malicious attacks, to detect and defend against illegal intrusions, to resist malicious code, and to respond to and monitor security incidents. At the same time, at the security management level, an information system is required to undergo impartial third-party security testing before it can be put into operation.

Given these constraints, an information system that has not undergone penetration testing cannot meet the relevant level protection requirements. Carrying out penetration testing as part of the level protection assessment, on the one hand, checks and verifies the security vulnerabilities of the system under test and provides practical remediation suggestions; on the other hand, it helps improve the quality of the assessment itself.

1.2 Principles of Penetration Testing

Penetration testing is based mainly on security vulnerability information published by the industry or known to the testers. It adopts the attacker's way of thinking and uses tools or manual methods to probe in depth the security of target applications, hosts, networks, databases and so on, in order to find the weakest link in the system. An important principle of penetration testing is that all testing activities must be conducted under the explicit written authorization and supervision of the user. The purpose of authorized penetration testing is to discover the vulnerabilities of the information system truthfully and comprehensively and to verify whether they are exploitable, without carrying out follow-on intrusion operations such as implanting backdoors. For this reason it generally causes no harm or loss to the information system.

1.3 Penetration testing process

Penetration testing generally includes four stages: test preparation, information detection, test implementation, and report preparation.

(1) Test preparation stage: After obtaining written authorization from the unit under test, the penetration test is launched. The specific plan, including the scope, methods, tools, timing and personnel of the test, is communicated to the unit, together with the possible risks of testing, and the unit's approval is obtained. The entire testing process is conducted under the supervision and control of the unit.

(2) Information detection stage: Information about the target system is collected within the agreed test scope. Commercial or open source security assessment tools may be used for collection; the detected ports, services, IP addresses, DNS records and operating system information are then organized to support the test implementation stage that follows.

(3) Test implementation stage: Penetration testers analyze the detected information and carry out the test through steps such as formulating a penetration strategy, preparing test payloads, and researching bypass mechanisms. The implementation paths are mainly the internal network and the external network:

    • Intranet testing: The test is initiated from inside the network, with the aim of avoiding the protection provided by firewalls and other perimeter equipment. If this stage succeeds, ordinary user privileges may be obtained, after which the highest system privilege may be reached through privilege escalation and similar operations; the controlled server can then serve as a springboard for further testing of other targets.
    • External network testing: Penetration testing of the information system is conducted directly over the Internet. The procedure is similar to intranet testing.

(4) Report preparation stage: The implementers analyze the test results and prepare a system penetration test report, which mainly contains the specific test results, an assessment of the vulnerabilities found, and rectification suggestions.

1.4 Risk avoidance in penetration testing

Penetration testing is a dynamic activity, and the testing process may still affect the normal operation of applications, hosts, networks and so on. To minimize the impact of testing on business operations, the following risk avoidance strategies need to be implemented:

(1) Plan review: Both parties sign a penetration testing authorization, formulate and review a penetration testing plan, and obtain approval from both sides.

(2) Time strategy: Choose an appropriate testing window, such as at night or during periods of low business volume, to minimize the impact of testing on the business and to leave time for risk elimination.

(3) Attack strategy: For core business systems with high real-time requirements, in-depth testing is not recommended; testers may analyze and infer the results without actually executing dangerous operations.

(4) System backup and recovery: Before the test is implemented, a complete backup of the system under test must be made so that it can be restored promptly if problems occur. For core business systems, it is recommended to conduct the penetration test against the backup system instead.

(5) Emergency strategy: If the system under test suffers an interruption, slow response or similar problem, testing must stop immediately and the unit under test must handle the fault. The remaining tests may only be continued with the unit's authorization after the fault has been resolved.

(6) Communication strategy: Both parties establish a contact list of the relevant persons, designate a point of contact, and communicate promptly about problems that arise during testing to ensure effective communication.

1.5 Introduction to Penetration Testing Tools

During penetration testing, testers use the operating system's own network utilities and diagnostic tools, open source and commercial software, and self-developed security scanning tools. These tools are technically mature, secure and controllable, and can be targeted at the tester's actual requirements. However, security tools are themselves a double-edged sword: the problems they may cause on the target system must be anticipated and countermeasures proposed, so that the penetration test process remains under control.

2. Penetration Testing Implementation

This section uses an example to illustrate how penetration testing is implemented in a level protection assessment. In the evaluation of a certain unit's Level 3 system, a penetration test of the user's WEB system was required to verify the overall security protection level of the information system.

2.1 Plan formulation

The penetration testing team develops a detailed plan based on the scale of the information system and the actual business conditions. This includes formulating a reasonable test schedule, selecting appropriate testing methods, fully preparing the testing tools, and analyzing the possible risks during testing, their consequences, and the corresponding risk avoidance measures.

2.2 Information collection

Penetration testers use a variety of systems and tools for collection, including information collection systems and other tools. After scanning, the open ports of the system were identified. The exposed services were analyzed at both the system level and the WEB level, and the system was found to have file sharing, remote access, SQL injection, XML injection and other vulnerabilities, which provided a basis for the vulnerability exploitation step that followed.

In addition, emergency response strategies were developed for the test methods, test content and possible risks identified in the information collection stage.

2.3 Test implementation

Based on the collected vulnerability information, the vulnerabilities were confirmed with reference to the characteristics, heterogeneity and other aspects of the information system, and a penetration testing strategy was formulated. High-risk vulnerabilities identified from the collected information were then exploited directly in an attempt to verify whether they were actually exploitable.

2.4 Report output

After the penetration test is completed, the tester organizes the work performed and its results. Based on the security vulnerabilities and risks discovered, the problems present in the system are described and targeted rectification suggestions are put forward, forming the "Penetration Test Report".

Origin blog.csdn.net/LSW1737554365/article/details/132759433