The histories of cybercrime and penetration testing are knit together so closely that the discussion of one without the other is neither complete nor sensible. So, you can put your geek hats on as we dive into the activities of the angels and the demons of computer security and trace the 60 years old lineage and history of penetration testing that has presently led us to on-demand penetration testing and subscription-based cyber security.
Let’s Start at MIT in 1961
Fernando Corbató was the first to conceptualize and build an operating system that could allow multiple users at the same time. It was called CTSS or the Compatible Time Sharing System. This recorded the first official usage of a password-based system (Corbató didn’t even realize he was pioneering the use of computer passwords at that time). Each user had a password and the CTSS could authenticate them by matching the passwords with passwords from a master-password file. This was one of the first instances of shared computation and what soon followed was one of the first instances of a hack.
Allen Scherr, the Genius who Hacked the CTSS
Allen Scherr was a computer science researcher at MIT when the CTSS came into use. Scherr was not satisfied with the meager 4 hours a week he was getting on the system. His research required him to run calculations on the operating system. It was a privilege not granted to all users, and Scherr decided to leverage it. He started putting clandestine code into the system that zeroed out the odometer built into the CTSS. That meant he had unlimited and unregulated access to the CTSS.
In 1966, Allen Scherr completed his research and lost the privilege of inserting code into the CTSS. So, he exploited a different vulnerability in the system. Scherr realized that there was nothing to stop him from getting a printout of the master-password file. He did that exactly and started stealing time from his peers.
This hack wasn’t discovered until the late 1980s when Allen Scherr confessed during the 25th anniversary of the CTSS. At the time of the hack in the 60s, those affected attributed the issues to a software bug.
The point of the story is to establish the inextricable relationship between shared computing and cybercrime (although what Allen Scherr did was more of a mischief than a crime).
1965 – the Beginning of Serious Conversations about Security
A conference of US computer security experts organized in 1965 by the System Development Corporation recorded the first serious discussion about the risk of sharing information through communication lines. This is not far from the time when Allen Scherr is already getting the better of a password-protected system to get more hours on a time-sharing computation system.
Spring of 1967, Computer Security Specialists Gather
By that time timesharing systems were being used actively in the US military. In the Spring of 1967 computer security specialists met at the Joint Computer Conference. Computer security experts from RAND corporation Willis Ware, Harold Petersen, Rein Turn, and Bernard Peters of the US National Security Agency worked on a report later that year. It was called the Willis Report. This report declared that the communication channels between computers were easily penetrable (in fact, that’s when the term penetration for breaching computer security was first coined, in all likelihood).
Now, The History Of Penetration Testing
These are not easy times that we are talking about. The Cold War between the USA and the then USSR was unfolding the first information warfare of the modern world. The Vietnam War was also well underway. The US military and National Security Agency could not have sat idle even after being warned about serious computer security vulnerabilities.
The US Department of Defense (DOD), the military, and the NSA decided to build “Tiger Teams” under the supervision of Willis Ware. The job of the Tiger Teams was to examine computer networks to find security vulnerabilities. There, you have the first penetration tests and the first pen testers.
The National Institute of Standards and Technology (NIST) defines Penetration Testing as security testing which imitates cyber-attacks to identify the vulnerabilities of a system or a network before they can be taken advantage of by adversaries in the real world.
Weissman (1995) called Penetration Testing “a pseudo-enemy attack by a friendly evaluation team on a computer system of interest to discover ways to breach the system’s security controls, to penetrate the security perimeter of protection to obtain sensitive information, to obtain unauthorized services, or to cause damage to the system that denies service to legitimate users”.
1972, James P. Anderson
The Tiger Teams were not as successful as you would imagine. They were quite easily undermined by hackers and while their methods were pioneering at that point in time, they were not enough.
In 1972, J.P. Anderson wrote a report that provided step-by-step guidelines to the tiger teams. These steps, formalized by J.P. Anderson, in 1972, still form the basis of penetration testing. The steps mentioned by Anderson were
- Find an exploitable vulnerability.
- Design an attack around it.
- Test the attack.
- Seize a line in use for ACS operations.
- Enter the attack.
- Exploit the entry for information recovery.
The MULTICS and Its Pitfall
Multiplexed Information and Computing Service was thought of as the most secure way of computing. It is still used in a number of sectors. It was truly a great improvement from what the world had seen earlier.
In 1974, the US Airforce decided to conduct a penetration test on its MULTICS system and found a host of vulnerabilities. This established penetration testing as a key practice in the world of computer security.
SANTA Arrived in 1995
Security Administrator Tool for Analyzing Networks or SATAN was released in 1995. As you can imagine the name started a fuss and it was reconfigured into SANTA later.
SANTA was one of the first full-scale tools that security administrators could use to run tests on their networks to look for vulnerabilities. SANTA is no longer under development and it has been replaced by other tools.
One year into the new millennium, Open Web Application Security Project or OWASP was founded. In 2003, OWASP published its first framework for penetration testing. The framework was updated in 2014 to reach pretty much what we use today. There are other frameworks like NIST and SANS in action too. OWASP is among the most popular in terms of regulating pentests and keeping track of vulnerabilities.
Penetration Testing has Changed
Unlike the government-sponsored broad pentest exercises of the past, penetration testing today is more democratic. Take Kali Linux for instance, it is a tool kit for penetration testing and digital forensics that combines eight standard security testing tools – Nmap, Aircrack-ng, Kismet, Wireshark, Metasploit Framework, Burp Suite, and John the Ripper.
We now have on-demand penetration testing combined with automated vulnerability scans. Human pentesters work in tandem with automated scanners to create a complete vulnerability profile of an organization.
It is still expensive. Hiring and employing a security testing team comes at a steep price. And if your team is unavailable, you can land into a tight situation.
Subscription-Based Penetration Testing
The best part of modern penetration testing is that you do not need to retain a security team in order to test your security posture. You can subscribe to the services of a penetration testing provider like Astra Security. That pentest provider runs a number of automated and manual tests on your systems and sends you a report containing the list of vulnerabilities, and recommendations to fix them.
Astra, for example, makes it even easier for you by offering a pentest dashboard where you can visualize the vulnerabilities, the risk associated with them, and the ROI on fixing them, as they are found. Experts at Astra vet the vulnerabilities for genuineness so that you do not have to chase false positives.
The combination of automated and manual penetration testing ensures you get a complete picture of your security posture and do not miss out on logic-based vulnerabilities.
Thanks to the improving capabilities around computation and data processing penetration testing methodologies are getting better and better with every test that is conducted. Hacker-style pentest ensures that hackers do not get an upper hand. Yet, there will be zero-day vulnerabilities, and businesses will lose money to hackers. The future probably holds pentest tools and methods that minimize human intervention further, to what degree, time will tell.