Security Audit

A Brief History of Penetration Testing

Published on: December 27, 2022

A Brief History of Penetration Testing

The histories of cybercrime and penetration testing are knit together so closely that the discussion of one without the other is neither complete nor sensible. So, you can put your geek hats on as we dive into the activities of the angels and the demons of computer security and trace the 60 years old lineage and history of penetration testing that has presently led us to on-demand penetration testing and subscription-based cyber security. 

Let’s Start at MIT in 1961

Fernando Corbató was the first to conceptualize and build an operating system that could allow multiple users at the same time. It was called CTSS or the Compatible Time Sharing System. This recorded the first official usage of a password-based system (Corbató didn’t even realize he was pioneering the use of computer passwords at that time). Each user had a password and the CTSS could authenticate them by matching the passwords with passwords from a master-password file. This was one of the first instances of shared computation and what soon followed was one of the first instances of a hack.

Allen Scherr, the Genius who Hacked the CTSS

Allen Scherr was a computer science researcher at MIT when the CTSS came into use. Scherr was not satisfied with the meager 4 hours a week he was getting on the system. His research required him to run calculations on the operating system. It was a privilege not granted to all users, and Scherr decided to leverage it. He started putting clandestine code into the system that zeroed out the odometer built into the CTSS. That meant he had unlimited and unregulated access to the CTSS. 

In 1966, Allen Scherr completed his research and lost the privilege of inserting code into the CTSS. So, he exploited a different vulnerability in the system. Scherr realized that there was nothing to stop him from getting a printout of the master-password file. He did that exactly and started stealing time from his peers.

This hack wasn’t discovered until the late 1980s when Allen Scherr confessed during the 25th anniversary of the CTSS. At the time of the hack in the 60s, those affected attributed the issues to a software bug.

The point of the story is to establish the inextricable relationship between shared computing and cybercrime (although what Allen Scherr did was more of a mischief than a crime).  

1965 – the Beginning of Serious Conversations about Security

A conference of US computer security experts organized in 1965 by the System Development Corporation recorded the first serious discussion about the risk of sharing information through communication lines. This is not far from the time when Allen Scherr is already getting the better of a password-protected system to get more hours on a time-sharing computation system. 

Spring of 1967, Computer Security Specialists Gather

By that time timesharing systems were being used actively in the US military. In the Spring of 1967 computer security specialists met at the Joint Computer Conference. Computer security experts from RAND corporation  Willis Ware, Harold Petersen, Rein Turn, and Bernard Peters of the US National Security Agency worked on a report later that year. It was called the Willis Report. This report declared that the communication channels between computers were easily penetrable (in fact, that’s when the term penetration for breaching computer security was first coined, in all likelihood).

Now, The History Of Penetration Testing

These are not easy times that we are talking about. The Cold War between the USA and the then USSR was unfolding the first information warfare of the modern world. The Vietnam War was also well underway. The US military and National Security Agency could not have sat idle even after being warned about serious computer security vulnerabilities.

The US Department of Defense (DOD), the military, and the NSA decided to build “Tiger Teams” under the supervision of Willis Ware. The job of the Tiger Teams was to examine computer networks to find security vulnerabilities. There, you have the first penetration tests and the first pen testers.

The National Institute of Standards and Technology (NIST) defines Penetration Testing as security testing which imitates cyber-attacks to identify the vulnerabilities of a system or a network before they can be taken advantage of by adversaries in the real world. 

Weissman (1995) called Penetration Testing “a pseudo-enemy attack by a friendly evaluation team on a computer system of interest to discover ways to breach the system’s security controls, to penetrate the security perimeter of protection to obtain sensitive information, to obtain unauthorized services, or to cause damage to the system that denies service to legitimate users”. 

1972, James P. Anderson

The Tiger Teams were not as successful as you would imagine. They were quite easily undermined by hackers and while their methods were pioneering at that point in time, they were not enough.

In 1972, J.P. Anderson wrote a report that provided step-by-step guidelines to the tiger teams. These steps, formalized by J.P. Anderson, in 1972, still form the basis of penetration testing. The steps mentioned by Anderson were 

  1. Find an exploitable vulnerability. 
  2. Design an attack around it. 
  3. Test the attack. 
  4. Seize a line in use for ACS operations. 
  5. Enter the attack.
  6. Exploit the entry for information recovery.

The MULTICS and Its Pitfall

Multiplexed Information and Computing Service was thought of as the most secure way of computing. It is still used in a number of sectors. It was truly a great improvement from what the world had seen earlier.

In 1974, the US Airforce decided to conduct a penetration test on its MULTICS system and found a host of vulnerabilities. This established penetration testing as a key practice in the world of computer security.

SANTA Arrived in 1995

Security Administrator Tool for Analyzing Networks or SATAN was released in 1995. As you can imagine the name started a fuss and it was reconfigured into SANTA later. 

SANTA was one of the first full-scale tools that security administrators could use to run tests on their networks to look for vulnerabilities. SANTA is no longer under development and it has been replaced by other tools.

OWASP, 2001

One year into the new millennium, Open Web Application Security Project or OWASP was founded. In 2003, OWASP published its first framework for penetration testing. The framework was updated in 2014 to reach pretty much what we use today. There are other frameworks like NIST and SANS in action too. OWASP is among the most popular in terms of regulating pentests and keeping track of vulnerabilities.

Penetration Testing has Changed

Unlike the government-sponsored broad pentest exercises of the past, penetration testing today is more democratic. Take Kali Linux for instance, it is a tool kit for penetration testing and digital forensics that combines eight standard security testing tools – Nmap, Aircrack-ng, Kismet, Wireshark, Metasploit Framework, Burp Suite, and John the Ripper. 

We now have on-demand penetration testing combined with automated vulnerability scans. Human pentesters work in tandem with automated scanners to create a complete vulnerability profile of an organization. 

It is still expensive. Hiring and employing a security testing team comes at a steep price. And if your team is unavailable, you can land into a tight situation.

Subscription-Based Penetration Testing

The best part of modern penetration testing is that you do not need to retain a security team in order to test your security posture. You can subscribe to the services of a penetration testing provider like  Astra Security. That pentest provider runs a number of automated and manual tests on your systems and sends you a report containing the list of vulnerabilities, and recommendations to fix them.

Astra's External Vulnerability Scanner

Astra, for example, makes it even easier for you by offering a pentest dashboard where you can visualize the vulnerabilities, the risk associated with them, and the ROI on fixing them, as they are found. Experts at Astra vet the vulnerabilities for genuineness so that you do not have to chase false positives.

The combination of automated and manual penetration testing ensures you get a complete picture of your security posture and do not miss out on logic-based vulnerabilities.

The Future

Thanks to the improving capabilities around computation and data processing penetration testing methodologies are getting better and better with every test that is conducted. Hacker-style pentest ensures that hackers do not get an upper hand. Yet, there will be zero-day vulnerabilities, and businesses will lose money to hackers. The future probably holds pentest tools and methods that minimize human intervention further, to what degree, time will tell.

Was this post helpful?

Nivedita James

Nivedita is a technical writer with Astra who has a deep love for knowledge and all things curious in nature. An avid reader at heart she found her calling writing about SEO, robotics, and currently cybersecurity.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany