Mission Possible: Next-Gen Penetration Test vs. Next-Gen Firewall
A Confident and Difficult Client
One Tuesday afternoon Nora, the head of the Business Development team, dashed over to the Professional Services Team saying a corporate client was asking for a penetration test. "It is a big deal, but it starts small, with a multi-platform mobile app and its back-end infrastructure," she said.
After all the paperwork was done, the project started as usual. Soon the Professional Services Team realised they were facing an almost insurmountable challenge.
Mission Almost Impossible
Everything seemed on track. The security consultant, Jim, ran a network mapping tool to scan the target for open ports and services, then went to fetch a cup of hot coffee. Cup still in hand, he was surprised to find no open ports or services visible from the Internet on what was supposed to be a public-facing system. Puzzled, he ran two other tools to cross-check at the network, application and database layers. All to no avail: absolutely nothing was identified. Jim reported to the Team Lead, Carmen, that there were no findings and the job was done.
Carmen was furious. She shouted at Jim, "The *job* has just started. We are facing a next-generation firewall which is aware of the patterns of major penetration test tools. It shut us out." Jim was annoyed and said he had played by the rules and used the penetration testing tools available to him. He insisted that the job was done. Carmen threw him a question: "If all ports and services are really shut, how can the users buy and sell financial instruments?" She added, "We are the masters and the tools are slaves, not the other way round!"
Jim sat there for almost half an hour reflecting on his next move. The next-generation firewall was like the walls of Jericho. He wondered whether he needed horns and trumpets instead of pen test tools.
Mission Goes On
Jim went through the whole scenario end to end: where the threats were, where the defences and vulnerabilities were, and how to do this job in a meaningful way. If legitimate users were going in and out, then there had to be a way in. A firewall can fingerprint and drop scanner traffic, but it still has to pass the mobile app's own requests through to the back end, and that path is the real attack surface.
Carmen gave Jim a hint: go through the application step by step like a normal user, capturing and recording every step and every data packet. It was work done by hand and craft.
The Collapse of Jericho
Jim only half believed it. Nonetheless he set up an intercepting proxy to capture and record everything, as Carmen had told him. It was thrilling to find a pile of holes in the application itself: weak authentication mechanisms and broken error handling routines.
Lessons Learnt
Carmen asked Jim, "What did you learn from this?" Jim apologetically said, "Tools are slaves and we are the masters. Also, we need to understand the big picture of potential threats and vulnerabilities instead of being push-button workers." Carmen said, "OK, let's call it a day and have a cup of decent coffee."