Penetration testing should be considered whenever control systems
are already in place and their functioning has to be tested. Penetration
testing also verifies the functioning of a business's Intrusion
Detection System. In addition, penetration testing identifies vulnerabilities
in proprietary systems. Penetration testing takes place at 3 levels:
Initial testing occurs with only the information
that might be discovered by an outside intruder: zero-knowledge
The second level of testing checks for illegitimate
or legal use of a machine by a legitimate user armed with the information
legitimately available to him or her.
In the third level of testing, the intrusion
test works as a well-informed malicious individual with strong computer
knowledge and access to sophisticated tools.
The penetration testing methodology used by
ESTec ensures that all potential weaknesses are tested, including
all currently identifiable vulnerabilities. It stresses the application
in ways that the developers never expected. Where an application
exists on multiple machines (typical client/server architecture),
we test each machine and the communications channel between systems.
We also attempt to exploit 'features' of the applications to gain
Customer: Major American Power and Gas Utility
Services: Penetration Test the SAP Accounting system
Problem: The utility was preparing to convert all accounting functions
to SAP R/3. Management wanted to ensure that the controls in place
adequately protected the system, which would soon handle billions
of dollars in Receivable and Payables.
Solution: We conducted penetration testing on the accounting network,
including a penetration attempt from the Internet. ESTec then provided
a report detailing findings and recommendations. ESTec identified
more than 80 critical vulnerabilities, and recommended additional
control procedures to properly secure the accounting system. The
recommendations included a change to the firewall configuration.
Result: After completing the majority of the recommendations, the
accounting switchover took place, replacing an aging accounting
system with a new Y2K compliant system.