Penetration tests conducted by a group of non-IT students has set the cat among the pigeons in the security community, spurring analysts and security professionals to emphasise the importance of certified penetration tests.
The results of the tests, announced last week, found severe network security flaws in 79 percent of the 200 largest Australian enterprises surveyed.
The tests, held at the Australian Graduate School of Policing, saw 25 non-IT students breach security infrastructure and gain root or administration level access within the networks of Australia's largest companies, using hacking tools freely available on the Internet.
Computerworld readers questioned the motives behind the test, the methods and tools employed and the level of legal clearance required to conduct the examinations.
LogicaCMG chief security officer Ajoy Ghosh, who headed-up the test, said it is performed about twice a year, and was conducted to show the students made up of lawyers, prosecutors and criminal investigators how hackers can steal confidential data.
"It was an opportunity for them to experience for themselves the opportunities that hackers have online," Ghosh said.
Computerworld reader and Asia Pacific general manager at security-assessment.com Drazen Drazic was one of the respondents who expressed concern that the tests could devalue professional penetration testing in the eyes of business managers.
"Anyone can get free hacking tools off the Internet and hack to a certain level, but it takes many years of experience to be able to do a penetration test to a level where you can give a CEO a good snapshot of their security vulnerabilities," Drazic said.
"It would surprise me, given Ajoy's industry experience, that the message was that anyone can do penetration testing because some CEO's could read it and think they can get one of their [non-security professionals] to do it instead of paying $20,000 for penetration tests."
Debunking penetration tests was far from the objective of the project, according to Ghosh.
"A number of my peers have raised the issue (voiced by Drazic) saying 'how dare you go out and show how easy penetration testing is' - but it is what it is - it was not a professional penetration test, it was a classroom exercise conducted by non-IT people," he said.
"I would expect a professional penetration test to include a lot more technical testing and to undercover a whole suite of problems over and above what we did."
Another respondent, Big Galoot, posting on Drazic's IT security blog Beast or Buddha joined others in expressing concerns about the legality of the tests.
"Either you accept as fact that the top 200 companies knowingly allowed their systems to be hacked by a bunch of uni students, or you don't. As a shareholder in some of the top 200 Australian companies, I'm very annoyed and I will want answers as to why they allowed the exercise to proceed," the blogger wrote.
Internet services company Biko Technolgies director of technology Greg Kowalski was equally concerned about the tests. He asked of the legal status of the intrusion attempts, and whether they are considered separate to unauthorized criminal hacks.