Tuesday, October 9, 2007

Penetration Testing Methodology - Gary Neubauer II - vSpaceLab.com


Penetration Testing Methodology - Infosec engineers can mitigate security risks and help assure business continuity by demonstrating to their organizations that their digital assets are safe. Organizations often commission internal or external penetration tests to simulate real-world attacks on their systems. The goal is to expose security gaps and demonstrate the effectiveness (or ineffectiveness) of their current network security measures. Because of its clandestine approach, penetration testing is also used to improve executive management's security awareness and can demonstrate the need to fund security-related projects. Any Infosec manager knows how hard it can be to sell the value of an abstract security program or project. When concepts like PKI, SSO or ESM are discussed, it isn't long before the CEO's eyes start to glaze over in disinterest. A structured penetration test, however, can quickly demonstrate just how easily host systems can be compromised, and illustrate in black and white what the potential consequences of such a breach might be.

A Zero-Knowledge Attack - performed by testers who have no real information about the target environment, is designed to provide the most realistic penetration test possible. It usually includes gathering a significant amount of information about the target system before launching an attack. Typically, an independent third party performs this type of exercise because internal security personnel are too knowledgeable of their own environment to have anything close to "zero knowledge." A full-knowledge attack, on the other hand, is performed with the tester having as much information about the target environment as possible. It's designed to simulate an attacker who has intimate knowledge of the target organization's systems, such as a real employee. Simply put, all the security information related to an environment (network diagrams, technology inventory, etc.) is considered when formulating the attack target and methodology. It's a "take your best shot" approach to breaking the security barriers. While this approach has certain advantages, there are also inherent risks involved with full-knowledge attacks, particularly when they're performed by (or under the supervision of) an inside employee (see "Hacker School," below).

Hacker School? - Penetration testing can be a valuable tool in any organization's information security program. However, be aware of the risks that could undermine the benefits yielded by an intrusion exercise. By purposely exposing a system to penetration testing, particularly testing by third-party consultants, you run the risk of temporarily or permanently damaging your systems, exposing your security weaknesses to the outside world, training your own staff in penetration techniques and building overconfidence through incomplete or incorrect test results. Only skilled, experienced professionals who use clearly defined parameters and objectives should perform penetration testing. Unfortunately, penetration testing is fertile territory for "hackers in training." The hiring of ill-equipped or inexperienced testers could have disastrous results for your organization. There are numerous examples of amateur or malicious hackers crashing networks, disclosing confidential information and destroying valuable digital assets.

While third-party testing can provide objective results, organizations could fall prey to unscrupulous testers who will use a simulation to find vulnerabilities for their own purposes. Before an organization knows it, it could fall victim to a well-targeted intrusion that results in the loss of proprietary information or assets. Some organizations may try to insulate themselves against unscrupulous penetration testers by having their IT staff supervise the exercise, but this could also backfire. The contracted testers could very well train their in-house supervisors in the skills and techniques needed for malicious attacks. Lastly, a single test provides only a snapshot of your organization's security profile, not a top-to-bottom review of your system's defenses. The risk is that management will take the results of a single test at greater than face value, believing their system is secure if no serious holes are found in the initial review. This overconfidence could leave holes unaddressed and vulnerable to future attacks.

What Do You Want to Accomplish? - The penetration test should have clearly defined methodologies and goals. The target can be specific, such as payroll information stored in a SQL Server database, or more general, like a Web server. Lucrative or high-profile targets are often referred to as a "trophy selection." If the goal of the penetration test is to raise awareness of security risks, the tester will usually target high-impact trophies, such as the corporate Web site or databases housing corporate intellectual property. While target selection is important, the methodology or techniques to be used during testing are often overlooked. Consider that the goal of penetration testing is to mimic real-world attacks. Whom are you worried about? A bored 15-year-old or a temporary employee? A competitor's spy or a nation-state? Pinpointing the nature of the threat behind an attack allows the penetration team to emulate that threat.

For the most useful results, a penetration team should use the same methodology or techniques that a specific adversary would. While it's nearly impossible to have a thorough understanding of all of the threats, they can be broken down into four broad categories: script kiddie, malicious insider, temporary employee, and "über hacker." For example, a security manager at a pharmaceutical company might be concerned about the security threat posed by animal rights activists acting as temporary employees. A simulated attack on her network would give the penetration team the same accesses and credentials as a temporary employee. Likewise, if the threat were an über hacker, someone with extensive hacking skills and experience, the simulation would measure the response to unknown attack vectors.

Penetration Testing Methodology - Whether you outsource the penetration exercise or perform the tests yourself, it's important to follow a structured methodology. To ensure a thorough and safe execution of a penetration test, the tester should execute the following steps: discovery, enumeration, vulnerability mapping and exploitation.

Discovery - No matter what environment is being tested, it's important to obtain as much information as possible about the target organization within a reasonable period of time. Typically, this is referred to as "footprinting," and it's often the most important (yet overlooked) component of zero-knowledge attacks. The Internet is a good source for all sorts of footprint information, including mirroring the target's Web site with tools such as wget or Teleport Pro, which create mirror twins (or close copies) of the target Web site (for links to the tools mentioned in this article, see the Tester's Toolkit at the end). In addition, the tester can perform thorough searches of the various whois databases, which often reveal many more Internet connections than the organization expects. It is important to leverage Usenet postings using search sites such as www.dogpile.com. Many organizations are amazed by how willing their employees are to divulge information that is useful to an attacker. For network-based attacks, you can use mass ping sweep utilities such as fping or icmpenum to determine which potential targets are responding to network traffic. These utilities fire off ICMP packets against specific ranges of addresses to determine what systems are hidden away. Of course, a healthy dose of nmap, the king of port scanning utilities, will help identify all those pesky open TCP and UDP ports.

Enumeration - Once specific domain names, networks and systems have been identified through discovery, the penetration tester should gain as much information as possible about each one. The key difference between discovery and enumeration is the level of intrusiveness. Enumeration involves actively trying to obtain user names, network share information and application version information of running services (e.g., IIS 4.0, Apache 1.3.X, BIND 8.2.1). This information is obtainable by connecting to the various platforms and extracting data through mechanisms such as anonymous connections and banner grabbing. For example, an inordinate amount of information can be gleaned from an unsecured Windows NT/2000 system just by using a null session (also called an "anonymous" connection; see Microsoft Q143474). This can be performed manually or with tools like gnit. Other enumeration techniques include simple banner grabbing with netcat. In addition, user names can be gleaned from many systems and used during the exploitation phase to circumvent security barriers.

Vulnerability Mapping - Vulnerability mapping, one of the most important phases of penetration testing, occurs when security practitioners map the profile of the environment to publicly known (or, in some cases, unknown) vulnerabilities. The tester's most mundane but critical work is performed during the discovery and enumeration phases; if that groundwork is executed haphazardly, the vulnerability-mapping phase will be less effective. One method that can be used to accomplish this task is mapping specific system attributes against publicly available sources of vulnerability information, such as Bugtraq, Computer Emergency Response Team (CERT) advisories and vendor security alerts. For example, if you find a target Linux system running BIND 8.2.1, a popular DNS server, you need to determine if there are vulnerabilities associated with this version. A quick check of CERT's BIND advisories (www.cert.org/advisories/CA-99-14-bind.html) will reveal any known buffer overflows that could make it vulnerable to attack. Although this is a tedious process, it can provide a thorough analysis of potential weaknesses without actually exploiting the target system. Remember, only script kiddies skip the vulnerability-mapping stage by throwing everything including the kitchen sink at a system, without knowing how or why an exploit works or doesn't work. For instance, many real-life attackers use Unix exploits against a Windows NT system. Needless to say, these sophomoric assaults are unsuccessful.
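The mapping step described above, as an added example that is not code from the original article: it parses the kinds of banners collected during enumeration (the BIND, Apache and IIS version strings mentioned earlier), compares numeric version tuples against an advisory table, and reports what still needs manual research. The advisory table holds only the BIND entry from the article's CA-99-14 example; in practice it is filled from Bugtraq, CERT and vendor alerts. The host addresses and banners are constructed sample data.

```python
"""Vulnerability mapping: match enumerated service banners against an
advisory table. Added example, not code from the original article.

ADVISORIES holds only the BIND entry the article discusses (CERT CA-99-14,
affecting BIND 8.2 up to but not including 8.2.2). All host addresses and
banners below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    product: str          # normalised product name, as returned by parse_banner()
    affected_min: tuple   # first affected version, inclusive
    fixed_in: tuple       # first fixed version, exclusive
    reference: str        # where the mapping came from


ADVISORIES = [
    # Version bounds follow the article's BIND 8.2.1 example and the CA-99-14 advisory.
    Advisory("bind", (8, 2, 0), (8, 2, 2),
             "CERT CA-99-14 (www.cert.org/advisories/CA-99-14-bind.html)"),
]

# Banner shapes produced by banner grabbing and version.bind queries.
BANNER_PATTERNS = {
    "bind":   re.compile(r"\bBIND[ /](\d+(?:\.\d+)*)", re.IGNORECASE),
    "apache": re.compile(r"\bApache/(\d+(?:\.\d+)*)"),
    "iis":    re.compile(r"Microsoft-IIS/(\d+(?:\.\d+)*)"),
}


def parse_version(text: str) -> tuple:
    """'8.2.1' -> (8, 2, 1). Integer tuples compare correctly ('8.2.10' > '8.2.9'),
    unlike a plain string comparison."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(banner: str) -> Optional[tuple]:
    """Return (product, version_tuple), or None for an unrecognised banner."""
    for product, pattern in BANNER_PATTERNS.items():
        m = pattern.search(banner)
        if m:
            return product, parse_version(m.group(1))
    return None


def _pad(version: tuple, length: int) -> tuple:
    return version + (0,) * (length - len(version))


def is_affected(version: tuple, adv: Advisory) -> bool:
    """affected_min <= version < fixed_in, padding so '8.2' compares as '8.2.0'."""
    n = max(len(version), len(adv.affected_min), len(adv.fixed_in))
    v = _pad(version, n)
    return _pad(adv.affected_min, n) <= v < _pad(adv.fixed_in, n)


def map_vulnerabilities(records, advisories=ADVISORIES):
    """records: iterable of (host, port, banner). Returns one dict per record
    with a status the tester can act on; 'no advisory data' means research,
    not safety."""
    results = []
    for host, port, banner in records:
        parsed = parse_banner(banner)
        if parsed is None:
            results.append({"host": host, "port": port, "product": None, "version": None,
                            "status": "unrecognised banner", "references": []})
            continue
        product, version = parsed
        candidates = [a for a in advisories if a.product == product]
        hits = [a.reference for a in candidates if is_affected(version, a)]
        if hits:
            status = "affected"
        elif candidates:
            status = "not affected by listed advisories"
        else:
            status = "no advisory data (research manually)"
        results.append({"host": host, "port": port, "product": product,
                        "version": ".".join(map(str, version)),
                        "status": status, "references": hits})
    return results


# Constructed enumeration results for the demonstration.
SAMPLE_RECORDS = [
    ("10.0.0.5", "53/udp", "version.bind: BIND 8.2.1"),
    ("10.0.0.6", "53/udp", "version.bind: BIND 8.2.2"),
    ("10.0.0.7", "80/tcp", "Server: Apache/1.3.12 (Unix)"),
    ("10.0.0.8", "80/tcp", "Server: Microsoft-IIS/4.0"),
    ("10.0.0.9", "25/tcp", "220 mail.example.test ESMTP ready"),
]

if __name__ == "__main__":
    for r in map_vulnerabilities(SAMPLE_RECORDS):
        print(r["host"], r["port"], r["product"], r["version"], "->", r["status"], r["references"])
```

Two outcomes deserve attention: a parsed version with no advisory data is reported as needing research rather than as clean, which avoids the false sense of security the Test Limitations section warns about, and versions are compared as integer tuples because a string comparison would rank 8.2.10 below 8.2.9.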

Exploitation - The exploitation phase begins once the target system's vulnerabilities are mapped. The penetration tester will attempt to gain privileged access to a target system by exploiting the identified vulnerabilities. This may take the form of launching a password guessing attack using user names collected during the enumeration phase. (A fantastic resource of known/default accounts and associated passwords is located at www.securityparadigm.com/defaultpw.htm.) For example, published exploit code (http://packetstorm.securify.com/9911-exploits/adm-nxt.c) can be used to exploit the buffer overflow vulnerability noted above in the BIND example. Whatever the method used, the goals of the test are user-level and privileged access.
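The discovery and exploitation steps above (ping sweeps with fping or icmpenum, port scans with nmap, and password guessing with enumerated user names) are also what an organization's response team needs to be able to see in its logs during the exercise. The detection logic below is an added example, not code from the original article; the firewall and sshd log line formats, addresses and account names are constructed for the demonstration, and the thresholds are illustrative values a defender would tune to their own environment.

```python
"""Detection logic for the discovery (ping sweep, port scan) and exploitation
(password guessing) activity the article describes, run over sample log
lines. Added example, not from the original article; log formats, addresses
and user names are constructed and do not come from any real product."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed formats: "<iso-ts> DENY icmp <src> -> <dst>", "<iso-ts> DENY tcp <src> -> <dst>:<port>"
# and "<iso-ts> sshd: Failed password for <user> from <src>".
FW_RE = re.compile(r"^(?P<ts>\S+) (?:ALLOW|DENY) (?P<proto>icmp|tcp|udp) "
                   r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>[\d.]+)$")


def _epoch(ts: str) -> float:
    return datetime.fromisoformat(ts).timestamp()


def fan_out_alerts(events, window, threshold, kind, distinct=True):
    """events: (ts, key, value) triples. Raise one alert per key when, within
    `window` seconds, the key has touched >= threshold distinct values
    (distinct=True: sweeps, scans, spraying) or produced >= threshold events
    at all (distinct=False: repeated failures against one account)."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ts, key, value in sorted(events, key=lambda e: e[0]):
        q = recent[key]
        q.append((ts, value))
        while ts - q[0][0] > window:        # drop entries older than the window
            q.popleft()
        count = len({v for _, v in q}) if distinct else len(q)
        if count >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"type": kind, "key": key, "count": count, "at": ts})
    return alerts


def _fw_events(lines):
    for line in lines:
        m = FW_RE.match(line)
        if m:
            yield m


def detect_sweeps(fw_lines, window=60, threshold=10):
    """Ping sweep (fping/icmpenum style): one source, many ICMP destinations."""
    events = [(_epoch(m["ts"]), m["src"], m["dst"])
              for m in _fw_events(fw_lines) if m["proto"] == "icmp"]
    return fan_out_alerts(events, window, threshold, "icmp sweep")


def detect_port_scans(fw_lines, window=60, threshold=15):
    """Port scan (nmap style): one source/destination pair, many ports."""
    events = [(_epoch(m["ts"]), (m["src"], m["dst"]), int(m["dport"]))
              for m in _fw_events(fw_lines) if m["dport"]]
    return fan_out_alerts(events, window, threshold, "port scan")


def detect_password_guessing(auth_lines, window=300, threshold=5):
    """Two shapes of guessing with enumerated user names: one source trying
    many accounts (spraying) and one source hammering a single account."""
    parsed = [m for m in (AUTH_RE.match(line) for line in auth_lines) if m]
    spray = [(_epoch(m["ts"]), m["src"], m["user"]) for m in parsed]
    brute = [(_epoch(m["ts"]), (m["src"], m["user"]), None) for m in parsed]
    return (fan_out_alerts(spray, window, threshold, "password spraying")
            + fan_out_alerts(brute, window, threshold, "brute force", distinct=False))


# Constructed sample logs: one noisy tester (203.0.113.7/.8) plus benign traffic.
_T0 = datetime(2007, 10, 9, 10, 0, 0)


def _at(seconds):
    return (_T0 + timedelta(seconds=seconds)).isoformat()


SAMPLE_FW_LOG = (
    [f"{_at(i)} DENY icmp 203.0.113.7 -> 10.0.0.{i}" for i in range(1, 13)]          # sweep of 12 hosts
    + [f"{_at(30)} ALLOW icmp 198.51.100.2 -> 10.0.0.1"]                             # a single benign ping
    + [f"{_at(100 + p)} DENY tcp 203.0.113.7 -> 10.0.0.5:{p}" for p in range(20, 41)]  # 21 ports on one host
    + [f"{_at(150)} ALLOW tcp 198.51.100.2 -> 10.0.0.5:80"]                          # normal web request
)
SAMPLE_AUTH_LOG = (
    [f"{_at(200 + 10 * i)} sshd: Failed password for {u} from 203.0.113.7"
     for i, u in enumerate(["admin", "guest", "test", "operator", "backup", "www"])]
    + [f"{_at(400 + i)} sshd: Failed password for root from 203.0.113.8" for i in range(6)]
    + [f"{_at(500)} sshd: Failed password for alice from 192.0.2.9",
       f"{_at(520)} sshd: Failed password for alice from 192.0.2.9"]                # a user mistyping
)

if __name__ == "__main__":
    for alert in (detect_sweeps(SAMPLE_FW_LOG) + detect_port_scans(SAMPLE_FW_LOG)
                  + detect_password_guessing(SAMPLE_AUTH_LOG)):
        print(alert)
```

The same windowed counter serves all three detections; what changes is the key and the value being counted (source to destination hosts, source/destination pair to ports, source to account names). Counting distinct account names per source is what catches guessing spread thinly across the enumerated user list, which a per-account failure counter alone would miss.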

Advantages of Penetration Testing - Penetration testing is a useful tool for vividly illustrating the potential impact of exploited security vulnerabilities. Show any CEO a printout of their company's payroll or an audit, and chances are they'll recognize the need for improvements in security. For the test results to have maximum impact, the tester needs to put them in terms easily understood by the target organization's management. Many non-technical managers either don't care or won't understand the need for systems security until the consequences of an attack are spelled out in plain language. A tester needs to detail the potentially costly and damaging ramifications, ranging from loss of records to loss of business, should someone gain access to an organization's systems in the same manner as the testing team. Penetration tests are ideal for testing detection and response capabilities. Given that most computer emergency response teams are woefully unprepared and inexperienced, the penetration test provides a great opportunity to gain experience in a consequence-free exercise. Penetration tests are a great tool for determining the current security posture of an organization. A new CIO will often order a penetration test to get a quick understanding, or "snapshot," of problem areas. The results will provide direction on allocating limited resources.

Test Limitations - Despite its advantages, penetration testing has several limitations. A typical penetration exercise is not a comprehensive evaluation of security, since many security issues and configuration problems may not be identified. If the limited nature of penetration tests is not understood, the exercise can give an organization a false sense of security. For instance, if a host is not compromised during network attacks, the penetration testers will not be able to check its configuration for privilege-escalation vulnerabilities. Moreover, the results of a test only reflect the security status for the testing period. Even minor administrative and architectural changes to the environment performed only moments after a penetration test could alter the system's security profile. It may be obvious, but it's still worth stating: A penetration test is only as good as the people conducting it. The difference between identifying potential vulnerabilities and gaining interactive remote access to hosts requires a quantum leap in skill level.

Commercial vulnerability scanners and free information-gathering tools provide the average systems administrator with the ability to identify potential vulnerabilities. Exploiting those vulnerabilities, escalating privileges and leveraging vulnerabilities in a complex, heterogeneous network environment requires highly skilled, experienced individuals. Teams with diverse, complementary skill sets usually perform the best penetration tests.

Future of Penetration Testing - While the media focuses a lot on network and operating system vulnerabilities, the future of penetration testing is at the application level. Most organizations have or plan to deploy e-commerce-related applications. These plans include transactional Web servers with back-end databases and connections to various systems within an organization. The old-school mentality of "put a firewall up to keep people out" doesn't work in today's environment. While most sites have some sort of firewall, attackers can breach security barriers by exploiting vulnerabilities in the various Web-facing applications. Testing these apps is a difficult and time-consuming task because each environment has a slightly different implementation.

The requisite skills necessary to perform these specialized reviews include extensive knowledge of Web technologies, such as HTML, ASP, Java, JavaScript, cookies, Perl, VB scripting, SQL and CGI programming, to name a few. There is a prodigious gap in the skill level needed to perform traditional network and operating system testing vs. a structured e-commerce application penetration review. Systems managers should choose wisely when selecting a vendor to test an e-commerce application environment. Remember: The browser is the new millennium's security weapon.

GARY NEUBAUER, founder of vSpaceLab, has over 12 years of experience as an Infosec Engineer and Network Security Consultant.

Tester's Toolkit

Bugtraq - www.bugtraq.com
Computer Emergency Response Team (CERT) - www.cert.org
fping - http://packetstorm.security.com
gnit - http://security.ellicit.org/programs/
icmpenum - www.nmrc.org/files/sunix/icmpenum-1.1.1.tgz
Nessus - The Nessus Project - www.nessus.org
netcat - http://nmrc.org/files/sunix/icmpenum-1.1.1.tgz
nmap - www.insecure.org/nmap
Penetration Testers List - www.securityfocus.com
SAINT - www.wwdsi.com/saint
Teleport Pro (Tenmax) - www.tenmax.com/teleport/pro/home.htm
wget - http://sunsite.auc.dk/wget

whois sites
- www.crsnic.net/whois/
ARIN - www.arin.net
SamSpade - www.samspade.org

