Domain 3C: Security Assessment Activities
To ensure the privacy of login information as well as the contents of client-to-server transactions, use SSH (Secure Shell) to log in to hosts remotely instead of Telnet.
Social Engineering and Low-Tech Reconnaissance
Before attackers or testers make an attempt on the organization's systems, they can learn about the target using low-technology techniques such as:
- Directly visiting a target's web server and searching through it for information.
- Viewing a webpage's source for information about what tools might have been used to construct or run it.
- Accessing employee contact information.
- Obtaining corporate culture information to pick up internally used lingo and product names.
- Identifying business partners.
- Googling a target. Attackers perform reconnaissance by using search engines that have previously indexed a target site. The attacker can search for files of a particular type that may contain information they can use for further attacks. Google and other search engines can be very powerful tools to a cracker because of the volume of data the search engines are able to organize. Example: search a particular website for spreadsheet files containing the word "employee," "address," or "accounting."
- Dumpster diving to retrieve improperly discarded computer media and paper records for gleaning private information about an organization. Besides paper, this can include the following hardware:
  - Computer hard drives and removable media (floppies, USB drives, CDs, etc.) thrown away or sold without properly degaussing them to remove all private information.
  - Equipment (routers, switches, and specialized data processing devices) discarded without the configuration data being removed without a trace.
- Shoulder surfing, which means furtively collecting information by standing within view of a person typing a password or other sensitive information (e.g., someone else's password).
- Engaging in social engineering using the telephone. Attackers often pose as an official technical support person or fellow employee and attempt to build a rapport with a user through small talk. The attacker may ask for the user's assistance with (false) troubleshooting "tests" aimed at helping the attacker collect information about the system. If the attacker finds a particularly "helpful" user, he might be bold enough to ask for their username and password because "we've been having trouble with the router gateway products interfacing with the LDAP directories where the username and password are stored, and we think it is getting corrupted as it passes over the network... So if you could just tell me what it is, that would be great," or some such nonsense aimed at gaining the user's confidence. The other possible scenarios that can be used with social engineering to gain information are limited only by the security practitioner's imagination.
- Conducting Usenet searches. Usenet postings can give away information about a company's internal system design and problems that exist within systems. For example: "I need advice on my firewall. It is an XYZ brand system, and I have it configured to do this, that, and the other thing. Can anyone help me?—signed joe@big_company_everyone_knows.com."
Security Monitoring Testing
The following traffic types and conditions are those the security practitioner should consider testing for in an IDS environment, as vulnerability exploits can be contained within any of them:
- Data patterns contained within single packets
- Data patterns contained within multiple packets
- Obfuscated data
- Fragmented data
- Protocol-embedded attacks
- Flooding detection
To gauge the security effectiveness of authorized APs:
- Discover authorized APs using the tools described herein and ensure they require encryption.
- Ensure discovered APs meet other policy requirements such as the type of authentication (802.1x or other), SSID naming structure, and MAC address filtering.
- Ensure APs have appropriate layer 2 Ethernet type filters, layer 3 protocol filters, and layer 4 port filters (to match the organization's configuration procedures) so that untrusted wireless traffic coming into the AP is limited to only that which is needed and required.
Penetration Test Software Tools
- Do not let tools drive the security testing. Develop a strategy and pick the right tool mix for discovery and testing based on the overall testing plan.
- Use tools specific to the testing environment. For example, if the aim is to test the application of operating system patches on a particular platform, analyze the available ways the security practitioner might accomplish this process by seeing what the vendor offers and compare this against third-party tools. Pick tools that offer the best performance tempered with the budget constraints.
- Tool functions often overlap. The features found on one tool may be better than those on another.
- Security testing tools can make mistakes, especially network-based types that rely on circumstantial evidence of vulnerability. Further investigation is often necessary to determine if the tool interpreted an alleged vulnerability correctly.
- Placement of probes is critical. When possible, place them on the same segment the security practitioner is testing so that filtering devices and intrusion detection systems do not alter the results (unless the security practitioner is planning to test how intrusion detection systems react).
- Network tools sometimes negatively affect uptime; therefore, these tests should often be scheduled for off-hours execution because they can potentially cause the following to occur:
  - Increasing the network traffic load
  - Affecting unstable platforms that react poorly to unusual inputs
The SSCP should do the following:
- Ensure that antivirus and antimalware software is installed and is up to date with the latest scan engine and pattern file offered by the vendor.
- Use products that encourage easy management and updates of signatures; otherwise, the systems may fail to be updated, rendering them ineffective against new exploits. Use products that centralize reporting of problems to spot problem areas and trends.
- Use system logging. Logging methods are advisable to ensure that system events are noted and securely stored, in the event they are needed later.
- Subscribe to vendor information. Vendors often publish information regularly, not only to keep their name in front of the security practitioner but also to inform the security practitioner of security updates and best practices for configuring their systems. Other organizations such as Security Focus (http://www.securityfocus.com) and CERT (http://www.cert.org) publish news of vulnerabilities. Some tools also specialize in determining when a system's software platform is out of compliance with the latest patches.
Sample baseline for Internet perimeter systems: edge routers
- For management—Telnet disabled; SSH enabled.
- An authentication system that verifies that the person logging onto the router (for managing it) is who they say they are; accomplished with a one-time password system.
- An authorization system that verifies that the logged-on administrator has the privileges to perform the management routines they are attempting to invoke.
- An accounting system that tracks the commands that were invoked; this forms the audit trail.
- Basic intrusion detection signature recognition functionality.
- Syslog event reporting to an internal host.
- Blocking of RFC1918 (non-routable) addresses and packets sourced from 0.0.0.0, inbound and outbound.
- Blocking of inbound MS networking, MS SQL communication, TFTP, Oracle SQL*Net, DHCP, and all types of ICMP packets except for path MTU and echo replies. It should be noted that some of these ports may be necessary for business operations, and they must be examined on a case-by-case basis before blocking.
Sample baseline for Internet perimeter systems: firewalls
- For management—Telnet disabled; SSH or SSL enabled.
- An authentication system that verifies that the person logging onto the firewall (for managing it) is who they say they are; accomplished with a one-time password system.
- An authorization system that verifies that the logged-on administrator has the privileges to perform the management routines they are attempting to invoke.
- An accounting system that tracks the commands that were invoked (this forms the audit trail).
- Event report logging to an internal host.
- Network address translation functionality, if required, is working properly.
- Enabling inbound transmissions from anywhere to the organizational web server, FTP server, SMTP mail server, and e-commerce server (for example).
- Enabling inbound transmissions back to internal users that originally established the connections.
- Enabling outbound HTTP, HTTPS, FTP, and DNS from anyone on the inside (if approved in the policy).
- Enabling outbound SMTP from the mail server to any other mail server.
- Blocking all other outbound access.
Vulnerability testing software is often placed into two broad categories:
- General vulnerability
- Application-specific vulnerability
Benefits of vulnerability testing include:
- It identifies system vulnerabilities.
- It allows for the prioritization of mitigation tasks based on system criticality and risk.
- It is considered a useful tool for comparing security posture over time, especially when done consistently each period.
Disadvantages of vulnerability testing include:
- It may not effectively focus efforts if the test is not designed appropriately. Sometimes testers bite off more than they can chew.
- It has the potential to crash the network or host being tested if dangerous tests are chosen. (Innocent and noninvasive tests have been known to cause system crashes.)
Advanced firewall testing will test a device's ability to perform the following (this is a partial list and is a function of the firewall's capabilities):
- Limit TCP port scanning reconnaissance techniques (explained earlier in this domain), including SYN, FIN, XMAS, and NULL, via the firewall.
- Limit ICMP and UDP port scanning reconnaissance techniques.
- Limit overlapping packet fragments.
- Limit half-open connections to trusted-side devices. Attacks like these are called SYN attacks: the attacker begins the process of opening many connections but never completes any of them, eventually exhausting the target host's memory resources.
Scanner Tools
- Nessus open source scanner—http://www.tenable.com/products/nessus
- eEye Digital Security's Retina—http://www.beyondtrust.com/Products/RetinaNetworkSecurityScanner/
- SAINT—http://www.saintcorporation.com/
For a more in-depth list, see http://sectools.org/web-scanners.html
Disabling Insecure Services
Certain programs used on systems are known to be insecure, cannot be made secure, and are easily exploitable; therefore, use only secure alternatives. These applications were developed for private, secure LAN environments, but as connectivity proliferated worldwide, their use has been taken to insecure communication channels. Their weaknesses fall into three categories:
- They usually send authentication information unencrypted. For example, FTP and Telnet send usernames and passwords in the clear.
- They usually send data unencrypted. For example, HTTP sends data from client to server and back again entirely in the clear. For many applications, this is acceptable; however, for some it is not.
- SMTP also sends mail data in the clear unless it is secured by the application (e.g., the use of Pretty Good Privacy [PGP] within Outlook).
To search for rogue (unauthorized) access points, the security practitioner can use some of the following techniques:
- Use a network vulnerability scanner with signatures that specifically scan for MAC addresses (of the wired port) of vendors that produce AP units, and then attempt to connect to that interface on an HTTP port. If the unit responds, analyze the web code to determine if it is a webpage related to the management of the AP device. This requires periodic scanning and will leave the organization vulnerable until the next scan.
- Use a laptop or handheld unit loaded with software that analyzes 802.11x radio frequency (RF) transmissions for SSIDs and WAP wired-side MAC addresses that do not belong to the company or are not authorized. Make sure discovery tools pick up all bands and 802.11x types; that is, if the security practitioner only tests for 802.11b, the security practitioner may miss rogue 802.11a units. This requires periodic scanning by physically walking through the organization's grounds and will leave the organization vulnerable until the next scan.
- Up-and-coming solutions allow authorized APs and wireless clients to detect unauthorized RF transmissions and "squeal" on the rogue access point. This information can be used to automatically disable the infrastructure switch port to which a rogue has connected.
Security Gateway Testing
Gateways perform their analysis on the communications passing through them based on a set of rules supplied by the organization—rules driven by policy—and pass them along if they are deemed appropriate and exploitation-free, or block them if they are not. Security gateway types include the following:
- Antivirus Gateways—These systems monitor for viruses contained within communications of major application types like web traffic, e-mail, and FTP.
- Java/ActiveX Filters—These systems screen communications for these components and block or limit their transmission.
- Web Traffic Screening—These systems block web traffic to and from specific sites or sites of a specific type (gambling, pornography, games, travel and leisure, etc.).
Examining Applications for Weakness
Applications should prevent privilege escalation and buffer overflows and a myriad of other threatening problems. However, this is not always the case, and applications need to be evaluated for their ability not to compromise a host. Insecure services and daemons that run on hardened hosts may by nature weaken the host. Applications should come from trusted sources. Similarly, it is inadvisable to download executables from websites the security practitioner knows nothing about. Executables should be hashed and verified with the publisher. Signed executables also provide a level of assurance regarding the integrity of the file.
Phase 3: Information Evaluation and Risk Analysis
Before active penetration, the security practitioner needs to evaluate the findings and perform risk analysis on the results to determine which hosts or services the security assessor is going to try to actively penetrate. The security practitioner should not perform an active penetration on every host until the organization has fully completed Phase 2. The security practitioner must also identify the potential business risks associated with performing a penetration test against particular hosts. The security practitioner can and probably will interrupt normal business processes if they perform a penetration test on a production system. The business leaders need to be made aware of that fact, and they need to be involved in making the decision on which devices to actively penetrate.
Weeding Out False Positives
Even if a scanner reports a service as vulnerable or missing a patch that leads to vulnerability, the system is not necessarily vulnerable. Accuracy is a function of the scanner's quality, that is, how complete and concise the testing mechanisms are built (better tests equal better results), how up to date the testing scripts are (fresher scripts are more likely to spot a fuller range of known problems), and how well it performs OS fingerprinting (knowing which OS the host runs helps the scanner pinpoint issues for applications that run on that OS). Double-check the scanner's work. Verify that a claimed vulnerability is an actual vulnerability. Good scanners will reference documents to help the security practitioner learn more about the issue.
Problems that may arise when using vulnerability analysis tools include:
- False positives
- Crash exposure
- Temporal information
To lock down the enterprise from the possibility of rogue APs, the security practitioner can do the following:
Enable MAC address filtering on the infrastructure switches. This technique matches each port to a known MAC address. If someone plugs in an unapproved MAC to a switch port expecting another MAC address, the AP will never be able to join the network from the wired side unless it has its MAC changed.
Firewall and Router Testing
Firewalls are designed to be points of data restriction (choke points) between security domains. They operate on a set of rules driven by a security policy to determine what types of data are allowed from one side to the other (point A to point B) and back again (point B to point A). Similarly, routers can also serve some of these functions when configured with access control lists (ACLs). Organizations deploy these devices to not only connect network segments together but also to restrict access to only those data flows that are required. This can help protect organizational data assets. Routers with ACLs, if used, are usually placed in front of the firewalls to reduce the noise and volume of traffic hitting the firewall. This allows the firewall to be more thorough in its analysis and handling of traffic. This strategy is also known as layering or defense in depth.
Making Sure File System Permissions are as Tight as Possible
For UNIX-based systems, remove all unnecessary SUID (set user ID) and SGID (set group ID) programs, which embed the ability for a program running in one user context to access another program. This ability becomes even more dangerous when the program runs with root user permissions as part of its normal operation. For Windows-based systems, use the Microsoft Management Console (MMC) "Security Configuration and Analysis" and "Security Templates" snap-ins to analyze and secure multiple features of the operating system, including audit and policy settings and the registry.
Grey Box
Grey box testing involves giving some information to the penetration testing team. Sometimes this may involve publicly discoverable information, and it may also include some information about systems inside the protective boundaries of the organization. Grey box testing allows the penetration testing team to focus on attacking the organization and trying to get access, reducing the time spent on discovery. Organizations that feel they have a good grasp on what is publicly available about them often use this approach to maximize the resources focused on specific system attacks.
Another technique for mapping a network is commonly known as "firewalking," which uses traceroute techniques to discover which services a filtering device like a router or firewall will allow through. These tools generally function by transmitting TCP and UDP packets on a particular port with a time to live (TTL) equal to at least one greater than the targeted router or firewall. If the target allows the traffic, it will forward the packets to the next hop. At that point, the traffic will expire as it reaches the next hop, and an ICMP_TIME_EXCEEDED message will be generated and sent back out of the gateway to the test host. If the target router or firewall does not allow the traffic, it will drop the packets and the test host will not see a response. Available firewalking tools include:
- Hping—http://www.hping.org/
- Firewalk—http://www.tucows.com/preview/8046
Network mapping can involve a variety of techniques for probing hosts and ports. Several common techniques are:
- ICMP Echo Requests (ping)—If the security practitioner pings a host and it replies, it is alive (i.e., up and running). This test does not show what individual services are running. Be aware that many networks block incoming echo requests. If the requests are blocked and the security practitioner pings a host and it does not reply, the security practitioner has no way of knowing whether it is actually running, because the request is blocked before it gets to the destination.
- TCP Connect Scan—A connect scan can be used to discover TCP services running on a host even if ICMP is blocked. This type of scan is considered "noisy" (noticeable to logging and intrusion detection systems) because it goes all the way through the connection process. This basic service discovery scan completes a TCP session setup by sending a SYN packet to a target, receiving the SYN/ACK from the target when the port is listening, and then sending a final ACK back to the target to establish the connection. At this point, the test host is "connected" to the target. Eventually the connection is torn down because the tester's goal is not to communicate with the port but only to discover whether it is available.
- TCP SYN Scan—SYN scanning can be used to discover TCP services running on a host even if ICMP is blocked. SYN scanning is considered less noisy than connect scans. It is referred to as "half-open" scanning because, unlike a connect scan (above), the security practitioner does not open a full TCP connection. The test host directs a TCP SYN packet at a particular port as if it were going to open a real TCP connection to the target host. A SYN/ACK from the target indicates the host is listening on that port. An RST from the target indicates that it is not listening on that port. If a SYN/ACK is received, the test host immediately sends an RST to tear down the connection to conserve resources on both the test and target host sides. Firewalls often detect and block these scan attempts.
- TCP FIN Scan—FIN scanning can be used to discover TCP services running on a host even if ICMP is blocked. FIN scanning is considered a stealthy way to discover if a service is running. The test host sends a TCP packet with the FIN bit on to a port on the target host. If the target responds with an RST packet, the security practitioner may assume that the target host is not using the port. If the host does not respond, it may be using the port that was probed. Caveats to this technique are Microsoft, Cisco, BSDI, HP/UX, MVS, and IRIX-based hosts that implement their TCP/IP software stack in ways not defined by the standard. These hosts may not respond with an RST when probed by a FIN. However, if the security practitioner follows up a nonreply from one of these systems with, for example, a SYN scan to that port and the host replies, the security practitioner has determined that the host is listening on the port being tested and has narrowed down the possible operating systems (see OS fingerprinting).
- TCP XMAS Scan—XMAS scans are similar to a FIN scan (and similarly stealthy), but they additionally turn on the URG (urgent) and PSH (push) flags. The goal of this scan is the same as a TCP FIN scan. The additional flags might make a packet be handled differently than a standard packet, so the security practitioner might see different results.
- TCP NULL Scan—NULL scans are similar to a FIN scan (also stealthy), but they turn off all flags. The NULL scan is similar to the others noted earlier; however, by turning off all TCP flags (which should never occur naturally), the packet might be handled differently, and the security practitioner may see a different result.
- UDP Scans—A UDP scan determines which UDP service ports are open on a host. The test machine sends a UDP packet on a port to the target. If the target sends back an ICMP port unreachable message, the target does not use that port. A potential problem with this methodology is the case where a router or firewall at the target network does not allow ICMP port unreachable messages to leave the network, making the target network appear as if all UDP ports are open (because no ICMP messages are getting back to the test host). Another problem is that many systems limit the number of ICMP messages allowed per second, which can make for a very slow scanning rate.
Intrusion Prevention Systems (IPS) Security Monitoring
IPSs are technical security controls designed to monitor and alert for the presence of suspicious or disallowed system activity within host processes and across networks and then take action on suspicious activities. As with an IDS, the security practitioner can use testing to confirm that the IPS detects traffic patterns and reacts as claimed by the vendor. When one is auditing an IPS, its position in the architecture is slightly different from that of an IDS; an IPS needs to be positioned inline with the traffic flow so the appropriate action can be taken. Some of the other key differences are as follows: The IPS acts on issues and handles the problems, while an IDS only reports on the traffic and requires some other party to react to the situation. The negative consequence of the IPS is that it is possible to reject good traffic, and there will only be the logs of the IPS to show why the good traffic is getting rejected. Many times, the networking staff may not have access to those logs and may find network troubleshooting more difficult.
Ensuring Least Privilege File System Permissions
Least privilege is the concept that describes the minimum number of permissions required to perform a particular task. This applies to services/daemon processes as well as user permissions. Often systems installed out of the box are at minimum security levels. Make an effort to understand how secure newly installed configurations are, and take steps to lock down settings using vendor recommendations.
Use patch reporting systems that evaluate whether systems have patches installed completely and correctly and which patches are missing.
Many vulnerability analysis tools have this function built into them, but be sure to understand how often the V/A tool vendor updates this list versus another vendor who specializes in patch analysis systems. Oftentimes, some vendors have better updating systems than others.
Mid-Tech Reconnaissance
Mid-tech reconnaissance includes several ways to get information that can be used for testing.
Whois Information—Whois is a system that records Internet registration information, including the company that owns the domain, administrative contacts, technical contacts, when the record of domain ownership expires, and the DNS servers authoritative for maintaining host IP addresses and their associated friendly names for the domains the security practitioner is testing. With this information, the security practitioner can use other online tools to dig for information about the servers visible on the Internet without ever sending a single probing packet at the Internet connection. The contact information provided by Whois can also be used for social engineering and war dialing. The following are example attacks:
- Using Whois, collect information about the DNS servers authoritative for maintaining host IP addresses for a particular domain.
- Using Whois, identify the administrative contact and his telephone number. Use social engineering on that person or security-unaware staff at the main telephone number to obtain unauthorized information.
- Using Whois, identify the technical contact and her area code and exchange (telephone number). Using war dialing software against the block of phone numbers in that exchange, the security practitioner attempts to make an unauthorized connection with a modem for the purpose of gaining backdoor entry to the system.
There are many sources for Whois information and tools, including:
- http://www.internic.net
- http://www.networksolutions.com
Wireless Tools
There are a variety of useful wireless tools available:
- Netstumbler (http://www.netstumbler.com)—Windows software that detects 802.11b information through RF detection, including SSID, whether communication is encrypted, and signal strength.
- Kismet (http://www.kismetwireless.net)—Linux software that detects 802.11b and 802.11a information through RF detection, including SSID, whether communication is encrypted, and signal strength. It features the ability to rewrite the MAC address on select wireless cards.
- Wellenreiter (http://sourceforge.net/projects/wellenreiter/?source=directory)—Linux software that detects wireless networks. It runs on Linux-based handheld PDA computers.
- Nessus (http://www.nessus.org)—Linux software for vulnerability assessment that includes 30-plus signatures to detect WAP units.
- Aircrack-NG (http://www.aircrack-ng.org/doku.php)—Aircrack-ng is an 802.11 WEP and WPA-PSK key-cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools. In fact, Aircrack-ng is a set of tools for auditing wireless networks.
Some programs can help evaluate a host's applications for problems. In particular, these focus on web-based systems and database systems:
- Nikto (http://www.cirt.net) evaluates web CGI systems for common and uncommon vulnerabilities in implementation.
- Web Inspect (http://www.purehacking.com.au) is an automated web server scanning tool.
- Trustwave (https://www.trustwave.com) evaluates applications, especially various types of databases, for vulnerabilities.
Available mapping tools include:
- Nmap—http://www.insecure.org
- Solarwinds—http://www.solarwinds.net
- Superscan—http://www.mcafee.com/us/downloads/free-tools/index.aspx
- Lanspy—http://lantricks.com/lanspy (only available for Windows 2000/XP/2003)
Vulnerability testing usually employs software specific to the activity and tends to have the following qualities:
- OS fingerprinting
- Stimulus and response algorithms
- Privileged logon ability
- Cross-referencing
- Update capability
- Reporting capability
Cross-Referencing
OS and applications/services (discovered during the port-mapping phase) should be cross-referenced to identify possible vulnerabilities. For example, if OS fingerprinting reveals that the host runs Red Hat Linux 8.0 and that portmapper is one of the listening programs, any pre-8.0 portmapper vulnerabilities can likely be ruled out. Keep in mind that old vulnerabilities have resurfaced in later versions of code even though they were patched at one time. While these instances may occur, the filtering based on OS and application fingerprinting will help the security practitioner better target systems and use the security practitioner's time more effectively.
Host Scanning
Organizations serious about security create hardened host configuration procedures and use policy to mandate host deployment and change. There are many ingredients to creating a secure host, but the security practitioner should always remember that what is secure today might not be secure tomorrow, because conditions are ever changing. There are several areas to consider when securing a host or when evaluating its security. These are discussed in the following sections.
Optimally, tools should verify that once a patch has been applied to remove a vulnerability, the vulnerability no longer exists.
Patch application sometimes includes a manual remediation component like a registry change or removing a user, and if the IT person applied the patch but did not perform the manual remediation component, the vulnerability may still exist.
Establishing and Enforcing a Patching Policy
Patches are pieces of software code meant to fix a vulnerability or problem that has been identified in a portion of an operating system or in an application that runs on a host.
Penetration testing consists of five different phases:
- Phase 1—Preparation
- Phase 2—Information gathering
- Phase 3—Information evaluation and risk analysis
- Phase 4—Active penetration
- Phase 5—Analysis and reporting
There are several pros and cons to consider with the grey box approach:
- Pros—The grey box approach provides the combined benefits of white and black box testing techniques and allows for the creation of really focused testing scenarios.
- Cons—Test coverage may be limited due to the level of access granted.
There are several pros and cons to consider with the black box approach
Pros—The security practitioner can get a better overall view of the network's real responses without someone being prepared for the testing. Cons—The staff may take the findings personally and show disdain to the testing team and management.
There are several pros and cons to consider with the white box approach
Pros—The security practitioner should get good reaction and support from the organization being tested, and fixes can occur more rapidly. It is also good to use as a dry run for testing the organization's incident response procedures. Cons—An inaccurate picture of the organization's network response capabilities may appear because the organization is prepared for the "attack."
Phase 2: Reconnaissance and Network Mapping Techniques
Reconnaissance—Collecting information about the organization from publicly available sources, social engineering, and low-tech methods. This information forms the test attack basis by providing useful information to the tester.
Network Mapping—Collecting information about the organization's Internet connectivity and available hosts by (usually) using automated mapping software tools. In the case of internal studies, the internal network architecture of available systems is mapped. This information further solidifies the test attack basis by providing even more information to the tester about the services running on the network and is often the step before vulnerability testing, which is covered in the next section.
Note: Penetration testing is an art. This means that different IT security practitioners have different methods for testing. This domain attempts to note the highlights to help the security practitioner differentiate among the various types and provides information on tools that assist in the endeavor. Security testing is an ethical responsibility. Testing must always be authorized, and the techniques should never be used for malice. This information on tools is presented for the purpose of helping the security practitioner spot weaknesses in the systems the security practitioner is authorized to test so that they may be improved.
Update Capability
Scanners must be kept up to date with the latest vulnerability signatures; otherwise, they will not be able to detect newer problems and vulnerabilities. Commercial tools that do not have quality personnel dedicated to updating the product are of reduced effectiveness. Likewise, open-source scanners should have a qualified following to keep them up to date.
Temporal Information
Scans are temporal in nature, which means that the scan results the security practitioner has today become stale as time moves on and new vulnerabilities are discovered. Therefore, scans must be performed periodically with scanners that are up to date with the latest vulnerability signatures.
DNS Zone Transfers
Secure systems should lock down DNS. Testers should see how the target does this by keeping the following in mind:
-Attackers will attempt zone transfers; therefore, configure DNS servers to restrict zone transfers to only approved hosts (the organization's own secondary servers).
-Attackers will look for host names that give away additional information, for example accountingserver.bigfinancialcompany.com.
-Avoid using Host Information Records (HINFOs) when possible. HINFO is the Host Information Record of a DNS entry. It is strictly informational in nature and serves no function in name resolution. It is often used to declare the computer type and operating system of a host.
-Use a split DNS model with separate internal and external DNS servers. Combining internal and external functions on one server is potentially dangerous. The internal DNS serves the internal network and can relay externally bound queries to the external DNS servers, which do the lookup work by proxy. Incoming Internet-based queries will reveal only external hosts, because the external servers know only those records.
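The following is an added example, not code from the original page, of the two DNS checks a tester can script: is the zone transfer restriction actually configured, and does the zone data itself leak role information through HINFO records or descriptive host names? The configuration fragments use BIND-style allow-transfer syntax and the zone data is constructed (example.com and TEST-NET addresses); the list of role words and the treatment of a missing allow-transfer directive as unrestricted are assumptions, not facts from the page.

```python
import re

# Constructed BIND-style configuration fragments (assumed syntax; not from the original page).
OPEN_CONFIG = """
options {
    directory "/var/named";
    allow-transfer { any; };
};
"""

LOCKED_CONFIG = """
acl secondaries { 192.0.2.53; 198.51.100.53; };
options {
    directory "/var/named";
    allow-transfer { secondaries; };
};
"""

# Constructed zone data (example.com is a reserved documentation name; addresses are TEST-NET).
ZONE = """\
$ORIGIN example.com.
@                  IN  SOA    ns1 hostmaster 2024010101 3600 900 604800 300
@                  IN  NS     ns1
ns1                IN  A      192.0.2.1
www                IN  A      192.0.2.10
accountingserver   IN  A      192.0.2.20
accountingserver   IN  HINFO  "PC-Intel" "Windows Server"
mail               IN  A      192.0.2.30
"""

# Role words in a host name that tell an attacker what the box is for (assumed list).
ROLE_WORDS = ("accounting", "payroll", "finance", "backup", "admin", "hr-")


def transfer_policy(config):
    """Return 'any', 'none', or the list of ACL names/addresses allowed to pull the zone.
    A missing directive is reported as 'any', i.e. assumed unrestricted (an assumption
    based on the historical BIND default); treat it as a finding until confirmed."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", config)
    if not m:
        return "any"
    items = [i.strip() for i in m.group(1).split(";") if i.strip()]
    if "any" in items:
        return "any"
    if items == ["none"]:
        return "none"
    return items


def zone_findings(zone_text):
    """Flag HINFO records and host names that leak a system's role."""
    findings = []
    for line in zone_text.splitlines():
        if not line or line.startswith(("$", ";")):
            continue
        parts = line.split()          # owner  class  type  rdata...
        if len(parts) < 4:
            continue
        owner, rtype, rdata = parts[0], parts[2], " ".join(parts[3:])
        if rtype == "HINFO":
            findings.append(("HINFO", owner, rdata))
        elif rtype in ("A", "AAAA", "CNAME") and any(w in owner.lower() for w in ROLE_WORDS):
            findings.append(("descriptive-name", owner, rdata))
    return findings


def assess(config, zone_text):
    """Combine both checks into the shape a test report matrix would carry."""
    policy = transfer_policy(config)
    return {
        "zone_transfer_open": policy == "any",
        "transfer_allowed_to": policy,
        "findings": zone_findings(zone_text),
    }


if __name__ == "__main__":
    for label, cfg in (("open", OPEN_CONFIG), ("locked", LOCKED_CONFIG)):
        print(label, assess(cfg, ZONE))
```

Against a live target the same zone_findings() function can be run over whatever an authorized zone transfer or enumeration returns; the point of the locked configuration is that an outside tester should get no zone data at all, and the transfer_policy() result on the server's own configuration is the quickest way to confirm why.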
Disabling Unneeded Services
Services that are not critical to the role the host serves should be disabled or removed as appropriate for that platform. For the services the host does offer, make sure it is using server programs considered secure, make sure the security practitioner fully understands them, and tighten the configuration files to the highest degree possible. Unneeded services are often installed and left at their defaults; because they are not needed, administrators ignore or forget about them. This may draw unwanted traffic to the host from other hosts attempting connections, and it leaves the host exposed to weaknesses in those services. If a host does not need a particular process for its operation, do not install it. Software that is installed but not used or intended for use on the machine is likely to go undocumented and therefore unpatched. Port mapping programs use many techniques to discover services available on a host. Their results should be compared with the policy that defines this host and its role. One must continually ask the critical questions, for the less a host offers as a service to the world while still doing its job, the better for its security (because there is less chance of subverting extraneous applications).
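Comparing port-mapping results with the host's role policy is mechanical enough to script. The following is an added example, not code from the original page: the role policy, the port-mapping results and the list of cleartext services with their replacements are all constructed for illustration, and the host names and roles are assumptions.

```python
# Constructed host-role policy: the listening ports each role is expected to offer.
# Everything else found listening is, by policy, an unneeded service.
ROLE_POLICY = {
    "web":  {22, 80, 443},
    "dns":  {22, 53},
    "mail": {22, 25, 587, 993},
}

# Cleartext services whose presence is a finding regardless of role, with the secure replacement.
INSECURE = {"telnet": "ssh", "ftp": "scp/sftp"}

# Constructed port-mapping results: host, its policy role, and {port: service name} as reported.
SCAN = [
    ("web01", "web",  {22: "ssh", 80: "http", 443: "https", 3306: "mysql", 21: "ftp"}),
    ("ns01",  "dns",  {22: "ssh", 53: "domain", 23: "telnet"}),
    ("mx01",  "mail", {22: "ssh", 25: "smtp", 587: "submission", 993: "imaps"}),
]


def audit_host(host, role, ports):
    """Compare what the mapper saw with what the host's role permits."""
    expected = ROLE_POLICY[role]
    return {
        "host": host,
        "unexpected": sorted(p for p in ports if p not in expected),
        "missing": sorted(p for p in expected if p not in ports),
        "insecure": sorted((p, s, INSECURE[s]) for p, s in ports.items() if s in INSECURE),
    }


def audit(scan):
    return {host: audit_host(host, role, ports) for host, role, ports in scan}


def remediation_lines(report):
    """Turn the audit into the kind of mitigation list a test report should carry."""
    lines = []
    for host, r in sorted(report.items()):
        for p in r["unexpected"]:
            lines.append(f"{host}: port {p} not permitted for this role; disable or remove the service")
        for p, svc, better in r["insecure"]:
            lines.append(f"{host}: {svc} on port {p} is cleartext; replace with {better}")
        for p in r["missing"]:
            lines.append(f"{host}: expected service on port {p} not listening; verify availability")
    return lines


if __name__ == "__main__":
    for line in remediation_lines(audit(SCAN)):
        print(line)
```

The "missing" list is there for a reason: a host that has stopped offering a service its role requires is an availability finding, and a scan is the cheapest way to notice it.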
Analyzing Testing Results
Tests should conclude with a report and matrices detailing the following:
-Information derived publicly
-Information derived through social engineering or other covert ways
-Hosts tested and their addresses
-Services found
-Possible vulnerabilities
-Vulnerability ratings for each
-System criticality
-Overall vulnerability rating
-Vulnerabilities confirmation
-Mitigation suggestions
Privileged Logon Ability
The ability to automatically log onto a host or group of hosts with user credentials (administrator-level or other level) for a deeper "authorized" look at systems is desirable.
Stimulus and Response Algorithms
These are techniques to identify application software versions and then reference these versions with known vulnerabilities. Stimulus involves sending one or more packets at the target. Depending on the response, the tester can infer information about the target's applications. For example, to determine the version of the HTTP server, the vulnerability testing software might send an HTTP GET request to a web server, just like a browser would (the stimulus), and read the reply information it receives back (the response) for information that details the fact that it is Apache version X, IIS version Y, etc.
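The HTTP stimulus/response described above, together with the version cross-referencing from the start of this section, as an added example that is not code from the original page. It starts a constructed stand-in web server on localhost so the exchange really happens, sends the GET, parses the Server header, and then keeps only the vulnerability-table entries whose affected version range contains the observed version. The vulnerability table is illustrative (the version ranges are made up, not real advisories), and the product/version header format is an assumption.

```python
import re
import socket
import threading

# Constructed vulnerability table: product -> [(first_affected, fixed_in, description)].
# Entries are illustrative only, not real advisories.
VULN_TABLE = {
    "apache": [
        ((2, 4, 0), (2, 4, 50), "illustrative issue fixed in 2.4.50"),
        ((2, 2, 0), (2, 2, 30), "illustrative issue fixed in 2.2.30"),
    ],
}


def parse_version(text):
    return tuple(int(x) for x in text.split("."))


def parse_server_header(response):
    """Pull product and version out of the Server: header of a raw HTTP response."""
    m = re.search(r"^Server:\s*([A-Za-z-]+)/([\d.]+)", response, re.M | re.I)
    if not m:
        return None, None
    return m.group(1).lower(), parse_version(m.group(2))


def matching_vulns(product, version):
    """Keep entries whose affected range contains the observed version; entries
    fixed before this version are ruled out, as the text describes."""
    return [desc for lo, hi, desc in VULN_TABLE.get(product, []) if lo <= version < hi]


def grab_banner(host, port, timeout=3.0):
    """Stimulus: a minimal HTTP GET. Response: the headers the server returns."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode(errors="replace")


def start_fake_server(banner):
    """Constructed stand-in for a target web server on an ephemeral localhost port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)                      # consume the stimulus
        conn.sendall(f"HTTP/1.0 200 OK\r\nServer: {banner}\r\nContent-Length: 0\r\n\r\n".encode())
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def fingerprint(host, port):
    """Full stimulus/response cycle plus cross-reference against the vulnerability table."""
    product, version = parse_server_header(grab_banner(host, port))
    if product is None:
        return None
    return {"product": product, "version": version, "vulns": matching_vulns(product, version)}


if __name__ == "__main__":
    port = start_fake_server("Apache/2.4.41")
    print(fingerprint("127.0.0.1", port))
```

Note the caveat from the text: a version that falls outside every affected range is deprioritized, not proven clean, since a banner can be edited by the administrator and old bugs have been reintroduced in later releases.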
Black Box
These testers generally perform unannounced tests that even the security and IT staff may not know about. Sometimes these tests are ordered by senior managers to test their staff and the systems for which the staff are responsible. Other times, the IT staff will hire covert testers under the agreement that the testers can and will test at any given time, such as four times per year. The objective is generally to see what they can see and get into whatever they can get into, without causing harm, of course. Qualities include:
-Play the role of hostile attacker
-Perform testing without warning
-Receive little to no guidance from the organization being tested
White Box
These testers perform tests with the knowledge of the security and IT staff. They are given physical access to the network and sometimes even a normal username and password. Qualities include:
-Full cooperation of organization
-Planned test times
-Network diagrams and systems configurations are supplied
Phase 4: Active Penetration
This bears repeating. Think twice before attempting to exploit a possible vulnerability that may harm the system. For instance, if the system might be susceptible to a buffer overflow attack, it might be enough to identify the vulnerability without actually exploiting it and bringing down the system. Weigh the benefits of conclusively confirming a vulnerability against potentially crashing the system. Here are some examples:
-Vulnerability testing shows that a web server may be vulnerable to crashing if it is issued a very long request with dots (i.e., ../../../../../../../../../ repeated 1000 times). The security practitioner can either try to actually crash the server using the technique (although this may have productivity loss consequences) or, perhaps better, note it for further investigation on a test server. Make sure permission is explicitly granted before attempting this type of actual exploitation.
-Vulnerability testing shows that a UNIX host has a root account with the password set to root. This finding can easily be tested to determine whether it is a false positive.
-Vulnerability testing shows that a router may be susceptible to an SSH attack. You can either try the attack with permission or note it for further investigation.
OS Fingerprinting
This technique is used to identify the operating system in use on a target. A scanner determines the operating system by analyzing how the host's TCP/IP stack responds to probes (flag handling and other stack characteristics that vary from vendor to vendor), or by banner grabbing. Banner grabbing is reading the response banner presented on ports such as FTP, HTTP, and Telnet. This function is sometimes built into mapping software and sometimes into vulnerability software.
By all means, do not forget the basic built-in operating system commands for discovering hosts and routes. Basic built-in and other tools include:
-Traceroute (Windows calls this tracert)—Traces the path to a host or network; depending on the implementation, the probes are UDP, ICMP, or TCP.
-Ping—Checks whether a host is alive using ICMP echo request messages.
-Telnet—Telnetting to a particular port is a quick way to find out whether the host is servicing that port in some way.
-Whois—Command-line Whois can provide similar information to the web-based Whois methods previously discussed.
Crash Exposure
Vulnerability assessment (V/A) software has some inherent dangers because much of it includes denial-of-service test scripts (as well as other scripts), which, if used carelessly, can crash hosts. Ensure that hosts being tested have proper backups and that the security practitioner tests during times that will have the lowest impact on business operations.
War Dialing
War dialing attempts to locate unauthorized, also called rogue, modems connected to computers that are connected to networks. Attackers use tools to sequentially and automatically dial large blocks of numbers used by the organization in the hopes that rogue modems or modems used for out-of-band communication will answer and allow them to make a remote asynchronous connection to it. With weak or nonexistent authentication, these rogue modems may serve as a back door into the heart of a network, especially when connected to computers that host remote control applications with lax security. Security testers can use war dialing techniques as a preventative measure and attempt to discover these modems for subsequent elimination. Although modems and war dialing have fallen out of favor in the IT world, a security practitioner still needs to check for the presence of unauthorized modems connected to their network.
War Driving
War driving is the wireless equivalent of war dialing. While war dialing involves checking banks of numbers for a modem, war driving involves traveling around with a wireless scanner looking for wireless access points. Netstumbler was one of the original products that people used for war driving. From the attacker perspective, war driving gives them a laundry list of access points where they can attach to a network and perform attacks. The best ones in a hacker's eye are the unsecured wireless access points that allow unrestricted access to the corporate network. The hacker will not only compromise the corporate network but will then use the corporate Internet access to launch attacks at other targets, which are then hard to trace back to the hacker. From a security standpoint, war driving enables the security practitioner to detect rogue access points in and around the physical locations. Is an unsecured wireless access point that is not on the network a security threat to the network? It certainly is. If a user can connect their workstation to an unknown and unsecured network, they introduce a threat to the security of the network.
False Positives
When scanners use generalized tests, or if the scanner cannot scan the application deeply, it might not be able to determine whether the application actually has a vulnerability; it may only report that the application might have one. If it sees that the server is running a remote control application, the test software may indicate a "High" vulnerability. However, if the security practitioner has taken care to implement the remote control application to a high standard, the organization's actual vulnerability is not as high.
Network Mapping
Network mapping is a process that paints the picture of which hosts are up and running, externally or internally, and what services are available on them. Commonly, the security practitioner may see mapping in the context of external host testing and enumeration in the context of internal host testing, but this is not ironclad; mapping and enumeration often seem to be used interchangeably. They accomplish similar goals, and the terms can be used in similar ways. Mapping answers questions such as:
-Which hosts are up and running or "alive"?
-What is the general topology of the network (how are things interconnected)?
-What ports are open and serviceable on those hosts?
-What applications are servicing those ports?
-What operating system is the host running?
Penetration testing also has three different modes:
White box—Tester has complete knowledge of the systems and infrastructure being tested.
Grey box—A hybrid between white and black box. This mode can vary greatly.
Black box—Assumes no prior knowledge of the systems or infrastructure being tested.
Phase 1: Penetration Testing Goals
Without defined goals, security testing can be a meaningless and costly exercise. The following are examples of some high-level goals for security testing that provide value and meaning for the organization:
-Anyone directly or indirectly sanctioned by the organization's management to perform testing should be doing so to identify vulnerabilities that can be quantified and ranked for subsequent mitigation.
-Since a security test is merely the evaluation of security on a system at a point in time, the results should be documented and compared to the results at other points in time. Analysis that compares results across time paints a picture of how well or poorly the systems are being protected across those periods (otherwise known as baselining).
-Security testing can be a form of self-audit by the IT staff to prepare them for the "real" audits performed by internal and external auditors.
-In the case of covert testing, testers aim to actually compromise security, penetrate systems, and determine whether the IT staff notices the intrusion and whether an acceptable response occurs.
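Baselining, as described above, and the earlier point that scan results go stale, both come down to comparing two scans taken at different times. The following is an added example, not code from the original page, that diffs two constructed scan results per host into fixed, new and persistent findings and counts findings by severity in each scan; the host names, findings and severities are all made up for illustration.

```python
# Constructed scan results from two points in time: {host: {(port, finding): severity}}
BASELINE = {
    "web01": {(80, "outdated HTTP server"): "high", (22, "weak SSH ciphers"): "medium"},
    "ns01":  {(53, "zone transfer allowed"): "high"},
}
CURRENT = {
    "web01": {(22, "weak SSH ciphers"): "medium", (443, "expired certificate"): "low"},
    "ns01":  {(53, "zone transfer allowed"): "high"},
    "mx01":  {(25, "open relay"): "high"},
}


def compare_scans(before, after):
    """Per host: what was fixed since the baseline, what is new, and what persists."""
    report = {}
    for host in sorted(set(before) | set(after)):
        b, a = set(before.get(host, {})), set(after.get(host, {}))
        report[host] = {
            "fixed": sorted(b - a),
            "new": sorted(a - b),
            "persistent": sorted(a & b),
        }
    return report


def severity_counts(scan):
    """Findings by severity for one scan; compare two of these to see the trend."""
    counts = {}
    for findings in scan.values():
        for sev in findings.values():
            counts[sev] = counts.get(sev, 0) + 1
    return counts


def persistent_high(report, scan):
    """Findings still open at 'high' since the baseline: the first thing to escalate."""
    return sorted((host, key) for host, r in report.items()
                  for key in r["persistent"] if scan[host][key] == "high")


if __name__ == "__main__":
    rep = compare_scans(BASELINE, CURRENT)
    for host, r in rep.items():
        print(host, r)
    print("before:", severity_counts(BASELINE), "after:", severity_counts(CURRENT))
    print("still high:", persistent_high(rep, CURRENT))
```

A finding that is "fixed" in this report may simply be one the newer scanner no longer tests for, so record the scanner and signature version alongside each scan before drawing conclusions from the comparison.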
Reporting Capability
Without the ability to report, a scanner does not serve much purpose. Good scanners provide the ability to export scan data in a variety of formats, including HTML or PDF, or to third-party reporting software, and are configurable enough to filter reports into high-, mid-, and low-level detail depending on the intended audience. Reports are used as the basis for determining mitigation activities later. Additionally, many scanners now feed automated risk management dashboards through application portal interfaces.
Use SSH as a secure way to carry otherwise insecure data communications between hosts by tunneling the insecure protocol through SSH (for example, with SSH port forwarding). The details for doing this differ from system to system.
Patches should be tested for functionality, stability, and security. You should also ensure that the patch does not change the security configuration of the organization's host. Some patches might reinstall a default account or change configuration settings back to a default mode. You need a way to test whether new patches will break a system or an application running on it. When patching highly critical systems, it is advisable to deploy the patch first in a test environment that mimics the real environment. If the security practitioner does not have this luxury, deploy patches only at noncritical times, have a back-out plan, and apply patches in steps (one by one) to ensure that each one was successful and the system is still operating.
Use SCP (Secure Copy) instead of FTP (File Transfer Protocol).
Wireless Networking Testing
Periodic wireless testing to spot unofficial access points is needed.
-Wireless-enabled devices (e.g., laptops) can associate with wireless access points or other wireless devices to form a bridged connection to the wired network.
-Without some form of authentication, rogue devices can attach to the wireless network.
-Without some form of encryption, data transferring between the wired and the wireless network can be captured.