There is no disputing the facts: the number of hacking and intrusion incidents increases year on year as new technology rolls out. Equally, there is no hiding place; you can be found through a variety of means: DNS, name server lookups (nslookup), newsgroups, web site trawling, e-mail properties and so on. Whether the motivation is financial gain, espionage, politics, intellectual challenge, or simply trouble making, you may be exposed to a variety of intruder threats.
For these reasons, professional penetration services are growing in popularity. Organizations are increasingly aware that controlled security vulnerability testing is a major element in identifying exposures, and ensuring that a hostile party does not exploit them.
The objective of penetration testing is of course to investigate the system from the attacker's perspective. The primary aim is to identify exposures and risk before seeking a solution.
The Evidential Test has the objective of proving that within a short period of time, an intrusion can be achieved, thus providing proof that the system is vulnerable to attack.
Most attempted Internet attacks are performed by script kiddies: uninventive hackers who simply try out other people's new attacks by testing lots and lots of IP addresses for a weakness that can be exploited.
At the other end of the spectrum is the ultimate attacker: an engineer with a great deal of networking experience, probably a wealth of programming knowledge, and the commitment to achieve their goal no matter how long or how hard that might be.
Somewhere in between are the casual hackers. We have determined that, because there are so many of them and they have a fair degree of knowledge, these are the main threat to most Internet-connected organizations.
We estimate that, unless they have a particular reason to attack an organization, a casual hacker will on average spend three days on their own trying to damage or successfully break into an Internet connection.
We go further than this in determining whether any weaknesses exist at the target. If we are unsuccessful, the client can be reasonably sure that the target is secure.
IP penetration testing
An IP Penetration Test is an exhaustive examination of the client's Internet connectivity.
It covers every conceivable angle to give the client an objective, authoritative and up-to-date report on their security status as seen from the outside world.
The deliverables are two reports authored from the submissions of the whole team.
The first is an executive summary discussing the major issues and business risks; the second is an in-depth catalogue of the test covering the discovered vulnerabilities, how these might affect security, and suggested solutions.
It is very difficult to split the test into easily defined sections as they so often cross over and are inter-related. Information gained in the later phases will often be recycled into pointers for early phase techniques. However, the test may proceed as follows:
A. target acquisition
Once furnished with the client's IP address or company name, the Team will place that target in the logical world, setting the boundaries within which the Test will take place.
This involves data flow checking and open source research to ascertain what the outside world sees of the target.
The resulting picture is itself useful to the client in recursive engineering.
This is a high-intensity search procedure identifying the probable weak points in the system topology, for example:
unblocked data flows, such as FTP, which may allow the incursion of binary (program) code
software bugs in the operating systems of computers and communications hardware which allow non-standard access
straightforward attacks on systems, buffer overflows for example
These weaknesses afford the team opportunities to break through the barriers around the target and actually get inside the logical entity that is the target system. This will include attacks on hosts within any Demilitarised Zone.
Unless the client wishes the Team to move to the Intrusion Stage, the reports will now be delivered at a mutually agreed date. Although the IPR and copyright remain with 1stGMC, the deliverables remain a tangible asset to the customer providing a baseline upon which to conduct future tests, and as a Change Control Document when reconfiguring the associated IT and communications systems. Therefore 1stGMC believes care and attention to detail are a prerequisite to the provision of these reports.
There will be two documents. The first is a management summary giving an overview of findings, with details on legal issues, business impact, and risk management. The second is an in-depth, blow-by-blow account of findings with concomitant suggestions on how to solve each issue. Examples of such documents are available on request.
Estimates for reporting must include extensive research and the inevitable editing. Drafts will be provided to nominated client personnel before the Post-Test Consultation.
The Team Leader and the project manager come to the client's premises on an agreed date to discuss the report.
The client will have the opportunity to make amendments to the documents, discuss findings and conclusions and ask any questions they like about the suggested solutions or indeed anything about the test as a whole.
Before moving to the report writing, the client will be informed by Security Fault Notice of any serious security breaches, where Vulnerability Exploitation has been successful and there are pathways into the sensitive network.
The client will be given the option to have these pursued in order to find out what each pathway allows and how great the risk is to internal security. Once in, the aim is intelligence and control.
There is always the threat of the insider. In this case, someone with inside knowledge of the network structure, the gateway configuration, user names, remote administration systems, security systems, has an advantage over the outsider.
Although this may not make the attack easy, the insider might be aware of the limitations of the firewall or the intrusion detection systems; know which boxes to attack in the first place; or know of a specific time when liberal access is allowed to certain hosts.
There is a simple example of the latter: 1stGMC once found a systems administrator running a Quake server on a client's internal network. Between 9pm and 7am, outsiders could make a direct connection to the host, straight through the firewall. This was the major step in making a successful intrusion.
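The game-server hole in that story is a time-limited firewall rule, exactly the kind of exposure a daytime review misses. As an added example (not 1stGMC's code or a tool mentioned on this page), the Python script below audits a constructed ruleset for every hour of the day and reports which internal hosts an external address can reach, and when. The rule format, the addresses and the after-hours rule are assumptions made up for illustration.

```python
"""Audit a firewall ruleset for inbound exposure of internal hosts across
all 24 hours, so that time-boxed rules show up alongside permanent ones.
The rule model and sample ruleset are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    action: str                        # "allow" or "deny"
    src: str                           # CIDR, or "any"
    dst: str                           # CIDR
    port: Optional[int]                # None matches every port
    hours: Optional[Tuple[int, int]] = None  # (start, end) on a 24h clock; None = always


def rule_active(rule: Rule, hour: int) -> bool:
    """True if the rule applies at the given hour; windows may wrap midnight, e.g. (21, 7)."""
    if rule.hours is None:
        return True
    start, end = rule.hours
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def matches(rule: Rule, src_ip: str, dst_ip: str, port: int) -> bool:
    src_net = ip_network("0.0.0.0/0" if rule.src == "any" else rule.src)
    return (ip_address(src_ip) in src_net
            and ip_address(dst_ip) in ip_network(rule.dst)
            and (rule.port is None or rule.port == port))


def first_match(rules: List[Rule], hour: int, src_ip: str, dst_ip: str, port: int) -> str:
    """First-match semantics with an implicit default deny."""
    for rule in rules:
        if rule_active(rule, hour) and matches(rule, src_ip, dst_ip, port):
            return rule.action
    return "deny"


def exposure_by_hour(rules: List[Rule], internal_net: str, ports: List[int],
                     probe_src: str = "203.0.113.5") -> Dict[Tuple[str, int], Set[int]]:
    """Map (host, port) -> set of hours at which an external probe address is allowed in.
    Walking all 24 hours is what surfaces rules that are only open at night."""
    exposed: Dict[Tuple[str, int], Set[int]] = {}
    for hour in range(24):
        for host in ip_network(internal_net).hosts():
            for port in ports:
                if first_match(rules, hour, probe_src, str(host), port) == "allow":
                    exposed.setdefault((str(host), port), set()).add(hour)
    return exposed


# Constructed ruleset: a public web server, plus an "after hours only" rule
# letting anyone on the Internet reach an internal host's game port.
RULES = [
    Rule("allow", "any", "192.0.2.10/32", 80),
    Rule("allow", "any", "10.0.0.5/32", 27960, hours=(21, 7)),
    Rule("deny", "any", "10.0.0.0/29", None),
]


def report(exposed: Dict[Tuple[str, int], Set[int]]) -> List[str]:
    lines = []
    for (host, port), hours in sorted(exposed.items()):
        when = "always" if len(hours) == 24 else "hours " + ",".join(f"{h:02d}" for h in sorted(hours))
        lines.append(f"{host}:{port} reachable from outside ({when})")
    return lines


if __name__ == "__main__":
    for line in report(exposure_by_hour(RULES, "10.0.0.0/29", [22, 80, 27960])):
        print(line)
```

The point of scanning every hour rather than evaluating the ruleset once is that a rule with a wrapped window such as (21, 7) is invisible to a review run at noon; the report lists the hours at which the internal host is reachable so the finding can be tied to the change that introduced it.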
He will then be able to quiz the client about traffic flows, security policies, user IDs or whatever he deems necessary knowledge for the project.
The Test would then proceed as normal, though the customer may opt not to have the Target Acquisition stage (1stGMC does advise that this stage remains, as it is also used to find company information that the client may not be aware exists in the public domain).
New or improved technology is implemented; different configurations are required for new projects; security is tightened up; people change their minds.
Evolution is a good thing. Unfortunately, even where security is being improved by the implementation of a new system, reconfiguration or the installation of a patch or fix, the change or the change procedure may incur another security problem.
Therefore, the test report can quickly become an anachronism, no longer a reflection of the actual system.
Re-testing then becomes very important. Using the original report as a baseline document, 1stGMC revisits the target with three aims:
Denial of Service Testing
1stGMC advises clients not to have Denial of Service (DoS) testing. No matter how secure the organization, a determined aggressor can bring down any target.
It is the nature of the Internet that this is possible: the ease of acquiring anonymity, the capability to launch attacks from third-party routers, and distributed attacks make it impossible to fully combat DoS.
Every organization is susceptible to loss of availability due to DoS attacks.
All DoS testing can do is test for the successful implementation of patches for known attacks based on software weaknesses. 1stGMC is happy to do this where necessary.
A penetration test is not carried out as if it was a real attack. The client has requested a test and the team need not avoid detection.
In general, testing is carried out in a 'noisy' way because this is best for completeness and it takes less time (and therefore, costs the customer less money).
When a stealth test is requested, the test is carried out using the stealthiest techniques that the law will allow.
Should it be detected, this does not spell the end of the test. Although greater vigilance is more likely after detection, 1stGMC will use a different IP address and different methods and try again.
The aim for the team is to remain undetected at all times, while still trying to achieve a successful penetration.
The normal report will include a section on detecting attacks: how successful the client was and what might be done to improve the current situation.
Many organizations rely on dial-in systems, whether for travelling salespeople to keep in contact with the office, for shops to send in sales, for engineers to remotely monitor and control IT systems, or perhaps for regional offices to make requests of a central knowledge repository such as a database on a mainframe.
Furnished with the relevant phone numbers, 1stGMC's first move is to make a connection.
From then on, the test is rather similar to that of a Major IP Penetration Test. However, here, it is easier to concentrate on the smaller number of targets presented by the server's operating system, any internal routing and the security of the dial-in software on the server.
The aim is to make privileged access first to the server and then to the internal services that users necessarily acquire.
Once successful, the Team will stop testing and leave a footprint to prove their success. Further intrusion testing will then be an option.
Those modems that are set to dial out only are more secure. Unlike dial-in modems, the outsider cannot attempt to trespass at their leisure.
Instead, they must wait for the user to make a connection to the Internet themselves.
However, this is one of their few security advantages, and it is overcome by the attacker waiting for the connection to appear, which is made easier when, as is often the case, the user is assigned a fixed IP address or address range.
The attack is then very much like an attack on a fixed connection except that there is generally less security: no firewall and sometimes no router. The test follows the same format as that of the Major IP Penetration Test.
This is a simple technique, with tools for it readily available on the Internet. When the client wants a more realistic test (hackers are unlikely to know which phone numbers modems are on) or wishes to find and test unknown modems, wardialling comes into play.
The process is simple. Take 1stGMC as an example: our phone number is 01642 468888, so an attacker would guess that any modems would be assigned in the range 01642 460000 to 01642 469999.
They input this range into the wardialler program and it then automatically dials every single number, recording if the number is assigned, if it is a phone or a modem, and screen capturing any access screen found.
The attacker then has the right numbers to attack.
It is not guaranteed that modem numbers will be in the same range but the limits can always be extended.
Once a connection is made, the test can proceed as above.
1stGMC only advises this method when the client suspects that unauthorised modems are plugged into PCs or devices on their internal network.
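A sweep of the kind just described leaves a distinctive trace on the victim's side: one caller ringing many numbers in the same block in quick succession. As an added example (not 1stGMC's code or a tool from this page), the Python script below applies that heuristic to constructed PBX call detail records; the record layout, thresholds and phone numbers are assumptions for illustration.

```python
"""Flag wardialling-style sweeps in PBX call detail records (CDRs).

Each record is (epoch_seconds, caller_id, dialled_number). A caller is
flagged when, inside a short time window, it rings many distinct numbers
that all lie within a narrow numeric block. Data below is constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple


def _as_int(number: str) -> int:
    """Strip spaces and punctuation so '01642 460005' becomes 1642460005."""
    return int("".join(ch for ch in number if ch.isdigit()))


def detect_wardialling(cdr: List[Tuple[int, str, str]],
                       window_seconds: int = 600,
                       min_distinct: int = 10,
                       max_span: int = 10000) -> Dict[str, Tuple[int, int, int]]:
    """Return {caller: (first_ts, last_ts, distinct_numbers)} for callers that
    dial at least `min_distinct` different numbers within `window_seconds`,
    all falling inside a numeric span of at most `max_span`."""
    by_caller: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for ts, caller, dialled in cdr:
        by_caller[caller].append((ts, _as_int(dialled)))

    hits: Dict[str, Tuple[int, int, int]] = {}
    for caller, calls in by_caller.items():
        calls.sort()                      # chronological order
        start = 0
        for end in range(len(calls)):
            # slide the window's left edge so it spans at most window_seconds
            while calls[end][0] - calls[start][0] > window_seconds:
                start += 1
            numbers = {n for _, n in calls[start:end + 1]}
            if len(numbers) >= min_distinct and max(numbers) - min(numbers) <= max_span:
                prev = hits.get(caller)
                if prev is None or len(numbers) > prev[2]:   # keep the largest burst
                    hits[caller] = (calls[start][0], calls[end][0], len(numbers))
    return hits


# Constructed sample: one caller sweeps twelve consecutive numbers in the
# 01642 46xxxx block 30 seconds apart; another rings two known extensions.
SAMPLE_CDR = (
    [(1000 + 30 * i, "01999 000001", f"01642 46{i:04d}") for i in range(12)]
    + [(1200, "01234 567890", "01642 468888"),
       (1500, "01234 567890", "01642 468889")]
)


if __name__ == "__main__":
    for caller, (first, last, count) in detect_wardialling(SAMPLE_CDR).items():
        print(f"possible wardialling from {caller}: {count} numbers between t={first} and t={last}")
```

On real CDR exports the same logic runs over the inbound-call table; the thresholds are the tuning knobs, and the numeric-span check is what separates a sweep from a busy but legitimate caller such as a sales desk ringing many unrelated numbers.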
Despite the meteoric rise of hackers in the public consciousness and the very real increase in the number of external attacks on companies' websites and Internet connections, reputable authorities such as the National Audit Office still maintain that internal attacks are much more common.
Surveys show that between 65% and 80% of security breaches come from employees or contractors of the victim organization.
Access Control Systems
the attacker and the information on that machine, and, perhaps, important areas of the network.
The test will consist of three stages:
1. Direct Attack
The Team researches specific security information on the access control products in use; the results are included as an annex to the report even when the client's implementation has avoided the known problems.
2. Operating System
The boot-up process before the access control system activates is a major target for attacks.
In some cases, the machine will get as far as the disk operating system before any user is forced to authenticate, such as in the example below.
This situation gives the test team various opportunities to subvert the process through known bugs and weaknesses but more commonly through the use of disk-editing tools, which can be run from the floppy disk.
Where user profiles are not encrypted, these tools may give the attacker access to user names and passwords, as well as other files.
3. Hardware Attacks
Many access control systems can be easily overcome by making physical changes to the machine.
For example, removing the hard disk and placing it in another machine can sometimes remove the access control from the start-up process.
The security of the network (for example, access permissions and network encryption) is important for two reasons: firstly, to stop employees from gaining unauthorised access to those parts of the network to which they do not belong; secondly, to stop outsiders from gaining any access at all to parts of the network.
The first stage requires the Team to have a standard internal user account. The client will want to ensure that ordinary users cannot gain privileged access to their own machine (or anyone else's) or gain access to important data unnecessary for their work.
The second stage generally deals with the implementation of encryption and the security of the physical network structure: for example, can someone plug a box onto the network via the cables and copy all the packets that travel down the cables?
Internal IP Test
The Internal IP Test follows a very similar strategy to the Major IP Penetration Test and is generally run in conjunction with such a test.
The aims are to disable the gateway security systems; attempt illegal activities that should be blocked by the security systems; and attack the systems involved in e-business from the back office systems to the DMZ or externally hosted site.
Unlike the standard test, the attacker is already on the internal corporate network but this should not make it easier to breach the security of the client's Internet activities: a server holding credit card details, for example, should remain inaccessible to almost everyone, even inside the company.
The stages - including Target Acquisition - are the same as in a Major IP Penetration Test.
E-Commerce \ VPN Hosts
Any target that gives privileged access to external users either for an e-commerce application or for trusted third parties via VPN needs a further level of testing.
This is often just an examination of the security implementation: is the encryption strong enough? Are the user IDs and passwords easily guessed? Can other user accounts be recovered from the server's memory?
Covert Physical Testing
Using security-cleared personnel, 1stGMC will attempt to trespass on the client's premises to reach an agreed goal. Possible targets:
Locate user names and passwords written down near workstations or on lists in the IT support office.
Access to unattended and unsecured live workstations or servers.
This is usually performed outside of office hours as a break-in, but the client can stipulate office hours only.
Access is usually achieved either by breaking into the building outside of office hours or by masquerading as an employee or contractor. It is the client's choice to decide how the test will take place.
This is also performed covertly. 1stGMC, using pseudonyms, will contact client employees and ask questions about the network environment and try to garner usernames and passwords. Any information will then be used to further the success of the test.
Please note, Social Engineering can only be performed as part of another test set to gain extra knowledge about the target.
1stGMC believes it unethical to report the actual findings of social engineering specifically as this can incriminate employees and may make them liable to company discipline or even prosecution. Instead the report will mention that social engineering was used and what success was made. Recommendations about avoiding such espionage will also be made.
Call us now
We would welcome the opportunity to discuss your requirements further. If we can be of any assistance to you, please contact us or one of our ad sponsors.