Vulnerability Assessments and Penetration Testing
• Vulnerability Assessment
o Physical / Administrative / Logical
o Identifies weaknesses (does not exploit them)
• Penetration Testing
o Ethical hacking to validate discovered weaknesses by actually exploiting them
o Red Teams (Attack) / Blue Teams (Defend)
• NIST SP 800‐42, Guideline on Network Security Testing (since superseded by NIST SP 800‐115, Technical Guide to Information Security Testing and Assessment)
Degree of Knowledge
• Zero Knowledge (Black Box Testing) ‐ The team has no knowledge of the target and must start with only publicly available information. This simulates an external attacker
• Partial Knowledge (Gray Box Testing) ‐ The team has limited knowledge of the organization, e.g. IP ranges or user‐level credentials
• Full Knowledge (White Box Testing) ‐ The team has full knowledge of network operations and configuration. This simulates an internal attacker, and gives the most coverage for the testing time available
Attack Methodology ‐ Test Attacks 1 of 2
1. Reconnaissance
• WHOIS database, company website, job search engines, social networking sites
2. Footprinting
• Mapping the network (Nmap)
• ICMP ping sweeps
• DNS zone transfers
3. Fingerprinting
• Identifying host information (operating system, services, versions)
• Port scanning
4. Vulnerability assessment
• Identifying weaknesses in system configurations
• Discovering unpatched software
Attack Methodology ‐ Test Attacks 2 of 2
5. The “attack”
• Penetration
• Privilege escalation ‐ e.g. abusing runas (Windows) or su/sudo (Unix) to obtain a higher‐privileged account
• Rootkits ‐ a collection of tools that allows the attacker to keep access. A rootkit
o includes backdoor software
o can modify the kernel of the operating system (kernel‐mode rootkit)
o is very difficult to detect from the compromised host, because it subverts the very tools used to look for it
• Cover tracks
o Trojaned programs: the attacker replaces default system utilities (e.g. ps, ls, netstat) with versions that behave normally in every respect except that they hide the backdoor's processes, files and connections
o Log scrubbers: removing or editing the log entries that record the intrusion
Testing Guidelines
• Why Test?
o Risk analysis
o Certification
o Accreditation
o Security architectures
o Policy development
• Develop a cohesive, well‐planned and operational security testing program
Penetration Testing Considerations
• Three basic requirements
o Meet with senior management to determine the goal of the assessment
o Document the Rules of Engagement
o Get written sign‐off from senior management before any testing starts
• Issue ‐ testing could disrupt productivity and systems (e.g. crash a fragile service), so the Rules of Engagement must address timing and off‐limits systems
• Overall purpose is to determine the subject's ability to withstand an attack and the effectiveness of current security measures
• The tester should determine the effectiveness of safeguards and identify areas for improvement
o The tester should not be the one suggesting the remediation; doing so violates separation of duties
Rules of Engagement
• Specific IP addresses/ranges to be tested
o Any restricted hosts (systems that must not be touched)
• A list of acceptable testing techniques (e.g. whether social engineering or denial‐of‐service tests are permitted)
• Times when testing is to be conducted
• Points of contact for the penetration testing team, the targeted systems and the networks
• Measures to prevent law enforcement being called with false alarms
• Handling of information collected by the penetration testing team (sensitive data, credentials, evidence)
Types of Penetration Tests
• Physical Security
o Access into the building or department
o Wiring closets, locked file cabinets, offices, server room, other sensitive areas
o Removing materials from the building
• Administrative Security
o Help desk giving out sensitive information (social engineering), data recoverable from disposed disks
• Logical Security
o Attacks on systems, networks and communications
Approaches to Testing
• Do not rely exclusively on high‐tech tools
o Dumpster diving
• Stealth methods may be required (to test detection as well as prevention)
• Do not damage systems or data
• Do not overlook small weaknesses in the search for big ones; small weaknesses chain together
• Have a toolkit of techniques
Software Test
• Static (code) Test ‐ reviewing the software's code while it isn't running: checking for errors in syntax, performing walkthroughs of the programmed logic, or running static analysis tools over the source
• Dynamic Test ‐ evaluating the code while it is running, to reveal additional flaws (e.g. memory errors, race conditions, injection) that may not be identified by static review alone
• Synthetic Transactions ‐ building automated or manual scripts to simulate the normal activities an application can be expected to perform. These transactions can be used not only to probe for errors or weaknesses, but also to establish performance baselines
Software Test
• Fuzzing ‐ submitting random or malformed data as inputs to software to make it misbehave or crash. Usually automated with a fuzzing tool that generates a very high volume of inputs. Applications that hang or crash signal larger development errors or security vulnerabilities, such as buffer overflows or missing boundary checks
• Misuse Case Testing ‐ purposefully stressing an application with the sole goal of simulating real attacks. Also treated as part of threat modeling, misuse case testing helps a development team understand what vulnerabilities are present in an application and what security impact they would have
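The following is an added example and not part of the original slide notes: a minimal mutation fuzzer in Python, run against a toy length‐prefixed record parser that is missing a boundary check, beside the corrected parser. The record format (one length byte, payload, one XOR checksum byte), both parsers and the mutation rules are constructed for this illustration. It shows the dynamic‐test idea above in practice: inputs the parser rejects cleanly (ValueError) are distinguished from inputs that crash it (any other exception), and the fixed parser is run over the same inputs to confirm the crash class is gone.

```python
import random


def xor_bytes(buf: bytes) -> int:
    """Checksum used by the constructed record format: XOR of all payload bytes."""
    acc = 0
    for b in buf:
        acc ^= b
    return acc


def encode_records(payloads) -> bytes:
    """Serialize payloads as [len][payload][xor checksum] records (constructed format)."""
    out = bytearray()
    for p in payloads:
        out.append(len(p))
        out += p
        out.append(xor_bytes(p))
    return bytes(out)


def parse_records_buggy(data: bytes):
    """Parser with a deliberate missing boundary check (the 'before' state)."""
    records, pos = [], 0
    while pos < len(data):
        length = data[pos]
        payload = data[pos + 1:pos + 1 + length]        # slice is silently short if truncated
        checksum = data[pos + 1 + length]               # BUG: read past the end -> IndexError
        if xor_bytes(payload) != checksum:
            raise ValueError("checksum mismatch")       # expected rejection, not a crash
        records.append(payload)
        pos += 2 + length
    return records


def parse_records_fixed(data: bytes):
    """Same parser with the declared length checked against the remaining bytes."""
    records, pos = [], 0
    while pos < len(data):
        length = data[pos]
        end = pos + 1 + length                          # index of the checksum byte
        if end >= len(data):                            # payload + checksum must fit
            raise ValueError("truncated record")
        payload = data[pos + 1:end]
        if xor_bytes(payload) != data[end]:
            raise ValueError("checksum mismatch")
        records.append(payload)
        pos = end + 1
    return records


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation: bit flip, boundary value, truncate, delete or insert a byte."""
    buf = bytearray(data)
    choice = rng.randrange(5)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif choice == 2 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    elif choice == 3 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(parser, seed_input: bytes, iterations: int = 2000, seed: int = 1) -> dict:
    """Mutate the seed input repeatedly and feed it to the parser.
    Returns {exception class name: first input that triggered it} for every
    exception that is not the parser's documented rejection (ValueError)."""
    rng = random.Random(seed)                           # fixed seed: reproducible findings
    crashes = {}
    for _ in range(iterations):
        case = seed_input
        for _ in range(rng.randrange(1, 4)):            # stack one to three mutations
            case = mutate(rng, case)
        try:
            parser(case)
        except ValueError:
            continue                                    # malformed input handled cleanly
        except Exception as exc:                        # anything else is a crash to report
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    seed = encode_records([b"GET", b"/index.html", b""])   # constructed valid input
    print("buggy parser crashes:", fuzz(parse_records_buggy, seed))
    print("fixed parser crashes:", fuzz(parse_records_fixed, seed))
```

Each crashing input is kept alongside its exception type so it can be replayed and minimized by hand; a real campaign would add coverage feedback (as AFL or libFuzzer do) instead of blind mutation, but the triage rule is the same: a documented rejection is fine, an unhandled exception or signal is a finding.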
Password Cracking
• Goal is to identify weak passwords
• Passwords should be stored (and, in challenge‐response protocols, transmitted) not in the clear but as a one‐way hash. A hash is not encryption and cannot be decrypted, so a cracker guesses candidate passwords and hashes each one until a match is found
• Password cracking requires captured password hashes
o Hashes can be intercepted on the network (e.g. challenge‐response exchanges)
o Hashes can be retrieved from the targeted system (e.g. the SAM database or /etc/shadow) once sufficient privilege is obtained
• Per‐user salts and slow, iterated hash functions raise the cost of every guess and stop one table of hashed candidates from being reused against every account
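An added example, not from the original notes: a small dictionary cracker in Python with word‐mangling rules, run first against unsalted SHA‐256 hashes and then against salted PBKDF2 hashes of the same constructed passwords. The wordlist, the mangling rules, the three accounts, their passwords and the fixed salts are all constructed for this illustration (a real run would use a large wordlist and a tool such as John the Ripper or hashcat). It shows why weak passwords fall regardless of the hash, and why salting and iteration multiply the attacker's work.

```python
import hashlib

# Constructed mini wordlist for the demo
WORDLIST = ["password", "summer", "welcome", "letmein", "dragon", "monkey"]


def mangle(word: str) -> set:
    """Common user habits applied to a base word: capitalisation, digits, years, '!'."""
    out = set()
    for v in {word, word.capitalize(), word.upper()}:
        out.update({v, v + "1", v + "123", v + "!", v + "2023", v + "2024", v + "2024!"})
    return out


def candidates() -> list:
    """Full candidate list derived from the wordlist (sorted for reproducibility)."""
    cands = []
    for w in WORDLIST:
        cands.extend(sorted(mangle(w)))
    return cands


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(digests: dict, cands: list):
    """digests: {user: unsalted sha256 hex}. Hash every candidate once, then look each
    captured hash up in the table: the work is len(cands) no matter how many accounts
    were captured, which is why unsalted hashes fall so quickly."""
    table = {sha256_hex(c): c for c in cands}
    found = {user: table.get(d) for user, d in digests.items()}
    return found, len(cands)


def pbkdf2_hex(password: str, salt: bytes, iterations: int = 2_000) -> str:
    # iteration count lowered so the demo runs in about a second; production uses far more
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_salted(targets: dict, cands: list):
    """targets: {user: (salt, pbkdf2 hex)}. The per-user salt defeats the shared table,
    so every candidate is re-hashed for every account, and each hash costs `iterations`
    rounds. Returns the recovered passwords and the number of hashes computed."""
    found, work = {}, 0
    for user, (salt, digest) in targets.items():
        found[user] = None
        for c in cands:
            work += 1
            if pbkdf2_hex(c, salt) == digest:
                found[user] = c
                break
    return found, work


# Constructed accounts: two weak passwords the rules will reach, one they will not
PASSWORDS = {"alice": "Summer2024!", "bob": "letmein123", "carol": "Tr0ub4dor&3"}
SALTS = {"alice": b"\x01" * 16, "bob": b"\x02" * 16, "carol": b"\x03" * 16}  # fixed for the demo


def unsalted_targets() -> dict:
    return {u: sha256_hex(p) for u, p in PASSWORDS.items()}


def salted_targets() -> dict:
    return {u: (SALTS[u], pbkdf2_hex(p, SALTS[u])) for u, p in PASSWORDS.items()}


if __name__ == "__main__":
    cands = candidates()
    print("unsalted:", crack_unsalted(unsalted_targets(), cands))
    print("salted:  ", crack_salted(salted_targets(), cands))
```

The hash counts returned by the two functions are the point of the comparison: the unsalted run costs one cheap hash per candidate for all three accounts together, while the salted run repeats the whole candidate list per account and pays the iteration count on every guess. The weak passwords are still recovered in both cases; salting and stretching buy time, they do not rescue a password that is in the dictionary.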
Rogue Infrastructures
• Unauthorized (rogue) DHCP servers can hand out the address of a rogue DNS server (and a rogue default gateway), redirecting hosts' traffic
• Rogue DNS servers can direct traffic to spoofed hosts
• DNS zone transfer (AXFR) output contains a great deal of information about a network and its configuration (host names, addresses, mail and name servers)
• Countermeasures
o Secure physical access to the network
o Require DHCP servers to be authorized (e.g. Active Directory DHCP server authorization, or DHCP snooping on switches, which drops DHCP server replies arriving on untrusted ports)
o Use DHCP reservations and MAC‐address controls to manage IP assignment
o Restrict DNS zone transfers to specific, authorized secondary servers only
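An added example, not part of the original notes: a Python check that parses the options of a captured DHCPOFFER and flags offers that come from a server, or advertise a DNS server, that is not on an allow‐list. The wire layout used (236‐byte fixed BOOTP header, the 0x63825363 magic cookie, and options 53 DHCP Message Type, 54 Server Identifier and 6 Domain Name Server) is from RFC 2131/2132; the allow‐lists, the sample OFFER packets and the build_offer helper are constructed for this illustration. Capturing the packets (e.g. from a span port or a DHCP‐snooping log) is outside the example.

```python
import ipaddress

# Constructed allow-lists; a real check reads them from the network inventory
AUTHORIZED_DHCP_SERVERS = {"10.0.0.1"}
AUTHORIZED_DNS_SERVERS = {"10.0.0.53", "10.0.0.54"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131: marks the start of DHCP options
OPT_DNS_SERVER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 53, 54, 255
DHCPOFFER = 2


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option code: raw value} from a BOOTP/DHCP message.
    The fixed BOOTP header is 236 bytes, then the 4-byte cookie, then TLV options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, pos = {}, 240
    while pos < len(packet):
        code = packet[pos]
        if code == OPT_END:
            break
        if code == 0:                       # pad byte, no length field
            pos += 1
            continue
        if pos + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[pos + 1]
        value = packet[pos + 2:pos + 2 + length]
        if len(value) != length:            # boundary check against the captured length
            raise ValueError("truncated option value")
        options[code] = value
        pos += 2 + length
    return options


def addresses(value: bytes) -> list:
    """Decode a run of 4-byte IPv4 addresses (options 6, 54 and similar)."""
    usable = len(value) - len(value) % 4
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, usable, 4)]


def check_offer(packet: bytes):
    """Return a list of findings for a DHCPOFFER (empty if clean); None if not an OFFER."""
    options = parse_dhcp_options(packet)
    if options.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    findings = []
    server = addresses(options.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in AUTHORIZED_DHCP_SERVERS:
        findings.append(f"OFFER from unauthorized DHCP server {server[0] if server else '?'}")
    for dns in addresses(options.get(OPT_DNS_SERVER, b"")):
        if dns not in AUTHORIZED_DNS_SERVERS:
            findings.append(f"OFFER hands out unauthorized DNS server {dns}")
    return findings


def build_offer(server_ip: str, dns_ips: list) -> bytes:
    """Construct a minimal DHCPOFFER for testing (header fields beyond op/htype/hlen left zero)."""
    header = bytearray(236)
    header[0], header[1], header[2] = 2, 1, 6       # BOOTREPLY, Ethernet, 6-byte hardware address
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    opts += bytes([OPT_DNS_SERVER, 4 * len(dns_ips)])
    opts += b"".join(ipaddress.IPv4Address(d).packed for d in dns_ips)
    opts += bytes([OPT_END])
    return bytes(header) + MAGIC_COOKIE + opts


if __name__ == "__main__":
    for name, pkt in [("legitimate", build_offer("10.0.0.1", ["10.0.0.53"])),
                      ("rogue", build_offer("10.0.0.250", ["10.0.0.250"]))]:
        print(name, check_offer(pkt))
```

The check keys on the Server Identifier option rather than the IP header, because a rogue server on the same segment can still only answer with its own identifier if it wants clients to complete the exchange; correlating the identifier with the switch port that delivered the packet is what a DHCP‐snooping feature does in hardware.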