Migrated HP 3000 sites have usually just put sensitive corporate information into a wider, more public network. The next audit their business applications will endure is likely to have a security requirement far more complicated to pass. For those who are getting an IT audit on mission-critical apps hosted on platforms like Windows or Linux, we offer this guide to penetration testing.
By Steve Hardwick
CSIPP, Oxygen Finance
Having just finished installing a new cable modem with internal firewall/router, I decided to complete the installation by running a quick and dirty on-line penetration test. I suddenly realized that I am probably a handful of home users that we actually run a test after installing the model. I used the Web utility Shields Up, which provides a quick scan for open ports. Having completed the test -- successfully I may add -- I thought it would be a good opportunity to review Pen, or penetration, testing as a essential discipline.
Penetration testing is a crucial part of any information security audit. They are most commonly used to test network security controls, but can be used for testing administrative controls too. Testing administrative controls, i.e. security rules users must follow, is commonly called social engineering. The goal of penetration testing is to simulate hacker behavior to see if the security controls can withstand the attack.
The key elements of either tests fall into three categories
1) Information gathering: This involves using methods to gain as much information about the target without contacting the network or the system users.
2) Enumeration: To be able to understand the target, a set of probing exercises are conducted to map out the various entry points. Once identified, the entry points are further probed to get more detail about their configuration and function.
3) Exploitation: After review of the entry points, a plan of attack is constructed to exploit any of the weaknesses discovered in the enumeration phase. The goal is get unauthorized access to information in order to steal, modify or destroy it.
Let's take a look at how all this works in practice.
There are a lot of techniques that can be used to gain information about a target. A simple whois on target URLs may reveal contact information that can be used in social engineering for example. (I used it once to get a personal cell phone number of a target by looking at the registration of their web page).
Another commonly used method is dumpster diving This is where trash from a target is examined for any useful information. Finding out the middle name of a CIO can often confuse an IT admin and open the door to masquerading as a company employee (I have person experience of this one). There may even be old network diagrams that have been thrown out in the trash.
Another good technique is Google hacking. This is a technique where advanced Google commands are used to find information that may not be immediately apparent. For example, searching a website for any text files that contain the word “password.” Sounds amazing, but it can work. For more information, download a copy of this book published by the NSA.
For social engineering, this can be as simple as chatting to people on their smoke breaks. Other activities can include taking zoom photographs of employee badges, or walking around a building looking for unlocked exits and entry doors.
For networks this typically comes in multiple stages. First, the externally facing portions of the network are probed. Ports are scanned to see which ones are accepting traffic -- or open. Equipment can be queried for its make and its installed software. Also, the presence of other network devices; this can include air conditioning controllers, security camera recorders, and other peripherals connected directly to the Internet.
An obvious question at this point: How can you tell if the person attacking your security systems is a valid tester or an actual hacker? The first step in any penetration test is to gain the approval of someone who can legitimately provide it. For example, approval should be from a CEO or CIO, not a network admin. The approval should also include the scope of any testing. This is sometimes called a get out of jail card.
Once a list of potential entry points and their weakness has been compiled, a plan of attack can be put together. In the case of social engineering, this can include selecting a high-ranking employee to impersonate. Acting as a VP of Sales, especially if you include their middle name, and threatening a system admin with termination if they don't change their password can be a good way of getting into a network.
On the technical side, there are a lot of tools out there that can be used to focus on a specific make of equipment with a specific software level. Especially if it has not been patched in a while. Very often the enumeration and exploitation steps are repeated as various layers of defense are breached. There is a common scene in movies as the hacker breaches one firewall after another. Each time it is a process of enumeration followed by exploitation.
Once of the most useful tools for performing penetration testing is BackTrack. This is a useful site for two reasons. One, it contains a set of penetration testing tools on a live CD version of Linux (now maintained by Kali). The live CD version is very useful if you gain physical access, as you may be able to use it on an existing PC. Two, it contains a wide set of how-to's and training videos. This is a good first stop for those looking to understand what is available and how penetration testing is done. The tools and training is targeted to both beginners and experienced practitioners.
Another site that provides a variety of tools is insecure.org. The site provides links to individual tools that are focused on various parts of pen testing. The listing is broken down for the various sections and the tools listed. Both free and commercial tools are listed in the site's compendium. There is also a directory of relevant articles on different security topics.
Finally, there is Open Web Application Security Project (OWASP). This site is hosted by a non-profit organization that is solely focused on Web application security. OWASP provides a great deal of information and tools regarding testing and securing web applications, as this is a very common target for hackers. This can include a corporate web site, but also a web interface for controlling an HVAC unit remotely. There is even a sample flawed website, web goat, that can be used to hone testing skills.
Penetration testing is a very important part of security audit. It provides a methodology for analyzing vulnerabilities in security controls within a company's infrastructure. In many cases testing will be performed by internal resources on a more frequent basis, with annual or semiannual tests conducted by qualified third-party testers. In all cases, the testing should be performed by someone who is qualified to the level required. A improperly executed pen test provides a dangerous level of false security. Plus in many cases, security compliance will necessitate a pen test.