Hack Attacks Testing How to Conduct Your Own Security Audit
Introduction
The objective of this book is to fill a gap found in most books on security: How security
examinations can be conducted via illustrations and virtual simulations. Auditing tools
with simple graphical user interfaces (GUIs) and automation are becoming increasingly
prevalent, and most claim to be the all-inclusive solution for administrators and security
consultants to use for their networks’ security testing. In practice, however, typically
a combination of tools, embraced by the Tiger Box analysis/monitoring system,
is necessary for accurate, up-to-date assessments. In a nutshell, a Tiger Box is a system
designed to provide the necessary tools designed to reveal potential security weaknesses
by discovering, scanning, and in some cases penetrating security vulnerabilities.
Covering Windows in addition to Unix- and Linux-flavored (*NIX) dual-bootconfigurations,
this book explains how to build and operate your own vulnerability
analysis system by using exclusively the top-quality and most popular tools available
Step by step, the book covers how-to drilldowns for setting up your Tiger Box operating
systems, installations, and configurations for some of the most popular auditing
software suites. It discusses both common and custom uses, as well as the scanning
methods and reporting routines of each. It inspects individual vulnerability scanner
results and compares them in an evaluation matrix against a select group of intentional
security holes on a target network.
The Companion CD-ROM
If you seek general hands-on experience of most of the scanners discussed in this book,
look no further than this book’s companion CD-ROM, for it contains an interactive
workbook for the text. It covers basic uses of the scanners, some containing interactive
reports, so that you can familiarize yourself with their interfaces.
This electronic workbook is designed to introduce scanners as simulations from real
uses. For still more experience, simply download product evaluations from the links in
each part.
Who Should Read This Book
This book is written to explain how you can perform your own security audits. It contains
beginner to advanced uses for which no experience with the tools is necessary. It
is intended as a required guide not only for managers, security engineers, network
administrators, network engineers, and internetworking engineers but for interested
laypeople as well.
Building a Multisystem
Tiger Box
Within the International Information Systems Security Certification Consortium’s
Common Body of Knowledge domains, vulnerability scanning and penetration testing
are positioned as part of problem identification auditing for network defense
testing against techniques used by intruders. In other words, regularly scheduled
security audits should be practiced, especially in regard to safeguarding the assets of
all enterprises, from the very large to the small office/home office. An effective security
implementation is composed of several life cycle components, including security
policies, perimeter defenses, and disaster recovery plans, to name a few; however,
auditing the effectiveness of security controls is critical.
This book is intended to serve as a general how-to “cookbook” in regard to discovery,
vulnerability, and penetration testing. With that in mind, let’s begin by
reviewing the National Institute of Security Technology (NIST) list of the eight major
elements of computer security:
1. Computer security should support the mission of the organization.
2. Computer security is an integral element of sound management.
3. Computer security should be cost-effective.
4. Computer security responsibilities and accountability should be made explicit.
5. System owners have computer security responsibilities outside their own
organizations.
6. Computer security requires a comprehensive and integrated approach.
7. Computer security should be periodically reassessed.
8. Computer security is constrained by societal factors.
Whether or not all of the security controls or elements are in place, an analysis can
help provide a solid grasp of how your security solution will protect critical systems
and data. Networks, including those not connected to the Internet, may have security
breaches and other areas that, if not addressed, can invite undesired access to confidential
data. The principal mission of this book is to identify the most popular assessment
tools, illustrate and virtually simulate their modus operandi for local and remote
assessments, and then report our findings and document our corrective procedures.
NOTE This text attempts to adhere to the InfoSec Criteria and Methods
of Evaluations of Information Systems, specifically, Information Technology
Security Evaluation Criteria for effective assessment of a target of evaluation
(TOE) against the following approaches: (1) the suitability of the TOE’s securityenforcing
functions to counter the threats to the security of the TOE identified
in the security target; (2) the ability of the TOE’s security-enforcing functions
and mechanisms to bind in a way that is mutually supportive and that provides
an integrated and effective whole; (3) the ability of the TOE’s security mechanisms
to withstand direct attack; (4) whether known security vulnerabilities in
the construction and the operation of the TOE could, in practice, compromise
the security of the TOE; and (5) that the TOE cannot be configured or used in a
manner that is insecure but that an administrator or end user of the TOE would
reasonably believe to be secure.
Comments