Hack Attacks Testing How to Conduct Your Own Security Audit 2

Seven Phases of Analysis

Whether your home or business is newly connected to the Internet or you have long
had your Internet connectivity and/or network infrastructure in place, an analysis can
help determine whether you are sufficiently protected from intrusion. The typical
guidelines for performing a security analysis are to develop a plan, perform the audit,
and then report your findings. This section proposes the common assessment phases
of a detailed security audit. We’ll cover the following:
■■ Site scans, to test port and application layer against internal defenses.
■■ Remote audits, to test against external services—for example, Internet service provider (ISP) hosting, servers, and conduits.
■■ Penetration tests, to test Internet security and validate current risks. You are responsible for clearly articulating the specific objectives, requirements, and timeframes associated with the testing, and for exercising due care to ensure that data and systems are not damaged by the testing, that the target site is notified of any vulnerabilities created during testing, and that testing is stopped immediately at the request of the site.
■■ Internet protocol (IP), mail spoof, and spam tests
■■ Dial-up audit, to ensure remote access connectivity security for products such as PC Anywhere, Reachout, and/or Citrix.
An external audit should be performed remotely, that is, off-site or from outside any
perimeter defense, such as a firewall. This should be first performed blind, that is to
say, without detailed infrastructure knowledge.
Following this first phase, a knowledgeable penetration test will determine the
extent and risk (if any) of an external attack. This audit is valuable for testing the configuration
of perimeter security mechanisms, the respective Web, File Transfer Protocol
(FTP), e-mail, and other services. This scan and simulated attack are done remotely over
the Internet. Preferably, this phase should be performed with limited disclosure (blind
to all but select management) as an unscheduled external penetration assessment.
Penetration tests should often be limited to passive probes so as not to cause
any manner of disruption to business. Optionally, penetration tests may include the
attack and evaluation of modem dial-ups and physical security, which may be accomplished
by a method known as wardialing, a procedure used to scan for and detect misconfigured
dial-ups and terminal servers, as well as rogue and/or unauthorized modems.
When audits are aimed at Web sites, source code audits of the common gateway
interface (CGI), Java, JavaScript, and ActiveX should be performed. As audits are being
performed, a detailed, time-stamped log should be maintained of all actions. This log
is later compared against the target site's own logging facilities to establish which
audit actions the site's logs actually recorded and which went unnoticed. Most important,
if you perform an audit for reasons other than personal, you should initiate it only
upon gaining written permission on company letterhead from the appropriate company officer.
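As an added illustration of the log comparison described above (example code, not from the book): a small Python script that lines up the tester's time-stamped action log against the target site's log and reports which audit actions the site never recorded. Both log excerpts are constructed samples and the field layout is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample: the audit team's time-stamped action log
# (timestamp, action, target host, detail). Addresses are RFC 5737 test ranges.
AUDIT_LOG = """\
2002-03-04T10:00:05 port-scan 192.0.2.10 tcp/1-1024
2002-03-04T10:02:30 app-scan 192.0.2.10 tcp/80
2002-03-04T10:05:00 dns-spoof-test 192.0.2.53 forged-response
2002-03-04T10:07:45 smtp-relay-test 192.0.2.25 forged-sender
"""

# Constructed sample: the target site's consolidated syslog for the same window.
SITE_LOG = """\
2002-03-04T10:00:07 fw DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dpt=23
2002-03-04T10:00:09 fw DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dpt=139
2002-03-04T10:02:31 httpd[192.0.2.10] 198.51.100.7 "GET / HTTP/1.0" 200
2002-03-04T10:07:46 sendmail[192.0.2.25] relay attempt from 198.51.100.7 rejected
"""

def parse_audit(text):
    """Yield (timestamp, action, target, detail) from the tester's log."""
    for line in text.splitlines():
        ts, action, target, *rest = line.split()
        yield datetime.fromisoformat(ts), action, target, " ".join(rest)

def parse_site(text):
    """Yield (timestamp, message) from the site's log lines."""
    for line in text.splitlines():
        ts, _, message = line.partition(" ")
        yield datetime.fromisoformat(ts), message

def correlate(audit_text, site_text, window=timedelta(seconds=30)):
    """Map each audit action to the site log lines stamped within `window`
    after it that name the action's target host; an empty list is a logging gap."""
    site = list(parse_site(site_text))
    coverage = {}
    for ts, action, target, _detail in parse_audit(audit_text):
        coverage[f"{action} {target}"] = [
            msg for sts, msg in site if ts <= sts <= ts + window and target in msg
        ]
    return coverage

def undetected(coverage):
    """Audit actions with no matching site log entry: gaps to put in the report."""
    return sorted(key for key, hits in coverage.items() if not hits)
```

Running `undetected(correlate(AUDIT_LOG, SITE_LOG))` on the samples shows the DNS spoofing test left no trace in the site's logs, which is exactly the kind of finding the comparison is meant to surface.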
Security audits should be performed regularly. Based on the techniques, tools, and
software evaluated in books such as Hack Attacks Revealed, Second Edition, a good analysis
can be divided into seven phases.

Phase 1: Blind Testing
In blind, or remote, testing, one lacks detailed knowledge of the target infrastructure.

Site Scan
The site scan includes the following:
■■ Network discovery
■■ Port scan of all ports identified during the discovery
■■ Application scan to identify system services as they pertain to discovered ports
■■ Throughput scans for port utilization levels to identify vulnerabilities
■■ Documentation

Remote Audit
During a remote audit, one does the following:
■■ Tests the configuration, stability, and vulnerabilities of perimeter defenses,
external ISP services, and any other network services acting as conduits
through a firewall or proxy
■■ Provides documentation

Penetration Tests
During penetration tests, one does the following:
■■ Attacks and evaluates the physical security, with intent to penetrate, of all
items that were identified during the site scan and remote audit
■■ Audits the source code for CGI, JavaScript, and ActiveX
■■ Initiates Open Database Connectivity (ODBC) calls from customer-identified
databases
■■ Performs IP flood tests
■■ Initiates standard Windows NT, Novell NetWare, and Unix IOS cracks
■■ Carries out Domain Name Service (DNS) spoofing
■■ Initializes sniffer-passive probes to capture traffic
■■ Prepares documentation

IP, Mail Spoof, and Spam Tests
During IP, mail spoof, and spam tests, one does the following:
■■ Performs penetration attacks to drive infrastructure equipment into making damaging
statements and/or releasing sensitive information (e.g., password keys)
■■ Tests the ability to forge e-mail and control any Simple Mail Transfer Protocol
(SMTP), Post Office Protocol (POP3), and Internet Message Access Protocol
Version 4 (IMAP4) server that utilizes the customer’s expensive bandwidth for
sending external mail blasts
■■ Prepares documentation

Phase 2: Knowledgeable Penetration
In knowledgeable penetration testing, one has knowledge of the target infrastructure.
This testing involves the following:
■■ IP and Internetwork Packet Exchange (IPX) addressing schemes
■■ Protocols
■■ Network/port address translation schemes
■■ Dial-up information (e.g., users, dial-up numbers, and access methods)
■■ Internetworking operating system configurations
■■ Privileged access points
■■ Detailed external configurations (e.g., ISP and Web hosting)
■■ Documentation
■■ Site scan, which includes the following:
  ■■ Network discovery
  ■■ Port scan of all ports identified during the discovery
  ■■ Application scan to identify system services as they pertain to discovered ports
  ■■ Throughput scans of port utilization levels to identify vulnerabilities
  ■■ Documentation
■■ Remote audit, in which one does the following:
  ■■ Tests the configuration, stability, and vulnerabilities of perimeter defenses, external ISP services, and any other network services acting as conduits through a firewall or proxy
  ■■ Prepares documentation
■■ Penetration tests, in which one does the following:
  ■■ Attacks and evaluates the physical security of, with intent to penetrate, all items that were identified during the site scan and remote audit
  ■■ Audits the source code for CGI, JavaScript, and ActiveX
  ■■ Initiates ODBC captures (databases)
  ■■ Performs IP flood tests
  ■■ Initiates standard Windows NT, Novell NetWare, and Unix IOS cracks
  ■■ Carries out DNS spoofing
  ■■ Initializes sniffer-passive probes to capture traffic
  ■■ Prepares documentation
■■ IP, mail spoof, and spam tests, in which one does the following:
  ■■ Performs penetration attacks to coerce infrastructure equipment into making damaging statements and/or releasing sensitive information (e.g., passwords)
  ■■ Tests the ability to forge e-mail and control any SMTP, POP3, and IMAP4 server that uses the customer's expensive bandwidth for sending external mail blasts
  ■■ Prepares documentation

Phase 3: Internet Security and Services
During phase 3, penetration tests are conducted. They include the following:
■■ Attacks and evaluates the physical security of, with intent to penetrate, all
items that were identified during the site scan and remote audit
■■ Audits the source code for CGI, JavaScript, and ActiveX
■■ Initiates ODBC calls from customer-identified databases
■■ Performs IP, Hypertext Transfer Protocol (HTTP), and Internet Control Message
Protocol (ICMP) flood tests
■■ Carries out DNS spoofing
■■ Prepares documentation
