Chapter 1. Introduction to Performing Security Assessments

We are currently in the Bronze Age of information security. Even though computer network technology has witnessed the construction of the Internet—a massively redundant worldwide network—only primitive tools exist for information security. These tools, such as firewalls, encryption, and access control lists (ACLs), are generally unwieldy and frequently do not work well together. The predators—or attackers in our case—still have a distinct advantage. Simply put, security professionals do not have the evolved set of tools and the depth and breadth of experience that are available to our network administrator colleagues. Consequently, answering the question "How secure is my network?" is much more difficult than answering "How well is my DHCP server running?"

This book will help you answer that question of how to assess the security of your network, but the assessment process will not be easy. Effective security assessments require a balance of technical and non-technical skills as well as a high degree of diligence. If you are asking, "Is my network secure?" or "How do I know whether I am finished securing my network?" this book will not help, and, furthermore, no book will. Security is not a binary condition. It is not a switch or even a series of switches that you can pull. Don’t let anyone tell you otherwise. Computer and network security is both dynamic and relative. However, you can do a lot to improve the security of your network by taking the offensive rather than waiting for someone to prove your network is not secure, and that is what this book is about.

Role of Security Assessments in Network Security

Most information security is handled from a defensive position. Network administrators attempt to secure information assets (workstations, servers, files, and passwords) from well-known and well-understood attacks. For example, the most elementary defense against attackers is the use of strong passwords. Weak passwords are the Achilles’ heel of network security. Everyone knows this; consequently, most networks that have any reasonable amount of security require passwords to meet minimum standards. In addition to corporate security policies, network administrators often configure system enforcement of password complexity. The default password complexity policy in Microsoft Windows 2000 and later requires that a password have the following minimum attributes:

  • Is longer than six characters

  • Does not contain, in any part, the user name of the account

  • Contains at least one character from three of the following five character sets:

    • Uppercase Latin letters

    • Lowercase Latin letters

    • Arabic numerals (0–9)

    • Symbols, such as @ or &

    • Unicode characters, such as Phi or Φ

This default complexity policy is strictly a defensive measure. Does enabling it ensure that users and administrators will use strong passwords? Absolutely not! The complexity policy does not prevent someone from choosing the password Password1, which by any definition is not complex. So how would you, as a network administrator responsible for security, know that users or administrators are following the complexity policy? Take the offensive. Conduct assessments of the password strength being employed by your users and administrators, and test password strength while conducting penetration tests—this is what the attacker will be doing. The point of this example is that you can do only so much defensively to secure your organization’s network. However, by taking the offensive (which the attacker does by definition), you will not only have a much stronger ability to assess your own organization’s security, but you will gain the ability to achieve a much higher level of security than is feasible by simply relying on defensive measures and the goodwill of users and administrators. As Sun Tzu said in the Art of War:

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

This is why you bought the book: to not fear the result of your battles with attackers, right?

Important

Before going any further, be advised that penetration testing or any other type of security assessment should not be used as a substitute for the act of designing and building security or any defensive security measure. Furthermore, although the findings of a single security assessment might reveal invaluable information to assist you in securing your organization’s network, security assessments should never be one-time events. For security assessments to be really effective, they need to be conducted repeatedly. Doing so will uncover your organization’s true security posture, that is, its ability to change over time to handle the demands of new threats and alterations to the network.

A security assessment can serve many different roles in network security. You can perform security assessments to find either common mistakes or computers that do not have the latest security patches installed. You can perform security assessments to provide a metric of how successful the application of defensive security measures has been since the previous security update. Performing a security assessment might also reveal unexpected weaknesses in your organization’s security. These are just a few of the roles that security assessments have in network security. The bottom line is that security assessments will help you ensure that network security won’t fail. Defensive security measures alone just can’t do that.

Why Does Network Security Fail?

So why does network security fail? This is a fundamental question that a security specialist must ask, especially when planning or performing a security assessment. When you assess security, you investigate many different areas of potential security failure. In short, you are looking for the same things that attackers look for. Network security fails in several common areas, including:

  • Human factors

  • Policy factors

  • Misconfiguration

  • Poor assumptions

  • Ignorance

  • Failure to stay up-to-date

Human Factors

Users, developers, managers, and administrators (yes, it is true!) are all very common sources of network security failure. Certainly the most common way that people introduce vulnerabilities to network security is by creating weak passwords. Human beings are incredibly bad at generating, remembering, and using random characters. Furthermore, the word password itself might lead users to create very weak passwords. The first password most people think of is a word that appears in the dictionary, or worse yet, the name of a family member. There are approximately 350,000 words in the American Heritage Dictionary of the English Language, 3rd Edition. It might not be feasible to attack a password through the console (although it’s almost shocking how often well-known bad passwords, like password, admin, or root, are used), but a computer that made 10,000 attempts per second would find the password within 17.5 seconds on average or within 35 seconds in a worst-case scenario.

Tip

A better approach to teaching users to rethink passwords is to call passwords pass phrases. Often users find pass phrases easier to use and can remember them more easily than shorter passwords, even when they are 20 to 30 characters long. For example, the pass phrase The last good book I bought cost $49.99! has 38 characters and uses a wide range of characters including spaces. By creating pass phrases that have a strong mnemonic value, users and administrators can remember and use codes that are computationally infeasible to crack and difficult to guess. User education can help prevent the human factor failure mode.
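As an added example (not code from the book), the following Python audit applies the Windows complexity rules exactly as the chapter lists them and the chapter's dictionary-attack figures (350,000 words at 10,000 guesses per second), showing that Password1 satisfies the complexity policy yet is caught by a plain weak-word check, while the pass phrase above passes both. The small weak-word list is constructed for the example, and treating every non-ASCII character as the "Unicode" class is an assumption.

```python
"""Password-policy audit helpers (added example, not from the book).

Implements the default Windows 2000 complexity policy as the chapter lists it
and the chapter's dictionary-attack timing arithmetic, to show that meeting a
complexity policy is not the same as having a strong password.
"""
from __future__ import annotations

import re

# Constructed sample of well-known bad passwords (the chapter names password,
# admin and root). A real audit would load a full dictionary instead.
KNOWN_WEAK = {"password", "admin", "root", "letmein", "welcome", "qwerty"}


def _char_classes(password: str) -> set[str]:
    """Classify each character into the five sets the chapter lists.

    Assumption for this example: any non-ASCII character counts as the
    "Unicode characters" class (the chapter's example is Phi / Φ).
    """
    classes: set[str] = set()
    for ch in password:
        if not ch.isascii():
            classes.add("unicode")
        elif ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:  # punctuation, space and other printable ASCII
            classes.add("symbol")
    return classes


def meets_windows_complexity(password: str, username: str) -> bool:
    """True if the password satisfies the policy as the chapter describes it:
    longer than six characters, does not contain the account name in any part,
    and uses characters from at least three of the five classes."""
    if len(password) <= 6:
        return False
    if username and username.lower() in password.lower():
        return False
    return len(_char_classes(password)) >= 3


def is_known_weak(password: str, weak_words: set[str] = KNOWN_WEAK) -> bool:
    """Strip cosmetic decoration (capitalisation, trailing digits and symbols)
    and test what remains against the weak-word list. This is the check the
    complexity policy cannot do, and it is what catches Password1."""
    lowered = password.lower()
    base = re.sub(r"[\d\W_]+$", "", lowered)
    return lowered in weak_words or base in weak_words


def dictionary_attack_seconds(word_count: int = 350_000,
                              guesses_per_second: int = 10_000) -> tuple[float, float]:
    """(average, worst-case) seconds to exhaust a dictionary at a fixed rate.
    Defaults are the chapter's figures: 350,000 words, 10,000 guesses/s,
    which gives 17.5 s on average and 35 s worst case."""
    worst = word_count / guesses_per_second
    return worst / 2, worst


def audit(password: str, username: str) -> dict:
    """Combine the policy check with the weak-word check for one account."""
    return {
        "complexity_ok": meets_windows_complexity(password, username),
        "known_weak": is_known_weak(password),
        "classes": sorted(_char_classes(password)),
    }


if __name__ == "__main__":
    # Constructed sample accounts: a "complex" but weak password, a password
    # that embeds the user name, and the chapter's pass phrase.
    samples = [
        ("alice", "Password1"),
        ("jsmith", "jsmith2024"),
        ("alice", "The last good book I bought cost $49.99!"),
    ]
    for user, pw in samples:
        print(f"{user:>7} {pw!r}: {audit(pw, user)}")
    avg, worst = dictionary_attack_seconds()
    print(f"dictionary exhausted in {avg} s on average, {worst} s worst case")
```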

The human factor also comes into play as a major failure mode outside of the scope of technology. One of these areas is physical security; the other is social engineering. In terms of physical security, people often leave doors open or unlocked, leave their workstations unattended and unlocked, and leave their laptop computers in the back seat of their cars while they stop at the grocery store. For example, in 2000, the laptop belonging to the CEO of Qualcomm was stolen after he delivered a presentation at an industry conference. According to the media, the CEO was fewer than 30 feet away from the podium where he had been speaking when his laptop was stolen.

Social engineering is another attack vector. What is the easiest way to get a password? Ask for it, of course. Exploiting the basic trust, fears, and ego of humans is an incredibly powerful way to break into a network. In 2002, a student at the University of Delaware who was going to fail her math and science courses decided to take corrective action through exploiting the university’s computer system. She simply called the university’s human resources department, posed as the professor for each course, and asked to have the password reset. It worked—she not-so-magically received A grades. The human resources employee changed the password even though password changes over the phone were prohibited. According to police records, "The human resources worker complied, even though she later told police the voice on the phone sounded ’young, high-pitched, and desperate.’"

More Info

See Chapter 23 for detailed information about physical penetration testing and social engineering.

Policy Factors

The heart and soul of network security is the security policy of the organization. The quality and completeness of an organization’s security policy strongly correlates to the overall effectiveness of its network security. Security policy, however, is not the least bit sexy for most IT administrators. It is pretty rare to see any IT admin jump out of his chair and say "Why yes, I would like to work with Human Resources, Management, and the Legal Department to make policy!" Policy breakdowns can cause network security to fail in several ways, most prominently when developers and administrators take the path of least resistance to meet a poorly conceived or nonexistent policy. Security policies frequently fail because they are:

  • Draconian. Security policies that fail to take the element of risk into account often result in the lunch menu having the same degree of security as trade secrets. This means that you have a lunch menu that is super secure that few people can use (and you spent a lot of time and money making it so), or you have very poorly secured intellectual property. Which do you think is more likely?

  • Vague. Security policies that are vague can result in situations in which developers and administrators take the path of least resistance to comply or experience a general state of confusion about compliance. For example, you might have a security policy for your in-house development that states, "Security code review is mandatory before product release." The policy does not say who should do the review, what should be done with the results, what is being reviewed against, and so on. The path of least resistance would be a developer reviewing his own code the day before the product releases. Can’t you just hear the developer proclaiming, "Yes! We did the mandatory code review."

  • Provide no compliance guidelines. In general, users and administrators want to comply with security policy; however, frequently the security policy itself provides no guidance on how to comply. For example, a security policy might dictate that no financial information be sent across the network unencrypted but not prescribe methods for ensuring the information is encrypted. This puts the burden of figuring out how to comply with the policy on the user, which is generally a losing proposition, because the user will most likely either disregard the policy or, at a minimum, spend significant amounts of time tracking down someone to help her.

  • Outdated. Security policies that are outdated are often just as useful as security policies that do not exist. Networks, security, and organizations are in constant flux—new IT systems and applications are brought online, old ones are decommissioned, new security threats emerge, and organizations internally reorganize and merge with other companies. All these events can result in security policies becoming obsolete. For example, an organization might find itself with security policies pertaining to a mainframe computer that it no longer owns.

  • Not enforced or poorly enforced. Toothless or nonexistent enforcement of security policies often leads to the wholesale disregard of security policy, which can in turn lead to the absence of security best practices. The best way to ensure that security policies are enforced is to conduct regular operational audits.

    More Info

    See Chapter 5 for more information about security policy assessment.

  • Not read. Although an organization might have a well-thought-out security policy, if users and administrators do not read the policy and are not aware of the guidance it provides, this policy does little good.

The breakdown of security policy often leads to the greater breakdown of network security; consequently, assessing the effectiveness of security policies in your organization is essential.

Misconfiguration

Computers do exactly what human beings (administrators included) tell them to do, no matter how little sense the instructions have. Administrators and developers are bound to make configuration and other types of mistakes that can easily lead to security vulnerabilities and ultimately to the compromise of an organization’s information.

Most operating systems and applications come out of the box configured to use the most popular features or to provide a generic state of operation that might or might not meet your organization’s security requirements. Unfortunately, the trouble with default configurations is that everyone, including the bad guys, knows what the default configuration is, weaknesses and all. But just as easily, an administrator or developer might introduce new weaknesses by misconfiguring an operating system or application, or by writing code that does not follow security best practices. For example, developers often introduce vulnerabilities by not carefully tracking how data is copied into memory buffers, resulting in buffer overrun conditions that can lead to remote compromise of the system.

With proper training, documentation, and systematic controls, organizations can minimize these types of errors; however, it is unlikely that preventative measures will stop all incidents. Proactive security assessment can not only help locate these vulnerabilities before attackers exploit them, but can also demonstrate how vulnerabilities in unrelated systems and applications can, in aggregate, lead to a major security compromise. This most often occurs when systems of different trust levels are connected, as shown in Figure 1-1.

Figure 1-1. How attackers exploit vulnerabilities in unrelated systems to carry out attacks.

For example, an attacker might want to get access to the customer database in Figure 1-1; however, the attacker has no means to access the server. To gain access to the customer database:

  1. The attacker locates a wireless network without strong security by conducting remote surveillance, giving the attacker the ability to connect to the wireless network on the LAN.

  2. The attacker locates servers by studying internal DNS records, including the IP address of the customer database.

  3. After discovering that the router does not allow traffic to pass from the LAN to the high-security network, the attacker turns his attention to the company’s Web server, which likely connects to the database server. The attacker uses SQL injection to create a user account on the database server.

  4. The attacker uses a remote desktop to log on to the database server, where he is able to directly attack the customer database server. The attacker discovers that the database server does not have a critical security patch installed that prevents a remote exploit available on the Internet.

  5. The attacker downloads and runs the exploit, which gives him system privileges on the database server.

Poor Assumptions

Making poor, misguided, or unjustified assumptions is the root cause of many security vulnerabilities. Administrators can make poor assumptions about user behavior, about how technology works, or about whether tasks have been completed. It takes only one small oversight resulting from an unjustified assumption for an attacker to compromise a network or application. Preventing administrators and developers from making unjustified assumptions is one of the single biggest ways you can improve security. Conversely, when assessing the security of a network, your job is all about discovering where administrators and developers have made unjustified assumptions.

Ignorance

Closely associated with making poor assumptions is ignorance. Often administrators and developers simply are not aware of the consequences of their actions or the threats that attackers pose to their network or application. Network management might also be the source of ignorance regarding how to properly secure information assets or what the threats to information assets are. The adage that nobody believes it happens until it happens to him has been very applicable to computer crime; however, with ever-increasing media and popular culture attention paid to computer crime, this type of ignorance might come to an end soon. It is unlikely, though. The bottom line is that there are bad guys out there and, given the opportunity, they will break into your organization’s network, even without any overwhelming motivation.

Failure to Stay Up-to-Date

The security of a network is only as good as its last update. Remember, security is dynamic—it is not a fixed state. Consequently, you must be vigilant about both securing information assets and maintaining the security of those assets. Certainly this is no more evident than with security patching for operating systems and applications. There is in effect a race between administrators and attackers each time a security patch is released. The administrators race to test and deploy the patch before attackers can develop an exploit and attack networks. For example, on July 16, 2003, Microsoft published the security bulletin MS 03-026 and corresponding patch. The subject of the bulletin was a product vulnerability in various versions of Windows operating systems that could lead to the remote compromise of the operating system through a remote procedure call (RPC). Within 11 days, exploit tools were published on the Internet, including source code and executable files. The Blaster virus, which took advantage of the RPC/DCOM product vulnerability, was not live until early August, approximately three weeks after the patch was released. About half a million computers were infected by Blaster nonetheless. Although vendors, Microsoft included, must develop better technologies to reduce vulnerabilities and to patch operating systems and applications, administrators must stay up-to-date on security to protect the organization’s network.

Types of Security Assessments

Your organization can use different types of security assessments to verify its level of security on network resources. You must choose the method that best suits the requirements of your situation. Each type of security assessment requires that the people conducting the assessment have different skills, so you must be sure that the people—whether employees or outsourced security experts—have extensive experience with the type of assessment you are interested in. Each assessment type is discussed in detail in this book.

Vulnerability Scanning

Vulnerability scanning is the most basic type of security assessment. Vulnerability scanning assesses a network for potential security weaknesses that are well known and well understood. Vulnerability scanning is generally carried out by a software package but can also be accomplished through custom scripts. Vulnerability scanning software frequently requires administrative rights on a network because of technical reasons or controls built into the scanning software, but some scanning does not require this level of access. In general, vulnerability scanning assessments assume that the person carrying out the scan is an administrator. Most commercial vulnerability scanning software packages do the following:

  • Enumerate computers, operating systems, and applications.

  • Identify common security mistakes.

  • Search for computers with known vulnerabilities.

  • Test for exposure to common attacks.

Enumerate Computers, Operating Systems, and Applications

Vulnerability scanning software searches network segments for IP-enabled devices, including computers and network devices. It also identifies the configuration of the devices, including the operating system version running on each computer or device, the IP protocols and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening, and the applications installed on computers.

Identify Common Security Mistakes

This software scans for common security mistakes, such as accounts that have weak passwords, files and folders with weak permissions, default services and applications that might need to be uninstalled, and mistakes in the security configuration of common applications.

Search for Computers with Known Vulnerabilities

Vulnerability scanning software scans computers for publicly reported vulnerabilities in operating systems and applications. Most vulnerability scanning software packages scan computers against the Common Vulnerabilities and Exposures (CVE) index and security bulletins from software vendors. The CVE is a vendor-neutral listing of reported security vulnerabilities in major operating systems and applications and is maintained at http://cve.mitre.org.

Test for Exposure to Common Attacks

This software tests computer and network devices to see whether they are vulnerable to common attacks, such as the enumeration of security-related information and denial of service (DoS) attacks.

Vulnerability scanning is effective for assessing a common weakness discovered on a network that has not been previously scanned, and for verifying that security policy is being implemented on software configuration. Because vulnerability scanning reports can expose weaknesses in arcane areas of applications and frequently include many false positives, network administrators who analyze vulnerability scan results must have sufficient knowledge and experience with the operating systems, network devices, and applications being scanned and their roles in the network.

For example, a vulnerability scan of a server running Windows 2000 might reveal that global system objects and process tracking are not audited. An inexperienced administrator who has no knowledge of the functionality of global system objects and process tracking might see this report and decide to enable auditing on these two components, reasoning that auditing is a recommended security measure. In reality, enabling auditing on global system objects and process tracking does little to augment an organization’s security and will almost certainly result in filling up the event log.
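The "search for computers with known vulnerabilities" step, and the review caveat above, in miniature: an added example, not code from the book or from any scanner product. The advisory ids, products, versions and hosts are constructed placeholders, and the function names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Advisory:
    advisory_id: str   # constructed placeholder id, not a real CVE number
    product: str
    fixed_in: str      # first version that carries the fix
    severity: str

@dataclass
class Host:
    name: str
    software: dict               # product -> installed version string
    settings: dict = field(default_factory=dict)

def parse_version(v: str) -> tuple:
    """'5.0.2195' -> (5, 0, 2195); a non-numeric component compares as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def find_known_vulns(host: Host, index: list) -> list:
    """Match inventory against the advisory index: a hit means the installed
    version of a listed product predates the advisory's fixed_in version."""
    hits = []
    for adv in index:
        installed = host.software.get(adv.product)
        if installed is not None and parse_version(installed) < parse_version(adv.fixed_in):
            hits.append((adv.advisory_id, adv.product, installed, adv.severity))
    return hits

def review_items(host: Host) -> list:
    """Findings that need an experienced reviewer rather than a blind fix,
    like the process-tracking auditing example in the text."""
    items = []
    if host.settings.get("audit_process_tracking") is False:
        items.append("process tracking not audited: review before enabling, it floods the event log")
    return items

# Constructed advisory index and inventory (stand-ins for CVE entries and vendor bulletins).
INDEX = [
    Advisory("ADV-0001", "RPC service", "5.0.2195.6", "critical"),
    Advisory("ADV-0002", "Web server", "6.0", "high"),
]
HOSTS = [
    Host("srv01", {"RPC service": "5.0.2195.5", "Web server": "6.0"}, {"audit_process_tracking": False}),
    Host("srv02", {"RPC service": "5.0.2195.6", "Web server": "5.1"}),
]

def scan(hosts=HOSTS, index=INDEX) -> dict:
    """Per-host report: version-matched known vulnerabilities plus items needing human review."""
    return {h.name: {"vulns": find_known_vulns(h, index), "review": review_items(h)}
            for h in hosts}
```

Note that the match is purely version-based, which is exactly why such a scanner is only as good as its index and why every hit still needs an administrator who knows the host's role.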

Important

Vulnerability scanning software is limited in that it detects problems at one point in time. Just as antivirus software requires the signature file to be updated when new viruses are discovered, vulnerability scanning software must be updated when new vulnerabilities are discovered and improvements are made to the software being scanned. Thus, the vulnerability software is only as effective as the maintenance performed on it by the software vendor and by the administrator who uses it. Vulnerability scanning software itself is not immune to software engineering flaws that might lead it to miss or misreport serious vulnerabilities.

The Microsoft Baseline Security Analyzer (MBSA) is an example of a vulnerability scanning application. The MBSA can scan computers that are running Microsoft Windows NT 4.0, Windows 2000, and Windows XP, as well as applications such as Microsoft Internet Information Services (IIS) and SQL Server. The MBSA scans for the installation of security updates and service packs, common vulnerabilities such as weak passwords, and security best practices such as checking to see whether auditing is enabled.

Penetration Testing

Penetration testing, often called pen testing, is a much more sophisticated type of security assessment than vulnerability scanning. Unlike vulnerability scanning, which generally examines the security of only individual computers, network devices, or applications, penetration testing assesses the security of the network as a whole. Also, penetration testing, by definition, assumes that the pen tester does not yet have administrator rights. (In fact, the goal of every pen test is to ultimately obtain administrator credentials.) Penetration testing can help educate network administrators, IT managers, and executives about the potential consequences of a real attacker breaking into the network. Penetration testing also reveals security weaknesses missed by vulnerability scanning: how vulnerabilities are exploited, and weaknesses in people and processes.

How Vulnerabilities Are Exploited

A penetration test points out vulnerabilities, documents how each weakness can be exploited and how several minor weaknesses can be chained together, and shows how, combined, these weaknesses compromise a computer or network. Most networks inevitably have vulnerabilities that you will not be able to resolve because of business or technical reasons. By knowing how these vulnerabilities can be exploited, you might be able to take other types of security measures to prevent them from compromising the network without disrupting business continuity.

Weakness in People and Processes

Because vulnerability scanning is based on software, it cannot assess security that is not related to technology. Both people and processes can be the source of security vulnerabilities just as easily as technology can. A penetration test might reveal that employees routinely allow people without identification to enter company facilities where they have physical access to computers. Similarly, a penetration test might reveal process problems, such as not applying security updates until a week after they are released, which would give attackers a 7-day window to strike known vulnerabilities on servers.

Because a penetration tester is differentiated from an attacker only by intent, you must use caution when allowing employees or external experts to conduct penetration tests. Penetration testing that is not completed professionally can result in the loss of services and disruption of business continuity. For example, an inexperienced pen tester might carry out a DoS attack on an application by inadvertently rebooting a database server.

Caution

Before conducting any type of penetration testing, you must get the appropriate approval from management. If you are not an employee of the company and specifically employed to perform pen tests, you should ensure that you have the appropriate contract in place for performing any type of security assessment. The contract should include a clear description of what will be tested and when the testing will take place. Because of the nature of penetration testing, failure to obtain this approval might result in committing computer crime, despite your best intentions. Because national and local laws on computer crime and contracts vary greatly, you are best advised to consult a lawyer before accepting consulting engagements that include pen testing.

IT Security Auditing

IT security auditing differs greatly from vulnerability scanning and penetration testing. IT security auditing generally focuses on the people and processes used to design, implement, and manage security on a network. In an IT security audit, the auditor uses your organization’s security policies and procedures as the baseline against which the network is assessed. A proper IT security audit will help determine whether your organization has the necessary components to build and operate a risk-appropriate, secure computing environment.

Unlike vulnerability scanning and penetration testing, IT security audits can be conducted by people without significant technical skills; conversely, the skills needed to perform a good audit are not necessarily those possessed by technical employees. IT security audits are essential elements of regulatory compliance. For example, if you work in the health care industry in the United States, your organization might be subject to the HIPAA (Health Insurance Portability and Accountability Act) security and privacy regulation. There is a reasonable chance that your organization’s insurance company will ask for some type of proof of compliance, and this is where the IT security audit comes in.

Frequently Asked Questions

Q.

What would happen if I conducted a penetration test on my organization’s network without permission?

A.

You could go to prison. Seriously—don’t do this. Get permission in advance.

Q.

How do I get management to understand the benefits of security assessments?

A.

Keep reading. This is discussed later in the book.

Q.

Why do security assessments have to be performed regularly?

A.

A security assessment might reveal some scary possibilities, but the real benefit of security assessments to the organization (and to you) is improving security. Without a baseline for comparison, it is very difficult, if not impossible, to show improvement or decline in your security. By comparing results from previous security assessments, you might be able to get yourself a raise!

Q.

How do I get that raise?

A.

By showing how you improved the security of the network, you have measurable proof of your work. Management-type people love measurable things! (More on this in later chapters.)

Q.

Can you quickly compare the three types of security assessments?

A.

Sure, see Table 1-1.

Table 1-1. Comparison of Security Assessment Types

Assessment: Vulnerability scanning

Key benefits:

  • Finds known vulnerabilities.

  • Can be automated.

  • Does not necessarily require a lot of skills to conduct.

Important drawbacks:

  • Results only as good as the software used.

  • Subject to false positives.

  • Finds only widely known weaknesses.

Assessment: Penetration testing

Key benefits:

  • Shows consequences of compromising.

  • Reveals weaknesses not discoverable by scanning (such as social engineering weaknesses).

  • Can increase the degree of assurance of protection against common attacks.

Important drawbacks:

  • Requires highly skilled people.

  • Results only as trustworthy as the skill of the tester.

  • Can cause interruption of network services.

Assessment: IT security auditing

Key benefits:

  • Assesses the effectiveness of security policies and procedures.

  • Can be used to provide evidence for industry regulations, such as HIPAA.

Important drawbacks:

  • Skill set to carry out IT security audits might not be possessed by technical staff.

  • Can be very time consuming.
