Security Assessments and Penetration Testing

Companies with security offerings these days often have a security assessment as their first step in assisting a client in securing their network. A security assessment is an excellent first step for an organization concerned with understanding the extent of the security on their network (and its effectiveness). A strongly recommended practice is that individuals outside your organization perform security assessments on a yearly basis. This provides an objective and honest evaluation of your security, and because vulnerabilities are always being discovered, your network would be evaluated often enough to understand its effectiveness. A variety of available types of security assessments exist:

Internal vulnerability and penetration

External vulnerability and penetration

Physical security

Before arranging a security assessment of any sort, you should learn more about the processes and procedures that the vendor is going to use. With so many security service companies to choose from, do not risk your company’s security without some due diligence; at a minimum, consider the following:

Understand the plan for the security assessment. If not planned and understood, assessing the actual network vulnerabilities can cause havoc in your network. There must be a legal agreement on the scope of the testing and the extent to which it will go; this protects both parties. Finally, it is important to define the success criteria of an assessment so that both parties understand what is to be accomplished.

The following sections examine the recommended approach that you should take and the benefits to the security of your network for each type of assessment.

Internal Vulnerability and Penetration Assessment

According to a recent study by the FBI, internal users and processes account for more than 60 percent of network security threats in today’s enterprises. These threats are a result of improper configuration of network devices, lack of effective security procedures, and outdated and unpatched software. Security consultants should be able to identify these threats to determine your network’s level of risk to intentional or accidental threats.

Today’s organizations find it difficult to stay up to date on the numerous new vulnerabilities found each day in operating systems and applications. Security consultants should be aware of the latest vulnerabilities and help you assess the state of your internal network security mechanisms. They should also be able to recommend corrective steps for moving forward with your organization’s security goals.

Assessment Methodology

Internal network security assessments must be performed onsite at your location and focus on internal security risks associated with policies, procedures, and networked hosts and applications. At a minimum, a security consultant should perform the following work:

• Gather customer-provided network information, if applicable.

• Gather and document publicly available network information for your review so that you can understand what an attacker would know.

• Perform network mapping techniques to determine the topology and physical design of your network.

• Perform network application probing and scanning.

• Consider OS fingerprinting and vulnerability detection to expose vulnerable hosts.

• Identify traffic patterns and flows to compare with expected normal business expectations.

• Detect any potentially weak user authentication systems, such as users who never change passwords or insecure wireless networks.

• Perform vulnerability analysis using public, private, and custom tools.

• Manually verify all detected vulnerabilities to ensure that false positives are not reported.

• Observe internal security practices and policies throughout your network.

• Analyze findings and report analysis along with specific recommendations for moving forward.

The end result of an internal risk assessment should be a document that contains the assessment methodology, work performed, and details gathered on every system, including the high-risk systems found vulnerable to attack and detailed lists of vulnerabilities. The assessment results document provides a clearer picture of your network architecture and security risks. The document should also contain the results of all work performed and conclusions from each test phase about the remediation required and the relative priority of these recommendations. Of course, this document must also include recommendations for mitigating detected network security risks in a cost-effective manner.
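The methodology above ends with three steps that are easy to skip in practice: comparing what the scan found with what the business expects to be there, manually verifying every finding so that false positives never reach the report, and ranking what remains so the customer knows what to fix first. The following Python script is an added example (not from the book or any vendor named in it) that shows one way to structure that triage. The hosts, ports, baseline, and severity weights are constructed sample data, and the assumption that cleartext management protocols rank highest is mine, not the book's.

```python
"""Triage helper for an internal assessment: compare discovered services against an
approved baseline, hold back unverified findings, and rank what remains by severity.

Added example, not from the book. All hosts, ports and findings are constructed
sample data; the severity weights are assumptions for illustration only."""
from dataclasses import dataclass

# Constructed baseline: what the business expects each host to expose.
# Host -> set of (port, service) pairs that are approved by the inventory.
APPROVED_SERVICES = {
    "10.0.1.10": {(22, "ssh"), (443, "https")},
    "10.0.1.20": {(3306, "mysql")},
    "10.0.1.30": {(445, "smb")},
}

# Constructed scan output: (host, port, service, version_banner).
DISCOVERED = [
    ("10.0.1.10", 22, "ssh", "OpenSSH 8.9"),
    ("10.0.1.10", 443, "https", "nginx"),
    ("10.0.1.10", 23, "telnet", "generic telnetd"),  # not in baseline
    ("10.0.1.20", 3306, "mysql", "MySQL 8.0"),
    ("10.0.1.20", 8080, "http", "Jetty"),            # host known, service not approved
    ("10.0.1.40", 80, "http", "Apache httpd"),        # host not in inventory at all
    ("10.0.1.30", 445, "smb", "Samba 4.x"),
]


@dataclass
class Finding:
    host: str
    port: int
    service: str
    title: str
    severity: str           # "high", "medium" or "low"
    verified: bool = False  # only manually verified findings are reported
    evidence: str = ""      # what the tester observed when verifying


SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def unexpected_services(discovered, approved):
    """Return (host, port, service) tuples that the baseline does not approve.
    A host missing from the inventory counts as entirely unexpected."""
    unexpected = []
    for host, port, service, _banner in discovered:
        if (port, service) not in approved.get(host, set()):
            unexpected.append((host, port, service))
    return unexpected


def findings_from_scan(discovered, approved):
    """Turn scanner output into draft findings. Assumed weights: cleartext
    management protocols are high, unknown hosts medium, other deviations low."""
    drafts = []
    for host, port, service in unexpected_services(discovered, approved):
        if service in {"telnet", "ftp", "rsh"}:
            drafts.append(Finding(host, port, service,
                                  f"Cleartext service {service} exposed", "high"))
        elif host not in approved:
            drafts.append(Finding(host, port, service,
                                  "Host not in asset inventory", "medium"))
        else:
            drafts.append(Finding(host, port, service,
                                  f"Unapproved service {service}", "low"))
    return drafts


def verify(finding, evidence):
    """Record the manual verification step; unverified drafts never get reported."""
    finding.verified = True
    finding.evidence = evidence
    return finding


def report(findings):
    """Only verified findings reach the report, ordered by severity, then host and port."""
    verified = [f for f in findings if f.verified]
    verified.sort(key=lambda f: (-SEVERITY_RANK[f.severity], f.host, f.port))
    return [f"[{f.severity.upper()}] {f.host}:{f.port} {f.title} (evidence: {f.evidence})"
            for f in verified]


if __name__ == "__main__":
    drafts = findings_from_scan(DISCOVERED, APPROVED_SERVICES)
    # The tester confirms two of the three drafts by hand; the third stays out of the report.
    verify(drafts[0], "banner grab shows a login prompt on tcp/23")
    verify(drafts[2], "host answers on tcp/80 but has no inventory record")
    for line in report(drafts):
        print(line)
```

The point of keeping `verified` as a separate flag rather than filtering at scan time is that the draft list is the tester's worklist, while the report is the customer's deliverable: nothing moves from one to the other without an evidence string attached.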

External Penetration and Vulnerability Assessment

As traditional business systems become more distributed among an organization’s geographically dispersed locations, the risk of external attacks increases. These risks are further exacerbated by improper router and firewall configuration and insecure, outdated, or improperly configured web-based applications.

Today’s small and medium-sized businesses find it difficult to stay up to date on the numerous new vulnerabilities found each day in operating systems and applications. There are numerous security firms that can help you assess the state of your current perimeter defense mechanisms and recommend steps for moving forward with your organization’s security awareness.

Assessment Methodology

External penetration and vulnerability assessments are performed against your network at places where it interacts with the outside world. This could be through connections to the Internet, wireless, phone systems, and other remote access locations. The intent of this type of security assessment is to determine where and how your network is vulnerable to external attacks.

In many cases, an external assessment and an internal security assessment look at the same types of things. The difference is the point of view, and in this case it is from the outside trying to look in to see what can be discovered. The following list examines the work that should be done for an external penetration and vulnerability assessment:

• Gather customer-provided network information, if applicable.

• Gather and document publicly available network information for your review so that you can understand what an attacker would know.

• Perform stealthy network mapping techniques to determine your network’s topology and physical design and to see whether these simulated attacks can be detected.

• Perform network application probing and scanning.

• Perform firewalking, wardialing, and wardriving tests, as needed. Firewalking has already been discussed. Wardialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code, to search for computers, bulletin board systems, and fax machines. Wardriving is the act of searching for Wi-Fi hotspots or wireless networks by a person in a moving vehicle, using a laptop, PDA, or smartphone (there is an “app” for that), and even game consoles (Nintendo DS and Sony PSP); Treasure World for the DS is a commercial game in which gameplay completely revolves around wardriving.

• Use OS fingerprinting and vulnerability detection to expose vulnerable hosts.

• Identify traffic patterns and flows to compare with expected normal business expectations.

• Detect any potentially weak user authentication systems, such as users who never change passwords or insecure wireless networks.

• Perform vulnerability analysis using public, private, and custom tools.

• Manually verify all detected vulnerabilities to ensure that false positives are not reported.

• Analyze findings and report analysis along with specific recommendations for moving forward.

The end result of an external penetration and vulnerability assessment is a document that contains the same level and type of information as an internal assessment, except from an external point of view. Although this chapter separately examines internal and external assessments, these assessments are best performed together in the real world. They then provide a clearer picture of your network’s security, end-to-end.
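The external methodology adds one question the internal one does not ask: when the consultant maps your perimeter, does your own monitoring notice? The following Python script is an added example (not from the book) of the kind of check a defender can run over perimeter logs after the assessment to answer that question. The firewall log layout, the addresses, and the thresholds are all constructed or assumed; the log lines are generated inline so the script runs offline. It also shows the caveat behind the word "stealthy" in the list above: the same heuristic that catches a fast sweep misses a slow one unless the window is widened.

```python
"""Detection check for the external assessment: does a simulated network-mapping
sweep show up in the perimeter firewall logs?

Added example, not from the book. The log format is an assumed syslog-like layout,
the addresses are documentation ranges, and the thresholds are illustrative."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: "<ISO timestamp> <device> DENY src=... dst=... dport=... proto=..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=\w+$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a DENY line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return ts, m.group("src"), m.group("dst"), int(m.group("dport"))


def make_deny_lines(src, dst, ports, start, spacing_s):
    """Build constructed DENY lines: one entry per port, spacing_s seconds apart."""
    lines = []
    for i, port in enumerate(ports):
        t = (start + timedelta(seconds=i * spacing_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{t} fw1 DENY src={src} dst={dst} dport={port} proto=tcp")
    return lines


START = datetime(2024, 5, 1, 10, 0, 0)
# Constructed traffic: a fast sweep, a slow sweep of the same ports, and benign retries.
FAST_SWEEP = make_deny_lines("203.0.113.5", "198.51.100.10", range(20, 35), START, 1)    # 15 ports in 14 s
SLOW_SWEEP = make_deny_lines("203.0.113.9", "198.51.100.10", range(20, 35), START, 45)   # 15 ports over 10.5 min
BENIGN = make_deny_lines("192.0.2.7", "198.51.100.10", [443] * 20, START, 3)             # one port, many retries
SAMPLE_LOG = FAST_SWEEP + SLOW_SWEEP + BENIGN


def detect_sweeps(lines, window_s=60, min_ports=10):
    """Flag a source that touches at least min_ports distinct destination ports
    within window_s seconds. Returns {src: ISO timestamp of first alert}."""
    recent = defaultdict(deque)  # src -> (timestamp, dport) entries inside the window
    alerts = {}
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r[0])
    for ts, src, _dst, dport in records:
        q = recent[src]
        q.append((ts, dport))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= min_ports and src not in alerts:
            alerts[src] = ts.isoformat()
    return alerts


if __name__ == "__main__":
    print("60 s window :", detect_sweeps(SAMPLE_LOG))
    print("600 s window:", detect_sweeps(SAMPLE_LOG, window_s=600))
```

With the default 60-second window only the fast sweep is flagged; the slow sweep spreads its probes 45 seconds apart and never has ten distinct ports inside any one window. Widening the window to 600 seconds catches both, which is the trade-off the assessment report should spell out: the longer the window, the more state the detector keeps and the more benign long-lived sessions it has to tolerate.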

Physical Security Assessment

This book focuses on the logical security of networks, which is only part of the coverage that this type of assessment provides. Many assets are physical in nature and can be harmed through cruder and perhaps simpler methods than have been discussed. For example, are your IT resources kept in a room with overhead water-based sprinklers? If so, that is not physically secure because microchips and water do not mix. A simple DoS would be to trigger the fire alarm in your building and let the water do the rest. I hope your tape backups are protected from water damage and that they are current.

Although this is a digital age, today’s IT systems still depend on physical hardware and reside in physical locations. Without the use of proper physical security mechanisms, all other security measures in place can be defeated. As the sensitivity of an organization’s information increases, physical security takes a more important role. What good is it to have the latest firewall, IDS, and VPNs if you leave the door open to your equipment?

Physical security controls can be either deterrent or detective in nature and are designed to limit your organization’s exposure to physical threats. A physical security risk assessment can help your organization design and implement cost-effective physical security measures to deter would-be attackers, monitor suspicious activities, and ultimately protect your valuable corporate resources from tampering, compromise, or destruction.

Assessment Methodology

A physical security assessment must be performed onsite at your location and focus on physical security measures and internal practices of a physical nature that are in place to protect your network resources. A physical security assessment should entail the following:

• Observe external building access points and safeguards in place.

• Observe physical safeguards in place, such as closed-circuit cameras, badge access, and visitor sign-in practices.

• Review physical protection mechanisms for IT resources, but also paper records.

• Determine physical safeguards in place for securing IT equipment, such as restricted access to computing environment, floppy-drive locks, redundant power sources, and protected data communication channels.

• Observe employee habits as related to physical security.

• Observe the physical disposal methods of critical data; do you recall dumpster diving?

• Make recommendations for securing your IT resources from physical security breaches.

• Understand the backup procedures and storage of critical data.

• Examine vendor and visitor access policies (if they exist) to determine how unknown individuals are handled.

The end result of a physical risk assessment is a document that contains the methodology followed, the work performed, the results of the work performed, and recommendations for mitigating detected physical security risks in a cost-effective manner.

Many of these assessments cannot be automated to any great degree, so you must open your network and its resources to a trusted outside organization. When selecting this organization, you should request the following:

• Review of industry standard certifications to ensure that there is at least a measurable level of competence associated with those who are assessing your network.

• Contact several references of the company you are thinking about using and make sure that the references are relevant to the services you need performed.

• Ask for and review sample assessments. This can be difficult to do because assessments usually contain sensitive customer data, but any company committed to providing security services should have the capability to show you a sanitized version.

• Set expectations and deliverables clearly in the agreement to proceed or contract and so forth, thereby protecting yourself and the vendor’s employees. Clear communication can solve 99 percent of the world’s problems.

• Ask the security company to walk you through the assessment process before it comes to your location. If it cannot recite the process from memory, chances are it has either not been in business very long or the person you are speaking with is not a field technician.

Miscellaneous Assessments

Following are other types of assessments related to security in some ways that you should consider:

Procedural risk assessment: This assessment enables security professionals to review your security policies and procedures to ensure that they conform to best practices. Chapter 2, “Security Policies,” discusses policies and procedures of this nature.

Disaster recovery: If your organization is based in an area of the world that is susceptible to tornados, hurricanes, earthquakes, lightning strikes, floods, fire, or some combination of these, the need for a plan to recover your network infrastructure and critical data becomes more important with every passing day. The influence and pervasiveness of IT is ever-increasing.

Information handling security assessment for banks and medical offices: With new legislation for the security of financial and medical records (HIPAA for medical and the Gramm-Leach-Bliley Act for financial) coming out each year, professions tasked with maintaining these types of records must meet increasingly higher data security standards or face jail time.

Assessment Providers

A simple Google search on security assessments reveals more than 400,000 hits, and this number will continue to grow. Some companies, such as the following, are worth mentioning as excellent providers of assessment services:

Cisco Secure Consulting Services: Provides enterprise customers with comprehensive security analysis of large-scale, distributed client networks externally from the perspective of an outside hacker and internally from the perspective of a disgruntled employee or contractor, according to its website. You can learn more at www.cisco.com/go/securityconsulting.

Qoncert: Provides customized security solutions and assessments for customers of all sizes with a specialization in ensuring that business focus drives the security solution versus the more common occurrence of IT driving business. You can learn more at www.qoncert.com.
