Chapter 3
IN THIS CHAPTER
Setting security testing goals
Selecting which systems to test
Developing your testing standards
Examining hacking tools
As an information security professional, you must plan your security assessment efforts before you start. Making a detailed plan doesn’t mean that your testing must be elaborate — just that you’re clear and concise about what to do. Given the seriousness of vulnerability and penetration testing, you should make this process as structured as possible.
Even if you test only a single web application or workgroup of computers, be sure to take the critical steps of establishing your goals, defining and documenting the scope of what you’ll be testing, determining your testing standards, and gathering and familiarizing yourself with the proper tools for the task. This chapter covers these steps to help you create a positive environment so you can set yourself up for success.
You can’t hit a target you can’t see. Your testing plan needs goals. The main goal of vulnerability and penetration testing is to find the flaws in your systems from the perspective of the bad guys so that you can make your environment more secure. Then you can take this a step further:
The following questions can start the ball rolling when you define the goals for your security testing plan:
After you know your goals, document the steps you’ll take to get there. If one goal is to develop a competitive advantage to keep existing customers and attract new ones, determine the answers to these questions:
Will your testing approach be blind (a.k.a covert testingin which you know nothing about the systems you’re testing) or knowledge-based (a.k.a. overt testing in which you’re given specific information about the systems you’re testing, such as IP addresses, host names, usernames, and passwords)?
I recommend the latter approach.
Will you notify the affected parties of what you’re doing and when you’re doing it, and if so, how?
Customer notification is a critical issue. Many customers appreciate that you’re taking steps to protect their information. Just make sure that you set everyone’s expectations properly.
Establishing your goals takes time, but you won’t regret setting them. These goals are your road map. If you have any concerns, refer to these goals to make sure that you stay on track. You can find additional resources on goal setting and management in the appendix.
After you’ve established your overall goals, decide which systems to test. You may not want — or need — to assess the security of all your systems at the same time. Assessing the security of all your systems could be quite an undertaking and might lead to problems. I’m not recommending that you don’t eventually assess every computer and application you have. I’m just suggesting that whenever possible, you should break your projects into smaller chunks to make them more manageable, especially if you’re getting started out. The Pareto principle (focusing on your highest-payoff tasks) should take precedence. You might decide which systems to test based on a high-level risk analysis, answering questions such as these:
The following list includes devices, systems, and applications on which you might perform vulnerability and penetration tests:
The systems you test depend on several factors. If you have a small network, you can test everything. For larger organizations, onsider testing only public-facing hosts such as email and web servers and their associated applications. The security testing process is flexible. Base your decisions on what makes the most business sense or what you’re required to do based on compliance regulations or demands from business partners and customers.
Start with the most vulnerable systems, and consider these factors:
A previous security risk assessment, vulnerability test, or business impact analysis may have generated answers to the preceding questions. If so, that documentation can help you identify systems for further testing. Bow Tie and Failure Modes and Effects Analysis (FMEA) are additional approaches.
Another factor that helps you decide where to start is your assessment of the systems that have the greatest visibility. It may make more sense (at least initially) to focus on a database or file server that stores critical client information than to concentrate on a firewall or web server that hosts marketing information, for example.
One miscommunication or slip-up can send systems crashing during your security testing. No one wants that to happen. To prevent mishaps, develop and document testing standards. These standards should include:
This list is general best practices; you can apply more standards for your situation. The following sections describe these best practices in more detail.
They say that “it’s all in the timing,” especially when performing security tests. Make sure that the tests you perform minimize disruption to business processes, information systems, and people. You want to avoid harmful situations such as miscommunicating the timing of tests and causing a denial of service (DoS) attack against a high-traffic e-commerce site in the middle of the day or performing password-cracking tests in the middle of the night. It’s amazing what a 12-hour time difference (2 p.m. during major production versus 2 a.m. during a slower period) can make when testing your systems! Even having people in different time zones can create issues. Everyone on the project needs to agree on a detailed timeline before you begin. Having team members’ agreement puts everyone on the same page and sets correct expectations.
Your testing timeline should include specific short-term dates, the times of each test, the start and end dates, and any specific milestones. You can enter your timeline in a simple spreadsheet program or project-focused Gantt chart, or in a larger project plan. A timeline such as the following keeps things simple and provides a reference during testing:
Test Performed |
Start Time |
Projected End Time |
Web application vulnerability scanning |
June 1, 21:00 EST |
June 2, 07:00 |
Network host vulnerability scanning |
June 2, 10:00 EST |
June 3, 02:00 |
Network host vulnerability analysis/exploitation |
June 3, 08:00 EST |
June 6, 17:00 |
You may have been charged with performing some general vulnerability scans, or you may want to perform specific tests such as cracking passwords or trying to gain access to a web application. You may even be performing a social engineering test or assessing Windows on the network. However you test, you may not want to reveal the specifics of the testing. Even when your manager or client doesn’t require detailed records of your tests, document what you’re doing at a high level. Documenting your testing can eliminate potential miscommunication and keep you out of hot water. Also, you may need documentation as evidence if you uncover malfeasance.
Sometimes, you know the general tests that you perform, but if you use automated tools, it may be next to impossible to understand every test completely. This situation is especially true when the software you’re using receives real-time vulnerability updates and patches from the vendor each time you run it. The potential for frequent updates underscores the importance of reading the documentation and readme files that come with the tools you use.
Having some knowledge of the systems you’re testing is generally the best approach, but it’s not required. Having a basic understanding of the systems you hack can protect you and others. Obtaining this knowledge shouldn’t be difficult if you’re testing your own in-house systems. If you’re testing a client’s systems, you may have to dig a little deeper into how the systems work so that you’re familiar with them. Doing so has always been my practice, and I’ve had only a small number of clients ask for a full blind assessment, because most people are scared of them. I’m not saying that blind assessments aren’t valuable, but the type of assessment you carry out depends on your needs.
The best approach is to plan on unlimited attacks, wherein any test is fair game, possibly even including DoS testing. The bad guys aren’t poking around on your systems within a limited scope, so why should you?
Consider whether the tests should be performed so that they’re undetected by network administrators and any managed security service providers or related vendors. Though not required, this practice should be considered, especially for social engineering and physical security tests. I outline specific tests for those purposes in chapters 6 and 7.
The tests you perform dictate where you run them from. Your goal is to test your systems from locations that by malicious hackers or insiders can access. You can’t predict whether you’ll be attacked by someone inside or outside your network, so cover your bases as much as you can. Combine external (public Internet) tests and internal (private network) tests.
You can perform some tests, such as password cracking and network infrastructure assessments, from your office. For external tests that require network connectivity, you may have to go offsite (a good excuse to work from home), use an external proxy server, or simply use guest Wi-Fi. Some security vendors’ vulnerability scanners can even be run from the cloud. Better yet, if you can assign an available public IP address to your computer, plug into the network outside the firewall for a hacker’s-eye view of your systems.
Internal tests are easy because you need only physical access to the building and the network. You may be able to use a DSL line or cable modem that’s already in place for visitor and guest use.
Determine ahead of time whether you’ll stop or keep going when you find a critical security hole. You don’t need to keep testing forever. Just follow the path you’re on until you’ve met your objectives or reached your goals. When in doubt, have a specific goal in mind and stop when you meet that goal.
If you discover a major hole, I recommend contacting the right people as soon as possible so that they can begin fixing the issue right away. The right people may be software developers, product or project managers, or even chief information officers. If you wait a few hours, days, or weeks, someone may exploit the vulnerability and cause damage that could have been prevented, potentially creating bigger legal issues.
You’ve heard what you make of yourself when you assume things. Even so, you make assumptions when you test your systems. Here are some examples of those assumptions:
Document all assumptions. You won’t regret doing that.
Which security assessment tools you need depend on the tests you’re going to run. You can perform some security tests with a pair of sneakers, a telephone, and a basic workstation on the network, but comprehensive testing is easier when you have good, dedicated tools.
It’s important to know what each tool can and can’t do, as well as how to use each one. I suggest reading the manual and other help files. Unfortunately, some tools have limited documentation, which can be frustrating. You can search forums and post a message if you’re having trouble with a tool.
If you’re like me, you may despise some freeware and open-source security tools. Plenty of them have wasted hours or even days of my life that I’ll never get back. If these tools end up causing you more headaches than they’re worth or don’t do what you need them to do, consider purchasing commercial alternatives, which are often easier to use and typically generate better high-level executive reports. Some commercial tools are expensive, but their ease of use and functionality may justify the initial and ongoing costs. In most situations with security tools, you get what you pay for.
3.129.211.87