Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Chapter 3

Developing Your Security Testing Plan

IN THIS CHAPTER

Setting security testing goals

Selecting which systems to test

Developing your testing standards

Examining hacking tools

As an information security professional, you must plan your security assessment efforts before you start. Making a detailed plan doesn’t mean that your testing must be elaborate — just that you’re clear and concise about what to do. Given the seriousness of vulnerability and penetration testing, you should make this process as structured as possible.

Even if you test only a single web application or workgroup of computers, be sure to take the critical steps of establishing your goals, defining and documenting the scope of what you’ll be testing, determining your testing standards, and gathering and familiarizing yourself with the proper tools for the task. This chapter covers these steps to help you create a positive environment so you can set yourself up for success.

Establishing Your Goals

You can’t hit a target you can’t see. Your testing plan needs goals. The main goal of vulnerability and penetration testing is to find the flaws in your systems from the perspective of the bad guys so that you can make your environment more secure. Then you can take this a step further:

Define more specific goals. Align these goals with your business objectives. Specify what you and management are trying to get from this process and what performance criteria you’ll use to ensure that you’re getting the most out of your testing.
Create a specific schedule with start and end dates as well as the times your testing is to take place. These dates and times are critical components of your overall plan.

Before you begin any testing, you absolutely, positively need everything in writing and approved. Document everything, and involve management in this process. Your best ally in your testing efforts is a manager who supports what you’re doing.

The following questions can start the ball rolling when you define the goals for your security testing plan:

Does your testing support the mission of the business and its IT and security departments?
What business goals are met by performing this testing? These goals may include the following:
- Working through Statement on Standards for Attestation Engagements (SSAE) 18 audits.
- Meeting federal regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
- Meeting contractual requirements of clients or business partners.
- Maintaining the company’s image.
- Prepping for the internationally accepted security standard of ISO/IEC 27001:2013.
How will this testing improve security, IT, and the business as a whole?
What information are you protecting (such as personal health information, intellectual property, confidential client information, or employees’ private information)?
How much money, time, and effort are you and your organization willing to spend on security assessments?
What specific deliverables will there be? Deliverables can include anything from high-level executive reports to detailed technical reports and write-ups on what you tested, along with the outcomes of your tests. You can deliver specific information that you glean during your testing, such as passwords and other confidential information.
What specific outcomes do you want? Desired outcomes include the justification for hiring or outsourcing security personnel, increasing your security budget, meeting compliance requirements, or enhancing security systems.

After you know your goals, document the steps you’ll take to get there. If one goal is to develop a competitive advantage to keep existing customers and attract new ones, determine the answers to these questions:

When will you start your testing?
Will your testing approach be blind (a.k.a covert testingin which you know nothing about the systems you’re testing) or knowledge-based (a.k.a. overt testing in which you’re given specific information about the systems you’re testing, such as IP addresses, host names, usernames, and passwords)?

I recommend the latter approach.
Will your testing be technical in nature, involve physical security assessments, or use social engineering?
Will you be part of a larger security testing team (sometimes called a tiger team or red team)?
Will you notify the affected parties of what you’re doing and when you’re doing it, and if so, how?

Customer notification is a critical issue. Many customers appreciate that you’re taking steps to protect their information. Just make sure that you set everyone’s expectations properly.
How will you know whether customers care about what you’re doing?
How will you notify customers that the organization is taking steps to enhance the security of their information?
What measurements can ensure that these efforts are paying off?

Establishing your goals takes time, but you won’t regret setting them. These goals are your road map. If you have any concerns, refer to these goals to make sure that you stay on track. You can find additional resources on goal setting and management in the appendix.

Determining Which Systems to Test

After you’ve established your overall goals, decide which systems to test. You may not want — or need — to assess the security of all your systems at the same time. Assessing the security of all your systems could be quite an undertaking and might lead to problems. I’m not recommending that you don’t eventually assess every computer and application you have. I’m just suggesting that whenever possible, you should break your projects into smaller chunks to make them more manageable, especially if you’re getting started out. The Pareto principle (focusing on your highest-payoff tasks) should take precedence. You might decide which systems to test based on a high-level risk analysis, answering questions such as these:

What are your most critical systems?
Which systems, if accessed without authorization, would cause the most trouble or suffer the greatest losses?
Which systems appear to be most vulnerable to attack?
Which systems are undocumented, are rarely administered, or are the ones you know the least about?

The following list includes devices, systems, and applications on which you might perform vulnerability and penetration tests:

Routers and switches
Firewalls
Wireless access points
Web applications (internal, external (hosted locally or inand the cloud)
Database, email, and file servers
Mobile devices (such as smartphones and tablets) that store confidential information
Physical security cameras and building access control systems
Supervisory control and data acquisition (SCADA) and industrial control systems
Workstations and servers

The systems you test depend on several factors. If you have a small network, you can test everything. For larger organizations, onsider testing only public-facing hosts such as email and web servers and their associated applications. The security testing process is flexible. Base your decisions on what makes the most business sense or what you’re required to do based on compliance regulations or demands from business partners and customers.

Start with the most vulnerable systems, and consider these factors:

Whether the computer or application resides on the network or in the cloud.
Which operating system (OS) and application(s) the system runs.
The amount or type of critical information stored on the system.

A previous security risk assessment, vulnerability test, or business impact analysis may have generated answers to the preceding questions. If so, that documentation can help you identify systems for further testing. Bow Tie and Failure Modes and Effects Analysis (FMEA) are additional approaches.

Vulnerability and penetration testing goes deeper than basic vulnerability scans and higher-level information risk assessments. With proper testing, you might start by gleaning information on all systems — including the organization as a whole — and then further assess the most vulnerable systems. I discuss the vulnerability and penetration testing methodology in Chapter 4.

Another factor that helps you decide where to start is your assessment of the systems that have the greatest visibility. It may make more sense (at least initially) to focus on a database or file server that stores critical client information than to concentrate on a firewall or web server that hosts marketing information, for example.

ATTACK-TREE ANALYSIS

Attack-tree analysis is the process of creating a flow-chart-type mapping of how malicious attackers would attack a system. Attack trees are used in higher-level information risk analyses; they’re also used by security-savvy development teams for planning new software projects. If you want to take your security testing to the next level by thoroughly planning your attacks, working methodically, and being more professional, attack-tree analysis is the tool you need.

The only drawback is that attack trees can take considerable time to draw and require a fair amount of expertise. Why sweat the process, though, when a computer can do a lot of the work for you? A commercial tool called SecurITree, by Amenaza Technologies Ltd. (www.amenaza.com), specializes in attack-tree analysis. You could also use Microsoft Visio (https://products.office.com/en-us/visio/visio-online)) or SmartDraw (www.smartdraw.com). The following figure shows a sample SecurITree attack tree analysis.

Creating Testing Standards

One miscommunication or slip-up can send systems crashing during your security testing. No one wants that to happen. To prevent mishaps, develop and document testing standards. These standards should include:

When the tests are performed, along with the overall timeline.
Which tests are performed.
How much knowledge of the systems you acquire in advance.
How the tests are performed and from what source IP addresses (if performed via an external source via the Internet).
What to do when a major vulnerability is discovered.

This list is general best practices; you can apply more standards for your situation. The following sections describe these best practices in more detail.

Timing your tests

They say that “it’s all in the timing,” especially when performing security tests. Make sure that the tests you perform minimize disruption to business processes, information systems, and people. You want to avoid harmful situations such as miscommunicating the timing of tests and causing a denial of service (DoS) attack against a high-traffic e-commerce site in the middle of the day or performing password-cracking tests in the middle of the night. It’s amazing what a 12-hour time difference (2 p.m. during major production versus 2 a.m. during a slower period) can make when testing your systems! Even having people in different time zones can create issues. Everyone on the project needs to agree on a detailed timeline before you begin. Having team members’ agreement puts everyone on the same page and sets correct expectations.

If possible and practical, notify your Internet service providers, cloud service providers, and hosting co-location providers. Many companies require such notification in advance before they approve your testing. These companies have firewalls or intrusion prevention systems (IPSes) in place to detect malicious behavior. If your provider knows that you’re conducting tests, it may be less likely that they block your traffic, and you’ll get better results.

Your testing timeline should include specific short-term dates, the times of each test, the start and end dates, and any specific milestones. You can enter your timeline in a simple spreadsheet program or project-focused Gantt chart, or in a larger project plan. A timeline such as the following keeps things simple and provides a reference during testing:

Test Performed	Start Time	Projected End Time
Web application vulnerability scanning	June 1, 21:00 EST	June 2, 07:00
Network host vulnerability scanning	June 2, 10:00 EST	June 3, 02:00
Network host vulnerability analysis/exploitation	June 3, 08:00 EST	June 6, 17:00

Running specific tests

You may have been charged with performing some general vulnerability scans, or you may want to perform specific tests such as cracking passwords or trying to gain access to a web application. You may even be performing a social engineering test or assessing Windows on the network. However you test, you may not want to reveal the specifics of the testing. Even when your manager or client doesn’t require detailed records of your tests, document what you’re doing at a high level. Documenting your testing can eliminate potential miscommunication and keep you out of hot water. Also, you may need documentation as evidence if you uncover malfeasance.

Enabling logging on the systems you test along with the tools you use can provide evidence of what and when you test. Such logging may be overkill, but you could even record screen actions by using a tool such as TechSmith’s Camtasia Studio (www.techsmith.com/camtasia.html).

Sometimes, you know the general tests that you perform, but if you use automated tools, it may be next to impossible to understand every test completely. This situation is especially true when the software you’re using receives real-time vulnerability updates and patches from the vendor each time you run it. The potential for frequent updates underscores the importance of reading the documentation and readme files that come with the tools you use.

A CASE STUDY IN SELF-INFLICTED DENIAL OF SERVICE

An updated program once bit me. I was performing a vulnerability scan on a client’s website — the same test that I’d performed the previous week. The client and I had scheduled the test date and time in advance. But I didn’t know that the software vendor had made some changes in its web form submission tests, and I accidentally flooded the client’s web application, creating a DoS condition.

Luckily, this condition occurred after business hours and didn’t affect the client’s operations. The client’s web application was coded to generate an email for every form submission, however, and there was no CAPTCHA on the page to limit successive submissions. The application developer and company’s president received 4,000 emails in their inboxes within about 10 minutes. Ouch!

My experience is a perfect example of not knowing how my tool was configured by default and what it would do in that situation. I was lucky that the president was tech-savvy and understood the situation. Be sure to have a contingency plan in case a situation like that occurs. Just as important, set people’s expectations that trouble can occur, even when you’ve taken all the right steps to ensure that everything’s in check.

Conducting blind versus knowledge assessments

Having some knowledge of the systems you’re testing is generally the best approach, but it’s not required. Having a basic understanding of the systems you hack can protect you and others. Obtaining this knowledge shouldn’t be difficult if you’re testing your own in-house systems. If you’re testing a client’s systems, you may have to dig a little deeper into how the systems work so that you’re familiar with them. Doing so has always been my practice, and I’ve had only a small number of clients ask for a full blind assessment, because most people are scared of them. I’m not saying that blind assessments aren’t valuable, but the type of assessment you carry out depends on your needs.

The best approach is to plan on unlimited attacks, wherein any test is fair game, possibly even including DoS testing. The bad guys aren’t poking around on your systems within a limited scope, so why should you?

Consider whether the tests should be performed so that they’re undetected by network administrators and any managed security service providers or related vendors. Though not required, this practice should be considered, especially for social engineering and physical security tests. I outline specific tests for those purposes in chapters 6 and 7.

If too many insiders know about your testing, they might improve their habits enough to create a false sense of vigilance, which can negate the hard work you put into the testing. Still, it’s almost always a good idea to inform the owner of the system who may not be your sponsor. If you’re doing this testing for clients, always have a main point of contact — preferably someone who has decision-making authority.

Picking your location

The tests you perform dictate where you run them from. Your goal is to test your systems from locations that by malicious hackers or insiders can access. You can’t predict whether you’ll be attacked by someone inside or outside your network, so cover your bases as much as you can. Combine external (public Internet) tests and internal (private network) tests.

You can perform some tests, such as password cracking and network infrastructure assessments, from your office. For external tests that require network connectivity, you may have to go offsite (a good excuse to work from home), use an external proxy server, or simply use guest Wi-Fi. Some security vendors’ vulnerability scanners can even be run from the cloud. Better yet, if you can assign an available public IP address to your computer, plug into the network outside the firewall for a hacker’s-eye view of your systems.

Internal tests are easy because you need only physical access to the building and the network. You may be able to use a DSL line or cable modem that’s already in place for visitor and guest use.

Responding to vulnerabilities you find

Determine ahead of time whether you’ll stop or keep going when you find a critical security hole. You don’t need to keep testing forever. Just follow the path you’re on until you’ve met your objectives or reached your goals. When in doubt, have a specific goal in mind and stop when you meet that goal.

If you don’t have goals, how are you going to know when reach your security testing destination?

If you discover a major hole, I recommend contacting the right people as soon as possible so that they can begin fixing the issue right away. The right people may be software developers, product or project managers, or even chief information officers. If you wait a few hours, days, or weeks, someone may exploit the vulnerability and cause damage that could have been prevented, potentially creating bigger legal issues.

Making silly assumptions

You’ve heard what you make of yourself when you assume things. Even so, you make assumptions when you test your systems. Here are some examples of those assumptions:

All the computers, networks, applications, and people are available when you’re testing. (They won’t be.)
You have all the proper testing tools. (When you start your sting, you’ll be lucky to have half of what you actually end up needing.)
The testing tools you use minimize your chances of crashing the systems you test. (Nope, especially if you don’t know how to use them properly.)
You understand the likelihood that you’re going to overlook something. (You will.)
You know the risks of your tests. (The risks can be especially high when you don’t plan properly.)

Document all assumptions. You won’t regret doing that.

Selecting Security Assessment Tools

Which security assessment tools you need depend on the tests you’re going to run. You can perform some security tests with a pair of sneakers, a telephone, and a basic workstation on the network, but comprehensive testing is easier when you have good, dedicated tools.

The tools I discuss in this book aren’t malware. The tools and even their websites may be flagged as such by certain antimalware and web filtering software, but they’re not malware. I cover only legitimate tools, many of which I’ve used for years. If you experience trouble downloading, installing, or running the tools I cover in this book, consider configuring your system to allow them through or otherwise trust their execution. Keep in mind that I can’t make any promises. Use checksums where possible by comparing the original MD5 or SHA checksum with the one you get using a tool such as CheckSum Tool (http://sourceforge.net/projects/checksumtool). A criminal could always inject malicious code into the actual tools, so there’s no guarantee of security. You knew that anyway, right?

If you’re not sure what tools to use, fear not. Throughout this book, I introduce a wide variety of tools —free and commercial — that you can use to accomplish your tasks. Chapter 1 provides a list of commercial, freeware, and open-source tools. The appendix contains a comprehensive list of tools.

It’s important to know what each tool can and can’t do, as well as how to use each one. I suggest reading the manual and other help files. Unfortunately, some tools have limited documentation, which can be frustrating. You can search forums and post a message if you’re having trouble with a tool.

Security vulnerability scanning and exploit tools can be hazardous to your network’s health. Be careful when you use them. Always make sure that you understand what every option does before you use it. Try your tools on test systems if you’re not sure how to use them. Even if you’re familiar with the tools, this precaution can prevent DoS conditions and loss of data on your production systems.

If you’re like me, you may despise some freeware and open-source security tools. Plenty of them have wasted hours or even days of my life that I’ll never get back. If these tools end up causing you more headaches than they’re worth or don’t do what you need them to do, consider purchasing commercial alternatives, which are often easier to use and typically generate better high-level executive reports. Some commercial tools are expensive, but their ease of use and functionality may justify the initial and ongoing costs. In most situations with security tools, you get what you pay for.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.