Technical (Bottom-Up) Methodology 107
Do backdoors or inappropriate chains of trust exist? There are a number
of ways this can happen. Is an end user running pcAnywhere as a means of
getting around the corporate virtual private network (VPN)? Another
inappropriate chain of trust can exist on UNIX systems in the
/etc/hosts.equiv file and in per-user .rhosts files, which let the listed
hosts (or every host, if a “+” wildcard is present) use rlogin and rsh
without a password.
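As an added example, not taken from the book, the following Python script audits these trust files for the entries that matter. It assumes the classic hosts.equiv/.rhosts syntax (a host field, an optional user field, “+” as a wildcard in either field, a “-” prefix for deny entries and “+@name” for NIS netgroups), and it runs over two constructed sample files rather than the live system:

```python
"""Audit hosts.equiv and .rhosts trust files for risky entries.

Added example, not from the book. Each line of these files names a remote
host, optionally followed by a user name, that may use rlogin/rsh without a
password. A bare "+" in either field is a wildcard, so "+" or "+ +" trusts
every host on the network. The two file contents below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

RISK_ORDER = {"info": 0, "high": 1, "critical": 2}


@dataclass
class TrustEntry:
    host: str
    user: Optional[str]
    risk: str          # "critical", "high" or "info"
    reason: str


def parse_trust_line(line: str) -> Optional[TrustEntry]:
    """Parse one hosts.equiv/.rhosts line; blanks and comments return None."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    host = fields[0]
    user = fields[1] if len(fields) > 1 else None
    if host == "+" and user in (None, "+"):
        return TrustEntry(host, user, "critical", "any user from any host")
    if host == "+":
        return TrustEntry(host, user, "high", f"user {user} from any host")
    if user == "+":
        return TrustEntry(host, user, "high", f"any user from {host}")
    if host.startswith("-"):
        return TrustEntry(host, user, "info", "explicit deny entry")
    if host.startswith("+@") or (user or "").startswith("+@"):
        # Netgroups delegate the trust decision to NIS; the group membership
        # has to be reviewed separately, this script only flags literal wildcards.
        return TrustEntry(host, user, "info", "NIS netgroup; review its membership")
    return TrustEntry(host, user, "info", "named host" + (f", user {user}" if user else ""))


def audit_trust_file(text: str) -> List[TrustEntry]:
    """Return every effective entry of a trust file, in file order."""
    return [e for e in (parse_trust_line(l) for l in text.splitlines()) if e]


def worst_risk(entries: List[TrustEntry]) -> str:
    """Highest risk level found in the file ("info" for an empty or benign file)."""
    return max((e.risk for e in entries), key=RISK_ORDER.__getitem__, default="info")


# Constructed sample contents (not real system files).
SAMPLE_HOSTS_EQUIV = """\
# constructed sample /etc/hosts.equiv
buildbox.corp.example
+ +
-badhost.example
"""

SAMPLE_RHOSTS = """\
# constructed sample ~oracle/.rhosts
dbstandby.corp.example oracle
+ oracle
"""

if __name__ == "__main__":
    for name, text in (("/etc/hosts.equiv", SAMPLE_HOSTS_EQUIV),
                       ("~oracle/.rhosts", SAMPLE_RHOSTS)):
        entries = audit_trust_file(text)
        print(f"{name}: worst risk = {worst_risk(entries)}")
        for e in entries:
            print(f"  {e.risk:8} host={e.host!s:24} user={e.user!s:8} {e.reason}")
```

On a live system, point `audit_trust_file` at /etc/hosts.equiv and at the .rhosts file in every home directory (root's included); a “critical” result in either is the backdoor the question above is asking about.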
Is there evidence of intrusion? Keep your eyes open when performing the
tests. If you see results that really make you believe that an intrusion has
occurred, stop your testing and alert the responsible party immediately.
Any further security testing that you do at this point could overwrite the
forensic evidence of how the system was compromised.
Are detection measures effective? There are two primary ways to perform
an NVA. The first method is to use “stealth mode,” where your testing is
known only to the management teams involved for approval. This allows
you to catch the network administrators “napping” and also gives you a
great opportunity to test the intrusion detection systems of the target
network. The other method is the “plain sight” method. In this method,
everyone involved in the network and security staff knows that you are
coming and can provide you with documentation and access to the systems
that you may not get when using the stealth method.
Step 3: Building the Toolkit
This is the step that always gets the most interest: the tools. We tie Steps
3 and 4 of the six-step process closely together because they are so closely
related. Keep in mind that what matters is the overall methodology for
performing the network vulnerability assessment, not the exact tool or tools
you run. Tools change: manufacturers go out of business, tools stop being
supported, tools are bought by other manufacturers, and better tools emerge
all the time. The tools discussed here are not an exhaustive list of
everything available, but a representative sample in each area. They range
from freeware to shareware to purchase-only products, and because the tools
and the information about them change so rapidly, the best we can say is that
the information is current as of this writing.
Exhibit 9 shows the relative cost of the tools we look at in the subsequent
subsections.
The vulnerability assessment model illustrated in Exhibit 10 shows the
process you will go through when conducting a vulnerability assessment. The
horizontal axis denotes the number of hosts each test level is run against,
compared with the level that follows; the vertical axis denotes how long each
successive test level takes to run. The model shows that you run the tests
that take the least time against the largest number of hosts, and the tests
that take the most time against the fewest hosts. As we complete each level
of the model, we use the output of the previous layer as seed information
for the next layer
in the model. Remember, as previously discussed, that we have put up a
“Chinese wall” and we will begin these tests as any hacker would. In the
example we use in this book, we only begin with the name of the company
that we are looking to compromise.
The types of tools we discuss include:

- Zero-information-based tools
- Network enumeration tools
- OS fingerprint tools
- Port scan tools
- Scanning tools
- Types of specialty tools
- NetBIOS tools
- Web security tools
- Firewall auditing tools
- Trojan detecting tools
- War dialing tools
- Miscellaneous tools
- Application tools
- Wireless network testing tools
- Network sniffers
- War dialers

Exhibit 9. Pricing Chart

  Symbol   Price
  Free     Free for anyone
  $        Up to $500
  $$       $500 up to $5,000
  $$$      $5,000 up to $15,000
  $$$$     Greater than $15,000

Exhibit 10. The Vulnerability Assessment Model (figure; axes: Number of Hosts, Length of Time)
Zero-Information-Based Tools
The zero-information-based tools (see Exhibit 11) are tools that help us
understand the basic information about the target network we will assess. In
this layer we are looking for information that has been posted to a number
of publicly available Internet sources. Common sources that we will search are:

- Internet
- SEC
- ARIN
- DNS servers
- IRC channels
- News servers
The end result of the zero-information-based tools will be a network
diagram and printed copies of any alarming information uncovered on the
Internet that pertains to the target network.

Exhibit 11. The Vulnerability Assessment Model: Zero Information Layers
Zero-Information-Based (ZIB) Tools (figure; axes: Number of Hosts, Length of Time)
Information In: Company name
Information Out: Domain name, IP address block, e-mail server, critical hosts, and general background information

While performing the zero-information-based portion of the vulnerability
assessment, we will begin to look for common vulnerabilities as well as the
necessary background information. At a minimum, the common vulnerabilities
we will look for include:
- Web sites that contain embarrassing or compromising information about the target network
- Whether any information about the target network can be found in posted financial records
- A single point of failure in the DNS server records (for example, only one authoritative name server, or all of them on the same network segment)
- Too much accurate contact information in the Whois record, which aids social engineering
- Whether the DNS server allows zone transfers
- Whether the mail server allows open relaying (spam relay)
- Whether a Web site is listed in the DNS information
- What type of Web server the target network is running
- Simple checks to see whether the Web server is a virtual host
- Whether the domain is listed in abuse or blacklist databases
- A traceroute to the target network to identify routers and firewalls
- A check of the American Registry for Internet Numbers (ARIN) to see whether the IP block is registered to the specific company
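The spam-relay item in the checklist above can be tested without sending any mail. The following Python check is an added example and not part of the book: it walks the SMTP envelope with an outside sender and an outside recipient, treats a 250 reply to RCPT TO as an open relay, and then resets and quits before DATA so nothing is delivered. The transport is a pair of callables so the exchange can be replayed offline against the constructed server replies embedded below; `relay_check_tcp` wraps a real socket for use against a host you are authorised to test. The host names and addresses are placeholders.

```python
"""Open-relay test for a mail server found via the MX record.

Added example, not from the book. The check walks the SMTP envelope with an
outside sender and an outside recipient; a 250 reply to RCPT TO means the
server will relay for anyone. The session is reset and closed before DATA,
so no mail is sent. Hostnames and addresses below are placeholders, and the
two reply scripts are constructed transcripts of an open and a closed relay.
"""
import socket
from typing import Callable, Dict, List, Tuple


def read_reply(recv_line: Callable[[], str]) -> Tuple[int, List[str]]:
    """Read one SMTP reply, including multi-line '250-...' continuations."""
    lines: List[str] = []
    while True:
        line = recv_line()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":   # '250 ' ends the reply, '250-' continues it
            break
    return int(lines[-1][:3]), lines


def relay_check(send: Callable[[str], None], recv_line: Callable[[], str],
                probe_from: str = "probe@outside.example",
                probe_to: str = "relaytest@elsewhere.example",
                helo: str = "scanner.example") -> Dict:
    """Return a result dict; open_relay is True only if RCPT TO an outside domain got 250."""
    result: Dict = {"open_relay": False, "rcpt_code": None, "transcript": []}

    def cmd(text: str) -> int:
        result["transcript"].append("C: " + text)
        send(text + "\r\n")
        code, lines = read_reply(recv_line)
        result["transcript"].extend("S: " + l for l in lines)
        return code

    code, banner = read_reply(recv_line)
    result["transcript"].extend("S: " + l for l in banner)
    result["banner"] = banner[0]
    if code != 220:
        return result
    if cmd(f"EHLO {helo}") != 250 and cmd(f"HELO {helo}") != 250:
        return result
    if cmd(f"MAIL FROM:<{probe_from}>") != 250:
        return result
    result["rcpt_code"] = cmd(f"RCPT TO:<{probe_to}>")
    result["open_relay"] = result["rcpt_code"] == 250
    cmd("RSET")   # drop the envelope: nothing has been sent and nothing will be
    cmd("QUIT")
    return result


def relay_check_tcp(host: str, port: int = 25, timeout: float = 10.0) -> Dict:
    """Run the check against a live server (only with authorisation to test it)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace", newline="")
        return relay_check(lambda text: sock.sendall(text.encode("ascii")), reader.readline)


class ScriptedServer:
    """Replays canned replies so the exchange can be exercised without a network."""

    def __init__(self, replies: List[str]):
        self._replies = iter(replies)
        self.received: List[str] = []

    def send(self, text: str) -> None:
        self.received.append(text.strip())

    def recv_line(self) -> str:
        return next(self._replies, "")


# Constructed transcripts: the first server accepts the foreign RCPT, the second refuses it.
OPEN_RELAY_REPLIES = [
    "220 mail.target.example ESMTP\r\n",
    "250-mail.target.example\r\n", "250 SIZE 10240000\r\n",   # multi-line EHLO reply
    "250 OK\r\n",                                             # MAIL FROM
    "250 Accepted\r\n",                                       # RCPT TO: relays for anyone
    "250 Reset\r\n", "221 Bye\r\n",
]
CLOSED_RELAY_REPLIES = [
    "220 mail.target.example ESMTP\r\n",
    "250 mail.target.example\r\n",
    "250 OK\r\n",
    "554 5.7.1 Relay access denied\r\n",                      # RCPT TO refused
    "250 Reset\r\n", "221 Bye\r\n",
]


def run_scripted(replies: List[str]) -> Dict:
    srv = ScriptedServer(replies)
    return relay_check(srv.send, srv.recv_line)


if __name__ == "__main__":
    for name, replies in (("open", OPEN_RELAY_REPLIES), ("closed", CLOSED_RELAY_REPLIES)):
        r = run_scripted(replies)
        print(f"{name} relay: open_relay={r['open_relay']} rcpt_code={r['rcpt_code']}")
        print("\n".join("  " + line for line in r["transcript"]))
```

Two caveats when reading the result: pick a `probe_to` domain the target certainly does not host, since a 250 for a local recipient is normal delivery and not relaying; and some MTAs accept every RCPT TO and only reject relaying at DATA, so a 250 here is strong evidence rather than proof, and a relay denial at RCPT is conclusive.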
This information will then be used in the next layer of the vulnerability
assessment model — network enumeration.
The first tool we will use is a standard Web browser. We begin by checking
the http://www.sec.gov Web site (see Exhibit 12) for information about our
company. The two major documents of interest are the 10-K (annual) and 10-Q
(quarterly) reports, which disclose the major financial transactions of the
company we are assessing. We are mostly looking for mergers and acquisitions,
because when two companies merge the primary focus tends to be on sharing
information, and the security controls between the two networks are a
secondary concern. The same is true of an announced “strategic business
partnership.” Either situation can leave an easy backdoor into the target
network for an Internet attacker. These filings exist only for publicly held
companies, not privately held ones, so if you are assessing a privately held
company you can skip this step.
The second Web site we will search contains profanity in its title. We will
search http://www.fu**edcompany.com (Exhibit 13) for any references to the
target network. This Web site carries a number of different types of postings.
In general, they concern poor financial decisions by a company or lay-offs,
but frustrated employees often “dish the dirt” after they have been let go,
and any dirt that may be useful to a potential attacker is something we need
to check. The drawback of the site is that you must pay for premium services
to get access to all the information about the company you are assessing. The
positive side is that the site will let you know that information is posted,
but will not let you into
Exhibit 12. The SEC.gov Web Site
Exhibit 13. The Fu**Edcompany.Com Web Site