White Paper: Assessing Your System Risks Before Attackers Do
By Stephen Northcutt, Jerry Shenk, Dave Shackleford,
Tim Rosenberg, Raul Siles and Steve Mancini
With multi-tier network architectures, Web services, custom applications, and heterogeneous server platform environments, keeping data and information assets secure is more difficult than ever. Coupled with this added complexity is the fact that criminal organizations have organized their hacking efforts; it is no longer just “script kiddies” trying to break into your network. In the past several years, it has become apparent that there is real money to be made from criminal hacking, and identity theft is one of the world’s fastest growing problems.
Although there are many ways to secure systems and applications, the only way to truly know how secure you are is to test yourself. By performing penetration tests against your environment, you can actually replicate the types of actions that a malicious attacker would take, giving you a more accurate representation of your security posture at any given time.
Although most penetration testing methods have traditionally been somewhat ad-hoc, that has changed in the last several years. Robust, repeatable testing methodologies now exist, and high-quality commercial tools can be implemented to ensure that both testing parameters and results are high-quality and trustworthy.
Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access. If the focus is on computer resources, then examples of a successful penetration would be obtaining or subverting confidential documents, price lists, databases and other protected information.
The main thing that separates a penetration tester from an attacker is permission. The penetration tester will have permission from the owner of the computing resources that are being tested and will be responsible to provide a report. The goal of a penetration test is to increase the security of the computing resources being tested.
In many cases, a penetration tester will be given user-level access, and in those cases the goal would be to elevate the status of the account or use other means to gain access to additional information that a user of that level should not have access to.
Some penetration testers are contracted to find one hole, but in many cases, they are expected to keep looking past the first hole so that additional vulnerabilities can be identified and fixed. It is important for the pen-tester to keep detailed notes about how the tests were done so that the results can be verified and so that any issues that were uncovered can be resolved.
It’s important to understand that it is very unlikely that a pen-tester will find all the security issues. As an example, if a penetration test was done yesterday, the organization may pass the test. However, today is Microsoft’s “patch Tuesday” and now there’s a brand new vulnerability in some Exchange mail servers that were previously considered secure, and next month it will be something else. Maintaining a secure network requires constant vigilance.
Pen-Testing vs. Vulnerability Assessment
The main focus of this paper is penetration testing but there is often some confusion between penetration testing and vulnerability assessment. The two terms are related but penetration testing has more of an emphasis on gaining as much access as possible while vulnerability testing places the emphasis on identifying areas that are vulnerable to a computer attack. An automated vulnerability scanner will often identify possible vulnerabilities based on service banners or other network responses that are not in fact what they seem. A vulnerability assessor will stop just before compromising a system, whereas a penetration tester will go as far as they can within the scope of the contract.
It is important to keep in mind that you are dealing with a “Test.” A penetration test is like any other test in the sense that it is a sampling of all possible systems and configurations. Unless the contractor is hired to test only a single system, they will be unable to identify and penetrate all possible systems and all possible vulnerabilities. As such, any Penetration Test is a sampling of the environment. Furthermore, most testers will go after the easiest targets first.
How Vulnerabilities Are Identified
Vulnerabilities need to be identified by both the penetration tester and the vulnerability scanner. The steps are similar for the security tester and an unauthorized attacker. The attacker may choose to proceed more slowly to avoid detection, but some penetration testers will also start slowly so that the target company can learn where their detection threshold is and make improvements.
The first step in either a penetration test or a vulnerability scan is reconnaissance. This is where the tester attempts to learn as much as possible about the target network. This normally starts with identifying publicly accessible services such as mail and web servers from their service banners. Many servers will report the operating system they are running on, the version of software they are running, patches and modules that have been enabled, the current time, and perhaps even some internal information like an internal server name or IP address.
Once the tester has an idea what software might be running on the target computers, that information needs to be verified. The tester really doesn’t KNOW what is running but he may have a pretty good idea.
The information that the tester has can be combined and then compared with known vulnerabilities, and then those vulnerabilities can be tested to see if the results support or contradict the prior information.
In a stealthy penetration test, these first steps may be repeated for some time before the tester decides to launch a specific attack. In the case of a strict vulnerability assessment, the attack may never be launched so the owners of the target computer would never really know if this was an exploitable vulnerability or not.
There are a variety of reasons for performing a penetration test. One of the main reasons is to find vulnerabilities and fix them before an attacker does. Sometimes, the IT department is aware of reported vulnerabilities but they need an outside expert to officially report them so that management will approve the resources necessary to fix them. Having a second set of eyes check out a critical computer system is a good security practice. Testing a new system before it goes on-line is also a good idea.
Another reason for a penetration test is to give the IT department at the target company a chance to respond to an attack. The Payment Card Industry (PCI) Data Security Standard, and other recent security recommendations and regulations, require external security testing.
Find Holes Now Before Somebody Else Does
At any given time, attackers are employing any number of automated tools and network attacks looking for ways to penetrate systems. Only a handful of those people will have access to 0-day exploits; most will be using well-known (and hence preventable) attacks and exploits. Penetration testing provides IT management with a view of their network from a malicious point of view. The goal is that the penetration tester will find ways into the network so that they can be fixed before someone with less than honorable intentions discovers the same holes.
In a sense, think of a Penetration Test as an annual medical physical. Even if you believe you are healthy, your physician will run a series of tests (some old and some new) to detect dangers that have not yet developed symptoms.
Report Problems to Management
If a CSO (or security team) has already pointed out to upper management the lack of security in the environment, penetration testing results help to justify the resources to address those needs.
Often an internal network team will be aware of weaknesses in the security of their systems but will have trouble getting management to support the changes that would be necessary to secure the system. By having an outside group with a reputation for security expertise analyze a system, management will often respect that opinion more.
Furthermore, an outside tester has no vested interest in their results. Inside a corporation of any size, there will be political struggles and resource constraints. Administrators and techies are always asking for budget increases for new technology.
By using an independent third party to verify the need, management will have an additional justification for approving or denying the expenditure of money on security technologies. Similarly, system administrators who know the intricacies of their environment are often aware of how to compromise their network. As such, it is not uncommon for management to assume that without such knowledge, an attacker would be unable to gain unauthorized entry. By using a third party who operates with no inside knowledge, the penetration testing team may be able to identify the same vulnerability and help convince management that it needs to be resolved.
A penetration testing team may also be able to prove that an exploit exists while the internal network staff “knew” it was there but wasn’t quite able to pull all the pieces together to demonstrate the exploit effectively.
Remember that ultimate responsibility for the security of IT assets rests with management. This responsibility rests with management because it is they, not the administrators, who decide what the acceptable level of risk is for the organization.
Verify Secure Configurations
If the CSO (or security team) are confident in their actions and final results, the penetration test report verifies that they are doing a good job. Having an outside entity verify the security of the system provides a view that is devoid of internal preferences. An outside entity can also measure the team’s efficiency as security operators. The penetration test doesn’t make the network more secure, but it does identify gaps between knowledge and implementation.
Security Training For Network Staff
Penetration testing gives security people a chance to recognize and respond to a network attack. For example, if the penetration tester successfully compromises a system without anyone knowing, this could be indicative of a failure to adequately train staff on proper security monitoring. Testing the monitoring and incident handling teams can show if they are able to figure out what is going on and how effective their response is. When the security staff doesn’t identify hostile activity, the post-testing reporting can be used to help them hone their incident response skills.
Discover Gaps In Compliance
Using penetration testing as a means to identify gaps in compliance is a bit closer to auditing than true security engineering, but experienced penetration testers often breach a perimeter because someone did not get all the machines patched, or possibly because a non-compliant machine was put up “temporarily” and ended up becoming a critical resource. In today’s heavily regulated environment, many organizations are looking for better ways to continually assess their compliance posture. Most regulations have multiple components specifically related to system auditing and security.
Testing New Technology
The ideal time to test new technology is before it goes into production. Performing a penetration test on new technologies, applications and environments before they go into production can often save time and money because it is easier to test and modify new technology while nobody is relying on it. Some examples might include a new externally facing web server with SOAP enabled, a new wireless infrastructure, or the introduction of mobile messaging gateways.
There are a wide variety of tools that are used in penetration testing. These tools are of two main types: reconnaissance or vulnerability testing tools, and exploitation tools. While penetration testing is more directly tied to the exploitation tools, the initial scanning and reconnaissance is often done using less intrusive tools. Then, once the targets have been identified, the exploitation attempts can begin.
The line between these tools is very muddy. For example, CORE IMPACT is a penetration testing tool but it also has a strong reconnaissance piece. Metasploit 2.5 is clearly a penetration testing tool with almost no reconnaissance functionality, but version 3.0 will be adding some reconnaissance features.
Nmap is clearly a reconnaissance tool and Nessus is mainly a reconnaissance tool but it has some penetration testing functionality. Many of the single-purpose tools fall more cleanly into either the reconnaissance or exploitation category.
Reconnaissance often begins with searches of internet databases including DNS registries, WHOIS databases, Google, on-line news sources, business postings, and many other on-line resources. The reconnaissance phase often includes print media as well, specifically electronically searchable archives that would be found at a college library or large public library.
Nmap is a popular port scanning tool. Port scanning is typically a part of the reconnaissance phase of a penetration test or an attack. Sometimes attackers will limit their testing to a few ports, while other times they will scan all available ports. To do a thorough job, a vulnerability scanner should scan all ports and, in most cases, a penetration tester will scan all ports. An actual attacker may choose not to scan all ports if he finds a vulnerability that can be exploited, because of the “noise” (excess traffic) a port scanner creates.
Another capability of nmap is its ability to determine the operating system of the target computer.
Different networking implementations will respond differently to different network packets. Nmap maintains a type of database and will match the responses to make a guess at what type of operating system the target computer is running. This OS detection isn’t perfectly accurate but it can help the attacker tailor his attack strategy, especially when coupled with other pieces of information.
Nessus is a popular vulnerability scanner that many security professionals use regularly. Nessus has a huge library of vulnerabilities and tests to identify them. In many cases, Nessus relies on the responses from the target computer without actually trying to exploit the system. Depending on the scope of a vulnerability assessment, the security tester may choose an exploitation tool to verify that reported vulnerabilities are exploitable.
Nessus includes port scanning and OS detection, so sometimes a vulnerability assessment will just use Nessus and let Nessus call nmap or other scanners for these components of the test. For a stealthy scan, a security professional or an attacker may choose to run these tools separately to avoid detection.
Packet Manipulation and Password Cracking Tools
There are many other reconnaissance tools within the penetration tester's arsenal, but two categories bear special mention here: packet manipulation tools and password cracking tools. The former category includes tools like hping, which allow a penetration tester or attacker to create and send all types of specially crafted TCP/IP packets in order to test and exploit network-based security protections, such as firewalls and IDS/IPS. The password cracking category includes tools like John the Ripper or Cain and Abel, which are used to detect and obtain weak passwords for multiple authentication mechanisms, such as the ones supported by most Unix and Windows operating systems.
Exploitation tools are used to verify that an actual vulnerability exists by exploiting it. It’s one thing to have vulnerability testing software or banners indicate the possibility of an exploitable service, but quite another to exploit that vulnerability. Some of the tools in this category are used by both attackers and penetration testers. There are many more exploitation tools than the ones listed here. Many tools in this category are single-purpose tools that are designed to exploit one vulnerability on a particular hardware platform running a particular version of an exploitable system. The tools that we’ve highlighted here are unique in the fact that they have the ability to exploit multiple vulnerabilities on a variety of hardware and software platforms.
Metasploit Version 2.5
Metasploit is a relatively new addition to the penetration tester’s tool belt. It provides attack libraries and attack payloads that can be put together in a modular manner. The main purpose of Metasploit is to get to a command prompt on the target computer. Once a security tester has gotten to a command line, it is quite possible that the target computer will be under his total control in a short time.
This is a tool that attackers would use to take over, or own, a computer. Once an attacker can gain this level of access to a computer, they would often install code that would allow them to get back onto the computer more easily in the future. In some cases, a penetration tester would also install tools on the computer, but often they would simply document the access and what data was available and move on to other testing.
This would depend on the defined scope of the testing. The security professional also would want to be careful about causing data loss or server instability that may result in lost productivity. A malicious attacker may be more cavalier about using the computer without regard to lost productivity, though a highly skilled attacker targeting a specific company may be very careful not to damage the system so that they can avoid detection.
SecurityForest Exploitation Framework
Although still technically in Beta version, the SecurityForest Exploitation Framework is another open-source tool that can be leveraged by penetration testers. This framework leverages a collection of exploit code known as the ExploitTree, and the Exploitation Framework is a front-end GUI that allows testers to launch exploit code through a Web browser (similar to Metasploit’s Web interface). The Framework is very similar to Metasploit, in fact, with a few key differences. ExploitTree has a remarkable number of exploits included, but the vast majority of these are in pre-compiled format (most likely in a C file) or exist as Perl executables.
For most systems, CORE IMPACT will work well, but as Core Security Technologies states in their documentation, it isn’t meant to be a replacement for an experienced penetration tester. One of the areas we ran into some trouble on was when a single IP address had different ports mapped to different servers with different operating systems. Sometimes CORE IMPACT would identify a host as having a given operating system and then refuse to launch a vulnerability against a service that did not match that operating system. In one tested network, a single public IP address was in use by three different computers: an Exchange server, an IIS web server, and a Linux computer running SSH. The OS had been identified as being in the Linux family, so an attack against an IIS vulnerability wasn’t an option. We were able to work around this by re-scanning the machine using only the ports that mapped to the Windows system.
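The shared-IP case above, combined with the banner reconnaissance described earlier, can be checked from the assessor's or defender's side with a short script. This is an added example, not code from the paper or from any tool it names: it reads recorded banners, reports what each one discloses (software version, OS family, internal address), and flags any IP whose ports point to more than one OS family. The sample banners, addresses and the small `OS_HINTS` table are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data: banners recorded per (IP, port). 203.0.113.10 has
# its ports forwarded to three different machines, as in the network above.
OBSERVATIONS = [
    ("203.0.113.10", 25, "220 mail01.corp.example Microsoft ESMTP MAIL Service ready"),
    ("203.0.113.10", 80, "Server: Microsoft-IIS/6.0"),
    ("203.0.113.10", 22, "SSH-2.0-OpenSSH_4.3p2 Debian-9"),
    ("203.0.113.20", 80, "Server: Apache/2.0.52 (CentOS); Location: http://10.1.4.7/"),
]

# Illustrative token -> OS family hints (an assumption of this example; a real
# fingerprint database is far larger and also matches packet behaviour).
OS_HINTS = {
    "windows": ("microsoft", "iis", "win32"),
    "linux": ("debian", "ubuntu", "centos", "linux"),
}
VERSION_RE = re.compile(r"\b([A-Za-z][\w-]*)[/_ ]v?(\d+(?:\.\d+)+\w*)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def os_family(banner):
    """Guess an OS family from banner tokens; None when nothing matches."""
    low = banner.lower()
    for family, tokens in OS_HINTS.items():
        if any(tok in low for tok in tokens):
            return family
    return None


def audit_banner(banner):
    """Return what one banner discloses: versions, OS family, internal IPs."""
    internal = []
    for cand in IPV4_RE.findall(banner):
        try:
            if ipaddress.ip_address(cand).is_private:
                internal.append(cand)
        except ValueError:
            pass  # looked like an address but is not one (e.g. octet > 255)
    return {"versions": VERSION_RE.findall(banner),
            "os": os_family(banner), "internal_ips": internal}


def mixed_os_hosts(observations):
    """Map each IP whose ports suggest several OS families to {family: ports}."""
    per_ip = defaultdict(lambda: defaultdict(list))
    for ip, port, banner in observations:
        family = os_family(banner)
        if family:
            per_ip[ip][family].append(port)
    return {ip: {fam: sorted(ports) for fam, ports in fams.items()}
            for ip, fams in per_ip.items() if len(fams) > 1}


if __name__ == "__main__":
    for ip, port, banner in OBSERVATIONS:
        print(ip, port, audit_banner(banner))
    print("mixed-OS addresses:", mixed_os_hosts(OBSERVATIONS))
```

An address that appears in the `mixed_os_hosts` result should be treated as several hosts, one per port group, which is the grouping the re-scan workaround above relies on.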
The reporting feature of CORE IMPACT is quite good. It includes an executive report, a report that lists vulnerabilities and all the machines affected by those vulnerabilities, a detailed report of all hosts and an exhaustive report of every test that was run, when it ran, how long it ran and detailed results of the running.
Penetration testing is like the annual physical at your doctor’s office. CORE IMPACT and Metasploit Framework are diagnostic tools, much like a blood test or an X-ray. A blood test will check for many things, but it still takes a doctor to review the data, make inferences, perform additional tests and then reach a diagnostic conclusion. Penetration testing is no different. CORE IMPACT will test for many things, but it will always take a human to review the results and make inferences based on knowledge and experience that you will never be able to put in a tool.