The best known method for assuring that your network is secure against intrusion is to attack it. By entrusting a highly skilled engineering team with the task of attacking your network, you can be made aware of security vulnerabilities in your network that would not be known to you by any other method.
Our engineering team places themselves in the mindset of your top competitors, or of a malicious hacker determined to penetrate into the depths of your information infrastructure. The engineering team then analyzes your information resources with the intent of discovering every vulnerability in your corporate security. Your Internet connections are examined, as well as your telephone connections and any connections to any other networks. The management of most corporations find themselves amazed when they discover how many external connections into their network are available to the determined attacker.
A written report, often accompanied by a presentation, is issued. After your information systems staff has been given an opportunity to correct the vulnerabilities outlined in the report, a second attack is often done to confirm the new, more effective, security posture.
The Assessment Process
Several phases are required to provide a complete attack against any network in order to provide a complete and comprehensive picture of the overall security posture of a network. The first phase in an external assessment of enterprise security is the Remote Data Collection Phase. In this phase, the engineering team will determine where your enterprise network may be vulnerable to attack. The engineering team will search for Internet domains and addresses belonging to your company. They will also search for ranges of telephone numbers that your company leases from the telephone company. On-line research may be accompanied by research of your company at the library and telephone calls to selected employees.
Once this information is collected, the engineering team will conduct a Data Sorting Phase where they determine where to attack your network. Corporate information assets that are vulnerable and potentially valuable are given the highest priority by the engineering team.
Once the Data Sorting Phase is completed, work will continue with the Remote Attack Phase. The Remote Attack Phase is concerned with actually penetrating your corporate Intranet. Extreme care is taken to ensure that no interruption of service is caused. Servers and workstations belonging to your corporation are accessed and a working map of accessible portions of your corporate Intranet is made. Every attempt is made to gain access to as much of your corporate Intranet as possible.
The penetration exercise continues with the Local Attack Phase. The purpose of the Local Attack Phase is to expand the level of access gained within each host on your network. For example, if the Engineering Team is able to access a machine HR-SERVER as user Bob, attempts are made to upgrade access to SUPERVISOR.
The last of the penetration phases is the Local Data Collection Phase. In the Local Data Collection Phase, the hosts and accounts accessed are searched for information. Data collected in this phase is then used in a new Remote Attack Phase. These three phases are repeated until no new data is collected in a Local Data Collection Phase.
This effort is followed up with the Reporting Phase. In the Reporting Phase, you are presented with a written report detailing the vulnerable spots in your corporate information infrastructure. Your Information Systems staff can take this data and shore up your network defenses against attack. Common measures that have to be implemented are changing
user passwords to secure passwords, removing analog telephone lines to user workstations, applying recent patches to server operating systems, and securely configuring servers that provide services to the Internet.
Phase One – The Remote Data Collection Phase
The Remote Data Collection Phase can be started from a number of different points.
- Analysis of only specific systems
- Analysis of all systems, some of which are known beforehand
- Analysis of all systems, with no data known beforehand
An analysis of only specific systems occurs when you have a list of systems under your management and authorize a penetration analysis of only those systems. This type of penetration analysis is appropriate when you manage only a subset of hosts within an enterprise. This type of penetration is also appropriate when you do not wish certain mission
critical systems to be analyzed. In this type of penetration, the Chief Information Officer will provide a conclusive list of hosts to be attacked and the specific authorized methods of connecting to those systems.
An analysis of all systems, some of which are known beforehand, is the most common type of analysis. Most Chief Information Officers can provide information as to the IP address ranges used by their organizations, telephone number ranges assigned to their organizations, and X.25 or other network addresses used by their organizations. However, a penetration analysis often discovers access methods to the corporate network that were previously unknown to the CIO.
An analysis of all systems, with no data known beforehand, is the most difficult type of analysis. This type of analysis simulates an attack by someone with no prior knowledge of your corporate information infrastructure. In this type of penetration, the Chief Information Officer gives no information at all to the Engineering Team. This type of analysis greatly extends the time and effort required in the Remote Data Collection Phase, but also yields the most realistic results.
Phase Two – The Data Sorting Phase
The Data Sorting Phase does not involve any contact with your corporate Intranet. The Data Sorting Phase is a strategy phase where the Engineering Team determines where to attack your network. The Engineering Team reviews all information discovered in the Remote Data Collection Phase, which usually consists of thousands of pages of data. The engineering team bases its decisions upon two criteria:
- How vulnerable is the information?
- How valuable is the information?
The engineering team determines how vulnerable a system might be based upon the data collected in the Remote Data Collection Phase. If it is possible that the system contains valuable data, or that the system might be used as a gateway to other systems in your corporate Intranet, the system is attacked in the Remote Attack Phase.
Phase Three – The Remote Attack Phase
The Remote Attack Phase is where the skills and experience of the engineering team really come into play. Unlike the Remote Data Collection Phase, which often utilizes automated tools, the Remote Attack Phase is a largely manual process. For example, if the Remote Data Collection Phase discovered that one of your hosts was exporting a file system using NFS, the engineering team would attempt to break into that system using approximately 30 known vulnerabilities in various NFS implementations.
At Network System Architects we maintain a database of thousands of known security vulnerabilities. This vulnerability database is compiled from a variety of sources, including:
- Hardware and software vendors
- Security organizations (CERT, etc.)
- Security Mailing Lists (Bugtraq, etc.)
- Spying on the “hacker underground”
- Research by Network System Architects engineers
This extensive database allows us to be extremely confident when we report on the security of your network. Organizations with a less than fully developed vulnerability database cannot provide any real assurance
regarding the security of your corporate information infrastructure.
Phase Four – The Local Attack Phase
In the Remote Attack Phase, access was gained to several hosts on your corporate Intranet. The purpose of the Local Attack Phase is to upgrade that access. If the engineering team was able to login to a user account on a Unix system, they will attempt to gain root level access on that system. If user level access was gained on a Novell server, the engineering team will attempt to gain SUPERVISOR access. If a Windows login was compromised, the engineering team will attempt to gain Administrator access.
Phase Five – The Local Data Collection Phase
In the Local Data Collection Phase, the engineering team examines the hosts that were penetrated in the Remote Data Collection Phase. These hosts are searched for two types of data:
- Data of value to your organization
- Data of value to gain further access
Data of value to your organization is collected to demonstrate to you the losses that may have occurred to your corporation in the past. Your confidential corporate data may not have been as confidential as you thought. This type of data is often useful in gaining the cooperation of department heads, which often believe that security problems simply do not occur in their departments. This part of the Local Data Collection Phase is optional, and certain clients request that their data be examined as little as possible.
Data of value to gain further access is collected in an attempt to gain access to other systems on your corporate Intranet. This data includes, but is not limited to:
- The /etc/hosts file (Unix)
- The /etc/hosts.equiv file (Unix)
- Every .rhost file on the system (Unix)
- The /etc/exports file (Unix)
- The UUCP configuration files (Unix)
- The /etc/resolv.conf file (Unix)
- The /etc/passwd file and any accessible shadow password file (Unix)
- Routing table (Unix and Windows)
- Network connections (Unix and Windows)
- Network shares (Windows)
- Network password policies (Windows)
- Network view (Windows)
- Network groups (Windows)
- Network users (Windows)
- Remote name cache (Windows)
- Session table (Windows)
- Show accounting (VMS)
- Show audit (VMS)
- SYSAUF.DAT (VMS)
- Access codes (OS/400)
- Audit journal entries (OS/400)
- Authorized users (OS/400)
- Expiration schedule (OS/400)
At this point, the engineering team takes any information gained and returns to the Remote Attack Phase. These three phases are then repeated until no further information is gained in a Local Data Collection Phase.
Phase Six – The Reporting Phase
The Reporting Phase is where everything comes together. The Reporting Phase always consists of a written report detailing the vulnerabilities discovered in your corporate Intranet. The Reporting Phase also sometimes
consists of a meeting with the Chief Information Officer or with the Chief Information Officer and several of the people responsible for correcting the vulnerabilities discussed in the report.
Many organizations choose to contract Network System Architects to repair the discovered vulnerabilities. Organization that do not have a full-time information security team, or even a full-time information security officer, may choose to contract Network System Architects to conduct quarterly reviews of their security posture.
In addition, Network System Architects can design and build security infrastructure and provide security policies custom tailored to your organization. These written policies provide guidelines to assist your staff in protecting your corporations information assets.