Security assessment and testing are critical components of any information security program. Organizations must accurately assess their real-world security, focus on the most critical components, and make necessary changes to improve.
We will discuss two major components of assessment and testing: overall security assessments, including vulnerability scanning, penetration testing, and security audits; and testing software via static and dynamic methods.
ASSESSING ACCESS CONTROL
A number of processes exist to assess the effectiveness of access control. Tests with a narrower scope include penetration tests, vulnerability assessments, and security audits. A security assessment is a broader test that may include narrower tests, such as penetration tests, as subsections.
A penetration tester is a white hat hacker who receives authorization to attempt to break into an organization’s physical or electronic perimeter (sometimes both). Penetration tests (called “pen tests” for short) are designed to determine whether black hat hackers could do the same. They are a narrow but often useful test, especially if the penetration tester is successful.
Penetration tests may include the following tests:
• Network (Internet)
• Network (internal or DMZ)
• War dialing
• Physical (attempt to gain entrance into a facility or room)
Network attacks may leverage client-side attacks, server-side attacks, or Web application attacks. War dialing, which gets its name from the 1983 movie WarGames, uses a modem to dial a series of phone numbers, looking for an answering modem carrier tone. The penetration tester then attempts to access the answering system.
Social engineering is a no-tech or low-tech method that uses the human mind to bypass security controls. Social engineering may be used in combination with many types of attacks, especially client-side attacks or physical tests. An example of a social engineering attack combined with a client-side attack is emailing malware with a subject line of “Category 5 Hurricane is about to hit Florida!”
A zero-knowledge test, also called a black-box test, is “blind”: the penetration tester begins with no internal or trusted information and starts the attack with public information only. A full-knowledge test (also called a crystal-box test) provides internal information to the penetration tester, including network diagrams, policies and procedures, and sometimes reports from previous penetration testers. Partial-knowledge tests fall between zero and full knowledge; the penetration tester receives some limited trusted information.
Penetration testing tools and methodology
Penetration testers often use penetration testing tools, which include the open-source Metasploit (http://www.metasploit.org) and the closed-source Core Impact (http://www.coresecurity.com) and Immunity Canvas (http://www.immunitysec.com). Pentesters also use custom tools, as well as malware samples and code posted to the Internet.
Penetration testers use the following methodology:
• Scanning (also called enumeration)
• Vulnerability assessment
Black hat hackers typically follow a similar methodology, although they may perform less planning and obviously omit reporting. Black hats will also cover their tracks by erasing logs and other signs of intrusion, and they frequently violate system integrity by installing back doors in order to maintain access. A penetration tester should always protect data and system integrity.
Assuring confidentiality, data integrity, and system integrity
Penetration testers must ensure the confidentiality of any sensitive data that is accessed during the test. If the target of a penetration test is a credit card database, the penetration tester may have no legal right to view or download the credit cards. Testers will often request that a dummy file containing no regulated or sensitive data be placed in the same area of the system as the credit card data and protected with the same permissions. If the tester can read and/or write to that file, then they prove they could have done the same to the credit card data.
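The dummy-file approach above only proves anything if the dummy really is protected the same way as the regulated data. The following added example (not from the original text) is a pre-test check that compares the owner, group, permission bits and parent directory of the two files and reports any difference; the file names are hypothetical. It reads only POSIX mode bits, so POSIX ACLs or Windows DACLs would need a separate check.

```python
import os
import stat
import tempfile

def protection_of(path):
    """Owner, group, permission bits and parent directory that govern access to a file."""
    st = os.stat(path)
    return {
        "dir": os.path.dirname(os.path.realpath(path)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mode": stat.S_IMODE(st.st_mode),
    }

def mismatches(real_path, dummy_path):
    """Attributes on which the dummy differs from the regulated file (empty dict = same protection)."""
    real, dummy = protection_of(real_path), protection_of(dummy_path)
    return {k: (real[k], dummy[k]) for k in real if real[k] != dummy[k]}

def demo():
    # Constructed example: both files live in a scratch directory; "cardholder.db" stands in
    # for the regulated data and "pentest-dummy.txt" for the file the tester will try to read.
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "cardholder.db")
        dummy = os.path.join(d, "pentest-dummy.txt")
        for p in (real, dummy):
            open(p, "w").close()
        os.chmod(real, 0o600)
        os.chmod(dummy, 0o644)   # too permissive: reading it would prove nothing about cardholder.db
        before = mismatches(real, dummy)
        os.chmod(dummy, 0o600)   # corrected to mirror the regulated file
        after = mismatches(real, dummy)
    return before, after

if __name__ == "__main__":
    print(demo())
```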
Penetration testers must ensure the system integrity and data integrity of their client’s systems. Any active attack, as opposed to a passive read-only attack, against a system could potentially cause damage; this can be true even for an experienced penetration tester. This risk must be clearly understood by all parties, and tests are often performed during change maintenance windows for this reason.
One potential issue that should be discussed before the penetration test commences is the risk of encountering signs of a previous or current successful malicious attack. Penetration testers sometimes discover that they are not the first attacker to compromise a system and that someone has beaten them to it. Attackers will often become more malicious if they believe they have been discovered, sometimes violating data and system integrity. The integrity of the system is at risk in this case, and the penetration tester should end the penetration test and immediately escalate the issue.
Finally, the penetration test report itself should be protected at a very high level, as it contains a roadmap to attack the organization.
Vulnerability scanning or vulnerability testing scans a network or system for a list of predefined vulnerabilities such as system misconfiguration, outdated software, or a lack of patching. A vulnerability-testing tool such as Nessus (http://www.tenable.com/products/nessus-vulnerability-scanner) or OpenVAS (http://www.openvas.org) may be used to identify the vulnerabilities.
A security audit is a test against a published standard. Organizations may be audited for Payment Card Industry Data Security Standard (PCI DSS) compliance, for example. PCI DSS includes many required controls, such as firewalls, specific access control models, and wireless encryption. An auditor then verifies that a site or organization meets the published standard.
Security assessments are a holistic approach to assessing the effectiveness of access control. Instead of looking narrowly at penetration tests or vulnerability assessments, security assessments have a broader scope.
Security assessments view many controls across multiple domains and may include the following:
• Policies, procedures, and other administrative controls
• Assessing the real-world effectiveness of administrative controls
• Change management
• Architectural review
• Penetration tests
• Vulnerability assessments
• Security audits
As the above list shows, a security assessment may include other distinct tests, such as a penetration test. The goal is to broadly cover many other specific tests to ensure that all aspects of access control are considered.
Reviewing security audit logs within an IT system is one of the easiest ways to verify that access control mechanisms are performing adequately. Reviewing audit logs is primarily a detective control.
The intelligence gained from proactive audit log management and monitoring can be very beneficial; the collected antivirus logs of thousands of systems can give a very accurate picture of the current state of malware. Antivirus alerts combined with a spike in failed authentication alerts from authentication servers or a spike in outbound firewall denials may indicate that a password-guessing worm is attempting to spread across a network.
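The correlation just described can be automated. The following added example (not from the original text) parses constructed antivirus, authentication-server and firewall log lines in a hypothetical format, keys them by originating host, and flags any host that shows an antivirus alert together with a spike in failed logons and outbound firewall denials inside one sliding window; the host names, thresholds and line format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: <ISO timestamp> <AV|AUTH|FW> host=<name> <key=value ...>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>AV|AUTH|FW) host=(?P<host>\S+) (?P<rest>.*)$")
# Constructed sample log lines (hypothetical hosts; not real telemetry).
SAMPLE_LOGS = """\
2024-05-01T10:00:01 AV host=ws-17 alert=Worm.Generic action=quarantined
2024-05-01T10:00:05 AUTH host=ws-17 result=FAILED user=admin
2024-05-01T10:00:06 AUTH host=ws-17 result=FAILED user=administrator
2024-05-01T10:00:07 AUTH host=ws-17 result=FAILED user=root
2024-05-01T10:00:08 FW host=ws-17 dir=out action=DENY dport=445
2024-05-01T10:00:09 FW host=ws-17 dir=out action=DENY dport=445
2024-05-01T10:00:10 FW host=ws-17 dir=out action=DENY dport=445
2024-05-01T10:01:30 AUTH host=ws-22 result=SUCCESS user=jsmith
2024-05-01T10:02:00 AV host=ws-40 alert=Adware.Generic action=quarantined
2024-05-01T11:30:00 AUTH host=ws-17 result=FAILED user=admin
"""

def parse(lines):
    """Return sorted (timestamp, kind, host) tuples for indicator events only."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, rest = m["src"], m["rest"]
        if kind == "AUTH" and "result=FAILED" not in rest:
            continue  # successful logons are not an indicator
        if kind == "FW" and not ("dir=out" in rest and "action=DENY" in rest):
            continue  # only outbound denials count
        events.append((datetime.fromisoformat(m["ts"]), kind, m["host"]))
    return sorted(events)

def suspect_hosts(lines, window=timedelta(minutes=5), auth_min=3, fw_min=3):
    """Hosts with an AV alert plus spikes in failed logons and outbound denials within one window."""
    by_host = defaultdict(list)
    for ts, kind, host in parse(lines):
        by_host[host].append((ts, kind))
    flagged = set()
    for host, evs in by_host.items():
        for i, (start, _) in enumerate(evs):  # slide the window over each host's events
            counts = defaultdict(int)
            for ts, kind in evs[i:]:
                if ts - start > window:
                    break
                counts[kind] += 1
            if counts["AV"] and counts["AUTH"] >= auth_min and counts["FW"] >= fw_min:
                flagged.add(host)
                break
    return flagged
```

Only ws-17 meets all three conditions in the sample; ws-40 has an antivirus alert but no logon or firewall activity, and the late failed logon from ws-17 falls outside the window.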