An introduction to penetration testing
An Introduction to Penetration Testing - Internal Testing
Despite the meteoric rise of hackers in the public consciousness and the very real increase in the number of external attacks on companies' websites and internet connections, reputable authorities such as the National Audit Office still maintain that internal attacks are much more common. Survey figures show that between 65% and 80% of security breaches come from employees or contractors of the victim organisation.
Access Control Systems
The basic level of security in any network is physical security; the level above that is the desktop. If physical security is compromised and a laptop is stolen, or someone can gain access to a desktop machine, perhaps in an empty room, the access control system is all that stands between the attacker and the information on that machine and, perhaps, important areas of the network.
The test will consist of three stages:
1. Direct Attack
Attempts will be made to overcome the access control system itself. This may be achieved by using password libraries, overflow attacks and probing the access control system itself for weaknesses. The Team researches specific security information on the access control products in use, and the results are included as an annex to the report even where the client's implementation has avoided the known weaknesses.
2. Operating System
The boot-up process before the access control system activates is a major target for attacks. In some cases, the machine will get as far as the disk operating system before any user is forced to authenticate, such as in the example below.
This situation gives the test team various opportunities to subvert the process through known bugs and weaknesses but more commonly through the use of disk-editing tools which can be run from the floppy disk. Where user profiles are not encrypted, these tools may give the attacker access to user names and passwords, as well as other files.
3. Hardware Attacks
Many access control systems can be easily overcome by making physical changes to the machine. For example, removing the hard disk and placing it in another machine can sometimes remove the access control from the start-up process.
The security of the network – for example, access permissions and network encryption – is important for two reasons: firstly, to stop employees from gaining unauthorised access to those parts of the network to which they don't belong; secondly, to stop outsiders from gaining any access at all to parts of the network.
The first stage requires the Team to have a standard internal user account. The client will want to ensure that ordinary users cannot gain privileged access to their own machine (or anyone else’s) or gain access to important data unnecessary for their work. It is also important to ensure that users cannot gain remote access to network devices and machines such as content analysers, routers, web servers, back office applications or administrator PCs.
The second stage generally deals with the implementation of encryption and the security of the physical network structure: for example, can someone plug a box onto the network via the cables and copy all the packets that travel down the cables?
Internal IP Test
The Internal IP Test follows a very similar strategy to the Major IP Penetration Test and is generally run in conjunction with such a test. The aims are to disable the gateway security systems; attempt illegal activities that should be blocked by the security systems; and attack the systems involved in e-business from the back office systems to the DMZ or externally-hosted site. Unlike the standard test, the attacker is already on the internal corporate network but this should not make it easier to breach the security of the client’s Internet activities: a server holding credit card details, for example, should remain inaccessible to almost everyone, even inside the company.
The stages – including Target Acquisition – are the same as in a Major IP Penetration Test.
E-Commerce Customers \ VPN Hosts
Any target that gives privileged access to external users either for an e-commerce application or for trusted third parties via VPN, needs a further level of testing.
In many cases, these connections are made using SSL, SSH or a VPN client so the testing is often just an examination of the security implementation: is the encryption strong enough? Are the user IDs and passwords easily guessed? Can other user accounts be recovered from the server’s memory?
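The "easily guessed" question above is one a defender can answer before the test team arrives by auditing the credential store against the same kind of password library the Team would use. The following is an added example, not code from the original page or from the PPTT: a small policy checker that undoes the padding and character substitutions guessing libraries try (trailing digits, "@" for "a", "0" for "o" and so on) and flags passwords that reduce to a dictionary word, embed the user ID, or have too little variety. The word list and the account records are constructed for illustration; a real audit would load a full wordlist and the organisation's own identifiers.

```python
import re

# Constructed stand-in for a password library; an audit would load a full wordlist.
COMMON_WORDS = frozenset({
    "password", "welcome", "letmein", "qwerty", "summer",
    "company", "admin", "secret", "changeme",
})

# Substitutions guessers apply to dictionary words, undone here so
# "P@ssw0rd1" maps back to "password" before the dictionary lookup.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Digits and punctuation that users bolt on to the front or back of a word.
PADDING = r"[\d!@#$%^&*.\-_]+"


def normalise(password: str) -> str:
    """Strip leading/trailing padding, undo leet substitutions, lower-case."""
    core = re.sub(PADDING + "$", "", password)
    core = re.sub("^" + PADDING, "", core)
    return core.translate(LEET).lower()


def weaknesses(password: str, user_id: str, min_length: int = 12) -> list[str]:
    """Return the reasons a password is easily guessed; an empty list means it passed."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    core = normalise(password)
    if core in COMMON_WORDS:
        findings.append(f"dictionary word '{core}' with trivial padding or substitutions")
    uid = user_id.lower()
    if len(core) >= 3 and (core in uid or uid in core):
        findings.append("contains or is contained in the user ID")
    if password.isdigit():
        findings.append("digits only")
    if len(set(password)) <= 2:
        findings.append("too few distinct characters")
    return findings


# Constructed sample accounts (hypothetical user IDs and passwords).
SAMPLE_ACCOUNTS = [
    ("jsmith", "P@ssw0rd1"),
    ("jsmith", "jsmith2001!"),
    ("admin", "Welcome123"),
    ("cdavis", "correct-horse-battery-staple"),
    ("bob", "111111111111"),
]


def audit(accounts) -> dict[str, list[str]]:
    """Map each user ID with a weak password to its findings; clean accounts are omitted."""
    report = {}
    for user_id, password in accounts:
        found = weaknesses(password, user_id)
        if found:
            report.setdefault(user_id, []).extend(found)
    return report


if __name__ == "__main__":
    for user, found in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(found)}")
```

The checker is deliberately conservative: it only undoes the transformations a password library would try, so a passphrase of unrelated words passes even though its individual words might be common. Run against the real credential store it shows which accounts the Team's first stage would likely recover, and therefore which users need a password change before a thief with a stolen laptop gets the same opportunity.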
Covert Physical Testing
Using security-cleared personnel, the PPTT will attempt to trespass on the client’s premises to reach an agreed goal. Possible targets:
This is usually achieved either by breaking into the building outside of office hours or by masquerading as an employee\contractor. It is the client’s choice to decide how the test will take place.
Social Engineering
This is also performed covertly. The PPTT, using pseudonyms, will contact client employees and ask questions about the network environment and try to garner usernames and passwords. Any information will then be used to further the success of the test.
Please note, Social Engineering can only be performed as part of another test set, to gain extra knowledge about the target. The PPTT believes it unethical to report the specific findings of social engineering, as this can incriminate employees and may make them liable to company discipline or even prosecution; the European Convention on Human Rights is meant to protect against this. Instead the report will mention that social engineering was used and what degree of success it had. Recommendations about avoiding such espionage will also be made.
Content Analysis Systems
The QAZ worm and the more famous Melissa and explore.zip show that e-mail is a major security issue. Portcullis has been involved in the Anti-Virus industry since its inception, supplying Dr Solomon's, F-Prot, Sophos and gateway systems of the MIMEsweeper family and SurfinGate. In-house developments have included the Defuse Macro Analyser and Guardian Angel's boot protection system. This background has given the PPTT extensive experience in analysing the source code of viruses, worms and trojans, an expert knowledge of programming languages such as Visual Basic and Java, and a keen awareness of the weaknesses of various content analysis systems.
The test would be agreed in advance with the client but the aim would be to assess if any of the e-mailable \ web-downloadable families of attacks could successfully penetrate.
Please note, these are only simulated attacks; there is no payload. This test demonstrates the potential for success by these various methods.
Copyright © 1993-2001 The Penetration Testing Group