An Introduction to Penetration Testing - IP Penetration Testing
Two types of IP Penetration Tests are available - Evidential testing and testing performed under the CHECK scheme.
The latter tends to be employed for those who consider themselves to be potentially greater targets for hostile parties, and is far more structured and comprehensive than the former.
The Evidential Test has the objective of proving that within a short period of time, an intrusion can be achieved, thus providing proof that the system is vulnerable to attack.
Most attempted Internet attacks are performed by Script-Kiddies, uninventive hackers who simply try out others’ new attacks by testing lots and lots of IP addresses for the weakness that can be exploited. There is a great spectrum between these and the ultimate, an engineer with lots of networking experience and probably a wealth of programming knowledge backed up by the commitment to achieve their goal no matter how long or how hard that might be.
Somewhere in between, there are the casual hackers. The Portcullis Penetration Testing Team (PPTT) has determined that, because there are so many of them and they have a fair degree of knowledge, these are the main threat to most Internet-connected organisations. We estimate that on average, unless they have a good reason to attack an organisation, one will spend three days on their own trying to damage or successfully break into an Internet connection. The PPTT goes further than this in determining if any weaknesses exist at the target. If unsuccessful, one can be reasonably sure that the target is secure.
However, for those clients who believe themselves to be greater targets, we recommend the Blind IP Test which is based upon the procedures we created for the CHECK scheme. It should also be noted that the standard evidential test does not include a report.
MAJOR IP PENETRATION TESTING AND THE 'CHECK' SCHEME
The UK government is in the process of implementing one of the most ambitious E-Business systems in the World today. The Government Secure Intranet (GSI) will probably be the largest VPN in Europe encompassing hundreds of large organisations – government departments, local councils, government agencies and the Police National Network (PNN2), an intranet within an intranet – and thousands of firewalls. It is the jewel-in-the-crown of Downing Street’s Open Government plan to ameliorate the inter-working of departments, cutting costs, centralising (or at least interlinking) records on citizens, providing greater accessibility to services for everybody.
Security is a manifest issue. From the start, CESG (Communications-Electronics Security Group – the government’s ICT security advisors) realised that such a huge project was beyond the resources of themselves and DERA (Defence Evaluation & Research Agency – the MOD’s research agency). This was not their only concern: with the arrival of information warfare / cyber-terrorism, major companies such as utilities and banks – the so-called Critical National Infrastructure – have become even more important as targets. Bringing the nation’s gas supply to a halt could quickly bring the country to a halt. Consequently, with the support of the Cabinet Office, CESG set about finding companies it felt could be trusted with such sensitive work and invited them to join. That list can be found at www.cesg.gov.uk.
However, not even all of the companies on that list can currently operate as CHECK testers. For that they need to fulfill the following criteria:
Portcullis (PPTT) is one of these companies and we believe that the licence to perform CHECK tests is the closest one can get to certification for security testing services.
2. The Major Penetration Test
An IP Penetration Test is an exhaustive examination of the client’s Internet connectivity. It covers every conceivable angle to give the client an objective, authoritative and up-to-date report on their security status as seen from the outside world.
The deliverables are two reports authored from the submissions of the whole team. The first is an executive summary discussing the major issues and business risks, the second is an in-depth catalogue of the test covering discovered vulnerabilities, how these might affect security and suggested solutions.
It is very difficult to split the test into easily-defined sections as they so often cross over and are inter-related. Information gained in the later phases will often be recycled into pointers for early phase techniques. However, the test may proceed as follows:
A, Target Acquisition
Once furnished with the client’s IP address or company name, the Team will place that target in the logical world, setting the boundaries within which the Test will take place. This involves data flow checking and open source research to ascertain what the outside world sees of the target. The team will seek to identify alternative access points to the target, such as associated IP addresses belonging to the client, or those of third parties with connection to the target.
The resulting picture is itself useful to the client in recursive engineering.
This is a high-intensity search procedure identifying the probable weak points in the system topology. Using for example:
unblocked data flows, such as FTP, which may allow the incursion of binary (programming) code
software bugs in the operating systems of computers and communications hardware which allow non-standard access
straightforward attacks on systems, buffer overflows for example
C, Vulnerability Exploitation
It is at this point that expertise in systems engineering, programming and hacking systems (both publicly available and Portcullis in-house) becomes really important. All of the information garnered in Stages 1 & 2 will have afforded the team opportunities to break through the barriers around the target and actually get inside the logical entity that is the target system. This will include attacks on hosts within any Demilitarised Zone.
Unless the client wishes the Team to move to the Intrusion Stage, the reports will now be delivered at a mutually agreed date. Although the IPR and copyright remain with Portcullis, the deliverables remain a tangible asset to the customer providing a baseline upon which to conduct future tests, and as a Change Control Document when reconfiguring the associated IT and communications systems. Therefore the PPTT believes care and attention to detail are a prerequisite to the provision of these reports.
There will be two documents. The first a management summary giving an overview of findings, with details on legal issues, business impact, and risk management. The second is an in-depth, blow-by-blow account of findings with concomitant suggestions on how to solve each issue. Examples of such documents are available on request.
Estimates for reporting must include extensive research and the inevitable editing. Drafts will be provided to nominated client personnel before the Post-Test Consultation.
E, Post-Test Consultation
The Team Leader and the project manager come to the client’s premises on an agreed date to discuss the report. The client will have the opportunity to make amendments to the documents, discuss findings and conclusions and ask any questions they like about the suggested solutions or indeed anything about the test as a whole.
Before moving to the report-writing, the client will be informed by Security Fault Notice if there are serious security breaches, i.e. where Vulnerability Exploitation has been successful and there is/are pathway(s) into the sensitive network. The client will be given the option to have these pursued in order to find out what each pathway allows and how great the risk is to internal security. Once in, the aim is intelligence and control:
What information can be discovered?
What information can be manipulated?
Can root user access / privileged user access be gained?
How strong are password mechanisms?
Can onward connections be made to suppliers’ or customers’ networks?
Can a back door be placed?
Can the attack stay undetected?
How effective are the content analysis systems?
The final act is to leave a footprint. Reporting would then be the next stage.
Although the Major Penetration Test provided by PPTT is based upon the rigorous strategy devised for CHECK testing, there are still some important differences.
The Test Team must be led by a CHECK-qualified test engineer, and that engineer becomes legally responsible for the sign-off. Should the system under examination be considered secure by that engineer, he has to sign the documentation to state his confidence in its security. Although 100% security can never be guaranteed, should there be a breach and it is discovered that the vulnerability should have been covered by the test, the engineer and company may lose their CHECK status, permanently.
However, it is still preferable to avoid any breach to begin with and there are three principles in place to stop this.
The start of a CHECK test is the scoping exercise when a qualified CHECK engineer visits the examined system’s site and discusses the topology, external connections, physical security, security policy and personnel arrangements. The results from this exercise are written into a Terms of Reference by the engineer. This is the plan for the test, containing what must be covered to ensure a sign-off. This is agreed by CESG, the testing company and the client before the test commences.
The examination itself must contain comparison of the system to an up-to-date database, a catalogue of all known security weaknesses. Every one relevant to the attacked system must be checked and ticked off. Only 100% pass ensures a sign-off. The client then knows that what the government’s security authority considers must be covered is covered.
Finally, CESG reviews the report to ensure that everything has been done properly and that the correct conclusions and recommendations have been made.
The reasons for a Blind IP Test are obvious: it more closely replicates the work of a real hacker. However, there is always the threat of the insider. In this case, someone with inside knowledge of the network structure, the gateway configuration, user names, remote administration systems, security systems, has an advantage over the outsider. Although it may not make it easy, the attacker might be aware of the limitations of the firewall or the intrusion detection systems; know which boxes to attack in the first place; or may know a specific time when liberal access is allowed to certain hosts. There is a simple example of the latter: the PPTT once found a systems administrator running a Quake server on a client’s internal network. Between 9pm and 7am, outsiders could make a direct connection to the host, straight through the firewall. This was the major step in making a successful intrusion.
The test starts with a half-day meeting where the Test Team Leader is given documentation about the network infrastructure, including a complete network diagram. He will then be able to quiz the client about traffic flows, security policies, user IDs or whatever he deems necessary knowledge for the project. The Test would then proceed as normal, though the customer may opt not to have the Target Acquisition stage (the PPTT does advise that this remains, though, as this stage is also used to find company information that the client may not be aware exists in the public domain).
Change is natural to ICT. New or improved technology is implemented; different configurations are required for new projects; security is tightened up; people change their minds. Evolution is a good thing. Unfortunately, even where security is being improved by the implementation of a new system, a reconfiguration or the installation of a patch or fix, the change or the change procedure may introduce another security problem. Therefore, the test report can quickly become an anachronism, no longer a reflection of the actual system. Re-testing then becomes very important. Using the original report as a baseline document, the PPTT revisits the target with three aims:
DENIAL OF SERVICE TESTING
The PPTT advises clients not to have Denial of Service (DoS) testing. No matter how secure the organisation, a determined aggressor can bring down any target. It is the nature of the Internet that this is possible: the ease of acquired anonymity, the capability to launch attacks from third-party routers, and distributed attacks make it impossible to fully combat DoS. Every organisation is susceptible to loss of availability due to DoS attacks. All DoS testing can do is test for the successful implementation of patches for known attacks based on software weaknesses. The PPTT is happy to do this where necessary.
A penetration test is not carried out as if it was a real attack. The client has requested a test and the team need not avoid detection. In general, testing is carried out in a ‘noisy’ way because this is best for completeness and it takes less time (and therefore, costs the customer less money).
However, some clients wish to know how successful a real attack might be, so the PPTT does its job knowing that Intrusion Detection Systems (IDS), firewalls and vigilant IT personnel have to be avoided. The test is carried out using the stealthiest techniques that the law will allow. Should it be detected, this does not spell the end of the test. Although greater vigilance is more likely after a detection, the PPTT will use a different IP address and different methods and try again.
The aim for the team is to remain undetected at all times, while still trying to achieve a successful penetration. The normal report will include a section on detecting attacks: how successful the client was and what might be done to improve the current situation.
Copyright © 1993-2001 The Penetration Testing Group