An introduction to penetration testing  
Portcullis penetration test and  
security testing services  

 An Introduction to Penetration Testing - IP Penetration Testing Contact Us Front Page
 

IP Penetration Testing

Two types of IP Penetration Tests are available - Evidential testing and testing performed under the CHECK scheme.

The latter tends to be employed for those who consider themselves to be potentially greater targets for hostile parties, and is far more structured and comprehensive than the former.


EVIDENTIAL TEST

The Evidential Test has the objective of proving that within a short period of time, an intrusion can be achieved, thus providing proof that the system is vulnerable to attack.

Most attempted Internet attacks are performed by Script-Kiddies, uninventive hackers who simply try out others’ new attacks by testing lots and lots of IP addresses for the weakness that can be exploited. There is a great spectrum between these and the ultimate, an engineer with lots of networking experience and probably a wealth of programming knowledge backed up by the commitment to achieve their goal no matter how long or how hard that might be.

Somewhere in between, there are the casual hackers. The Portcullis Penetration Testing Team (PPTT) has determined that, because there are so many of them and they have a fair degree of knowledge, these are the main threat to most Internet-connected organisations. We estimate that on average, unless they have a good reason to attack an organisation, one will spend three days on their own trying to damage or successfully break into an Internet connection. The PPTT goes further than this in determining if any weaknesses exist at the target. If unsuccessful, one can be reasonably sure that the target is secure.

However, for those clients who believe themselves to be greater targets, we recommend the Blind IP Test which is based upon the procedures we created for the CHECK scheme. It should also be noted that the standard evidential test does not include a report.


MAJOR IP PENETRATION TESTING AND THE 'CHECK' SCHEME

    1. Introduction

    The UK government is in the process of implementing one of the most ambitious E-Business systems in the World today. The Government Secure Intranet (GSI) will probably be the largest VPN in Europe encompassing hundreds of large organisations – government departments, local councils, government agencies and the Police National Network (PNN2), an intranet within an intranet – and thousands of firewalls. It is the jewel-in-the-crown of Downing Street’s Open Government plan to ameliorate the inter-working of departments, cutting costs, centralising (or at least interlinking) records on citizens, providing greater accessibility to services for everybody.

    Security is a manifest issue. >From the start, CESG (Communications-Electronics Security Group – the government’s ICT security advisors) realised that such a huge project was beyond the resources of themselves and DERA (Defence Evaluation & Research Agency – the MOD’s research agency.). This was not their only concern, with the arrival of information warfare \ cyber-terrorism, major companies such as utilities and banks – the so-called Critical National Infrastructure - have become even more important as targets. Bringing the nation’s gas supply to a halt could quickly bring the country to a halt. Consequently, with the support of the Cabinet Office, CESG set about finding companies it felt could be trusted with such sensitive work and invited them to join. That list can be found at www.cesg.gov.uk.

    However, not even all of the companies on that list can currently operate as CHECK testers. For that they need to fulfill the following criteria:

    • CHECK tests may only be performed by personnel cleared to SC level.
    • Test Team Leaders must have passed the hacking assault course set by DERA’s penetration test team.
    • CHECK tests must be conducted under ISO-9001, so suppliers must have ISO-9001 certification or be in the process of certification.

    Portcullis (PPTT) is one of these companies and we believe that the licence to perform CHECK tests is the closest one can get to certification for security testing services.


    2. The Major Penetration Test

    An IP Penetration Test is an exhaustive examination of the client’s Internet connectivity. It covers every conceivable angle to give the client an objective, authoritative and up-to-date report on their security status as seen from the outside world.

    The deliverables are two reports authored from the submissions of the whole team. The first is an executive summary discussing the major issues and business risks, the second is an in-depth catalogue of the test covering discovered vulnerabilities, how these might affect security and suggested solutions.

    It is very difficult to split the test into easily-defined sections as they so often cross over and are inter-related. Information gained in the later phases will often be recycled into pointers for early phase techniques. However, the test may proceed as follows:

    A, Target Acquisition

    Once furnished with the client’s IP address or company name, the Team will place that target in the logical world, setting the boundaries within which the Test will take place. This involves data flow checking and open source research to ascertain what the outside world sees of the target. The team will seek to identify alternative access points to the target, such as associated IP addresses belonging to the client, or those of third parties with connection to the target.

    The resulting picture is itself useful to the client in recursive engineering.


    B, Vulnerability Assessment

    This is a high-intensity search procedure identifying the probable weak points in the system topology. Using for example:

        unblocked data flows, such as FTP, which may allow the incursion of binary (programming) code

        software bugs in the operating systems of computers and communications hardware which allow non-standard access

        straightforward attacks on systems, buffer overflows for example

        E-mail


    C, Vulnerability Exploitation

    It is at this point that expertise in systems engineering, programming and hacking systems (both publicly available and Portcullis in-house) becomes really important. All of the information garnered in Stages 1 & 2 will have afforded the team opportunities to break through the barriers around the target and actually get inside the logical entity that is the target system. This will include attacks on hosts within any Demilitarised Zone.


    D, Report-Writing

    Unless the client wishes the Team to move to the Intrusion Stage, the reports will now be delivered at a mutually agreed date. Although the IPR and copyright remain with Portcullis, the deliverables remain a tangible asset to the customer providing a baseline upon which to conduct future tests, and as a Change Control Document when reconfiguring the associated IT and communications systems. Therefore the PPTT believes care and attention to detail are a prerequisite to the provision of these reports.

    There will be two documents. The first a management summary giving an overview of findings, with details on legal issues, business impact, and risk management. The second is an in-depth, blow-by-blow account of findings with concomitant suggestions on how to solve each issue. Examples of such documents are available on request.

    Estimates for reporting must include extensive research and the inevitable editing. Drafts will be provided to nominated client personnel before the Post-Test Consultation.


    E, Post-Test Consultation

    The Team Leader and the project manager come to the client’s premises on an agreed date to discuss the report. The client will have the opportunity to make amendments to the documents, discuss findings and conclusions and ask any questions they like about the suggested solutions or indeed anything about the test as a whole.


    OPTIONAL STAGES

    F, Intrusion

    Before moving to the report-writing, the client will be informed if there are serious security breaches by Security Fault Notice, where Vulnerability Exploitation has been successful and there is\are pathway(s) into the sensitive network. The client will be given the option to have these pursued in order to find out what each pathway allows and how great the risk is to internal security. Once in, the aim is intelligence and control:

        What information can be discovered?

        What information can be manipulated?

        Can root user access \ privileged user access be gained?

        How strong are password mechanisms?

        Can onward connections be made to suppliers’ or customers’ networks?

        Can a back door be placed?

        Can the attack stay undetected?

        How effective are the content analysis systems?

    The final act is to leave a footprint. Reporting would then be the next stage.


    3. The CHECK Test

    Although the Major Penetration Test provided by PPTT is based upon the rigorous strategy devised for CHECK testing, there are still some important differences.

    The Test Team must be lead by a CHECK-qualified test engineer and that engineer becomes legally responsible for the sign-off. Should the system under examination be considered secure by that engineer, he has to sign the documentation to state his confidence in its security. Although 100% security can never be guaranteed, should there be a breach and it is discovered that the vulnerability should have been covered by the test, the engineer and company may lose their CHECK status, permanently.

    However, it is still preferable to avoid any breach to begin with and there are three principles in place to stop this.

    The start of a CHECK test is the scoping exercise when a qualified CHECK engineer visits the examined system’s site and discusses the topology, external connections, physical security, security policy and personnel arrangements. The results from this exercise are written into a Terms of Reference by the engineer. This is the plan for the test, containing what must be covered to ensure a sign-off. This is agreed by CESG, the testing company and the client before the test commences.

    The examination itself must contain comparison of the system to an up-to-date database, a catalogue of all known security weaknesses. Every one relevant to the attacked system must be checked and ticked off. Only 100% pass ensures a sign-off. The client then knows that what the government’s security authority considers must be covered is covered.

    Finally, CESG reviews the report to ensure that everything has been done properly and that the correct conclusions and recommendations have been made.


WITH INFORMATION

The reasons for a Blind IP Test are obvious: it more closely replicates the work of a real hacker. However, there is always the threat of the insider. In this case, someone with inside knowledge of the network structure, the gateway configuration, user names, remote administration systems, security systems, has an advantage over the outsider. Although it may not make it easy, the attacker might be aware of the limitations of the firewall or the intrusion detection systems; know which boxes to attack in the first place; or may know a specific time when liberal access is allowed to certain hosts. There is a simple example of the latter: the PPTT once found a systems administrator running a Quake server on a client’s internal network. Between 9pm and 7am, outsiders could make a direct connection to the host, straight through the firewall. This was the major step in making a successful intrusion.

The test starts with a half-day meeting where the Test Team Leader is given documentation about the network infrastructure, including a complete network diagram. He will then be able to quiz the client about traffic flows, security policies, user IDs or whatever he deems necessary knowledge for the project. The Test would then proceed as normal though the customer may opt not to have the Target Acquisition stage (the PPTT does advise this remains, though, as this stage is also used to find company information that the client may not be aware exists in the public domain.).


REPEAT TESTING

Change is natural to ICT. New or improved technology is implemented; different configurations are required for new projects; security is tightened up; people change their minds. Evolution is a good thing. Unfortunately, even where security is being improved by the implementation of a new system, reconfiguration or the installation of a patch or fix, the change or the change procedure may incur another security problem.

Therefore, the test report can quickly become an anachronism, no longer a reflection of the actual system. Re-testing then becomes very important. Using the original report as a baseline document, the PPTT revisits the target with three aims:

  • To check if weaknesses discovered in the original test have been resolved.
  • To look for new weaknesses that may have been created by new configurations and/or implementations.
  • To check for new systems vulnerabilities.

  • DENIAL OF SERVICE TESTING

    The PPTT advises clients not to have Denial of Service (DoS) testing. No matter how secure the organisation, a determined aggressor can bring down any target. It is the nature of the Internet that this is possible: the ease of acquired anonymity, the capability to launch attacks from third-party routers, distributed attacks make it impossible to fully combat DoS. Every organisation is susceptible to loss of availability due to DoS attacks. All DoS testing can do is test for the successful implementation of patches for known attacks based on software weaknesses. The PPTT is happy to do this where necessary.


    COVERT TESTING

    A penetration test is not carried out as if it was a real attack. The client has requested a test and the team need not avoid detection. In general, testing is carried out in a ‘noisy’ way because this is best for completeness and it takes less time (and therefore, costs the customer less money).

    However, some clients wish to know how successful a real attack might be so the PPTT does its job knowing that Intrusion Detection Systems (IDS), firewalls and vigilant IT personnel have to be avoided. Using the stealthiest techniques that the law will allow, the test is carried out. Should it be detected, this does not spell the end of the test. Although, greater vigilance is more likely after a detection, the PPTT will use a different IP address and different methods and try again.

    The aim for the team is to remain undetected at all times, while still trying to achieve a successful penetration. The normal report will include a section on detecting attacks: how successful the client was and what might be done to improve the current situation.


    Back to First Page



    HOME ~ WEBLINKS ~ CONTACTS



    Copyright © 1993-2001   The Penetration Testing Group  
    Other Resources: EPIC ISO 17799 and Gateway Listed