Network security is currently one of the most urgent and challenging problems facing private and public organizations of all kinds, as well as governments. In addition to the daily bombardment of unwanted traffic such as network port scans, all kinds of malware (viruses, adware, spyware, Trojans, worms, bots), exploit tools, rootkits, social engineering, DoS attacks, accidental breaches, automated attacks, and other unauthorized access mechanisms, organizations must be aware of malicious insiders who can use digital carriers to secretly steal and disseminate sensitive company information, crossing from the inside the perimeter that is supposed to protect the corporate network. CERT statistics on the number of security incidents, on unauthorized website access, and on the proportion of "hacking attempts" among total incidents are growing dramatically. This justifies the increasing use of ethical hacking internationally.
Compliance. Security Policy, Standard, Procedure, and Guide.
IT security plays a critical role in assessing an organization's risk, using penetration testing, vulnerability analysis, compliance measures, and other methods. Compliance can be: (i) Internal. Using policies and standards, security and configuration baselines, codes of best practice (such as ISO 27002), and frameworks like COBIT, ISO, ITIL, NIST, and GAISP. (ii) External. Using regulations and industry standards such as SOX (Sarbanes-Oxley, usually implemented through the COSO framework), HIPAA, PCI-DSS, and Safe Harbor. Security policies are the foundation for implementing IT compliance and governance.
A policy is a set of requirements and directional instructions designed to protect corporate values, assets, and intelligence. Policies serve as the basis for related standards, procedures, and guides. A standard is a set of practices and benchmarks used to meet the requirements established in advance by the policies. A standard should always be derived from a policy, as it is the second step in the company's policy propagation process. A procedure is a set of step-by-step instructions for implementing policy requirements and executing standard practices. A guide is a set of tips and best practices derived from policies and standards. Guides are optional, but they typically document well-known parameters, processes, and procedures under which policies and standards were successfully implemented.
Penetration testing and security testing.
Tools used. Methodologies.
A penetration test (also called ethical hacking or white-hat hacking; the term red-teaming is often used for its adversary-emulation variant) is a set of methods used to assess the security posture of a system, network, or company by simulating real attacks in a non-destructive way. It is an authorized attempt to access the company's network to find its weakest links; the tester reports what they find rather than exploiting it for gain. A security test goes further than an access attempt: it also includes an analysis of the company's security policies and procedures, and the testers propose solutions to secure the network being evaluated. The most common TCP/IP stack protocols (HTTP for the Web, SMTP/POP3/IMAP4 for email, FTP, Telnet, etc.), used in intranets, extranets, and the Internet, were designed in an era when security was not a priority. One consequence, according to CERT, is that reported security incidents went from six in 1988 to a total of 137,529 in 2003.
There are several reasons to perform a penetration test: (i) To determine a company's flaws, defects, and vulnerabilities. (ii) To provide a quantitative metric for evaluating systems and networks. (iii) To measure against pre-established baselines. (iv) To determine risks to the organization. (v) To design controls to mitigate the identified risks.
A penetration test can be divided into the following phases:
(1) Preparation phase. The objectives are: (i) Identify targets: company websites, mail servers, extranets, etc. (ii) Sign the contract. A written agreement protects both parties against legal problems. The contract clearly specifies the limits and risks of the test, and whether DoS tests, social engineering, etc. are in scope. The time window for the attacks and the total test duration must be specified, as must the level of prior knowledge of the systems given to the tester and the key personnel who will be made aware of the test.
(2) Footprinting phase. The objectives are: (i) Gather as much information as possible about the target: DNS servers, IP ranges, administrative contacts, and problems reported publicly by its administrators. (ii) Use open information sources: search engines such as Google; forums; registry databases: WHOIS, RIPE, ARIN, APNIC; tools: ping, whois, traceroute, dig, nslookup, Sam Spade.
(3) Discovery, enumeration, and fingerprinting phase. This involves: (i) Determining the specific targets. (ii) Identifying open UDP/TCP ports and the services behind them. (iii) Listing the operating systems in use. Methods used include: (i) Banner grabbing. (ii) Responses to probes in various protocols (TCP and ICMP). (iii) Port/service scanning: TCP connect, TCP SYN, TCP FIN, etc. Tools used include Nmap (open-source port/security scanner, see http://insecure.org/), FScan, Hping, Firewalk, Netcat, tcpdump, ssh, telnet, and SNMP scanners. In short, the goal is to collect information as discreetly as possible, for example with Nmap: what is already known about the networks is confirmed and the network map is filled in.
(4) Exploration and vulnerability identification phase. Possible vulnerabilities include: (i) Insecure configuration. (ii) Weak passwords. (iii) Unpatched vulnerabilities in services, operating systems, and applications. (iv) Potential (not yet confirmed) vulnerabilities in services and operating systems. (v) Insecure programming. (vi) Weak access control. Methods used include: (i) For potential and unpatched vulnerabilities: detection tools and vulnerability information websites. (ii) For weak passwords: default passwords, brute-force and dictionary attacks, social engineering, and eavesdropping on unencrypted traffic (POP3, Telnet, FTP, etc.). (iii) For insecure programming: SQL injection and traffic eavesdropping. (iv) For weak access control: application logic flaws and SQL injection. Tools used include: (i) Vulnerability scanners: Nessus (see http://tenablesecurity.com/), ISS, SARA, SAINT. (ii) Traffic eavesdropping tools: Ettercap, Ethereal, tcpdump. (iii) Password crackers: JTR (John the Ripper), LC4, Pwdump. (iv) Web traffic interception tools: Achilles, Whisker, Legion. Websites used include: (i) For common vulnerabilities and exposures: http://cve.mitre.org . (ii) Bugtraq: http://www.securityfocus.com . (iii) Vendor advisories. This phase also covers configuration analysis and the identification and analysis of firewalls/gateways.
(5) Assessment, attack, and exploitation phase. The objective is to obtain as much information as possible about the target, gain ordinary user access, escalate privileges, pivot to other connected systems, and, only where the contract permits, carry out DoS attacks. The following are performed: (i) Attacks on network infrastructure: connecting to the network via modem, exploiting weaknesses in TCP/IP and NetBIOS, and flooding the network to cause a DoS. (ii) Attacks on operating systems: attacking authentication systems, exploiting protocol implementations, exploiting insecure configurations, and breaking file system security. (iii) Attacks on specific applications: exploiting application protocol implementations (SMTP, HTTP), gaining access to application databases, SQL injection, and spamming. (iv) Exploits: publicly available exploits from hacker websites and custom-written exploits. Tools such as Nessus (confirming vulnerabilities) and the Metasploit Framework (launching exploits) are used. In this phase the security of the devices themselves is verified: the network map is extended, devices are scanned for vulnerabilities, and individual vulnerabilities are exploited with tools such as Metasploit.
(6) Intrusion and risk/impact analysis phase. The objective is to perform a network scenario analysis: determine how the potential exposures found could be exploited, how one exposure gives access to the next, and what the impact on the organization would be.
(7) Reporting phase. The objective is to report all findings, ranked by risk, and propose practical security solutions.
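Phase (3) above is the part of the procedure that is easiest to show in working code. The following Python example is added here and is not from the original article or any of the tools it names; it builds a constructed lab target on the loopback interface (a tiny service that volunteers an SSH-style banner), runs a TCP connect scan over a port list, grabs the banner from whatever is open, fingerprints product and version from it, and compares the version against an assumed baseline. The baseline value is an assumption for the demo, not a real advisory; in a real engagement the hosts, port ranges, and thresholds come from the contract and from the vulnerability sites listed in phase (4).

```python
import re
import socket
import threading
from typing import Dict, Iterable, List, Optional, Tuple


# Constructed lab target, NOT a real host: a tiny TCP service on the
# loopback interface that sends an SSH-style banner to every client.
def start_banner_service(banner: bytes) -> Tuple[int, socket.socket]:
    """Bind an ephemeral port on 127.0.0.1 and serve `banner` until closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # listening socket closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:        # client hung up early (the scanner does)
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.3) -> List[int]:
    """Full three-way handshake per port (what `nmap -sT` does). Noisy, but it
    needs no raw sockets; SYN/FIN scans need root or CAP_NET_RAW."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect and read whatever the service sends before we say anything."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:         # silent service (HTTP etc.) needs a probe instead
            data = b""
    return data.decode("ascii", errors="replace").strip()


# SSH identification strings are standardised (RFC 4253): SSH-<proto>-<software>
SSH_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)_(?P<major>\d+)\.(?P<minor>\d+)")

# Assumed baseline for this lab, not a real advisory: versions older than the
# listed one are flagged for manual lookup at cve.mitre.org.
BASELINE = {"OpenSSH": (8, 0)}


def fingerprint(banner: str) -> Optional[Dict[str, object]]:
    """Extract product and version from an SSH banner, or None if unrecognised."""
    m = SSH_BANNER_RE.match(banner)
    if not m:
        return None
    return {"product": m["product"], "version": (int(m["major"]), int(m["minor"]))}


def scan_host(host: str, ports: Iterable[int], baseline=BASELINE) -> List[Dict[str, object]]:
    """Discover open ports, grab banners, fingerprint, compare with the baseline."""
    findings = []
    for port in tcp_connect_scan(host, ports):
        banner = grab_banner(host, port)
        finding: Dict[str, object] = {"port": port, "banner": banner}
        fp = fingerprint(banner)
        if fp:
            finding.update(fp)
            finding["outdated"] = fp["version"] < baseline.get(fp["product"], (0, 0))
        findings.append(finding)
    return findings


def free_port() -> int:
    """Pick a port that is closed right now, so the scan has something to skip."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> List[Dict[str, object]]:
    """Scan the constructed lab target and return the findings."""
    open_port, srv = start_banner_service(b"SSH-2.0-OpenSSH_5.3\r\n")
    closed_port = free_port()
    try:
        return scan_host("127.0.0.1", [closed_port, open_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The connect scan completes the handshake, so it shows up in the target's logs; the stealthier SYN and FIN variants the phase lists differ only in never completing it, which is why they require raw sockets. A service that says nothing on connect (HTTP, for instance) needs an application-level probe before the banner can be read.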
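SQL injection appears in both phase (4), as the symptom of insecure programming and weak access control, and phase (5), as the attack that gains access to application databases. The following Python example is added here and is not from the original article; it uses a constructed in-memory SQLite user table with invented credentials. It shows a login function that splices user input into the SQL text, the parameterised version a fix would use, the error-based probe a scanner runs in phase (4) to spot the difference, and the two payloads an attacker uses in phase (5).

```python
import hashlib
import sqlite3
from typing import Callable, Dict, Optional


def pw_hash(password: str) -> str:
    """Stand-in for the application's password hashing (real code uses a slow KDF)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample user table; the credentials are invented for the demo."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", pw_hash("correct horse")), ("bob", pw_hash("hunter2"))])
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Insecure programming: user input becomes part of the SQL text."""
    query = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
             % (username, pw_hash(password)))
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterised query: input is bound as data and never parsed as SQL."""
    row = con.execute("SELECT username FROM users WHERE username = ? AND pw_hash = ?",
                      (username, pw_hash(password))).fetchone()
    return row[0] if row else None


def probe_for_injection(login: Callable[[str, str], Optional[str]]) -> bool:
    """Error-based check from phase (4): a lone quote must not change how the
    backend parses the query. Returns True when the login is injectable."""
    try:
        login("'", "x")
    except sqlite3.OperationalError:   # the quote broke the SQL syntax
        return True
    return False


def demo() -> Dict[str, Dict[str, object]]:
    """Run probe and payloads against both implementations; return the outcomes."""
    con = make_db()
    results: Dict[str, Dict[str, object]] = {}
    for name, login in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        results[name] = {
            "injectable": probe_for_injection(lambda u, p: login(con, u, p)),
            # Comments out the password check: ... username = 'alice' --' AND ...
            "as_alice": login(con, "alice' --", "wrong"),
            # Tautology: WHERE username = '' OR 1=1 returns the first row
            "first_user": login(con, "' OR 1=1 --", "wrong"),
            # Legitimate credentials work the same in both versions
            "legit": login(con, "bob", "hunter2"),
        }
    return results


if __name__ == "__main__":
    for impl, outcome in demo().items():
        print(impl, outcome)
```

Note that the payloads never need the victim's password: the `--` comment discards the `pw_hash` comparison entirely, which is why the article lists SQL injection under weak access control as well as under insecure programming. The probe above only catches the error-based case; blind injection needs timing or boolean differential probes, which is what dedicated scanners add.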
In an ICT environment, the security penetration testing model consists of four levels, which from the outside in are: (1) Level 1: external attacks by an uninformed attacker. (2) Level 2: external attacks by a knowledgeable attacker. (3) Level 3: internal attacks. (4) Level 4: attacks on applications/databases.
Some tools used for penetration testing, grouped by level: (i) Traffic analyzers: Ethereal (now Wireshark), NAI Sniffer Pro, NetXray, EtherPeek, SolarWinds, Dolch Network. (ii) Password cracking: L0phtCrack, John the Ripper, rainbow tables. (iii) Wireless networking: AirSnort, Kismet, NetStumbler. (iv) Database tools: ISS, Squirrel, IP Locks, AppDetective. (v) Host-based tools: BindView, ESM, ISS System Scanner, NetIQ. (vi) Web/application tools: ScanDo, AppScan, WebInspect, Whisker. (vii) War dialing: THC-Scan, TeleSweep. (viii) Network assessment: Nessus, ISS Internet Scanner, FoundScan, Retina, Typhon III. (ix) Network mapping: Nmap, ping, Visio. (x) Data recovery: CIS scripts.
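The weak-password checks of phase (4) and the password-cracking tools listed above (John the Ripper, rainbow tables) both come down to the same loop: hash each candidate from a wordlist, after applying mangling rules, and compare with the stored digest. The following Python example is added here and is not from the original article or from John the Ripper; it uses a constructed hash format (`$demo$`, sha256 of salt plus password, not a real crypt(3) scheme) and invented user records and wordlist. It shows the dictionary attack with a few typical rules, and why a per-user salt defeats a precomputed (rainbow) table while an unsalted entry does not.

```python
import hashlib
import os
from typing import Dict, Iterable, Iterator, List, Tuple

ShadowEntry = Tuple[str, bytes, str]   # (user, salt, hex digest)


# Constructed format for the demo, NOT a real crypt(3) scheme:
#   user:$demo$<hex salt>$<hex sha256(salt || password)>
def hash_password(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_shadow_line(user: str, password: str, salt: bytes) -> str:
    return "%s:$demo$%s$%s" % (user, salt.hex(), hash_password(password, salt))


def parse_shadow(lines: Iterable[str]) -> List[ShadowEntry]:
    """Split the constructed shadow lines into (user, salt, digest) tuples."""
    entries = []
    for line in lines:
        user, field = line.strip().split(":", 1)
        _, scheme, salt_hex, digest = field.split("$")
        if scheme == "demo":
            entries.append((user, bytes.fromhex(salt_hex), digest))
    return entries


def mangle(word: str) -> Iterator[str]:
    """A handful of the rules a wordlist-mode cracker applies to each word."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "2", "123", "!"):
        yield word + suffix
        yield word.capitalize() + suffix
    yield word[::-1]


def dictionary_attack(shadow: List[ShadowEntry], wordlist: Iterable[str]) -> Dict[str, str]:
    """Recover passwords whose mangled wordlist form matches the stored digest."""
    cracked: Dict[str, str] = {}
    words = list(wordlist)
    # Every candidate is rehashed per user because the salts differ; that
    # per-user cost is exactly what a salt buys against precomputation.
    for user, salt, digest in shadow:
        for word in words:
            hit = next((c for c in mangle(word) if hash_password(c, salt) == digest), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def build_rainbow_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precomputed unsalted digests, the essence of a rainbow table lookup."""
    return {hashlib.sha256(c.encode()).hexdigest(): c
            for w in wordlist for c in mangle(w)}


def rainbow_lookup(table: Dict[str, str], shadow: List[ShadowEntry]) -> Dict[str, str]:
    """Only entries hashed without a salt can be found in the precomputed table."""
    return {user: table[digest] for user, _, digest in shadow if digest in table}


def demo() -> Dict[str, Dict[str, str]]:
    """Crack a constructed shadow file both ways and return both result sets."""
    salts = [os.urandom(8) for _ in range(3)]          # per-user random salts
    shadow = parse_shadow([
        make_shadow_line("alice", "Password1", salts[0]),     # capitalize + "1" rule
        make_shadow_line("bob", "hunter2", salts[1]),         # append "2" rule
        make_shadow_line("carol", "xk7#Qv9!pL2m", salts[2]),  # not in any wordlist
        make_shadow_line("dave", "letmein", b""),             # stored UNSALTED
    ])
    wordlist = ["password", "letmein", "hunter", "welcome"]   # constructed wordlist
    return {
        "dictionary": dictionary_attack(shadow, wordlist),
        "rainbow": rainbow_lookup(build_rainbow_table(wordlist), shadow),
    }


if __name__ == "__main__":
    print(demo())
```

The finding a report should carry is the fraction of accounts cracked within a bounded wordlist and time budget, together with the hashing scheme in use: a fast unsalted hash, as for `dave` above, is itself a configuration weakness, independent of how strong the individual passwords are.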
To use GRC's online port scanning service, visit: http://www.grc.com/x/ne.dll?rh1dkyd2 . To test antivirus detection with the harmless EICAR test file, visit: http://www.rexswain.com/eicar.html .
Three penetration testing methodologies can be identified: (1) White-box model. The tester is told everything about the network topology and technology and is authorized to interview IT staff and company employees, which makes the job somewhat easier. (2) Black-box model. The tester starts with no details about the network and must discover them; only a few people in the company know the test is taking place, so this model also tests whether the security staff can detect an attack. (3) Gray-box model. A hybrid of the two previous models, in which the company provides the tester with some partial information.
Final considerations:
Our research group has worked for over twenty years in the field of security risk assessment using a growing number of approaches such as penetration testing, intrusion management, compliance policy exploration, etc.
This article is part of the activities developed within the LEFIS-APTICE project (funded by the Socrates programme of the European Commission).
Author:
Prof. Dr. Javier Areitio Bertolín – E.Mail:
