Ch18 - 18.02 - Performing a Security Assessment Flashcards
Open Vulnerability and Assessment Language (OVAL)
Open Vulnerability and Assessment Language is an international standard for assessing the vulnerabilities of a system. OVAL has three stages to the assessment: represent system information, assess vulnerabilities, and report on the vulnerabilities.
Learn more about OVAL from http://oval.mitre.org/about/index.html.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Operationally Critical Threat, Asset, and Vulnerability Evaluation is a self-directed security assessment methodology. "Self-directed" means that an organization chooses a team from its own employees to do the security assessment. OCTAVE has four phases:
(1) Develop risk management criteria consistent with the goals of the business,
(2) Create a profile for each information asset that identifies the security requirements,
(3) Identify threats to each of those assets, and
(4) Identify and analyze risks and begin mitigation approaches.
Learn more about OCTAVE at www.cert.org/octave/.
Open Web Application Security Project (OWASP)
Open Web Application Security Project is a project that standardizes web application security-testing procedures. You can learn more about OWASP from www.owasp.org/index.php. They have some great guides published on web application testing and code review.
Pivoting
Before looking at the hacking process, which many pen-testers follow, you should be aware of the term pivot, or pivoting, in the context of penetration testing. Pivoting is when the tester compromises a server, such as a web server, and then uses that system to gain access to other systems on the network being attacked. It is important to note that penetration testing, like hacking, is a long, drawn-out process, and it may take time before the final system is attacked.
Hacking Process
- Profiling
- Scanning and Enumeration
- Gaining Access/Initial Exploitation
- Maintaining Access/Persistence
- Covering Tracks
Hacking Process - 1. Profiling (Reconnaissance) Phase
The first phase of the hacking process is known as the reconnaissance phase or the profiling phase. In this phase, the hacker uses Internet resources to discover information about your organization.
Note that 85 percent of the hacking process is spent on the profiling phase and on collecting information that the hacker can use in an attack.
Hacking Process - 2. Scanning and Enumeration
After the hacker has collected the IP addresses in the profiling phase, the hacker moves into the scanning phase. The hacker is still doing reconnaissance, but it is considered active reconnaissance because the hacker is actually sending traffic to the organization's systems.
The goal of the scanning phase is to find out what services are running on the system by finding out the port numbers that are open on the system. Once the hacker finds out the port numbers that are open, the hacker will then do a banner grab from the system, which reports the version of the software that is running on that port. The reason the hacker wants to know the version of the software is so that they can then research how to exploit that software.
In this phase of the hacking process, the hacker may also try to enumerate the system, which means collecting more information about the system. The hacker may try to identify computer names, usernames, or even get a list of groups from the system.
Hacking Process - 3. Gaining Access/Initial Exploitation
Once the hacker knows what ports are running on the system and the version of the software that is running on those ports, they will research how to exploit that software. It is amazing how easy it is to find exploits on popular products—just go to Google and type exploit and then add the product name of what you want to exploit.
The hacker could use any attack type for the initial exploitation in order to gain access to the system, but popular methods of gaining access to a system today are buffer overflow attacks and other types of injection attacks.
Once the hacker gains access to the system, they may need to perform an escalation of privilege attack. This attack is required if the hacker compromises a system and does not have administrative access to the system. The hacker could perform a privilege escalation attack to gain administrative access. There are a number of ways that hackers could perform a privilege escalation attack; they could obtain the password hashes from the SAM database of the Windows system, for example, or perform DLL injection by loading a malicious DLL in the same address space as a process with system-level access.
Hacking Process - 4. Maintaining Access/Persistence
Once the hacker has gained access to the system, they want to ensure that they can get access again later. To ensure persistence, meaning that the hacker can gain access later, the hacker will plant a back door, such as creating an administrative account or planting a rootkit or Trojan virus on the system.
Hacking Process - 5. Covering Tracks
The final phase in the hacking process is to cover tracks. The hacker knows that most security professionals will implement auditing or logging features on the system and log any activity that is performed. After the hacker creates the suspicious activity, they will then find the log files on the system and either delete the files or delete the entries from the logs that deal with the hacker’s activity. It is critical that you protect the log files to ensure that no one can destroy them.
A List of Some of the Common Steps in a Penetration Test:
The point of understanding the hacking process is that, as a penetration tester, you should follow that process so that your penetration test (pen-test) is similar to what the hacker would do to gain access. This is important to understand because many security professionals do not spend time performing the steps in the profiling phase, which means you never know what your organization is exposing out on the Internet.
Steps are:
- Initial meeting
- Draft legal documents
- Create a pen-test plan
- Test pen-test plan
- Perform penetration test
- Create a report on findings
- Present report results
- Destroy any copies of the report
Penetration Test - 1. Initial meeting
Start the process by meeting with upper-level management to find out the scope of what they would like you to do. At this point, you should find out if it is OK to perform all types of testing, such as denial of service attacks, buffer overflow attacks, and password attacks (to name a few). Also, at this point, you should reiterate that you cannot guarantee that a denial of service will not happen.
Penetration Test - 2. Draft legal documents
After the initial meeting, see a lawyer and have a legal document drafted stating that you are allowed to do the penetration test. Be sure to have the document signed by an authorized representative of the organization you are doing the penetration test for.
Penetration Test - 3. Create a pen-test plan
Once you have the document signed, plan the types of attacks or testing you will perform. The purpose of building a plan is so that you are disciplined and follow a methodology in your approach and don’t just have a field-day hacking someone’s network.
Penetration Test - 4. Test pen-test plan
Test the tools you will use to perform the different types of attacks to ensure they work and to see if they will cause a denial of service when executed.
Penetration Test - 5. Perform penetration test
At this point, you are at the customer’s site performing the penetration test and following your plan. Be sure to test password cracking, wireless cracking, and buffer overflow attacks. Test physical security elements and social engineering attacks against the organization as well. Be sure to document everything you do, including the start time and end time of each step.
Penetration Test - 6. Create a report on findings
Once the test is complete, create a report of your findings. You do not have to include your log of all activity, but be sure to have it handy in case you have to refer to it. You should include screenshots of successful and failed attacks on the systems along with recommendations on how to improve security.
Penetration Test - 7. Present report results
In this phase, you will meet with upper-level management again to report your findings and give them a copy of the report. Ensure that you have the customer sign off on a completed assessment.
Penetration Test - 8. Destroy any copies of the report
As a final step, ensure that you do not have additional copies of the assessment in either printed form or electronic form.
Protocol Analyzer/Packet Sniffer
The first tool to be familiar with is a protocol analyzer, also known as a packet sniffer, or just sniffer. The purpose of a sniffer program is to passively capture traffic traveling the network in order to view or analyze that traffic. The purpose of using a sniffer when performing a security assessment is to see if you can capture sensitive information being sent on the network in clear text. If you find that passwords or other sensitive information is in the packet capture, then you should recommend that the organization encrypt network traffic.
Network Scanners and Port Scanners
A very important set of tools for security testers and network administrators is a network scanner and a port scanner. A network scanner can help you map out what systems exist on the network, which is known as network mapping. Two common tools that can be used for network mapping are nmap and Angry IP Scanner. Network mapping software can also be used to identify unauthorized systems that have been connected to the network. This is known as rogue system detection.
Wireless Scanner
A common set of tools used on today's networks is a wireless scanner and a wireless cracker. A wireless scanner is a tool that can be used to discover wireless networks within range and their characteristics. For example, with a wireless scanner you can see the SSID name, the channel, the type of encryption being used (WEP/WPA2), and the signal strength. Examples of wireless scanners are Acrylic WiFi for Windows and Kismet for Linux.
Wireless Cracker
A wireless cracker is a tool used to crack the encryption key on a WEP or WPA2 protected wireless network. There are tools such as Aircrack-ng that can be used to crack the wireless encryption once enough traffic has been captured.
Vulnerability Scanner
A vulnerability scanner is quite a bit different from a port scanner. The vulnerability scanner will scan the system for known vulnerabilities and then report the problems that have been found. The vulnerability scanner bases its decisions on a vulnerability database that is constantly being updated. When you do the scan, the vulnerability scanner compares the patch level and the configuration of your system(s) against the vulnerability database to see whether you are failing to follow best practices (that is, whether you have vulnerabilities).