[ISN] How do you test strength of a network's security?

From: mea culpa (jerichoat_private)
Date: Thu Nov 19 1998 - 23:00:31 PST


    November 16, 1998
    Cyber Sense
    How do you test strength of a network's security?
    Chaim Yudkowsky
    A recent column discussed how to protect your network to make it
    impervious (or at least close to impervious) to misuse by internal and
    external users. 
    But once you have installed the hardware and software tools to monitor
    and fortify your network (local area, wide area and/or Internet
    connected), what really tests the strength of that network? 
    A recent conversation with Andrew Gingher, a senior security consultant
    with NJH Security Consultants (njh.com) with offices in Atlanta and Salt
    Lake City gave me a look into that next step. 
    The remote audit -- Internet. The first step of action is to pay someone
    to act and think like a hacker and attack your network in a friendly
    (without causing damage) but aggressive manner.  For any system connected
    to the Internet, that begins with only knowing the IP address base and
    nothing else. The "hacker" first confirms that the IP address base, which
    you think you have rights to, is accurate. 
    Interestingly, the reason for that is more to protect the auditor legally
    than to protect you, the paying customer. 
    Once the auditor has confirmed your rights to the addresses, the games
    begin. The "hacker" will attempt to locate and identify all systems that
    can be accessed given your addresses. That means finding out as much as
    possible, including physical location of the machine, network and
    corporate features and responsibilities of the machine, and all the
    services available on the machine. 
    Once that is complete, the auditor will then use hacker techniques,
    commercial scanning tools and proprietary tools to penetrate the your
    The invasive aspects of the audit are designed not to modify data, so
    that ultimately your systems do not have to interrupt service once the
    invasion begins. 
    One of the basic tests in the invasion is use of the SUPER USER
    (administrator- or supervisor-level) accounts to gain complete control of
    and access to the system. 
    Finally, the auditor will perform two last manual checks that affect
    practical administration of the system's access. 
    The first is an examination of the DNS (domain name services)
    configuration to check that the technical and administrative contacts are
    correct for that site. 
    The second is looking for a system that may be "spoofing" the first site.
    A business example would be a site spoofing a bank's site that, if
    designed shrewdly enough, could lull the customer into divulging access
    codes and other confidential information while leaving no indication that
    the customer is in the wrong place. 
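A simple form of the spoof-site check described above, as an added example that is not part of the column: it flags observed domain names that resemble a legitimate site's name after normalising characters commonly substituted for look-alike letters. The legitimate domain, the candidate names and the homoglyph table are constructed for the example.

```python
"""Flag domain names that may be spoofing a legitimate site (added example)."""
from difflib import SequenceMatcher

# Constructed table of common look-alike substitutions (multi-character
# pairs first so that "rn" becomes "m" before single characters are mapped).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("|", "l"))


def normalize(label: str) -> str:
    """Lower-case a label and fold look-alike characters to their targets."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def registrable(domain: str):
    """Return (second-level label, top-level domain); single-level TLDs assumed."""
    parts = domain.strip().lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def is_lookalike(legit: str, candidate: str, threshold: float = 0.8) -> bool:
    """True when candidate looks like legit but is not the same registered name."""
    legit_label, legit_tld = registrable(legit)
    cand_label, cand_tld = registrable(candidate)
    if (cand_label, cand_tld) == (legit_label, legit_tld):
        return False                      # identical name: nothing to flag
    n_legit, n_cand = normalize(legit_label), normalize(cand_label)
    if n_cand == n_legit:
        return True                       # differs only by homoglyphs or TLD
    if n_legit in n_cand:
        return True                       # e.g. "<legit>-login"
    # Near misses such as transposed letters score high on the ratio.
    return SequenceMatcher(None, n_legit, n_cand).ratio() >= threshold


def find_lookalikes(legit: str, candidates, threshold: float = 0.8):
    """Filter a list of observed domains down to the suspected look-alikes."""
    return [c for c in candidates if is_lookalike(legit, c, threshold)]


if __name__ == "__main__":
    observed = ["examplebank.com", "exarnplebank.com", "examp1ebank.net",
                "examplebank-login.com", "exampelbank.com", "unrelatedshop.com"]
    print(find_lookalikes("examplebank.com", observed))
```

The threshold trades missed near-misses against false alarms; names that pass the check still need a human to confirm who registered them.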
    The remote audit -- Dial-up. That type of audit is a bit easier than
    the first because it has a more focused method of entry. Such an audit has
    two functions. 
    First is "locate," when the auditor tests every phone number provided and
    attempts to identify all the devices that respond to a call. 
    The second is "penetration" of the security of the dial-up. Note that
    dial-up penetration can be made more difficult if you are using automatic
    call-back security. That will require that your system call you back at a
    predefined number to allow any access at all. 
    Onsite audit. The onsite audit consists of three primary components. 
    * Policy review. A discussion and review of policies including password
    recycling and aging, use of encryption, overall use policies (internal and
    from outside the office), and management's attentiveness and sensitivity
    to enforcing the stated policies. 
    * Internal connectivity. That is more than the engineering diagram or
    topological diagram of your network's internal connectivity and how it
    interfaces with external systems. It reviews paths of data flow between
    systems. The objective is to see if any data is flowing where it should
    not be or taking a route that is not secure enough for the value of the
    * Physical review of the facilities. One of the best security mechanisms
    is still impeding physical access and preventing disasters that threaten
    systems and their data. In that part of the audit, the auditor is looking
    for locked rooms, alarm systems, fire protection, Uninterruptible Power
    Supply (UPS), passwords scribbled on the desktop and more. 
    What to expect? The good security auditor will conclude with a report that
    addresses not only system vulnerabilities, but also specific suggestions
    for improvement and technical information for implementing those needed
    Choosing a security consultant is a responsibility that requires care and
    diligence.  Some criteria for the firm or individual to consider are: 
    * 100 percent security consulting. Expertise here involves too much to
    know to be part-time. 
    * Technical qualification grounded in real-time testing. The ideal audit
    is invading your live systems. 
    * Background checking. Security audits have a first word, "security." You
    must be able to trust the auditor and the auditor's credentials. 
    * Reference checking. Since most of us will not understand all the
    possible attacks to our system and how one consultant may test them vs. 
    another, references are good tools in understanding a specific
    consultant's methodology, final report deliverable, follow-up on
    vulnerabilities and ability to secure the systems. 
    Is a full security audit appropriate for everyone? Arguably not. But all
    of us can use the understanding of what an audit consists of to at least
    strengthen our weakest defenses. 
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:11:47 PDT