http://www.amcity.com/louisville/stories/1998/11/16/smallb3.html
November 16, 1998

Cyber Sense
How do you test the strength of a network's security?
Chaim Yudkowsky

A recent column discussed how to protect your network to make it impervious (or at least close to impervious) to misuse by internal and external users. But after you have installed the hardware and software tools to monitor and fortify your network (local area, wide area and/or Internet connected), what really tests the strength of the network? A recent conversation with Andrew Gingher, a senior security consultant with NJH Security Consultants (njh.com), which has offices in Atlanta and Salt Lake City, gave me a look into that next step.

The remote audit -- Internet. The first step is to pay someone to act and think like a hacker and attack your network in a friendly (without causing damage) but aggressive manner. For any system connected to the Internet, that begins with knowing only the IP address block and nothing else. The "hacker" first confirms that the IP address block you think you have rights to is really yours. Interestingly, the reason for that is more to protect the auditor legally than to protect you, the paying customer. Once the auditor has confirmed your rights to the addresses, the games begin. The "hacker" will attempt to locate and identify all systems that can be reached through your addresses. That means finding out as much as possible, including the physical location of each machine, its network and corporate roles and responsibilities, and all the services available on it.

Once that is complete, the auditor will use hacker techniques, commercial scanning tools and proprietary tools to penetrate your system. The invasive parts of the audit are designed not to modify data, so that your systems do not have to interrupt service once the invasion begins. One of the basic tests in the invasion is an attempt to use the superuser (administrator- or supervisor-level) accounts for complete control of and access to the system.

Finally, the auditor performs two last manual checks that affect the practical administration of access to the system. The first is an examination of the DNS (domain name service) configuration to check that the technical and administrative contacts listed for the site are correct. The second is looking for a system that may be "spoofing" the site. A business example would be a site spoofing a bank's site that, if designed shrewdly enough, could lull a customer into divulging access codes and other confidential information while giving no indication that the customer is in the wrong place.

The remote audit -- Dial-up. This type of audit is a bit easier than the first because it has a more focused method of entry. Such an audit has two functions. The first is "locate," in which the auditor tests every phone number provided and attempts to identify all the devices that respond to a call. The second is "penetration" of the dial-up security. Note that dial-up penetration can be made more difficult if you are using automatic call-back security, which requires that your system call you back at a predefined number before allowing any access at all.

Onsite audit. The onsite audit consists of three primary components.

* Policy review. A discussion and review of policies, including password recycling and aging, use of encryption, overall use policies (internal and from outside the office), and management's attentiveness and sensitivity to enforcing the stated policies.

* Internal connectivity. This is more than the engineering diagram or topological diagram of your network's internal connectivity and how it interfaces with external systems. It reviews the paths of data flow between systems. The objective is to see whether any data is flowing where it should not be, or taking a route that is not secure enough for the value of the data.

* Physical review of the facilities. One of the best security mechanisms is still impeding physical access and preventing disasters that threaten systems and their data. In that part of the audit, the auditor is looking for locked rooms, alarm systems, fire protection, an uninterruptible power supply (UPS), passwords scribbled on the desktop and more.

What to expect? The good security auditor will conclude with a report that addresses not only system vulnerabilities, but also specific suggestions for improvement and technical information for implementing the needed changes.

Choosing a security consultant is a responsibility that requires care and diligence. Some criteria to consider for the firm or individual are:

* 100 percent security consulting. Expertise here involves too much to know to be a part-time pursuit.

* Technical qualification grounded in real-time testing. The ideal audit is invading your live systems.

* Background checking. Security audits have a first word, "security." You must be able to trust the auditor and the auditor's credentials.

* Reference checking. Since most of us will not understand all the possible attacks on our systems, or how one consultant may test them versus another, references are good tools for understanding a specific consultant's methodology, final report deliverable, follow-up on vulnerabilities and ability to secure the systems.

Is a full security audit appropriate for everyone? Arguably not. But all of us can use an understanding of what an audit consists of to at least strengthen our weakest defenses.

-o- Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:11:47 PDT