If it is important for operations to continue without interruption by the security testing team, the test plan must focus on nonintrusive testing methods such as host discovery or port scanning. Host discovery is the process of scanning the network to find out which Internet Protocol (IP) addresses are attached to potentially vulnerable resources such as web servers or database servers. Depending on the purpose of the scan, an interesting discovery may be defined as anything with open ports, anything running a certain service, or even any box with a connection to the outside world.

Port scanning is a technique designed to probe a network’s open ports and look for weaknesses. Ports that are not being used should be closed, but often, they will be unintentionally left open by systems administrators who do not think to change default settings. For example, if a machine is intended to be a file server, there is no reason for port 80—the port most web servers use—to be open.

Nonintrusive testing methods can uncover valuable information about potential vulnerabilities, and, in most cases, this information is enough for an organization to justify modifying, upgrading, or replacing its existing security systems. Sometimes, positive proof of a given vulnerability’s existence and potential damage is necessary. In those cases, intrusive testing is justified.

Some security vulnerabilities cannot be reliably tested in a nonintrusive way. Weaknesses to social engineering attacks are a good example of this because it is impossible to predict how employees will behave in a social engineering situation until they are actually confronted with it. Other vulnerabilities, such as weaknesses to insecure code, are sometimes easy to test in a nonintrusive way. If a security scanner detects that insecure libraries or applications are installed in the environment, one can infer that the environment is vulnerable to buffer overflows, code injection, and the like.

One distinct advantage to nonintrusive testing is the fact that it is often automated. This allows a reliable scan to be performed by IT staff who may not have extensive security training or experience. However, just as you’d secure an IT infrastructure with more than just a firewall, testing the security of an IT infrastructure should not rely on a single method. If possible, nonintrusive and intrusive testing methods should be used in cooperation to produce a comprehensive view of the status of IT security.

IT crimes are generally crimes of opportunity. Attackers look for weak networks and bypass strong ones unless the resources on the strengthened network are highly tempting. Most of the time, if a network has been hardened, attackers will quickly move on to softer targets. Vulnerability assessment is the first step in hardening a network, and is generally performed using an automated scanning tool.

There are three basic types of vulnerability assessment scanners:

• Network scanners—A general-purpose scanner that probes a network for a variety of widely known vulnerabilities.
• Port scanners—A specialized tool that probes open ports on a system. An attacker could use these open ports to gain entry to a network.
• Web application scanners—Scans hosted web applications for known vulnerabilities. Because web applications are public-facing, they cannot be locked down as easily as an internal network.

All of these scanners are automated software packages that run periodically and produce a report of their findings. When choosing a vulnerability assessment scanner, look for one that updates frequently. Like a virus scanner, it is only as good as its vulnerability definitions. It cannot find vulnerabilities that have been discovered only recently and for which new tests have not been written.

Because of this limitation, it is important to use these automated tools as part of an overall security assessment. IT security teams should keep up to date on new vulnerabilities as they are discovered and reported, and manually check the network for them rather than wait for the vulnerability scanner to update its tests.

You have many options when choosing a vulnerability assessment scanner. The best choice depends on your organization’s needs.

Nmap. Nmap, or Network Mapper, was originally intended as a network mapping utility. Its port scanning and host detection features can be useful in identifying access points to your network and holes in access controls. The basic version of Nmap is a command-line utility, whereas the Zenmap graphical user interface (GUI) front end adds ease of use, as shown in FIGURE 12-3. Nmap is an open source utility and is highly configurable.

After Nmap runs, it outputs a report for the user. This report contains a rundown of which hosts are on a network and which ports are open on those hosts. It also contains the common usage of those ports. A sample Nmap report is shown in FIGURE 12-4 in the Zenmap GUI.

Nmap is available at https://nmap.org/.

Nessus. Nessus is a proprietary security scanner developed by Tenable Network Security. It is network-centric with webzx-based consoles and a central server. It is a useful tool for larger security teams handling larger networks. The configuration screen for Nessus is shown in FIGURE 12-5.

Nessus reports give a good breakdown of which ports are open on which hosts, and any security threats to those ports. A sample Nessus report is shown in FIGURE 12-6.

You can download a free limited version of Nessus at https://www.tenable.com/products/nessus.

OpenVAS. The Open Vulnerability Assessment Scanner (OpenVAS) is a free security scanning tool published under the GNU General Public License (GPL). The vulnerability testing plugins written for OpenVAS use the same Nessus Attack Scripting Language (NASL) as the Nessus scanner and, in fact, OpenVAS began as an offshoot of the Nessus project.

OpenVAS can deep-scan a network, looking for known issues that have not been patched in existing applications. It also scans for open ports. The configuration screen for an OpenVAS scan is shown in FIGURE 12-7.

OpenVAS scans provide detailed reports offering a breakdown of network vulnerabilities and the state of the environment in a format that even entry-level security professionals can understand. A sample OpenVAS report is shown in FIGURE 12-8.

You can find more information and live demonstrations of OpenVAS by visiting http://openvas.org/.

Security breaches are inevitable. They can occur despite your best efforts to prevent them. Knowing this, incident response and remediation must be a part of any security testing effort. It is simply not enough to scan for known vulnerabilities, patch them, and assume your IT infrastructure is safe. When unauthorized access does occur, there are two stages to a good IT response:

• Incident response—The initial response to a security breach. The goal at this stage is to contain or shut down the attack before further damage is done.
• Cleanup—The process of examining a system or network to assess damage, removing any software installed during the attack, and looking for new vulnerabilities such as backdoors, or holes in a system’s security that attackers create to facilitate repeat attacks.

Both of these are crucial and should be tested as part of an overall security assessment. The middle of a crisis is not when you want to discover that your network security expert hasn’t read a Bugtraq alert in 5 years. Incident response testing usually involves bringing in or creating a penetration team, which will be discussed later in this chapter.

To subscribe to the Bugtraq mailing list, go to https://www.securityfocus.com.

Security breach drills are one way to test the ability of IT staff to respond to an incident. These drills can be open, blind, or double-blind.

In an open drill, everyone knows that the incident is a drill and that no real attack is taking place. This is the least intrusive type of security breach response test. In a blind drill, IT staff is not notified that a drill is taking place, but the testing team has full knowledge of the infrastructure. In a double-blind test, the IT staff is not given prior warning of the test. In addition, the testing team is not given information about the infrastructure. It must start from scratch just as an attacker would. This is the most accurate way to test breach response, because it most closely imitates a real attack.

Any security breach drill should end with an incident recap meeting involving management, systems administrators, and testers. At the incident recap, the group should discuss what it learned from the tests, prioritize its findings, and begin the process of remediation.

Gap analysis is the process of identifying the difference between reality—the current state of an organization’s IT infrastructure—and the organization’s security goals. Every organization has a different ideal security level. Some organizations need the best, most secure infrastructure available. Others can forsake some level of security to gain cost savings and ease of use. Whatever that ideal level is, a gap analysis will inform IT of what improvements need to be made in order to achieve it.

A thorough gap analysis covers all seven domains of a typical IT infrastructure (shown in FIGURE 12-9) and examines security in each of them.

User Domain. Gap analysis in the User Domain focuses on user training and day-to-day practices, and how the practices affect IT security. If users are required to attend an annual security workshop on secure password creation, for example, but then use the same insecure passwords they used before the training, this represents a gap in security that should be addressed through better training and technical enforcement methods.

Most users do not willfully follow insecure practices. In most cases, they simply do not understand the purpose behind security procedures, or they do not know how to follow them successfully. Most users’ highest priorities are convenience and task efficiency. They simply want to do their jobs as easily and quickly as possible. Users often perceive security measures as an obstacle to those goals. Creating, memorizing, and typing a complex password with eight or more characters, uppercase and lowercase letters, and numeric and special characters, is more difficult and time consuming than a simple four-character password or no password at all. Similarly, it is intuitive for many users to prop open a security door, especially if they are moving equipment in and out of a server room. It is inconvenient, from the users’ perspective, to keep entering a password every time they go in and out of the server room, especially if they are carrying heavy equipment.

An effective training program that generates user buy-in to security practices bridges the gap between users’ legitimate need for convenience and efficiency with the demands of a secure infrastructure.

Workstation Domain. Because the number of workstations in an organization can be very large, automated vulnerability scanners are often the most efficient way to perform a gap analysis in the Workstation Domain. The data derived from a vulnerability scan is useful only when it is compared with the organization’s stated security goals. Many vulnerability scanners find vulnerabilities that can be exploited only from within the local network because the workstations are protected by the network firewall. The gap analysis in this domain should focus on vulnerabilities on workstations that could spread to the local network. They should be run on a regular basis because the state of any given workstation can change at any time.

For example, users—despite thorough training—will occasionally open an email attachment or load a webpage that contains a virus. Many viruses are designed to hide on a system and spread themselves across a local network until a trigger event causes them to deploy their malicious payload. The original user may not even be aware that he or she clicked on a malicious attachment or webpage. Ideally, every data packet downloaded to a workstation should be passed through a virus scanner, but the reality is that many organizations do not have updated virus scanners or users have disabled them to save time. Running a periodic vulnerability scan on the Workstation Domain is a second layer of defense in case a malicious program slips through automated virus scanning.

LAN Domain. Gap analysis in the LAN Domain focuses on the network itself. How are resources on the network secured, and could those security measures be bypassed by someone who has access to the network, either internally or remotely?

For example, many networks are set up with a firewall to prevent unauthorized users outside of the local area network (LAN) from accessing resources on the network. Once inside the firewall, however, there can be a false sense of security that leads to insecurely protected resources. Consider a file server located behind the firewall. Because it is not exposed to outside attack, systems administrators consider it relatively safe and focus their attention on other vulnerabilities. Unfortunately, if strict access controls are not implemented on the file server itself, as well as on individual folders and files on the server, a low-level user could easily stumble upon sensitive information such as product designs or financial reports, which they could then disclose intentionally or unintentionally outside of the organization.

LAN-to-WAN Domain. The LAN-to-WAN Domain is where tools such as a port scanner come into play. This is where you will test an attacker’s ability to gain privileged access to the organization’s private network through openings between the LAN and the wide area network (WAN).

Many servers come with a default configuration that leaves various ports open, such as those used by web or File Transfer Protocol (FTP) server software. If those services are not used on a machine, the ports should be closed before the machine goes into production. Unfortunately, many systems administrators forget to do this, leaving an open door for an attacker to gain access from the WAN—usually the Internet—to the LAN. A port scanner will alert systems administrators to ports that have been left open unnecessarily.

WAN Domain. Resources on the WAN include cloud computing and web applications. These must be analyzed separately from locally hosted applications because they generally exist on the public Internet, which exposes applications to a host of new threats and vulnerabilities. Some of the most prominent vulnerabilities are code injection and buffer overflow errors. Code injection is an attack where the hacker inserts malicious code into an input field, usually on a web application. If the application is not coded securely, the server will execute the malicious code.

Consider a contact form on an organization’s website. It is a simple application that allows website visitors to send a message to various departments within the organization. The user selects a department, and types his or her name and a message into a web form. The information is stored in a database table. Every 10 minutes, a script runs on the web server that pulls new comments from the database, reformats them, and emails them to the correct department.

As long as users do the expected, and enter a name and message into the form, the system works well. Unfortunately, if a malicious user finds this form, he or she could enter the following line of text in the message field:

This is a message for IT security"; drop table comments;

The web server would interpret the input as a database command:

Insert into comments "This is a message for IT security"; drop table comments;"

The web server will send that line of code to the database, which would interpret it as three lines of code:

Insert into comments "This is a message for IT security";

drop table comments;

"

The trailing end quote would throw a syntax error, but not until after the crucial command, drop table comments, was executed. This command would delete the entire comments table from the database. This type of attack is common on web applications. It is possible because of lax input validation, which is something that a good web application security scanner will look for.

Remote Access Domain. Allowing remote access to internal resources adds a level of complication to any IT infrastructure and can lead to gaps in an otherwise secure system. Gap analysis in the Remote Access Domain focuses on the access controls that authorize remote users on the internal network and the encryption methods and IP tunneling that allow data to be sent securely over the public Internet to a remote worker.

There are many areas where a gap analysis could uncover vulnerabilities in the Remote Access Domain. Lost or stolen challenge-response tokens are a common problem for remote access. If a lost or stolen token cannot be disabled promptly, that represents a significant vulnerability in the Remote Access Domain. A gap analysis in this domain should examine the average time lapse between the point a device is missed and the point at which it is disabled.

System/Application Domain. Gap analysis on systems and applications focuses on insecure code in the application, the operating system, or the libraries and programming languages that connect the two. In the System/Application Domain, you will be looking for vulnerabilities that can lead to buffer overflows, SQL injections, and other common application-level attacks.

Unfortunately, many application-level vulnerabilities are not the fault of insecure code written in-house. The vulnerabilities exist in the programming languages and libraries that developers rely on. Libraries and functions within programming languages exist so that developers can concentrate on the high-level functionality of their applications and not get bogged down by the low-level details of file management or database communication. Unfortunately, when a vulnerability exists in low-level libraries, that vulnerability filters up into the application, where it can be exploited by malicious users.

New vulnerabilities are constantly surfacing, so it is important for developers and systems administrators to know exactly which libraries are in use and to keep up to date on new vulnerability announcements.

The term “red team” originated in military war-gaming parlance. In this context, the red team is the attacker in a war game. Both the attacker and the defender know that the war game is taking place. The red team knows that the defenders expect them but do not know how they’ve prepared. In penetration testing, the red team may be made up of systems administrators from other departments within the organization or of external penetration testers.

The blue team in a war game is the defending team. It may not know how the red team will attack, but it knows to expect some sort of attack. In penetration testing, the systems administrators and general IT staff are considered the blue team.

A tiger team is the most common type of penetration tester. Tiger teams are almost always external testers who operate in a double-blind penetration test. The target, with the exception of upper management, who authorized the test, is unaware that the test is taking place, and the testing team is given no information about the infrastructure. The tiger team is left to discover what it can about the infrastructure prior to launching the actual attack, and the IT staff must detect and respond to the attack.