Level III Assessments
Having completed a level I and level II assessment, you may have determined it is necessary to continue your technical analysis. Some of the tools you will need for this level of the technical assessment include the following:
Information-gathering tools and techniques
Scanning tools
Enumeration tools
Wireless tools
Password auditing tools
Vulnerability scanning tools
Automated exploit tools
NIST 800-42 is a good foundational document to review to help guide you through this portion of your testing. Level III assessments can be performed for several reasons:
To see what attackers can access and infiltrate if they so desire
To determine what types of information leakage is occurring
To demonstrate the end result of some of the uncovered vulnerabilities.
Simply stated, if discovered vulnerabilities are not addressed, this may be the result. You may perform these activities yourself or hire outside consultants for this task. If you outsource any aspect of the assessment, check the vendor’s references and prior experience to see if this third party is reliable. It is also advisable to run background checks to see whether outside consultants have been involved in any criminal activities.
Vulnerability Exploitation
Vulnerability exploitation is an attractive option because you can tell some people about vulnerabilities, but showing them their passwords, talking about the secret plans for next year’s product launch, or producing a file stored only on the CEO’s laptop can have a very dramatic effect. Although exploiting vulnerabilities won’t always be necessary, when they are used, they can produce some dramatic results. A big drawback to level III assessments and the never ending hunt for potential weaknesses to exploit is that there will always be weaknesses or potential vulnerabilities; you will want to identify which risks concern your organization most and then concentrate on them while ensuring that the policy structure is in place so that long-term security can be maintained. Tools used for vulnerability exploitation include
Metasploit
CANVAS
Core IMPACT
If you believe this level of assessment is necessary, planning becomes an important issue. These activities most likely will not run from 8 a.m. to 5 p.m. Therefore, it is important that team members are not scheduled for long periods of continuous work, even if they are being fueled by Snickers and Mountain Dew! These activities can take substantial amounts of time, so make sure to
Plan the best time to perform these activities, possibly late night and weekends. Think about what result a network outage would have during peak business hours.
Maintain phone numbers and contact information of key network professionals. If something does go wrong, you will need the appropriate contact numbers.
Plan your activities to have the least level of impact on the organization.
Tip
Throughout this assessment process, you should be in close contact with management to keep them abreast of your findings. There shouldn’t be any big surprises at the conclusion of the process. Management should be kept informed of your findings as the project progresses. At the conclusion of these assessment activities, you will want to report on your initial findings even before you have developed a report. You shouldn’t be focused on recommendations here, but on what you found and its potential impact. Some key decisions will start being made at this meeting, so it is essential to prepare in advance.