[ISN] How do you test strength of a network's security?

From: mea culpa <jericho_at_dimensional.com>
Date: Fri 20 Nov 1998 - 01:00:31 CST
http://www.amcity.com/louisville/stories/1998/11/16/smallb3.html

November 16, 1998

Cyber Sense
How do you test strength of a network's security?
Chaim Yudkowsky

A recent column discussed how to protect your network to make it
impervious (or at least close to impervious) to misuse by internal and
external users. 

But once you have installed the hardware and software tools to monitor
and fortify your network (local area, wide area and/or Internet
connected), what really tests the strength of that network? 

A recent conversation with Andrew Gingher, a senior security consultant
with NJH Security Consultants (njh.com) with offices in Atlanta and Salt
Lake City gave me a look into that next step. 

The remote audit -- Internet. The first step of action is to pay someone
to act and think like a hacker and attack your network in a friendly
(without causing damage) but aggressive manner.  For any system connected
to the Internet, that begins with only knowing the IP address base and
nothing else. The "hacker" first confirms that the IP address base, which
you think you have rights to, is accurate. 

Interestingly, the reason for that is more to protect the auditor legally
than to protect you, the paying customer. 

Once the auditor has confirmed your rights to the addresses, the games
begin. The "hacker" will attempt to locate and identify all systems that
can be accessed given your addresses. That means finding out as much as
possible, including physical location of the machine, network and
corporate features and responsibilities of the machine, and all the
services available on the machine. 

Once that is complete, the auditor will then use hacker techniques,
commercial scanning tools and proprietary tools to penetrate your
system. 

The invasive aspects of the audit are designed not to modify data, so
that ultimately your systems do not have to interrupt service once the
invasion begins. 

One of the basic tests in the invasion is use of the SUPER USER
(administrator- or supervisor-level access) accounts for complete control
and access of the system. 

Finally, the auditor will perform two last manual checks that affect
practical administration of the system's access. 

The first is an examination of the DNS (domain name services)
configuration to check that the technical and administrative contacts are
correct for that site. 
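The DNS contact check above can be done from the zone's SOA record, whose RNAME field encodes the responsible mailbox in RFC 1035 form (the first unescaped dot separates the local part from the domain, and a literal dot in the local part is written as "\."). The following is an added example, not code from the column or from NJH; the SOA answers and the set of domains the organisation is assumed to control (`expected_domains`) are constructed for illustration.

```python
"""Audit the responsible-party mailbox recorded in a zone's SOA record.

Added example for the column's DNS-contact check. Sample records below
are constructed, in the form `dig SOA <zone>` prints the rdata.
"""

# Constructed sample SOA rdata: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
SAMPLE_SOA = {
    "example.com.": "ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600",
    # local part with an escaped dot: john.doe@example.net
    "example.net.": "ns1.example.net. john\\.doe.example.net. 2024010101 7200 900 1209600 3600",
    # contact points at a domain the organisation no longer controls
    "example.org.": "ns1.example.org. hostmaster.oldprovider.example. 2024010101 7200 900 1209600 3600",
}


def rname_to_mailbox(rname: str) -> str:
    """Convert an SOA RNAME (RFC 1035 section 3.3.13) into an e-mail address."""
    rname = rname.rstrip(".")
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):   # escaped dot stays in the local part
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":                             # first unescaped dot becomes '@'
            return "".join(local) + "@" + rname[i + 1:]
        local.append(ch)
        i += 1
    return "".join(local)                         # malformed RNAME: no domain part


def audit_soa_contact(zone: str, soa_rdata: str, expected_domains) -> dict:
    """Return the contact mailbox and whether its domain is one the
    organisation controls (expected_domains is an assumed allow-list)."""
    mname, rname = soa_rdata.split()[:2]
    mailbox = rname_to_mailbox(rname)
    domain = mailbox.partition("@")[2].lower()
    ok = any(domain == d or domain.endswith("." + d) for d in expected_domains)
    return {"zone": zone, "primary": mname, "contact": mailbox, "contact_ok": ok}


if __name__ == "__main__":
    owned = {"example.com", "example.net", "example.org"}
    for zone, rdata in SAMPLE_SOA.items():
        print(audit_soa_contact(zone, rdata, owned))
```

A contact mailbox at a domain outside the allow-list is exactly the stale entry the auditor's check is meant to surface.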

The second is looking for a system that may be "spoofing" the first site.
A business example would be a site spoofing a bank's site that, if
designed shrewdly enough, could disarm the customer to divulge access
codes and other confidential information while leaving no indication that
the customer is in the wrong place. 

The remote audit -- Dial-up. That type of audit is a bit easier than
the first because it has a more focused method of entry. Such an audit has
two functions. 

First is "locate," when the auditor tests every phone number provided and
attempts to identify all the devices that respond to a call. 

The second is "penetration" of the security of the dial-up. Note that
dial-up penetration can be made more difficult if you are using automatic
call-back security. That will require that your system call you back at a
predefined number to allow any access at all. 

Onsite audit. The onsite audit consists of three primary components. 

* Policy review. A discussion and review of policies including password
recycling and aging, use of encryption, overall use policies (internal and
from outside the office), and management's attentiveness and sensitivity
to enforcing the stated policies. 

* Internal connectivity. That is more than the engineering diagram or
topological diagram of your network's internal connectivity and how it
interfaces with external systems. It reviews paths of data flow between
systems. The objective is to see if any data is flowing where it should
not be or taking a route that is not secure enough for the value of the
data. 

* Physical review of the facilities. One of the best security mechanisms
is still impeding physical access and preventing disasters that threaten
systems and their data. In that part of the audit, the auditor is looking
for locked rooms, alarm systems, fire protection, Uninterruptible Power
Supply (UPS), passwords scribbled on the desktop and more. 

What to expect? The good security auditor will conclude with a report that
addresses not only system vulnerabilities, but also specific suggestions
for improvement and technical information for implementing those needed
changes. 

Choosing a security consultant is a responsibility that requires care and
diligence.  Some criteria for the firm or individual to consider are: 

* 100 percent security consulting. Expertise here involves too much to
know to be part-time. 

* Technical qualification grounded in real-time testing. The ideal audit
is invading your live systems. 

* Background checking. Security audits have a first word, "security." You
must be able to trust the auditor and the auditor's credentials. 

* Reference checking. Since most of us will not understand all the
possible attacks to our system and how one consultant may test them vs. 
another, references are good tools in understanding a specific
consultant's methodology, final report deliverable, follow-up on
vulnerabilities and ability to secure the systems. 

Is a full security audit appropriate for everyone? Arguably not. But all
of us can use the understanding of what an audit consists of to at least
strengthen our weakest defenses. 


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Sat Nov 21 11:38:32 1998