Defining Penetration Testing
A penetration testing methodology ensures that a process is followed and that certain tasks get completed. A methodology also ensures that a test meets regulatory or other legal requirements when compliance testing is done.
If a penetration test is undertaken or requested as part of a regulatory audit or compliance test, the law can play a big role. Failure to follow specific processes, and to do so on a regular schedule, can lead to civil and regulatory penalties.
Different methodologies may have more or fewer steps based on their goals and what they were designed for. For example, a pen test for HIPAA would have specific goals in mind, and the process may need to be adjusted to account for them.
A penetration tester, or pentester, is employed by an organization either as an internal employee or as an external entity such as a contractor hired on a per-job or per-project basis.
In either case, pentesters conduct a penetration test, meaning they survey, assess, and test the security of a given organization by using the same techniques, tactics, and tools that a malicious hacker would use.
The main differences between a malicious hacker and a pentester are intent and the permission that they get, both legal and otherwise, from the owner of the system that will be evaluated. Additionally, pentesters are never to reveal the results of a test to anyone except those designated by the client.
As a safeguard for both parties, a nondisclosure agreement (NDA) is usually signed by both the hiring firm and the pentester. This protects company property and allows the pentester access to internal resources.
Finally, the pentester works under contract for a company, and the contract specifies what is off-limits and what the pentester is expected to deliver at the end of the test. All of the contractual details depend on the specific needs of a given organization.
Some other commonly encountered terms for pentester are penetration tester, ethical hacker, and white-hat hacker. All three terms are correct and describe the same type of individual (though some may debate these apparent similarities in some cases). Typically the most commonly used name is pentester.
Scoping a penetration test is important since it allows the client and penetration tester to understand the test objectives. The scoping process should seek to clearly define all the goals and objectives of the test and what the expected deliverables at the end of the test will be.
Without written permission, a penetration tester entering a network or other system is not viewed any differently than a black-hat hacker.
Written permission should always be obtained if test goals are expanded, changed, or otherwise differ from the original objectives. Never substitute verbal approvals or requests to perform a task for written permission.
Being a pentester has become more important in today’s world as organizations have had to take a more serious look at their security posture and how to improve it.
Several high-profile incidents such as the ones involving retail giant Target and entertainment juggernaut Sony have drawn attention to the need for better trained and more skilled security professionals who understand the weaknesses in systems and how to locate them.
Through a program that combines technological, administrative, and physical measures, many organizations have learned to fend off their vulnerabilities.
Technology controls such as virtual private networks (VPNs), cryptographic protocols, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), access control lists (ACLs), biometrics, smart cards, and other devices have helped improve security.
Administrative controls such as policies, procedures, and other rules have also been strengthened and implemented over the past decade. Physical controls include devices such as cable locks, device locks, alarm systems, and other similar devices.
As a pentester, you must be prepared to test environments that include any or all of the technologies listed here as well as an almost endless number of other types. So, what is a penetration tester anyway?
EC-Council uses ethical hacker when referencing its own credential, the Certified Ethical Hacker.
In some situations, what constitutes a hacker is a topic ripe for argument. I have had many interesting conversations over the years addressing the question of whether the term hacker is good or bad.
Many hackers are simply bad news all-around and have no useful function, and that’s how hackers are usually portrayed in movies, TV, blogs, and other media.
However, hackers have evolved, and the term can no longer be applied to just those who engage in criminal actions. In fact, many hackers have shown that while they have the skill to commit crimes and wreak havoc, they are more interested in engaging with clients and others to improve security or perform research.
Recognizing Your Opponents
In the real world, you can categorize hackers to differentiate their skills and intent.
These hackers have limited or no training and know how to use basic tools or techniques. They may not even understand any or all of what they are doing.
These hackers think like the attacking party but work for the good guys. They typically are characterized by having what is commonly considered to be a code of ethics that says they will cause no harm. This group is also known as pentesters.
These hackers straddle the line between the good and bad sides and have decided to reform and become the good side. Once they are reformed, they may not be fully trusted, however.
Additionally, in the modern era of security, these types of individuals also find and exploit vulnerabilities and provide their results to the vendor either for free or for some form of payment.
These hackers are the bad guys who operate on the wrong side of the law. They may have an agenda or no agenda at all. In most cases, black-hat hackers and outright criminal activity are not too far removed from one another.
Cyber terrorists are a new form of the attacker that tries to knock out a target without regard to being stealthy. The attacker essentially is not worried about getting caught or doing prison time to prove a point.
Preserving Confidentiality, Integrity, and Availability
Any organization that is security minded is trying to maintain the CIA triad, that is, the core principles of confidentiality, integrity, and availability. The following list describes the core concepts. You should keep these concepts in mind when performing the tasks and responsibilities of a pentester.
Confidentiality: This refers to the safeguarding of information, keeping it away from those not otherwise authorized to possess it. Examples of controls that preserve confidentiality are permissions and encryption.
Integrity: This deals with keeping information in a format that retains its original purposes, meaning that the data the receiver opens is the same as the creator intended.
Availability: This deals with keeping information and resources available to those who need to use them. Simply put, information or resources, no matter how safe, are not useful unless they are ready and available when called upon.
CIA is one of the most important if not the most important set of goals to preserve when assessing and planning security for a system. An aggressor will attempt to break or disrupt these goals when targeting a system.
Why is the CIA triad so important? Well, consider what could result if an investment firm or defense contractor suffered a disclosure incident at the hands of a malicious party. The results would be catastrophic, not to mention it could put either organization at serious risk of civil and criminal actions.
As a pentester, you will be working toward finding holes in the client’s environment that would disrupt the CIA triad and how it functions. Another way of looking at this is through the use of something I call the anti-CIA triad.
Improper Disclosure: This is the inadvertent, accidental, or malicious revealing or accessing of information or resources to an outside party. Simply put, if you are not someone who is supposed to have access to an object, you should never have access to it.
Unauthorized Alteration: This is the counter to integrity as it deals with the unauthorized or other forms of modifying information. This modification can result from corruption or accidental access, or it can be malicious in nature.
Disruption (aka Loss): This means that access to information or resources has been lost when it otherwise should not have been. Essentially, information is useless if it is not there when it is needed.
While information or other resources can never be 100 percent available, some organizations spend the time and money to get 99.999 percent uptime, which averages about six minutes of downtime per year.
Appreciating the Evolution of Hacking
The role of the pentester tends to be one of the more misunderstood positions in the IT security industry. To understand the role of this individual, let’s first look back at the evolution of the hacker from which the pentester evolved.
Hacker has a double meaning within the technology industry in that it has been known to describe both software programmers and those who break into computers and networks uninvited. The former meaning tends to be the more positive of the two, with the latter being the more negative connotation.
The news media adds to the confusion by using the term liberally whenever a computer or other piece of technology is involved. Essentially the news media, movies, and TV consider anyone who alters technology or has a high level of knowledge to be a hacker.
The Role of the Internet
Hackers became more prolific and more dangerous not too long after the availability of the Internet to the general public. At first many of the attacks that were carried out on the Internet were of the mischievous type such as the defacing of web pages or similar types of activity.
Although initially, many of these first types of attacks on the Internet may have been pranks or mischievous in nature, later attacks became much more malicious.
In fact, attacks that have been perpetrated since the year 2000 have become increasingly more sophisticated and aggressive as well as more publicized. One example from August 2014 is the massive data breach against Apple’s iCloud, which was responsible for the public disclosure of hundreds of celebrity pictures in various intimate moments.
Unfortunately, Apple’s terms and conditions for customers using iCloud cannot hold Apple accountable for data breaches and other issues.
This breach has so far resulted in lawsuits by many of those who had their pictures stolen as well as a lot of negative publicity for Apple. The photos that were stolen as a result of this breach can be found all over the Internet and have spread like wildfire much to the chagrin of those in the photos.
Another example of the harm malicious hackers have caused is the Target data breach in September 2014. This breach was responsible for the disclosure of an estimated 56 million credit card accounts.
This single breach took place less than a year after the much-publicized Target data breach, which itself was responsible for 40 million customer accounts being compromised.
A final example comes from information provided by the U.S. government in March 2016. It was revealed that the 18-month period ending in March 2015 had a reported 316 cybersecurity incidents of varying levels of seriousness against the Obamacare website. This website is used by millions of Americans to search for and acquire health care and is used in all but 12 states and Washington, DC.
While the extensive analysis of the incidents did not reveal any personal information such as Social Security numbers or home addresses, it did show that the site is possibly considered a valid target for stealing this information.
Somewhat disconcerting is the fact that there are thought to be numerous other serious issues such as unpatched systems and poorly integrated systems.
All of these attacks are examples of the types of malicious attacks that are occurring and how the general public is victimized in such attacks. Many factors have contributed to the increase in hacking and cybercrime, with the amount of data available on the Internet and the spread of new technology and gadgets being two of the leading causes.
Since the year 2000, more and more portable devices have appeared on the market with increasing amounts of power and functionality. Devices such as smartphones, tablets, wearable computing, and similar items have become very open and networkable, allowing for the easy sharing of information.
Additionally, I could also point to the number of Internet-connected devices such as smartphones, tablets, and other gadgets that individuals carry around in increasing numbers. Each of these examples has attracted the attention of criminals, many of whom have the intention of stealing money, data, and other resources.
Many of the attacks that have taken place over the last decade have been perpetrated not by the curious hackers of the past but rather by other groups. The groups that have entered the picture include those who are politically motivated, activist groups, and criminals.
While there are still plenty of cases of cyber attacks being carried out by the curious or by pranksters, the attacks that tend to get reported and have the greatest impact are these more maliciously motivated ones.
The Hacker Hall of Fame (or Shame)
Many hackers and criminals have chosen to stay hidden behind aliases or in many cases, they have never gotten caught, but that doesn’t mean there haven’t been some noticeable faces and incidents. Here’s a look at some famous hacks over time:
In 2009, Kristina Vladimirovna Svechinskaya, a young Russian hacker, got involved in several plots to defraud some of the largest banks in the United States and Great Britain. She used a Trojan horse to attack and open thousands of bank accounts in the Bank of America, through which she was able to skim around $3 billion in total.
In an interesting footnote to this story, Ms. Svechinskaya was named World’s Sexiest Hacker at one point due to her good looks. I mention this point to illustrate the fact that the image of a hacker living in a basement, being socially awkward, or being really nerdy looking is gone.
In this case, the hacker in question was not only very skilled and dangerous, but she also did not fit the stereotype of what a hacker looks like.
In 2010 through the current day, the hacking group Anonymous has attacked multiple targets, including local government networks, news agencies, and others.
The group is still active and has committed several other high-profile attacks up to the current day. Attacks in recent history have included the targeting of individuals such as Donald Trump and his presidential campaign of 2016.
While many attacks and the hackers that perpetrate them make the news in some way, shape, or form, many don’t. In fact, many high-value, complicated, and dangerous attacks occur on a regular basis and are never reported or, even worse, are never detected.
Of the attacks that are detected, only a small number of hackers ever even see the inside of a courtroom much less a prison cell. Caught or not, however, hacking is still a crime and can be prosecuted under an ever-developing body of laws.
Recognizing How Hacking Is Categorized Under the Law
Over the past two decades, crimes associated with hacking have evolved tremendously, but these are some broad categories of cybercrime:
Identity Theft: This is the stealing of information that would allow someone to assume the identity of another party for illegal purposes. Typically this type of activity is done for financial gain, such as opening credit card or bank accounts, or in extreme cases to commit other crimes such as obtaining rental properties or other services.
Theft of Service: This is the use of phone, Internet, or similar items without expressed or implied permission. Examples of crimes or acts that fall under this category would be stealing passwords and exploiting vulnerabilities in a system.
Interestingly enough, in some situations, just the theft of items such as passwords is enough to have committed a crime of this sort. In some states, sharing an account on services such as Netflix with friends and family members can be considered theft of service and can be prosecuted.
Network Intrusions or Unauthorized Access: This is one of the oldest and more common types of attacks. It is not unheard of for this type of attack to lead into other attacks such as identity theft, theft of service, or any one of countless other possibilities.
In theory, any access to a network that one has not been granted access to is enough to be considered a network intrusion; this would include using a Wi-Fi network or even logging into a guest account without permission.
Posting and/or Transmitting Illegal Material: This has gotten to be a difficult problem to solve and deal with over the last decade. Material that is considered illegal to distribute includes copyrighted materials, pirated software, and child pornography, to name a few.
The accessibility of technologies such as encryption, file sharing services, and ways to keep oneself anonymous has made these activities hard to stop.
Fraud: This is the deception of another party or parties to elicit information or access, typically for financial gain or to cause damage.
Embezzlement: This is one form of financial fraud that involves theft or redirection of funds as a result of violating a position of trust. The task has been made easier through the use of modern technology.
Dumpster Diving: This is the oldest and simplest way to get and gather material that has been discarded or left in unsecured or unguarded receptacles. Often, discarded data can be pieced together to reconstruct sensitive information.
While going through trash itself is not illegal, going through trash on private property is and could be prosecuted under trespassing laws as well as other portions of the law.
Writing Malicious Code: This refers to items such as viruses, worms, spyware, adware, rootkits, and other types of malware. Essentially this crime covers a type of software deliberately written to wreak havoc and destruction or disruption.
Unauthorized Destruction or Alteration of Information: This covers the modifying, destroying, or tampering with information without appropriate permission.
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks: These are both ways to overload a system’s resources so it cannot provide the required services to legitimate users.
While the goals are the same, the terms DoS and DDoS actually describe two different forms of the attack. DoS attacks are small scale, one-on-one attacks, whereas DDoS attacks are much larger in scale, with thousands of systems attacking a target.
Cyberstalking: This is a relatively new crime on this list. The attacker in this type of crime uses online resources and other means to gather information about an individual and uses this to track the person and, in some cases, try to meet these individuals in real life.
While some states, such as California, have put laws in place against stalking, which also covers crimes of the cyber variety, they are far from being universal. In many cases, when the stalker crosses state lines during the commission of their crime, it becomes a question of which state or jurisdiction can prosecute.
Cyberbullying: This is much like cyberstalking except in this activity individuals use technologies such as social media and other techniques to harass a victim. While this type of crime may not seem like a big deal, it has been known to cause some individuals to commit suicide as a result of being bullied.
Cyberterrorism: This, unfortunately, is a reality in today’s world as hostile parties have realized that conventional warfare does not give them the same power as waging a battle in cyberspace.
It is worth noting that a perpetrator conducting terrorism through cyberspace runs the very real risk that they can and will be extradited to the targeted country.
To help understand the nature of cybercrime, it is first important to understand the three core forces that must be present for a crime, any crime, to be committed. These three items are:
Means, or the ability to carry out their goals or aims, which in essence means that they have the skills and abilities needed to complete the job
Motive, or the reason to be pursuing the given goal
Opportunity, or the opening or weakness needed to carry out the threat at a given time
As we will explore in this blog, many of these attack types started very simply but rapidly moved to more and more advanced forms. Attackers have quickly upgraded their methods as well as included more advanced strategies, making their attacks much more effective than in the past.
While they already knew how to harass and irritate the public, they also caused ever bolder disruptions of today’s world by preying on our “connected” lifestyle.
Attacks mentioned here will only increase as newer technologies such as smartphones and social networking integrate even more into our daily lives. The large volumes of information gathered, tracked, and processed by these devices and technologies are staggering.
It is estimated by some sources that information on location, app usage, web browsing, and other data is collected on most individuals every three minutes. With this amount of information being collected, it is easy to envision scenarios where abuse could occur.
What has been behind a lot of the attacks in the past decade or more is greed. Hackers have realized that their skills are now more than curiosity and are something that could be used for monetary gain. One of the common examples is the malware that has appeared over this time period.
Not only can malware infect a system, but in many cases, it has been used to generate revenue for its creators. For example, malware can redirect a user’s browser to a specific site with the purpose of making the user click or view ads.
Outlining the Pen Testing Methodology
This section explains the methodology you’ll use to conduct your penetration test. Typically, the process kicks off with some planning, such as determining why the test is necessary and choosing the type of test.
Once this planning is completed, you’ll get permission in written form, and the test can then proceed; it usually starts with gathering information that can be used for later network scanning and more aggressive actions.
Once all the penetration testing is complete and information about vulnerabilities and exploits has been obtained, you create a risk mitigation plan (RMP).
The RMP should clearly document all the actions that took place, including the results, interpretations, and recommendations where appropriate. Finally, you’ll need to clean up any changes made during the test.
We’ve all heard the saying that you have to plan for success; well, the same is true with any penetration test you are tasked with performing. To ensure success, you’ll need to do a great deal of planning.
You and the client will have a kickoff meeting to discuss the course of the test. The meeting will cover a lot of different issues but specifically look for information relating to scope, objective, parties involved, as well as other concerns.
Before the meeting is finished, you must have a clear idea of the objective of the test because, without that, the test cannot be effective, and it would be difficult if not impossible to determine whether a satisfactory outcome has been reached.
The test should ultimately be focused on uncovering and determining the extent of vulnerabilities on the target network. In addition, the scope should determine what is and isn’t included in the test.
Essentially, you are looking to establish boundaries that you will be required to stay within. The scope must also be tangible with actual success criteria factored into it.
These are some other questions to ask:
Why is a penetration test necessary?
What is the function or mission of the organization to be tested?
What will be the constraints or rules of engagement for the test?
What data and services will be included as part of the test?
Who is the data owner?
What results are expected at the conclusion of the test?
What will be done with the results when presented?
What is the budget?
What are the expected costs?
What resources will be made available?
What actions will be allowed as part of the test?
When will the test be performed?
Will insiders be notified?
Will the test be performed like a black or white box?
What conditions will determine the success of the test?
Who will be the emergency contacts?
You should also consider if any of the following attacks need to be performed to obtain the results that a client is seeking. (Make sure that the client approves each category of attack and what it includes.)
Social Engineering: The weakest security element in just about any system is the human element. Technology is able to assist and strengthen the human component, but still, a large number of the weaknesses present here must be addressed through training and practice, which is sorely lacking in many cases.
Testing the security of an organization via its human element should be something that is considered for every potential penetration test.
Application Security Testing: This form of test focuses specifically on locating and identifying the nature of flaws in software applications. This type of test can be performed as an independent test or as part of a complete testing suite.
This process may be requested in those situations where custom applications or environments exist and closer scrutiny needs to be made.
Physical Penetration Test: Strong physical security methods are applied to protect sensitive data. This is generally useful in military and government facilities. All physical network devices and access points are tested for possibilities of any security breach.
This test may seek to gather information from devices or other assets that are unsecured and can be considered as part of a social engineering test in some cases.
It should come as no surprise that determining the goals of the test is one of the more difficult items to nail down.
Many clients will look to you as the penetration tester to help them arrive at a goal for the exercise. Conduct interviews with your clients, as the meeting is your chance to do so.
Put your answers in clear, understandable language when clarifying the objectives. Make sure the meeting isn’t over until you have a good understanding of the goals of the test.
It is highly recommended that before entering into this type of meeting with a client you have a checklist of prepared questions and an agenda ready in order to make sure that all issues are addressed and time is not lost.
Another item to discuss and refine during the meeting is the timing and overall duration of the test. This is an extremely important detail because some clients may want you to conduct the test only during specific hours to avoid disruptions to their infrastructure and business processes.
This need will have to be balanced against the need to evaluate an organization as it works or is under stress, something that an after-hours test will not provide.
No organization of any sort is willing to have their operations affected as the result of a penetration test, so performing aggressive tests such as a denial-of-service attack or another type of test may be frowned upon.
In short, be aware of any limitations, and if you need to deviate from them, check with the client.
Another choice that will need to be made during this meeting is who will and won’t be informed about the test.
There will always be some part of the staff who will be aware of the test. They will be on hand to verify that you are supporting the goals of the organization and to provide support in the event you are confronted about performing the test by those who don’t know about it. However, informing too many of the staff can have the effect of doctoring the results.
This is because personnel will adjust their work habits either consciously or unconsciously when they know a test is ongoing.
Choosing the Type of Test to Perform
A penetration test is considered part of a normal IT security risk management process that may be driven by internal or external requirements as the individual situation merits.
Whether an internal or external risk assessment, it is important to remember that a penetration test is only one component in evaluating an environment’s security.
But it frequently is the most important part because it can provide real evidence of security problems. Still, the test should be part of a comprehensive review of the security of the organization.
The following are the items that are expected to be tested during a penetration test:
IT infrastructure
Network devices
Physical security and measures
Psychological issues
In many cases, a penetration test represents the most aggressive type of test that can be performed in an organization. Whereas other tests yield information about the strengths and weaknesses of an organization, only a penetration test runs the real risk of causing a disruption to a production environment.
Clients quite frequently do not fully grasp that even though the pen test is being done by a benevolent party, it still involves some level of risk, including actually crashing systems or causing damage.
Make sure the client always is aware of the potential risks to their business and make sure they have made backups and put other measures in place in case a catastrophic failure occurs.
When a penetration test is performed, it typically takes one of the following forms:
Black-Box Testing: Black-box testing is the type of test that most closely resembles an outside attack and is sometimes known as an external test.
To perform this type of test, you will execute the test from a remote location much like a real attacker. You will be extremely limited in your information and will typically have only the name of a company to go on, with little else.
By using many of the techniques mentioned in this blog, you will gain an increasing amount of information about the target to make your eventual penetration into the company. Along the way, you will log and track the vulnerabilities on a system and report these to the client in the test documentation.
Gray-Box Testing: In this type of test, you are given limited knowledge that may amount to all the information in a black box plus information such as operating system or other data.
It is not unheard of for this type of test to provide you with information on some critical, but untouchable, resources ahead of time.
The idea with this practice is that if you have knowledge of some key resources ahead of time you can look for and target these resources. However, once one of these targets is found, you are told to stop the test and report your findings to the client.
White-Box Testing: A white-box test gives the testing party full knowledge of the structure and makeup of the target environment; hence, this type of test is also sometimes known as an internal test. This type of test allows for closer and more in-depth analysis than a black or gray box would.
White-box tests are commonly performed by internal teams or personnel within an organization as a means for them to quickly detect problems and fix them before an external party locates and exploits them. The time and cost required to find and resolve the security vulnerabilities are comparably less than with the black-box approach.
Gaining Permission via a Contract
Remember that one of the key tenets of performing a penetration test on an organization is to get clear and unambiguous permission to conduct the test. Although getting sponsorship and such to perform the test is important, it is vital to have permission documented.
Get the person authorizing the test to sign off on the project and the plan, and have their contact information on hand just in case. Without such authorization, the test can run into one of many snags, including a claim that the test was never authorized.
What form can this authorization take? Well, verbal authorization is not desirable, but other forms are acceptable. If you are an outside contractor, a signed contract is enough to convey and enforce permission for the action. Internal tests can be justified with an email, signed paperwork, or both.
Without this paperwork or permission in place, it would be unwise to proceed. The permission not only gives you the authorization to conduct the test but also serves as your “Get out of Jail Free” card if you are challenged as to whether you should be testing.
Don’t underestimate the importance of having permission to do a test as well as having it in writing. Charges have been filed and successfully pursued against those who have not had such permission or documentation.
After the initial meeting is conducted, a contract will be generated outlining the objectives and parameters of the test. The following are some of the items that may be included:
Systems to Be Evaluated or Targets of Evaluation (TOE): You will work together with the client to determine which systems require evaluation during the penetration test. These can be any systems that are considered to be of value to the organization or need to be tested due to compliance reasons.
Perceived Risks: In any penetration test something can and will happen that is not planned. Consider that during testing, despite your best-laid plans and preparations, the unexpected will occur, and by informing the client ahead of time you decrease the surprise of downtime and allow for preparations to be made to lessen any impact.
Timeframe: Set a realistic timeframe during which the tests are to be conducted. Ensure that enough time is allocated to perform the test, check and verify the results, and catch any problems.
Setting times for the test also includes choosing the times of day and the days of the week to perform the test, because results and responses to an attack will vary depending on the time of day and which day it is performed on.
Systems Knowledge: Remember, you don’t necessarily need to have extensive knowledge of every system you are testing, but you should at least possess some basic level of understanding of the environment.
This basic understanding helps protect you and the tested systems. Understanding the systems you’re testing shouldn’t be difficult if you’re testing internal systems.
Actions to Be Performed When a Serious Problem Is Discovered: Don’t stop after you find one security hole. Keep going to see what else may possibly be discovered. Although you shouldn’t continue until all the systems have been disabled and/or crashed, you should pursue testing until you have exhausted your options.
If you haven’t found any vulnerability, you haven’t looked hard enough. If you uncover something big, you must share that information with the key players as soon as possible to plug the hole before it’s exploited.
Also, ask the client to define the criterion for a “wake-up call,” which means that if your team finds something that poses a grave threat to the network, they must stop the test and notify the client right away.
This will prevent the team from stopping at every vulnerability they find and guessing whether to either continue or to contact the client.
Deliverables: This includes vulnerability scanner reports and a higher-level report outlining the important vulnerabilities to address, along with counter-measures to implement.
As a rule of thumb, include any information in the contract that clarifies expectations, rules, responsibilities, and deliverables. The more information you include in a contract that clarifies things, the better for you and your client as doing so eliminates confusion later on.
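The contract items above (targets of evaluation, timeframe, documented permission, and the “wake-up call” criterion) can be written down in a form that tooling checks before anything is tested. The following is an added example, not part of the original post; the class, the names, the addresses, and the dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Severity levels as named in the reporting section of this page.
SEVERITY_RANK = {"low": 1, "important": 2, "critical": 3}


@dataclass
class Engagement:
    authorized_by: str          # person who signed off on the plan
    contact: str                # how to reach them during the test
    signed: bool                # written authorization on file (not verbal)
    in_scope: tuple             # targets of evaluation, as CIDR strings
    off_limits: tuple           # ranges the contract excludes
    start: datetime             # contract timeframe
    end: datetime
    allowed_days: frozenset     # weekdays, 0 = Monday
    window: tuple               # (start, end) of the agreed daily window
    wake_up_severity: str = "critical"

    def _in_daily_window(self, when):
        begin, finish = self.window
        now = when.time()
        if begin <= finish:      # window inside a single day
            return when.weekday() in self.allowed_days and begin <= now < finish
        if now >= begin:         # evening part of a window crossing midnight
            return when.weekday() in self.allowed_days
        if now < finish:         # early-morning part belongs to the previous day
            return (when.weekday() - 1) % 7 in self.allowed_days
        return False

    def check(self, target, when):
        """Return (allowed, reason) for testing `target` at time `when`."""
        if not (self.signed and self.authorized_by and self.contact):
            return False, "no documented authorization on file"
        if not self.start <= when <= self.end:
            return False, "outside the contract timeframe"
        if not self._in_daily_window(when):
            return False, "outside the agreed testing window"
        addr = ip_address(target)
        if any(addr in ip_network(net) for net in self.off_limits):
            return False, "explicitly off-limits in the contract"
        if not any(addr in ip_network(net) for net in self.in_scope):
            return False, "not a target of evaluation"
        return True, "in scope"

    def wake_up_call(self, severity):
        """True when a finding meets the client's stop-and-notify criterion."""
        return SEVERITY_RANK[severity] >= SEVERITY_RANK[self.wake_up_severity]


# Constructed engagement: documentation-range addresses, invented names and dates.
ENGAGEMENT = Engagement(
    authorized_by="J. Example (CISO)",
    contact="+1-555-0100",
    signed=True,
    in_scope=("203.0.113.0/24",),
    off_limits=("203.0.113.10/32",),
    start=datetime(2024, 3, 4, 0, 0),
    end=datetime(2024, 3, 15, 23, 59),
    allowed_days=frozenset({0, 1, 2, 3, 4}),   # Monday to Friday
    window=(time(22, 0), time(4, 0)),          # overnight window
)

if __name__ == "__main__":
    samples = [
        ("203.0.113.25", datetime(2024, 3, 5, 23, 0)),   # Tuesday night
        ("203.0.113.25", datetime(2024, 3, 9, 1, 30)),   # tail of Friday's window
        ("203.0.113.10", datetime(2024, 3, 5, 23, 0)),   # excluded host
        ("198.51.100.7", datetime(2024, 3, 5, 23, 0)),   # never agreed
    ]
    for target, when in samples:
        print(target, when.isoformat(), ENGAGEMENT.check(target, when))
```

The early-morning branch matters in practice: a Friday-night window legitimately runs into Saturday morning, while the same clock time on a Monday morning belongs to a Sunday window that was never agreed.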
After a plan is in place and proper preparation has been completed, the information gathering process can begin. This phase represents the start of the actual test, even though you will not be engaging your target directly as of yet. At this step, a wealth of information can be obtained.
Sometimes this step is known as footprinting instead of reconnaissance or information gathering. All these terms are correct. In any case, the process is intended to be methodical.
A careless or haphazard process of collecting information in this step can waste time later or, in a worst-case scenario, can cause the attack to fail outright. A smart and careful tester will spend a good amount of time in this phase gathering and confirming information.
How do you gain information? Well, there is an endless sea of resources available to do this, and it is up to you to determine which are useful and which are less so. Look for tools that can gain information that will help you build a picture of a target that will allow you to refine later attacks.
Information can come from anywhere, including search engines, financial disclosures, websites, job sites, and even social engineering (I’ll define all of these methods a little later, so don’t worry).
What you want to have when leaving this phase is a comprehensive list of information that can be exploited later. To give you some idea of what information is available, look at the following list:
Public Information: Collect all the information that may be publicly available about a target, such as host and network information, from places like job boards.
Sector-Specific Commonalities: Ascertain the operating system or systems in use in a particular environment, including web servers and web application data where possible.
DNS Information: Run queries such as Whois, DNS, network, and organizational queries.
Common Industry System Weaknesses: Locate existing or potential vulnerabilities or exploits that may exist in current infrastructure that may be conducive to launching later attacks.
A tip I give to those coming into the field of ethical hacking and pen testing is to try to think “outside the lines” that they may have been traditionally taught.
When acquiring a new piece of technology, try to think of new ways that it could be used. For example, could you wipe a device and install Linux on it? Could you circumvent safety mechanisms on the device to force it to allow the installation and configuration of additional software and hardware?
Try to train yourself to think like someone who is trying to cause harm or get away with something. As a penetration tester, you will be expected to think like a bad guy but act in a benevolent manner.
Scanning and Enumeration
Once you have gathered information about your target, it is time to move on to the next step: scanning and enumeration. While you hope that you have gathered a good amount of useful information, you may find that what you have is lacking. If that’s the case, you may have to go back and dig a little more for information.
Or you may also decide that instead of going back to fill in gaps in your knowledge you want to continue with the scanning process. You will find yourself developing an eye for things as you practice your skills and gain more experience.
Scanning includes ping sweeping, port scanning, and vulnerability scanning. Enumeration is the process of extracting meaningful information from the openings and information you found during scanning, such as usernames, share data, group information, and much more.
Penetrating the Target
Once a target has been scanned and openings and vulnerabilities determined, the actual penetration of the target can proceed. This step is done to exploit the weaknesses found in the system with the intention of compromising the system and gaining some level of access.
You should expect to take the results from the previous step of gathering intelligence to carefully identify a suitable target for penetration. Keep in mind that during the previous step a good number of vulnerable systems may be uncovered, so the challenge is now to locate a system or systems that can be exploited or are valuable targets.
For example, when scanning a network, you may locate 100 systems, with four being servers and the rest desktop systems. Although the desktop systems may be interesting targets, you will probably focus your attention, at least initially, on the servers, with the desktops a possible secondary target.
After selecting suitable or likely targets, you will attempt to use your skills and knowledge to break into the targets. Many different attacks may be tried before one is actually successful, if one is successful at all.
Remember that scanning and assessing a system as having a vulnerability in no way means it is actually capable of being exploited. You should consider which types of attacks may be successful and in what order you will attempt them prior to actually employing them against a target.
Attacks that may appear during this phase can include:
Password cracking
Traffic sniffing
Session hijacking
Brute-force attacks
These attacks are covered in this blog, so you will have some familiarity with each and how to use them. Be aware, however, that there are many potential attacks and tricks that can be performed, many of which you will learn over your career and as experience grows.
Automated tools can be used to identify many of the more common, well-known weaknesses that may be present in an environment. These tools are typically updated regularly so that the latest weaknesses are caught.
Here’s how to select a good penetration tool:
It should be easy to deploy, configure, and use.
It should scan your system easily.
It should categorize vulnerabilities by severity so that those needing immediate fixes stand out.
It should be able to automate verification of vulnerabilities.
It should re-verify exploits found previously.
It should generate detailed vulnerability reports and logs.
However, automated tools present some limitations, such as producing false positives and missing known weaknesses. They can also be loud on the network and even provide a false sense of confidence in the results.
Since automated tools cannot locate every potential weakness, the need for manual testing becomes apparent. A human, with the right training and knowledge, can locate a wide range of weaknesses that may not be located through automated means.
However, the downside of performing the test manually is that it is time-consuming and it is just not possible for a human being to check every potential vulnerability in a reasonable amount of time.
So what is the best approach? Well, the best approach for many penetration testers is to combine the two into a hybrid approach. The automated tests can be used to look for vulnerabilities, and the manual ones can focus on specific issues and do further investigation on specific weaknesses.
Some other actions that happen after breaking into a system are maintaining some sort of access and covering your tracks.
Maintaining access is a step that is used to preserve the opening that you have made on a system as a result of gaining access. This step assumes that you will want to continue going further with the attack or come back later to perform additional actions.
Remember that the owner of the targeted system is, or at least should be, attempting to stop or prevent your access to the system and as such will try to terminate your access.
Covering Your Tracks
Covering your tracks is also an important part of this step because it helps conceal evidence of your actions and will ward off detection and removal actions on the part of the system owner. The less evidence you leave behind or the more you conceal it, the harder it will be for the defending party to thwart your actions.
Documenting the Findings of the Test
After conducting all the previous tasks, the next step is to generate a report for the client. This document is called your risk mitigation plan. Although the report can take many different forms depending on the specific situation and client needs, there are some essential pieces of information and a format that you can follow.
The report should start with a brief overview of the penetration testing process. This overview should seek to neatly encapsulate what occurred during the test without going into too many technical details. This section will be followed by an analysis of what vulnerabilities were uncovered during the test.
Vulnerabilities should be organized in some way that draws attention to their respective severity levels such as critical, important, or even low. The better you can separate the vulnerabilities, the better it will assist the client in determining where to dedicate time and effort toward addressing each.
The other contents of the report should be as follows:
Summary of any successful penetration scenarios
A detailed listing of all information gathered during penetration testing
Detailed listing of all vulnerabilities found
Description of all vulnerabilities found
Suggestions and techniques to resolve vulnerabilities found
I additionally try to separate my reports for clients into a less technical summary and report up front. I then attach the hard technical data as an appendix to the report for the client to review as needed.
In some cases, clients may request a certain format either directly or indirectly as a condition of the test they request. For example, in tests that are performed in order to satisfy the Payment Card Industry (PCI) standards, a format may be requested for the client that conforms to specific standards.
The same might be said for requirements pertaining to HIPAA standards and others. Always ask your client if any specific format is needed or if it is up to your own discretion.
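The hybrid approach and the report layout described above fit together in one small workflow: scanner output is checked by hand, false positives are dropped, manually found issues are added, and the result is ordered by severity with a short summary up front and the detail in an appendix. This is an added example, not part of the original post; the field names and the sample findings are constructed.

```python
SEVERITY_ORDER = ("critical", "important", "low")

# Constructed sample data standing in for scanner output and tester notes.
AUTOMATED = [
    {"id": "A-1", "host": "srv-web-01", "severity": "important",
     "title": "Outdated TLS configuration", "fix": "Disable legacy protocol versions"},
    {"id": "A-2", "host": "srv-db-01", "severity": "critical",
     "title": "Default administrative credentials", "fix": "Change the default password"},
    {"id": "A-3", "host": "ws-017", "severity": "low",
     "title": "Missing OS patch", "fix": "Apply vendor update"},
]
MANUAL_REVIEW = {"A-1": "confirmed", "A-3": "false_positive"}   # A-2 not yet reviewed
MANUAL_ONLY = [
    {"id": "M-1", "host": "srv-web-01", "severity": "critical",
     "title": "Admin panel reachable without login"},
]


def merge_findings(automated, manual_review, manual_only):
    """Combine scanner output with the tester's manual verification.

    Returns (findings, false_positives). Scanner findings marked
    "false_positive" are dropped; findings nobody reviewed stay in,
    labelled "unverified", so the report does not overstate confidence.
    """
    findings, false_positives = [], []
    for item in automated:
        status = manual_review.get(item["id"], "unverified")
        if status == "false_positive":
            false_positives.append(item["id"])
            continue
        findings.append({**item, "source": "automated", "status": status})
    for item in manual_only:
        findings.append({**item, "source": "manual", "status": "confirmed"})
    return findings, false_positives


def build_report(findings):
    """Split findings into a non-technical summary and a technical appendix."""
    unknown = [f["id"] for f in findings if f["severity"] not in SEVERITY_ORDER]
    if unknown:
        raise ValueError(f"unknown severity on findings: {unknown}")
    ordered = sorted(
        findings,
        key=lambda f: (SEVERITY_ORDER.index(f["severity"]), f["host"], f["id"]),
    )
    summary = {
        level: sum(f["severity"] == level for f in ordered)
        for level in SEVERITY_ORDER
    }
    appendix = [
        f'[{f["severity"].upper()}] {f["host"]}: {f["title"]} '
        f'({f["source"]}, {f["status"]}) - fix: {f.get("fix", "to be determined")}'
        for f in ordered
    ]
    return {"summary": summary, "appendix": appendix}


if __name__ == "__main__":
    merged, dropped = merge_findings(AUTOMATED, MANUAL_REVIEW, MANUAL_ONLY)
    report = build_report(merged)
    print("Summary:", report["summary"], "| false positives dropped:", dropped)
    print("\n".join(report["appendix"]))
```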
To make the reporting and documentation process easier, I strongly recommend that during your process of penetration testing you make a concerted effort to maintain clear and consistent notes.
If this is not your forte, I strongly recommend you develop these skills along with purchasing or developing a good reporting system (which we will discuss more fully elsewhere in this blog) to ease some of the load of this process.
A lack of documentation can not only make things harder for you, but it will also have the effect of potentially leaving conspicuous holes in your test data.
After all is said and done, there may be some degree of cleaning up to do as a result of the actions taken during the penetration test. You will want to go through all of the actions you took in your documentation and double-check to determine whether anything you performed needs to be undone or remediated.
You are seeking to make sure that no weakened or compromised hosts remain on the network that could adversely affect security. In addition, any actions you take to clean up the network or hosts should be verified by the organization’s own IT staff to ensure that they are satisfactory and correct.
Typical cleanup actions include removing malware from systems, removing test user accounts, restoring changed configurations, and fixing anything else that may have been altered or impacted during the test.
Exploring the Process According to EC-Council
There are many ways to perform the ethical hacking process, and another well-known process is that of EC-Council’s Ethical Hacker Credential. The process is arranged a little differently, but overall it is the same.
I am documenting it here for you because I strongly feel that being aware of your options is essential to being successful as a pentester.
The following are the phases of the EC-Council process for your reference:
Footprinting: This means that the attacking party is using primarily passive methods of gaining information from a target prior to performing the later active methods. Typically, interaction with the target is kept to a minimum to avoid detection and alerting the target that something is coming in their direction.
A number of methods are available to perform this task, including Whois queries, Google searches, job board searches, discussion groups, and other means.
Scanning: In this second phase, the attacking party takes the information gleaned from the footprinting phase and uses it to target the attack much more precisely.
The idea here is to act on the information from the prior phase to avoid the “bull in the china shop” mentality of blundering around without purpose and setting off alarms. Scanning means performing tasks like ping sweeps, port scans, observations of facilities, and other similar tasks.
Enumeration: This is the next phase, where you now extract much more detailed information about what you uncovered in the scanning phase to determine its usefulness. Think of the information gathered in the previous phase as walking down a hallway and rattling the doorknobs, taking note of which ones turn and which ones do not.
Just because a door is unlocked doesn’t mean anything of use is behind it. In this phase, you are actually looking behind the door to see whether there is anything behind the door of value. Results of this step can include a list of usernames, groups, applications, banner settings, auditing information, and other similar information.
System Hacking: Following enumeration, you can now plan and execute an attack based on the information uncovered. You could, for example, start choosing user accounts to attack based on the ones uncovered in the enumeration phase. You could also start crafting an attack based on service information uncovered by retrieving banners from applications or services.
Escalation of Privilege: If the hacking phase was successful, then an attacker could start to obtain privileges that were granted to higher privileged accounts than they broke into originally.
If executed by a skilled attacker, it would be possible to move from a low-level account such as a guest account all the way up to administrator or system-level access.
Covering Tracks: This is where the attacker makes all attempts to remove evidence of their being in a system. This includes purging, altering, or other actions involving log files; removing files; and destroying other evidence that might give away the valuable clues needed for the system owner to easily or otherwise determine an attack happened.
Think of it this way: if someone were to pick a lock to get into your house versus throwing a brick through the window, the clues are much more subtle or less obvious than the other. In one case, you would look for what the visitor took, and in the other, the trail would probably have gone very cold by then.
Maintain Access: Planting back doors is when you, as the attacker, would leave something behind that would enable you to come back later if you wanted.
Items such as special accounts, Trojans, or other items come to mind, along with many others. In essence, you would do this to retain the gains you made earlier in this process in the event you wanted to make another visit later.
Hardening a Host System
The computer systems of an organization are vital to its ability to function. Systems typically perform tasks such as processing data, hosting services, and hosting or storing data.
As you know, these systems are also tempting targets for an attacker. Being aware of the threats and vulnerabilities that could weaken an organization is important and is one of the main motivations behind being a pentester, but knowing how to be proactive and deal with the issues before an attack is also important.
We all know that stopping a problem before it starts can save a tremendous amount of work. This is where the process of hardening begins.
The process is ongoing as threats change and so do vulnerabilities, meaning that the organization must adapt accordingly. The process will have several phases consisting of various assessments, reassessments, and remediation as necessary.
Introduction to Hardening
While it is true that most system, hardware, and software vendors offer a number of built-in security features in their respective products, these features do not offer total protection.
The security features present in any system can limit access only in a one-size-fits-all approach, meaning that they don’t take specific situations into account.
As a pentester, you should recognize that computer systems are still rife with vulnerabilities that can be exploited. Mitigating this situation requires a process known as system hardening, which is intended to lower the risks and minimize the security vulnerabilities as much as possible. The process can be undertaken by IT staff or even pentesters if so contracted.
System hardening is a process that is designed to secure the system as much as is possible through the elimination of security risks. The process typically involves defining the role of a system (i.e., web server or desktop) and then removing anything that is not required to perform this role.
If this process is strictly enforced and adhered to, the system will have all nonessential software packages removed and other features disabled in order to reduce the attack surface. This process will decrease the number of vulnerabilities as well as reduce the possibilities of potential backdoors.
Note the step of defining a system role; this is absolutely essential in getting further into hardening a system. Defining the role is essential because it is impossible to effectively remove nonessential services until you know what is essential.
If this process is taken to a serious level, more extreme measures can be taken, including the following:
Reformatting and wiping a hard drive before reinstalling the operating system
Changing the boot order in BIOS from removable devices to other components
Setting a BIOS password
Patching the operating system
Patching applications
Removing user accounts that are not used or disabling these accounts
Setting strong passwords
Removing unnecessary network protocols
Removing default shares
Disabling default services
The steps involved in hardening are very much a moving target, with the process varying widely from company to company. This is why securing a system requires a high level of knowledge regarding how the system works, features available, and vulnerabilities.
Of course, system administrators should always remember that there are many different computing systems and services running on any given network, but all devices have an operating system whether it is a mobile system, laptop, desktop or server. On the technology side, increasing security at the operating system level is an important first step in moving toward a more secure environment.
In fact, attackers are well aware that operating systems are the common denominator in all of the stated environments, and as such, they are a good place to start an attack. That’s why the operating system represents a good place to start a defense.
In addition, operating systems are very complex, and all are subject to defects of all types, some of which can lead to security issues, no matter who the creator of the system may be. Some in the technology field believe that some systems are more secure than others and that’s “just the way things are.”
The reality is that any operating system can be made secure or less secure based on who uses it and how it is set up. Operating systems are quite frequently misconfigured or even mismanaged by those who use and support them, meaning that they are targets for attacks for this reason alone.
Three Tenets of Defense
The following are three ways to approach hardening a system.
Following a Defense-in-Depth Approach
Defense in depth is a powerful and essential concept in information security that describes the coordinated use of multiple security countermeasures that complement one another to protect assets in an enterprise.
The strategy is based on the military or “castle strategy” principle in that it is more difficult for an enemy to defeat a complex and multilayered defense system than to penetrate a single barrier.
Think of a castle with all of its defenses—its defense usually includes moats, walls, archers, catapults, and hot lead in some cases. Once attackers get past one layer of security, they have to contend with another.
Defense in depth serves as a way to reduce the probability that an attack will ultimately succeed. If an attacker goes after a system, the different layers typically stop the assault in one of three ways (though these are not the only ways):
Providing Safeguards Against Failure: If one security measure is used, the danger if it fails is much more serious. In this case, if a single security measure is in place and were to fail, even briefly, the system would be totally defenseless. For example, if a network is protected solely by a firewall and the firewall failed, then an attacker could access the network easily.
Slowing Down an Attacker: If multiple defenses are in place, an attacker must successfully breach several countermeasures, and one of the purposes this serves is to give the defender time to detect and stop the attack.
Serving as an Imposing Obstacle: While no defense will ever stop those who truly want to gain access to a system, multiple layers will serve as a deterrent to many.
The truth is that there are fewer highly skilled hackers than there are script kiddies and beginners. Good defenses will serve as an imposing obstacle for many, meaning that a true attack will not happen in many cases.
Basically, never put all your eggs in one basket. Depending on one security mechanism is a perfect recipe for disaster because any technology or procedure can and will fail.
And when the single mechanism depended on happens to fail, there will then be no security mechanism in place to protect an organization against attackers.
Of course, the layers of defensive measures must not go overboard—too many layers can make the system unmanageable.
Implementing Implicit Deny
One of the most important concepts in security is that of implicit deny. Simply put, implicit deny states that if an action is not explicitly allowed, then it is denied by default.
To be secure, a party, whether it is a user or piece of software, should only be allowed to access the data or resources, and perform the actions, that have been explicitly granted to them. When an implicit deny is implemented correctly, actions that have not been specifically called out will not be allowed.
Implicit deny is present in a number of situations, including many locations in software where it makes the difference between secure and insecure environments.
One example of implicit deny is in firewalls, where the system is locked down and doesn’t allow any traffic whatsoever to pass until the system owner configures the system to allow specific traffic.
In the real world, not every piece of hardware and software will adhere to this rule, as good as it is. In many modern operating systems, the tendency is to make the system as usable as possible, which means that many actions are allowed by default.
This can be thought of as implicit allow since many actions are permitted that should not be for security reasons. This means many devices and software will need to be configured to allow every operation without question.
Why is this done? Simply put, if an operating system allows everything to occur without question, it is much more usable for the end user; in other words, it’s more convenient to use—at the expense of security, of course.
What is the result of this policy of implicit allow? Many users install, configure, or do things to a system that they are not qualified to do or don’t understand and end up causing a security issue or incident within an organization.
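The firewall case above, worked through as an added example (not part of the original post): the same unanticipated traffic is evaluated against a rule set that ends in a default deny and against one that ends in a default allow, and a small audit flags configurations that amount to implicit allow. The rule format, the function names, and the addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # source network in CIDR form
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # destination port, None = any port


def evaluate(rules, default, src, proto, port):
    """First matching rule wins; `default` applies when nothing matches."""
    for rule in rules:
        if (ip_address(src) in ip_network(rule.src)
                and rule.proto in ("any", proto)
                and rule.port in (None, port)):
            return rule.action
    return default


def audit_ruleset(rules, default):
    """Flag configurations that amount to implicit allow."""
    problems = []
    if default != "deny":
        problems.append("default action is not deny")
    for index, rule in enumerate(rules):
        if (rule.action == "allow" and rule.proto == "any"
                and rule.port is None
                and ip_network(rule.src).prefixlen == 0):
            problems.append(f"rule {index} allows any source, protocol and port")
    return problems


# Constructed policies, each given as (rules, default action).
# Implicit deny: only what the owner explicitly allowed gets through.
IMPLICIT_DENY = (
    [Rule("allow", "0.0.0.0/0", "tcp", 443),       # public HTTPS
     Rule("allow", "192.0.2.0/24", "tcp", 22)],    # SSH from the admin network
    "deny",
)
# Implicit allow: only what someone thought to block is stopped.
IMPLICIT_ALLOW = ([Rule("deny", "0.0.0.0/0", "tcp", 23)], "allow")
# Default deny on paper, undone by a catch-all allow rule.
CATCH_ALL = ([Rule("allow", "0.0.0.0/0", "any", None)], "deny")

if __name__ == "__main__":
    unexpected = ("198.51.100.9", "tcp", 3389)     # traffic nobody planned for
    print("implicit deny :", evaluate(*IMPLICIT_DENY, *unexpected))
    print("implicit allow:", evaluate(*IMPLICIT_ALLOW, *unexpected))
    for name, policy in [("implicit deny", IMPLICIT_DENY),
                         ("implicit allow", IMPLICIT_ALLOW),
                         ("catch-all", CATCH_ALL)]:
        print(name, "->", audit_ruleset(*policy) or "no findings")
```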
Implementing Least Privilege
Another core element of a robust security program is that of least privilege. This concept dictates that the users of a system should only ever have the level of access necessary to carry out whatever tasks are required to do their jobs. This concept can apply to access to facilities, hardware, data, software, personnel, or any number of elements.
When least privilege is implemented and enforced properly, any access given to a user or system is again only the level required to perform the necessary task.
At any point, any given program and every user of the system should operate using the least set of privileges necessary to complete the job, with no more, no less. When implemented as described, the principle limits the damage that can result from an accident or error.
It also serves to reduce the number of potentially harmful interactions among privileged programs to the minimum needed for correct operation, so that unintentional, unwanted, or improper uses of privilege are much less likely to occur and cause harm.
If a question arises related to misuse of privilege, the number of programs that must be audited is minimized. Another example of least privilege is “need-to-know,” the same type of setup found in military and defense-contractor environments.
In Windows 10, actually starting with Windows Vista, many sensitive system operations displayed a colored shield icon next to them in the interface. This colored shield icon informed the observant user that the chosen operation would require elevated privileges and would, therefore, prompt the user for approval.
If a user was not logged in as an administrator, they would have to provide credentials to prove they could do the operation. If the user was logged in as an administrator, they would then be prompted whether they had requested the operation and, if so, whether they wished to approve the operation to continue.
Least privilege is an effective defense against many types of attacks and accidents, but only if it is implemented and adhered to; otherwise it loses its effectiveness.
Because least privilege can be time-consuming and potentially tedious to implement as well as maintain, a system admin could very easily become lazy and neglect to stick to the concept.
Consider the problems that could arise if a person changes positions or jobs within an organization; logically their responsibilities would change, which means their privileges should change accordingly. Note the phrase “Only if it is implemented and adhered to”? This is perhaps the trickiest part.
In many companies least privilege procedures were implemented only to have a higher-up in the company get angry that they couldn’t do something they did before. Because the upset individual was high up in the company, they would be able to request/demand that the restriction be lifted.
Even though these individuals did not need the extra privileges, they got them. The end results in many cases would be lowered security or, much worse, a security incident.
A system admin needs to keep track of the necessary privileges so that a person doesn’t change job positions and end up with more privileges than they need, opening the door for an accident to cause substantial damage.
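One way to keep track of this is to compare what each account holds with what its current role requires, and to treat a job change as a replacement of privileges rather than an addition. This is an added example, not part of the original post; the roles, the privilege names, and the users are constructed.

```python
# Constructed role definitions: the privileges each job actually requires.
ROLE_PRIVILEGES = {
    "helpdesk": {"read_tickets", "reset_password"},
    "db_admin": {"read_tickets", "db_backup", "db_schema_change"},
    "executive": {"read_reports"},
}


def sample_users():
    """Constructed accounts showing two common ways privileges pile up."""
    return {
        # Moved from helpdesk to db_admin; new rights were added on top of old.
        "alice": {"role": "db_admin",
                  "granted": ROLE_PRIVILEGES["helpdesk"] | ROLE_PRIVILEGES["db_admin"]},
        # Holds exactly what the role requires.
        "bob": {"role": "helpdesk",
                "granted": set(ROLE_PRIVILEGES["helpdesk"])},
        # Restriction lifted on request, although the job does not need it.
        "carol": {"role": "executive",
                  "granted": {"read_reports", "db_schema_change"}},
    }


def audit_privileges(users):
    """Report privileges held beyond, or missing from, each user's role."""
    report = {}
    for name, user in sorted(users.items()):
        required = ROLE_PRIVILEGES[user["role"]]
        excess = user["granted"] - required
        missing = required - user["granted"]
        if excess or missing:
            report[name] = {"excess": sorted(excess), "missing": sorted(missing)}
    return report


def change_role(user, new_role):
    """Move a user to a new role, revoking what the new job does not need."""
    required = ROLE_PRIVILEGES[new_role]
    revoked = user["granted"] - required
    added = required - user["granted"]
    user.update(role=new_role, granted=set(required))
    return {"revoked": revoked, "added": added}


if __name__ == "__main__":
    users = sample_users()
    print("before:", audit_privileges(users))
    print("bob moves to db_admin:", change_role(users["bob"], "db_admin"))
    print("alice re-aligned:", change_role(users["alice"], "db_admin"))
    print("after:", audit_privileges(users))
```

Because fewer accounts carry privileges they do not need, the audit output also stays short, which is the point made above about minimizing what has to be reviewed when misuse is suspected.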
Creating a Security Baseline
One of the first steps in hardening a system is determining where the system needs to be security-wise in regard to its specific role. This is where a baseline comes in. A baseline provides a useful metric against which a system can be measured in regard to its expected and defined role.
Simply put, a security baseline is a detailed listing of the desired configuration settings that need to be applied to a particular system within the organization. Once a baseline is established, it becomes the benchmark against which a system will be compared.
Systems that are not found to meet or exceed the requirements specified in the baseline will either need to have remedial action taken to bring them into compliance or need to be removed from the environment (barring other actions as allowed by company security policy).
When generating a baseline for any given system, the settings that are eventually arrived at will depend on the operating system that is in place on the system as well as its assigned role within the organization.
Baselines are not something that stays static; they will change over time. Factors that will cause a baseline to change include operating system upgrades, changing roles, data processing requirements, and new hardware.
The first step in creating a baseline against which to measure a given system is to define the system role. On the surface, it may look as if only one or two baselines will be needed—with the knee-jerk response being that only one is needed for desktops and one for servers—but more are typically required.
Roles should be identified by examining the computing and data processing systems in an environment and identifying which have common requirements. These common requirements will collectively define a role to which a common set of configuration options can be applied.
Baselines should include, for example, the minimum software deployed to workstations, basic network configuration and access, and the latest service pack installed.
While it is true that in many organizations a common set of settings will be applied across all systems, there still will be identifiable groups that will have their own unique requirements.
Typically an organization will define those settings that are common among all systems and then customize further by adding additional settings and configuration options to enhance as necessary.
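The layering described above (settings common to all systems, then role-specific additions) and the meet-or-exceed comparison against a baseline can be expressed in Python. This is an added example, not part of the original tutorial; the roles, setting names, values and host names are constructed for illustration.

```python
# Added example: layered security baselines and a compliance check.
# All roles, setting names and values below are constructed for illustration.

# Each baseline entry is (rule, required value):
#   "eq"  - actual value must equal the required value
#   "min" - actual value must be >= the required value (the system may exceed it)
#   "max" - actual value must be <= the required value
COMMON_BASELINE = {
    "password_min_length": ("min", 12),
    "screen_lock_timeout_min": ("max", 15),
    "host_firewall_enabled": ("eq", True),
}

# Role-specific settings that extend or tighten the common set.
ROLE_BASELINES = {
    "desktop": {
        "removable_media_allowed": ("eq", False),
    },
    "web_server": {
        "password_min_length": ("min", 16),  # stricter than the common value
        "remote_admin_protocol": ("eq", "ssh"),
        "audit_log_retention_days": ("min", 90),
    },
}


def build_baseline(role):
    """Return the effective baseline for a role: common settings plus role entries."""
    if role not in ROLE_BASELINES:
        raise KeyError(f"no baseline defined for role {role!r}")
    effective = dict(COMMON_BASELINE)
    effective.update(ROLE_BASELINES[role])
    return effective


def meets(rule, required, actual):
    """True when the actual value meets or exceeds the requirement."""
    try:
        if rule == "eq":
            return actual == required
        if rule == "min":
            return actual >= required
        if rule == "max":
            return actual <= required
    except TypeError:
        # A value of the wrong type (text where a number is expected)
        # cannot satisfy the requirement.
        return False
    raise ValueError(f"unknown rule {rule!r}")


def check_system(role, actual_settings):
    """List deviations as (setting, rule, required, actual) tuples.

    An empty list means the system meets or exceeds its baseline. A setting
    the system does not report at all is treated as a deviation.
    """
    deviations = []
    for name, (rule, required) in sorted(build_baseline(role).items()):
        actual = actual_settings.get(name, "<not set>")
        if name not in actual_settings or not meets(rule, required, actual):
            deviations.append((name, rule, required, actual))
    return deviations


# Constructed sample systems: host name -> (role, reported settings).
SAMPLE_SYSTEMS = {
    "ws-014": ("desktop", {
        "password_min_length": 14,
        "screen_lock_timeout_min": 10,
        "host_firewall_enabled": True,
        "removable_media_allowed": False,
    }),
    "web-02": ("web_server", {
        "password_min_length": 12,
        "screen_lock_timeout_min": 15,
        "host_firewall_enabled": True,
        "remote_admin_protocol": "telnet",
    }),
}

if __name__ == "__main__":
    for host, (role, settings) in SAMPLE_SYSTEMS.items():
        found = check_system(role, settings)
        print(f"{host} ({role}): {'compliant' if not found else 'needs remediation'}")
        for name, rule, required, actual in found:
            print(f"  {name}: required {rule} {required!r}, found {actual!r}")
```

Systems that return a non-empty list are the ones that need remedial action or removal from the environment, as described earlier in this section.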
Creating a security baseline is a daunting task at best, but many tools exist to make the process much easier to complete and much more efficient. Additionally, manufacturers of operating systems generally also publish guidance that can be used to fine-tune a system even further.
Using a software tool can make it easier and quicker to scan for and detect a broad range of potential issues by automating the process. Some of the common tools for hardening systems and creating baselines include the following:
Bastille: This Linux- or Unix-based tool is used to scan and harden a system so it is more secure than it would be otherwise. It is important to note, however, that Bastille has not been updated in some time, but it may still be used as a hardening tool in some cases.
Microsoft Baseline Security Analyzer (MBSA): This tool has been made available by Microsoft for a long period of time and has evolved over the years. The tool is designed to do a scan of a system and compare it against a list of commonly misconfigured settings and other issues.
Security Configuration Wizard (SCW): Originally introduced in Windows Server 2003, the SCW has become a useful tool for improving system security. The wizard guides you through the process of creating, editing, applying, or rolling back a security policy as customized by the system owner.
The Microsoft Baseline Security Analyzer (MBSA) is probably the most well-known tool. When this tool was originally released in 2004, it was quickly adopted by many in the IT and security fields as a quick and dirty way of assessing the security of systems by determining what was missing from the system and which configuration options were impacting security.
The tool is able to provide a reasonably basic, but thorough, assessment of Windows, SQL Server, and Office. During the assessment process, the tool will also scan its host system to determine which patches it is missing and inform users of what they need to do to remedy the situation.
As opposed to many other tools on the market, the MBSA does not provide any ability to customize the scan above a few basic options. Essentially the tool can scan a system using predefined groups of settings that Microsoft has determined to be the ones that most impact system security.
MBSA includes support for the following operating systems and applications:
Windows 2000 through Windows 10 as well as Server versions from 2000 through Windows Server 2012
Internet Information Server 5 through 8
Office 2000 through 2016
Internet Explorer 5 and higher
Additionally, MBSA supports both 32- and 64-bit platforms and can perform accurate security assessments on both platforms with context-sensitive assistance. MBSA is a useful tool, but care should be taken to avoid becoming too reliant on its output.
While the tool provides a great foundation for performing assessments and saving results for later comparison, it is not an end-all, do-all solution.
The MBSA is available only for the Windows platform. Additionally, the tool is only capable of assessing a fixed portfolio of applications, and as such, any application that it is not hardcoded to check for will not be assessed.
You may see the phrase penetration test used interchangeably with the term security audit, but they are not the same thing. Penetration testers may be analyzing one service on a network resource.
They usually operate from outside the firewall, with minimal inside information, in order to more realistically simulate the means by which a hacker would attack a target.
An audit is an assessment of how the organization’s security policy is employed and operating at a specific site. Computer security auditors work out in the open with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be audited.
Computer security auditors perform their work through personal interviews, vulnerability scans, examination of operating system settings, analyses of network shares, and historical data.
Hardening with Group Policy
Using tools to analyze and configure basic settings for a computer system is only the start of “locking” down a computer, as many more tools are available to provide security. One of the most popular ones is Group Policy in the Windows family of operating systems.
In its simplest form, Group Policy is nothing more than a centralized mechanism for configuring multiple systems at once. In the hands of a skilled administrator who is guided by proper planning and assessment, the technology can be used to configure just about every option on a system, including such items as
Whether or not a user can install devices
Whether or not a user can install software
What printers the user can connect to
What settings the user can change
Where patches may be downloaded from
How auditing is configured
Permissions on the registry
Restricted groups
Permissions on the filesystem
Group Policy in Windows Active Directory has more than 1,000 settings, but this in no way implies that every setting needs to be configured—indeed, no administrator should ever attempt to do so. Only those settings that are required to attain a certain level of security dictated by company policy should ever be configured.
Hardening Desktop Security
The home and business computer system at the desktop level is a popular and tempting target for attackers. Even beginner attackers know that the average computer user has a wealth of information and other things stored there.
Consider the fact that the average home user stores a large amount of information on their drive year after year, frequently migrating it to new systems—the amount of information increases like a snowball rolling downhill.
The average user stores everything from bank and credit card information to photos, chat logs, and many other items. With enough information in hand, an attacker could easily steal your identity and use your good name and credit to buy themselves whatever they want.
One of the ways to deal with vulnerabilities on a system is by patching and applying updates to a system. This is something that you should be prepared to recommend to a client.
Just a few years ago the prevailing wisdom was to simply build a system from scratch, install all applications as well as updates and patches during initial setup, and then deploy it, installing additional updates either infrequently or never.
Since the year 2000, this approach has largely changed. Many organizations becoming victims of malware and other types of mischief was the reason a reevaluation of the prevailing approach was considered and adopted. The downtime and loss of production that could have been prevented through the application of regular patches was a huge reason for this shift.
Along with the increased threats, there has been increasing concern about governance and regulatory compliance (e.g., HIPAA, Sarbanes–Oxley, FISMA) to gain better control and oversight of information.
Factor in the rise of increasingly interconnected partners and customers as well as higher speed connections, and the need for better patching and maintenance becomes even greater.
It is easy to see why proper patch management has become not just an important issue, but a critical issue as time has moved on.
The goal of a patch management program is to design and deploy a consistently configured environment that is secure against known security issues in the form of vulnerabilities.
Managing updates for all the software present in a small organization is complicated, and this is more complex when additional platforms, availability requirements, and remote offices and workers are factored in.
Accordingly, as each environment has unique technology needs, successful patch management programs will vary dramatically in design and implementation. However, there are some issues that should be addressed and included in all patch management efforts.
Researching Information Sources
A critical component of patch management is researching and verifying information. Every organization should designate a person or team to be in charge of keeping track of updates and security issues on applications and operating systems.
This team should take a role in alerting administrators of security issues or updates to the applications and systems they support.
A comprehensive and accurate asset management system can help determine whether all existing systems are accounted for when researching and processing information on patches and updates.
Scheduling and Prioritizing Patches
When developing a patch management process, you should consider several factors in order to put the most effective and optimized process possible in place.
The more research and time you take to develop your patch management process, the more effective it is likely to be at stopping or at least blunting the impact of various security threats and vulnerabilities as they appear, or even before they become a problem.
The first factor to consider is that a patch management process needs to guide and shape the management and application of patches and updates to the systems in any given environment.
Generally, at the most basic level, you need to have a patch management process that is concerned only with the normal task of applying patches and updates as they become available to ensure that regular maintenance is done and not overlooked.
You never want to have a situation where patches or updates are applied only in response to a problem or threat. Essentially, you are trying to avoid a reactive process as much as possible and to be on a proactive footing instead.
How often the process of applying patches takes place as part of normal maintenance is something that each organization will need to consider for themselves; for example, some organizations might decide to have patches applied every month and so may decide to delay major patches to every quarter.
Or they may decide to go to the other end of the spectrum and apply patches every couple of weeks or so as part of normal maintenance. You may read this and think that three months (every quarter) is too long to wait, but there is no one-size-fits-all solution.
Also remember that the patches we’re talking about here are not being applied specifically in response to a security issue, though they could be addressing an issue, just not a critical one. For critical issues, you will have a different plan in place to deal with those situations as they arise.
Speaking of critical updates in the form of patches, service packs, or even hotfixes, there needs to be a plan in place to meet the needs of these particular software items. In addition to regular maintenance, it is expected that from time to time high-priority or sensitive security issues will arise.
Security researchers or vendors find them and identify them and decide that they are indeed a critical issue that must be addressed as soon as possible.
When these situations occur, organizations want to have a process in place that deals with these off-cycle situations that cannot wait for the normal maintenance cycle.
In these situations, the patches must be deployed immediately and installed on the systems to avoid a security problem getting out of control or emerging and leading to more serious problems.
Typically what starts off this process of patching is that a vendor will identify an issue as being crucial to their customers’ stability and well-being. So they will distribute information stating that there’s an issue with the software package and that certain updates will address that issue.
Since these situations can appear at any time, not on a set schedule, an organization has to evaluate the seriousness of the situation and decide how best to employ the patch to its greatest effect.
What makes this process a little tougher is that you cannot schedule these types of situations to occur; they just appear as things are found that need to be addressed immediately. Regular maintenance updates can be scheduled so they are deployed when the systems are not being utilized for normal business operations.
That way, if a serious problem arises during the patching process, it can be handled without affecting business operations adversely.
These types of updates and patches can be applied off hours on a weekend or evening when the systems are not being used. In the event a problem arises, time can be built into the schedule so there’s enough time to fix it before the systems are needed again.
If the problem is serious enough, this means that the update must be deployed immediately, even if it is in the middle of the day. Fortunately, these issues do not appear all that often, but they do appear from time to time and you must be ready to apply them as quickly as possible, with the goal of reducing any risk to your environment of becoming destabilized because of the patch deployment.
Testing and Validating a Patch
Murphy’s Law essentially says that if something’s going to go wrong, it will go wrong. IT and security folks quickly learn that Murphy’s Law also applies to our field and will quickly throw a monkey wrench into all our best-laid plans.
In order to avoid any problems that might occur during the deployment of a patch, it’s a good idea to consider a mandatory testing phase.
During this phase, you check to make sure a patch works as advertised and will not have any adverse effects on the environment in which it will be deployed.
Do not underestimate the potential for something to go wrong when a patch is deployed. Just because a patch is supposed to fix an issue doesn’t mean it won’t cause problems when it is deployed into your environment.
A patch may cause numerous other problems to pop up after it is deployed. The unexpected can happen, and that’s why we implement a testing process with the intention of lowering the possibility of this situation as much as possible.
The testing process should begin after a patch is acquired and before it is deployed into a production environment. Ideally, the patch should be deployed to a test system or even a lab system and given a test drive or evaluation both before and after it’s applied.
Remember that just because a patch is made available does not mean that it always has to be deployed; in some cases, the best action is no action at all. But you should arrive at the decision after evaluating and testing.
Also, do not underestimate the value of doing your research through Google or other sources to see if other people are encountering issues with the patch or update.
Take care to ensure that the patches you will be deploying are obtained from a legitimate source and can be checked out to determine that they have not been altered or corrupted in any way.
Upon completion of testing and validation of a patch, you still have other steps to take. You must decide on a deployment schedule. Ideally, any updates that are required, even if they’re critical, will be applied outside of normal business hours.
In some situations, the option to wait is not something that can be considered or rolled into the equation when performing planning.
For example, there have been cases where a piece of malware such as a worm spread rapidly across the Internet and affected an untold number of hosts all around the world.
In many of these cases, it was found that the application of a patch to squash a vulnerability that the worm had exploited not only would keep the system from becoming infected but would also have the effect of eliminating one more host that could be used to infect numerous other hosts.
In these cases, it just was not worthwhile to wait for any appreciable length of time to apply the patch. The worm was still spreading and systems that were cleaned but still vulnerable would still run the risk of becoming a problem if they were infected again.
Although organizations don’t use any one fixed method to apply their updates, at a conceptual level the methods are all pretty much the same as far as how they progress and function. Most patches and updates will involve a medium- to high-level use of system resources.
Typically, a system reboot—in some cases, numerous reboots—will occur during the application of a patch, and during this time the system is essentially unusable for whatever its normal purpose is.
This is why testing is critical; in addition to showing whether the patch is beneficial and addresses a problem, testing gives the organization a good look at how the process will take place. In that way, the organization can determine the best way to deploy the patch or update and achieve minimal disruption and downtime.
There’s a saying that no good plan stays intact after it is put into action, and the more complex the environment or the more critical the situation, the greater the chance that saying will apply (or at least that’s the way it seems).
It is not unheard of for IT to run into a situation where they have installed a piece of software or applied a patch numerous times without incident and then there is a failure even though they did everything the same way.
When these situations occur, it is important to have a rollback plan. With a rollback plan, when a patch or update doesn’t go as planned and causes more problems than it’s worth, you have a way to get out of it gracefully with minimal disruption.
In some cases, this may mean simply uninstalling a patch or update and then rebooting the system, and you’re back to where you were before the issue.
In other cases, you may have to rebuild the system (though this may be extreme), in which case you’ve hopefully planned ahead and had images that you can deploy to the system rapidly to get it back up and running.
The lesson to be learned here is to always have a backup plan in the event that things don’t go the way they’re supposed to—in other words, hope for the best but plan for the worst.
Something that has to be addressed when discussing patch management is the issue of changes. Change management is a process that provides a mechanism to approve, track, change, and implement changes.
For security reasons, you always want a clear picture of what is occurring on your system, and you want to be able to access that information and review it at any time for auditing or compliance reasons.
The change management process by design should include all the plans to perform the process of getting a patch into an environment. This includes testing, deployment, and rollback plans, as well as anything else that’s needed to ensure that things happen from beginning to end in a clear and documented way.
In some cases, the change management process should also include documentation on the risks and how a given change or update affected those risks. Finally, in numerous cases, there will be benchmarks set that a change is expected to meet in order to be considered successful.
Installing and Deploying Patches
The deployment phase of the patch management process is where administrators have the most experience. Deployment is where the work of applying patches and updates to systems occurs.
While this stage is the most visible to the organization, the effort expended throughout the entire patch management process is what dictates the overall success of a given deployment and the patch management program in total.
Auditing and Assessing
Regular audit and assessment help measure the ongoing success and scope of patch management. In this phase of the patch management program, you need to answer the following questions:
What systems need to be patched for any given vulnerability or bug?
Are the systems that are supposed to be updated actually patched?
What legacy systems are excluded from patch management, and what measures are in place to offset the risk?
The audit and assessment component will help answer these questions, but there are dependencies. Two critical success factors are effective asset and cost management.
While the audit and assessment element of your patch management program will help identify systems that are out of compliance, additional work is required to reduce the number of noncompliant hosts.
Your audit and assessment efforts can be considered “after the fact” evaluations of compliance since the systems being evaluated will typically already be deployed into production.
To supplement post-implementation assessment, controls should be in place to ensure that newly deployed and rebuilt systems are up to spec with regard to patch levels.
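The three audit questions above can be answered mechanically once an asset inventory and a deployment target list exist. The following Python is an added example, not part of the original tutorial; the host names, product name, patch identifier and compensating controls are constructed placeholders.

```python
# Added example: answering the patch audit questions from an asset inventory.
# Every host, product and patch identifier below is a constructed placeholder.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    products: frozenset               # software installed on the host
    patches: frozenset = frozenset()  # patch identifiers reported as installed
    excluded: bool = False            # legacy system kept out of patch management
    compensating_controls: tuple = () # measures that offset the unpatched risk


def audit_patch(inventory, product, patch_id, deployment_targets):
    """Audit one patch against the inventory and the list of hosts it was sent to."""
    by_name = {asset.hostname: asset for asset in inventory}
    affected = {a.hostname for a in inventory if product in a.products}
    excluded = {h for h in affected if by_name[h].excluded}
    in_scope = affected - excluded
    targets = set(deployment_targets)
    patched = {h for h in in_scope if patch_id in by_name[h].patches}
    return {
        # Question 1: which systems need the patch?
        "needs_patch": sorted(in_scope),
        # Question 2: are the systems that were supposed to be updated patched?
        "confirmed_patched": sorted(patched),
        "targeted_but_unpatched": sorted((in_scope & targets) - patched),
        "affected_never_targeted": sorted(in_scope - targets - patched),
        # Hosts in the deployment list that asset management does not know about.
        "targets_missing_from_inventory": sorted(targets - set(by_name)),
        # Question 3: which legacy systems are excluded, and what offsets the risk?
        "excluded_legacy": {
            h: list(by_name[h].compensating_controls) for h in sorted(excluded)
        },
        "excluded_without_controls": sorted(
            h for h in excluded if not by_name[h].compensating_controls
        ),
    }


SAMPLE_PRODUCT = "ExampleDB"
SAMPLE_PATCH = "EXAMPLE-PATCH-001"
SAMPLE_TARGETS = ["app-01", "app-02", "app-09"]
SAMPLE_INVENTORY = [
    Asset("app-01", frozenset({"ExampleDB"}), frozenset({"EXAMPLE-PATCH-001"})),
    Asset("app-02", frozenset({"ExampleDB"})),
    Asset("app-03", frozenset({"ExampleDB"})),
    Asset("hr-legacy", frozenset({"ExampleDB"}), excluded=True,
          compensating_controls=("isolated network segment",)),
    Asset("lab-old", frozenset({"ExampleDB"}), excluded=True),
    Asset("file-01", frozenset({"OtherApp"})),
]

if __name__ == "__main__":
    report = audit_patch(SAMPLE_INVENTORY, SAMPLE_PRODUCT, SAMPLE_PATCH, SAMPLE_TARGETS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The `targets_missing_from_inventory` result shows the dependency on asset management: a host that is not in the inventory cannot be audited at all.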
Passwords form one of the primary methods of barring unauthorized users from accessing a system. Passwords act much like the key for a house or car, allowing only those who have the correct key to get into the car or house.
Passwords have served the vital purpose of allowing only authorized users to access a system or service.
One of the biggest problems with passwords is that they are frequently rendered useless through carelessness or recklessness, two things that are addressed in this section through the proper use of passwords.
Being Careful When Installing Software
Software is what you use to do whatever it is you are doing with a computer. Software includes all the applications, services, and the operating system itself, so there is a lot happening on even the most basic of systems.
The problem is that software is running however the designer intended it to, which can mean that it could potentially cause harm. It is with this in mind that you must carefully consider the applications you download and what they may be doing on your computer.
When talking about software, consider just how much a software application can possibly do. Consider that any operation you can do—including deleting files, making system configuration changes, uninstalling applications, or disabling features—the application can do as well. Keep in mind that what you download may not have your best interests at heart.
Consider that some applications, when downloaded, may include no documentation, or only scant guidance on all the things they do, and will leave you to fend for yourself.
Even worse, the software may not even have an author that you can contact when you need help. You may be left to decide if the application is going to help you or if it may possibly be something that could do something more sinister.
By applying the following set of guidelines, you can avoid some of the issues associated with untrusted or unknown software:
Learn as much as you can about the product and what it does before you purchase it.
Understand the refund/return policy before you make your purchase.
Buy from a local store that you already know or a national chain with an established reputation.
If downloading a piece of software, get it from a reputable source.
Never install untrusted software on a secure system; if it needs to be installed, put it on an isolated test system first to test what it does.
Scan all downloaded content with an antivirus and antispyware application.
Ensure that the hash value matches what the vendor has published to ensure the integrity of the software.
Do not download software from file sharing systems such as BitTorrent.
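The hash check in the guideline above, which applies equally to the earlier advice on confirming that patches have not been altered or corrupted, can be automated. The following Python is an added example, not part of the original tutorial; it assumes the vendor publishes SHA-256 digests in the `<digest>  <file name>` layout written by `sha256sum`, and the file names and contents are constructed.

```python
# Added example: verify a download against a vendor-published SHA-256 list.
# File names and contents are constructed; the list layout is an assumption.
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=65536):
    """Hash the file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_list(text):
    """Parse '<hex digest>  <file name>' lines into {file name: digest}."""
    published = {}
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {number}: expected '<digest> <file name>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"line {number}: not a SHA-256 hex digest")
        published[name] = digest
    return published


def verify_download(path, published):
    """Return 'match', 'mismatch' or 'unlisted' for the file at path."""
    expected = published.get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # no published value, so integrity cannot be confirmed
    actual = sha256_of_file(path)
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"


def run_demo():
    """Build constructed files in a temporary directory and verify each one."""
    payload = b"constructed installer contents, version 1.0\n"
    checksum_list = (
        "# constructed checksum list\n"
        f"{hashlib.sha256(payload).hexdigest()}  tool-setup.bin\n"
    )
    published = parse_checksum_list(checksum_list)
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        installer = os.path.join(workdir, "tool-setup.bin")
        with open(installer, "wb") as handle:
            handle.write(payload)
        results["as published"] = verify_download(installer, published)

        with open(installer, "ab") as handle:  # simulate corruption or alteration
            handle.write(b"\x00")
        results["after modification"] = verify_download(installer, published)

        extra = os.path.join(workdir, "plugin.bin")
        with open(extra, "wb") as handle:
            handle.write(payload)
        results["unlisted file"] = verify_download(extra, published)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

A published hash only confirms integrity if it is obtained over a channel that could not have been altered along with the file, such as the vendor's own HTTPS site rather than the mirror that served the download.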
Note the presence of downloaded applications on the list. In today’s world, many of the applications you use are available in digital format only online.
A multitude of free programs is available for all types of systems, with more available each day. The challenge is to decide which programs deserve your confidence and are, therefore, worth the risk of installing and running on your home computer.
So with a huge amount of software being available for download only, what can you do to be safe? Consider the following as a guide:
What does the program do? You should be able to read a clear description of what the program does.
This description could be on the website where you can download it or on the CD you use to install it. You need to realize that if the program was written with malicious intent, the author/intruder isn’t going to tell you that the program will harm your system.
They will probably try to mislead you. So, learn what you can, but consider the source and consider whether you can trust that information.
What files are installed and what other changes are made on your system when you install and run the program? Again, to do this test, you may have to ask the author/intruder how their program changes your system. Consider the source.
Can you use email, telephone, letter, or some other means to contact the software developer?
Once you get this information, use it to try to contact them to verify that the contact information works. Your interactions with them may give you more clues about the program and its potential effects on your computer and you.
Has anybody else used this program, and what can you learn from him or her? Try some Internet searches using your web browser. Somebody has probably used this program before you, so learn what you can before you install it.
If you can’t answer these questions with certainty, then strongly consider whether it’s worth the risk. Only you can decide what’s best. Whatever you do, be prepared to rebuild your computer from scratch in case the program goes awry and destroys it.
Remember that an antivirus program prevents some of the problems caused by downloading and installing programs. However, remember that there’s a lag between recognizing a virus and when your computer also knows about it.
Even if that nifty program you’ve just downloaded doesn’t contain a virus, it may behave in an unexpected way. You should continue to exercise care and do your homework when downloading, installing, and running new programs.
Using Antivirus Packages
One of the dangers of modern computing with networking and shared media is that of malware in the form of viruses and worms. Although some systems are more vulnerable than others, all systems are vulnerable whether they are based on Windows, Mac, or Linux.
Each has malware targeted toward them and it’s just a question of how much. Whereas some viruses are merely annoying, others can cause severe damage to a computer and may even corrupt data beyond repair or recovery.
In order to protect a system from viruses, there are a few simple and necessary steps that can be taken, with the installation and maintenance of an antivirus package at the top of the list.
You must consider it a full-time job to protect your systems from viruses; your computer is never truly safe unless it is disconnected from the Internet and you never insert computer disks or software from unreliable sources.
Backing Up a System
Everything on a computer is typically considered as either those items you can replace or those you can’t. What have you done about the items that you can’t replace on the computer you use, such as project files, photographs, applications, and financial statements?
What happens if your computer malfunctions or is destroyed by a successful attacker? Are those files gone forever?
Do you have a backup or a way to recover information when you have a loss caused by a malfunction or an intruder? Do you back up your files on to some other media so that you can recover them if you need to?
When deciding what to do about backing up files on your computer, ask these questions:
What files should you back up? The files you select are those that you can neither easily re-create nor reinstall from somewhere else, such as the CDs or the floppy disks that came with your computer.
That check register you printed does not constitute a backup from which you can easily re-create the files needed by your checking account program.
You’re probably not going to re-enter all that data if the files are destroyed. Just as you protect your irreplaceable valuables, back up the files you cannot replace, easily or otherwise.
How often should you back them up? In the best of all cases, you should back up a file every time it changes. If you don’t, you’ll have to reintroduce all the changes that happened since your last backup.
Just as you store your precious jewelry in a lockbox at the local bank, you need to store your files safely (back them up) after every use (change in the file) lest an intruder destroy the file or there be a system catastrophe.
Where should you back them up to—that is, what media should you use to hold backed-up files? The answer is: whatever you have. It’s a question of how many of that media you have to use and how convenient it is. Larger capacity removable disk drives and writable CDs as well as external hard drives also work well and take less time.
Where should you store that media once it contains backed-up files? No matter how you back up your files, you need to be concerned about where those backed-up copies live, which includes potential storage locations such as the cloud.
A robber can gain access to the same information by stealing your backups. It is more difficult, though, since the robber must know where your backups are, whereas an intruder can access your home computer from literally anywhere in the world. The key is to know where the media is that contains your backed-up files.
Just like important papers stored in a fireproof container at your house, you need to be concerned about your backups being destroyed if your living space is destroyed or damaged. This means that you should always keep a copy of all backed-up files in a fireproof container or somewhere where they are out of harm’s way.
Hardening Your Network
So far we have discussed network-level and application attacks, but those are only part of the equation for a pentester.
A pentester must not only know about systems and how to improvise and find ways to identify weaknesses that breach security; they must also know how to address any issues they locate and recommend fixes for the customer.
Much like with hosts, a network has to be evaluated to determine where it’s currently vulnerable, the types of vulnerabilities and their seriousness, and where each vulnerability is located, as well as how they relate to one another.
The end result of this process should be that the network becomes much more resilient and resistant to attack or compromise and therefore should be in a more secure state.
As you can imagine, with the complexities, coverage, diverse range of services, and potential size of the user base, network hardening is going to be much tougher and more challenging, but definitely doable. As with anything of this scope and size, careful planning is required to get the best results.
In fact, if you’ve been doing your job with the same level of care and consideration, then you should have thorough documentation and results from your pentest that will simply require you to do some research, take some time to figure out the best way to deal with what you found, and then make those recommendations to the customer.
So with our existing knowledge of the process of hardening hosts in hand, we are now going to discuss how to secure a network and some of the various items, tasks, and devices that you can make use of to make this happen.
What Is Hardening a Network?
When you undertake the process of hardening a network, much like you would with a host, it can involve technical, administrative, and physical measures that will end up making your final secure solution.
It’s important to understand that no one area or component of technical, administrative, or physical controls is going to help you entirely on its own; some combination of these things can get you the most bang for your buck:
Technical controls, or anything that is going to be based in the world of technology, such as servers, authentication systems, or even items like firewalls (which we’ll explore in just a moment)
Administrative controls, or a series of policies and procedures that dictate how to secure an environment as well as how to react within that environment
Physical controls, or anything that protects any component or area on the network from being physically accessed and touched by someone who is not authorized to do so