Rob Pope had to take some deep breaths and look
inconspicuous while he waited for someone to approach the security
door.
When an employee opened the door and went through, he tailgated
them, followed unnoticed into the adjacent corridor and then
slipped into the heart of the building.
Once he was in, his heart stopped pounding and he began to take
on the role of a staff member. He sat down at a PC and began to
work. "I sat down at people's computers when they went to the
lavatory, and tapped away getting network configuration details and
downloading documents to a USB drive," he said. "No one asked who I
was."
It was Pope's first intrusion, but since then he has sneaked
into dozens of companies. Pope is not breaking the law, however -
he only infiltrates with permission. He works for
SecureTest, a company specialising in
penetration tests. Clients ask the company to target specific
elements of their IT infrastructure and identify
vulnerabilities.
This can involve physical intrusion, in which testers gain
access to different parts of the building - especially the server
room.
A common tactic by penetration testers is to leave their
business cards hidden in key spots, to be retrieved later on with
the client's executives in tow. Clients are also expected to
provide "get out of jail free cards" - signed letters releasing the
testers if they are caught.
Even when companies are convinced that their systems are
invulnerable, they are frequently surprised by test results.
Network managers often view their systems in terms of defence,
putting up obstacles that appear impregnable, but attackers do not
play by the rulebook.
Testers use undocumented techniques and exploit human error and
technical flaws to find their way into a system.
Some companies do not even configure their defences according to
the conventional rules. Instead, they leave gaping holes that
testers can simply stroll through.
"You think a place will be secure and you go in and you find
yourself using techniques that you were using 20 years ago," said
Dan Haagman, director of operations at information security
consultancy 7Safe.
One basic mistake that testers see even today is weak password
security, enabling them to guess their way into accounts. Another
is firewall misconfiguration. Rogue machines connected to the
network have also been good to Phil Huggins, chief technical
architect at security consultancy and penetration tester
Information Risk Management. He remembered one
particularly enjoyable test.
"We found a Windows NT4 system facing the internet, unfiltered,
and with no password on the administrator account, and the system
name was Trojan. It took 15 minutes to reach the crown jewels," he
said.
After the pre-test meetings, penetration tests start with
information discovery in which testers gather information about the
target. Techniques such as dumpster diving are common, in which
testers search through rubbish to find useful snippets of
information (do you know where the hard copies of your server logs
are?).
Searching newsgroups for information about the company can yield
results, and Google is a useful tool for those that know how to use
it.
The "site" prefix (for searching within a particular web domain)
and the "filetype" prefix (useful for searching for, say, Microsoft
Access files, Outlook databases or systems administration scripts)
can sometimes yield useful results - as can metadata gleaned from
documents retrieved from a company's website.
The target scanning phase lets the penetration tester assess the
size of what Haagman calls the company's "attack surface". The
greater the number of attackable points in the system (public IP
addresses, for example), the more opportunities there are for a
tester to get in.
Identifying potential doorways into a system leads to a
vulnerability assessment, in which the attacker rattles them to see
how vulnerable they are. Security testing tools such as Nessus are
useful here because they automate the process, flagging weak points
in known parts of the company's infrastructure.
The fun part is the penetration test, when the consultants
really get to go to work, blowing the doors open and finding
innovative ways to gain control of different parts of the
system.
The attack points and methods used by penetration testers have
changed over the past few years. "It all changed in 2000. Everyone
went online," said Huggins. "Before that, it was all infrastructure
based. It was all looking at networks, operating systems, patches
and so on."
As the number of web-based applications increased, attack
vectors became increasingly browser-based. Web applications can be
fruitful for hackers, said Pope. Common vulnerabilities include
exchanging user credentials over clear text before entering an
encrypted session, or simply not encrypting connections with SSL at
all.
One of the most dangerous web-based application attack vectors
open to penetration testers is SQL injection, in which SQL commands
are inserted into web input forms.
Poor input validation can miss these commands, enabling
attackers to modify database queries containing web form input
strings. Using this technique on a poorly-written system could let
a penetration tester copy your entire customer database, for
example.
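The flaw described above, shown as an added example rather than code from the article or from any of the firms it quotes: the same customer lookup built by pasting the web-form string into the query text, and again with a bound parameter. The customer table and the form inputs are constructed for the demonstration.

```python
"""SQL injection via poor input handling: vulnerable lookup beside
the hardened form. Added example; schema, rows and inputs are
constructed for the demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory customer table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "Alice", "alice@example.invalid"),
         (2, "Bob", "bob@example.invalid"),
         (3, "Carol", "carol@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn, form_input: str) -> list:
    """Web-form string concatenated straight into the SQL text, so
    whatever the user typed becomes part of the statement itself."""
    sql = "SELECT id, name, email FROM customers WHERE name = '" + form_input + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, form_input: str) -> list:
    """Same lookup with a bound parameter: the input travels as a value,
    never as SQL, so it can only match a name equal to the literal string."""
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (form_input,)).fetchall()


def demo() -> dict:
    """Run both lookups with an ordinary name and with the classic
    tautology that turns a one-row lookup into a full table dump."""
    conn = make_db()
    ordinary = "Alice"
    tautology = "' OR '1'='1"
    return {
        "vulnerable_ordinary": len(lookup_vulnerable(conn, ordinary)),
        "vulnerable_injected": len(lookup_vulnerable(conn, tautology)),
        "hardened_ordinary": len(lookup_hardened(conn, ordinary)),
        "hardened_injected": len(lookup_hardened(conn, tautology)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every customer row for the tautology input, which is the "copy your entire customer database" outcome the article warns of; the parameterised version returns none.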
"I did a training course with 10 developers last week. Only two
of them had heard of SQL injection, which amazed me," said Pope.
But web applications are now well known points of attack. The
emphasis is already switching to locally-run applications, said
Pope. Using exploits in Office and other applications can give
testers a way into a company, he said.
"People are filtering out .exe files sent via e-mail, but
everyone lets Word and PowerPoint files through," he said, adding
that the main danger now concerns flaws in the client code rather
than macro viruses.
Buffer overflows are only one kind of exploit that can be
generated by sending properly configured documents. "I wonder
whether people are really testing their workstations and proxy
servers against these kinds of attacks," said Pope.
The danger from poorly written or configured applications is
linked directly to unprotected inner defences. A company may spend
thousands of pounds securing the edge of its network, and pay
little attention to the infrastructure within.
Internal applications that were never supposed to be seen by
anyone from the public internet are often developed without
adequate security, said Huggins. Now, thanks to the prevalence of
IP networks and the ubiquity of HTTP (aka the firewall avoidance
protocol), they can easily be reached.
"Internal networks are still very soft inside, because people
rely on the fact that they are not on the internet and they have
some proxy filtering," said Huggins. "Once an intruder is on that
network, if it is soft then they have the capability to move
around."
This is compounded by a lack of network segregation, he said.
Network administrators are often too overworked to properly
configure virtual local area networks for security purposes.
It is a brave IT director who will invite someone to try to
break their network. If you are going to do it, you want someone
trustworthy. Poacher-turned-gamekeeper stories of companies hiring
known black-hat hackers are doubtless true, but Haagman does not
advise it.
"Security clearance is a very valuable thing these days," he
said. "Would you trust an ex-burglar to do a security audit on your
house? Would you have a convicted fraudster doing your tax
returns?"
The last question is interesting: the FBI and countless
financial institutions have hired former arch-fraudster Frank
Abagnale Jr to demonstrate his techniques, after all.
Regardless of who you think you are getting, there could be
consultants in the penetration testing community with chequered
backgrounds, said Martin O'Neal, managing director at penetration
testing firm Corsaire. His advice is to check out lots of
references on potential suppliers from your peers. Ask around and
do your own research.
There are accreditations for penetration testers - the
EC-Council has a certified ethical hacker qualification, for example.
The Open Information Systems Security Group - a non-profit body
whose phones are answered by a for-profit penetration testing
consultancy - has its own. Which accreditations should clients look
for?
7Safe has tried to avoid the credibility problems of conducting
the training, examination and awarding of the certification itself
by handing over the examination to the University of Glamorgan.
The university examines contenders for the consultancy's
certified security testing certificate and certified security
training professional courses, but lets 7Safe certify professionals
and hand out the certificates. 7Safe and the university have also
combined to produce a postgraduate certificate in penetration
testing and information security.
O'Neal still prioritises Check, the accreditation scheme for
security consultants provided by Government Communication
Headquarters' information assurance arm, the CESG. Check is
designed for public sector contractors and includes a security
clearance element.
Commercial companies have been using Check as a criterion for
selecting security providers, but sources suggest that the
commercial IT sector, led by the Intellect trade association, is
preparing another penetration testing standard designed exclusively
for the commercial sector. It could be launched as soon as
March.
In the meantime, some penetration testing experts stand by the
Open Source Security Testing Methodology Manual. It is a
methodology for security testing developed by the Institute for
Security and Open Methodologies.
If you are going to let a company this close to your network, be
sure to lay out the ground rules. In the pre-test meeting, the IT
department should establish which parts of the network are to be
tested and how far the testers may go. You may not want someone
trying to own your mission-critical transaction server, but it may
be acceptable for them to identify potential ways into that server.
How "noisy" should the attack become? Should attackers remain
covert, or push the test as far as they can go and become
increasingly blatant until they are caught?
What objectives exist along the way? Step one might be finding
the chief executive's private e-mail address. The final step might
be gaining physical access to the administrator's workstation.
Hopefully, proper vetting should avoid the same problem that
O'Neal recalled befalling one company. One new supplier was keen to
form a relationship, so offered a large e-commerce company (let's
call them X.com) a free penetration test. "They proudly presented
their results, whereupon the company's staff pointed out that they
had tested Y.com, which was owned by a different organisation
altogether," he said.
That is one scenario where a penetration tester definitely would
not get the chance to leave any business cards lying around.