Tools (Network Vulnerability Assessments)

This is a good place to discuss tools such as SamSpade and the audit features they offer. Most of these tools offer similar features and prove invaluable during a vulnerability assessment. SamSpade provides a GUI (graphical user interface) that expedites its configuration. It runs on Windows 9X, ME, NT, and XP. As part of its functionality, it performs queries such as whois, ping, DNS Dig (advanced DNS request and zone transfer), traceroute, finger, SMTP mail relay checking, and Web site crawling. Using SamSpade and similar tools is intuitive and self-explanatory, so it would be a waste of time to fully describe their features and configuration. However, before using this tool and others, auditors are cautioned to become familiar with their capabilities and risks. Additionally, all the tools listed below include very well written help files as part of their product (Exhibit 1).


Exhibit 1: SamSpade

Similar tools are easily found on the Internet, but caution is urged: be certain with whom you are doing business, and make certain the tools come from reputable vendors and locations. Examples of similar tools may be located at www.ipswitch.com (WS-Ping ProPack) and www.nwpsw.com (NetScan Tools).

Attentive auditors review the domain registration and notice the technical contact is not located at the same address and telephone exchange as the target enterprise. Several conclusions may be drawn from this information.

The Web host is a contractor or the company that has its hosting facilities located outside its headquarters.

The response also gives some insight into the e-mail naming conventions for the target. This information could be useful if an attacker wanted to find e-mail addresses she could target.
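As an added example (not from the book or from any of the tools it names), the following Python script parses a constructed whois response and flags contacts whose city or telephone exchange differs from the enterprise's own, the discrepancy the paragraphs above describe; it also lists the mail domains seen in the contact addresses. The domain, contact names, addresses and phone numbers are invented.

```python
import re

# Constructed sample of a whois response; every value here is invented.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.EXAMPLE
Registrant Name: Example Corp
Registrant Street: 100 Main Street
Registrant City: Springfield
Registrant Phone: +1.5555550100
Registrant Email: hostmaster@example-corp.example
Tech Name: Hosting Services Inc
Tech Street: 42 Datacenter Way
Tech City: Elsewhere
Tech Phone: +1.2125551234
Tech Email: noc@hosting-provider.example
Name Server: NS1.HOSTING-PROVIDER.EXAMPLE
"""

def parse_contacts(whois_text):
    """Return {role: {field: value}} for the Registrant/Admin/Tech lines."""
    contacts = {}
    for line in whois_text.splitlines():
        m = re.match(r"^(Registrant|Admin|Tech) (\w+):\s*(.*)$", line)
        if m:
            role, field, value = m.groups()
            contacts.setdefault(role, {})[field.lower()] = value.strip()
    return contacts

def phone_exchange(phone):
    """Area code plus exchange (six digits) from a +1.NPANXXXXXX style number."""
    digits = re.sub(r"\D", "", phone)
    if digits.startswith("1") and len(digits) == 11:
        digits = digits[1:]          # drop the North American country code
    return digits[:6]

def find_offsite_contacts(whois_text, enterprise_city, enterprise_phone):
    """Flag contacts whose city or telephone exchange differs from the enterprise's."""
    findings = []
    ent_exchange = phone_exchange(enterprise_phone)
    for role, fields in parse_contacts(whois_text).items():
        city_differs = fields.get("city", "").lower() != enterprise_city.lower()
        exch_differs = phone_exchange(fields.get("phone", "")) != ent_exchange
        if city_differs or exch_differs:
            findings.append((role, fields.get("name", ""), fields.get("email", "")))
    return findings

def contact_mail_domains(whois_text):
    """Mail domains used by the contacts, a hint at where e-mail is actually handled."""
    return sorted({e.split("@")[1].lower() for e in re.findall(r"[\w.+-]+@[\w.-]+", whois_text)})
```

Running `find_offsite_contacts(SAMPLE_WHOIS, "Springfield", "+1.5555550100")` on the sample flags only the Tech contact, the hosting contractor the text describes.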

In discovering more of the audit target, the auditor will look to the Internet for more information. Using such resources as www.google.com or www.hotbot.com will locate information about the target, its employees, and publicly available information. Google may also be used to query newsgroups for postings made by employees using the organization's domain name. This technique can be useful if employees are posting information about their company's vulnerabilities while using the organization's e-mail system.

Frequently, attackers publish the company's network vulnerabilities in newsgroups or chat rooms. Experienced auditors will query newsgroups and participate in chat rooms to determine if relevant system vulnerabilities are available.

Auditors often search public information areas such as the Securities and Exchange Commission database known as EDGAR (www.sec.gov) for information about the target's filings. Two of the most informative filings are the 10K and 10Q. The form 10Q provides visibility into the company's activities in the last quarter, while the 10K is an annual filing describing the company's previous year. Reviewing these documents can provide information about recent mergers and acquisitions. Entities recently blended to form today's organization may allow the auditor to discover already documented vulnerabilities that permit unauthorized entry.

Additionally, SEC filings and posted annual company reports provide a wealth of information for the attacker. It is not unusual for attackers to collect personal information about owners and senior managers, including private e-mail addresses, residences, financial holdings, automobile ownership, marital status, social security numbers, credit histories, etc.

In the case of smaller organizations, auditors may purchase subscriptions to services that provide detailed information about individuals on a query-fee basis. If the rules of engagement allow this type of review, the type of information available about the target's senior management is almost limitless. These agencies collect information from magazine subscriptions, real estate transactions, driver's permits, professional organizations, clubs, and innocuous areas such as dog and cat licensing. Companies using this type of information collection are legitimate and are easily locatable on the Internet. Not all companies use legal means of information collection; so be wary and deal only with reputable agencies.

Auditors must be fully aware that collecting private information is sensitive, but if the auditor can find the information, so can those who intend harm. It should be within the rules of engagement to discover available information. Auditors must make appropriate recommendations about information disclosed by employees that could jeopardize their safety. If a regulatory agency or law does not require disclosure of information, do not disclose it. Making this a matter of audit programs will ensure compliance with policy and procedures.

Auditors should carefully document their public information discoveries in a detailed schedule as part of their final report. Making a printout and including it as part of the work papers is an accepted practice. This information will become very useful as the vulnerability assessment continues.

If the rules of engagement permit the auditor to travel where attackers venture, it would be wise to enter the world of chat. Downloading a shareware chat client from www.mirc.com will provide the means to speak with others about their knowledge of the audit target's vulnerabilities. Using this vehicle requires a fair degree of skill and is not going to be valuable unless the auditor has used this communication medium previously. However, in the hands of a skillful professional, chatters frequently prove to know an organization's critical asset vulnerabilities and exploits.

Experience Note At a credit card clearinghouse, an auditor discovered several chat rooms and Web pages providing free scripts targeting the clearinghouse's Web site as well as open chats about the audit target's credit card network vulnerabilities. These scripts were designed to verify credit card information using the clearinghouse's computing facilities. When the auditor queried the persons chatting and the persons supporting the Web pages, it was discovered they were located virtually everywhere: Brazil, Russia, Philippines, Malaysia, and the United States. Auditors should not underestimate the value of chat rooms in determining an organization's vulnerabilities.

1 comment:

Doug said...

I posted an introduction and review of the SamSpade tool here:

http://dougvitale.wordpress.com/2011/11/21/samspade-and-samspade-org/

Pity that it hasn't been updated since 1999.
