IP Address Confirmation & Assessment Safety (Network Vulnerability Assessments)

IP Address Confirmation
In this step, business functions must be mapped to physical systems, and information about how those systems operate must be recorded. It is a wise audit step to obtain a list of the organization's IP addresses, to whom they are assigned, and where they are assigned, including the type of device. DNS name resolution can be used, but if something happens to the name server, or if an IP address resolves incorrectly, the auditors' work could be slowed or the wrong systems could be audited.

Ownership of the IP addresses should be verified and confirmed before beginning the assessment. A very simple but effective tool for IP resolution, with a host of other features, is available from www.samspade.org. This tool is intuitive, easily configurable, and automatically selects the correct Internet registration authority to report IP address ownership. Confirming IP addresses is good audit practice and serves to verify whether the organization has accurately completed its asset inventory.
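
To make the confirmation step concrete, here is an added example (not from the original text) that reconciles an asset inventory against reverse-DNS answers and registry netblock ownership of the kind SamSpade or whois/dig would return. The inventory, DNS answers, owners and addresses (documentation ranges) are all constructed for illustration.

```python
"""Reconcile an asset inventory against DNS and netblock-ownership data.
Added example, not part of the original text; every value below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    owner: str      # business unit the inventory says owns the device
    device: str     # e.g. "web server", "printer"


# Constructed inventory as supplied by the organization.
INVENTORY = [
    Asset("192.0.2.10", "www.example.test", "Marketing", "web server"),
    Asset("192.0.2.11", "mail.example.test", "IT", "mail server"),
    Asset("198.51.100.5", "crm.example.test", "Sales", "app server"),
]

# Constructed reverse-DNS answers (what a PTR lookup would return).
REVERSE_DNS = {
    "192.0.2.10": "www.example.test",
    "192.0.2.11": "smtp-old.example.test",   # stale name versus inventory
    "198.51.100.5": "crm.example.test",
    "192.0.2.12": "dev.example.test",        # not in the inventory at all
}

# Constructed registry (whois) netblock ownership.
NETBLOCK_OWNERS = {
    "192.0.2.0/24": "Example Corp",
    "198.51.100.0/24": "Hosting Contractor Ltd",
}

CLIENT_ORG = "Example Corp"


def netblock_owner(ip: str, owners: Dict[str, str] = NETBLOCK_OWNERS) -> Optional[str]:
    """Return the registered owner of the netblock containing ip, if any."""
    addr = ipaddress.ip_address(ip)
    for net, owner in owners.items():
        if addr in ipaddress.ip_network(net):
            return owner
    return None


def reconcile(inventory: List[Asset], reverse_dns: Dict[str, str],
              client_org: str) -> List[Tuple[str, str]]:
    """Return (ip, finding) pairs for the auditor's work papers.

    A host with no finding agrees on all three sources: inventory, DNS and
    registry ownership. Anything else needs a question answered before a
    scanner is pointed at it.
    """
    findings = []
    inventoried = {a.ip for a in inventory}
    for asset in inventory:
        owner = netblock_owner(asset.ip)
        if owner is None:
            findings.append((asset.ip, "no registry record; confirm ownership before scanning"))
        elif owner != client_org:
            findings.append((asset.ip, f"netblock registered to {owner}; obtain that party's authorization"))
        ptr = reverse_dns.get(asset.ip)
        if ptr is None:
            findings.append((asset.ip, "no reverse DNS; target by IP address, not by name"))
        elif ptr != asset.hostname:
            findings.append((asset.ip, f"reverse DNS says {ptr}, inventory says {asset.hostname}"))
    # Hosts that answer in the client's own netblocks but were never inventoried.
    for ip in reverse_dns:
        if ip not in inventoried and netblock_owner(ip) == client_org:
            findings.append((ip, "resolves in client netblock but missing from inventory"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, finding in reconcile(INVENTORY, REVERSE_DNS, CLIENT_ORG):
        print(f"{ip:15} {finding}")
```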

Assessment Safety
Although auditors will have the best intentions, it is a wise practice to have a safety protocol for those moments when adverse things happen. When auditors download freeware/shareware or purchase their tools, it is a wise procedure to scan these utilities for malware. It only takes a moment to update the antivirus software and scan the product for worms, viruses, and Trojans.

The audit itself is not the time to experiment with a new tool. An audit tool should be carefully exercised so that the auditor has a thorough knowledge of its use before employing it in an audit. Additionally, assessment tools should be updated as new versions become available. Newer versions will likely address newly announced weaknesses that older versions miss.

Auditors should have emergency contact information for appropriate management levels for each of the sections they are evaluating. These contacts must be reachable 24/7. It is the experience of most system auditors that if anything can go wrong, it will, and at the least opportune moment.

Experience Note Murphy's Law will be in full effect during every audit step; plan on it.

Auditors should document all their actions and all information captured during the assessment. Notes should be recorded to a central file for each member of the audit team. Some auditors go so far as to enable keystroke logging on their workstations to record all their actions. Record all IP addresses and netmasks targeted by your scanner tools. It is important to note whenever your own system's IP address changes during the assessment. This will help you stay focused and on track when performing the assessment, and it will simplify configuring the scanning tools. Using the IP addresses from the organization's inventory will shorten the time scanning tools are run; in this fashion, auditors only have to cover the territory once. Auditors should document the start and stop times of their tools. These documents will comprise a section of the auditor's work papers and will be referenced in the audit report.

Discovering the Character of the Audit Target
As a general first step, auditors research public source information about the audit target. One of the most logical steps is to look up the audit target's domain registration information. There are many Web sites that provide Internet domain registration lookups. These are just a few:

www.arin.net

www.networksolutions.com

www.allwhois.com

Social Engineering (Network Vulnerability Assessments)

Social engineering is the tactic of making contact with the organization or persons associated with it and, through ruse, pretext, or misdirection, attempting to gain information that would facilitate an unauthorized intrusion. It is possibly the least popular means of auditing a system and must be thoroughly addressed as a tenet in the rules of engagement for the vulnerability assessment. Social engineering tests employees and their training.

Experience Note When organizations suffer a successful social engineering attack, it makes banner headlines. Employee training and compliance auditing will help in avoiding these disasters.

Auditors and senior managers must be mindful that attackers are employing these tactics, so using them in a measured fashion has great benefits in probing vulnerabilities. In essence, social engineering involves getting employees to voluntarily surrender information that can be used to gain an advantage that would not be available without it. It can be as easy as a telephone conversation, going through someone's wastepaper basket, or using an unprotected workstation.

The primary tool of the social engineer is the telephone. Typically, a talented auditor can obtain more critical information and cause greater damage by making a few telephone calls than the best network attacker. Among the most common approaches are:

  • Posing as a member of the target organization's technical support staff

  • Playing the role of a disgruntled customer/user seeking a password change

  • Calling the technical support staff and enlisting their aid in getting a workstation connected to their network

  • Going through the waste paper baskets located in open office areas after work hours and before it is collected

  • Using unattended workstations or servers

  • Going through the trash collected by the maintenance staff

  • Going through the organization's dumpster (consider this a major undertaking and avoid unless deemed necessary)

  • Making copies of notes and other materials left out on desks after hours

Experience Note One of the most interesting, inventive, and legendary social engineering activities was the new maintenance employee who was seen posting small signs around an office area. These signs announced a new telephone number for the company's technical support unit. When one of the senior managers asked the employee who it was that requested she post the signs, she responded that she was new and did not know the person who asked. The manager did not follow it up any further. After about a week, the company's technical support staff sent an e-mail to their manager asking what had happened to all their calls. They had not received a trouble call in several days. It was discovered that when calls were made to the "new" telephone number for the technical support unit, a recorded message stated that all agents were busy and requested the caller to verify his identity with network logon name and password. It was discovered that the callers' network accounts had been accessed and sensitive information taken through terminals located inside the company during off-duty hours. Additionally, the organization had not verified the identity and background of the maintenance person.

If the rules of engagement permit, auditors can use social engineering to gain access to the company's systems. For example, an auditor not previously introduced to the target organization arrives early and loiters near the entrance. When an employee passes security and enters the office space, the auditor, acting as a new employee, offers the excuse that they are new and have forgotten their identification badge, and follows the employee inside. Or an auditor telephones the network administrator, misrepresents himself as a member of the management staff, and asks to have the manager's e-mail account password reset. The administrator provides a one-time-use password without verifying the caller's identity, and the auditor accesses the manager's e-mail account. Should such tactics be allowed? If the audit is going to test the risk management training provided to the employees, the answer is yes. Regardless, the use of social engineering tests must be addressed in the rules of engagement. If auditors do not test the system's vulnerabilities, attackers will. Again, it is not a matter of if an attacker attempts this type of intrusion; it is only a matter of when.

Senior managers and auditors must arrive at an understanding of whether employees are going to be advised of the system testing or not. If employees are aware of system testing, they will likely be on guard and on their best behavior. However, if the rules of engagement allow the auditors to fully explore and exploit, and the system crashes due to an attack, forewarned administrators can take appropriate action without panic. Not advising employees has its own advantages, in that auditors will observe how employees truly react to system attacks and how recovery efforts are carried out. Obviously, telling or not telling employees of the system assessment is a matter for careful consideration by senior managers, with the decision fully documented in the rules of engagement. When employees are not notified, safeguards are typically deployed to avoid embarrassing calls being made to law enforcement.

The last area of preparation is permission. Appropriate levels of permission must be obtained before conducting this type of system vulnerability assessment. This is an area of good judgment. Auditors must do a thorough job, but they cannot damage any critical assets in any fashion, including employee morale. On the other hand, the more realistic these tests are, the more useful their results will be. Use good judgment in crafting the rules of engagement and obtaining the appropriate levels of permission.
Tools (Network Vulnerability Assessments)

This is a good place to discuss tools such as SamSpade and the audit features they offer. Most of these tools offer similar features and prove invaluable during a vulnerability assessment. SamSpade provides a GUI (graphical user interface) that expedites its configuration. It runs on Windows 9X, ME, NT, and XP. As part of its functionality, it performs queries such as whois, ping, DNS Dig (advanced DNS requests and zone transfer), traceroute, finger, SMTP mail relay checking, and Web site crawling. SamSpade and similar tools are intuitive and self-explanatory, so it would be a waste of time to fully describe their features and configuration. However, before using this tool and others, auditors are cautioned to become familiar with their capabilities and risks. Additionally, all the tools listed below include very well written help files as part of their product (Exhibit 1).

Exhibit 1: SamSpade

Similar tools are easily found on the Internet, but caution is urged: make certain with whom you are doing business, and make certain the tools come from reputable vendors and locations. Examples of similar tools may be located at www.ipswitch.com (WS-Ping ProPack) and www.nwpsw.com (NetScan Tools).

Attentive auditors review the domain registration and may notice that the technical contact is not located at the same address and telephone exchange as the target enterprise. Several conclusions may be drawn from this information.

The Web host is a contractor, or the company has its hosting facilities located outside its headquarters.

The response also gives some insight into the e-mail naming conventions for the target. This information could be useful if an attacker wanted to find e-mail addresses she could target.

In discovering more of the audit target, the auditor will look to the Internet for more information. Using such resources as www.google.com or www.hotbot.com will locate information about the target, its employees, and publicly available information. Google may also be used to query newsgroups for postings made by employees using the organization's domain name. This technique can be useful if employees are posting information about their company's vulnerabilities while using the organization's e-mail system.

Frequently, attackers publish the company's network vulnerabilities in newsgroups or chat rooms. Experienced auditors will query newsgroups and participate in chat rooms to determine if relevant system vulnerabilities are available.

Auditors often search public information areas such as the Securities and Exchange Commission database known as EDGAR (www.sec.gov) for information about the target's filings. Two of the most informative filings are the 10-K and 10-Q. The form 10-Q provides visibility into the company's activities in the last quarter, while the 10-K is an annual filing describing the company's previous year. Reviewing these documents can provide information about recent mergers and acquisitions. It is possible that the entities recently blended to form today's organization have already documented vulnerabilities that the auditor can discover and that could permit unauthorized entry.

Additionally, SEC filings and posted annual company reports provide a wealth of information for the attacker. It is not unusual for attackers to collect personal information about owners and senior managers, including private e-mail addresses, residences, financial holdings, automobile ownership, marital status, social security numbers, credit histories, etc.

In the case of smaller organizations, auditors may purchase subscriptions to services that provide detailed information about individuals on a query-fee basis. If the rules of engagement allow this type of review, the type of information available about the target's senior management is almost limitless. These agencies collect information from magazine subscriptions, real estate transactions, driver's permits, professional organizations, clubs, and innocuous areas such as dog and cat licensing. Companies using this type of information collection are legitimate and are easily locatable on the Internet. Not all companies use legal means of information collection, so be wary and deal only with reputable agencies.

Auditors must be fully aware that collecting private information is sensitive, but if the auditor can find the information, so can those who intend harm. It should be within the rules of engagement to discover available information. Auditors must make appropriate recommendations about information disclosed by employees that could jeopardize their safety. If a regulatory agency or law does not require disclosure of information, do not disclose it. Making this a matter of audit programs will ensure compliance with policy and procedures.

Auditors should carefully document their public information discoveries in a detailed schedule as part of their final report. Making a printout and including it as part of the work papers is an accepted practice. This information will become very useful as the vulnerability assessment continues.

If the rules of engagement permit the auditor to travel where attackers venture, it would be wise to enter the world of chat. Downloading a shareware chat client from www.mirc.com will provide the means to speak with others about their knowledge of the audit target's vulnerabilities. Using this vehicle requires a fair degree of skill and is not going to be valuable unless the auditor has used this communication medium previously. However, in the hands of a skillful professional it is valuable: chatters frequently know an organization's critical asset vulnerabilities and exploits.

Experience Note At a credit card clearinghouse, an auditor discovered several chat rooms and Web pages providing free scripts targeting the clearinghouse's Web site, as well as open chats about the audit target's credit card network vulnerabilities. These scripts were designed to verify credit card information using the clearinghouse's computing facilities. When the auditor queried the persons chatting and the persons supporting the Web pages, it was discovered they were located virtually everywhere: Brazil, Russia, the Philippines, Malaysia, and the United States. Auditors should not underestimate the value of chat rooms in determining an organization's vulnerabilities.

Rules of Engagement (Network Vulnerability Assessments)

Rules of engagement govern the level and extent of vulnerability assessment efforts. Develop a written agreement between the audit manager and appropriate levels of senior management, because the vulnerability assessment process is extremely invasive. In this statement the questions of who, what, when, where, and how should be thoroughly but briefly addressed. For example: the purpose of this vulnerability assessment is to test the effectiveness of the procedures ensuring that attackers cannot obtain unauthorized access to the organization's critical assets of human resources, data, and physical resources.

Assessment procedures define the methods and means by which the various evaluation events will take place. These procedures can be expressed in the following areas:

  • Assessment standing. Determine and define when the assessment will begin, the scope of the assessment, and when the assessment will end.

  • Vantage point. What will be the vantage point of the assessment? Should the auditors consider themselves as outside the organization, or inside the organization? Obviously, the vantage point will affect the assessment objectives and the time involved. In the insider vantage point, the auditors are provided as much pertinent information as possible. For example, auditors will have the source code for CGI scripts, network topology and architecture, IP addresses, etc. With this degree of information, the auditors may test the system more thoroughly, looking for subtle flaws that might otherwise escape notice. This approach also saves time and resources.

On the other hand, outsider testing provides little, if any, relevant system information to the auditors, in the anticipation that their stance is that of an outside attacker. This approach requires a great deal of time and effort to complete an accurate and meaningful assessment. Proponents of this type of assessment claim it provides a realistic approach to system evaluation, in light of the fact that outside attackers will not have insider information. The fact of the matter is that, with the large number of attacks attempting to gain access or deny services, this approach requires a significant time investment, and new vulnerabilities are likely to be announced before the assessment can test for them.

There are two more vulnerability assessment modes, passive and aggressive. Passive testing means the auditor can take only a distant view, essentially a "looking glass" approach. This is a safe way of testing, but it is not going to provide the type of detail that should be narrated in the "findings" section of an audit report. The auditor discovers a system's vulnerability and reports findings without further exploration and system exploitation. Aggressive testing takes the approach of exploiting all discovered vulnerabilities and exploring just how far the auditor can penetrate the system.

How far should the auditor pursue an exploit? The answer should be explicitly detailed in the rules of engagement. However, it is recommended that the auditor pursue a vulnerability to the extent possible without doing damage to the system. Only in this fashion can the risk potential be measured and reported. It is further recommended that in a system vulnerability assessment, the procedure should be to locate a weakness, exploit it, and leverage that weakness to gain wider access to the target system.

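
As an added illustration (not from the original text), the following encodes a constructed set of rules of engagement and gates each proposed assessment action against the agreed window, scope, mode, exploit depth, social-engineering permission and 24/7 contact requirement, logging every decision with a timestamp for the work papers. The dates, netblocks, action names and contact are all assumptions made for the example.

```python
"""Gate assessment actions against the written rules of engagement.
Added example, not part of the original text; all values are constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

@dataclass
class RulesOfEngagement:
    starts: datetime            # assessment standing: when it begins
    ends: datetime              # ... and when it ends
    scope: List[str]            # authorized netblocks
    mode: str                   # "passive" or "aggressive"
    max_exploit_depth: int      # 1 = locate, 2 = exploit, 3 = leverage for wider access
    social_engineering: bool    # whether pretext calls and the like are permitted
    contacts_24x7: List[str]    # emergency contacts that must be on file

# Minimum mode and depth each kind of action needs. Depth mirrors the text's
# "locate a weakness, exploit it, leverage it for wider access" progression.
ACTION_REQUIREMENTS: Dict[str, Tuple[str, int]] = {
    "scan": ("passive", 1),
    "exploit": ("aggressive", 2),
    "leverage": ("aggressive", 3),
    "phone_pretext": ("passive", 1),   # additionally gated by social_engineering
}

def authorize(roe: RulesOfEngagement, action: str, target_ip: str,
              when: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    if not roe.contacts_24x7:
        return False, "no 24/7 emergency contact on file"
    if not roe.starts <= when <= roe.ends:
        return False, "outside the agreed assessment window"
    addr = ipaddress.ip_address(target_ip)
    if not any(addr in ipaddress.ip_network(n) for n in roe.scope):
        return False, f"{target_ip} is not in the authorized scope"
    if action not in ACTION_REQUIREMENTS:
        return False, f"unknown action {action!r}"
    needed_mode, needed_depth = ACTION_REQUIREMENTS[action]
    if needed_mode == "aggressive" and roe.mode != "aggressive":
        return False, "passive engagement: report the finding, do not exploit it"
    if needed_depth > roe.max_exploit_depth:
        return False, f"depth {needed_depth} exceeds agreed maximum {roe.max_exploit_depth}"
    if action == "phone_pretext" and not roe.social_engineering:
        return False, "social engineering not permitted by the rules of engagement"
    return True, "permitted"

def log_action(log: List[str], roe: RulesOfEngagement, action: str,
               target_ip: str, when: datetime) -> bool:
    """Record every decision, allowed or not, with a timestamp for the work papers."""
    allowed, reason = authorize(roe, action, target_ip, when)
    log.append(f"{when.isoformat()} {action} {target_ip} {'ALLOW' if allowed else 'DENY'}: {reason}")
    return allowed

# Constructed rules: aggressive mode, but no leveraging of access beyond the
# first exploited host and no social engineering.
EXAMPLE_ROE = RulesOfEngagement(
    starts=datetime(2024, 3, 4, 8, 0), ends=datetime(2024, 3, 8, 18, 0),
    scope=["192.0.2.0/24"], mode="aggressive",
    max_exploit_depth=2, social_engineering=False,
    contacts_24x7=["operations manager (constructed contact)"],
)

def demo() -> Tuple[Dict[str, bool], List[str]]:
    """Run a handful of proposed actions through the gate."""
    log: List[str] = []
    t = datetime(2024, 3, 5, 10, 0)
    results = {
        "scan_in_scope": log_action(log, EXAMPLE_ROE, "scan", "192.0.2.10", t),
        "scan_out_of_scope": log_action(log, EXAMPLE_ROE, "scan", "198.51.100.5", t),
        "exploit": log_action(log, EXAMPLE_ROE, "exploit", "192.0.2.10", t),
        "leverage": log_action(log, EXAMPLE_ROE, "leverage", "192.0.2.10", t),
        "pretext": log_action(log, EXAMPLE_ROE, "phone_pretext", "192.0.2.10", t),
        "after_window": log_action(log, EXAMPLE_ROE, "scan", "192.0.2.10", datetime(2024, 3, 9, 9, 0)),
    }
    return results, log
```

Every denied request still lands in the log, so the work papers show not only what was done but also what the auditor was stopped from doing and why.
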
The Practical Examination of Your System (Network Vulnerability Assessments)

Network vulnerability assessment is a hands-on approach to ascertaining your system's obvious vulnerabilities and their locations. There are many risks associated with these types of audits that go largely ignored by senior managers.

Experience Note An auditor was examining the business' network software development process for compliance with the company's policy and procedures. She discovered the programmers and engineers were not observing any of the policy requirements and were basically approaching their development phases in a haphazard fashion. She detailed her findings in a preliminary report to senior managers, who told her that they had evolved past the SDLC and other quality methods. Instead, they were writing their code, installing it, and using the network vulnerability assessment as a quality control to determine any weaknesses existing in their software. Her audit report findings were lengthy and specific.

In conducting network and other types of practical vulnerability assessments, it is paramount that auditors adopt a holistic view of auditing. Auditing is the process by which prohibited, abusive, and irregular activities are found and reported. If a concerted auditing effort is adopted, the entire system, consisting of the three pillars of human resources, data, and physical facilities, will be measured as part of risk management and operational efficiency.

Vulnerability assessments only measure those vulnerabilities that are within the scope of the rules of engagement, within the knowledge of the auditors, and present in the system at the time of the assessment. It should be made clear that network vulnerability assessments must be considered as part of the whole audit picture. They do not compensate for poor systems design and management.

Network vulnerability assessments are the part of the audit program whose purpose is the practical identification of system vulnerabilities. If vulnerabilities are found, and they will be found, they will be reported as findings, accompanied by recommendations, in the audit report. It is a fair statement that you cannot repair system weaknesses unless you locate them first. If, during a comprehensive audit, senior managers fail to locate and repair system vulnerabilities, it is a safe bet that attackers inside and outside the organization will find and exploit them. The general goals and objectives of system vulnerability assessments are as follows:

  • Measure levels of system risks.

  • Ascertain practical compliance with the organization's policies and procedures. (This usually involves a high degree of employee and senior manager embarrassment.)

  • System vulnerability assessments comprise an important part of the comprehensive auditing effort and clearly demonstrate professional due diligence.

Audit team members should be carefully selected for their experience, people skills, communications skills, good judgment, system knowledge, and knowledge of software and intrusion and attacker tactics. It is recommended they have a good knowledge of programming in languages such as C, C++, Java, and Perl. Programming skills and network knowledge enable auditors to review open source tools, fix or modify them, and write their own programs if necessary. It is worth remembering that running automated tools without an understanding of the underlying protocols and issues is dangerous and generally will not provide sufficient insight when documenting findings in the audit report. Skills such as persuasive sales are a valuable commodity if the audit team is going to engage in social engineering. Often the question is asked whether this is "white-hat," "black-hat," or "gray-hat" system attacking.

Experience Note Personally, the author thinks the "hat" business is a bit of nonsense. Some organizations are caught up in the idea of hiring individuals of questionable character, but who have a great deal of skill. Many are convicted felons. Think of this example: "Would you hire a professional thief to make a security survey of your business?" Prudent business managers should engage professionals of known abilities with impeccable references, not soon-to-be indicted attackers.

Questions arise as to whether organizations should outsource system vulnerability assessments or develop the skills internally. Correct answers are not easily decided, as there are advantages and disadvantages on both sides. There is some degree of risk in outsourcing vulnerability assessments unless a significant amount of research is done.

Experience Note There are many outside "system security consultants" that are reformed attackers. Some have even spent time in prison for their criminal behavior, while others have been defendants in lawsuits centered on their unlawful behavior.

So before contracting outside vulnerability auditors, it is prudent to discuss their backgrounds, experience, bonding, the length of time they have been in business, and references. Demand that they provide a long list of satisfied clients and a few that were not so satisfied. Contracts should be carefully crafted, enumerating liabilities and responsibilities.

It is strongly recommended that several lawyers having experience with services of this nature review the details of the contract before it is finalized.

It is the practice of most consultants to spend an inordinate amount of time keeping their skills current to explore and exploit system weaknesses. For some, skills improvement and bragging rights are something that borders on obsession. On their own time, they explore system weaknesses to the exclusion of other pursuits. Many consultants can tell you about successfully gaining root access to systems that were considered impregnable by their owners. Regardless, if the decision is made to use contractors, your sensitive assets are subject to capture by outsiders. You are giving them the key to the business' crown jewels.

Experience Note It is quite likely that today's system audit consultant will not be employed by the firm for more than a short time. She will still know your system's vulnerabilities should she decide to exploit them.

If the organization decides to develop inside talent, there are many suitable training courses available that can provide the skills necessary to perform a respectable system vulnerability assessment. Training of this nature is valuable and can be used as part of an employee development program. It is important to note that systems auditing skills are a serious commitment, in that they require constant upgrading and expansion as new technologies emerge and new weaknesses are announced.