Pen Testing


No matter what you do or what your technical ability is, there is usually something nagging at the back of your mind.  It may be more prominent at certain times, like right after you have worked with your accounts in on-line banking, and less of a consideration when you are playing a game or just wandering the internet, but it is always there.  "Is my data safe?"  "Is there someone out there who can, or already is, accessing my confidential personal information?"  What can we do to protect ourselves?  What about corporations?  Corporations hold confidential information on millions of people.  What are they doing to protect your information from criminal hackers?  We're going to talk about that very topic today.  Corporations do in fact have something at their disposal not only to evaluate their system security, but to put it through a real-world test.

Penetration Testing

From Conducting a Penetration Test on an Organization we learn that one of the most valuable processes a corporation can adopt to protect itself from outside attack is a system examination known as Penetration Testing.  A penetration test uses technical tools and methods to evaluate the strength of an organization's security and to find out whether exploitable vulnerabilities exist.  Other forms of security testing, such as a vulnerability scan, look over internal systems for obvious issues: poorly patched systems, open network ports that no application or device actually needs, and even systems lacking anti-virus software.  A penetration test does this as well, and then goes further: it uses the same tools a criminal hacker would and actually tries to break into the corporation's systems.  So by having a penetration test performed, a corporation can see how it would hold up, and how it would react, when "under fire" from a real attacker.


Different Methods of Penetration Testing


So how do testers go about a penetration test? Symantec describes two main approaches.

  • “Black-Box” testing is used when the testers know nothing about the target they are evaluating.  They do not know the network configuration or the server types; they may not even know where the head office is located.  The testers start completely blind, which is the same position an outside attacker starts from.  This not only tests the protections a corporation has in place, it also shows how much information about the internal systems is available to a stranger.  If an attacker cannot learn anything about your internal systems, getting into them becomes much harder.
  • “White-Box” testing, as you have likely guessed, is the opposite of black box.  Here the testers are given full access to the target's systems and configurations.  They know all about the environment, and usually the employees know about the testers.  In this case the testers combine their knowledge of the system with their knowledge of how attackers work and look for ways in from there.  Because it skips the reconnaissance phase, it says less about what an outsider could discover on their own, but since nothing is hidden from the testers it usually gives a more complete evaluation of a corporation's system security in the time available.


What is Looked for in a Penetration Test


A penetration test will assess a number of areas of a corporation's IT security. The Open-Source Security Testing Methodology Manual (OSSTMM) gives a good explanation of what the testers are actually evaluating.

  • Visibility: What the security controls can see and log.  This includes email, communication devices (telephones) and network traffic.
  • Access: The points at which someone can reach the inner network.  These need not be a computer system or a network port; they include web pages and any other public-facing connection.
  • Trust: The kinds and number of authentication systems, access controls and confidentiality measures between two or more systems (or even people) under a corporation's security umbrella.  Trust in people covers the process for changing passwords and how support is provided (for example remote control from outside the office).
  • Safety: Can a compromised system affect and harm other systems on the network?  If a compromise is detected, can the affected system be isolated until it is repaired?  Can a single compromised system be detected at all?
  • Alarm: This is probably the most important test, as it evaluates whether compromising activity produces timely and appropriate notification and response.  Basically: can a corporation detect that it has been compromised, and if so, can it halt the attack, determine and correct the damage, and preserve anything that helps catch the attacker?
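
The Alarm dimension above asks whether an attack is noticed in time. As an added example (not code from the original post or from the OSSTMM), here is a small Python detector run over constructed sshd log lines: it flags a source address that fails to log in five or more times within a minute, which is what a password-guessing run looks like in the logs, and records whether a successful login followed. The log lines, hostname, user names, addresses and the year assumed for the syslog timestamps are all made up for the example.

```python
"""Sliding-window detector for password-guessing bursts in sshd logs
(added example). Flags a source that fails login `threshold` times within
`window_seconds`, and records whether a successful login followed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in syslog/sshd format; host, users and addresses are made up.
SAMPLE_LOG = """\
Mar 10 09:12:01 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 09:12:02 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 10 09:12:02 bastion sshd[2212]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 10 09:12:03 bastion sshd[2213]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 10 09:12:04 bastion sshd[2214]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 10 09:12:05 bastion sshd[2215]: Failed password for root from 203.0.113.45 port 51027 ssh2
Mar 10 09:12:06 bastion sshd[2216]: Accepted password for root from 203.0.113.45 port 51028 ssh2
Mar 10 09:30:00 bastion sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 09:35:00 bastion sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, source_ip) or None for other lines.
    Syslog omits the year, so one is assumed for the timestamp arithmetic."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """One pass over the log. Returns a list of alert dicts, one per source
    that crossed the threshold, in the order they were first flagged."""
    recent = defaultdict(deque)   # src -> timestamps of failures in the window
    flagged = {}                  # src -> its alert dict, once raised
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "Failed":
            window = recent[src]
            window.append(ts)
            # Drop failures that fell out of the window (never empties: ts itself stays).
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if src in flagged:
                flagged[src]["failures"] += 1
                flagged[src]["last"] = ts
            elif len(window) >= threshold:
                flagged[src] = {"src": src, "failures": len(window),
                                "first": window[0], "last": ts,
                                "success_after": None}
                alerts.append(flagged[src])
        elif src in flagged and flagged[src]["success_after"] is None:
            # A success right after a burst of failures is the worst case:
            # the guessing worked. Record who got in and when.
            flagged[src]["success_after"] = (user, ts)
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['src']}: {a['failures']} failures {a['first']:%H:%M:%S}-"
              f"{a['last']:%H:%M:%S}, success after: {a['success_after']}")
```

Run on the constructed sample it raises one alert for 203.0.113.45 (six failures in five seconds, then a successful root login) and nothing for the single mistyped password from 198.51.100.7. The threshold and window are the knobs a real Alarm test would tune: too tight and a forgetful user sets off pages, too loose and a slow, patient guess loop sails under it.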


Tools of a Penetration Tester and also a Hacker


There are many tools available to both hackers (although some may create their own) and penetration testers.

  • Nmap -  Builds a map of a network by discovering the hosts on it and the services they run.  It can also fingerprint the operating system a host is running, which allows OS-specific follow-up tests (are the systems patched against known vulnerabilities?).
  • Nessus -  Scans computer systems and networks for vulnerabilities.  It checks for known remote vulnerabilities (missing patches), poor configuration (such as an open email relay), and common default passwords that are still in use, and if its safe-checks option is turned off it can also run checks that may crash a service, in effect a denial of service attack.
  • THC Hydra -  An online password-guessing tool: it fires login attempts at a live service using lists of user names and passwords.  It can submit logins to website forms, and it is not limited to websites; it supports a number of protocols including FTP and SSH.
  • Cain & Abel -  A Windows password recovery tool that uses a multitude of methods to obtain user passwords.  It can sniff credentials off the local network, crack captured password hashes with brute-force and dictionary attacks, and even record VoIP conversations from the wire.
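
As an added example of what the first tool on that list does underneath, and not code from the original post or from the Nmap project, here is a minimal TCP connect scan in Python with banner grabbing. It starts its own throwaway listener on 127.0.0.1 so it runs offline; the banner string, the port numbers and the patterns in guess_service are assumptions for illustration. Real Nmap adds half-open SYN scans, timing control, OS fingerprinting and a large probe database on top of this, but the open/closed/filtered distinction and the "read what the service says first" idea are the same.

```python
"""Minimal TCP connect scan with banner grabbing (added example; the idea
behind nmap -sT with a -sV style service probe). Scans a throwaway listener
on 127.0.0.1 started by this same script, so no real network is touched."""
import socket
import threading


def serve_banner(banner, host="127.0.0.1"):
    """Start a stand-in service on an ephemeral port that greets every client
    with `banner` and hangs up. Returns (listening_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))           # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:       # listener closed: shut the thread down
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def find_closed_port(host="127.0.0.1"):
    """Bind-then-release an ephemeral port so we know one nothing listens on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def scan_port(host, port, timeout=0.5):
    """Full TCP handshake against one port, then read whatever the service
    says first. Returns (state, banner) with state open/closed/filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", b""      # RST came back: nothing listening
    except (socket.timeout, OSError):
        s.close()
        return "filtered", b""    # no answer at all: dropped by a firewall?
    try:
        banner = s.recv(256)      # many services speak first (SSH, SMTP, FTP)
    except (socket.timeout, OSError):
        banner = b""              # silent service; nmap would send probes here
    finally:
        s.close()
    return "open", banner


def guess_service(banner):
    """Crude fingerprint from the greeting; assumed patterns, not nmap's DB."""
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner.startswith((b"220 ", b"220-")):
        return "smtp" if b"SMTP" in banner.upper() else "ftp"
    return "unknown"


def scan_range(host, ports, timeout=0.5):
    """Scan each port; map port -> (state, service_guess_or_None, banner)."""
    results = {}
    for port in ports:
        state, banner = scan_port(host, port, timeout)
        service = guess_service(banner) if state == "open" else None
        results[port] = (state, service, banner)
    return results


if __name__ == "__main__":
    # Constructed stand-in for an SSH daemon; the version string is made up.
    listener, open_port = serve_banner(b"SSH-2.0-OpenSSH_9.6\r\n")
    targets = [open_port, find_closed_port()]
    for port, (state, service, banner) in scan_range("127.0.0.1", targets).items():
        print(f"127.0.0.1:{port} {state} {service or ''} {banner.strip()!r}")
    listener.close()
```

Two things worth noticing when you run it: a closed port answers instantly with a reset, while a port a firewall silently drops only shows up as "filtered" after the timeout expires, which is why scanning through a firewall is so much slower than scanning a flat internal network; and the banner alone gives away the software version, which is exactly the detail an attacker (or Nessus) matches against a list of known vulnerabilities.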

So that is what a hacker, and also a penetration tester, will do to try to get into systems.  But is that the only way?  Not at all.  There is another, quite prevalent method a criminal hacker can use to gather confidential information.  It usually targets an individual or a few individuals rather than a corporation as a whole, and the really scary thing about it is that it requires little, if any, technical skill.  Please come back to read the next post, where we will discuss Social Engineering.
