Robert Shimonski - Penetration Testing For Dummies

It can get even worse if those same countries (or others) decide to launch attacks to disable power grids, steal secrets, or gain access to military secrets. This makes pen testing and ensuring assets are secure very important. Just as important is re-testing to ensure they remain secure over time.

You might not realize it, but you don’t just dive into pen testing. You should take these specific steps before you get into the heart of pen testing:

Make sure you have a thorough understanding of the basics of information technology (IT) systems, networks, and other technologies at the fundamental level. This knowledge aids your career in security, pen testing, and ethical hacking.

Conduct vulnerability tests. A type of pen testing is a vulnerability test. A vulnerability test identifies in advance any potential threats — areas where a hacker could potentially attack a vector — to your systems. An attack vector is a method or pathway a hacker uses to access or penetrate the target system; hackers poke around your systems to find something that’s weak or vulnerable. I discuss vectors in further detail in Chapter 4. One example of a vulnerability is a known software bug that allows elevated privileges.You’ll use framework tools such as Metasploit (see Figure 1-5) and other tools to produce vulnerability reports that detail all the security concerns you need to know. From there, you can run additional tests to determine exactly what you need to do (if anything) to fix the threat. Vulnerability tests become more complex and exponentially more useful when you use them in combination with other tests. Other tests may include, but aren’t limited to, system checks (for example, checking logs for access), vulnerability logs, and system performance tests that show items such as high CPU, disk utilization, or other system issues that could potentially show an exposure, breach, or injection of code or an unwanted visitor.

Consider when to scan. It might seem obvious, but when you decide to scan is also important. To keep vectors as secure as possible, you need to set up schedules in which you scan, during specific and regular intervals, that cover all areas of the enterprise in which you aim to protect.

Choose which tools to use. Figure 1-5 shows Metasploit (which I discuss further in Chapter 4), a tool you can use to run scans. There are many management and monitoring tools, logs, and other software to augment your pen test to have a complete view of the holes in your security. I cover many of these tools in Chapter 3and discuss additional tools and sources throughout Part 2.

Test in a safe environment. You’ll want to test all changes and new scans in a lab ( sandbox ) prior to unleashing them on your production systems, to make sure you know what they will do before you cause more impact.

FIGURE 1-5:Metasploit is one tool for pen testing.

When you conduct any pen test, your goal is to have a strategy.

You can blindly run tests to see what you find; you can also try to penetrate systems to find whether there are any weaknesses. That’s fine for any scans or tests you conduct weekly or monthly to assess your overall security posture , which is the status of the security of your company’s software and hardware, networks, services, and information. The state of your security posture should be evaluated regularly and take into account your readiness and ability to react to and recover from incidents.

Sometimes you want to go deeper and really test your security posture by conducting specific attacks, such as penetration, stealth operations, destroy attacks, and overwhelm attacks. For example, if you believe a hacker’s goal is to gain access to files from outside of your corporate network, your goal should be to assess that threat using your tools.

You also want to conduct both internal and external tests. You never know where your attacks might originate from.

A high-level view of what vectors an attack may come from— both those from within your trusted network (with trusted users) and those that originate from outside of your security perimeter from untrusted users — is essential to have. An example of an external attack from an outside untrusted user may come in the form of someone using a website you host in your network (usually in a demilitarized zone [DMZ]) that may find a vulnerability that allows them to access resources from within your trusted network. On the contrary, an internal attack is just that — originating from inside your network that easily evades all the perimeter security such as firewalls and access control lists.

Either way, you can run scans using Nessus (see Figure 1-6) to see whether either of those vectors produce the result you don’t want, which is a hacker gaining access to your systems without your knowledge.

I discuss how to select the right tool and analyze for weaknesses that could cause your enterprise, brand, and data great harm if not fixed or monitored in Part 2.

FIGURE 1-6:Use Nessus to conduct an assessment.

You need to find the right balance between security and assessment. You might know of a hack, but not be able to fix it. A completely 100 percent secure system is usually unusable to anyone. Networks and systems were made to be used and that means leaving ports open. For example, the Internet generally requires that port 80 (HTTP) be left open.

When you’re ready to pen test, these are the general steps you’ll take:

1 Download and run a pen test tool in a safe environment such as your home. Running a pen test in a production environment that causes an outage is a denial of service attack, which prevents other people from using your system. Make sure you’re doing things safely and as controlled as possible to test and find risks, not create outages and impact. I discuss denial of service attacks more in Chapter 6.

2 Download a free tool and start to investigate.I discuss many available tools in Chapter 3, but for a basic test, I recommend using a vulnerability scanner. Figure 1-7 shows Retina CS from BeyondTrust ( www.beyondtrust.com ), which allows you to run scans to see what a host is susceptible to and what threats are exposed.

3 Scan a single host by its IP address, or an entire IP subnet with many hosts on it.This step helps you identify target systems that need to be reviewed based on the reports they generate for threats and exploits that may exist on them.

4 Document the host or hosts you’re testing and then which attacks you want to try based on the information you have gathered.Your goal here is to find vulnerabilities.

5 Penetrate.This is the part of the pen test that actually conducts the known hack to see if you can execute it.

6 Follow up with your findings.You can report the findings, fix the issues, monitor the issues that don’t have fixes, contact the vendors to get fixes, block access, and so on.

FIGURE 1-7:Examining a Retina CS scan.