Set the Stage for Security Testing

By Kevin Beaver

In the past, a lot of security assessment techniques in ethical hacking involved manual processes. Now, certain vulnerability scanners can automate various tasks, from testing to reporting to remediation validation (the process of determining whether a vulnerability was fixed). Some vulnerability scanners can even help you take corrective actions. These tools allow you to focus more on performing the tests and less on the specific steps involved.

However, following a general methodology and understanding what’s going on behind the scenes will help you find the things that really matter.

Think logically — like a programmer, a radiologist, or a home inspector — to dissect and interact with all the system components to see how they work. You gather information, often in many small pieces, and assemble the pieces of the puzzle. You start at point A with several goals in mind, run your tests (repeating many steps along the way), and move closer until you discover security vulnerabilities at point B.

The process used for such testing is basically the same as the one a malicious attacker would use. The primary differences lie in the goals and how you achieve them. Today’s attacks can come from any angle against any system, not just from the perimeter of your network and the Internet as you might have been taught in the past.

Test every possible entry point, including partner, vendor, and customer networks, as well as home users, wireless networks, and mobile devices. Any human being, computer system, or physical component that protects your computer systems — both inside and outside your buildings — is fair game for attack, and it needs to be tested, eventually.

When you start rolling with your testing, you should keep a log of the tests you perform, the tools you use, the systems you test, and your results. This information can help you do the following:

  • Track what worked in previous tests and why.

  • Help prove what you did.

  • Correlate your testing with firewalls and intrusion prevention systems (IPSs) and other log files if trouble or questions arise.

  • Document your findings.
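One practical use of such a log is the correlation the list mentions: matching your own test records against firewall or IPS alerts so that alerts caused by your testing can be separated from ones that were not. The following is an added example written for this page, not code from the author or the book; the test-log fields, the one-line IPS record layout, the tester address 10.0.0.99 and the ten-minute attribution window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: the tester's own log of what was run, when, with which tool, against which host.
TEST_LOG = [
    {"time": "2024-03-05T14:02:10", "tool": "nmap", "test": "port scan", "target": "10.0.0.15"},
    {"time": "2024-03-05T14:20:45", "tool": "nikto", "test": "web server check", "target": "10.0.0.20"},
]

# Constructed sample: IPS alert lines in an assumed "timestamp src dst message" layout.
IPS_LOG = """\
2024-03-05T14:02:12 10.0.0.99 10.0.0.15 portscan detected
2024-03-05T14:05:30 10.0.0.99 10.0.0.15 portscan detected
2024-03-05T14:35:00 203.0.113.7 10.0.0.20 web-attack signature match
2024-03-05T15:10:00 10.0.0.99 10.0.0.20 web-attack signature match
"""


def parse_ips_log(text):
    """Turn the alert lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, src, dst, msg = line.split(" ", 3)
        events.append({"time": datetime.fromisoformat(ts), "src": src, "dst": dst, "msg": msg})
    return events


def correlate(test_log, ips_events, tester_ip, window_minutes=10):
    """Pair each IPS event with the logged test that explains it, or None.

    An event is attributed to a test only if it came from the tester's address,
    hit the test's target, and fell within window_minutes after the test started.
    """
    window = timedelta(minutes=window_minutes)
    results = []
    for ev in ips_events:
        match = None
        if ev["src"] == tester_ip:
            for t in test_log:
                start = datetime.fromisoformat(t["time"])
                if t["target"] == ev["dst"] and start <= ev["time"] <= start + window:
                    match = t
                    break
        results.append((ev, match))
    return results


def unexplained_events(test_log, ips_events, tester_ip, window_minutes=10):
    """Alerts no logged test accounts for: either real third-party activity or a gap in your log."""
    return [ev for ev, m in correlate(test_log, ips_events, tester_ip, window_minutes) if m is None]
```

In the sample data, the two portscan alerts map to the nmap entry, the alert from 203.0.113.7 is third-party activity worth raising with the client, and the 15:10 alert from the tester's own address has no matching entry, which points at a test that was run but never logged.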

In addition to general notes, taking screen captures of your results (using Snagit, Camtasia, or a similar tool) whenever possible is very helpful. These shots come in handy later should you need to show proof of what occurred, and they will also be useful as you generate your final report. Also, depending on the tools you use, these screen captures might be your only evidence of vulnerabilities or exploits when it comes time to write your final report.

Your main task is to find the vulnerabilities and simulate the information gathering and system compromises carried out by someone with malicious intent. This task can be a partial attack on one computer, or it can constitute a comprehensive attack against the entire network.

Generally, you look for weaknesses that malicious users and external attackers might exploit. You’ll want to assess both external and internal systems (including processes and procedures that involve computers, networks, people, and physical infrastructures). Look for vulnerabilities; check how all your systems interconnect and how private systems and information are (or aren’t) protected from untrusted elements.

These steps don’t include specific information on the methods that you use for social engineering and assessing physical security, but the techniques are basically the same.

If you’re performing a security assessment for a client, you may go the blind assessment route, which means you basically start with just the company name and no other information. This blind assessment approach allows you to start from the ground up and gives you a better sense of the information and systems that malicious attackers can access publicly.

Whether you choose to assess blindly (i.e., covertly) or overtly, keep in mind that the blind way of testing can take longer, and you may have an increased chance of missing some security vulnerabilities. It’s not my preferred testing method, but some people may insist on it.

As a security professional, you might not have to worry about covering your tracks or evading IPSs or related security controls because everything you do is legitimate. But you might want to test systems stealthily. In this book, I discuss techniques that hackers use to conceal their actions and outline some countermeasures for concealment techniques.