Assessments, Tools, and Techniques


Transcript of Assessments, Tools, and Techniques

Page 1: Assessments, Tools, and Techniques

Assessments, Tools, and Techniques

Table of Contents

Assessment Tools and Techniques ................................................................................................. 3

White Hats ...................................................................................................................................... 4

Gray Hats ......................................................................................................................................... 5

Black Hats ........................................................................................................................................ 6

Security Testing ............................................................................................................................... 9

Internal Test Procedures ............................................................................................................... 10

External Test Procedures .............................................................................................................. 11

Overt Testing ................................................................................................................................. 12

Covert Testing ............................................................................................................................... 13

Covert Testing: Remember to Get Permission from Management .............................................. 14

Information Security Audits -1 ...................................................................................................... 15

Information Security Audits -2 ...................................................................................................... 16

Types of Assessments ................................................................................................................... 17

Penetration Testing Tools ............................................................................................................. 19

Test and Audit Results .................................................................................................................. 20

Assessment Methodologies .......................................................................................................... 21

Types of Assessment Approaches ................................................................................................. 23

Banner Grabbing -1 ....................................................................................................................... 24

Banner Grabbing -2 ....................................................................................................................... 25

Port Scanners ................................................................................................................................ 26

Vulnerability Scanners .................................................................................................................. 27

Page 1 of 40


Intrusive vs Non-Intrusive Vulnerability Scanning ........................................................................ 28

United States National Vulnerability Database ............................................................................ 30

Code Scanning Tools ..................................................................................................................... 31

Protocol Analyzer .......................................................................................................................... 33

Network Enumerator .................................................................................................................... 35

Penetration Testing Toolsets ........................................................................................................ 36

Risk Calculations............................................................................................................................ 37

Notices .......................................................................................................................................... 40


Assessment Tools and Techniques

187

Assessment Tools and Techniques

• Assessor Types

• Assessment Types

• Assessment Techniques

• Tools

• Risk Calculations

**187 So we're going to break this down into the people that do assessments-- those are the assessors-- the types of assessments that they do, the techniques, the tools. And then remember, this all gets rolled up to a risk calculation. And I've got a really good graph for you, and I'll point it out. You'll see the four blocks that pop up.


White Hats

188

White Hats

Use their skills for defensive purposes

• System Administrators – those individuals tasked with the management and security of an organization’s network infrastructure and systems.

**188 So who are the people that do this stuff? White hats. These are people like you and I. These are professionals in security that pay attention to following ethics at all times. I believe that you should have a high level of ethics, and I think that really, since we're in such a delicate position within the organization, that we should be very serious about our job. Now, I'm very serious about my job, but I also play around. But I don't play around at work.


Gray Hats

189

Gray Hats

Use their skills for both offensive and defensive purposes that are not illegal or malicious and have approval to operate

• Penetration Testers – Take a holistic look at an organization in identifying vulnerabilities to a network and systems.

• Red Teams – Team of experts acting as an adversary (hacker) to penetrate an organization just as a Black Hat would do, but with the intention of stressing and/or training the organization’s security programs and processes.

**189 Gray hats. These people may or may not have been attackers in the past. They're good at both offensive and defensive. Another type of grey hat is a red team. Now, you hear about red teams and blue teams. Red teams are attackers hired by the organization. They do all of the evil and they are not nice in any way, shape or form. The opposite of the red team, by the way, is the defenders. That's the blue teams. Red-teaming, there's basically no rules whatsoever, except for to help the organization get better, because they could be attacked at any minute by somebody who could do this exact same thing.

Black Hats

190

Black Hats

Use their skills for malicious and illegal purposes

• Script Kiddies – Individuals who download and use scripts/exploit tools with no real understanding of the concepts being employed in causing an effect.

• Hacktivists – The non-violent use of illegal or legally ambiguous digital tools in pursuit of political ends.

• Business/For Profit – Hackers who use their skills to earn a profit from selling the capabilities of their exploits or rent the use of hosts under their control.

• Crackers – Reference for hackers who use their skills for malicious purposes.

**190 And then there are black hats. These are people that their ethics and their moral compass are different from your organization's. I won't say that they're bad, I won't say that they're wrong; they're just different. It may be that they're in a country where there is no such thing as intellectual property, that everything is for the good of everybody. And so therefore they act in that way. "Hey, if you're hiding this from us, we want that, because this should be the good of everybody." And we may not agree with their way of doing things. Sometimes these people are called script kiddies, which means that they really don't create anything; they just click a button and they see what happens. I think that there's plenty of-- I don't know, you wouldn't call them script kiddies on the outside-- but unprofessional professionals. There are hacktivists that are there. These are the people that I really worry about. These people say, "There are no rules, because whatever society has put on us, we're going to go ahead and we're going to crush that right now for the pursuit of whatever agenda we have." Sometimes that's religious, sometimes that's political-- doesn't really matter what the reason is. But they're saying, "We're going to destroy the system because we don't believe in it, and we really believe strongly." Business for profit is bigger and booming for black hats that are out there. And then finally there are crackers. Now, it depends on who you talk to as to what the definition of crackers is. The old definition for crackers was people who went against password databases. That was their job. The newer reference to crackers is evildoers, malicious purpose, people. And I hate to use the word hacker in here, because I like the old term hacker. The old term hacker was somebody that was just chipping away at it and seeing how it worked and playing with it and beating it up. "I own this radio. I'm going to take this radio apart and see how it works, and then I'm going to put it back together in a different way, and see what I can do to it." That was the old philosophy of hacker that's out there. Cracker-- definitely adversarial. Business for profit, absolutely. Hacktivists and script kiddies-- all have a different motivation and set of ethics than our group of people. I can't say that they're bad, because they don't believe that they're bad. We're just on the wrong side of the aisle when it comes to them.


Security Testing

191

Security Testing

Testing is the process of exercising specific security objectives under specified conditions to compare actual and expected behaviors

Recurrence

• One-time or periodic

**191 Security testing. What kind of testing do we do? Do we do it once or do we do it in a recurring manner? Security testing has a wider scope and it can include anything within the organization. You can look for specific security objectives that you want to meet for that year and do a test that says whether these things are there or whether they are not. And this could be policy. We could look at it.


Internal Test Procedures

192

Internal Test Procedures

Internal security testing is conducted from the internal network and assumes the identity of a trusted insider or an attacker who has penetrated the perimeter defenses.

• Can reveal vulnerabilities that could be exploited, and demonstrates the potential damage this type of attacker could cause

• Also focuses on system-level security and configuration—including application and service configuration, authentication, access control, and system hardening

Insider Threat

• IT sabotage

• Fraud

• Theft of intellectual property

Ref: NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment and Insider threat research, Software Engineering Institute, Carnegie Mellon University, http://www.cert.org/insider_threat/.

**192 When we talk about internal testing procedures, remember, they're done on the inside and they assume-- we assume the identity of the trusted insider at that point. What that means is that somebody is doing something to take advantage that has a level of permission within our organization. This can reveal those vulnerabilities that could be exploited by an advanced persistent threat, somebody who comes in and gets hired for the express purpose of actually attacking our network. We're mostly looking for some sort of IT sabotage, usually fraud or intellectual property failures that are out there. If you're looking at internal testing procedures, the Special Publication 800-115 is really strong at this. It tells you the basics of internal testing procedures.

External Test Procedures

193

External Test Procedures

External security testing is conducted from outside the organization’s security perimeter.

• Offers the ability to view the environment’s security posture as it appears outside the security perimeter—usually as seen from the Internet—with the goal of revealing vulnerabilities that could be exploited by an external attacker

Ref: NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment

**193 Then there's external testing procedures. This is conducted from outside the organization and looks purely at the perimeter. Now, there's not just one way to do this. There's not just internal and external and that's it. It could be any variation along that theme, and we need to look at those variations.


Overt Testing

194

Overt Testing

Overt security testing (white hat testing) involves testing with the knowledge and consent of the organization’s IT staff.

• IT staff can provide guidance to limit the testing’s impact

• May also provide a training opportunity, with staff observing the activities and methods used by assessors to evaluate and potentially circumvent implemented security measures

Ref: NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment

**194 Overt testing. "Everybody knows I'm coming, so let me test." The IT staff can say, "Hey look, don't test that thing over there. Don't test that, because those are the parking meters over there and they'll explode. Don't test that thing over there because it's a really important business process right now and that's off-limits also." In the overt testing, everybody knows what's going on. There's no surprises whatsoever. I like those kinds of tests because they don't embarrass people. They potentially could, but they don't embarrass people in most cases. And if you've got a good professional talking to you, they can say, "Hey look, in my experience we really should test in this area, and it looks like, from my initial response blah, blah, blah."

Covert Testing

195

Covert Testing

Covert security testing (black hat testing) involves testing without the knowledge of the organization’s IT staff but with the full knowledge and permission of upper management.

• Tests technical security controls, IT staff response to perceived security incidents, and staff knowledge and implementation of the organization’s security policy

• Trusted third party can be designated to minimize unintended operational impact

Ref: NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment

**195 Covert testing. Sometimes this is called double-blind testing, where I'm testing you, you've paid me to do it, but the individuals within the organization don't know that I'm coming. This happens a lot with social engineering tests. Management knows. You know. You've got a contract. They don't know. If we're doing this from the outside, the incident response team should react to this. You have to have full knowledge and permission of upper management. It needs to be on letterhead and it needs to be signed and at least needs to be-- they say one signature; in most documents out there I say two. I want the CEO's full knowledge and the CISO's full knowledge.

Covert Testing: Remember to Get Permission from Management

196

Covert Testing: Remember to Get Permission from Management

**196 If you don't have permission from management, you could go to jail.


Information Security Audits -1

197

Information Security Audits -1

An information security audit is a systematic, measurable technical assessment of how the organization's security policy is employed while testing is the process of exercising specific security objectives under specified conditions to compare actual and expected behaviors.

• Many of the testing methods discussed are used during an audit.

Information security audits can be internal or external and consist of

• Preparation

• Scheduling

• Evaluation – performing audit

• Formal response – reporting

**197 Now, stepping back from that kind of testing, and we talk about auditing. Really, auditing comes down to: What is the policy of the organization? Are they acting on that policy correctly? And can we get proof of that in the reporting and proof of that with actions? This policy that they may have to adhere to may be enforceable by law, so therefore third-parties from the outside can actually execute this. You may do it as an internal process. This takes a little bit more preparation and a little bit more planning, because when we deal with policy, we-- it kind of spreads out and the scope kind of fans out very quickly. So we have to be ready for it.

Information Security Audits -2

198

Information Security Audits -2

Effectiveness is based on whether or not in-place controls meet a given set of control objectives.

The information security program must integrate with internal and/or external auditing activities.

• Some audits are compulsory (regulatory)

• Others are voluntary

— When an independent auditor attests that the organization complies with an industry standard

**198 Really, the effectiveness is: Is the control in place, and can we test for that particular set of control objectives? If you're not very organized about this and you don't have a set of objectives to assess by, now what you're doing is-- well, you're doing a security assessment or a penetration test at that point. Remember that a lot of this is regulatory. A lot of this is required by law. So be ready for that kind of compliance.


Types of Assessments

199

Types of Assessments

Vulnerability Assessment – The scanning of a network/domain to identify and report on known vulnerabilities

Penetration Test – The scanning of a network/domain to identify and verify known vulnerabilities by actively exploiting each identified vulnerability

Risk Assessment – Analyzing the potential impact to an organization if a threat were to exploit a vulnerability to an Information System

**199 Let's talk about some of the different assessments that we can possibly achieve here. Vulnerability assessment. We usually use-- the two tools that I use in vulnerability assessments for scanning are Nmap and Nessus. They scan the number of machines, the open ports, and then the software listening at those ports, and then they go back and they compare that to the potential software vulnerabilities that are in that version of that software. There's no actual real action going on in the vulnerable assessment. We don't-- if there's a wound there, we don't stick our finger in it so they say, "Ow, quit it." When we go to the penetration testing side of things, we actually stick our finger in there and see that it actually hurts. So in a penetration test, I would use a tool like Metasploit or Canvas, and we'll talk about the tools in a minute. What I really like to do is I like to do a vulnerability assessment combined with a risk assessment, because the risk assessment says, "These are the overall security objectives of the organization. This is where we're going to be spending our money this year." Then we do the penetration test and we say, "This is the proper place to spend the money because we found these controls. We found the absence of these controls. We found that these controls don't work." And that allows the risk assessment-- if we looked at the steps in that process, when we got down to the control selection portion of it, the vulnerability assessment will say, "Here are the controls, and they didn't work." So they do the risk assessment and they get down to, "These are the controls we have." And I go in with the penetration test or the vulnerability assessment and say, "I see that those are working, or not working."


Penetration Testing Tools

200

Penetration Testing Tools

Automated, such as

• Vulnerability scanners

Manual methods, such as

• Crafting phishing emails

• Vulnerability research

• Writing shellcode

• Manually exploiting hosts

Should be combined with creativity and “outside the box” thinking in order to provide a thorough assessment

Attackers are determined and creative – ethical hackers (pen testers) should be too!

**200 When we do penetration testing, we use those tools to get us set up. That's not-- if we just used those tools, that would be click, click, click, click, click-- and we're done. That's not what we should be doing. Those give us the data that we can then go forth and actually do the manual work of actually investigating and ripping apart the systems. Usually I like to pull a virtual image at that point because now we know that we've gotten it down to these particular things, and that's set the scope for it. When we pull back, now we can really, really dig in there.


Test and Audit Results

201

Test and Audit Results

Once testing and analysis are complete, a report should be generated that identifies system, network, and organizational vulnerabilities and their recommended mitigation actions.

Security testing and audit results can be used for

• A reference point for corrective action

• Mitigation activities to address identified vulnerabilities

• A benchmark for tracking progress in meeting security requirements

• An assessment of the implementation status of system security requirements

• A cost/benefit analysis for improvements to system security

• Other life cycle activities, such as risk assessments, certification and accreditation (C&A), and process improvement efforts

• To meet regulatory / reporting requirements

Ref: NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment

**201 When we get to test and audit results, one of the biggest problems that we run into is-- well, that these results are sent in clear text. I can't tell you how many reports of other penetration testers I have seen where there's not even a password set on the PDF. "Oh here, let me email that to you." Really? Plaintext? PDF attachment? No password, no nothing? Really? Now, the testing and audit results, what they're really doing is they're trying to make the organization better. So just because you can do this really cool thing does not mean that that is valuable to the organization. Just because there's one way in, that's not what you're trying to do. You're trying to find all of the ways in that the adversary would do, and then you're trying to say, "Here, this fits in with your security plans or your controls that you're going to purchase. You need to do these things." Or you might say, "Hey look, you're spending a lot of money on that thing over there, and maybe you want to think about this over here." It's a lot less money and it's also-- it's going to protect you a lot better.

Assessment Methodologies

202

Assessment Methodologies

Figure: assessment methodologies plotted against two axes, Accurate and Thorough. Labelled points: Penetration Test, Ethical Hacking, Vulnerability Scan, Hands-on Audit, OSSTMM Security Assessment. Source: http://www.osstmm.org

**202 I love this graph. If you ran screaming from the room, let me explain this graph, and then okay, you'll miss a couple of things. From OSSTMM.org-- they do a security assessment. What you want is a high degree of accuracy and a high degree of thoroughness. The reason why penetration testing, ethical hacking and vulnerability scanning are sitting on the wrong side of the thoroughness is because usually what the organization does is they limit your scope. They say, "Only do this, only do this." I think that ethical hacking and penetration testing are probably the same thing, but this is what OSSTMM-- they separate these two things out. Then the vulnerability scan is not nearly as accurate because it doesn't actually stick the finger in the wound. The ones up there, ethical hacking and penetration testing, they actually-- "Ah, it hurts. Don't do that." You could knock the machine over and that's a serious problem. From an accuracy standpoint, hands-on audits are not as thorough, because what they do is they look for the policy, they look for the report, and then they artificially test at intervals inside of there. They don't actually test everything, unless it's a very, very severe audit.


Types of Assessment Approaches

203

Types of Assessment Approaches

Black Box – No prior knowledge of the system or network to be assessed.

White Box – Full knowledge of the system or network to be assessed.

Grey Box – Assessment performed by the system or network administrator.

**203 Now, there are different types of approaches out there-- black box, white box, and grey box. Black box says, "I don't know anything about what's going on." I'm given maybe a URL or an IP address range, and that's it. White box, I know everything that's going on. I'm involved, I talk-- this is a very iterative process. I like the white box testing process. I start black and I go toward white. And then the grey box assessment is performed by some-- a system administrator. They have a lot of knowledge of what's going on in the organization, but they may not have that knowledge that comes from working with multiple systems or attacking things for a living.

Banner Grabbing -1

204

Banner Grabbing -1

Connecting to an open port on a host, emulating the service to receive header information.

Usually contains:

• Type of service (Web, FTP, SMTP)

• OS type (Windows, Linux)

• Software maker (Apache, IIS, SSH)

• Version number

**204 What we should be doing is capturing information, and the first easiest thing to do with all machines is do a banner grab. That means go to the open port and see what information is returned. Go to the web server and figure out what kind of web server it is, what operating system is running, what database is sitting behind it. It's going to contain that kind of information. When we go and telnet to a mail server, it's going to respond back with an EHLO message and it's going to say, "EHLO" and then it's going to give us information about that mail server itself. That banner grabbing is just: What does it give us back right there?

Banner Grabbing -2

205

Banner Grabbing -2

# telnet 10.10.254.215 80 (HTTP)
HEAD / HTTP/1.0 (don’t skip the spaces, and hit enter 2x)

**205 We can dig down inside of that banner grabbing-- notice here they did a telnet to port 80, and one of the responses back is, "This is an Apache server running on Ubuntu."
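As an added example, not part of the course slides, the Python below parses the kinds of responses a banner grab returns (the HTTP HEAD reply shown above, an SMTP greeting, an SSH identification string) and pulls out the fields listed on the previous slide: service type, software maker, version number and OS hint. It also reports which identifying fields a host gives away, so an administrator can confirm that a hardened server (for Apache, a reduced ServerTokens setting) no longer discloses them. The three sample responses and the hardened response are constructed for the example; real output varies by product and configuration.

```python
"""Extract what a service banner discloses: service type, software, version
and OS hint.  Added example; every response below is constructed, not
captured from any real host."""
import re

# Constructed HTTP reply to "HEAD / HTTP/1.0" from an Apache on Ubuntu with
# the default (full) ServerTokens setting.
HTTP_BANNER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Constructed reply from the same server after ServerTokens was reduced.
HTTP_BANNER_HARDENED = b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"

# Constructed SMTP greeting (the 220 line a mail server sends on connect).
SMTP_BANNER = b"220 mail.example.test ESMTP Postfix (Debian/GNU)\r\n"

# Constructed SSH identification string.
SSH_BANNER = b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n"

OS_HINTS = ("Ubuntu", "Debian", "Windows", "Win32", "CentOS", "Red Hat", "FreeBSD")


def _os_hint(text):
    """First OS name mentioned anywhere in the banner, or None."""
    lowered = text.lower()
    for hint in OS_HINTS:
        if hint.lower() in lowered:
            return hint
    return None


def _split_product(product):
    """'Apache/2.4.41' -> ('Apache', '2.4.41'); 'OpenSSH_8.2p1' -> ('OpenSSH', '8.2p1');
    a bare name such as 'Postfix' -> ('Postfix', None)."""
    m = re.match(r"([A-Za-z][\w.-]*?)[/_](\d[\w.]*)", product)
    if m:
        return m.group(1), m.group(2)
    return product, None


def parse_banner(raw):
    """Classify a raw banner and return {service, software, version, os}.
    Fields the banner does not state are None rather than guessed."""
    text = raw.decode("latin-1", errors="replace")
    first = text.split("\r\n", 1)[0]
    result = {"service": None, "software": None, "version": None, "os": _os_hint(text)}

    if first.startswith("HTTP/"):
        result["service"] = "Web"
        m = re.search(r"^Server:\s*(\S+)", text, re.MULTILINE)
        if m:
            result["software"], result["version"] = _split_product(m.group(1))
    elif first.startswith("220 "):
        result["service"] = "SMTP"
        # "220 host ESMTP Product ...": the token after ESMTP/SMTP names the software.
        m = re.search(r"\bE?SMTP\s+([A-Za-z][\w.-]*)", first)
        if m:
            result["software"], result["version"] = _split_product(m.group(1))
    elif first.startswith("SSH-"):
        result["service"] = "SSH"
        # "SSH-<proto>-<software> [comment]"
        ident = first.split("-", 2)[2] if first.count("-") >= 2 else ""
        result["software"], result["version"] = _split_product(ident.split(" ", 1)[0])
    return result


def disclosed_fields(parsed):
    """Identifying fields the banner gives away; an empty list is the goal
    for an Internet-facing host."""
    return sorted(k for k in ("version", "os") if parsed[k] is not None)


if __name__ == "__main__":
    for name, banner in (("http", HTTP_BANNER), ("http-hardened", HTTP_BANNER_HARDENED),
                         ("smtp", SMTP_BANNER), ("ssh", SSH_BANNER)):
        parsed = parse_banner(banner)
        print(name, parsed, "discloses:", disclosed_fields(parsed))
```

Running the block prints the parsed fields for each constructed banner; the default Apache reply discloses both version and OS, while the hardened reply discloses neither. The parser deliberately returns None for anything the banner does not say, which is the correct reading of a minimal banner: absence of a version string is not evidence of any particular version.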


Port Scanners

206

Port Scanners

Tool that probes system(s) for open ports and reports back which ports are closed, filtered, and/or open.

• Available for every OS and popular mobile devices

• Used by system admins and intruders for the same reasons

— Discover live hosts on a network

o ICMP, TCP, UDP scans

— Search for open network ports

— Scan for specific port

— Identify services on ports

• Examining responses from each port can reveal more information about the system being scanned

Best defense is controlling traffic allowed in and out of the network, and monitoring the traffic that is allowed in

**206 Port scanners. We'll actually now go after that and we'll say, "Okay, we knew that that was the web server. That's fine, but now let's go to that machine again and see what other open ports are there." We can discover the live hosts that are there. Now, first, before we do the port scanning, we might want to do an IP address scan of the organization. The standard tool that we would use is Nmap. If the organization is very large, we might have to graduate to something called Masscan. That one is for much larger enterprises. These are very noisy things, and if you have an intrusion detection or intrusion prevention system in place, it needs to know what IP address you're coming from, because you will immediately get locked out for any of those tools.
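The slide's "best defense" is to control and monitor the traffic that is allowed in, and the transcript notes that scanners are noisy. As an added example, not from the course, the Python below shows what that noise looks like on the monitoring side: it reads constructed firewall log lines and flags any source that touches many distinct ports on one host inside a short window, the pattern a fast port scan leaves behind, while a legitimate client that reuses the same one or two ports is not flagged. The log format, the window and the threshold are assumptions to be tuned to a real environment.

```python
"""Flag port-scan behaviour in firewall logs: one source probing many distinct
ports on one host within a short window.  Added example; the log lines and the
"timestamp action proto src -> dst:dport" format are constructed, and the
window/threshold defaults are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: a fast scanner (203.0.113.7), a normal client (198.51.100.4)
# and a slow scanner spacing its probes fifteen minutes apart (203.0.113.9).
SAMPLE_LOG = """\
2024-01-01T10:00:00 DENY TCP 203.0.113.7 -> 192.0.2.10:21
2024-01-01T10:00:00 DENY TCP 203.0.113.7 -> 192.0.2.10:22
2024-01-01T10:00:01 ALLOW TCP 203.0.113.7 -> 192.0.2.10:80
2024-01-01T10:00:01 DENY TCP 203.0.113.7 -> 192.0.2.10:443
2024-01-01T10:00:01 DENY TCP 203.0.113.7 -> 192.0.2.10:3306
2024-01-01T10:00:02 DENY TCP 203.0.113.7 -> 192.0.2.10:3389
2024-01-01T10:00:02 DENY TCP 203.0.113.7 -> 192.0.2.10:8080
2024-01-01T10:00:05 ALLOW TCP 198.51.100.4 -> 192.0.2.10:443
2024-01-01T10:00:09 ALLOW TCP 198.51.100.4 -> 192.0.2.10:443
2024-01-01T10:00:12 ALLOW TCP 198.51.100.4 -> 192.0.2.10:80
2024-01-01T10:30:00 DENY TCP 203.0.113.9 -> 192.0.2.10:22
2024-01-01T10:45:00 DENY TCP 203.0.113.9 -> 192.0.2.10:23
2024-01-01T11:00:00 DENY TCP 203.0.113.9 -> 192.0.2.10:25
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Return a list of event dicts for lines in the assumed format; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def find_port_scans(events, window_seconds=60, min_ports=5):
    """Return {(src, dst): distinct_ports} for every source/destination pair where
    one source hit at least min_ports distinct ports within some window_seconds span.
    Both ALLOW and DENY lines count: a scan is visible in permitted traffic too."""
    window = timedelta(seconds=window_seconds)
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))

    hits = {}
    for pair, probes in by_pair.items():
        probes.sort()
        best, start = 0, 0
        # Sliding window over time-ordered probes; count distinct ports inside it.
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            best = max(best, len({port for _, port in probes[start:end + 1]}))
        if best >= min_ports:
            hits[pair] = best
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("fast scans:", find_port_scans(evs))
    print("with a one-hour window:", find_port_scans(evs, window_seconds=3600, min_ports=3))
```

With the defaults only the fast scanner is reported; widening the window to an hour and lowering the threshold also catches the slow scanner, which is the trade-off a detection engineer tunes: longer windows catch patient scans but need more state and raise the chance of flagging a busy legitimate client.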

Vulnerability Scanners

207

Program that probes hosts for weaknesses, misconfigurations, patch versions, etc.

• Network vulnerability scanner
  — Broad tools performing several checks for visible vulnerabilities
    o Nessus
• Host vulnerability scanner
  — Runs on a specific host, more specialized
    o Microsoft Baseline Security Analyzer (MBSA)
• Application vulnerability scanner
  — Looks for misconfigurations or vulnerabilities in specific applications
    o Web scanners are most popular type
• Database vulnerability scanner
  — Designed for databases; includes scans for poor passwords, table permissions, database permissions

**207 Vulnerability scanners. Most people know this as Nessus, but there are plenty of other vendors out there. I actually like-- instead of using vulnerability scanners, I like to use patch management tools that have been tuned to this very purpose. This will tell you every single version of every single DLL on the machine, if you have an agent-based system.

Intrusive vs Non-Intrusive Vulnerability Scanning

208

Intrusive scans can cause network/service disruptions.
• Aggressive port scans
• Non-credentialed
• Attempt to exploit a system
• Attempt to DoS a system

Non-intrusive scans do not cause network/service disruptions.
• Slow/non-aggressive port scans
• Credentialed - Uses privileged accounts to access and scan for missing patches (NESSUS)

**208 Some vulnerability scans are very intrusive. Aggressive port scans will be very, very noisy. They don't have a credential with them at all, and so what happens is when they pass information, they say, "Hi, I'm here to scan your system." And the system might say, "Okay, I'm not going to allow that to happen." It might already have controls in place. And what we don't want to do is we don't want to say, "Okay, drop your shields and let me attack you." What we may want to do is program a particular set of temporary credentials that will allow us to be on that machine. "Hi. Here's a temporary username and password. I'd like to scan you." Okay, now we're not dropping our shields for everybody; we're just dropping our shields for that one person coming through. You could do non-intrusive scans. They definitely won't cause disruptions but they'll give you less accurate data. You could do totally passive scans-- that will give you a lot of good information if it's listening on the segment where the hosts are. If you've got a fully switched network, you're not going to hear as much as you actually want to; you'd have to put it at junctures where you're spanning all that data.

United States National Vulnerability Database

209

A search engine for all vulnerability management data

All data is accessible through the Security Content Automation Protocol (SCAP), and contains checklists, software flaws, misconfigurations, impact metrics, and compliance information

**209 Now, you want to get into the vulnerabilities. I've used OSVDB. I like that. That matches up with the National Vulnerability Database. But the National Vulnerability Database-- that's the open source thing that we all pay for with our tax dollars. This will actually tell us about a lot of vulnerability management data, and it is a search engine for that, but it's not a database that we can retrieve. I like OSVDB because I can say, "Give me the entire database, and I'll do data manipulations on the backside here." This one, you just query it. It's a search engine. Now, one of the things that it has that I really like is Security Content Automation Protocol, or SCAP. And this will match up to checklists and software flaws. This will tell us how to fix things in the future, not just from a patching standpoint but also from a checklist standpoint.

Code Scanning Tools

210

Security tools designed to find SECURITY bugs in the source code

• Static analysis tools – effective at finding coding errors that lead to vulnerabilities like buffer overflows

• Fuzz-testing tools – designed to deliberately inject random data into the application to “see what happens”

Together these techniques help to identify a larger number of coding bugs.

**210 Code scanning tools. These are very unique to particular instances. There are web scanning tools that will scan all sorts of different web servers, but then what we really need is we need to go past the web server into the application itself and review that application there. I think that code scanning tools can look for early easy flaws. I do not think that they can look for complex, long logic flaws that may exist. But code scanning tools will give you the first pass on this. You need a programming expert to do true review, third-party review of your code, if you're actually producing a piece of software. Some organizations say, "Well, we can handle that internally." There's nothing like somebody from the outside flying down and crapping all over your code.

Protocol Analyzer

211

Hardware or software tool that captures and analyzes traffic passing over a communications channel

With networking, commonly referred to as a sniffer or packet analyzer

• Sniffers capture and analyze wired or wireless traffic
• Sniffers use network interface cards in promiscuous mode in order to accept and process EVERY packet they see
• Packet analyzers vary from those that just capture packets, to those that reconstruct TCP/IP sessions

Switch Port Analyzer (SPAN), port mirroring, port monitoring
• Ability to copy network traffic passing through ports on a switch (or VLANs), and forward to a port designated for traffic capture and analysis

**211 Protocol analyzers. Sniffing the data as it flows toward you. What does that look like? Well, there are a variety of protocol analyzers out there. I happen to like Wireshark as a tool to start with pure packet. There can be hardware and there are software tools. With networking, some of the things that we have to deal with is the promiscuous issue. Some organizations do not allow their computers to go into promiscuous mode, to actually suck up all the packets. And also, if they're fully switched, you're only going to see the traffic on one segment, or the broadcast traffic. You're never going to see all the other communication. So we need to accurately tap that data on that particular switch. This is usually when we span all the traffic out one of those particular ports. Be aware. When you're spanning that traffic out one of those ports, this is a large quantity of traffic. If you've got 40 hosts that are all speaking gigabit, well, you can't make all 40 of those gigabit ports go out one gigabit port unless they're only talking a maximum of gigabit. You might have to go up a level here. That can't be done with a simple laptop. That's going to have to be done with something like a tcpdump and a customized port pull to actually get that data to flow. Remember, it is a lot of data at that point. You've got to be ready for it.

Network Enumerator

212

Tool that scans the network collecting information on users, groups, shares, and services that are visible

• Not to be confused with network mapping that provides information on servers running on the network

Useful for discovering how much network information is available to outsiders, and which systems and services need to be secured

Many vulnerability scanners perform network enumeration as part of their default scan.

**212 Network enumerators. Well, I like tools that scan the network and collect information on users, groups, shares and services. That usually requires some sort of invasiveness. Usually when I talk about this, I talk about Windows Active Directory and actually doing a permissions-based LDAP dump, where I actually pull all of those groups and users out so that I can see them. LDAP dumps really work very well. This enumerates-- in Microsoft land, this enumerates all the computers, users, groups by IP address, their services. It is really a detailed process. This allows you to see whether you've got users and groups that shouldn't be there anymore, that maybe need to be disabled at that point. Services that should have been turned off a long time ago are still running.

Penetration Testing Toolsets

213

KALI – Live CD distro of Linux, built for pentesting.

CORE IMPACT – Commercial scanner with exploits built into the underlying system.

Nessus – Security scanner.

Metasploit - Open source exploit delivery and creation framework.

SARA – Security Auditor's Research Assistant.

GFI LANGuard – A commercial network security scanner for Windows.

E-Eye Retina – Commercial vulnerability assessment scanner.

Canvas – Commercial vulnerability exploitation tool that includes more than 150 exploits.

<http://www.sectools.org>

**213 There are a whole host of penetration testing tools out there. My favorite tool is at the top of the list-- KALI-- because it includes Nessus, Metasploit, and about 60 or 70 other tools. It's a full-blown distribution. It used to be called BackTrack, by the way, if you've ever heard that term before. I really like KALI as a distribution because it-- well, I can run it anywhere. I can run it off of a whole bunch of different pieces of hardware. I can run it off of a USB stick. It's a really robust tool. I also like running any of my KALI distributions-- if I'm going to run them from the live CD, that's fine, because it doesn't write any data to the CD. CORE IMPACT, SARA, GFI LANGuard, E-Eye Retina and Canvas you pay for.

Risk Calculations

214

Single Loss Expectancy (SLE) – Cost due to the occurrence of a risk on an asset.

SLE = AV x EF

Asset Value (AV) – Value of the asset in dollars.

Exposure Factor (EF) – Percentage of asset lost due to the occurrence of a risk on an asset.

Annualized Rate of Occurrence (ARO) – Expected number of occurrences of a risk on an asset.

Annual Loss Expectancy (ALE) – Expected annual loss due to the occurrence of risk on an asset.

SLE x ARO = ALE

**214 Last thing we want to talk about here is risk calculations. This is all designed to find out whether we are in good shape or we are not in good shape, and roll all of this information up to management for them to make decisions. In the risk calculation, we talk about the single loss expectancy. That's the cost that is incurred based on the loss on the risk on the asset itself. So, how much we will lose if this box gets pushed over? How much will we lose if people take this data off of this box and give it to somebody else? How much would it cost to replace that data, or replace those customers? That's our single loss expectancy. Now, that's calculated by the value of the asset. Sometimes we can calculate down to the cost of a new customer and how much it costs for customer acquisition. Sometimes we can't. Also, we look at the exposure factor. How much of this asset will we lose? If we don't know the calculation there, we aspect multiply times one. Now, we take the single loss expectancy and we multiply it times the number of times that it could occur in a year. The annualized loss expectancy is a multiplication of annualized loss expectancy times the annualized rate of occurrence. That gives us our single loss expectancy. The problem is that there's a prediction issue here that we run into. Let's think about it for a second. So I'll give you an example. In Florida, they have hurricanes that happen every year. And this is a fake example, so humor me. It's close to real life. In 2003, how many hurricanes made landfall? Four. In 2004, how many hurricanes made landfall? Five. In 2005, how many hurricanes made landfall? Six. Our annualized rate of occurrence is going up. It is trending up. Our asset value was a building. The exposure factor, when the hurricane came through, it sucked up the building just like a twister. It just pulled it right out of there. So we lost our entire asset value. Our exposure factor was 100 percent of 100 thousand dollars. So we had to rebuild our building every single time the hurricanes came through, and it keeps on costing them more and more and more and more every single year. The trend is that we're going to have to rebuild our building eight times next year. How many hurricanes made landfall the next year? And the answer is zero. So we've invested all this money to make a hurricane-proof building, and did we waste our money? And that's usually what you get as a reaction. "We spent all this money on a firewall, and nothing happened." Good. That's the problem with security and doing risk assessments, is that if you are lucky, nothing happens. If you are unlucky, everything happens, and you can't control it.

Notices
