Wednesday, January 25, 2012

Intrusion Tests - Does Your Company Need One?


Every day new vulnerabilities are discovered that can be exploited to undermine the pillars of information security, causing financial losses and damage to the company's image.

The design of a computer system is often spread across multiple vendors, frequently with privileged access, who, because of deadlines and budgets, skip the security checks on their code or on the deployment of their infrastructure.

Pointing out and correcting errors after the system is in production is only the palliative part of the Information Security Manager's job. Preparing for the unexpected is the other part. It is only a matter of time before a system is compromised or spoofed, so it is better that this happens under the supervision of people the company trusts, because there is a wide gap between a planned and controlled simulated attack and a real attack that nobody expected.

It is therefore necessary to create a proactive approach that identifies such failures and the areas related to them, prompting the company to seek solutions that mitigate the risk inherent in enterprise IT. These approaches are called Penetration Testing or Intrusion Tests.


This article describes the main characteristics (technical and managerial) and stages of an intrusion test, how easy it is to implement, and some key expectations and risks, following a structured model in stages, aligned with the company's Information Security Master Plan.


The problem is that government and corporate information security only gains the attention of the media and of IT security specialists after the actions of invaders (crackers), who, whether or not their attempts succeed, shake the foundations of information security, compromise the company's image and the systems that support the business, and can generate legal sanctions for its managers.

Cyber attacks reached an unprecedented level after the release of the Stuxnet worm and other malware, and with new approaches that use social engineering as the basis for their attacks and raids. In 2010, home users and businesses struggled to stay operational as they were subjected to a multitude of malware such as viruses, trojans, spam and botnets.

The new virtualization technologies come loaded with both digital opportunities and threats. This reality puts pressure on information security professionals and keeps security software vendors searching for solutions, requiring new strategies to anticipate vulnerabilities and keep systems operational.

4-Security Assessments.

Broadly, there are two direct ways of acting on information security.

1st - Reactively: Action taken after an intrusion, or once an attempted intrusion (an attack) becomes known, understanding its modus operandi and creating a plan to mitigate the vulnerabilities that were not foreseen and/or monitored by the Risk Analysis. This approach works across all layers of the company and should involve every area affected by the incident. The advantage, if there is one, is that it corrects a flaw that was discovered and exploited by a third party, not always with good intentions. In this article the attacker is called Invader or Cracker.

2nd - Proactively: Here the Analysis and Risk Assessment of the IT assets involved is fundamental, if not essential. There are several methods and methodologies, as well as a wide range of tools, available to design and predict what could mitigate security problems so that the business can accept and manage its inherent risks. Intrusion tests, performed by Information Security specialists, belong to this approach. In this article the IT specialist is called Certified Ethical Hacker (CEH).

Both approaches consume resources to be developed, implemented and maintained; however, being preventive in nature, the second has the undisputed advantage of not affecting the company's image, a kind of damage that is sometimes immeasurable and irreversible.

Sometimes it is necessary to divide the company into parts, or rather into systems, and these into modules, which should be tested exhaustively before being put into production. Some call this UAT (User Acceptance Testing). These are, however, different approaches: here what is sought are security flaws (vulnerabilities), not functional failures that affect operation.

When planning a security project, you should evaluate and analyze the existing IT landscape in its physical aspects (access to the perimeter, network, workstations, servers) and logical aspects (access to database fields and applications). These assessments have different objectives and are divided into the following categories of action:

4.1-Operational Evaluations: Result from a thorough investigation of the guidelines, policies and procedures, helping to identify the current state of the security controls implemented.

4.2-Vulnerability Assessments: Map all possible entry points to the organizational perimeter. Their focus is broader than that of intrusion tests, but they do not exploit the potential flaws and tend to generate reports with high rates of false positives and false negatives. The data used are superficial, masking potential vulnerabilities and hindering the ability to measure and relate the real risk that an exploitable vulnerability poses to the resource.

4.2.1-Auditing and Intrusion Detection: More comprehensive; condenses the results of other tests that validate intrusion detection tools such as IDS/IPS, and is seen as a preliminary run.

Intrusion Tests: These are about discovering and exploring ways of obtaining unauthorized access, i.e. the potential routes of entry through the company's authentication perimeter. They are monitored simulations of an attack on a system or network that determine the real risk of the vulnerabilities and consequently prioritize their correction. According to the dictionary, a test can be:

1. A test by which samples of behavior are collected in very specific situations, so that the results of different individuals can be objectively compared. 2. Critical examination or proof of the qualities of a person or thing. 3. Evidence, experience, examination. 4. Trial, experiment.

And intrusion:

1. The act of entering without right or by force. 2. Illegal entry without invitation. 3. Theft, illegal possession.

5-Objectives of Intrusion Testing.

Intrusion tests are seen as a sub-area of Systems Auditing. They aim to identify threats and vulnerabilities by performing actions that simulate attacks on IT assets, trying to access systems that require authorization, such as databases, operating systems, servers, routers, mobile devices, and anything that contains sensitive information critical to the company. Such access allows the unauthorized manipulation (enabling/disabling) of attributes such as Read, Write and Execute, or the elevation of privilege to the Administrator role.

They are controlled simulations of an attack, used to evaluate security. In the process, an active analysis of vulnerabilities and technical deficiencies in the physical and logical infrastructure is carried out on the objects in question (such as systems and locations accessible internally and externally), producing assessments that help maintain the availability, integrity and confidentiality of information.

In short, actions are performed by a team of IT specialists (programmers, architects, DBAs and network engineers) that attempt to compromise normal operation and/or invade and access enterprise networks and systems formally (without hostility), in order to uncover vulnerabilities (software and hardware failures, misconfigured networks and services) that generate losses and degrade the business.

If an intrusion test points out flaws that allow or facilitate unauthorized access or compromise, it has essentially succeeded. However, if it does not point out any, this does not mean that none exist, only that, according to the methodology used (i.e. the same one known to the attacker), no threats that could impact the business were found. There is a security adage: the only 100% secure system is one that is switched off!

In addition, the methodology can include social engineering as an intrusion approach, tried after the tests focused on technological resources have been exhausted. Some security managers dismiss this approach, forgetting that people are the weakest link in the Infosec chain.

6-Executing Team.

Given the heterogeneity and complexity of the systems and networks that support the business, it is difficult to find a single expert who can act on all IT fronts to perform such tests.

Ideally the tests are performed by a team from outside the company, always under the supervision of a coordinator. At this point there may be some internal resistance, since the technical skills of the company's own IT specialists will be put to the test; resorting to an internal team also allows collegial relationships to influence the test results.

It is therefore suggested that there be synergy, not competition, between the developers/IT team and the test team, under an NDA (Non-Disclosure Agreement) that protects the tested area against unauthorized disclosure of any results or data identified, and that releases the test team from any exclusive responsibility.

Semantically, those who perform them are known in the industry as CEH - Certified Ethical Hacker. The jargon refers to professionals technically skilled in security and counter-intelligence, who access unauthorized resources, record the evidence, and test the effectiveness of the organization's methods for protecting resources and sensitive information.

If at the end of the test the CEH team has not succeeded, this is a strong indication that the company's infrastructure and systems are well aligned with the guidelines for the security vulnerabilities discovered to date.

However, the idea that "they gave their best and achieved no successful intrusion" is not a guarantee and can generate a false sense of security. The corporate infrastructure may have vulnerabilities that the CEH team did not find, or that did not exist at the time of testing but appeared after a change in network configuration, or that someone later discovers by other methods. After all, every science tends to refute its own theses.

The CEH certification was designed and developed by the EC-Council (International Council of E-Commerce Consultants), which became the owner of and reference for a series of related certifications, such as the Licensed Penetration Tester.

Figure 1: Certified Ethical Hacker and EC-Council logos.

Regarding the composition of the executing team, it is recommended that:

It be performed by a team other than the current IT team, which simply shows how easily (or with how much difficulty) a given asset can be exposed.
When possible, a team/company that uses specialized tools and certified methodologies be chosen.
No one assume or expect that the same team that performs the tests will correct the flaws or point to solutions when necessary. Managers will decide whether a flaw is corrected or whether to accept the risk of living with it.

7-Legal Foundation.

Requirement 11.3 of the PCI DSS (Payment Card Industry Data Security Standard) requires security systems and processes to be tested regularly:

"Vulnerabilities are continually being discovered and introduced by new software. Systems, processes and software should be tested frequently to make sure that security is maintained over time and through changes. Perform penetration testing on network infrastructure and applications at least once a year and after any significant modification or upgrade of the infrastructure or application."

Other regulations, such as Sarbanes-Oxley (SOX), California Senate Bill 1386 (SB 1386), HIPAA (Health Insurance Portability and Accountability Act) and Basel II, require institutions to protect their information. Organizations should consider various alternatives to increase the security of their corporate networks, including the execution of tests that assess, certify and guarantee the pillars of information security, or that handle the risks.

8-Normative Background of Intrusion Testing.

Basically there are two macro ways to run them.

8.1-Unstructured: The attack is executed without planning, notice or a specific target, for example by pointing vulnerability scanners at ranges of IP addresses. This type of action resembles the practice of script kiddies and is not well regarded in a professional environment.

8.2-Structured: For better quality and reliability, the tests should be structured. The testing company can create and tailor its own methodology, or be guided by published international norms and standards such as OSSTMM/ISECOM, NIST SP 800-42, ISSAF or OWASP-PTF, always combined with tools specific to the purpose.

Figure 2: Generic OSSTMM seal.

An adapted script recommended by the "Guideline on Network Security Testing", published by NIST (U.S. Department of Commerce), mimics the actions of an attacker and structures the approach into the following macro steps: Planning, Target Observation (footprinting), Enumeration, Exploitation, Access/Intrusion, Privilege Escalation, Maintaining Access and Evasion.

9-Planning and Related Activities.

Use techniques as close to reality as possible, simulating real data and everyday situations, because an unrealistic test may turn out invalid and frustrating. The people performing the test are, by definition, not legitimate users.

9.1-Test Scope.

Determines whether the test will be carried out on site or remotely, triggered internally or externally, and announced or unannounced, i.e. whether the staff will be aware of the tests or not.

Depending on how much critical information about the environment is handed over, and hence how much privileged information the CEH team gets, the tests are classified as:

Black Box or Blind: only minimal details of the environment are known.
White Box or Not Blind: all details of the environment are known.
Gray Box or Hybrid: only some points of the environment are known.
Code Audit: only the source code is obtained and analyzed.


Define what the target will be and when the test will be executed.
Catalog and record all the variables of the environment to be tested, keeping them safely.
When possible, create a copy of the environment, validated by hash.

9.2.1-Identify and Value Information Assets and Activities.

Determine ways and criteria to classify information assets. In an enterprise the scenarios differ and involve various risks and areas, as with an ERP that integrates the company's operating functions: once one access point into the system is gained, it can be expanded to reach other enterprise perimeters.

When choosing targets, quantify the cost to the company if the system's data were exposed to hackers, competitors or other outsiders. Use the market value of the assets to determine which systems are priorities for assessment and to properly size the human resources of the executing team.

9.2.2-Identify Threats Associated with the Target Asset of the Intrusion Test.

There are various forms of threat, each representing a different degree of risk to company assets. At this stage we determine which approach will be used to exploit the assets. There is no better way to protect than to think and act like an attacker. Intrusion tests take place after the assets accounted for in the original security design have been identified and evaluated, and after the Risk Analysis has determined their probability of occurrence and their impacts.


Depending on the criticality of the features to be tested, it is advisable to use a faithful copy of the environment (generating its hash to ensure integrity), or to run at a time when the resource is least used, such as a weekend. If the test is neither intrusive nor destructive, a BCP and DRP are not a precondition for performing it.

Care is needed, however, when running in a production environment. If you want to do so, to remove any doubt about the effectiveness of the tests in searching for and exploiting vulnerabilities, you must have available and up-to-date Business Continuity and Disaster Recovery Plans, because some test results can lead to impairment or unavailability of the analyzed resource. It is important to define parameters that identify the points where the test will act and how long it remains valid.

The flow below gives a brief description of the itemized stages of an Intrusion Test. This intrusion pattern is consistent with the EC-Council's CEH.

11-Macro Flow of Intrusion Test Procedures

Figure 3: Suggested flow for an Intrusion Test, with sub-phases and their techniques.

12-Alignment of the Testing Methodology.

To ensure efficiency, the test should include simulated, structured attack trees, executed sequentially according to the data identified at each stage of the intrusion and in accordance with the profile and limitations of each tested resource. The order of attacks follows the path of least resistance, based on default difficulty weights.

At the end of each battery, or during its execution, a detailed report is generated containing all information created or stored on the target resources, recorded with date/time and target IP, along with a list of all the tools and methodologies used. This way, the time of completion of the tests is known, in alignment with the defined project scope.

Finally, evasion is carried out: any remaining information is removed, so as to leave the system as close as possible to the state it was in before the service.

13-Description of the Methodological Steps.

13.1-Planning. Policy development and scoping, as well as the assets and resources to be tested, in a structured outline.

13.2-Observation (Footprinting). Gather specific information about the target system, such as physical location, ISP, administrators' mobile numbers, etc. A mostly non-technical approach, via Social Engineering, is expected here.

13.3-Scanning (Fingerprinting). Network probing and information gathering. Consists of scanning for hosts (workstations, servers, PDAs or similar), services, ports, protocols, shares, routes, operating systems, accounts without passwords or guest accounts, files and configurations, NetBIOS and DNS listings, among other services.

13.4-Enumeration. The step following the scan involves enumerating resources to direct the course of the intrusion, discovering which services are running and on which ports they are listening, beyond the target's operating system and version.

13.5-Searching for Flaws. After discovering which services run in the company's operating environment, search for their published flaws (vulnerabilities). These are services running on servers or operating systems that expose their active sockets (IP + port + protocol). The next step is to begin exploiting an available, published vulnerability for that service/system, or, depending on technical capacity, to understand the application code and develop one's own exploitation techniques, known as exploits, or to use an available framework. If there is no capacity to analyze the application source code for coding flaws, several sites publish information about exploitable vulnerabilities that can be found simply by typing the name and version of the active service. In any case, any tool or methodology should include searching for unpatched vulnerabilities with the respective manufacturers and in NIST's National Vulnerability Database (NVD), the CVE (Common Vulnerabilities and Exposures) list, the CERT Coordination Center, Bugtraq, SANS or SecurityFocus.
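The three steps 13.3 to 13.5 in working code, as an added example that is not part of the original article: a TCP connect scan of a list of ports, banner grabbing, extraction of product and version from the banner, and a version-range match against a vulnerability table. The host, ports and the two advisory entries (EXAMPLE-0001, EXAMPLE-0002) are constructed for illustration; a real test would match against NVD/CVE or the vendor's advisories instead. The stand-in services at the end exist only so that the script runs offline.

```python
"""Added example (not from the original article): a minimal version of the
scan, enumeration and flaw-search steps (13.3-13.5) for one host, using only
the Python standard library. Host, ports and the advisory table are
constructed for illustration; the advisory entries are hypothetical."""
import re
import socket
import threading

# Hypothetical advisory table: product, first affected version, fixed-in version.
# A real test would query NVD/CVE, vendor advisories or SecurityFocus instead.
KNOWN_ISSUES = [
    {"product": "OpenSSH", "affected_from": "4.0", "fixed_in": "5.9", "ref": "EXAMPLE-0001"},
    {"product": "vsFTPd", "affected_from": "2.3.4", "fixed_in": "2.3.5", "ref": "EXAMPLE-0002"},
]

# Matches "Product_1.2.3", "Product/1.2.3" or "Product 1.2.3"; trailing text
# such as "p1" or "(Ubuntu)" is ignored.
BANNER_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9]*)[_/ ]v?(\d+(?:\.\d+)+)")


def parse_version(text):
    """'5.3' -> (5, 3), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in text.split("."))


def parse_banner(banner):
    """Return (product, version) from a banner, or None if nothing is recognisable.
    For HTTP the status line ("HTTP/1.0 200 OK") would match first, so the
    Server header is preferred when present."""
    m = re.search(r"^Server:\s*(.+)$", banner, re.MULTILINE)
    text = m.group(1) if m else banner
    m = BANNER_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def match_issues(ident):
    """References of the hypothetical advisories whose version range covers ident."""
    product, version = ident
    v = parse_version(version)
    return [i["ref"] for i in KNOWN_ISSUES
            if i["product"].lower() == product.lower()
            and parse_version(i["affected_from"]) <= v < parse_version(i["fixed_in"])]


def grab_banner(host, port, timeout=1.0):
    """TCP connect scan of one port. Returns the banner text ('' if the service
    is silent) or None if the port is closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)                      # most services talk first
            except socket.timeout:
                s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")    # HTTP waits for a request
                try:
                    data = s.recv(1024)
                except socket.timeout:
                    data = b""
            return data.decode("latin-1", "replace").strip()
    except OSError:                                      # refused, timed out, unreachable
        return None


def scan(host, ports):
    """Enumerate open ports, identify the service and look up known flaws."""
    findings = []
    for port in ports:
        banner = grab_banner(host, port)
        if banner is None:
            continue
        ident = parse_banner(banner)
        findings.append({"port": port, "banner": banner, "service": ident,
                         "issues": match_issues(ident) if ident else []})
    return findings


# --- constructed stand-ins for a target, so the example runs offline ---------
def serve_banner(banner, silent=False):
    """One-shot listener on 127.0.0.1 that plays a service; returns its port.
    silent=True imitates HTTP, which only answers after a request."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            if silent:
                conn.recv(256)
            conn.sendall(banner.encode())
            if not silent:
                conn.recv(256)                           # wait for the client to hang up
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """A port nothing listens on, to show the closed-port case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    ports = [serve_banner("SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7\r\n"),
             serve_banner("220 (vsFTPd 2.3.4)\r\n"),
             serve_banner("HTTP/1.0 200 OK\r\nServer: Apache/2.2.14 (Ubuntu)\r\n\r\n", silent=True),
             free_port()]
    for f in scan("127.0.0.1", ports):
        print(f["port"], f["service"], f["issues"])
```

Two things the code makes visible that the text only implies: a banner is a claim, not a fact (the version string can be edited or removed by the administrator, so a "no match" is not a "no vulnerability"), and a connect scan completes the TCP handshake, so it will appear in the target's logs and on any IDS in the path, which matters when the test is unannounced.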

13.6-Circumventing Protection: Based on the detected flaws, this step aims to find ways to carry out an attack that breaks through protection barriers such as anti-malware, firewalls, IDSs and ACLs. At this point the test can take different directions, according to the conditions of the analyzed system, which will indicate the best procedure for the intrusion to follow. The approaches described below can be used in isolation, or integrated and combined, joining forces to break the security of the tested systems.

13.6.1-Tricking Users: Seeks to deceive the user through contacts or conversations that exploit trust and good faith, along with other human traits such as curiosity, sympathy, fear or guilt, leading them to perform some procedure that compromises security. The approach can be conducted in person, by telephone, email, mail or other means of communication.

13.6.2-Exploiting Flaws: If the flaw-search step has produced significant results, focus on exploiting them to try to achieve intrusion into the system by this technique.

13.6.3-Exploiting Configurations: Techniques to obtain intrusion through weak passwords and flaws in the configuration of devices and network resources, such as default passwords or passwords found in a standard dictionary.

13.6.4-Denial of Service: This approach does not aim exactly at penetrating the system but at disrupting its services. Depending on the purpose of the attack it is a powerful technique, and one that can be used when the other options fail, when the attacker's motivation is greed. It does not compromise the integrity or confidentiality of the service, only its availability.

14-Techniques Used.

Depending on the type of flaw encountered, numerous attacks can be launched to corroborate or refute the purpose of the test. The following is a non-exhaustive list of some technical approaches, explained without emphasizing any particular tools or systems.

14.1-Social Engineering: This technique, or rather approach, focuses on the human resource and should be used, whether or not it is part of the Intrusion Test project scope, to ratify the strictly technological actions.

14.2-Malware: Create and send malicious code, a virus and/or trojan, and monitor its behavior on the network, to test the efficacy of the anti-virus or whether users respected the standard policy on opening e-mail attachments. This type of virus must be harmless (fake), or the test must be done in a mirror (clone) environment with machines isolated from the company network, preventing its spread.

14.3-Access Control: Simulates a user with the means to exploit a valid trust relationship, using technical approaches such as Man-in-the-Middle.

14.4-Buffer Overflow: Buffer overflow vulnerabilities exploit memory usage and its pointers, with the variations known as Stack Overflow and Heap Overflow. Considered the Achilles heel of computer security, it is still the main method of inserting and executing malicious code in order to leave a backdoor or rootkit, or to cause a Denial of Service.

14.5-Code Injection: Exploits applications that do not validate user input properly, so that code can be inserted which will be interpreted by the server. This technique can be performed via forms, URLs, cookies, parameter passing, arguments to functions and variables, among others. The most widely used method is SQL injection, which aims to display and/or alter information contained in databases.
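The SQL injection case from 14.5 in runnable form, as an added example that is not part of the original article. It puts the vulnerable login and search functions beside their parameterized counterparts and feeds them the three classic payloads (comment-out, tautology and UNION). The database, its rows and the payloads are constructed for illustration and refer to no real application; SQLite is used only because it needs no server.

```python
"""Added example (not from the original article): the SQL injection case of
14.5 shown against an in-memory SQLite database. Schema, rows and payloads are
constructed for illustration; nothing here refers to a real application."""
import sqlite3


def make_db():
    """Constructed sample data: a login table and a product catalogue."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    db.execute("CREATE TABLE products (name TEXT, price INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("widget", 10), ("gadget", 25)])
    return db


# --- vulnerable: user input is pasted into the SQL text -----------------------
def login_vulnerable(db, username, password):
    query = ("SELECT username, role FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return db.execute(query).fetchone()


def search_vulnerable(db, term):
    query = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return db.execute(query).fetchall()


# --- fixed: parameterised queries; the values never become part of the SQL ---
def login_fixed(db, username, password):
    return db.execute("SELECT username, role FROM users "
                      "WHERE username = ? AND password = ?",
                      (username, password)).fetchone()


def search_fixed(db, term):
    return db.execute("SELECT name, price FROM products WHERE name LIKE ?",
                      ("%" + term + "%",)).fetchall()


# Payloads a tester would type into the form fields.
BYPASS_USER = "alice' --"        # closes the string and comments out the password check
TAUTOLOGY_PASS = "x' OR '1'='1"  # AND binds tighter than OR, so every row matches
UNION_TERM = "' UNION ALL SELECT username, password FROM users --"  # dumps another table


if __name__ == "__main__":
    db = make_db()
    print("bypass    :", login_vulnerable(db, BYPASS_USER, "anything"))
    print("tautology :", login_vulnerable(db, "nobody", TAUTOLOGY_PASS))
    print("union     :", search_vulnerable(db, UNION_TERM))
    print("fixed     :", login_fixed(db, BYPASS_USER, "anything"),
          login_fixed(db, "nobody", TAUTOLOGY_PASS), search_fixed(db, UNION_TERM))
```

The fix is not input filtering: `search_fixed` happily accepts the apostrophes and the `--` in the payload and simply searches for a product with that name, because the driver sends the value separately from the statement. Filtering quotes is what the vulnerable version would need, and it is exactly the approach that keeps getting bypassed.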

14.6-Cross-Site Scripting (XSS): Non-persistent (reflected) XSS occurs when data passed in the request is used without validation to generate the results page. In the persistent form, the data passed by the client is written directly on the server and made publicly accessible, without proper validation or restrictions.
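Both XSS forms from 14.6 in a tiny page renderer, as an added example that is not part of the original article: a reflected search page and a persistent guest book, each rendered once without output encoding and once with it. The page fragments, the marker payload and the `contains_active_content` check a tester can run on the returned HTML are all constructed for illustration.

```python
"""Added example (not from the original article): reflected and persistent
XSS from 14.6 in a tiny page renderer, with the unescaped output beside the
escaped one. Inputs and page fragments are constructed for illustration."""
import html
from urllib.parse import parse_qs

# Harmless marker a tester submits; if it comes back as markup, the page is vulnerable.
PAYLOAD = "<script>alert(document.cookie)</script>"


def reflected_vulnerable(query_string):
    """Echoes the 'q' parameter straight into the HTML."""
    q = parse_qs(query_string).get("q", [""])[0]
    return "<h1>Results for: %s</h1>" % q


def reflected_fixed(query_string):
    """Same page, output-encoded at the point where the value enters HTML."""
    q = parse_qs(query_string).get("q", [""])[0]
    return "<h1>Results for: %s</h1>" % html.escape(q, quote=True)


class GuestBook:
    """Persistent variant: what one visitor posts is rendered for every later
    visitor. Storing the raw text is fine; rendering it unescaped is the flaw."""

    def __init__(self):
        self.entries = []

    def post(self, author, message):
        self.entries.append((author, message))

    def render_vulnerable(self):
        return "".join("<p><b>%s</b>: %s</p>" % e for e in self.entries)

    def render_fixed(self):
        return "".join("<p><b>%s</b>: %s</p>" % (html.escape(a, True), html.escape(m, True))
                       for a, m in self.entries)


def contains_active_content(page):
    """Crude post-test check: did the marker survive as live markup?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    qs = "q=" + PAYLOAD
    print(reflected_vulnerable(qs))
    print(reflected_fixed(qs))
    book = GuestBook()
    book.post("mallory", PAYLOAD)
    book.post("bob", "hello")
    print(book.render_vulnerable())
    print(book.render_fixed())
```

The persistent case is the more serious one for the test report: the tester's marker is served to every subsequent visitor, including administrators, which is why a real engagement uses an inert marker (as here) rather than anything that actually exfiltrates cookies.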

14.7-Exploits: Scripts and programs designed to exploit vulnerabilities. An exploit is an instance of an attack pattern designed to compromise a portion of the target system's code. The act of running an exploit is known as an attack.

14.8-Password Discovery by Brute-Force Authentication: Search for authentication services and access controls vulnerable to password discovery by trial and error, listing potential candidates. The computational cost (time) grows with the number of candidates that must be tried, and falls the more passwords fail to follow the guidelines for creating passwords suggested by ISO/IEC 17799:2005 Section 11.3.1. This test aims to assess the quality of the policies and standards for creating, maintaining and safeguarding secrets.
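The trial-and-error test from 14.8 against a constructed login service, as an added example that is not part of the original article. The guesser walks a small dictionary with the usual "append a digit" mutations; the `Authenticator` class, its accounts, passwords and lockout threshold are made up for illustration, and the `complies_with_policy` check is my own reading of the ISO/IEC 17799 guidance (length, character classes, not a dictionary word), not the standard's text. It shows the two levers the text describes: a policy-compliant password is outside the candidate space, and a lockout stops the online attack after a handful of tries.

```python
"""Added example (not from the original article): the trial-and-error password
discovery of 14.8 against a constructed authentication service, showing how
the password policy and a lockout threshold change the outcome. Accounts,
passwords and wordlist are constructed for illustration."""
import hashlib
import os

WORDLIST = ["password", "welcome", "summer", "company", "letmein"]
# Mutations users typically apply to satisfy a naive "add a digit" rule.
SUFFIXES = [""] + [str(n) for n in range(10)] + ["123", "!", "2011", "2012"]


def candidates(words):
    """Dictionary words, capitalised or not, with each common suffix."""
    for w in words:
        for base in (w, w.capitalize()):
            for suffix in SUFFIXES:
                yield base + suffix


class Authenticator:
    """Constructed stand-in for a login service. Passwords are stored as salted
    SHA-256 (illustration only); lockout_after=None means unlimited tries."""

    def __init__(self, lockout_after=None):
        self.lockout_after = lockout_after
        self.accounts = {}   # user -> (salt, digest)
        self.failures = {}

    @staticmethod
    def _digest(salt, password):
        return hashlib.sha256(salt + password.encode()).hexdigest()

    def add_user(self, user, password):
        salt = os.urandom(8)
        self.accounts[user] = (salt, self._digest(salt, password))

    def verify(self, user, password):
        """True on success, False on a wrong guess, None once the account is locked."""
        if user not in self.accounts:
            return False
        if self.lockout_after is not None and self.failures.get(user, 0) >= self.lockout_after:
            return None
        salt, digest = self.accounts[user]
        if self._digest(salt, password) == digest:
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False


def brute_force(auth, user, words=WORDLIST):
    """Online guessing. Returns (password or None, attempts made, locked_out)."""
    attempts = 0
    for cand in candidates(words):
        attempts += 1
        result = auth.verify(user, cand)
        if result is None:
            return None, attempts, True
        if result:
            return cand, attempts, False
    return None, attempts, False


def complies_with_policy(password, min_length=8):
    """Checks in the spirit of the ISO/IEC 17799 guidance: minimum length, at
    least three character classes, and not a dictionary word with a trivial suffix."""
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    stem = password.rstrip("0123456789!").lower()
    return len(password) >= min_length and sum(classes) >= 3 and stem not in WORDLIST


if __name__ == "__main__":
    service = Authenticator()
    for user, pw in [("bob", "welcome1"), ("carol", "Summer2012"), ("alice", "Tq7#vL9!pR2m")]:
        service.add_user(user, pw)
        print(user, complies_with_policy(pw), brute_force(service, user))
    locked = Authenticator(lockout_after=5)
    locked.add_user("bob", "welcome1")
    print("with lockout:", brute_force(locked, "bob"))
```

Note that the lockout also hands the tester a denial-of-service lever (anyone can lock any known username), which is why the report should record both what the lockout prevented and what it enables.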

14.9-Passive Capture and Analysis of Network Traffic and Packets (Sniffing): Check whether sensitive information in transit can be identified without adequate safeguards (encryption or steganography), by capturing and handling network traffic in order to test the algorithms and protocols in use. The goal is not to break the encryption.

14.10-Disabling Security Services: Ability to disable components and services such as proxies, firewalls, anti-malware, alarm systems, CCTV, safe rooms and data center access, among others intended to ensure and preserve the physical and logical integrity of the company, as provided in ISO/IEC 17799:2005 Sections 9 and 11. Sometimes, to succeed, complementary use of Social Engineering is required.

14.11-Remote Connections: Search for active or standby connections that can be established via RAS, RADIUS or VPNs without authentication or with a low level of security.

14.12-Warchalking: Scan the wireless spectrum beyond the enterprise perimeter in search of open connections, or connections without the minimum encryption required by the security policy.

14.13-Insecure Credential Handling: Assess credentials sent via HTTP, HTTPS forms whose login is nevertheless sent via HTTP, credentials stored in cookies, passed in the URL query string, or passed from server to client in clear text, as in "remember me" features.
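The passive capture of 14.9 applied to the insecure credential handling of 14.13, as an added example that is not part of the original article: a small analyzer that walks reassembled HTTP messages and reports every credential it finds in a form body, a URL query string, an HTTP Basic header or a "remember me" cookie. The capture, the host `intranet.example`, the user and the secret are all constructed; a real run would feed it the payloads from a sniffer such as tcpdump or Wireshark, and on an HTTPS session it would find nothing, which is the point of the check.

```python
"""Added example (not from the original article): the passive-capture check of
14.9 applied to the insecure credential handling of 14.13. It scans captured
plaintext HTTP messages for credentials sent in the clear. The capture below is
constructed, not a real trace."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed capture: a few reassembled HTTP messages, as a sniffer would hand
# them over. Host, user and secret are made up.
CAPTURE = [
    b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
    b"username=jdoe&password=Pa55",
    b"GET /api/report?user=jdoe&passwd=Pa55 HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic amRvZTpQYTU1\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nSet-Cookie: remember_me=jdoe:Pa55; Path=/\r\n\r\nwelcome",
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
]

SECRET_KEYS = re.compile(r"^(pass(word|wd)?|pwd|secret|token)$", re.I)
REMEMBER_COOKIE = re.compile(r"remember|auth|passw", re.I)


def split_message(raw):
    """Return (start line, lower-cased header dict, body) for one HTTP message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1")


def secrets_in(pairs):
    """(key, value) for every urlencoded field whose name looks like a secret."""
    return [(k, v) for k, values in pairs.items() for v in values if SECRET_KEYS.match(k)]


def find_credentials(messages):
    """List of (where, user-or-field, secret) for every credential in the clear."""
    findings = []
    for raw in messages:
        start, headers, body = split_message(raw)
        if start.startswith("HTTP/"):                    # a response
            name, _, rest = headers.get("set-cookie", "").partition("=")
            if REMEMBER_COOKIE.search(name):
                findings.append(("Set-Cookie", name, rest.split(";")[0]))
            continue
        _method, target, _version = start.split(" ", 2)
        for k, v in secrets_in(parse_qs(urlsplit(target).query)):
            findings.append(("URL query string", k, v))
        if "x-www-form-urlencoded" in headers.get("content-type", ""):
            for k, v in secrets_in(parse_qs(body)):
                findings.append(("form body over HTTP", k, v))
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            user, _, secret = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            findings.append(("HTTP Basic", user, secret))
    return findings


if __name__ == "__main__":
    for where, who, secret in find_credentials(CAPTURE):
        print("%-20s %-12s %s" % (where, who, secret))
```

The query-string case deserves a separate line in the report even when the page is served over HTTPS: the URL ends up in browser history, proxy logs and the Referer header of the next request, so the secret leaks without any sniffing at all.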

14.14-Forced Denial of Service: Subject the target host to an anomalous and extreme situation, forcing it to respond to access or connection requests beyond its processing capacity, degrading its performance or causing its complete unavailability, usually through resource exhaustion. It can be run locally, remotely or in a distributed manner.


Given the vulnerabilities and attack vectors available, the attacks are launched with the aim of obtaining unauthorized access with the highest possible elevation of privilege. For each vulnerability identified, we seek to:

Confirm or refute its existence.
Find or develop exploit code / a proof-of-concept tool.
Document the methodology used for the exploitation.
Obtain access and, if possible, escalate privileges, without triggering IDS/IPS alarms.
If a vulnerability is identified but no published way of exploiting it is available, consider as an alternative the use of the Metasploit Framework.

This is an Open Source tool created by HD Moore, containing a set of the best learning and research platforms, designed specifically to strengthen and accelerate the development, testing and use of exploits by Infosec professionals or CEHs.

The Metasploit Framework contains dozens of exploits, payloads and advanced analysis tools for testing vulnerabilities on multiple servers and operating systems. Its goal is to create an environment for researching, developing and exploiting software vulnerabilities, providing the tools needed to complete the research cycle, briefly divided into four phases:

1st - Find a programming error that may or may not lead to a security breach.

2nd - Evaluate the vulnerability to determine the ways in which it can be exploited.

3rd - Develop the exploit after the analysis phase, using reverse engineering, analysis and code debugging, etc.

4th - Test the exploit's source and variables in different environments (service packs, hotfixes, patches) and/or directly on the target service or feature. The exploit itself is what demonstrates that the vulnerability can in fact be exploited to compromise the system.

Figure 4: Illustrative Metasploit screen.

15.1-Examples of some of the tools contained in the Metasploit Framework

msfconsole - the Metasploit console interface
msfcli - command-line interface for automating exploitation
msflogdump - displays session log files
msfpayload - generates custom payloads
msfpescan - analyzes and disassembles executables and DLLs
msfencode - interactive payload encoder
msfupdate - checks for and downloads framework updates
msfweb - browser-based graphical interface


During the test, record all activities performed without omitting details such as methodology, scope, tools used, dates and times, the list of hosts involved, the profile of the executing team, and the purpose of the intrusion, with all the vulnerabilities tested, successfully or not. The result is a list of recommendations for improvements and/or adjustments to the technology services that support the business. At the end of the analysis, a report determines whether the tests caused any damage to the system, and confirms that no other intruders gained access to the system during the test.

It bears repeating that applying the Corrective Action Plan is not the test team's job; doing so could distort its purpose, which is to discover and point out security flaws from the business side, unless this is pre-planned and aligned with the project scope.


Some standards that suggest Intrusion Test methodologies, such as PCI and OSSTMM, treat traditional penetration testing as a prerequisite for launching a commercial product.

However, think about the cost versus the benefit as a long-term solution to the security control requirements. Keeping a CEH staff is expensive! Companies that invest in hiring their own security personnel reduce the long-term cost of Attack and Penetration Tests and improve the quality of the results, since in-house security professionals become familiar with the internal systems and are more effective. But if this is not the company's niche, i.e. it is not an IT provider, this resource will soon become idle. Hence, periodically hiring an outside team (at every significant configuration change or deployment of a new system) can be a way to reduce the cost of a new IT project.

18-Recommended Reading.

Further reading aids decision making and the understanding of possible adoption and modeling for any scenario.

ISSAF - Information Systems Security Assessment Framework
OWASP - Open Web Application Security Project
OSSTMM / ISECOM - Open Source Security Testing Methodology Manual
NIST Special Publication 800-42: Guidelines on Network Security Testing
NIST Special Publication 800-115: Technical Guide to Information Security Testing and Assessment

An Intrusion Test program is a set of procedures aimed at identifying security flaws in an environment and taking advantage of them to break into it, obtaining unauthorized access to information and computing resources. It helps the organization assess the degree of exposure of its information assets and take the appropriate corrective measures.

It also acts as a complement to the Risk Analysis, because it identifies vulnerabilities by simulating the view of an outsider with hostile intentions. Its execution, however, is controlled so as not to damage the environment, only to test the effectiveness of the existing controls.

There are several ways to treat the security of a network, system or application, and penetration testing is just one of many available; however, it shows the most concrete results, reflecting the reality of the company's IT infrastructure, with minimal false positives and false negatives.

Its results should be used to help point out, direct and determine which management actions and priorities are most suitable for treating the risks inherent in information security, as well as to help select the controls to be implemented and direct resources to protection, mitigating those risks.

Finally, intrusion tests and all other related security activities must be planned for and be part of the program within the Information Security Master Plan.


