|Network Security Assessment|
|By Chris McNab|
|Pub Date||: March 2004|
Network Security Assessment offers anefficient testing model you can adopt, refine, and reuse tocreate proactive defensive strategies to protect yoursystems from the threats that are out there, as well asthose still being developed. This thorough and insightfulguide covers offensive technologies by grouping andanalyzing them at a higher level--from both an offensive anddefensive standpoint--helping administrators design anddeploy networks that are immune to offensive exploits,tools, and scripts.
Copyright © 2004 O'Reilly Media, Inc.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O'Reilly & Associates books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or email@example.com.
Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. Network Security Assessment, the image of porcupine fish, and related trade dress are trademarks of O'Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
After managing the performance of over 20,000 infrastructure and applications penetration tests, I have come to realize the importance of technical testing and providing information security assurance.
This book accurately defines a pure technical assessment methodology, giving you the ability to gain a much deeper understanding of the threats, vulnerabilities, and exposures modern public networks face. The purpose for conducting the tens of thousands of penetration tests during my 20+ years working in information systems security was "to identify technical vulnerabilities in the tested system in order to correct the vulnerability or mitigate any risk posed by it." In my opinion, this is a clear, concise, and perfectly wrong reason to conduct penetration testing.
As you read this book, you will realize that vulnerabilities and exposures in most environments are due to poor system management, patches not installed in a timely fashion, weak password policy, poor access control, etc. Therefore, the principal reason and objective behind penetration testing should be to identify and correct the underlying systems management process failures that produced the vulnerability detected by the test. The most common of these systems management process failures exist in the following areas:
Unfortunately, many IT security consultants provide detailed lists of specific test findings and never attempt the higher order analysis needed to answer the question of "why." This failure to identify and correct the underlying management cause of the test findings assures that, when the consultant returns to test the client after six months, a whole new set of findings will appear.
If you are an IT professional who is responsible for security, use this book to help you assess your networks; it is effectively a technical briefing of the tools and techniques that your enemies can use against your systems. If you are a consultant performing security assessment for a client, it is vital that you bear in mind the mismanagement reasons for the vulnerabilities, as discussed here.
Several years ago, my company conducted a series of penetration tests for a very large international client. The client was organized regionally; IT security policy was issued centrally and implemented regionally. We mapped the technical results to the following management categories:
We then computed the average number of security assessment findings per 100 systems tested for the total organization and produced the chart shown in Figure P-1.
Figure P-1. Average vulnerabilities by management category
We then conducted a comparison of the performance of each region against the corporate average. The results were quite striking, as shown in Figure P-2 (above the average is bad, with more findings than the corporate average).
Figure P-2. Regional comparisons against the corporate average
Figure P-2 clearly shows discernible and quantifiable differences in the effectiveness of the security management in each of the regions. For example, the IT manager in region 3 clearly was not performing software maintenance or password/access controls management, and the IT manager in region 1 failed to remove unneeded services from his systems.
It is important that, as you read this book, you place vulnerabilities and exposures into categories and look at them in a new light. You can present a report to a client that fully documents the low-level technical issues at hand, but unless the underlying high-level mismanagement issues are tackled, network security won't improve, and different incarnations of the same vulnerabilities will be found later on. This book will show you how to perform professional Internet-based assessment, but it is vital that you always ask the question "why are these vulnerabilities present?"