To ensure that the organization's security controls are functioning properly, both the IT organization and the IS auditor should use the same techniques that hackers use in an attempt to bypass access controls. A vulnerability assessment is used to determine potential risks to the organization's systems and data. Penetration testing is used to test the controls implemented as countermeasures to those vulnerabilities. Penetration tests performed by the organization are sometimes called intrusion tests or ethical hacking.

The penetration test team uses public sources to gain information on an organization's network, systems, and data. Known as discovery, this phase includes passive scanning techniques to identify the perimeter systems' operating systems and the applications that are listening for network connections (ports). It might also include the review of public websites, partner websites, and newsgroups to discover information on applications and network connectivity. One example of discovery is the use of newsgroups: system administrators often post questions to newsgroups on the Internet to solve problems they are having with applications or network devices, and an intruder can search newsgroups using the organization's domain name to find potential vulnerabilities.

When the discovery process is complete, the penetration test team should develop a list of potential vulnerabilities on the network. They should then systematically attempt to bypass the access controls by guessing passwords (using automated password-cracking tools and dictionaries), searching for back doors into the system, or exploiting known vulnerabilities based on the type of servers and applications within the organization. Penetration testing is intended to use the same techniques and tools intruders use. It can be performed against both internal (applications) and external (firewalls) devices, and it should be performed by qualified and authorized individuals.
The penetration team should develop a penetration test plan and use caution when performing penetration tests on production systems. The penetration test plan should include methods by which vulnerabilities will be identified, documented, and communicated upon conclusion of the penetration testing period.
Authorized penetration testing is often performed using the same network diagnostic tools hackers commonly use. The IT organization should implement regular vulnerability scanning in addition to penetration testing. Similar to virus-protection programs, vulnerability scanners, combined with firewall and IDS logs, ensure that the IT infrastructure is protected against both new and existing vulnerabilities. Vulnerability scanning is implemented using automated tools that periodically scan network devices looking for known vulnerabilities. These tools maintain a vulnerability database that is periodically updated as new vulnerabilities are discovered. The vulnerability scans produce reports and generally rate each finding at one of three risk levels (high, medium, low). The more sophisticated scanning tools provide a list of the vulnerabilities found on the network by device or application, as well as the remediation for each. One of the more popular tools used for vulnerability scanning is Nessus (www.nessus.org), an open-source scanner that maintains a vulnerability database (which can be updated via the Internet). An example of a Nessus vulnerability report is shown here (this example does not include the entire report):
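The Nessus report excerpt the text refers to is not reproduced on this page. What follows is an added example, not Nessus output and not from the original text: a constructed scan report in the field layout the text describes (machine address, port/service, risk rating, CVE ID, description, solution) and a small Python triage script that validates each record, counts findings by risk level, groups them by host, and orders the remediation list by severity. The hosts (documentation addresses), ports, findings and CVE identifiers (CVE-0000-xxxx) are placeholders for this example, not real vulnerabilities.

```python
import csv
import io
import re

# Severity order used for sorting; the three levels are the ones the text describes.
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}
# Shape of a CVE identifier (year, then a sequence number of four or more digits).
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample report (not real scanner output). Hosts are documentation
# addresses and the CVE IDs are obvious placeholders, not real entries.
SAMPLE_REPORT = """host,port,service,risk,cve,description,solution
192.0.2.10,22,ssh,Medium,CVE-0000-0001,Constructed: SSH server allows weak MAC algorithms,Disable weak MAC algorithms
192.0.2.10,445,smb,High,CVE-0000-0002,Constructed: SMB signing not required,Require SMB signing
192.0.2.11,80,http,Low,,Constructed: web server reveals version banner,Suppress the server banner
192.0.2.11,443,https,High,CVE-0000-0003,Constructed: TLS library out of date,Apply the vendor patch
192.0.2.12,3389,rdp,Medium,CVE-0000-0004,Constructed: RDP uses a self-signed certificate,Deploy a CA-issued certificate
"""


def parse_report(text):
    """Parse CSV records into findings, rejecting rows an auditor could not act on."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["risk"] not in RISK_ORDER:
            raise ValueError(f"unknown risk rating {row['risk']!r} for host {row['host']}")
        cve = row["cve"].strip()
        if cve and not CVE_RE.match(cve):
            raise ValueError(f"malformed CVE id {cve!r} for host {row['host']}")
        findings.append({
            "host": row["host"],
            "port": int(row["port"]),
            "service": row["service"],
            "risk": row["risk"],
            "cve": cve or None,          # a finding need not have a CVE entry
            "description": row["description"],
            "solution": row["solution"],
        })
    return findings


def summarize_by_risk(findings):
    """Count findings at each risk level, like the summary at the top of a scan report."""
    counts = {level: 0 for level in RISK_ORDER}
    for f in findings:
        counts[f["risk"]] += 1
    return counts


def findings_by_host(findings):
    """Group findings per device, most severe first, as the per-device view the text describes."""
    by_host = {}
    for f in sorted(findings, key=lambda f: (f["host"], RISK_ORDER[f["risk"]], f["port"])):
        by_host.setdefault(f["host"], []).append(f)
    return by_host


def remediation_plan(findings):
    """Order all findings by severity, then host and port, so high risks are fixed first."""
    return sorted(findings, key=lambda f: (RISK_ORDER[f["risk"]], f["host"], f["port"]))


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    print("Findings by risk:", summarize_by_risk(findings))
    for host, items in findings_by_host(findings).items():
        print(host)
        for f in items:
            print(f"  [{f['risk']:<6}] {f['port']}/{f['service']}: {f['description']}")
    print("Remediation order:")
    for f in remediation_plan(findings):
        print(f"  {f['risk']:<6} {f['host']}:{f['port']} -> {f['solution']} ({f['cve'] or 'no CVE'})")
```

The validation in parse_report is the part an auditor cares about: a row with an unrecognised risk rating or a malformed CVE ID is rejected rather than silently dropped into the wrong bucket, so every finding that reaches the remediation list can be traced back to the public vulnerability database by its identifier.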
The Nessus report shows the machine address, the vulnerability (port/service), a text description of the vulnerability, the solution, and the Common Vulnerabilities and Exposures (CVE) ID. As public vulnerabilities are discovered, they are recorded in databases that provide naming and documentation standards. One such free public database is maintained by the MITRE Corporation (http://cve.mitre.org) and can be used to review known vulnerabilities and their remediation.

In addition to vulnerability testing, the organization can employ tools that are designed to entice and trap intruders. Honey pots are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate other individuals' computer systems. Honey pots generally are placed in an area of the network that is publicly accessible and that contains known vulnerabilities. The concept of a honey pot is to learn from an intruder's actions by monitoring the methods and techniques employed by a hacker attempting to gain access to a system.
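A minimal illustration of the honey pot idea, added here as an example that is not from the original text and not any particular honey pot product: a low-interaction TCP listener in Python that accepts connections on a port with no real service behind it, records the source address and the first bytes each client sends, labels which protocol the client appeared to be speaking, and deliberately answers nothing. The port number (2222), the probe labels and the event fields are assumptions of this example.

```python
import datetime
import json
import socketserver

# First bytes common clients send, used to label what a connecting party was
# looking for without the honey pot having to implement any protocol itself.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_probe(data):
    """Return a label for the first bytes a client sent (labels are this example's own)."""
    if not data:
        return "empty"                   # connect-and-close: typical of a port scan
    if data.startswith(HTTP_METHODS):
        return "http-request"
    if data.startswith(b"SSH-"):
        return "ssh-client-banner"
    # TLS record header: content type 0x16 (handshake), version 0x03xx,
    # then handshake type 0x01 (ClientHello) at offset 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    return "unknown"


def record_event(events, peer, honeypot_port, data):
    """Append one structured event for a connection attempt and return it."""
    event = {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "source_ip": peer[0],
        "source_port": peer[1],
        "honeypot_port": honeypot_port,
        "probe": classify_probe(data),
        "bytes": len(data),
        "sample_hex": data[:64].hex(),   # bounded sample kept for later analysis
    }
    events.append(event)
    return event


class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(5.0)     # a silent client must not tie up a thread
        try:
            data = self.request.recv(1024)
        except OSError:                  # timeout or reset: still worth recording
            data = b""
        event = record_event(self.server.events, self.client_address,
                             self.server.server_address[1], data)
        print(json.dumps(event), flush=True)
        # Deliberately send nothing back: the honey pot only listens and records.


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, events):
        super().__init__(address, HoneypotHandler)
        self.events = events             # shared list of recorded events


def serve(host="0.0.0.0", port=2222):
    """Listen until interrupted; the port is an assumption of this example."""
    events = []
    with Honeypot((host, port), events) as server:
        server.serve_forever()
    return events


if __name__ == "__main__":
    serve()
```

Every connection is written to standard output as one JSON line for the IDS or log collector to pick up. Because no legitimate client has a reason to touch this port, each event deserves a look, which is the detection value the text attributes to honey pots; keeping the listener silent limits what an intruder can learn from it while the defender still records the method being tried.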
Honey pots are often used as a detection and deterrent control against Internet attacks. The most significant vulnerability in any organization is the user. The use of appropriate access controls can sometimes be inconvenient or cumbersome for the user population. To ensure that the organization's security controls are effective, a comprehensive security program should be implemented. The security program should include these components: