14.5 Break into Your Own System with Tiger Teams

The purpose of a fire drill is to give practice in recovering from an intrusion, so that an actual intrusion can be recovered from more quickly and more thoroughly. Everyone is aware that a drill is happening, though they will not know how or exactly when. A Tiger team, by contrast, is a person or persons who actually try to break in, in order to find security problems that can then be corrected. The Tiger team usually conducts its work without the knowledge of the rest of the SysAdmins. It is more formal than random probes of the system "just to see" if there are holes. Frequently, outside consultants who are experienced in this are hired.
Can someone unknown to the engineers have a seat at the "next generation" system and copy data to a CD-RW or floppy? Can someone carry equipment (that may contain valuable data) out of the building without being stopped? Can someone claim to be from the phone company or alarm company and get into the computer room? Those at larger entities and those at greater risk may want to study the techniques discussed in "Gutsy Break-Ins" on page 367. Will word of someone being fired be passed to Security so she will not be let in when she claims that she "forgot her badge"? Will the cleaning crew let her in that night?

Besides testing physical security, what techniques should be used to try to gain entry into systems? Looking up "vulnerability" in this book's index is a good place to start. Tracking the mailing lists and Web sites discussed in Appendix A is good too. Certainly, there are cracker Web sites too but I am not going to aid would-be crackers by naming them. See also "Quick Fixes for Common Problems" on page 17 and "Quick and Easy Hacking and How to Avoid It" on page 117.

If different SysAdmins maintain different systems within an organization, a good technique would be for them to operate as Tiger teams against each other's systems. It is important to remember that the object is to increase security, not diminish it in the heat of battle. In a large organization, SysAdmins from a different installation may be used as a Tiger team to test that Security and others will properly challenge someone without credentials and will not give out passwords and other information to those unknown to them.
14.5.1 Penetration Testing

Some people may use the term Penetration Testing to mean trying to get into the system, possibly with the use of a Tiger Team. Some might use it interchangeably with the term Auditing. Here, Penetration Testing and Auditing will mean seeing how much of your internal network is visible from the Internet. This requires doing the analysis from a separate network that is not granted special access. A larger company will want to have separate Internet access for this purpose, typically through a DSL or dial-up connection.

The nmap program is particularly helpful here because this is what it is designed to do. It should be run from a network unrelated to the network that you are testing. Its use is explained in "The nmap Network Mapper" on page 592. You will want to advise anyone who might be monitoring the firewall or other intrusion detection systems because these likely will be triggered.

More likely than not, you should expect to find problems. These will include services accessible from the Internet that were thought to be blocked, FTP servers that allow "proxy" access to internal systems, etc.
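As an added example (not from the book), the following Python code compares the grepable output of an external nmap scan with the services that are supposed to be reachable from the Internet, and reports anything else that is open. The scan text, the addresses and the INTENDED policy are constructed for illustration.

```python
# Constructed sample of nmap grepable (-oG) output; documentation-range addresses.
SAMPLE_SCAN = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (www.example.com)\tStatus: Up\n"
    "Host: 192.0.2.10 (www.example.com)\tPorts: 21/open/tcp//ftp///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 111/filtered/tcp//rpcbind///\n"
    "Host: 192.0.2.25 (mail.example.com)\tPorts: 25/open/tcp//smtp///, "
    "3306/open/tcp//mysql///\tIgnored State: closed (998)\n"
)

# Hypothetical policy: what the firewall rules are supposed to expose.
INTENDED = {
    "192.0.2.10": {(80, "tcp"), (443, "tcp")},
    "192.0.2.25": {(25, "tcp")},
}


def open_ports(grepable):
    """Return {host: {(port, proto, service), ...}} for ports in state 'open'."""
    found = {}
    for line in grepable.splitlines():
        fields = line.split("\t")
        if not fields[0].startswith("Host: "):
            continue  # comment lines and anything that is not a host record
        host = fields[0].split()[1]
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for entry in field[len("Ports: "):].split(", "):
                    parts = entry.strip().split("/")
                    if len(parts) >= 5 and parts[1] == "open":
                        found.setdefault(host, set()).add(
                            (int(parts[0]), parts[2], parts[4]))
    return found


def unexpected_exposure(grepable, intended):
    """List (host, port, proto, service) that is reachable but not in the policy."""
    findings = []
    for host, ports in open_ports(grepable).items():
        allowed = intended.get(host, set())  # unknown host: nothing is allowed
        for port, proto, service in ports:
            if (port, proto) not in allowed:
                findings.append((host, port, proto, service))
    return sorted(findings)


if __name__ == "__main__":
    for finding in unexpected_exposure(SAMPLE_SCAN, INTENDED):
        print("unexpected: %s %d/%s (%s)" % finding)
```

Ports reported as filtered or closed are not counted as exposed; a host that answers but is missing from the policy has every open port reported.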