14.5 Break into Your Own System with Tiger Teams

A fire drill and a Tiger team serve different purposes. A fire drill gives practice in recovering from an intrusion, so that an actual intrusion can be recovered from more quickly and more thoroughly; everyone knows it is happening, though not how or exactly when. A Tiger team is a person or group who actually try to break in, in order to find security problems that then get corrected. The Tiger team usually does its work without the knowledge of the rest of the SysAdmins. It is more formal than random probes of the system "just to see" whether there are holes. Frequently, outside consultants who are experienced in this work are hired.

It is mandatory for the Tiger team to have written authorization, because there is no other way to distinguish its actions from cracking. The authorization should say who is authorized, which systems and facilities are in scope, and during what period. The military uses Tiger teams to test the security at highly classified installations. Occasionally, a team member gets shot as an intruder. The team should test not just the computers but also the "human factors": for example, can a team member whose face is unknown to the security guard get past her?


Can someone unknown to the engineers have a seat at the "next generation" system and copy data to a CD-RW or floppy? Can someone carry equipment (that may contain valuable data) out of the building without being stopped? Can someone claim to be from the phone company or alarm company and get into the computer room? Those at larger entities and those at greater risk may want to study the techniques discussed in "Gutsy Break-Ins" on page 367. Will word of someone being fired be passed to Security so she will not be let in when she claims that she "forgot her badge"? Will the cleaning crew let her in that night?

Besides testing physical security, what techniques should be used to try to gain entry into systems? Looking up "vulnerability" in this book's index is a good place to start. Tracking the mailing lists and Web sites discussed in Appendix A is good too. Certainly, there are cracker Web sites too but I am not going to aid would-be crackers by naming them. See also "Quick Fixes for Common Problems" on page 17 and "Quick and Easy Hacking and How to Avoid It" on page 117.

If different SysAdmins maintain different systems within an organization, a good technique would be for them to operate as Tiger teams against each other's systems. It is important to remember that the object is to increase security, not diminish it in the heat of battle. In a large organization, SysAdmins from a different installation may be used as a Tiger team to test that Security and others will properly challenge someone without credentials and will not give out passwords and other information to those unknown to them.

In 1985, I was disgusted with Continental Airlines' plan to strand my suitcase and me in different cities because their clerks were too lazy to retrieve my suitcase from the luggage train only 50 feet away. I followed an employee (who did not know me from D. B. Cooper[a]) out a door onto the ramp. He and others looked for my picture ID, saw none, and gave me funny looks, but nobody stopped me. Do your people challenge unknown persons? Is there a good policy on what to do?

I came back inside, satisfied that I had my suitcase and that their terrible service was defeated this once. This was at Boston's Logan airport, one of the busiest in the U.S. It would have been just as easy for me to have put a bomb in someone else's luggage and headed home to watch the news.

Postscript for the second edition: Terrorists smuggled box cutters (knives) past Logan's security and used them to hijack two airliners and fly them into the World Trade Center's two tall towers. This caused the largest loss of life of any terrorist act ever. The next day, I transported blood supplies in my plane at my own expense at the request of Angel Flight of Georgia under emergency authority and extreme security.


[a] D. B. Cooper hijacked a 727 many years ago. His demand of, perhaps, a million dollars and a parachute was honored. The rear emergency exit of a 727 could be opened in flight, which he did. The FAA then ordered 727 aircraft modified to prevent a recurrence. He and the money were never heard from again; a man living under an assumed name reportedly claimed responsibility on his deathbed in late 2000.

14.5.1 Penetration Testing

Some people use the term Penetration Testing to mean trying to get into the system, possibly with the use of a Tiger team. Some use it interchangeably with the term Auditing. Here, Penetration Testing and Auditing will mean seeing how much of your internal network is visible from the Internet. This requires doing the analysis from a separate network that is not granted special access; a scan from inside your own perimeter, or from an address your firewall trusts, tells you nothing about what an outsider sees. A larger company will want to have separate Internet access for this purpose, typically through a DSL or dial-up connection. The nmap program is particularly helpful here because this is what it is designed to do. It should be run from a network unrelated to the network that you are testing. Its use is explained in "The nmap Network Mapper" on page 592. You will want to advise anyone who might be monitoring the firewall or other intrusion detection systems, because these likely will be triggered. More likely than not, you should expect to find problems. These will include services accessible from the Internet that were thought to be blocked, FTP servers that allow "proxy" access to internal systems (the FTP bounce problem, where the server's PORT command can be pointed at a third host; nmap's -b option tests for it), etc. Keep a written list of what each externally visible host is supposed to expose, and compare every scan against it, so that a new hole stands out instead of blending in with the services you already know about.
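The comparison described above, as an added example that is not from the book: a short Python script that parses nmap's grepable (-oG) output from an outside scan and reports every open port that is not on the allow-list for that host. The scan text is constructed sample data using TEST-NET addresses and hypothetical host names, and the allow-list is a hypothetical policy; in practice you would feed in the real -oG file written by a scan run from your unrelated network.

```python
"""Compare an external nmap scan against the exposure you intended.

Added example, not the book's code: parse nmap grepable (-oG) output taken
from an outside network and list open ports that the allow-list does not
permit.  SAMPLE_SCAN is constructed sample data (TEST-NET addresses,
hypothetical host names); ALLOWED is a hypothetical policy.
"""
import re

# Constructed sample of `nmap -sS -p- -oG - 192.0.2.0/29` run from outside.
# Fields in a -oG line are tab separated; each Ports entry is
# port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -sS -p- -oG - 192.0.2.0/29
Host: 192.0.2.2 (fw.example.com)\tStatus: Up
Host: 192.0.2.2 (fw.example.com)\tPorts: 22/open/tcp//ssh///\tIgnored State: filtered (65534)
Host: 192.0.2.3 (www.example.com)\tStatus: Up
Host: 192.0.2.3 (www.example.com)\tPorts: 25/filtered/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (65531)
Host: 192.0.2.4 (ftp.example.com)\tStatus: Up
Host: 192.0.2.4 (ftp.example.com)\tPorts: 21/open/tcp//ftp///, 111/open/tcp//rpcbind///, 2049/open/tcp//nfs///\tIgnored State: filtered (65532)
# Nmap done -- 8 IP addresses (3 hosts up) scanned
"""

# Hypothetical policy: what each host is *supposed* to expose to the Internet.
# A host that answers but is absent from this table has every open port flagged.
ALLOWED = {
    "192.0.2.2": {("tcp", 22)},
    "192.0.2.3": {("tcp", 80), ("tcp", 443)},
    "192.0.2.4": {("tcp", 21)},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")  # port/state/proto/... per -oG


def parse_grepable(text):
    """Return {ip: {(proto, port), ...}} for ports nmap reports as open.

    Entries in other states (closed, filtered) are ignored: only what an
    outsider can actually connect to matters here.
    """
    seen = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = HOST_RE.match(line).group(1)
        # Keep only the Ports field; the tab-separated "Ignored State"
        # field that follows contains numbers that would confuse PORT_RE.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                seen.setdefault(ip, set()).add((proto, int(port)))
    return seen


def unexpected_exposure(scan_text, allowed):
    """Open ports not permitted by the allow-list, keyed by host IP.

    A host missing from `allowed` is treated as allowed nothing, so every
    open port on it is reported.
    """
    findings = {}
    for ip, ports in parse_grepable(scan_text).items():
        extra = ports - allowed.get(ip, set())
        if extra:
            findings[ip] = sorted(extra)
    return findings


if __name__ == "__main__":
    for ip, ports in sorted(unexpected_exposure(SAMPLE_SCAN, ALLOWED).items()):
        for proto, port in ports:
            print(f"{ip}: {port}/{proto} reachable from outside but not allowed")
```

Run against the constructed data, the script flags the MySQL port on the web server and the portmapper and NFS ports on the FTP server, which is the kind of "thought to be blocked" exposure the text warns about. Substitute a real -oG file and your own allow-list, and run the scan itself only from the unrelated network, after warning whoever watches the firewall logs.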

Real World Linux Security, Prentice Hall PTR Open Source Technology Series, 2002.