Your network may expose vulnerabilities to attackers in many ways. A key area is information exposure. Many details about your organization that an attacker can gather can be used to assist in an attack. This includes technical data, such as what public services you offer, as well as nontechnical items, such as who your business partners are. The next area of importance is connectivity. Can attackers send information to, and receive information from, the systems within your network? This is dominated by the impact your firewalls (and filtering routers) have on connectivity into your network, but it can also be affected by the controls you have in place to allow workstations and notebook computers to connect to your internal network. The last major area that needs to be examined is whether the services your network relies on contain exploitable vulnerabilities.
To prepare you for performing your assessment, we present a roadmap for exploring each of these areas to ensure that you locate your exploitable vulnerabilities. Attackers often follow the same techniques when attempting to penetrate your defenses, which is why performing regular security assessments is a critical step in fortifying your network. An assessment consists of the following core phases:
Planning: Determine the scope of your assessment. Decide how you will conduct it. Develop written rules of engagement to control the assessment and, most important, gain proper written approval to perform it. Assemble your toolkit to perform the assessment.
Reconnaissance: Obtain technical and nontechnical information on the organization and known public hosts, such as mail, web, and DNS servers. This information may be used to focus cyber-attacks as well as reveal information useful for social engineering.
Network service discovery: Determine which hosts and network devices can be accessed from the outside. For each of these systems, determine what services are running on them.
Vulnerability discovery: Probe externally accessible systems and remote services to determine whether they expose known vulnerabilities to the outside. Analyze initial results to eliminate false positives.
Verification of perimeter devices: Evaluate firewall and router configurations to ensure that they are well configured. Verify that firewalls do not pass traffic that should be blocked. Verify that anti-discovery and anti-DoS controls are in place and work as expected. Test intrusion detection/prevention sensors to ensure that they detect, log, and alert on suspicious activity.
Remote access: Verify the security controls of known remote access systems, including remote access servers, wireless access points, and VPNs. Search for unauthorized (rogue) modems and wireless access points.
Exploitation (optional): Attempt to use exploitation techniques against the discovered vulnerabilities. Based on the goals of the test, this may be an iterative activity. Successful exploitation may lead to additional access on the network, which may open up opportunities for further exploitation.
Results analysis and documentation: Analyze the discovered vulnerabilities to determine their overall effect on the level of risk to the network's security. This is normally based on each vulnerability's impact on the affected system, the criticality of that system, the likelihood that the vulnerability will be exploited, and the effort required to remediate it. Produce an assessment report that lists the vulnerabilities prioritized by level of risk and provides recommended steps to resolve both the individual vulnerabilities and their root causes.
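As an added example (not from the chapter), here is a small Python model of the results analysis step: each finding is scored from the four factors named above, sorted by risk with remediation effort as the tie-breaker, and grouped by root cause so the report can recommend one systemic fix per cause. The three-point scale, the multiplicative score, and the sample findings are constructed assumptions for illustration, not a published standard.

```python
from dataclasses import dataclass

# Three-point ordinal scale for every factor (an assumption for this example;
# real assessments often map these from CVSS or an internal rating scheme).
SCALE = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    impact: str        # impact on the affected system
    criticality: str   # how critical that system is to the business
    likelihood: str    # how likely the vulnerability is to be exploited
    effort: str        # effort required to remediate
    root_cause: str    # systemic cause, so the report can fix it once

def risk_score(f: Finding) -> int:
    """Risk rises with impact, system criticality and likelihood (range 1..27)."""
    return SCALE[f.impact] * SCALE[f.criticality] * SCALE[f.likelihood]

def prioritize(findings):
    """Highest risk first; among equal risk, the cheaper fix first."""
    return sorted(findings, key=lambda f: (-risk_score(f), SCALE[f.effort], f.host))

def root_causes(findings):
    """Group findings by root cause; each group becomes one recommendation."""
    groups = {}
    for f in prioritize(findings):
        groups.setdefault(f.root_cause, []).append(f)
    return groups

# Constructed sample findings from a fictional external assessment.
SAMPLE = [
    Finding("www.example.com", "Directory listing enabled", "low", "high", "high", "low",
            "services deployed with vendor default configuration"),
    Finding("mail.example.com", "Unpatched SMTP server software", "high", "high", "medium", "low",
            "no patch management process"),
    Finding("vpn.example.com", "Legacy VPN cipher suite enabled", "high", "high", "low", "high",
            "no hardening baseline for remote access"),
    Finding("dns.example.com", "Unrestricted zone transfers", "medium", "medium", "high", "low",
            "services deployed with vendor default configuration"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):>2}  {f.host:<18} {f.title}")
    for cause, items in root_causes(SAMPLE).items():
        print(f"root cause: {cause} ({len(items)} finding(s))")
```

Note that the two findings with equal risk (score 9) are ordered by remediation effort, so the quick configuration fix is listed before the costlier VPN change.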
For the remainder of this chapter, we will provide detailed guidance on the tools and techniques necessary to perform each of these steps. Assessments should always start with careful planning, so that is where we will begin.