Tony Castillo, CCIE, CISA, CISSP - PowerPoint PPT Presentation

1
External Network Security Testing
  • Tony Castillo, CCIE, CISA, CISSP
  • 9/25/07

2
Biography
  • Anthony P. Castillo, CCIE, CISA, CISSP
  • Currently holds the position of Founder, CEO and
    Chief Scientist of USDN Network Security, an
    exploit creation and network defense laboratory
    with clients ranging from national defense to
    large financial institutions. Clients include
    Cisco Systems, Bell Laboratories, Lucent
    Technologies, Ascend Communications, Sonicwall,
    Oracle, Honda Motor Company, JDS Uniphase,
    Sprint, Xerox, GE Capital, and Paramount Studios.
  • He has over eighteen years of professional
    experience in application vulnerability research,
    carrier class infrastructure engineering, and
    network penetration testing.

3
Current Projects
  • Member of the think tank for the Institute for
    Defense Analyses. The IDA provides scientific,
    technical, and analytical support using advanced
    technologies for defense systems. This work
    involves primarily assisting the Department of
    Defense in developing technology strategies,
    plans, and standards.
  • Tony is on the team which is currently revising
    the Department of Defense Directive O-8530.1,
    titled "Support to Computer Network Defense
    (CND)".
  • Currently sits on the board of the FBI's national
    InfraGard program as the Lead Technical Advisor.

4
Syllabus
  • Myths of External Security Testing
  • Method of External Security Testing
  • Additional Testing Things To Consider
  • Questions & Answers

5
Myths of External Security Testing - Commercial
Tools
  • Myth: Running a commercial vulnerability scanner
    is external security testing.
  • Reality: The purpose of the test is to simulate a
    real-world attack on the systems. Few real
    hackers use store-bought tools to hack with.
  • Reality: Given that the goal of hacking is to
    enumerate and in some cases penetrate the network
    without getting caught, commercial tools that
    light up an IDS like a Christmas tree are highly
    inappropriate.

6
Myths of External Security Testing - Internal
Staff Testing
  • Myth: We already test our network using our
    internal staff.
  • Reality: Unless the internal staff spends all day
    researching the latest vulnerabilities in
    operating systems and applications, they are not
    equipped with the proper skill sets and knowledge
    base required.

7
Myths of External Security Testing - Scope of
Testing
  • Myth: We are only using 8 of our 192 IP addresses
    so we only want to include those in the testing.
  • Reality: 22% of the time, systems are discovered
    and tested that the organization did not even
    know were attached to the network and externally
    visible to the Internet. (USDN 2006 figures /
    sample pool of 719 tests)

8
Method of External Security Testing
  • Network Mapping
  • External Vulnerability Assessment
  • External Penetration Testing
  • Report Analysis

9
Method of External Security Testing - Network
Mapping
  • Network mapping is conducted to:
  • Check for unauthorized hosts connected to the
    organization's network
  • Identify vulnerable services
  • Identify deviations from the allowed services
    defined in the organization's security policy
  • Create a detailed map of what servers and
    services can be seen by anyone on the Internet
  • Prepare for detailed vulnerability assessment

10
Method of External Security Testing - Network
Mapping (cont.)
  • The result of the network map is a comprehensive
    list of all active hosts and services operating
    in the tested address space.
  • Network scans first identify active hosts in the
    tested address range. Once active hosts have been
    identified, they are scanned for open ports that
    will then identify the network services operating
    on that host.
  • The information gathered during this open port
    scan will often identify the target operating
    system. This process is called operating system
    fingerprinting.
  • Network mapping will assist in identifying the
    application running on a particular port.
    Identifying which application product is
    installed can be critical for detecting
    vulnerabilities. A technique called 'Banner
    Grabbing' is often used to help identify
    applications.
  • Banner information is generally not visible to
    the end user (at least in the case of web servers
    and browsers); however, it is transmitted and can
    provide a wealth of information, including the
    application type, application version and even
    operating system type and version.
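
An added example, not part of the original presentation: it takes the output of a network map (hosts, open ports, captured banners) and turns it into the findings described on these slides, namely unknown hosts, deviations from the allowed-services policy, and banners that disclose version or operating system details. The addresses (RFC 5737 documentation range), banner strings, and the names `parse_banner` and `review` are constructed for illustration.

```python
import re

# Constructed sample data (RFC 5737 documentation addresses), not real scan output.
INVENTORY = {"192.0.2.10", "192.0.2.11"}   # hosts the organization believes it runs
ALLOWED = {("192.0.2.10", 80), ("192.0.2.11", 25)}  # services the policy permits
SCAN = [  # (host, open port, banner captured during network mapping)
    ("192.0.2.10", 80, "Server: Apache/2.2.3 (CentOS)"),
    ("192.0.2.10", 22, "SSH-2.0-OpenSSH_4.3"),
    ("192.0.2.11", 25, "220 mail.example.com ESMTP Postfix"),
    ("192.0.2.57", 21, "220 ProFTPD 1.3.0 Server (ftp) [192.0.2.57]"),
]

# One pattern per banner family: HTTP Server header, SSH identification, 220 greeting.
BANNER_PATTERNS = [
    re.compile(r"^Server:\s*(?P<product>[^/\s]+)(?:/(?P<version>[\w.]+))?"
               r"(?:\s+\((?P<os>[^)]+)\))?"),
    re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)_(?P<version>[\w.]+)"),
    re.compile(r"^220[ -](?:\S+\s+ESMTP\s+)?(?P<product>[A-Za-z]+)"
               r"(?:\s+(?P<version>\d[\w.]*))?"),
]

def parse_banner(banner):
    """Return the product, version and OS hint a banner reveals (None if absent)."""
    for pattern in BANNER_PATTERNS:
        match = pattern.match(banner)
        if match:
            fields = match.groupdict()
            return {k: fields.get(k) for k in ("product", "version", "os")}
    return {"product": None, "version": None, "os": None}

def review(scan, inventory, allowed):
    """Turn mapping results into findings: unknown hosts, policy deviations, leaks."""
    findings = []
    for host, port, banner in scan:
        info = parse_banner(banner)
        if host not in inventory:
            findings.append((host, port, "host not in inventory"))
        elif (host, port) not in allowed:
            findings.append((host, port, "service not allowed by policy"))
        if info["version"] or info["os"]:
            leaked = " ".join(v for v in info.values() if v)
            findings.append((host, port, "banner discloses: " + leaked))
    return findings

if __name__ == "__main__":
    for finding in review(SCAN, INVENTORY, ALLOWED):
        print(finding)
```

The host at 192.0.2.57 is the case from the scope-of-testing slide: a system that is externally visible but absent from the organization's own inventory.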

11
Method of External Security Testing - External
Vulnerability Assessment
  • This step identifies not only hosts and open
    ports, but also any other associated external
    vulnerabilities. The report should provide
    solutions and recommendations for eliminating
    discovered vulnerabilities.
  • The assessment attempts to identify
    vulnerabilities in the hosts selected for
    testing. The assessment will identify out-of-date
    software versions, applicable patches or system
    upgrades, and validate compliance with, or
    deviations from the organization's security
    policy. To accomplish this, the assessment
    identifies operating systems and major software
    applications running on hosts and matches them
    with known and sometimes proprietary
    vulnerabilities.
  • Ask the company performing the security
    assessment if they rely solely on automated
    scanning tools or if they have a creative staff
    employed to take a personal view of your Internet
    footprint.
  • People are much more efficient at detecting
    security holes than scanners, especially in
    web-based applications.

12
Method of External Security Testing - External
Vulnerability Assessment (cont.)
  • Identifying active hosts on a network with active
    services (ports) on hosts
  • Identifying application and banner grabbing
  • Identifying operating systems
  • Identifying vulnerabilities associated with
    discovered operating systems and applications
  • Testing compliance with host application
    usage/security policies
  • Establishing a foundation for actual penetration
    testing
  • SOX, SAS 70 and PCI compliance testing usually
    stops here

13
Method of External Security Testing - External
Penetration Testing
  • Penetration testing is security testing in which
    the tester attempts to circumvent your network
    security from the Internet and gain network access.
  • This testing is highly recommended for complex or
    critical systems.
  • After identifying hosts on the network that can
    be reached from the outside, an attempt then is
    made to compromise the host. If successful, then
    this host is leveraged to attempt to compromise
    other hosts not generally accessible from
    outside. This is why penetration testing is an
    exploitive process that leverages minimal access
    to eventually gain access.

14
Method of External Security Testing - External
Penetration Testing - Goals
  • Gain external privileged access into an
    organization's digital infrastructure
  • Obtain internal data residing on the protected
    internal network
  • Upload files to demonstrate privileged level
    access to an internal system
  • View information externally whose purpose is
    intended specifically for personnel within the
    network

15
Method of External Security Testing - Report
Analysis
  • Upon completion of the work, a report will be
    created which presents the findings and includes
    issues found, architectural recommendations,
    vulnerability eliminations, and security
    improvement processes.

16
Method of External Security Testing - Report
Analysis
  • An external security test report is used for the
    following reasons:
  • A description of the effectiveness (or lack
    thereof) of your security controls
  • To have a reference point for corrective action
  • To define mitigation activities to address
    identified vulnerabilities
  • To have a benchmark for tracing an organization's
    security progress
  • To assess the implementation status of system
    security requirements
  • To conduct a cost/benefit analysis of security
    spending
  • To ensure availability, confidentiality and
    integrity of data
  • To have the trust and confidence to transact
    business

17
Additional Testing Things To Consider - Wireless
Testing
  • Even with a secure traditional perimeter,
    wireless networking should be tested if used
    within an organization
  • Types of authentication techniques in use
  • Strength of encryption used

18
Additional Testing Things To Consider - Wireless
Testing

19
Additional Testing Things To Consider - Passwords
& Authentication
  • User login credentials are oftentimes still the
    easiest route into a network.
  • 42% of all logins used contain a password found
    in the English language dictionary. (USDN 2006
    figures / sample pool of all user credential
    testing)

20
A Quick Note On Encryption
  • "All the important data on my network is encrypted
    by my VPN so I have nothing to worry about."
  • "Using encryption on the Internet is the
    equivalent of arranging an armored car to deliver
    credit card information from someone living in a
    cardboard box to someone living on a park
    bench." - Gene Spafford, Ph.D., Professor of
    Computer Sciences, Purdue University

21
Questions & Answers

22
Thank you
  • Tony Castillo, CCIE, CISA, CISSP
  • Las Vegas, Orange County, Chicago, Atlanta
  • Corporate Address: 3 Sunset Way, Suite C,
    Henderson, Nevada 89014
  • http://www.usdn.net
  • info_at_usdn.net
  • (877) GET-USDN