Day 1: ITSM Vulnerability Assessment techniques
Lesson 1: These techniques come in two parts: 1) information assurance strategies, and 2) software assurance tools. My feeling is that vulnerability assessments are typically done less strategically/operationally in IT environments (relying too much on tools and point-and-click scanners), while not being hands-on enough in IT dev shops (or it's unknown where to start).
Part 1: Information assurance vulnerability assessment -- Network segmentation, Physical
This is a bottom-up strategic approach using the OSI model. Start with Layer-1 and move up to the application layer. Physical security is extremely important. Host all computers at a data center and utilize thin clients locally, if possible.
How about the network? Keep network ports off by default and check/verify structured cabling. The largest problem here is rogue APs and other WiFi-related security problems. WEP is the worst of these, but WPA-Personal can also present problems with weak passphrases. This time last year, TJX had a data breach that started with an attack on WEP.
However, RF is all around and available in many devices. Not only will rogue APs present a physical-layer network segmentation problem, but clients will as well. Clients are devices such as PDAs, PDA phones, and anything else with both a radio and software. Other technologies such as copper wire, lasers, and infrared can also carry network traffic across segmented networks via the physical layer.
Scanning for all of these devices is not easy. Even using Kismet and BTScan, or advanced tools such as Wi-Spy, it can be impossible to perform such scanning at all times. There aren't enough good vulnerability assessment tools that brute-force passwords along with scanning, and this activity takes even more time. When was the last time you made sure that BTScan was checking for unsafe OBEX passwords?
Recommendation: Vendors (secure AP vendors especially) should provide APs that present false AP information for WiFi, Bluetooth, IrDA, and possibly other common RF technologies. They should present a captive portal stating that connecting to this AP is against corporate policy, and that the user is being monitored while administration has been contacted. Integration with SIEM is ideal to back up these claims.
If your WiFi vendor's solution could also scan employee devices, this should detect rogue clients (e.g. BlackBerrys, iPhones, Windows Mobile devices). Again, integration with SIEM technology is an ideal way of notifying of a possible breach. Checking to see if packets can loop between network types is a great way of detecting rogue APs and clients, but be careful how it's implemented. All network traffic can be locally queued and/or blocked.
When a vendor can't provide a solution, you may want to roll-your-own. I suggest Soekris boards, CM9 miniPCI cards, and Pyramid Linux.
I'll talk more about the software side of assessing radios on Day 2. If you'd like more information, please check out the books "Blackjacking" by Daniel Hoffman and the infamous "Wi-Foo" and "Hacking Exposed: Cisco Networks" by the Arhont team.
Part 2: Software assurance vulnerability assessment -- Browsers and extensions
Best browser tools
bookmarklets, Firefox's Tools->Page Info (with View Cookies), Nikhil's Web Development Helper, Cooxie, Web Developer, FireBug, Microsoft Script Debugger, DOM Inspector, InspectThis, Cert Viewer Plus, HOOK, FlashTracer, XPath Checker, XPather, View Source Chart, viewformattedsource, UrlParams, IE Developer Toolbar, HttpWatch Basic, TamperIE, Tamper Data, Modify Headers, LiveHttpHeaders, Header Monitor, PrefBar, Technika, Fiddler, FireBug Lite, JS Commander, VBScript, Applescript, about:config
Bookmarklets are the best browser tools because they are cross-browser, cross-OS, and multi-attack-functional. I use them in IE7, Firefox 2, and Opera 9.
I listed most of the other tools in a rough order of importance. Feel free to explore them in this order. Some are Firefox only, and some are IE only. Some are external browser tools but had to be listed regardless (e.g. Fiddler, FireBug Lite, and JS Commander). I've listed VBScript and AppleScript because they can be used to control the browser. In my past blog posts on Why crawling doesn't matter, I talked about similar ways of "driving the browser" and called these "browser-drivers".
I am not going to spend any time in the near future on the internals of bookmarklets or browser add-ons, although I may touch on some of these other tools more when it comes to specific attacks. The point of this is to introduce you to tools which you may not have used or heard of. I would really like to leave you with further information on bookmarklets, so here are a few links to RSnake's, Awardspace, and Squarefree. Some of my favorites are: Find Redirects, Show JS Vars, generated source, view cookies, netcraft, Alexa, http headers, and Edit Cookies. I have taken the code from Ajax Security in order to compose a "HOOK-lite" for JavaScript function monitoring.
var ret = "";
// walk every enumerable property of window and collect the names of those that are functions
for (var i in window) {
  if (typeof window[i] == 'function') { ret += i + " | "; }
}
alert(ret);
You can paste the above into Technika and click "Run". Technika requires Firebug and Firefox.
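The snippet above only lists the functions hanging off window. As an added example (not the post's code, nor the HOOK tool's), the following goes one step further and does the actual monitoring: it wraps each function so every call is logged with its name, arguments and result, and can be undone afterwards. The `window` stand-in, the `filter` parameter and all names are the example's own; in Firefox/Technika you would pass `window` itself.

```javascript
// Added example, not the post's code: a "HOOK-lite" that monitors calls rather
// than just listing functions. Every enumerable function on `target` passing
// `filter` is replaced by a wrapper that logs name, args and result, then defers
// to the original. The filter matters in a real browser, where blindly hooking
// every window function can break the page.
function hookFunctions(target, log, filter = () => true) {
  const hooked = [];
  for (const name in target) {
    let original;
    try { original = target[name]; } catch (e) { continue; } // host props may throw
    if (typeof original !== 'function' || !filter(name)) continue;
    const wrapper = function (...args) {
      const result = original.apply(this, args);
      log.push({ name, args, result }); // recorded after the call so result is known
      return result;
    };
    wrapper.__original = original; // kept so the hook can be removed later
    try { target[name] = wrapper; hooked.push(name); } catch (e) { /* read-only */ }
  }
  return hooked;
}
// Put back every function that hookFunctions replaced.
function unhookFunctions(target, hooked) {
  for (const name of hooked) {
    const fn = target[name];
    if (fn && fn.__original) target[name] = fn.__original;
  }
}

// Constructed stand-in for `window` so the example runs outside a browser;
// in Firefox/Technika you would pass `window` and a filter instead.
function samplePage() {
  return {
    title: 'constructed page',          // not a function, skipped
    greet: (who) => 'hello ' + who,
    add: (a, b) => a + b,
    secret: () => 'hidden',             // excluded by the filter below
  };
}
function demo() {
  const page = samplePage();
  const log = [];
  const hooked = hookFunctions(page, log, (name) => name !== 'secret');
  page.greet('tester');
  page.add(2, 3);
  page.secret();                        // not hooked, so not logged
  unhookFunctions(page, hooked);
  const restored = page.add(1, 1) === 2 && page.add.__original === undefined;
  return { hooked, log, restored };
}
```

Replacing `log.push` with `alert` or Firebug's `console.log` turns this into a pasteable bookmarklet of the same kind as the one above.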