When contracted to perform a network security evaluation or penetration
test, one of the most important stages is the pre-evaluation phase.
During this phase, you develop contacts and gather information about the
company. It's important to determine the scope of your efforts with your
customer and sign an engagement agreement. In your contract, you square
away all legal issues concerning a security evaluation.
The scope defines the customer's mission, industry regulations in
effect, and most importantly their expectations. Some companies may
want you to run vulnerability scanners, review security policies, or do
actual red team activities. It's important to communicate up front what
is expected. The scope also identifies customer constraints and
concerns. Politics or other concerns may prevent you from performing a
thorough evaluation, and/or limit you only to a certain set of systems.
I've encountered situations where the site being evaluated was well
secured, but a remote site was neglected and thus opened up a
vulnerability.
To avoid impact to the customer during peak operation times, you need to
reach an agreement on when the technical scanning and testing will be
conducted. Often this is during non-working hours, i.e., 8PM to 6AM. Let
the customer know what you plan to use to evaluate their security. This
can include commercial and open source tools, custom
scripts, etc. In addition, some customers may have had negative
experiences with certain evaluation tools and will not want them run on
their network. Document these concerns and include them in your report.
One last thing: never assume anything! You wouldn't want to arrive at a
customer site only to discover it's an IPX network and you only brought
tools that work on TCP/IP.
Posted by Marcin on Tuesday, January 30, 2007 in Security.
Literally right after RSA, SCALE is happening February 10th and 11th. I
plan on making the drive out with several other friends from school.
The presentations I'm looking forward to:
- New & Improved: How a More Modern IT Security Model Can Better Protect Enterprise Data on Linux Systems
- Proving End-to-End Security in a Linux Environment
- Web Applications: What is your backup/recovery plan?
- Open Source Network Management Best Practices
- How to monitor your infrastructure with Open Source software
- Admin++, what root never told you
Posted by Marcin on Tuesday, January 30, 2007 in News, Security and Tech.
Guy Kawasaki has a very interesting blog and today posted "The top 10
stupid ways to hinder market adoption."
- Supporting only Windows Internet Explorer.
What Guy fails to mention is having a website that's always available
to its users. Supporting only IE makes websites unavailable to the many
users who use other browsers. It's part of the CIA triangle,
Confidentiality - Integrity - Availability. Availability is key to
creating a successful (online) business, and every minute a site is
unavailable or responding slowly is lost business. For a company
that's trying to create a market, sending out press releases with links
to its products, only to have readers arrive at a dead link or downed
website... good bye.
While I'm on the topic of availability, Michael Farnum expresses some
frustration with a security research company and Microsoft about a
vulnerability that affects the stability of Internet Explorer. Though
it's not a critical vulnerability, having malformed code crash your
browser is not amusing.
Posted by Marcin on Monday, January 29, 2007 in Security and Tech.
I am not 100% positive, and this may be mere coincidence, but I have a
feeling my sister has fallen victim to the TJX security breach reported
last week. Fraudulent transactions originating in France (of all places)
began January 10th, comprising four withdrawals: $3.90, $1.30, $.04, and
$.01. Finally, $120 was debited and my sister caught on and took action.
One of the reasons I like online banking is because it allows me to
review my statement (to-date) whenever I need to. I do not have to wait
until the end of the month to receive the statement, and had my sister
checked her statement online routinely, the last charge may never have
happened. I hope no sensitive personal information was exposed besides
the bank account numbers.
Posted by Marcin on Friday, January 26, 2007 in News, Privacy and Security.
Part of any monitoring and intrusion detection strategy should include
file integrity checking and regularly auditing programs capable of
privilege escalation. These programs are often replaced or modified by
intruders, creating processes or performing functions other than those
they were originally designed for. In Linux, these programs are
identified via a SUID or SGID bit in the permission set. An example of a
program with the SUID bit set is:
1004904 24 -rwsr-xr-x 1 root root 23588 Oct 19 15:52 /usr/bin/chsh
Notice the s in the owner's execute position (-rwsr-xr-x), which
identifies this program as one capable of acquiring root privileges. A
program with the SGID bit would have the group execute permission set to
s as well, i.e. -rwsr-sr-x.
To locate all the SUID programs on your system: in a terminal, enter the
following command:
# find / -type f -perm -04000 -ls
For SGID programs, run the following command:
# find / -type f -perm -02000 -ls
I like to redirect the output of these commands into files and then
calculate an md5sum of each file. I store this md5 hash in another
location, and I can run the same commands a month, 3 months, even 6
months from now and quickly check the list of programs for changes.
# find / -type f -perm -04000 -ls > suid.txt
# find / -type f -perm -02000 -ls > sgid.txt
# md5sum suid.txt
bc8m092ciuhmds09238yfhkd8q3halc2 suid.txt
# md5sum sgid.txt
bc12e97ea5c11d206382a30f4cb9487c sgid.txt
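The same baseline-and-compare idea as a small script, added here as an example and not part of the original post. It goes a step further than hashing the list: each setuid/setgid binary is hashed individually, so the report names which program was added, removed or replaced instead of only saying that the list changed. It assumes Linux with GNU find, awk and sha256sum (used in place of the post's md5sum); the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot the setuid/setgid programs
# under a directory tree and report drift against a stored baseline.
# Assumes GNU find/awk/sha256sum; store the baseline file off-host, as the post suggests.

# Emit one tab-separated line per SUID/SGID regular file under $1:
#   <mode>  <owner:group>  <sha256>  <path>, sorted by path.
# Hashing each binary catches a replaced program even when its name and size stay equal.
snapshot_setid() {
  find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null | LC_ALL=C sort |
  while IFS= read -r f; do
    set -- $(ls -ld "$f")                    # $1=mode $3=owner $4=group
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    printf '%s\t%s:%s\t%s\t%s\n' "$1" "$3" "$4" "$sum" "$f"
  done
}

# Compare a baseline ($1) against a fresh snapshot ($2). Prints ADDED/REMOVED/CHANGED
# lines sorted for a stable report; returns 0 when nothing drifted, 1 otherwise.
compare_setid() {
  report=$(awk -F'\t' '
    FNR == NR && FILENAME == ARGV[1] { base[$4] = $1 FS $2 FS $3; next }   # baseline rows
    { cur[$4] = $1 FS $2 FS $3 }                                           # snapshot rows
    END {
      for (p in cur)  if (!(p in base))           { print "ADDED\t" p;   drift = 1 }
      for (p in base) if (!(p in cur))            { print "REMOVED\t" p; drift = 1 }
                      else if (base[p] != cur[p]) { print "CHANGED\t" p; drift = 1 }
      exit drift ? 1 : 0
    }' "$1" "$2")
  status=$?
  [ -n "$report" ] && printf '%s\n' "$report" | LC_ALL=C sort
  return $status
}

# Usage:  sh setid_audit.sh baseline /  > setid.baseline      (keep the file elsewhere)
#         sh setid_audit.sh check /  setid.baseline
case "${1:-}" in
  baseline) snapshot_setid "$2" ;;
  check)    tmp=$(mktemp); snapshot_setid "$2" > "$tmp"
            compare_setid "$3" "$tmp"; rc=$?; rm -f "$tmp"; exit $rc ;;
esac
```

A CHANGED line covers a mode, ownership or content change; a binary whose setuid bit was merely dropped shows up as REMOVED, which is still worth a look.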
Posted by Marcin on Friday, January 26, 2007 in Security.