
Technical Guide to Information Security Testing and Assessment

This document was scanned with OCR; the content may be inaccurate.


DOCUMENT INFORMATION

Basic information

Title: Technical Guide to Information Security Testing and Assessment
Authors: Karen Scarfone, Murugiah Souppaya, Amanda Cody, Angela Orebaugh
Institution: National Institute of Standards and Technology
Subject: Information Security Testing and Assessment
Category: Sai gon university thesis
Year of publication: 2008
City: Gaithersburg
Format:
Pages: 80
Size: 6.34 MB


Contents


NIST Special Publication 800-115
National Institute of Standards and Technology
U.S. Department of Commerce

Technical Guide to Information Security Testing and Assessment

Recommendations of the National Institute of Standards and Technology

Karen Scarfone
Murugiah Souppaya
Amanda Cody
Angela Orebaugh


Special Publication 800-115
Technical Guide to Information Security Testing and Assessment

Recommendations of the National Institute of Standards and Technology

Karen Scarfone, Murugiah Souppaya, Amanda Cody, Angela Orebaugh

Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930

September 2008


Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology (IT). ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-115 (Natl. Inst. Stand. Technol. Spec. Publ. 800-115, 80 pages, Sep. 2008)


Acknowledgements

The authors, Karen Scarfone and Murugiah Souppaya of the National Institute of Standards and Technology (NIST) and Amanda Cody and Angela Orebaugh of Booz Allen Hamilton, wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content. The authors would like to acknowledge John Connor, Tim Grance, Blair Heiserman, Arnold Johnson, Richard Kissel, Ron Ross, Matt Scholl, and Pat Toth of NIST and Steve Allison, Derrick Dicoi, Daniel Owens, Victoria Thompson, Selena Tonti, Theodore Winograd, and Gregg Zepp of Booz Allen Hamilton for their keen and insightful assistance throughout the development of the document. The authors appreciate all the feedback provided during the public comment period, especially by Marshall Abrams, Karen Quigg, and others from MITRE Corporation; William Mills of SphereCom Enterprises; and representatives from the Financial Management Service (Department of the Treasury) and the Department of Health and Human Services.

Trademark Information

All names are registered trademarks or trademarks of their respective companies.


Table of Contents (partial)

2 Security Testing and Examination Overview
2.1 Information Security Assessment Methodology
2.2 Technical Assessment Techniques
2.3 Comparing Tests and Examinations
2.4 Testing Viewpoints
2.4.1 External and Internal
4.4 Wireless Scanning
4.4.1 Passive Wireless Scanning
4.4.4 Bluetooth Scanning
4.5 Summary
5 Target Vulnerability Validation Techniques
5.1 Password Cracking
5.2 Penetration Testing
5.2.1 Penetration Testing Phases
5.2.2 Penetration Testing Logistics
5.3 Social Engineering
5.4 Summary
6 Security Assessment Planning
6.1 Developing a Security Assessment Policy
6.2 Prioritizing and Scheduling Assessments
6.3 Selecting and Customizing Techniques
6.4 Assessment Logistics
6.4.1 Assessor Selection and Skills

List of Tables

Table 4-2. Baseline Skill Set for Target Identification and Analysis Techniques
Table 5-1. Target Vulnerability Validation Techniques
Table 5-2. Security Testing Knowledge, Skills, and Abilities

List of Figures

Figure 5-2. Attack Phase Steps with Loopback to Discovery Phase


Executive Summary

An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person—known as the assessment object) meets specific security objectives. Three types of assessment methods can be used to accomplish this—testing, examination, and interviewing. Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors. Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence. Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence. Assessment results are used to support the determination of security control effectiveness over time.

This document is a guide to the basic technical aspects of conducting information security assessments. It presents technical testing and examination methods and techniques that an organization might use as part of an assessment, and offers insights to assessors on their execution and the potential impact they may have on systems and networks. For an assessment to be successful and have a positive impact on the security posture of a system (and ultimately the entire organization), elements beyond the execution of testing and examination must support the technical process. Suggestions for these activities, including a robust planning process, root cause analysis, and tailored reporting, are also presented in this guide.

The processes and technical guidance presented in this document enable organizations to:

- Develop information security assessment policy, methodology, and individual roles and responsibilities related to the technical aspects of assessment
- Accurately plan for a technical information security assessment by providing guidance on determining which systems to assess and the approach for assessment, addressing logistical considerations, developing an assessment plan, and ensuring legal and policy considerations are addressed
- Safely and effectively execute a technical information security assessment using the presented methods and techniques, and respond to any incidents that may occur during the assessment
- Appropriately handle technical data (collection, storage, transmission, and destruction) throughout the assessment process
- Conduct analysis and reporting to translate technical findings into risk mitigation actions that will improve the organization's security posture.

The information presented in this publication is intended to be used for a variety of assessment purposes. For example, some assessments focus on verifying that a particular security control (or controls) meets requirements, while others are intended to identify, validate, and assess a system's exploitable security weaknesses. Assessments are also performed to increase an organization's ability to maintain a proactive computer network defense. Assessments are not meant to take the place of implementing security controls and maintaining system security.

To accomplish technical security assessments and ensure that technical security testing and examinations provide maximum value, NIST recommends that organizations:

- Establish an information security assessment policy. This identifies the organization's requirements for executing assessments, and provides accountability for the appropriate individuals to ensure assessments are conducted in accordance with these requirements. Topics that an assessment policy should address include the organizational requirements with which assessments must comply, roles and responsibilities, adherence to an established assessment methodology, assessment frequency, and documentation requirements.
- Implement a repeatable and documented assessment methodology. This provides consistency and structure to assessments, expedites the transition of new assessment staff, and addresses resource constraints associated with assessments. Using such a methodology enables organizations to maximize the value of assessments while minimizing possible risks introduced by certain technical assessment techniques. These risks can range from not gathering sufficient information on the organization's security posture for fear of impacting system functionality to affecting system or network availability by executing techniques without the proper safeguards in place. Processes that minimize risk caused by certain assessment techniques include using skilled assessors, developing comprehensive assessment plans, logging assessor activities, performing testing off-hours, and conducting tests on duplicates of production systems (e.g., development systems). Organizations need to determine the level of risk they are willing to accept for each assessment, and tailor their approaches accordingly.
- Determine the objectives of each security assessment, and tailor the approach accordingly. Security assessments have specific objectives, acceptable levels of risk, and available resources. Because no individual technique provides a comprehensive picture of an organization's security when executed alone, organizations should use a combination of techniques. This also helps organizations to limit risk and resource usage.
- Analyze findings, and develop risk mitigation techniques to address weaknesses. To ensure that security assessments provide their ultimate value, organizations should conduct root cause analysis upon completion of an assessment to enable the translation of findings into actionable mitigation techniques. These results may indicate that organizations should address not only technical weaknesses, but weaknesses in organizational processes and procedures as well.


1 Introduction

1.1 Authority

This document has been prepared for use by federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright, though attribution is desired.

Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority; nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.

1.2 Purpose and Scope

The purpose of this document is to provide guidelines for organizations on planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies. It provides practical recommendations for designing, implementing, and maintaining technical information relating to security testing and assessment processes and procedures, which can be used for several purposes—such as finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements. This guide is not intended to present a comprehensive information security testing or assessment program, but rather an overview of the key elements of technical security testing and assessment, with emphasis on specific techniques, their benefits and limitations, and recommendations for their use.

This document replaces NIST Special Publication 800-42, Guideline on Network Security Testing.

1.3 Audience

This guide is intended for use by computer security staff and program managers, system and network administrators, and other technical staff who are responsible for the technical aspects of preparing, operating, and securing systems and network infrastructures. Managers can also use the information presented to facilitate the technical decision-making processes associated with security testing and assessments. Material in this document is technically oriented, and assumes that readers have at least a basic understanding of system and network security.


1.4 Document Structure

- Section 2 presents an overview of information security assessments, including policies, roles and responsibilities, methodologies, and techniques.
- Section 3 provides a detailed description of several technical examination techniques, including documentation review, log review, network sniffing, and file integrity checking.
- Section 4 describes several techniques for identifying targets and analyzing them for potential vulnerabilities. Examples of these techniques include network discovery and vulnerability scanning.
- Section 5 explains techniques commonly used to validate the existence of vulnerabilities, such as password cracking and penetration testing.
- Section 6 presents an approach and process for planning a security assessment.
- Section 7 discusses factors that are key to the execution of security assessments, including coordination, the assessment itself, analysis, and data handling.
- Section 8 presents an approach for reporting assessment findings, and provides an overview of remediation activities.

This guide also contains the following appendices:

- Appendix A describes several live operating system (OS) CD distributions that allow the user to boot a computer from a CD containing a fully operational OS and testing tools.
- Appendix B provides a template for creating Rules of Engagement (ROE).
- Appendix C briefly discusses application security assessment.
- Appendix D contains recommendations for performing remote access testing.
- Appendix E offers a list of resources that may facilitate the security assessment process.
- Appendix F features a glossary of terms used throughout this document.
- Appendix G provides a list of acronyms and abbreviations.


2 Security Testing and Examination Overview

An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person—known as the assessment object) meets specific security objectives. Three types of assessment methods can be used to accomplish this—testing, examination, and interviewing. Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors. Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence. Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence. Assessment results are used to support the determination of security control effectiveness over time.

This publication addresses technical testing and examination techniques that can be used to identify, validate, and assess technical vulnerabilities and assist organizations in understanding and improving the security posture of their systems and networks. Security testing and examination is required by FISMA and other regulations. It is not meant to take the place of implementing security controls and maintaining system security, but to help organizations confirm that their systems are properly secured and identify any organization security requirements that are not met, as well as other security weaknesses that should be addressed.

This section provides an overview of information security assessment methodologies and technical testing and examination techniques.

2.1 Information Security Assessment Methodology

A repeatable and documented security assessment methodology is beneficial in that it can:

- Provide consistency and structure to security testing, which can minimize testing risks
- Expedite the transition of new assessment staff
- Address resource constraints associated with security assessments.

Because information security assessment requires resources such as time, staff, hardware, and software, resource availability is often a limiting factor in the type and frequency of security assessments. Evaluating the types of security tests and examinations the organization will execute, developing an appropriate methodology, identifying the resources required, and structuring the assessment process to support expected requirements can mitigate the resource challenge. This gives the organization the ability to reuse pre-established resources such as trained staff and standardized testing platforms; decreases the time required to conduct the assessment and the need to purchase testing equipment and software; and reduces overall assessment costs.

A phased information security assessment methodology offers a number of advantages. The structure is easy to follow, and provides natural breaking points for staff transition. A methodology should contain at a minimum the following phases:


- Planning. Critical to a successful security assessment, the planning phase is used to gather information needed for assessment execution—such as the assets to be assessed, the threats of interest against the assets, and the security controls to be used to mitigate those threats—and to develop the assessment approach. A security assessment should be treated as any other project, with a project management plan to address goals and objectives, scope, requirements, team roles and responsibilities, limitations, success factors, assumptions, resources, timeline, and deliverables. Section 6 of this guide covers planning.
- Execution. Primary goals for the execution phase are to identify vulnerabilities and validate them when appropriate. This phase should address activities associated with the intended assessment method and technique. Although specific activities for this phase differ by assessment type, upon completion of this phase assessors will have identified system, network, and organizational process vulnerabilities. This phase is discussed in more depth in Section 7.
- Post-Execution. The post-execution phase focuses on analyzing identified vulnerabilities to determine root causes, establish mitigation recommendations, and develop a final report. Section 8 of this guide addresses reporting and mitigation.

Several accepted methodologies exist for conducting different types of information security assessments. References to several of these methodologies are found in Appendix E. For example, NIST has created a methodology documented in Special Publication (SP) 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, which offers suggestions for assessing the effectiveness of the security controls outlined in NIST SP 800-53. Another widely used assessment methodology is the Open Source Security Testing Methodology Manual (OSSTMM). Because there are numerous reasons to conduct assessments, an organization may want to use multiple methodologies. This publication offers recommendations for technical testing and examination techniques that can be used for many assessment methodologies and leveraged for many assessment purposes.

2.2 Technical Assessment Techniques

Dozens of technical security testing and examination techniques exist that can be used to assess the security posture of systems and networks. The most commonly used techniques from the standpoint of this document will be discussed in more depth later in this guide, and are grouped into the following three categories:

- Review Techniques. These are examination techniques used to evaluate systems, applications, networks, policies, and procedures to discover vulnerabilities, and are generally conducted manually. They include documentation, log, ruleset, and system configuration review; network sniffing; and file integrity checking. Section 3 provides additional information on review techniques.
- Target Identification and Analysis Techniques. These testing techniques can identify systems, ports, services, and potential vulnerabilities, and may be performed manually but are generally performed using automated tools. They include network discovery, network port and service identification, vulnerability scanning, wireless scanning, and application security examination. Further discussion of these techniques is presented in Section 4.
- Target Vulnerability Validation Techniques. These testing techniques corroborate the existence of vulnerabilities, and may be performed manually or by using automated tools, depending on the specific technique used and the skill of the test team. Target vulnerability validation techniques include password cracking, penetration testing, social engineering, and application security testing. More information on these techniques is found in Section 5.

Since no one technique can provide a complete picture of the security of a system or network, organizations should combine appropriate techniques to ensure robust security assessments. For example, penetration testing usually relies on performing both network port/service identification and vulnerability scanning to identify hosts and services that may be targets for future penetration. Also, multiple technical ways exist to meet an assessment requirement, such as determining whether patches have been applied properly. This publication focuses on explaining how these different technical techniques can be performed, and does not specify which techniques should be used for which circumstances, providing organizations with the flexibility to choose the techniques that best meet their requirements.

In addition to the technical techniques described in this publication, there are many non-technical techniques that may be used in addition to or instead of the technical techniques. One example is physical security testing, which confirms the existence of physical security vulnerabilities by attempting to circumvent locks, badge readers, and other physical security controls, typically to gain unauthorized access to specific hosts. Another example of a non-technical technique is manual asset identification. An organization may choose to identify assets to be assessed through asset inventories, physical walkthroughs of facilities, and other non-technical means, instead of relying on technical techniques for asset identification. Details on non-technical techniques are outside the scope of this publication, but it is important to recognize the value of non-technical techniques and to consider when they may be more appropriate to use than their technical counterparts.

2.3 Comparing Tests and Examinations

Examinations primarily involve the review of documents such as policies, procedures, security plans, security requirements, standard operating procedures, architecture diagrams, engineering documentation, asset inventories, system configurations, rulesets, and system logs. They are conducted to determine whether a system is properly documented, and to gain insight on aspects of security that are only available through documentation. This documentation identifies the intended design, installation, configuration, operation, and maintenance of the systems and network, and its review and cross-referencing ensures conformance and consistency. For example, an environment's security requirements should drive documentation such as system security plans and standard operating procedures—so assessors should ensure that all plans, procedures, architectures, and configurations are compliant with stated security requirements and applicable policies. Another example is reviewing a firewall's ruleset to ensure its compliance with the organization's security policies regarding Internet usage, such as the use of instant messaging, peer-to-peer (P2P) file sharing, and other prohibited activities.


similarly trained individuals should undertake this work to ensure that settings are not inadvertently modified or disabled.

Testing involves hands-on work with systems and networks to identify security vulnerabilities, and can be executed across an entire enterprise or on selected systems. The use of scanning and penetration techniques can provide valuable information on potential vulnerabilities and predict the likelihood that an adversary or intruder will be able to exploit them. Testing also allows organizations to measure levels of compliance in areas such as patch management, password policy, and configuration management.

Although testing can provide a more accurate picture of an organization's security posture than what is gained through examinations, it is more intrusive and can impact systems or networks in the target environment. The level of potential impact depends on the specific types of testing techniques used, which can interact with the target systems and networks in various ways—such as sending normal network packets to determine open and closed ports, or sending specially crafted packets to test for vulnerabilities. Any time that a test or tester directly interacts with a system or network, the potential exists for unexpected system halts and other denial of service conditions. Organizations should determine their acceptable levels of intrusiveness when deciding which techniques to use. Excluding tests known to create denial of service conditions and other disruptions can help reduce these negative impacts.

While organizations tend to avoid using testing techniques that impact systems or networks, attackers are not bound by this constraint and use whatever techniques they feel necessary. As a result, testing is less likely than examinations to identify weaknesses related to security policy and configuration. In many cases, combining testing and examination techniques can provide a more accurate view of security.

2.4 Testing Viewpoints

Tests can be performed from a number of viewpoints—for example, how easily could an external attacker or malicious insider successfully attack a system? Section 2.4.1 of this guide compares testing performed from external and internal viewpoints. Section 2.4.2 discusses the aspect of testing related to the previous knowledge that assessors have of the target or target environment.

2.4.1 External and Internal

External security testing is conducted from outside the organization's security perimeter. This offers the ability to view the environment's security posture as it appears outside the security perimeter—usually as seen from the Internet—with the goal of revealing vulnerabilities that could be exploited by an external attacker.

External testing often begins with reconnaissance techniques that search public registration data, Domain Name System (DNS) server information, newsgroup postings, and other publicly available information to collect information (e.g., system names, Internet Protocol [IP] addresses, operating systems, technical points of contact) that may help the assessor to identify vulnerabilities. Next, enumeration begins by using network discovery and scanning techniques to determine external hosts and listening services. Since perimeter defenses such as firewalls, routers, and access control lists often limit the types of traffic allowed into the internal network, assessors often use techniques that evade these defenses—just as external attackers would. Depending on the protocols allowed through, initial attacks are generally focused on commonly used and allowed application protocols such as File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), and Post Office Protocol (POP). Servers that are externally accessible are tested for vulnerabilities that might allow access to internal servers and private information. External security testing also concentrates on discovering access method vulnerabilities, such as wireless access points, modems, and portals to internal servers.

For internal security testing, assessors work from the internal network and assume the identity of a trusted insider or an attacker who has penetrated the perimeter defenses. This kind of testing can reveal vulnerabilities that could be exploited, and demonstrates the potential damage this type of attacker could cause. Internal security testing also focuses on system-level security and configuration, including application and service configuration, authentication, access control, and system hardening.

Assessors who perform internal testing are often granted some level of access to the network, normally as general users, and are provided with information that users with similar privileges would have. This level of temporary access depends on the goals of the test, and can be up to and including the privileges of a system or network administrator. Working from whatever level of access they have been granted, assessors attempt to gain additional access to the network and systems through privilege escalation (i.e., increasing user-level privileges to administrator-level privileges, or increasing system administrator privileges to domain administrator privileges).

Internal testing is not as limited as external testing because it takes place behind perimeter defenses, even though there may be internal firewalls, routers, and switches in place that pose limitations. Examination techniques such as network sniffing may be used in addition to testing techniques.

If both internal and external testing are to be performed, the external testing usually takes place first. This is particularly beneficial if the same assessors will be performing both types of testing, as it keeps them from acquiring insider information on network architecture or system configuration that would not be available to an adversary—an advantage that would reduce the value of the test.

2.4.2 Overt and Covert

Overt security testing, also known as white hat testing, involves performing external and/or internal testing with the knowledge and consent of the organization's IT staff, enabling comprehensive evaluation of the network or system security posture. Because the IT staff is fully aware of and involved in the testing, it may be able to provide guidance to limit the testing's impact. Testing may also provide a training opportunity, with staff observing the activities and methods used by assessors to evaluate and potentially circumvent implemented security measures. This gives context to the security requirements implemented or maintained by the IT staff, and also may help teach IT staff how to conduct testing.

organization does not initiate response measures associated with the attack without first verifying that an attack is indeed underway (e.g., that the activity being detected does not originate from a test). In such situations, the trusted third party provides an agent for the assessors, the management, the IT staff, and the security staff that mediates activities and facilitates communications. This type of test is useful for testing technical security controls, IT staff response to perceived security incidents, and staff knowledge and implementation of the organization's security policy. Covert testing may be conducted with or without warning.


an adversarial perspective, and normally identifies and exploits the most rudimentary vulnerabilities to gain network access. If an organization's goal is to mimic a specific adversary, this type of testing requires special considerations—such as acquiring and modeling threat data. The resulting scenarios provide an overall strategic view of the potential methods of exploit, risk, and impact of an intrusion. Covert testing usually has defined boundaries, such as stopping testing when a certain level of access is achieved or a certain type of damage is achievable as a next step in testing. Having such boundaries prevents damage while still showing that the damage could occur.

Besides failing to identify many vulnerabilities, covert testing is often time-consuming and costly due to its stealth requirements. To operate in a stealth environment, a test team will have to slow its scans and other actions to stay "under the radar" of the target organization's security staff. When testing is done in-house, training must also be considered in terms of time and budget. In addition, an organization may have staff trained to perform regular activities such as scanning and vulnerability assessments, but not specialized techniques such as penetration or application security testing. Overt testing is less expensive, carries less risk than covert testing, and is more frequently used—but covert testing provides a better indication of the everyday security of the target organization because system


3 Review Techniques

Review techniques passively examine systems, applications, networks, policies, and procedures to discover security vulnerabilities. They also gather information to facilitate and optimize other assessment techniques. Because review techniques are passive, they pose minimal risk to systems and networks. This section covers several common review techniques—documentation, log, ruleset, and system configuration review; network sniffing; and file integrity checking.

3.1 Documentation Review

Documentation review determines if the technical aspects of policies and procedures are current and comprehensive. These documents provide the foundation for an organization's security posture, but are often overlooked during technical assessments. Security groups within the organization should provide assessors with appropriate documentation to ensure a comprehensive review. Documents to review for technical accuracy and completeness include security policies, architectures, and requirements; standard operating procedures; system security plans and authorization agreements; memoranda of understanding and agreement for system interconnections; and incident response plans.

Documentation review can discover gaps and weaknesses that could lead to missing or improperly implemented security controls. Assessors typically verify that the organization's documentation is compliant with standards and regulations such as FISMA, and look for policies that are deficient or outdated. Common documentation weaknesses include OS security procedures or protocols that are no longer used, and failure to include a new OS and its protocols. Documentation review does not ensure that security controls are implemented properly—only that the direction and guidance exist to support security infrastructure.

Results of documentation review can be used to fine-tune other testing and examination techniques. For example, if a password management policy has specific requirements for minimum password length and complexity, this information can be used to configure password-cracking tools for more efficient performance.

3.2 Log Review

Log review determines whether security controls are logging the proper information, and whether the organization is adhering to its log management policies. As a source of historical information, audit logs can be used to help validate that the system is operating in accordance with established policies. For example, if the logging policy states that all authentication attempts to critical servers must be logged, the log review will determine whether this information is being collected and shows the appropriate level of detail. Log review may also reveal problems such as misconfigured services and security controls, unauthorized accesses, and attempted intrusions. For example, if an intrusion detection system (IDS) sensor is placed behind a firewall, its logs can be used to examine communications that the firewall allows into the network. If the sensor registers activities that should be blocked, it indicates that the firewall is not configured securely.

Examples of log information that may be useful when conducting technical security assessments include:

- Authentication server or system logs may include successful and failed authentication attempts.
- System logs may include system and service startup and shutdown information, installation of unauthorized software, file accesses, security policy changes, account changes (e.g., account creation and deletion, account privilege assignment), and privilege use.
- Application logs may include unauthorized connection attempts, account changes, use of privileges, and application or database usage information.
- Antivirus logs may include update failures and other indications of outdated signatures and software.
- Security logs, in particular those of patch management and some IDS and intrusion prevention system (IPS) products, may record information on known vulnerable services and applications.

Manually reviewing logs can be extremely time-consuming and cumbersome. Automated audit tools are available that can significantly reduce review time and generate predefined and customized reports that summarize log contents and track them to a set of specific activities. Assessors can also use these automated tools to facilitate log analysis by converting logs in different formats to a single, standard format for analysis. In addition, if assessors are reviewing a specific action, such as the number of failed logon attempts in an organization, they can use these tools to filter logs based on the activity being checked.
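As an added illustration (not part of SP 800-115), the Python script below does what the paragraph describes: it converts two constructed log formats into one standard record shape, filters for repeated failed logons by source, and checks that every critical server is actually producing authentication records. The sshd-style syslog lines and the semicolon-delimited "APPSRV" format are constructed for this example.

```python
"""Log review helpers: normalize two log formats into one record shape, then
answer two questions from the text: which sources show repeated failed logons,
and which critical servers are not logging authentication attempts at all."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines (not real logs): OpenSSH-style syslog entries and a
# hypothetical semicolon-delimited application-server audit format.
SAMPLE_LOGS = """\
Mar 10 08:01:12 srv-db1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 08:01:15 srv-db1 sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 08:01:19 srv-db1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 10 08:02:03 srv-db1 sshd[2205]: Accepted publickey for alice from 192.0.2.10 port 40011 ssh2
APPSRV;2024-03-10T08:03:44;srv-app1;auth;FAILURE;user=bob;src=198.51.100.4
APPSRV;2024-03-10T08:03:50;srv-app1;auth;SUCCESS;user=bob;src=198.51.100.4
APPSRV;2024-03-10T08:04:01;srv-app1;auth;FAILURE;user=svc;src=203.0.113.7
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+)"
)


@dataclass(frozen=True)
class AuthEvent:
    """The single standard format every source is converted into."""
    timestamp: str
    host: str
    user: str
    src: str
    success: bool


def parse_line(line):
    """Convert one raw line into an AuthEvent, or None if it is not an auth record."""
    m = SSHD_RE.match(line)
    if m:
        return AuthEvent(m["ts"], m["host"], m["user"], m["src"], m["result"] == "Accepted")
    parts = line.split(";")
    if len(parts) == 7 and parts[0] == "APPSRV" and parts[3] == "auth":
        fields = dict(p.split("=", 1) for p in parts[5:])
        return AuthEvent(parts[1], parts[2], fields["user"], fields["src"], parts[4] == "SUCCESS")
    return None  # unrelated line types are ignored by this reviewer


def normalize(text):
    """All authentication events from a mixed-format log, in one record shape."""
    return [ev for ev in (parse_line(raw) for raw in text.splitlines()) if ev]


def failed_logons_by_source(events, threshold=3):
    """Sources with at least `threshold` failed attempts, counted across all hosts."""
    counts = Counter(ev.src for ev in events if not ev.success)
    return {src: n for src, n in counts.items() if n >= threshold}


def unlogged_critical_servers(events, critical_servers):
    """Policy check: critical servers that produced no authentication records."""
    seen = {ev.host for ev in events}
    return sorted(set(critical_servers) - seen)


if __name__ == "__main__":
    evs = normalize(SAMPLE_LOGS)
    print(failed_logons_by_source(evs))
    print(unlogged_critical_servers(evs, ["srv-db1", "srv-app1", "srv-web1"]))
```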

3.3 Ruleset Review

A ruleset is a collection of rules or signatures that network traffic or system activity is compared against to determine what action to take, for example forwarding or rejecting a packet, creating an alert, or allowing a system event. Review of these rulesets is done to ensure comprehensiveness and to identify gaps and weaknesses on security devices and throughout layered defenses, such as network vulnerabilities, policy violations, and unintended or vulnerable communication paths. A review can also uncover inefficiencies that negatively impact a ruleset's performance.

Rulesets to review include network- and host-based firewall and IDS/IPS rulesets, and router access control lists. The following list provides examples of the types of checks most commonly performed in ruleset reviews:

- For router access control lists
  - Each rule is still required (for example, rules that were added for temporary purposes are removed as soon as they are no longer needed)
  - Only traffic that is authorized per policy is permitted, and all other traffic is denied by default

- For firewall rulesets
  - Each rule is still required
  - Rules enforce least privilege access, such as specifying only required IP addresses and ports
  - More specific rules are triggered before general rules
  - There are no unnecessary open ports that could be closed to tighten the perimeter security
  - The ruleset does not allow traffic to bypass other security defenses
  - For host-based firewall rulesets, the rules do not indicate the presence of backdoors, spyware activity, or prohibited applications such as peer-to-peer file sharing programs

- For IDS/IPS rulesets
  - Unnecessary signatures have been disabled or removed to eliminate false positives and improve performance
  - Necessary signatures are enabled and have been fine-tuned and properly maintained.
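The firewall checks in the list above can be scripted against an exported ruleset. The example below is added here (it is not from the NIST guide) and runs those checks over a small constructed ruleset evaluated top to bottom with first-match semantics; the rule fields, the review date, and the approved-ports policy are assumptions made for the example.

```python
"""Ruleset review checks from Section 3.3 applied to a constructed firewall
ruleset: stale temporary rules, any/any rules, shadowed (never-matching) rules,
open ports outside policy, and a missing default deny."""
import ipaddress
from datetime import date

REVIEW_DATE = date(2024, 3, 10)  # assumed date of the review

# Constructed ruleset, not exported from any real device. First match wins.
RULESET = [
    {"id": 10, "action": "allow", "src": "any", "dst": "10.0.1.0/24", "proto": "tcp",
     "dport": "any", "expires": None, "comment": "vendor troubleshooting"},
    {"id": 20, "action": "allow", "src": "203.0.113.0/24", "dst": "10.0.1.10/32", "proto": "tcp",
     "dport": 443, "expires": None, "comment": "partner to web"},
    {"id": 30, "action": "allow", "src": "any", "dst": "10.0.2.25/32", "proto": "tcp",
     "dport": 23, "expires": date(2023, 1, 31), "comment": "temporary telnet for migration"},
    {"id": 40, "action": "allow", "src": "any", "dst": "10.0.2.0/24", "proto": "udp",
     "dport": 53, "expires": None, "comment": "dns"},
]
# Services the (assumed) policy permits to be exposed: (protocol, port).
APPROVED_PORTS = {("tcp", 443), ("udp", 53)}


def _field_covers(general, specific):
    """True if `general` (CIDR, port, protocol, or 'any') includes `specific`."""
    if general == "any":
        return True
    if specific == "any":
        return False
    if isinstance(general, str) and "/" in general:
        return ipaddress.ip_network(specific).subnet_of(ipaddress.ip_network(general))
    return general == specific


def covers(earlier, later):
    """An earlier rule covers a later one if it matches everything the later matches."""
    return all(_field_covers(earlier[f], later[f]) for f in ("src", "dst", "proto", "dport"))


def shadowed_rules(rules):
    """(later_id, earlier_id) pairs where the later rule can never be reached.
    This is the 'more specific rules before general rules' check."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later["id"], earlier["id"]))
                break
    return found


def expired_rules(rules, today):
    """Temporary rules whose expiry has passed: 'each rule is still required'."""
    return [r["id"] for r in rules if r["expires"] and r["expires"] < today]


def any_any_rules(rules):
    """Allow rules constraining neither source nor port: least privilege violated."""
    return [r["id"] for r in rules
            if r["action"] == "allow" and r["src"] == "any" and r["dport"] == "any"]


def unapproved_open_ports(rules, approved):
    """Ports opened by allow rules that the services policy does not authorize."""
    return sorted({(r["proto"], r["dport"]) for r in rules
                   if r["action"] == "allow" and r["dport"] != "any"
                   and (r["proto"], r["dport"]) not in approved})


def has_default_deny(rules):
    """The last rule should deny everything not explicitly permitted above it."""
    last = rules[-1]
    return last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"


if __name__ == "__main__":
    print("shadowed:", shadowed_rules(RULESET))
    print("expired:", expired_rules(RULESET, REVIEW_DATE))
    print("any/any:", any_any_rules(RULESET))
    print("unapproved ports:", unapproved_open_ports(RULESET, APPROVED_PORTS))
    print("default deny present:", has_default_deny(RULESET))
```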

3.4 System Configuration Review

System configuration review is the process of identifying weaknesses in security configuration controls, such as systems not being hardened or configured according to security policies. For example, this type of review will reveal unnecessary services and applications, improper user account and password settings, and improper logging and backup settings. Examples of security configuration files that may be reviewed are Windows security policy settings and Unix security configuration files such as those in

Assessors using manual review techniques rely on security configuration guides or checklists to verify that system settings are configured to minimize security risks.7 To perform a manual system configuration review, assessors access various security settings on the device being evaluated and compare them with recommended settings from the checklist. Settings that do not meet minimum security standards are flagged and reported.

The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation. NIST SCAP files are written for FISMA compliance and NIST SP 800-53A security control testing. Other tools can be used to retrieve and report security settings and provide remediation guidance. Automated tools are often executed directly on the device being assessed, but can also be executed on a system with network access to the device being assessed. While automated system configuration reviews are faster than manual methods, there may still be settings that must be checked manually. Both manual and automated methods require root or administrator privileges to view selected security settings.

Generally it is preferable to use automated checks instead of manual checks whenever feasible. Automated checks can be done very quickly and provide consistent, repeatable results. Having a person manually check hundreds or thousands of settings is tedious and error-prone.

7 NIST maintains a repository of security configuration checklists. Additional information on SCAP is available from NIST.
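To make the manual procedure concrete, here is an added example (not part of the NIST guide) that compares a constructed sshd_config against a minimum-settings checklist and reports every deviation. The checklist values are assumptions for the example, and the defaults it applies when a key is absent follow the OpenSSH documentation and should be confirmed against the version under review.

```python
"""Scripted version of a manual configuration review: parse a host's
sshd_config, evaluate each checklist item, and flag settings below the minimum.
A key that is missing from the file is judged by its documented default, which
is exactly the case a reviewer working by hand tends to miss."""

# Constructed configuration text, not taken from a real host.
SAMPLE_CONFIG = """\
# sshd_config for srv-app1 (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
Protocol 2
LogLevel INFO
"""

# Checklist: key -> (comparison, required value, default assumed when absent).
# Required values are this example's assumed minimum standard; the defaults are
# the OpenSSH documented defaults (confirm against the installed version).
CHECKLIST = {
    "PermitRootLogin":        ("in",  {"no", "prohibit-password"}, "prohibit-password"),
    "PasswordAuthentication": ("eq",  "no",                        "yes"),
    "MaxAuthTries":           ("max", 4,                           6),
    "X11Forwarding":          ("eq",  "no",                        "no"),
    "LogLevel":               ("in",  {"INFO", "VERBOSE"},         "INFO"),
    "ClientAliveInterval":    ("min", 1,                           0),
}


def parse_config(text):
    """Keys are case-insensitive and the first occurrence wins, as sshd applies them."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), value.strip())
    return settings


def _meets(op, required, actual):
    """Evaluate one checklist comparison against the observed (string) value."""
    if op == "eq":
        return actual.lower() == str(required).lower()
    if op == "in":
        return actual.lower() in {str(v).lower() for v in required}
    if op == "max":
        return int(actual) <= required
    if op == "min":
        return int(actual) >= required
    raise ValueError(f"unknown comparison {op!r}")


def review(text, checklist=CHECKLIST):
    """Return {key: (value_in_effect, required, judged_from_default)} for each failure."""
    settings = parse_config(text)
    findings = {}
    for key, (op, required, default) in checklist.items():
        present = key.lower() in settings
        actual = settings[key.lower()] if present else str(default)
        if not _meets(op, required, actual):
            findings[key] = (actual, required, not present)
    return findings


if __name__ == "__main__":
    for key, (actual, required, from_default) in review(SAMPLE_CONFIG).items():
        source = "default" if from_default else "file"
        print(f"FLAG {key}: in effect {actual!r} ({source}), required {required!r}")
```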

3.5 Network Sniffing

Network sniffing is a passive technique that monitors network communication, decodes protocols, and examines headers and payloads to flag information of interest. Besides being used as a review technique, network sniffing can also be used as a target identification and analysis technique (see Section 4.1). Reasons for using network sniffing include the following:

- Capturing and replaying network traffic
- Performing passive network discovery (e.g., identifying active devices on the network)
- Identifying operating systems, applications, services, and protocols, including unsecured (e.g., telnet) and unauthorized (e.g., peer-to-peer file sharing) protocols
- Identifying unauthorized and inappropriate activities, such as the unencrypted transmission of

Network sniffing has little impact on systems and networks, with the most noticeable impact being on bandwidth or computing power utilization. The sniffer, the tool used to conduct network sniffing, requires a means to connect to the network, such as a hub, tap, or switch with port spanning. Port spanning is the process of copying the traffic transmitted on all other ports to the port where the sniffer is installed. Organizations can deploy network sniffers in a number of locations within an environment. These commonly include the following:

- At the perimeter, to assess traffic entering and exiting the network
- Behind firewalls, to assess that rulesets are accurately filtering traffic
- Behind IDSs/IPSs, to determine whether signatures are triggering and being responded to appropriately
- In front of a critical system or application, to assess activity
- On a specific network segment, to validate encrypted protocols.

One limitation of network sniffing is the use of encryption. Many attackers take advantage of encryption to hide their activities: while assessors can see that communication is taking place, they are unable to view the contents. Another limitation is that a network sniffer is only able to sniff the traffic of the local segment where it is installed. This requires the assessor to move it from segment to segment, install multiple sniffers throughout the network, and/or use port spanning. Assessors may also find it challenging to locate an open physical network port for sniffing on each segment. In addition, network sniffing is a fairly labor-intensive activity that requires a high degree of human involvement to interpret network traffic.

3.6 File Integrity Checking

File integrity checkers provide a way to identify that system files have been changed by computing and storing a checksum for every guarded file, and establishing a file checksum database. Stored checksums are later recomputed to compare their current value with the stored value, which identifies file modifications. A file integrity checker capability is usually included with any commercial host-based IDS, and is also available as a standalone utility.

Although an integrity checker does not require a high degree of human interaction, it must be used carefully to ensure its effectiveness. File integrity checking is most effective when system files are compared with a reference database created using a system known to be secure; this helps ensure that the reference database was not built with compromised files. The reference database should be stored offline to prevent attackers from compromising the system and covering their tracks by modifying the database. In addition, because patches and other updates change files, the checksum database should be kept up-to-date.

For file integrity checking, strong cryptographic checksums such as Secure Hash Algorithm 1 (SHA-1) should be used to ensure the integrity of data stored in the checksum database. Federal agencies are required by Federal Information Processing Standard (FIPS) PUB 140-2, Security Requirements for Cryptographic Modules, to use SHA (e.g., SHA-1, SHA-256).
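An added example (not from the NIST guide) of the mechanism described above: build a SHA-256 baseline for a directory tree, store it as JSON as a stand-in for the offline reference database, and later diff a recomputed set of digests to report modified, added, and removed files. The directory contents and the tampering are constructed inside a temporary directory, so nothing on the real system is touched.

```python
"""File integrity checking: checksum baseline, offline-style storage, and a
later comparison that reports modified, added and removed files."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256", chunk=1 << 16):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Checksum every regular file under root, keyed by POSIX-style relative path."""
    root = Path(root)
    return {
        "algorithm": algorithm,
        "files": {p.relative_to(root).as_posix(): file_digest(p, algorithm)
                  for p in sorted(root.rglob("*")) if p.is_file()},
    }


def save_baseline(baseline, dest):
    """Write the reference database; in practice `dest` lives offline/read-only."""
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def compare(baseline, root):
    """Recompute digests under root and diff them against the stored baseline."""
    current = build_baseline(root, baseline["algorithm"])["files"]
    known = baseline["files"]
    return {
        "modified": sorted(p for p in known if p in current and current[p] != known[p]),
        "added": sorted(set(current) - set(known)),
        "removed": sorted(set(known) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a fake /etc tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        db = Path(tmp) / "baseline.json"          # stand-in for offline storage
        save_baseline(build_baseline(root), db)

        # Simulated changes after the baseline was taken: one edit, one new
        # file, one deletion. A patch cycle would look the same to the checker,
        # which is why the baseline must be rebuilt from a known-good state.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "ld.so.preload").write_text("/tmp/unexpected.so\n")
        (root / "passwd").unlink()
        return compare(load_baseline(db), root)


if __name__ == "__main__":
    print(demo())
```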

3.7 Summary

Table 3-1 summarizes the major capabilities of the review techniques discussed in this section.

Table 3-1. Review Techniques

Technique | Capabilities
Log Review | Provides historical information on system use, configuration, and modification; could reveal potential problems and policy deviations
System Configuration Review | Evaluates the strength of system configuration; validates that systems are configured in accordance with hardening policy
Network Sniffing | Monitors network traffic on the local segment to capture information such as active systems, operating systems, communication protocols, services, and applications; verifies encryption of communications
File Integrity Checking | Identifies changes to important files; can also identify certain forms of unwanted files

Risks are associated with each technique and their combinations. To ensure that they are executed safely and accurately, each assessor should have a certain baseline skill set. Table 3-2 provides guidelines for the minimum skill set needed for each technique presented in Section 3.

Table 3-2. Baseline Skill Set for Review Techniques

Technique | Baseline Skill Set
Documentation Review | General knowledge of security from a policy perspective
Log Review | Knowledge of log formats and ability to interpret and analyze log data; ability to use automated log analysis and log correlation tools
Ruleset Review | Knowledge of ruleset formats and structures; ability to correlate and analyze rules from a variety of devices
System Configuration Review | Knowledge of secure system configuration, including OS hardening and security policy configuration for a variety of operating systems; ability to use automated security configuration testing tools

4. Target Identification and Analysis Techniques

This section addresses technical target identification and analysis techniques, which focus on identifying active devices and their associated ports and services, and analyzing them for potential vulnerabilities. The assessor uses this information to continue to explore devices that will validate the existence of the vulnerabilities. Organizations often use non-technical techniques in addition to or instead of technical techniques to identify the assets to be analyzed. For example, organizations may have existing asset inventories or other lists of assets to be assessed; another example is assessors performing a walkthrough of a facility to identify assets that were not found by technical techniques, such as hosts that were shut off or disconnected from the network when the technical techniques were used.

4.1 Network Discovery

Network discovery uses a number of methods to discover active and responding hosts on a network, identify weaknesses, and learn how the network operates. Both passive (examination) and active (testing) techniques exist for discovering devices on a network. Passive techniques use a network sniffer to monitor network traffic and record the IP addresses of the active hosts, and can report which ports are in use and which operating systems have been discovered on the network. Passive discovery can also identify the relationships between hosts, including which hosts communicate with each other, how frequently their communication occurs, and the type of traffic that is taking place, and is usually performed from a host on the internal network where it can monitor host communications. This is done without sending out a single probing packet. Passive discovery takes more time to gather information than does active discovery, and hosts that do not send or receive traffic during the monitoring period might not be reported.

Active techniques send various types of network packets, such as Internet Control Message Protocol (ICMP) pings, to solicit responses from network hosts, generally through the use of an automated tool. One activity, known as OS fingerprinting, enables the assessor to determine the system's OS by sending it a mix of normal, abnormal, and illegal network traffic. Another activity involves sending packets to common port numbers to generate responses that indicate the ports are active. The tool analyzes the responses from these activities, and compares them with known traits of packets from specific operating systems and network services, enabling it to identify hosts, the operating systems they run, their ports, and the state of those ports. This information can be used for purposes that include gathering information on targets for penetration testing, generating topology maps, determining firewall and IDS configurations, and discovering vulnerabilities in systems and network configurations.

Network discovery tools have many ways to acquire information through scanning. Enterprise firewalls and intrusion detection systems can identify many instances of scans, particularly those that use the most suspicious packets (e.g., SYN/FIN scan, NULL scan). Assessors who plan on performing discovery through firewalls and intrusion detection systems should consider which types of scans are most likely to provide results without drawing the attention of security administrators, and how scans can be conducted in a more stealthy manner (such as more slowly or from a variety of source IP addresses) to improve their chances of success. Assessors should also be cautious when selecting types of scans to use against older systems, particularly those known to have weak security, because some scans can cause system failures. Typically, the closer the scan is to normal activity, the less likely it is to cause operational problems.

Network discovery may also detect unauthorized or rogue devices operating on a network. For example, an organization that uses only a few operating systems could quickly identify rogue devices that utilize different ones. Once a wired rogue device is identified, it can be located by using existing network maps and information already collected on the device's network activity to identify the switch to which it is connected. It may be necessary to generate additional network activity with the rogue device, such as pings, to find the correct switch. The next step is to identify the switch port on the switch associated with the rogue device, and to physically trace the cable connecting that switch port to the rogue device.

A number of tools exist for use in network discovery, and it should be noted that many active discovery tools can be used for passive network sniffing and port scanning as well. Most offer a graphical user interface (GUI), and some also offer a command-line interface. Command-line interfaces may take longer to learn than GUIs because of the number of commands and switches that specify what tests the tool should perform and which an assessor must learn to use the tool effectively. Also, developers have written a number of modules for open source tools that allow assessors to easily parse tool output. For example, combining a tool's Extensible Markup Language (XML) output capabilities, a little scripting, and a database creates a more powerful tool that can monitor the network for unauthorized services and machines. Learning what the many commands do and how to combine them is best achieved with the help of an experienced security engineer. Most experienced IT professionals, including system administrators and other network engineers, should be able to interpret results, but working with the discovery tools themselves is more efficiently handled by an engineer.

Some of the advantages of active discovery, as compared to passive discovery, are that an assessment can be completed from an external network and usually takes less time to gather information. In passive discovery, ensuring that all hosts are captured requires traffic to hit all points, which can be time consuming, especially in larger enterprise networks.

A disadvantage of active discovery is that it tends to generate network noise, which sometimes results in network latency. Since active discovery sends out queries to receive responses, this additional network activity could slow down traffic or cause packets to be dropped in poorly configured networks if performed at high volume. Active discovery can also trigger IDS alerts, since unlike passive discovery it reveals its origination point. The ability to successfully discover all network systems can be affected by environments with protected network segments and perimeter security devices and techniques. For example, an environment using network address translation (NAT), which allows organizations to have internal non-publicly routed IP addresses that are translated to a different set of public IP addresses for external traffic, may not be accurately discovered from points external to the perimeter or from protected segments. Personal and host-based firewalls on target devices may also block discovery traffic. Misinformation may be received as a result of trying to instigate activity from devices. Active discovery presents information from which conclusions must be drawn about settings on the target network.

For both passive and active discovery, the information received is seldom completely accurate. To illustrate, only hosts that are on and connected during active discovery will be identified; if systems or a segment of the network are offline during the assessment, there is potential for a large gap in discovering devices. Although passive discovery will only find devices that transmit or receive communications during the discovery period, products such as network management software can provide continuous discovery capabilities and automatically generate alerts when a new device is present on the network. Continuous discovery can scan IP address ranges for new addresses or monitor new IP address requests. Also, many discovery tools can be scheduled to run regularly, such as once every set number of days at a particular time. This provides more accurate results than running these tools sporadically.


42 Network Port and Service Identification

Network port and service identification involves using a port scanner to identify network ports and services operating on active hosts, such as FTP and HTTP, and the application that is running each identified service, such as Microsoft Internet Information Server (IIS) or Apache for the HTTP service. Organizations should conduct network port and service identification to identify hosts if this has not already been done by other means (e.g., network discovery), and to flag potentially vulnerable services. This information can be used to determine targets for penetration testing.

All basic scanners can identify active hosts and open ports, but some scanners are also able to provide additional information on the scanned hosts. Information gathered during an open port scan can assist in identifying the target operating system through a process called OS fingerprinting. For example, if a host has TCP ports 135, 139, and 445 open, it is probably a Windows host, or possibly a Unix host running Samba. Other items, such as the TCP packet sequence number generation and responses to packets, also provide a clue to identifying the OS. But OS fingerprinting is not foolproof. For example, firewalls block certain ports and types of traffic, and system administrators can configure their systems to respond in nonstandard ways to camouflage the true OS.

Some scanners can help identify the application running on a particular port through a process called service identification. Many scanners use a services file that lists common port numbers and typical associated services; for example, a scanner that identifies that TCP port 80 is open on a host may report that a web server is listening at that port, but additional steps are needed before this can be confirmed. Some scanners can initiate communications with an observed port and analyze its communications to determine what service is there, often by comparing the observed activity to a repository of information on common service implementations. These techniques may also be used to identify the service application and application version, such as which web server software is in use; this process is known as version scanning. A well-known form of version scanning, called banner grabbing, involves capturing banner information transmitted by the remote port when a connection is initiated. This information can include the application type, application version, and even OS type and version. Version scanning is not foolproof, because a security-conscious administrator can alter the transmitted banners or other characteristics in hopes of concealing the service's true nature. However, version scanning is far more accurate than simply relying on a scanner's services file.

Scanners vary in their support of the various scanning methods, with strengths and weaknesses that are normally explained in their documentation. For example, some scanners work best scanning through firewalls, while others are better suited for scans inside the firewall. Results will differ depending on the scanner used. Some scanners respond with a simple open or closed response for each port, while others offer additional detail (e.g., filtered or unfiltered) that can assist the assessor in determining what other types of scans would be helpful to gain additional information.

Network port and service identification often uses the IP address results of network discovery as the devices to scan. Port scans can also be run independently on entire blocks of IP addresses; here, port scanning performs network discovery by default through identifying the active hosts on the network. The result of network discovery and network port and service identification is a list of all active devices operating in the address space that responded to the port scanning tool, along with responding ports. Additional active devices could exist that did not respond to scanning, such as those that are shielded by firewalls or are turned off. Assessors can try to find these devices by scanning the devices themselves, placing the scanner on a segment that can access the devices, or attempting to evade the firewall through the use of alternate scan types (e.g., SYN/FIN or Xmas scans).

It is recommended that if both external and internal scanning are to be used and the assessors are intentionally performing the testing "blind," external scanning be performed first. Done in this order, logs can be reviewed and compared before and during internal testing. When performing external scanning, assessors may use any existing stealth techniques to get packets through firewalls while evading detection by IDS and IPS. Tools that use fragmentation, duplication, overlap, out-of-order, and timing techniques to alter packets so that they blend in and appear more like normal traffic are recommended. Internal testing tends to use less aggressive scanning methods because these scans are blocked less often than external scans. Using more aggressive scans internally significantly increases the chances of disrupting operations without necessarily improving scan results. Being able to scan a network with customized packets also works well for internal testing, because checking for specific vulnerabilities requires highly customized packets. Tools with packet building capability are helpful with this process. Once built, packets can be sent through a second scanning program that will collect the results. Because customized packets can trigger a denial of service (DoS) attack, this type of test should be conducted during periods of low network traffic, such as overnight or on the weekend.

Although port scanners identify active hosts, operating systems, ports, services, and applications, they do not identify vulnerabilities. Additional investigation is needed to confirm the presence of insecure protocols (e.g., Trivial File Transfer Protocol [TFTP], telnet), malware, rogue applications, and vulnerable services. To identify vulnerable services, the assessor compares identified version numbers of services with a list of known vulnerable versions, or performs some vulnerability scanning as discussed in Section 4.3. With port scanners, the scanning process is highly automated, but interpretation of the scanned data is not.
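As an added example (not from the guide), the script below performs the version-comparison step just described: it parses constructed service banners, extracts product and version, and matches them against a constructed list of vulnerable version ranges with placeholder advisory identifiers. A banner with no recognizable version is reported for manual verification rather than assumed safe, which is the caveat the text raises about altered banners.

```python
"""Version-based vulnerability identification over captured service banners.
The banners, the vulnerable-range list and the advisory labels are all
constructed for this example; none refer to real advisories."""
import re

# Constructed banners keyed by (host, port), as a service-identification tool
# might record them. The last one stands for a banner an admin has altered.
BANNERS = {
    ("10.0.1.10", 22): "SSH-2.0-OpenSSH_7.4",
    ("10.0.1.10", 80): "Server: Apache/2.4.49 (Unix)",
    ("10.0.1.20", 21): "220 ExampleFTP 3.1.2 ready",
    ("10.0.1.30", 80): "Server: webserver",
}

# Constructed list: product -> [(min_version_incl, max_version_incl, label)].
# Labels are placeholders, not CVE numbers.
KNOWN_VULNERABLE = {
    "openssh": [((7, 0, 0), (7, 6, 9), "ADVISORY-PLACEHOLDER-1")],
    "apache":  [((2, 4, 49), (2, 4, 50), "ADVISORY-PLACEHOLDER-2")],
}

# (regex, product) pairs; the first group captures a dotted version string.
BANNER_PATTERNS = [
    (re.compile(r"OpenSSH[_ ](\d+(?:\.\d+)*)"), "openssh"),
    (re.compile(r"Apache/(\d+(?:\.\d+)*)"), "apache"),
    (re.compile(r"ExampleFTP (\d+(?:\.\d+)*)"), "exampleftp"),
]


def parse_version(text):
    """'2.4.49' -> (2, 4, 49); tuples compare component-wise, unlike strings."""
    return tuple(int(x) for x in text.split("."))


def identify(banner):
    """Return (product, version_tuple) or (None, None) if nothing matches."""
    for pattern, product in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, parse_version(m.group(1))
    return None, None


def _pad(version, width=3):
    """Pad short versions with zeros so (7, 4) and (7, 4, 0) compare equal."""
    return tuple(version) + (0,) * (width - len(version))


def in_range(version, low, high):
    return _pad(low) <= _pad(version) <= _pad(high)


def check_host(banners, vuln_db=KNOWN_VULNERABLE):
    """Findings as (host, port, product, version, label) tuples.
    Unidentifiable banners are flagged, not ignored: an altered banner hides
    the version but says nothing about whether the service is vulnerable."""
    findings = []
    for (host, port), banner in banners.items():
        product, version = identify(banner)
        if product is None:
            findings.append((host, port, "unidentified", None, "verify manually"))
            continue
        for low, high, label in vuln_db.get(product, []):
            if in_range(version, low, high):
                findings.append((host, port, product, version, label))
    return findings


if __name__ == "__main__":
    for finding in check_host(BANNERS):
        print(finding)
```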

Although port scanning can disrupt network operations by consuming bandwidth and slowing network response times, it enables an organization to ensure that its hosts are configured to run only approved network services. Scanning software should be carefully selected to minimize disruptions to operations. Port scanning can also be conducted after hours to cause minimal impact on operations.

4.3 Vulnerability Scanning

Like network port and service identification, vulnerability scanning identifies hosts and host attributes (e.g., operating systems, applications, open ports), but it also attempts to identify vulnerabilities rather than relying on human interpretation of the scanning results. Many vulnerability scanners are equipped to accept results from network discovery and network port and service identification, which reduces the amount of work needed for vulnerability scanning. Also, some scanners can perform their own network discovery and network port and service identification. Vulnerability scanning can help identify outdated software versions, missing patches, and misconfigurations, and validate compliance with or deviations from an organization's security policy. This is done by identifying the operating systems and major software applications running on the hosts and matching them with information on known vulnerabilities stored in the scanners' vulnerability databases.

Vulnerability scanners can:

- Check compliance with host application usage and security policies
- Provide information on targets for penetration testing
- Provide information on how to mitigate discovered vulnerabilities.

Vulnerability scanners can be run against a host either locally or from the network. Some network-based scanners have administrator-level credentials on individual hosts and can extract vulnerability information from hosts using those credentials. Other network-based scanners do not have such credentials and rely on conducting scanning of networks to locate hosts and then scan those hosts for vulnerabilities. In such cases, network-based scanning is primarily used to perform network discovery and identify open ports and related vulnerabilities; in most cases, it is not limited by the OS of the targeted systems. Network-based scanning without host credentials can be performed both internally and externally, and although internal scanning usually uncovers more vulnerabilities than external scanning, testing from both viewpoints is important. External scanning must contend with perimeter security devices that block traffic, limiting assessors to scanning only the ports authorized to pass traffic.

Assessors performing external scanning may find challenges similar to those faced with network discovery, such as the use of NAT or personal and host-based firewalls. To overcome the challenges of NAT and conduct successful network-based scanning, assessors can ask the firewall administrator to enable port forwarding on specific IP addresses if this is supported by the firewall, or request network access behind the device performing NAT. Assessors can also request that personal or host-based firewalls be configured to permit all traffic from the assessment system IP addresses during the assessment period. These steps will give assessors increased insight into the network, but do not accurately reflect the capabilities of an external attacker, although they may offer a better indication of the capabilities available to a malicious insider or an external attacker with access to another host on the internal network.

Assessors can also perform scanning on individual hosts. For local vulnerability scanning, a scanner is installed on each host to be scanned. This is done primarily to identify host OS and application misconfigurations and vulnerabilities, both network-exploitable and locally exploitable. Local scanning is able to detect vulnerabilities with a higher level of detail than network-based scanning because local scanning usually requires both host (local) access and a root or administrative account. Some scanners also offer the capability of repairing local misconfigurations.

A vulnerability scanner is a relatively fast and easy way to quantify an organization's exposure to surface vulnerabilities. A surface vulnerability is a weakness that exists in isolation, independent from other vulnerabilities. The system's behaviors and outputs in response to attack patterns submitted by the scanner are compared against those that characterize the signatures of known vulnerabilities, and the tool reports any matches that are found. Besides signature-based scanning, some vulnerability scanners attempt to simulate the reconnaissance attack patterns used to probe for exposed, exploitable vulnerabilities, and report the vulnerabilities found when these techniques are successful.

One difficulty in identifying the risk level of vulnerabilities is that they rarely exist in isolation. For example, there could be several low-risk vulnerabilities that present a higher risk when combined. Scanners are unable to detect vulnerabilities that are revealed only as the result of potentially unending combinations of attack patterns. The tool may assign a low risk to each vulnerability, leaving the assessor falsely confident in the security measures in place. A more reliable way of identifying the risk of vulnerabilities in aggregate is through penetration testing, which is discussed in Section 5.2.

label an FTP server as a moderate risk because it transmits passwords in cleartext, but if the organization only uses the FTP server as an anonymous public server that does not use passwords, then the actual risk might be considerably lower. Assessors should determine the appropriate risk level for each vulnerability and not simply accept the risk levels assigned by vulnerability scanners.

Network-based vulnerability scanning has some significant weaknesses. As with network sniffing and discovery, this type of scanning uncovers vulnerabilities only for active systems. This generally covers surface vulnerabilities, and is unable to address the overall risk level of a scanned network. Although the process itself is highly automated, vulnerability scanners can have a high false positive error rate (reporting vulnerabilities when none exist). An individual with expertise in networking and OS security should interpret the results. And because network-based vulnerability scanning requires more information than port scanning to reliably identify the vulnerabilities on a host, it tends to generate significantly more network traffic than port scanning. This may have a negative impact on the hosts or network being scanned, or on network segments through which scanning traffic is traversing. Many vulnerability scanners also include network-based tests for DoS attacks that, in the hands of an inexperienced assessor, can have a marked negative impact on scanned hosts. Scanners often allow all DoS tests to be suppressed, reducing the risk of impacting hosts through testing.

Another significant limitation of vulnerability scanners is that, like virus scanners and IDSs, they rely on a repository of signatures. This requires the assessors to update these signatures frequently to enable the scanner to recognize the latest vulnerabilities. Before running any scanner, an assessor should install the latest updates to its vulnerability database. Some vulnerability scanner databases are updated more regularly than others; update frequency should be a major consideration when selecting a vulnerability scanner.

Most vulnerability scanners allow the assessor to perform different levels of scanning that vary in terms of thoroughness. While more comprehensive scanning may detect a greater number of vulnerabilities, it can slow the overall scanning process. Less comprehensive scanning can take less time, but identifies only well-known vulnerabilities. It is generally recommended that assessors conduct a thorough vulnerability scan if resources permit.

Vulnerability scanning is a somewhat labor-intensive activity that requires a high degree of human involvement to interpret results. It may also disrupt network operations by taking up bandwidth and slowing response times. Nevertheless, vulnerability scanning is extremely important in ensuring that vulnerabilities are mitigated before they are discovered and exploited by adversaries.

As with all pattern-matching and signature-based tools, application vulnerability scanners typically have high false positive rates. Assessors should configure and calibrate their scanners to minimize both false positives and false negatives to the greatest possible extent, and meaningfully interpret results to identify the real vulnerabilities. Scanners also suffer from the high false negative rates that characterize other signature-based tools, but vulnerabilities that go undetected by automated scanners can potentially be caught using multiple vulnerability scanners or additional forms of testing. A common practice is to use multiple scanners; this provides assessors with a way to compare results.

4.4 Wireless Scanning

Wireless technologies, in their simplest sense, enable one or more devices to communicate without the need for physical connections such as network or peripheral cables. They range from simple technologies like wireless keyboards and mice to complex cell phone networks and enterprise wireless local area networks (WLAN). As the number and availability of wireless-enabled devices continues to increase, it is important for organizations to actively test and secure their enterprise wireless environments. Wireless scans can help organizations determine corrective actions to mitigate risks posed by wireless technologies.

The following factors in the organization's environment should be taken into consideration when planning technical wireless security assessments:

■ The location of the facility being scanned, because the physical proximity of a building to a public area (e.g., streets and public common areas) or its location in a busy metropolitan area may increase the risk of wireless threats

■ The security level of the data to be transmitted using wireless technologies

■ How often wireless devices connect to and disconnect from the environment, and the typical traffic levels for wireless devices (e.g., occasional activity or fairly constant activity); this matters because only active wireless devices are discoverable during a wireless scan

■ Existing deployments of wireless intrusion detection and prevention systems (WIDPS), which may already collect most of the information that would be gathered by testing.

Wireless scanning should be conducted using a mobile device with wireless analyzer software installed and configured, such as a laptop, handheld device, or specialty device. The scanning software or tool should allow the operator to configure the device for specific scans and to scan in both passive and active modes. The scanning software should also be configurable by the operator to identify deviations from the organization's wireless security configuration requirements.

… range and tailor additional testing and examination accordingly.

Individuals with a strong understanding of wireless networking, especially IEEE 802.11a/b/g/n technologies, should operate wireless scanning tools. These operators should be trained on the functionality and capability of the scanning tools and software to better understand the captured information and be more apt to identify potential threats or malicious activity. Individuals with similar skills should be employed to analyze the data and results acquired from wireless scans. Scanning tool operators should be aware of other RF signals authorized for use within the area being scanned.

4.4.1 Passive Wireless Scanning

Passive scanning should be conducted regularly to supplement wireless security measures that are already in place, such as WIDPSs. Wireless scanning tools used to conduct completely passive scans transmit no data, nor do the tools in any way affect the operation of deployed wireless devices. By not transmitting data, a passive scanning tool remains undetected by malicious users and other devices. This reduces the likelihood of individuals avoiding detection by disconnecting or disabling unauthorized wireless devices.

Wireless scanning tools scan each IEEE 802.11a/b/g/n channel/frequency separately, often for only several hundred milliseconds at a time. The passive scanning tool may not receive all transmissions on a specific channel. For example, the tool may have been scanning channel 1 at the precise moment when a wireless device transmitted a packet on channel 5. This makes it important to set the dwell time of the tool to be long enough to capture packets, yet short enough to efficiently scan each channel. Dwell time configurations will depend on the device or tool used to conduct the wireless scans. In addition, security personnel conducting the scan should slowly move through the area being scanned to reduce the number of devices that go undetected. Rogue devices can be identified in several ways through passive scanning:

■ The MAC address of a discovered wireless device indicates the vendor of the device's wireless interface. If an organization only deploys wireless interfaces from vendors A and B, the presence of interfaces from any other vendor indicates potential rogue devices.

■ If an organization has accurate records of its deployed wireless devices, assessors can compare the MAC addresses of discovered devices with the MAC addresses of authorized devices. Most scanning tools allow assessors to enter a list of authorized devices. Because MAC addresses can be spoofed, assessors should not assume that the MAC addresses of discovered devices are accurate, but checking MAC addresses can identify rogue devices that do not use spoofing.

■ Rogue devices may use SSIDs that are not authorized by the organization.

■ Some rogue devices may use SSIDs that are authorized by the organization but do not adhere to its wireless security configuration requirements.

■ The signal strength of potential rogue devices should be reviewed to determine whether the devices are located within the confines of the facility or in the area being scanned. Devices operating outside the organization's confines might still pose significant risks because the organization's devices might inadvertently associate to them.
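The passive-scan indicators listed above, turned into a small triage script that runs over a scan export. This is an added example, not text or tooling from NIST SP 800-115: the scan records, the vendor OUI table, the authorized-device inventory, the SSID list, the encryption baseline and the signal threshold are all constructed placeholders, and the script generalizes the checks to any scan export carrying the same fields (MAC, SSID, encryption, signal).

```python
"""Triage of passive wireless scan results for candidate rogue devices.

Added example; not tooling from NIST SP 800-115. Every table below is a
constructed placeholder: OUI_VENDORS stands in for the IEEE OUI registry,
AUTHORIZED_MACS / AUTHORIZED_SSIDS for the organization's inventory.
"""
from dataclasses import dataclass, field

# Constructed vendor table keyed by the OUI (first three octets of the MAC).
OUI_VENDORS = {"00:11:22": "VendorA", "AA:BB:CC": "VendorB", "DE:AD:BE": "VendorZ"}

# Constructed inventory and baseline for the scanned site.
AUTHORIZED_MACS = {"00:11:22:33:44:55", "AA:BB:CC:00:00:01"}
AUTHORIZED_SSIDS = {"CorpWiFi", "CorpGuest"}
APPROVED_VENDORS = {"VendorA", "VendorB"}
REQUIRED_ENCRYPTION = {"WPA2", "WPA3"}


@dataclass
class ScanRecord:
    mac: str
    ssid: str
    encryption: str   # e.g. "WPA2", "WEP", "OPEN"
    signal_dbm: int   # received signal strength at the scanner


@dataclass
class Finding:
    mac: str
    reasons: list = field(default_factory=list)


def vendor_of(mac: str) -> str:
    """Map a MAC address to its vendor via the OUI table."""
    return OUI_VENDORS.get(mac.upper()[:8], "unknown")


def classify(records, inside_threshold_dbm: int = -70):
    """Return a Finding for every device that trips at least one indicator.

    Indicators follow the passive-scanning list in the text: unapproved
    vendor OUI, MAC missing from the authorized inventory, unauthorized SSID,
    and an authorized SSID that violates the encryption baseline. Signal
    strength is appended as a location hint only; a weak signal does not
    clear a device, it just means its location must be verified.
    """
    findings = []
    for rec in records:
        mac = rec.mac.upper()
        finding = Finding(mac)
        vendor = vendor_of(mac)
        if vendor not in APPROVED_VENDORS:
            finding.reasons.append(f"unapproved vendor OUI ({vendor})")
        if mac not in AUTHORIZED_MACS:
            # MACs can be spoofed: absence from inventory is a strong signal,
            # presence in it is not proof of legitimacy.
            finding.reasons.append("MAC not in authorized inventory")
        if rec.ssid not in AUTHORIZED_SSIDS:
            finding.reasons.append(f"unauthorized SSID {rec.ssid!r}")
        elif rec.encryption not in REQUIRED_ENCRYPTION:
            finding.reasons.append(f"authorized SSID with non-compliant encryption {rec.encryption}")
        if finding.reasons:
            if rec.signal_dbm >= inside_threshold_dbm:
                finding.reasons.append("strong signal: likely inside facility")
            else:
                finding.reasons.append("weak signal: may be outside facility, verify location")
            findings.append(finding)
    return findings


# Constructed scan export; comments state the intended classification.
SCAN = [
    ScanRecord("00:11:22:33:44:55", "CorpWiFi", "WPA2", -45),   # authorized AP
    ScanRecord("AA:BB:CC:00:00:01", "CorpGuest", "WPA2", -50),  # authorized AP
    ScanRecord("AA:BB:CC:00:00:09", "CorpWiFi", "OPEN", -48),   # approved vendor, but unknown MAC and open
    ScanRecord("DE:AD:BE:EF:00:01", "FreeWiFi", "WEP", -82),    # unknown vendor, weak signal
]

if __name__ == "__main__":
    for f in classify(SCAN):
        print(f.mac, "->", "; ".join(f.reasons))
```

The script deliberately reports the signal-strength hint alongside the other reasons rather than using it to filter devices out, matching the text's point that a device outside the facility can still be a risk if the organization's own clients associate to it.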

4.4.2 Active Wireless Scanning

Organizations should be cautious in conducting active scans to make sure they do not inadvertently scan devices owned or operated by neighboring organizations that are within range. It is important to evaluate the physical location of devices before actively scanning them. Organizations should also be cautious in conducting active scans of rogue devices that appear to be operating within the organization's facility. Such devices might belong to a visitor to the organization who inadvertently has wireless access enabled, or to a neighboring organization with a device that is close to, but not within, the organization's facility. Generally, organizations should focus on locating and addressing potential rogue devices rather than performing active scans of such devices.

Organizations may use active scanning when conducting penetration testing. Tools are available that employ scripted attacks and functions that attempt to circumvent implemented security measures and evaluate the security level of devices. For example, tools used to conduct wireless penetration testing attempt to connect to access points (AP) through various methods to circumvent security configurations. If a tool can gain access to the AP, it can obtain information and then identify the wired networks and wireless devices to which the AP is connected. Some active tools may also identify vulnerabilities present on the wireless client devices, or conduct wired network vulnerability scanning of the kind outlined in Section 4.

4.4.3 Wireless Device Location Tracking

Security personnel who operate the wireless scanning tool should attempt to locate suspicious devices. RF signals propagate in a manner relative to the environment, which makes it important for the operator to understand how wireless technology supports this process. Mapping capabilities are useful here, but the main factors needed to support this capability are a knowledgeable operator and an appropriate …

… shutting it down, reconfiguring it to comply with the organization's policies, or removing the device completely. If the device is to be removed, security personnel should evaluate the activity of the rogue device before it is confiscated. This can be done through monitoring transmissions and attempting to access the device.

If discovered wireless devices cannot be located during the scan, security personnel should attempt to use a WIDPS to support the location of discovered devices. This requires the WIDPS to locate a specific MAC address that was discovered during the scan. Properly deployed WIDPSs should have the ability to assist security personnel in locating these devices, and many use the readings of multiple WIDPS sensors to increase location estimation granularity. Because the WIDPS will only be able to locate a …

Organizations may want to perform scanning only in areas of their facilities that are accessible by the public, to see if attackers could gain access to devices via Bluetooth, or to perform scanning in a sampling of physical locations rather than throughout the entire facility. Because many Bluetooth-enabled devices (such as cell phones and personal digital assistants [PDA]) are mobile, conducting passive scanning several times over a period of time may be necessary. Organizations should also scan only Bluetooth infrastructure, such as access points, that they deploy. If rogue access points are discovered, the organization should handle them in accordance with established policies and processes.

A number of tools are available for actively testing the security and operation of Bluetooth devices. These tools attempt to connect to discovered devices and perform attacks to surreptitiously gain access and connectivity to Bluetooth-enabled devices. Assessors should be extremely cautious of performing active scanning because of the likelihood of inadvertently scanning personal Bluetooth devices, which are found in many environments. As a general rule, assessors should use active scanning only when they are certain that the devices being scanned belong to the organization. Active scanning can be used to evaluate the security mode in which a Bluetooth device is operating, and the strength of Bluetooth personal identification numbers (PIN). Active scanning can also be used to verify that these devices are set to the lowest possible operational power setting to minimize their range. As with IEEE 802.11a/b/g/n rogue devices, rogue Bluetooth devices should be dealt with in accordance with policies and guidelines.

[Summary table residue, partly unrecoverable: provides advice on evaluating discovered wireless devices; identifies potential rogue devices and other security violations.]

There are risks associated with each technique and combination of techniques. To ensure that all are executed safely and accurately, each assessor should have a certain baseline skill set. Table 4-2 provides guidelines for the minimum skill set needed for each technique presented in Section 4.

Table 4-2. Baseline Skill Set for Target Identification and Analysis Techniques

5. Target Vulnerability Validation Techniques

This section addresses target vulnerability validation techniques, which use information produced from target identification and analysis to further explore the existence of potential vulnerabilities. The objective is to prove that a vulnerability exists and to demonstrate the security exposures that occur when it is exploited. Target vulnerability validation involves the greatest amount of risk in assessments, since these techniques have more potential to impact the target system or network than other techniques. Target vulnerability validation techniques for application security testing are briefly discussed in Appendix …

5.1 Password Cracking

When a user enters a password, a hash of the entered password is generated and compared with a stored hash of the user's actual password. If the hashes match, the user is authenticated. Password cracking is the process of recovering passwords from password hashes stored in a computer system or transmitted over networks. It is usually performed during assessments to identify accounts with weak passwords. Password cracking is performed on hashes that are either intercepted by a network sniffer while being transmitted across a network, or retrieved from the target system, which generally requires administrative-level access on, or physical access to, the target system. Once these hashes are obtained, an automated password cracker rapidly generates additional hashes until a match is found or the assessor halts the cracking attempt.

One method of generating hashes is a dictionary attack, which uses all words in a dictionary or text file. There are numerous dictionaries available on the Internet that encompass major and minor languages, names, popular television shows, etc. Another cracking method is known as a hybrid attack, which builds on the dictionary method by adding numeric and symbolic characters to dictionary words. Depending on the password cracker being used, this type of attack can try a number of variations, such as using common substitutions of characters and numbers for letters (e.g., p@ssword and h4ckme). Some will also try adding characters and numbers to the beginning and end of dictionary words (e.g., password99, password$).

… enough time and processing power, although it could take many years and require serious computing power. Assessors and attackers often have multiple machines over which they can spread the task of cracking passwords, which greatly shortens the time involved.

Password cracking can also be performed with rainbow tables, which are lookup tables with pre-computed password hashes. For example, a rainbow table can be created that contains every possible password for a given character set up to a certain character length. Assessors may then search the table for the password hashes that they are trying to crack. Rainbow tables require large amounts of storage space and can take a long time to generate, but their primary shortcoming is that they may be ineffective against password hashing that uses salting. Salting is the inclusion of a random piece of information in the password hashing process that decreases the likelihood of identical passwords returning the same hash. Rainbow tables will not produce correct results without taking salting into account, but this dramatically increases the amount of storage space that the tables require. Many operating systems use salted password hashing mechanisms to reduce the effectiveness of rainbow tables and other forms of password cracking.

Password crackers can be run during an assessment to ensure policy compliance by verifying acceptable password composition. For example, if the organization has a password expiration policy, then password crackers can be run at intervals that coincide with the intended password lifetime. Password cracking that is performed offline produces little or no impact on the system or network, and the benefits of this operation include validating the organization's password policy and verifying policy compliance.
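A worked illustration of the salting point made above, added here and not part of the NIST text. It precomputes a lookup table for a constructed four-digit PIN keyspace, shows that the table instantly recovers an unsalted hash, and shows that the same table is useless against a salted hash of the same PIN, so that an attacker would need one table per possible salt value. Bare SHA-256 is used only to keep the demonstration short; real password stores use slow, salted key derivation functions. The keyspace, the sample PIN and all function names are assumptions.

```python
"""Why salting defeats precomputed hash tables.

Added example; not from NIST SP 800-115. The keyspace (four-digit PINs),
the sample PIN and the function names are constructed. Bare SHA-256 keeps
the demonstration short; real password stores use slow, salted key
derivation functions (bcrypt, scrypt, Argon2, PBKDF2), which also
multiply the attacker's work per guess.
"""
import hashlib
import itertools
import os
import string

ALPHABET = string.digits   # constructed toy keyspace
LENGTH = 4                 # 10**4 candidate passwords


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # The salt is stored beside the hash. It need not be secret, only
    # unpredictable and unique per account.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(salt: bytes = b"") -> dict:
    """Precompute digest -> password over the whole keyspace.

    A rainbow table stores chains rather than every pair to save space, but
    the coverage argument is identical: a table is valid for exactly one
    salt value, so salting forces one table per salt.
    """
    table = {}
    for chars in itertools.product(ALPHABET, repeat=LENGTH):
        pw = "".join(chars)
        table[salted_hash(pw, salt) if salt else unsalted_hash(pw)] = pw
    return table


def lookup(table: dict, digest: str):
    """Return the password for a digest, or None if the table has no entry."""
    return table.get(digest)


def tables_needed(salt_bits: int) -> int:
    """Distinct tables an attacker must precompute to cover every salt value."""
    return 2 ** salt_bits


def demo(pin: str = "4821"):
    """Look up the same PIN unsalted and salted against one unsalted table."""
    table = build_table()
    found_unsalted = lookup(table, unsalted_hash(pin))      # hit
    salt = os.urandom(16)
    found_salted = lookup(table, salted_hash(pin, salt))    # miss
    return found_unsalted, found_salted


if __name__ == "__main__":
    unsalted, salted = demo()
    print("unsalted lookup:", unsalted)
    print("salted lookup:", salted)
    print("tables needed for a 128-bit salt:", tables_needed(128))
```

The storage argument in the text follows directly from `tables_needed`: a 16-byte salt means 2^128 possible tables, each the size of the unsalted one, which is why salted hashes are generally attacked only by guessing per account rather than by precomputation.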

5.2 Penetration Testing

Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. It often involves launching real attacks on real systems and data that use tools and techniques commonly used by attackers. Most penetration tests involve looking for combinations of vulnerabilities on one or more systems that can be used to gain more access than could be achieved through a single vulnerability. Penetration testing can also be useful for determining:

■ How well the system tolerates real world-style attack patterns

■ The likely level of sophistication an attacker needs to successfully compromise the system

■ Additional countermeasures that could mitigate threats against the system

Penetration testing can be valuable, but it is labor-intensive and requires great expertise to minimize the risk to targeted systems. Systems may be damaged or otherwise rendered inoperable during the course of penetration testing, even though the organization benefits in knowing how a system could be rendered inoperable by an intruder. Although experienced penetration testers can mitigate this risk, it can never be fully eliminated. Penetration testing should be performed only after careful consideration, notification, and planning.

Penetration testing often includes non-technical methods of attack. For example, a penetration tester could breach physical security controls and procedures to connect to a network, steal equipment, capture sensitive information (possibly by installing keylogging devices), or disrupt communications. Caution should be exercised when performing physical security testing; security guards should be made aware of how to verify the validity of tester activity, such as via a point of contact or documentation. Another non-technical means of attack is the use of social engineering, such as posing as a help desk agent and calling to request a user's passwords, or calling the help desk posing as a user and asking for a password to be reset. Additional information on physical security testing, social engineering techniques, and other non-technical means of attack included in penetration testing lies outside the scope of this publication.

5.2.1 Penetration Testing Phases

Figure 5-1 represents the four phases of penetration testing. In the planning phase, rules are identified, management approval is finalized and documented, and testing goals are set. The planning phase sets the groundwork for a successful penetration test. No actual testing occurs in this phase.

Figure 5-1. Four-Stage Penetration Testing Methodology

The discovery phase of penetration testing includes two parts. The first part is the start of actual testing, and covers information gathering and scanning. Network port and service identification, described in Section 4.2, is conducted to identify potential targets. In addition to port and service identification, other techniques are used to gather information on the targeted network:

■ Host name and IP address information can be gathered through many methods, including DNS interrogation, InterNIC (WHOIS) queries, and network sniffing (generally only during internal tests)

■ Employee names and contact information can be obtained by searching the organization's Web servers or directory servers

■ System information, such as names and shares, can be found through methods such as NetBIOS enumeration (generally only during internal tests) and Network Information System (NIS) (generally only during internal tests)

■ Application and service information, such as version numbers.

In some cases, techniques such as dumpster diving and physical walkthroughs of facilities may be used to collect additional information on the targeted network, and may also uncover additional information to be used during the penetration tests, such as passwords written on paper.

The second part of the discovery phase is vulnerability analysis, which involves comparing the services, applications, and operating systems of scanned hosts against vulnerability databases (a process that is automatic for vulnerability scanners) and the testers' own knowledge of vulnerabilities. Human testers can use their own databases, or public databases such as the National Vulnerability Database (NVD), to identify vulnerabilities manually. Appendix E has more information on these publicly available vulnerability databases. Manual processes can identify new or obscure vulnerabilities that automated scanners may miss, but are much slower than an automated scanner.

… maximum level of potential access to an attacker. They may instead result in the testers learning more about the targeted network and its potential vulnerabilities, or induce a change in the state of the targeted network's security. Some exploits enable testers to escalate their privileges on the system or network to gain access to additional resources. If this occurs, additional analysis and testing are required to determine the true level of risk for the network, such as identifying the types of information that can be gleaned, changed, or removed from the system. In the event an attack on a specific vulnerability proves impossible, the tester should attempt to exploit another discovered vulnerability. If testers are able to exploit a vulnerability, they can install more tools on the target system or network to aid the testing process. These tools are used to gain access to additional systems or resources on the network, and obtain access to information about the network or organization. Testing and analysis on multiple systems should be conducted during a penetration test to determine the level of access an adversary could gain. This process is represented in the feedback loop in Figure 5-1 between the attack and discovery phase of a penetration test.

[Figure residue: attack phase steps with loopback to the discovery phase; panels Discovery, Gaining Access, Escalating Privileges, System Browsing.]

■ Misconfigurations. Misconfigured security settings, particularly insecure default settings, are usually easily exploitable.

■ Kernel Flaws. Kernel code is the core of an OS, and enforces the overall security model for the system, so any security flaw in the kernel puts the entire system in danger.

■ Buffer Overflows. A buffer overflow occurs when programs do not adequately check input for appropriate length. When this occurs, arbitrary code can be introduced into the system and executed with the privileges, often at the administrative level, of the running program.

■ Insufficient Input Validation. Many applications fail to fully validate the input they receive from users. An example is a Web application that embeds a value from a user in a database query. If the user enters SQL commands instead of or in addition to the requested value, and the Web application does not filter the SQL commands, the query may be run with malicious changes that the user requested, causing what is known as a SQL injection attack.

■ Symbolic Links. A symbolic link (symlink) is a file that points to another file. Operating systems include programs that can change the permissions granted to a file. If these programs run with privileged permissions, a user could strategically create symlinks to trick these programs into modifying or listing critical system files.
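The SQL injection case from the Insufficient Input Validation bullet above, shown as an added example (not from NIST SP 800-115) with the vulnerable lookup beside its parameterized fix, so the defect and the control can be compared on the same input. The in-memory SQLite database, its rows and the test input string are constructed.

```python
"""Insufficient input validation: SQL injection, vulnerable and hardened.

Added example; not from NIST SP 800-115. Uses an in-memory SQLite database
with constructed rows; table name, user names and the test input are
placeholders.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn, name: str) -> list:
    """Embeds the user-supplied value in the query text.

    Any SQL syntax in the input becomes part of the statement, which is the
    defect the text describes.
    """
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, name: str) -> list:
    """Parameterized query: the value is bound as data.

    The driver sends the statement and the value separately, so the input
    can never change the statement's structure, whatever it contains.
    """
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Constructed input that makes the WHERE clause always true if spliced in.
MALICIOUS = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, MALICIOUS))   # every row
    print("hardened:  ", lookup_hardened(conn, MALICIOUS))     # no rows
```

Filtering or escaping the input, which the bullet mentions as the missing step, is weaker than binding: it depends on anticipating every syntax the database accepts, whereas a bound parameter is never parsed as SQL at all.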

… management. At the conclusion of the test, a report is generally developed to describe identified vulnerabilities, present a risk rating, and give guidance on how to mitigate the discovered weaknesses. Section 8 discusses post-testing activities in more detail.

5.2.2 Penetration Testing Logistics

Penetration test scenarios should focus on locating and targeting exploitable defects in the design and implementation of an application, system, or network. Tests should reproduce both the most likely and most damaging attack patterns, including worst-case scenarios such as malicious actions by administrators. Since a penetration test scenario can be designed to simulate an inside attack, an outside attack, or both, external and internal security testing methods are considered. If both internal and external testing is to be performed, the external testing usually occurs first.

Outside scenarios simulate the outsider attacker who has little or no specific knowledge of the target and who works entirely from assumptions. To simulate an external attack, testers are provided with no real information about the target environment other than targeted IP addresses or address ranges, and perform open source research by collecting information on the targets from public Web pages, newsgroups, and similar sites. Port scanners and vulnerability scanners are then used to identify target hosts. Since the testers' traffic usually goes through a firewall, the amount of information obtained from scanning is far less than if the test were undertaken from an insider perspective. After identifying hosts on the network that can be reached from outside, testers attempt to compromise one of the hosts. If successful, this access may then be used to compromise other hosts that are not generally accessible from outside the network. Penetration testing is an iterative process that leverages minimal access to gain greater access.

Insider scenarios simulate the actions of a malicious insider. An internal penetration test is similar to an external test, except that the testers are granted some level of access to the network or specific network systems. Using this access, the testers are on the internal network (behind the firewall) and have bypassed perimeter defenses. Penetration testers try to gain a greater level of access to the network and its systems through privilege escalation. Testers are provided with network information that someone with their level of access would normally have, generally a standard employee, although depending on the goals of the test it could instead be the information that a system or network administrator might possess.

… against production systems and data. Because of its high cost and potential impact, penetration testing of an organization's network and systems on an annual basis may be sufficient. Also, penetration testing can be designed to stop when the tester reaches a point when an additional action will cause damage. The results of penetration testing should be taken seriously, and any vulnerabilities discovered should be mitigated. Results, when available, should be presented to the organization's managers. Organizations should consider conducting less labor-intensive testing activities on a regular basis to ensure that they are maintaining the required security posture. A well-designed program of regularly scheduled network and vulnerability scanning, interspersed with periodic penetration testing, can help prevent many types of attacks and reduce the potential impact of successful ones.

… numbers, Social Security numbers, user IDs, and passwords. Phishing uses authentic-looking e-mails to request information or direct users to bogus Web sites to collect information. Other examples of digital social engineering include crafting fraudulent e-mails and sending attachments that could mimic worm …

… organization, or may be used to target individuals. Testers should produce a detailed final report that identifies both successful and unsuccessful tactics used. This level of detail will help organizations to tailor their security awareness training programs.
