Professional Documents
Culture Documents
Business Objectives:
To ensure the test is valuable to the overall security program, in addition to being financially
effective, the demands of the business must be understood.
Questions to be Considered
● What is the objective of the test?
● Why are you considering permitting someone to hack your network?
● What do you expect to learn?
● Are you prepared for the results?
● Do you have the capabilities to address the identified issues?
● Have you considered the risk of the test and feel that you can identify a success or failure?
● Is security even part of your business?
● Is it ingrained in your actions and does it play a role in your organization’s success?
SECURITY POLICY:
● A security policy is one of the most important components of a successful
information security program.
● Security policies defines a desired posture that the organization strives to
achieve and maintain.
● Policies set the bar for the organization’s security, and information security
management and operations personnel are tasked with driving the
organization to that mark.
● A security policy is the foundation on which all security operations are built.
● Without a security policy to define the expectations of the security controls it
is effectively impossible to establish a well-fortified security program.
● A security policy will state the acceptable uses and procedures in maintaining the desired
security level. These attributes will help in the planning of the test, shape the tasks to be
performed, and assist in evaluating success factors.
● An old or outdated security policy will greatly affect the value of the test.Should keep
those updated
● Security policies come in many forms, from simple documents to policy applications that
work within the environment.
● Policies are created to describe, detail, and communicate the expected security practices
as well as the processes that are to be followed to protect, defend, and recover from attacks.
● Act as a reference for any new updations.
● While framing the security policy, content organization is a key factor of the degree to
which the information is integrated and used.
STANDARD:
● A standard is the actual definition of the technical nature of the requirement communicated
by the policy statement.
● Standards provide specific details that explain or quantify the policy statement with which
they are associated.
● Standards should be detailed and clear in communicating the requirements of the policy
statement by quantifying the necessary attributes of the policy. However,
● The standard should not include procedures or step-by-step processes on how to implement
the policy.
● The goal is to define the final structure associated with the statement.
○ Eg: Passwords must be at least eight characters in length.
○ Each password must contain alphabetic, numeric, and special characters
GUIDELINES
● A guideline is a collection of supporting activities to help associate everyday activities
with the support of the policy statement.
● Guidelines provide general suggestions or recommendations that further clarify the
policy with general details or suggestions for their implementation.
● Guidelines should provide associated technologies and guidance in various conditions.
● The processes for carrying out the policy should not be addressed within the guidelines.
● Users should avoid using personal information that can be easily guessed, such as a name
or critical number as a password.
● Users should seek combinations of words that are easy to remember yet difficult to guess.
4
● Users should avoid the use of passwords that are commonly found in dictionaries.
Users should avoid writing the password down.
PROCEDURE:
● A procedure defines the tasks required to meet the requirements set forth in the policy.
● Procedures are step-by-step instructions detailing how a particular task is to be performed.
● These are executed to implement and enforce policy statements, or to measure the
organization’s compliance with a particular statement for later auditing purposes.
● Procedures should be very clear on performance of necessary tasks and should avoid any
information outside the scope of simply providing the steps to complete and enforce.
● PROCEDURE examples
Enforce password policy on NT Domains.
• Log on to domain controller as Administrator.
• Run the User Manager application.
• Select “Accounts…” from the Policies menu.
• Configure the system’s password policy to mirror the organization’s password policy.
• Click “OK” and close the User Manager application.
BUSINESS CHALLENGES:
● Companies might have to face loss of productivity, financial and legal liabilities, loss of
network availability, and corruption or theft of data. Furthermore, it may damage the
company brand name and reputation and incur loss of confidence by stakeholders.
● Meeting financial and business objectives.
5
SECURITY DRIVERS:
The major drivers fueling the need for security include:
● Increasing network complexity
● Ensuring corporate value
● Lower management investment
● Business consolidation
● Mobile workforce
● Government regulations and standards
● Business systems are more integrated and exchange information over complex networks
such as the Internet.
Business Consolidation:
● Because of the information exchange requirements and the consolidation of dissimilar
network infrastructures, applications, and data, there is an increase in the opportunity for
security-related issues.
● Vulnerabilities associated with integrating systems with other entities and the exposure
should be monitored
● Commitment to protecting information for all parties involved
Having an ethical hack performed before or just after a merger is complete can be very valuable
for the combined organizations.
Mobile Workforce:
● Remote workforce needs access to corporate resources to accomplish tasks once provided
only to on-site employees.
● In planning a penetration test, the scale of remote users and their access to assets must be
evaluated, although testing a mobile workforce is filled with challenges.
● Typically, evaluating the security of remote access systems is realized by performing a
security assessment to find vulnerabilities rather than attempting to exploit them.
Exploiting remote system vulnerabilities is possible, however, much more is gained by direct
observation.
7
● Without some form of self-control, the limit is only defined by the readiness to expose
one’s self to risks.
● On the surface, risks are being caught and going to jail, but more extreme examples can
include the loss of life, as with terrorists.
Anything is possible if the attacker is prepared to risk everything, and in a mind with no ethics,
there is no logical governance
IMPOSED LIMITATIONS:
● Customers that demand close involvement usually hinder the process by the implication
of distrust and disturbing the flow of the tester to work her art.
● Therefore, an imposed limitation can materialize in the form of customer
micromanagement of the test when in nearly all cases it is best to leave it up to the experts.
● No dumpster diving.
● Only test certain IP addresses.
● Do not use ISS.
● No Trojans.
● No vulnerability can be exploited until permission is obtained.
● Only wardial certain telephone numbers.
● No e-mail-based social engineering.
● No Web application-focused attacks.
● Only attack Windows systems
● Do not use partner information to support an attack.
● Do not attempt to avoid detection.
● Only attack one site.
● Do not attack customer DNS systems.
● No user-focused attacks.
● No DoS attacks.
● No information shall be shared between testers on the engagement.
● No information is to be changed.
● No calling cards are to be left behind.
● Do not attempt to attack ports over 1024.
● Only test services running on specified ports.
9
● Usually some form of information is provided by the target and only in the most extreme
cases absolutely no information is offered. Following are some basic definitions of
information provisioning:
10
● Zero Knowledge. Zero knowledge about the target’s network or environment, left to his
ability to discover information about the client and use it to gain some form of access. This
is also called blackbox or closed.
● Limited Knowledge. providing just enough information to get started. Information may
include phone numbers to be tested, IP addresses, domain information, applications, and
other data that would take some time to collect, but not impossible.
● Total Exposure. Total exposure is when every possible piece of information about the
environment is provided to the tester. Prior to the start of the engagement, reams of
documents are provided to help the tester gain as much knowledge about the network as
possible. This is also known as crystal box, full knowledge, or open,
to the successful operation of the business and are sometimes overlooked (arguably on
purpose) when it comes to security.
● Its better to check these once-trusted networks to look for vulnerabilities that may exist
between partners or between them and remotely connected networks. This is also true
when attempting to map a network.
● Intranet. Arguably, one of the more complicated aspects of ethical hacking is the internal
hack.
● Internal hacking can range from running hacking tools on the internal network to
posing as an employee with all the necessary credentials.
● Intranet-based attacks can be difficult to perform given the imposed limitations, but in
practice it is like a playground for testers.
● Many organizations are soft on the inside and hence is a source point of attack to be
considered
MULTI-PHASED ATTACKS:
● In a multi-phased test, the concept is to determine the security posture of
theorganization at various levels of access and knowledge that a hacker may potentially
obtain.
● Usually multi-phased tests are based on source points of the test, information provided to
the testers, when the information is provided, and any supporting materials associated with
the test, such as a username and password.
● From the Internet with no information, with limited information, and from inside the target,
with how information is shared among these phases, a great deal of insight from the test
can be obtained.
● The key is determining the information to provide to the testers, when, and in what context
relative to the other testers and phases.
Parallel Isolated:
● Series Shared: There is always the potential for an attacker to move from a digital
attack to a physical one. This is especially true in comprehensive and well-funded
attacks, such as espionage or terrorism.
● On the other hand, it can also include the criminal seeking and obtaining employment at
the target company and waiting for the right opportunity to strike.
● The final attack may be theft or obtaining enough information about the company’s
security measures and practices to launch a successful attack remotely
13
Series Isolated: Series multi-phased penetration tests where information is not transferred
from one phase to another is typically practiced when each phase is considered unique, unrelated,
and there is ample time allotted to the engagement. This technique is also leveraged when there is
a great deal of management associated with each phase.
● The Red Team performs the test. Based on the type of test and the level of knowledge their
client is willing to provide, they may be involved in the establishment of the engagement
with the White Team to make certain expectations, guidelines, and procedures are well
communicated.
● The goal of the Red Team is relatively simple:
● To attack the target firm within the established scope of the engagement and communicate
to the White Team any critical issues that may represent a risk to the target organization.
(volatility of the situation and gain permission before exploiting and possibly causing
excessive damage or downtime of their customer’s network or systems.)
● It is necessary for the Red Team to provide the following information: vulnerability
explanation, testing focus, and mitigation
● Vulnerability Explanation. Detail the vulnerability and the impact that could result from
exploitation. This can include characteristics such as downtime, exposure of critical
business systems such as billing or transaction systems, customer impact, partner
exposure, or the inadvertent disclosure of private or proprietary information
previously defined as beyond the scope of the engagement.
● In many cases, the vulnerability represents a threat the customer intentionally made
clear was something he was not prepared to include in the overall test.
● Testing Focus. it is necessary to explain what would be the disadvantages of not
performing the test. One exposed vulnerability can expose several others and It is
necessary for the customer to make a decision to accept the risk of the potential impact to
obtain greater insight as to other weaknesses or forgo the test.
● Mitigation. Finally, for the client to fully weigh the options compared to risk and cost, the
Red Team should provide a collection of high-level recommendations for repairing the
hole. The details of the recommendations will be limited because it is simply the
perspective based on the external representation of the vulnerability.
● The White Team has the opportunity to identify other security resources outside the Red
Team to collect the information and work directly with the company to address the
vulnerability. In some cases, this allows the Red Team to continue other avenues of attack,
for example, on a completely different location, to maintain continuity of the project
● The White Team is a mixture of customer representatives and the managing staff of
the consulting firm.
● The White Team is the liaison between the attackers and the target providing control
over the attack and monitoring the reaction of internal staff to the test.
● The White Team is the field commander managing the test to ensure it remains within
the established guidelines. Additionally, the team provides an opportunity to deal with
unexpected results.
● Following are some examples of specific issues where the White Team can become very
helpful: piggyback attacks, reverse impact, and detection.
15
● Reverse Impact. The Red Team should notify the White Team if a critical vulnerability
is identified and report on the various risks associated with the weakness. The same holds
true for the White Team.
● There are circumstances where the Red Team is unaware of the massive impacts they
are having on the target’s systems and may continue the operation, potentially
harming their customer in ways previously stated as undesirable during the planning
of the test.
● In the event the target is experiencing unmanageable difficulty with the attack, the
White Team acts as a conduit to the Red Team to throttle the attack in accordance
with the measurable experiences of the Blue Team. In most scenarios, the attack is
paused to determine what actually happened before attempting to continue the test.
● Detection. Although some tests are performed surreptitiously to avoid detection there are
cases where this is not critical to the success of the engagement. For example, a client may
wish to test the ability of the technology and internal resource to measure the response to
an attack.
● However, some want to gauge the granularity of the systems and people when presented
with a very “quiet” attack technique.
● During engagements of this type the White Team can provide a signal to the Red Team
to let them know when they have been detected and to use other methods.
● In some cases, the ability to perform the attack without detection is much more valued
by the client than actually exploiting a vulnerability.-case etudy of company with
theft of confidential data
● The Blue Team is the internal employees who, traditionally, are not aware the test is
taking place.
Blue Team usually represents a group of employees to be observed more closely who are
typically associated with security or IT administration.
● There are three primary objectives for establishing a Blue Team: incident response,
vulnerability impact, and counterattack.
● Incident Response.-How the internal team is responding to any such attacks.To measure
the readiness of internal team to respond to any incidents in the right manner.Its more
than just Technology.
● Vulnerability Impact.-The ability to determine how badly a vulnerability can affect
the network’s operations falls within the role of the Blue Team. it is up to the White
Team to observe the reaction of the systems and people in charge of those systems to gauge
the degree of a vulnerability being exploited.
● If the vulnerability represents a threat to the operations of the business or falls
beyond the scope of the engagement, the White Team can notify the Red Team to stop
or divert their energy.
16
● In contrast, the White Team can query the Red Team to see what type of progress has
been made even when the Blue Team has not reacted in any way that would imply
awareness of the attack
● Counterattack. When under attack, a company can attempt to stop it by instituting
updated controls, but, in the case of a counterattack, will attempt to inflict damage on the
hacker. - a much debated topic(DoS against the hacker to simply stop him from continuing
and providing a window of opportunity to close the exploited hole)
● There are several issues relating to the counterattack:
● Clear Identification. If a company is under the assumption it is prepared to assault an
identified hacker, it must be absolutely certain it has correctly identified the source. -legal
ramifications
● Capability. Most companies do not have the necessary expertise to launch an attack,
much less one aimed at a knowledgeable adversary.
● Waking a Sleeping Giant. If a company were to retaliate, it could become the focal point
for the hacker and any other hacker looking to topple a company with an attitude.
TEAM COMMUNICATIONS:
ENGAGEMENT PLANNER:
● Planning is an activity which consumes more time and if no effective planning is done,the
outcome of the test results will be very poor.
● you expect to gain from the test and how you plan to use the results. Are you looking to
address specific weaknesses? Or, are you attempting to seek symptoms of a much larger
problem within the security program?
○ Consider the scope of the attack and what is “in bounds.” Moreover, take the time
to evaluate what you have determined is beyond its scope and the potential impact
on the objectives.
○ Ensure all the appropriate people are involved. The internal politics and
departmental rivalries introduce interesting results. There must be an owner, a
leader, or primary person that ultimately sets the goals and scope of the
engagement. Tests that are planned by committee will typically fail to meet
objectives.
● Sample engagement planner to be discussed-
● To collect your thoughts and perspectives of the test in a single document.
Understandably, the example planner is only a summary of probable engagement
characteristics and insinuates that much more work is required.
● For example, the information management section only stipulates the type of information
offered to the testers and at what point in the engagement, not the actual data.
THE RIGHT SECURITY CONSULTANT:
● ARCHITECTS: There are security consultants who have moved away from technology,
or never fully immersed themselves in technology, and focus on the business of security.
● Security consultants of this type work on the larger picture of security and are usually the
authors of security policies and the minds behind comprehensive security architectures that
are supported by the various security-related technologies.
● Rely heavily on the technologists to implement what they have architected.
● Architects look to the big picture of security and seek out solutions to ensure security is
addressed technically as well as operationally.
● Perform Services in Accordance with the Law. There may be situations where a
consultant is asked to perform or made aware of something illegal. In this situation it is
necessary to abide by the laws society has created. Essentially, it is ethically correct and
expected to operate within the boundaries of the law, regardless of personal interpretation.
● Maintain Confidentiality. Security consultants are regularly exposed to proprietary
information and ethically bound to protect that information.
● Honesty. In addition to simple professionalism, given the sensitivity of interacting with
proprietary information and all that it implies, honesty must be practiced to ensure
continued trust.
● Conflict of Interest. Everyone during some point in his or her career has been faced with
professional conflict. Typically, this is associated with knowing certain information that if
you were involved with another process you may make determinations based on that
information. This cannot only lead to personal and professional conflicts but will test the
ethical values one may have. Finally, this could have a negative impact on customers,
related partners, and the company you work for, possibly damaging reputations and
associations.
● Intentional Acts. Clearly associated with ethics, intentionally harming or damaging the
reputation of clients, employers, or colleagues is unacceptable behavior.
TESTER:
● Hire a Educated certified one or hire a reformed hacker
● Hacker-Punishment-After serving the punishment,can he or she be hired?
● how can someone be reformed or prove a new mental state?
● The motives for becoming a hacker are usually encoded into someone’s character and to
assume that this can change is a difficult proposition indeed. The traits of a hacker are what
many seek, setting the foundation for critical decision-making and ethical challenges for
management.
● When choosing a consultant for performing ethical hacking tests, it is critical that the
person’s social aptitude and goals be evaluated in addition to their technical capabilities.
● LOGISTICS: Planning takes time and effort, but it is well worth it. So far, we have
discussed planning in the form of establishing teams, setting expectations, understanding
the ultimate value of the test, and determining the impacts of various restrictions and
limitations. There is another side to planning: logistics.
● Logistics are the nuts and bolts of an engagement and are a necessary evil to ensure the
total operation is a success.
● AGREEMENTS: An agreement between the service provider and the customer is a must.
Many service provider organizations have a master services agreement that outlines the
legal stipulations of the business relationship. These can include warrantees,
19
INTERMEDIATES:
● In between partners getting affected with tests? -alternate route through partner network,
accidental step in.
20
● Depending on the type of relationship a client has with its partners, it is usually rare for the
targeted company to allow or sanction any type of attack on a partner’s network. There are
some circumstances, however, where the partners are held to a security standard to interact
with the client’s network and have signed an agreement that will allow the client to validate
the security of the connection through exploitation. In these rare cases, an attack against
the partner is permitted and the partnering organization is notified.
● To collaborate with the partner and see if it is willing to permit a test against its system.
The answer is never a simple one and usually the partnering organization demands more
information about the test: what is going t pobe tested, what are the goals, who is
performing the test, why their server is being included, and so on.
● Customers
● Service Providers-Communications,Detail,Support
● Law Enforcement-FBIS