7 Planning for a Controlled
REQUIRED KNOWLEDGE
Planning a test in a fashion that will promote the greatest value can be difficult to say the least. One of the first steps in establishing the rules of engagement is considering what information about the target should be provided to the tester. No matter the scope or scale of a test, the initial flow of information sets in motion the other attributes of planning and ultimately the factors against which value will be measured. Usually some form of information is provided by the target, and only in the most extreme cases is absolutely no information offered. Some information cannot be withheld, such as the name of the company, whereas other information can be easily kept from the testers without totally impeding the mechanics of the test.
Following are some basic definitions of information provisioning:
• Zero Knowledge. Zero knowledge is just that: the tester is provided nothing about the target’s network or environment. The tester is simply left to his ability to discover information about the client and use it to gain some form of access. This is also called blackbox or closed depending on who is scoping the test.
• Limited Knowledge. Something growing in popularity with companies seeking penetration testing is providing just enough information to get started. In some cases information may include phone numbers to be tested, IP addresses, domain information, applications, and other data that would take some time to collect and do not represent any difficulty to a hacker, but are rather time consuming for the tester. The interesting aspect of getting some information and not all is the assumption of scope. Organizations tend to use limited information to define the boundaries of the test as opposed to providing initial data to support the engagement. For example, there is a difference in providing whether a customer has IDS as opposed to providing a list of phone numbers. The former is an obvious attempt to limit the information provided to the tester, whereas the latter is influencing the scope of the engagement.
• Total Exposure. Total exposure is when every possible piece of information about the environment is provided to the tester. Prior to the start of the engagement, a list of questions and required items is sent to the customer in preparation for the meeting. At the meeting, reams of documents are provided to help the tester gain as much knowledge about the network as possible. This is also known as crystal box, full knowledge, or open, again depending on who is planning the engagement.
We find out through this journey in ethical hacking that the seemingly simple concept of providing information (or not) will dramatically affect the scope and depth of the test resulting in different levels of value.
TIMING OF INFORMATION
During the planning of the test it may be determined that several pieces of information are provided to assist the tester in finding opportunities to attack the network by saving time in collecting the information, but also to help in testing the organization’s incident-management capabilities. There is an option to control the flow of information from the company to the tester to keep the test stimulated and reflect multiple types of attack scenarios. In the later section, “Multi-Phased Attacks,” we cover the different nuances of information management and larger teams of testers focused on a single target; but for now, the goal is to demonstrate the value of information, how and when it can be shared with the tester, and the advantages and disadvantages of the practice.
Security is realized by layers of controls and checks supported by process and management to ensure an overall secure posture. Layers typically materialize in the form of access controls, user rights, and services offered to the authenticated user, among many other things. All of these are based on information or tools made available to users. Each set of information is related to what controls are required for that layer in the security architecture and the roles associated with the user or an application.
To accommodate the needs for variable controls for cyber assets, for example, many companies employ some form of division of authorization through segmentation of systems, networks, and even applications. A company may have three different types of customers, each accessing similar data from a centralized database but with increasing levels of access. The first type may have purchased a monthly newsletter to be e-mailed and be provided an account on a Web server to modify their profiles regularly to ensure they are receiving information in which they are interested. Another type of customer is someone who has paid for enhanced services and is provided access to an application server, such as Citrix or Microsoft’s Terminal Server, to use the application supported by data provided by a back-office database. Finally, there may be customers with hundreds of users requiring dedicated access to the network to get the necessary data directly from the systems.
Given this scenario, there are four different avenues into the network:
• Internet
• Web authenticated
• Application service
• Direct access
Internet
Basic use of the Web site and Internet-facing systems is the initial type of access provided to the public. A public access Web site is posted to attract new customers and provide information about the company and the services offered, such as the newsletter. Without any added information, this is the typical route of a hacker beginning an attack against exposed systems that are offering services, such as Web, e-mail, and FTP, that can be exploited to gain access. As a tester, this can also be used as an initial starting point for the test. The Web site can offer information that can be used during the reconnaissance phase of the engagement, or attempt to directly exploit vulnerabilities in any Web-based applications. The value to the customer is clear, seeing that attacking a system on the Internet as if by an uninformed hacker or script kiddy is the fundamental motivator for having the test performed in the first place.
Web Authenticated
To provide personalized use of the Web and make modifications to their profiles, users may provide a username and password to access private areas of the Web site.
Usually, the customer pays via credit card and receives the necessary credentials via e-mail or other form of communication.
A hacker may surreptitiously obtain a paying customer’s identity to make modifications to the profile to acquire valuable data, or attempt to use the privileged access to look for more opportunity to attack the network. Attacks can be based on application code only available to authorized Internet users, or provide the opportunity to inject invalid data into the profile in hopes of unearthing a vulnerability. From the perspective of an ethical hacker, the added support of a stolen username and password would help in identifying any vulnerabilities to which a hacker with the same information may be privy.
The client can realize several layers of value depending on when the credentials were provided to the tester. Fundamentally, the client gains an understanding of the vulnerabilities associated with privileged users. Also, depending on the severity the vulnerability represents in the special area of the Web site, the customer can determine how much investment should be made to rectify it. The reasoning of measuring risk against the cost of access and the severity of a vulnerability is based on the likelihood of occurrence. The more people who have access, the greater the likelihood that someone with bad intentions will push the limits. If the cost of a username and password is $30.00 per month, a hacker would be less likely to pay the initial fee without knowing there is a vulnerability worth $30.00 deep within the site. In contrast, if the cost were $2.00, a hacker with a certain degree of motive would likely spend the money on the off chance of finding a hole with greater potential.
Of course, these assumptions are completely based on the security of the enrollment and payment applications. If a hacker can steal the credentials, the risk factor calculated against the cost and exposure is nullified. However, this is exactly the reason why not providing the credentials to the tester until all other uninformed attempts to access the site are executed is so valuable to the customer (unfortunately, this simply takes more time). Ultimately, when the tester fails to gain greater access, the credentials are then provided to perform a test against the secured portion of the Web site. The customer will have a better understanding of the security of the Web site, the severity and exposures related to an exploited vulnerability, and an initial roadmap to repair.
Application Service
A user may pay more to have direct access to an application to allow more features and information than the limited security portion of the Web site. As with the secured Web site, a user can buy the enhanced version of the service, obtain the credentials, and directions on installing a small client application or plug-in for her browser.
As with anything offered on the Web, a terminal services system may be vulnerable to attack without any credentials. Therefore, the organization may, at first, offer no insight to the advanced services offered in an effort to understand the vulnerabilities to the common hacker. However, much like the Web access example above, once the tester has failed, credentials allowing typical client access can then be used to deduce exposures that correspond to enhanced client access.
The ability to launch an attack against the client’s network based on the added privileges can be enlightening for the company. Depending on the application and configuration of the terminal system, it may be possible to collect ample amounts of information that can be used later via a different route, or actually launch an attack from the vulnerable system.
However, what is the potential risk the tester is representing by performing the test? Once again, we can revisit the cost of the service and the identified vulnerabilities to determine the overall risk associated with providing the services online. However, in most cases, the goal is to determine what exposure is related to the authorized customers. Some applications are complex and if manipulated correctly, they can be used against the company, such as destroying data and bringing the system to a halt.
No matter what depth of the attack is ultimately acquired by using supplied credentials, the reality is that the test is demonstrating risk related to authorized users and does not clearly reflect what a hacker may do. Nonetheless, some risk is attributed based on the likelihood that a hacker would obtain authorized credentials or gain access to the application through other means. Overall, the test is a viable tactic and by providing the information after exhausting all other avenues of attack, the customer is assured the test was comprehensive and reflective of many different types of threats.
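The staged release of credentials described for the Web-authenticated and application-service avenues above is easy to get wrong in practice: once credentials are in the tester’s hands, every later finding is attributed to authorized-user risk rather than to what an uninformed attacker could reach. The following engagement tracker is an added example written for this section; it is not code from the book or from any tool the text mentions. It assumes a hypothetical planning model in which each avenue is worked uninformed first, credentials for an avenue are released only after that avenue and all earlier ones have been exhausted without supplied information, and every disclosure is logged for the final report.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Avenue(Enum):
    """The four avenues into the network named in the text."""
    INTERNET = "internet"
    WEB_AUTHENTICATED = "web_authenticated"
    APPLICATION_SERVICE = "application_service"
    DIRECT_ACCESS = "direct_access"


# Assumed ordering: each avenue is attempted uninformed before credentials
# for it (or for any later avenue) are released to the tester.
ORDER = [Avenue.INTERNET, Avenue.WEB_AUTHENTICATED,
         Avenue.APPLICATION_SERVICE, Avenue.DIRECT_ACCESS]


class DisclosureError(Exception):
    """Raised when information would be released before the plan allows it."""


@dataclass
class Phase:
    avenue: Avenue
    uninformed_exhausted: bool = False      # tester has run out of uninformed attempts
    credentials_released: bool = False
    uninformed_findings: List[str] = field(default_factory=list)
    informed_findings: List[str] = field(default_factory=list)


@dataclass
class Engagement:
    phases: Dict[Avenue, Phase] = field(
        default_factory=lambda: {a: Phase(a) for a in ORDER})
    log: List[str] = field(default_factory=list)  # audit trail: what was disclosed and when

    def record_finding(self, avenue: Avenue, finding: str) -> None:
        """File a finding under the knowledge state the tester had when it was made."""
        p = self.phases[avenue]
        bucket = p.informed_findings if p.credentials_released else p.uninformed_findings
        bucket.append(finding)

    def mark_uninformed_exhausted(self, avenue: Avenue) -> None:
        self.phases[avenue].uninformed_exhausted = True
        self.log.append(f"{avenue.value}: uninformed attempts exhausted")

    def pending_before_release(self, avenue: Avenue) -> List[str]:
        """Avenues (this one and all earlier ones) still not exhausted uninformed."""
        idx = ORDER.index(avenue)
        return [a.value for a in ORDER[:idx + 1]
                if not self.phases[a].uninformed_exhausted]

    def can_release(self, avenue: Avenue) -> bool:
        # The public avenue carries no credentials; everything else is gated.
        return avenue != Avenue.INTERNET and not self.pending_before_release(avenue)

    def release_credentials(self, avenue: Avenue) -> None:
        if not self.can_release(avenue):
            raise DisclosureError(
                f"{avenue.value}: release blocked, pending {self.pending_before_release(avenue)}")
        self.phases[avenue].credentials_released = True
        self.log.append(f"{avenue.value}: credentials released to tester")

    def report(self) -> Dict[str, Dict[str, List[str]]]:
        """Separate findings an uninformed hacker could reach from those that
        reflect authorized-user risk, per avenue."""
        return {a.value: {"hacker_reachable": list(p.uninformed_findings),
                          "authorized_user_only": list(p.informed_findings)}
                for a, p in self.phases.items()}


if __name__ == "__main__":
    # Constructed walk-through of a single engagement.
    e = Engagement()
    e.record_finding(Avenue.INTERNET, "constructed: public server exposes version banner")
    e.mark_uninformed_exhausted(Avenue.INTERNET)
    print("release allowed early?", e.can_release(Avenue.WEB_AUTHENTICATED))
    e.mark_uninformed_exhausted(Avenue.WEB_AUTHENTICATED)
    e.release_credentials(Avenue.WEB_AUTHENTICATED)
    e.record_finding(Avenue.WEB_AUTHENTICATED, "constructed: profile field accepts unvalidated input")
    print(e.report())
    print("\n".join(e.log))
```

The report keeps the two classes of findings apart so the customer can see which exposures an uninformed attacker reached and which depended on supplied credentials, which is the distinction the text draws when it says the informed portion of the test reflects authorized-user risk rather than what a hacker may do.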
Direct Access
For companies with hundreds of users requiring access to specific information, an organization will typically provide network connectivity in the form of a VPN or frame relay connection to support the volume of traffic and greater number of features offered to a premium client. The goal of the target having a penetration test performed in this scenario is to understand the level of risk associated with many unknown sources accessing their network based on a single connection, one that may have only one level of authentication representing all the remote users. The exposure to an attack is either high or low depending on how paranoid you are about security, the setup of the connection, and the depth to which the remote users and systems are allowed into your network. Regardless of the presumption of risk, having a penetration test performed against the dedicated network and application can be helpful and valuable.
As with any cyber threat, the likelihood of an attack—based on privileged access—is related to how credentials are provided, the number of users provided access, the value of the asset being accessed, and the vulnerability of the system or application. When credentials are provided to a user, especially a user from outside the company’s domain or control, such as an employee of a partner, there is an assumed level of authentication prior to providing access. If the identification and authorization of the remote users is weak, and there are thousands of them, the likelihood of one of them attempting to harm your network is measurable, if not substantial.
To perform this phase of the engagement, the tester is made aware of the existence of the network and is permitted to attempt an attack with no specialized access provided. There are many situations where this does not provide any additional benefit simply because the tester cannot gain access to a frame relay network or it would require attacking a customer or partner. However, if the customer network is VPN-based and leverages the Internet, there is a potential for a vulnerability to be exploited to gain access to the network. Although it is somewhat rare and requires some sophistication, an attack on a VPN device could be performed by a motivated and experienced hacker. Given the complexity of the attack without providing direct access for the tester, many clients offer network connectivity to execute the test. A modem is usually the method of choice to allow the tester to access the segment connecting the customers to the client’s network, although if a VPN is employed, the tester is provided the necessary credentials to act as a customer.