After finding potential security holes, the next step is confirming whether they’re indeed vulnerabilities in the context of your environment. Before you test, perform some manual searching. You can research websites and vulnerability databases, such as these:
Common Vulnerabilities and Exposures (http://cve.mitre.org/cve)
US-CERT Vulnerability Notes Database (www.kb.cert.org/vuls)
NIST National Vulnerability Database (https://nvd.nist.gov)
These sites list known vulnerabilities — at least, the formally classified ones. As I explain in this book, many other vulnerabilities are more generic in nature and can’t easily be classified. If you can’t find a vulnerability documented on one of these sites, search the vendor’s site. You can also find a list of commonly exploited vulnerabilities at www.cisecurity.org/controls/. This site contains the SANS Critical Security Controls consensus list, which is compiled and updated by the SANS organization.
If you don’t want to research your potential vulnerabilities and would rather jump right into testing, you have a couple of options:
Manual assessment: You can assess the potential vulnerabilities by connecting to the ports that are exposing the service or application and poking around in these ports. You should manually assess certain systems (such as web applications). The vulnerability reports in the preceding databases often disclose how to do this, at least generally. If you have a lot of free time, manually performing these tests may work for you.
Automated assessment: Manual assessments are great ways to learn, but people usually don’t have time to complete most manual steps. If you’re like me, you’ll scan for vulnerabilities automatically when you can and dig around manually as needed.
Many great vulnerability assessment scanners test for flaws on specific platforms (such as Windows and Linux) and types of networks (wired or wireless). They test for specific system vulnerabilities and may focus on standards such as the SANS Critical Security Controls and the Open Web Application Security Project (www.owasp.org). Some scanners map the business logic within a web application; others map a view of the network; others help software developers test for code flaws. The drawback to these tools is that they find only individual vulnerabilities; they don’t necessarily aggregate and correlate vulnerabilities across an entire network. This task is where your skills and the methodologies I share in this book come into play.
One of my favorite security tools is a vulnerability scanner called Nessus by Tenable (www.tenable.com/products/nessus). It’s both a port scanner and vulnerability assessment tool, and it offers a great deal of help for vulnerability management. You can run one-time scans immediately or schedule scans to run on a periodic basis.
As with most good security tools, you pay for Nessus. It’s one of the least expensive tools. A free version, dubbed Nessus Essentials, is available for scanning smaller networks with fewer features. Additional vulnerability scanners that work well include QualysGuard (www.qualys.com) and GFI LanGuard (http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard).
Assessing vulnerabilities with a tool such as Nessus requires follow-up expertise. You can’t rely on the scanner results alone. You must validate the vulnerabilities that the tool reports. Study the reports to base your recommendations on the context and criticality of the tested systems. You’ll find that higher-end vulnerability scanners provide proof and related information to help you in your validation efforts.
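The two gaps just described, that scanners report individual findings per host rather than correlating them across the network, and that the tester must weigh each finding against the criticality of the system it sits on, are the kind of follow-up work worth scripting. The Python below is an added example, not code from the book or from Tenable: it parses a constructed .nessus (NessusClientData_v2) export whose plugin ids, names and CVE ids are placeholders, groups findings by plugin across hosts, and ranks them by CVSS weighted with asset-criticality values that are an assumed input from the tester.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the NessusClientData_v2 layout (not a real scan);
# plugin ids, plugin names and CVE ids are placeholders, not real identifiers.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="demo">
<ReportHost name="10.0.0.5">
 <ReportItem port="445" protocol="tcp" severity="4" pluginID="90001" pluginName="placeholder SMB flaw"><cve>CVE-0000-0001</cve><cvss_base_score>9.8</cvss_base_score></ReportItem>
 <ReportItem port="80" protocol="tcp" severity="2" pluginID="90002" pluginName="placeholder web flaw"><cvss_base_score>5.3</cvss_base_score></ReportItem>
 <ReportItem port="0" protocol="tcp" severity="0" pluginID="90003" pluginName="OS fingerprint"/>
</ReportHost>
<ReportHost name="10.0.0.9">
 <ReportItem port="445" protocol="tcp" severity="4" pluginID="90001" pluginName="placeholder SMB flaw"><cve>CVE-0000-0001</cve><cvss_base_score>9.8</cvss_base_score></ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""

# Asset criticality weights supplied by the tester (assumed context, not scanner output).
CRITICALITY = {"10.0.0.5": 1.0, "10.0.0.9": 3.0}  # 10.0.0.9 is treated as a crown-jewel host


def parse_nessus(xml_text):
    """Flatten a .nessus export into one dict per (host, port, plugin) finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev == 0:
                continue  # severity 0 is informational output, not a vulnerability
            score = item.findtext("cvss_base_score")
            findings.append({"host": host.get("name"), "port": int(item.get("port", "0")),
                             "plugin_id": item.get("pluginID"), "plugin_name": item.get("pluginName"),
                             "severity": sev, "cvss": float(score) if score else 0.0,
                             "cves": [c.text for c in item.findall("cve")]})
    return findings


def prioritize(findings, criticality, default_weight=1.0):
    """Group findings by plugin across all hosts and rank by CVSS weighted by asset criticality."""
    groups = defaultdict(lambda: {"name": "", "hosts": set(), "cves": set(), "cvss": 0.0, "risk": 0.0})
    for f in findings:
        g = groups[f["plugin_id"]]
        g["name"] = f["plugin_name"]
        g["hosts"].add(f["host"])
        g["cves"].update(f["cves"])
        g["cvss"] = max(g["cvss"], f["cvss"])  # worst score seen for this plugin
        g["risk"] += f["cvss"] * criticality.get(f["host"], default_weight)  # summed across hosts
    return sorted(groups.items(), key=lambda kv: kv[1]["risk"], reverse=True)
```

The ranked output is a starting point for validation, not a substitute for it: each grouped finding still has to be confirmed on at least one of the listed hosts before it goes into a report.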
Penetrating the System
You can use identified security vulnerabilities to do the following:
Gain further information about the host and its data
Obtain a remote command prompt
Start or stop certain services or applications
Access other systems
Disable logging or other security controls
Capture screenshots
Access sensitive files
Send an email as the administrator
Perform SQL injection
Launch a denial of service attack
Upload a file or create a backdoor user account proving the exploitation of a vulnerability
Metasploit (www.metasploit.com) is great for exploiting many of the vulnerabilities you find and allows you to fully penetrate many types of systems. Ideally, you’ve already made your decision about whether to fully exploit the vulnerabilities you find. If you have chosen to do so, a screenshot of a remote command prompt on a vulnerable system via Metasploit is a great piece of evidence demonstrating vulnerability.
If you want to delve further into best practices for vulnerability and penetration testing methodologies, I recommend that you check out the Open Source Security Testing Methodology Manual (www.isecom.org/research.html). The Penetration Testing Execution Standard (www.pentest-standard.org/index.php/Main_Page) and PCI DSS Penetration Testing Guidance (http://www.pcisecuritystandards.org/documents/Penetration-Testing-Guidance-v1_1.pdf) are great resources as well.
Part 2
Putting Security Testing in Motion
IN THIS PART …
Find public information about your business and systems.
Learn the art of “hacking” people.
Know where your physical security weaknesses exist.
Test for password weaknesses that are creating big risks.