NEWT Security Test and Assessment
NTS-435
UAT
May 1, 2013
Authored by: Nick Cmunt
Running head: NEWT Security Testing and Assessment
Table of Contents
Introduction
Purpose
Problem
Proposed Solution
    Security Assessment
    Security Assessment Policy
    Prioritizing Assessment
    Data Destruction and Retention
Requisitioned Equipment and/or Personnel
Tentative Implementation Timeline
Budget
Evaluation System
    Document Review
    Network Scanning
    Vulnerability Validation
Benefits
Conclusion
Introduction
The National Electronic Weapons Technology company, or NEWT, is a company hired by the
United States Government to create various electronic weapons for cyber warfare. This
INFOSEC Implementation Plan is for NEWT to renew its Federal Information Security
Management Act (FISMA) compliance using National Institute of Standards and Technology
(NIST) Special Publication 800-115, Technical Guide to Information Security Testing and
Assessment.
Purpose
FISMA requires that companies that work with information relating to the United
States Government have their security assessed on an annual basis. Three types of
assessment methods can be used: testing, examination, and interviewing. NIST
SP800-115 addresses only the testing and examination methods of assessment, which is all that
FISMA requires.
Problem
The problem facing NEWT is that, with all the constantly emerging threats, there is a
need to ensure the security of company information. There is also the annual FISMA audit
coming up, in which NEWT must prove that the security controls in place are adequate to meet
United States Government security requirements.
Proposed Solution
Security Assessment
NEWT is required to renew FISMA compliance and will need to have its security
controls tested. This is to be carried out by NicksIT.net using NIST SP800-115. Once the testing
has been done, NicksIT.net will present the findings, as well as the mitigation strategy for them, to
the heads of NEWT. There will be a full step-by-step presentation on how to implement these
recommended mitigations. NEWT's staff will have to carry out the recommendations, but if any
questions arise, NicksIT.net will be available.
Security Assessment Policy
The first requirement is for NEWT's IT Staff to be made available to the NicksIT.net
Assessment Team. This is to ensure that any question that might arise can be answered, and it
also includes identifying and locating equipment on the network.
Name              Role                Cell number
Nick Cmunt        Lead                218-303-6011
Gary McKinnon     Web Security        218-303-9622
Vladimir Levin    Wireless Security   218-303-7482
Kevin Mitnick     Social Engineer     218-303-3106
Kevin Poulsen     Windows             218-303-4518
Timothy Lloyd     Linux               218-303-2466
Robert Morris     Mac OS              218-303-7956
The Lead role will make sure all stakeholders at NEWT understand the process and sign off
on each step before the actual assessment begins. The Lead role will also ensure that all team
members adhere to the established methodology. All documentation will be presented and fully
explained by the Assessment Lead. If there is any technical question that the lead cannot
answer, the team will be standing by to assist with it.
NicksIT.net only hires highly trained professional security testers. While each member of
the team is a subject matter expert in a certain area, they are well versed in all system aspects.
The team will work to research vulnerabilities and find ways to mitigate them. Each team
member has also undergone security clearance, which enables them to work with the sensitive
data that is stored within NEWT’s network.
Prioritizing Assessment
Before the assessment begins, there will be a short meeting to discuss how NEWT’s
network is laid out. This is where NicksIT.net professionals begin to examine the network to
identify what IP addresses are to be scanned and if there are any that cannot be scanned. This is
also the time that the team will build an understanding of how information flows and basics
about where the switches are located. A few systems will be identified as key pieces of
equipment, and will have all tests but the actual penetration test done on them. If NEWT has a
backup or a similar system, then the penetration testing will be carried out on that system.
Data Destruction and Retention
Once the assessment is done, NicksIT.net will retain all documents for a full year, which
should ensure that the data is secure. Once the year is over, the documents will be erased using a
secure erase drive sanitizer approved by the Department of Defense.
Requisitioned Equipment and/or Personnel
Personnel will include the team of assessors from NicksIT.net who will be conducting all
of the testing that is required within the NIST SP800-115 security testing methodology. This
team will use their own equipment, but will team up with NEWT’s IT Staff to answer any
questions, and to identify and physically locate hosts or other equipment. They will also answer
other questions about system configuration, such as host firewalls or antiviruses in use. Both of
these can affect scanning and/or the actual penetration test.
Tentative Implementation Timeline
The scheduled time is for a total of 15 days. Assessments will not continue on the
weekends unless otherwise notified. The day will begin when NEWT's doors open and end when
NEWT's IT Staff leaves for the day. If longer hours are needed, this can be arranged, but
the budget would be impacted, as that was not in the original scope of the assessment.
Task Name                      Duration   Start          Finish
Meeting and Document Review    2 days     Tue 6/11/13    Wed 6/12/13
Network Scanning               3 days     Thu 6/13/13    Mon 6/17/13
Vulnerability Validation       4 days     Tue 6/18/13    Fri 6/21/13
Evaluation System              2 days     Mon 6/24/13    Tue 6/25/13
Budget
The project is scheduled for a two-week period, to start on June 11 and end June 24. The
costs of hotel, meals, and transportation are all included in the bill. The final bill will be $78,150;
the budget for this was $80,000. The wages billed are for regular work days; if
NicksIT.net employees work longer hours, the wages will be adjusted to reflect the change. Any
additions to the bill would most likely push the budget over its limit.
Item     Cost    Number needed   Number of days required   Totals
Flight   $250    7               2                         $7,500
Hotel    $80     7               15                        $8,400
Car      $100    3               15                        $4,500
Wages    $550    7               15                        $57,750
Total                                                      $78,150
Evaluation System
Document Review
The first priority is to review documents such as security policies; network architecture
and requirements; standard operating procedures; system security plans and authorization
agreements; memoranda of understanding and agreement for system interconnections; and
incident response plans. Document review helps determine whether the technical aspects of
policies and procedures are current and comprehensive. This step can reveal weaknesses in
policies that can lead to improperly implemented security controls.
Network Scanning
Network discovery will be carried out using both passive and active techniques to
identify hosts and the information that traverses the network. The passive tool will be
Wireshark and the active tool will be Nmap. These tools will help build an inventory of hosts on
the network and possibly uncover rogue devices. Nmap will give a list of the services and protocols
in use on hosts that require deeper investigation. This list can be cross-referenced against policy
to ensure that only necessary services are running.
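As an added illustration of that cross-reference step (not part of the original plan or any NicksIT.net tooling), the following Python script parses an Nmap XML report and compares each host's open TCP services against an approved-services policy, flagging unapproved services and hosts the policy does not know about. The XML report, the policy table, the IP addresses and the port assignments are all constructed samples.

```python
"""Cross-reference an Nmap host/service inventory against an approved-services policy."""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed Nmap XML report (the format written by `nmap -oX`) for three hosts.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="10.10.1.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
 </ports></host>
 <host><status state="up"/><address addr="10.10.1.20" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
  <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
 </ports></host>
 <host><status state="up"/><address addr="10.10.1.99" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
 </ports></host>
</nmaprun>"""

# Hypothetical policy (not NEWT's real one): the TCP services each approved host may expose.
APPROVED_SERVICES = {
    "10.10.1.10": {22, 80},  # web server: SSH for administration plus HTTP
    "10.10.1.20": {21},      # FTP server
}

def parse_open_ports(xml_text):
    """Return {ip: set(open TCP ports)} for every host Nmap reports as up."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            # Only TCP ports in state "open" count as exposed services; filtered/closed are ignored.
            if port.get("protocol") == "tcp" and state is not None and state.get("state") == "open":
                ports.add(int(port.get("portid")))
        inventory[addr.get("addr")] = ports
    return inventory

def check_policy(inventory, approved):
    """Flag hosts absent from the policy and open services the policy does not allow."""
    findings = []
    for ip, ports in sorted(inventory.items()):
        if ip not in approved:
            findings.append((ip, "unknown host (possible rogue device)", sorted(ports)))
        elif ports - approved[ip]:
            findings.append((ip, "unapproved open services", sorted(ports - approved[ip])))
    return findings

if __name__ == "__main__":
    for ip, reason, ports in check_policy(parse_open_ports(SAMPLE_NMAP_XML), APPROVED_SERVICES):
        print(f"{ip}: {reason}: {ports}")
```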
Vulnerability scanning will also be conducted using Nessus along with NeXpose. This
will show whether any vulnerability exists on the network hosts. Once done, the results can be
reviewed and will show whether the patch policy is being followed. This activity should also set off any
intrusion detection system (IDS) or intrusion prevention system (IPS) connected to that
particular network segment. Vulnerability scanners check only for the possible existence of a
vulnerability. Most vulnerabilities fall into the following eight categories.
1. Misconfiguration: Misconfigured security settings, particularly insecure default settings,
are usually easily exploitable.
2. Kernel Flaws: The kernel is the core of an OS; any security flaw in the kernel puts the
entire system in danger.
3. Buffer Overflows: A buffer overflow occurs when programs do not adequately check the
input. When this occurs, arbitrary code can be executed with the privileges of the running
program.
4. Insufficient Input Validation: Many applications fail to fully validate the input they
receive from users. Web pages have a problem with this when a user enters a special
query command that leads to a Structured Query Language (SQL) injection.
5. Symbolic Links: A symbolic link (symlink) is a file that points to another file. Operating
systems include programs that can change the permission granted to a file.
6. File Descriptor Attacks: File descriptors are numbers used by the system to keep track of
files in lieu of filenames. When a privileged program assigns an inappropriate file
descriptor, it exposes that file to compromise.
7. Race Conditions: Race conditions can occur during the time a program or process has
entered into a privileged mode. A user can time an attack to take advantage of elevated
privileges while the program or process is still in the privileged mode.
8. Incorrect File and Directory Permissions: File and directory permissions control the
access assigned to users and processes. Poor permissions could allow many types of
attacks, including the reading or writing of password files or additions to the list of
trusted remote hosts.
Wireless scanning will be used to discover any rogue access points and to test for basic
wireless security. Bluetooth scanning and testing will also be evaluated to ensure that the proper
security control is in place for mobile devices. This test will also look into the range of the
wireless signal to check how far the signal extends from the building.
External scanning will also be carried out in order to test perimeter defenses. The
scanning will use the same tools already listed to find any open ports or services that are running
on servers that have been put in a demilitarized zone (DMZ). Vulnerability scanning will be done
to ensure any front facing systems are secure.
Vulnerability Validation
Password cracking will be carried out using tools such as Ophcrack or Rainbow Tables to
ensure that password policies are being followed. This will reveal whether a policy in Active
Directory or another system has been properly set up and whether it is being properly enforced by the
systems. Ophcrack will mainly be used to test Windows-based computers, and Rainbow Tables
will be used to test other operating systems. Unfortunately, due to time constraints there is not
enough time to test whether the password history works properly, but staff can run any of these
scans offline at their own scheduled intervals.
Penetration testing will be carried out using Metasploit, but only to verify whether a previously
identified vulnerability does, in fact, exist. This is important since some findings can be
false positives and lead to time being wasted trying to fix problems that are not really there.
While a penetration test can eliminate false positives, it should be understood that if an exploit is
used against live systems, it can cause that system to become unstable. The skilled workers at
NicksIT.net can ameliorate the situation; however, this is never 100 percent certain, so this will only be
done after careful consideration, notification, and planning.
The penetration testing will consist of four phases. In the planning phase, rules are
identified, management approval is finalized and documented, and testing goals are set. The
discovery phase of a penetration test includes two subparts: the first is to make sure all systems that
are to be included have been scanned, and the second is vulnerability analysis, which
involves looking at the network scan information. This phase is really important since the
outputs of Nmap, Nessus, and NeXpose will be compared. This is to cross-reference all scan
data and even check against public vulnerability databases such as the National Vulnerability
Database (NVD).
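The following Python script is an added example (not from the original plan or any NicksIT.net tooling) of the discovery-phase cross-referencing described above and of the false-positive concern raised under penetration testing: it merges findings from the two vulnerability scanners, checks each against the ports Nmap actually saw open, orders the result for validation, and attaches the NVD detail page for each id. The scanner findings, hosts, and vulnerability ids are constructed placeholders, not real scan output or real CVE numbers.

```python
"""Discovery-phase triage: correlate Nessus/NeXpose findings with Nmap before any exploit is run."""
from collections import defaultdict

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample: open TCP ports per host as seen by Nmap (not real scan output).
NMAP_OPEN_PORTS = {"10.10.1.10": {22, 80}, "10.10.1.20": {21}}

# Constructed sample: findings normalised from the two scanners' exports. Port 0 marks a
# credentialed/local check that is not tied to a listening service. The vulnerability ids are
# placeholders, not real CVE numbers.
FINDINGS = [
    {"scanner": "nessus",  "host": "10.10.1.10", "port": 80,  "vuln": "CVE-0000-0001", "severity": "high"},
    {"scanner": "nexpose", "host": "10.10.1.10", "port": 80,  "vuln": "CVE-0000-0001", "severity": "high"},
    {"scanner": "nessus",  "host": "10.10.1.10", "port": 443, "vuln": "CVE-0000-0002", "severity": "medium"},
    {"scanner": "nexpose", "host": "10.10.1.20", "port": 21,  "vuln": "CVE-0000-0003", "severity": "critical"},
    {"scanner": "nessus",  "host": "10.10.1.20", "port": 0,   "vuln": "CVE-0000-0004", "severity": "low"},
]

def nvd_url(vuln_id):
    """NVD detail page for a CVE id, for the manual cross-check the plan calls for."""
    return f"https://nvd.nist.gov/vuln/detail/{vuln_id}"

def classify(port, scanners, open_ports):
    """Decide how a (host, port, vuln) group should be handled during validation."""
    if port != 0 and port not in open_ports:
        return "likely-false-positive"   # scanner flagged a service Nmap did not see open
    if len(scanners) > 1:
        return "validate-first"          # independent agreement between both scanners
    return "validate"

def triage(findings, nmap_ports):
    """Merge duplicate findings across scanners and return a prioritised validation list."""
    scanners_by_key = defaultdict(set)
    severity_by_key = {}
    for f in findings:
        key = (f["host"], f["port"], f["vuln"])
        scanners_by_key[key].add(f["scanner"])
        severity_by_key[key] = f["severity"]
    rows = []
    for (host, port, vuln), scanners in scanners_by_key.items():
        rows.append({
            "host": host, "port": port, "vuln": vuln,
            "severity": severity_by_key[(host, port, vuln)],
            "scanners": sorted(scanners),
            "verdict": classify(port, scanners, nmap_ports.get(host, set())),
            "reference": nvd_url(vuln),
        })
    # Corroborated findings first, then single-scanner ones, probable false positives last; severity breaks ties.
    order = {"validate-first": 0, "validate": 1, "likely-false-positive": 2}
    rows.sort(key=lambda r: (order[r["verdict"]], SEVERITY_RANK[r["severity"]], r["host"], r["port"]))
    return rows

if __name__ == "__main__":
    for r in triage(FINDINGS, NMAP_OPEN_PORTS):
        print(f'{r["host"]}:{r["port"]} {r["vuln"]} {r["severity"]:8} {r["verdict"]:21} {r["scanners"]}')
```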
Once all this has been completed and management has signed off on the scheduled
attacks, the team will begin. If an attack happens to be successful, the vulnerability is verified
and a mitigation plan will be started. If the exploit escalates privilege level on the system,
additional testing will be required to find what this affects. If the system being penetration
tested has an antivirus installed, then the exploit used should set off that antivirus. If the antivirus
does not trigger an alert, it could indicate a misconfigured or faulty antivirus.
Testing fouls will be identified before any IP is attacked. This is to ensure that the
particular IP address is owned and managed by NEWT and that the system is not critical to
the day-to-day operations of NEWT. If there are third parties that host services for NEWT,
permission will need to be obtained from the involved parties, and an adjustment to the scope of
the assessment will have to be made.
Social engineering will be used to see whether employee training has been successful in
teaching the staff at NEWT what information should not be revealed. This test will be carried out
using a few methods, such as face-to-face contact, phone calls, and e-mail phishing. Another aspect of
this will be dumpster diving to see whether any documents containing personally identifiable information
have been thrown away. This is a really important part since NEWT uses NIST SP800-88 to
destroy all records. If a social engineering attack is successful, the employee's name will be used
in the report. This should not be held against the employee, since the employees will be chosen at
random and the testing will be done at random times during the day. This means that any
employee could be tested. Again, this is not to test individual employees, but rather to identify
the effectiveness of employee awareness programs and understanding of company policies.
Finally, a complete copy of the web server will be created, along with the File Transfer
Protocol (FTP) server, and both of these will be fully tested. These systems were both
identified when putting together the scope for this assessment. Both will be copied into a virtual
machine and set up with identical settings and patch level. These systems have been identified as
low-hanging fruit and would probably be the target of any attack. When previous assessments
have been done on NEWT, these systems have always been a focal point and, therefore, need to
remain as secure as possible. The FTP server is what the United States Government uses to
retrieve technological weapons, and if a vulnerability were found, it could cause these weapons
to fall into the hands of very bad people.
Benefits
After the NIST SP800-115 assessment is completed, NEWT will be fully compliant with FISMA for
another year. This will ensure that NEWT can continue its contractual agreement with the United
States Government. This also allows the stakeholders of NEWT to rest assured that the
information security policies and procedures in place are fully up to date and working
as anticipated.
Conclusion
NIST SP800-115 is a great tool to assist in testing and evaluating the security posture of a
company. While the Technical Guide to Information Security Testing and Assessment is a great
document and has a very well laid out framework, it does not explain how to use any tools, nor
does it go into detail about which tools to use. This means that anyone using this
framework had better know up front what kinds of tools are out there and which ones could be used to
accomplish the necessary tasks. Personally, I have found that to be true with most of the NIST
documents that I have read thus far. They are great at giving you a methodology, but they stop
right there. I would love to have more information in one of these assessment documents about
how to use some of the tools.
I feel that these documents ultimately leave information out so that it is only used by
people that specifically know what they are doing. This is not a bad thing per se; it’s just a bit
hard to really distinguish the differences between all the testing and assessment documents out
there, as all seem to be a framework and nothing more.
Reference
Scarfone, K., Souppaya, M., Cody, A., & Orebaugh, A. (2008). Technical Guide to Information Security Testing and Assessment (NIST Special Publication 800-115).
Gaithersburg, MD: National Institute of Standards and Technology.