NEWT Security Test and Assessment
NTS-435 UAT
May 1, 2013
Authored by: Nick Cmunt

Running head: NEWT Security Testing and Assessment

Table of Contents

Introduction ................................................ 2
Purpose ..................................................... 2
Problem ..................................................... 2
Proposed Solution ........................................... 2
    Security Assessment ..................................... 2
    Security Assessment Policy .............................. 3
    Prioritizing Assessment ................................. 4
    Data Destruction and Retention .......................... 4
Requisitioned Equipment and/or Personnel .................... 4
Tentative Implementation Timeline ........................... 4
Budget ...................................................... 5
Evaluation System ........................................... 5
    Document Review ......................................... 5
    Network Scanning ........................................ 6
    Vulnerability Validation ................................ 8
Benefits ................................................... 10
Conclusion ................................................. 10

Introduction

The National Electronic Weapons Technology, or NEWT, is a company hired by the United States Government to create various electronic weapons for cyber warfare. This INFOSEC Implementation Plan describes how NEWT will renew its Federal Information Security Management Act (FISMA) compliance using National Institute of Standards and Technology (NIST) Special Publication 800-115, Technical Guide to Information Security Testing and Assessment.

Purpose

FISMA requires that companies who work with information relating to the United States Government have their security assessed on an annual basis. Three types of assessment methods can be used: testing, examination, and interviewing. NIST SP 800-115 addresses only the testing and examination methods, which is all that FISMA requires.

Problem

The problem facing NEWT is that, with threats constantly emerging, there is a need to ensure the security of company information.
There is also the annual FISMA audit coming up, in which NEWT must prove that the security controls in place are adequate to meet United States Government needs for security.

Proposed Solution

Security Assessment

NEWT is required to renew FISMA compliance and will need to have its security controls tested. This is to be carried out by NicksIT.net using NIST SP 800-115. Once the testing has been done, NicksIT.net will present the findings, as well as the mitigation strategy for them, to the heads of NEWT. There will be a full step-by-step presentation on how to implement the recommended mitigations. NEWT's staff will have to carry out the recommendations, but if any questions arise, NicksIT.net will be available.

Security Assessment Policy

The first requirement is for NEWT's IT staff to be made available to the NicksIT.net assessment team. This ensures that any question that might arise can be answered, and also covers identifying and locating equipment on the network.

Name              Role               Cell number
Nick Cmunt        Lead               218-303-6011
Gary McKinnon     Web Security       218-303-9622
Vladimir Levin    Wireless Security  218-303-7482
Kevin Mitnick     Social Engineer    218-303-3106
Kevin Poulsen     Windows            218-303-4518
Timothy Lloyd     Linux              218-303-2466
Robert Morris     Mac OS             218-303-7956

The lead will make sure all stakeholders at NEWT understand the process and sign off on each step before the actual assessment begins. The lead will also ensure that all team members adhere to the established methodology. All documentation will be presented and fully explained by the assessment lead. If there is any technical question that the lead cannot answer, the team will be standing by to assist. NicksIT.net only hires highly trained professional security testers. While each member of the team is a subject matter expert in a certain area, they are all well versed in every aspect of the systems.
The team will work to research vulnerabilities and find ways to mitigate them. Each team member has also undergone a security clearance, which enables them to work with the sensitive data stored within NEWT's network.

Prioritizing Assessment

Before the assessment begins, there will be a short meeting to discuss how NEWT's network is laid out. This is where the NicksIT.net professionals begin to examine the network to identify which IP addresses are to be scanned and whether any must not be scanned. This is also when the team builds an understanding of how information flows and the basics of where the switches are located. A few systems will be identified as key pieces of equipment and will have every test except the actual penetration test performed on them. If NEWT has a backup or similar system, the penetration test will be carried out on that system instead.

Data Destruction and Retention

Once the assessment is done, NicksIT.net will retain all documents for a full year, keeping the data secure for that time. Once the year is over, the documents will be erased using a secure erase drive sanitizer approved by the Department of Defense.

Requisitioned Equipment and/or Personnel

Personnel will include the team of assessors from NicksIT.net, who will conduct all of the testing required by the NIST SP 800-115 security testing methodology. This team will use its own equipment, but will team up with NEWT's IT staff to answer any questions and to identify and physically locate hosts and other equipment. NEWT's IT staff will also answer other questions about system configuration, such as the host firewalls or antivirus products in use, since both can affect scanning and the actual penetration test.

Tentative Implementation Timeline

The scheduled time is a total of 15 days. Assessments will not continue on the weekends unless otherwise notified.
The day will begin when NEWT's doors open and end when NEWT's IT staff leaves for the day. If longer hours are needed, this can be arranged, but the budget would be impacted, as that was not in the original scope of the assessment.

Task Name                     Duration  Start        Finish
Meeting and Document Review   2 days    Tue 6/11/13  Wed 6/12/13
Network Scanning              3 days    Thu 6/13/13  Mon 6/17/13
Vulnerability Validation      4 days    Tue 6/18/13  Fri 6/21/13
Evaluation System             2 days    Mon 6/24/13  Tue 6/25/13

Budget

The project is scheduled for a two week period, to start on June 11 and end June 24. The cost of hotel, meals, and transportation are all included in the bill. The final bill will be $78,150; the budget for this was $80,000. The wages billed are for regular work days; if NicksIT.net employees work longer hours, the wages will be adjusted to reflect the change. Any additions to the bill would most likely push the budget over its limit.

Item    Cost  Number needed  Number of days required  Totals
Flight  $250  7              2                        $7,500
Hotel   $80   7              15                       $8,400
Car     $100  3              15                       $4,500
Wages   $550  7              15                       $57,750
Total                                                 $78,150

Evaluation System

Document Review

The first priority is to review documents such as security policies, network architecture and requirements, standard operating procedures, system security plans and authorization agreements, memoranda of understanding and agreement for system interconnections, and incident response plans. Document review helps determine whether the technical aspects of policies and procedures are current and comprehensive. This step can reveal weaknesses in policies that lead to improperly implemented security controls.

Network Scanning

On this network, discovery will be carried out using both passive and active techniques to identify hosts and the information that traverses the network.
The passive tool will be Wireshark and the active tool will be Nmap. These tools will help build an inventory of hosts on the network and possibly uncover rogue devices. Nmap will give a list of the services and protocols in use on hosts that require deeper investigation; this can be cross-referenced against policy to ensure that only necessary services are running. Vulnerability scanning will also be conducted using Nessus along with NeXpose, which will show whether any known vulnerability exists on the network hosts. Once done, the results can be reviewed and will show whether the patch policy is being followed. This activity should also set off any intrusion detection system (IDS) or intrusion prevention system (IPS) connected to that particular network segment. Vulnerability scanners check only for the possible existence of a vulnerability. Most vulnerabilities fall into the following eight categories:

1. Misconfiguration: Misconfigured security settings, particularly insecure default settings, are usually easily exploitable.
2. Kernel Flaws: The kernel is the core of an OS; any security flaw in the kernel puts the entire system in danger.
3. Buffer Overflows: A buffer overflow occurs when a program does not adequately check its input. When this occurs, arbitrary code can be executed with the privileges of the running program.
4. Insufficient Input Validation: Many applications fail to fully validate the input they receive from users. Web pages have a problem with this when a user enters a special query command that leads to a Structured Query Language (SQL) injection.
5. Symbolic Links: A symbolic link (symlink) is a file that points to another file. Operating systems include programs that can change the permissions granted to a file; if such a program follows a symlink without checking its target, it can be made to act on a file the user should not control.
6. File Descriptor Attacks: File descriptors are numbers used by the system to keep track of files in lieu of filenames. When a privileged program assigns an inappropriate file descriptor, it exposes that file to compromise.
7. Race Conditions: Race conditions can occur while a program or process is in a privileged mode. A user can time an attack to take advantage of the elevated privileges while the program or process is still in that mode.
8. Incorrect File and Directory Permissions: File and directory permissions control the access granted to users and processes. Poor permissions could allow many types of attack, including the reading or writing of password files or additions to the list of trusted remote hosts.

Wireless scanning will be used to discover any rogue access points and to test basic wireless security. Bluetooth scanning and testing will also be carried out to ensure that the proper security controls are in place for mobile devices. This test will also look at the range of the wireless signal to check how far it extends from the building.

External scanning will also be carried out in order to test perimeter defenses. The scanning will use the tools already listed to find any open ports or services running on servers that have been placed in a demilitarized zone (DMZ). Vulnerability scanning will be done to ensure that any front-facing systems are secure.

Vulnerability Validation

Password cracking will be carried out using tools such as Ophcrack or rainbow tables to ensure that password policies are being followed. This will reveal whether the policy in Active Directory or another system has been properly set up and whether it is being properly enforced by the systems. Ophcrack will mainly be used to test Windows-based computers, and rainbow tables will be used to test other operating systems.
Unfortunately, due to time constraints there is not enough time to test whether password history works properly, but staff can run any of these checks offline at their own scheduled intervals.

Penetration testing will be carried out using Metasploit, but only to verify that a previously identified vulnerability does, in fact, exist. This is important, since some vulnerabilities can be false positives and lead to time being wasted trying to fix problems that are not really there. While a penetration test can eliminate false positives, it should be understood that using an exploit against a live system can leave that system unstable. The skilled workers at NicksIT.net can ameliorate the situation; however, this is never 100 percent certain, so exploits will only be run after careful consideration, notification, and planning.

The penetration testing will consist of four phases. In the planning phase, rules are identified, management approval is finalized and documented, and testing goals are set. The discovery phase of a penetration test includes two parts: the first is to make sure all systems that are to be included have been scanned, and the second is vulnerability analysis, which involves examining the network scan information. This phase is very important, since the outputs of Nmap, Nessus, and NeXpose will be compared to cross-reference all scan data, and checked against public vulnerability databases such as the National Vulnerability Database (NVD). Once all this has been completed and management has signed off on the scheduled attacks, the team will begin. If an attack is successful, the vulnerability is verified and a mitigation plan will be started. If the vulnerability escalates privilege levels on the system, additional testing will be required to find out what this affects.
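As an added example (not part of the NEWT plan or NicksIT.net's tooling) of the discovery-phase cross-referencing described above, the following Python script parses a constructed fragment of Nmap XML output, flags open services that are not on a host's approved-service list, and sorts constructed vulnerability-scanner findings into those Nmap confirms (port seen open) and those that still need validation before anything is acted on. The host addresses, the policy table, and the findings are all assumed sample values.

```python
# Added example, not from the NEWT plan: cross-reference an Nmap service inventory
# against an approved-services policy and a vulnerability scanner's findings.
# All hosts, ports, policy entries and findings below are constructed samples.
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of `nmap -oX` output.
NMAP_XML = """<nmaprun>
 <host><status state="up"/><address addr="10.0.1.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
  <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
 </ports></host>
 <host><status state="up"/><address addr="10.0.1.20" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
 </ports></host>
 <host><status state="down"/><address addr="10.0.1.30" addrtype="ipv4"/></host>
</nmaprun>"""
# Approved services per host, as the security policy would list them (assumed).
POLICY = {"10.0.1.10": {"ftp", "http"}, "10.0.1.20": {"https", "ssh"}}
# Constructed findings standing in for a Nessus/NeXpose export.
FINDINGS = [
    {"host": "10.0.1.10", "port": 21, "id": "FTP cleartext authentication"},
    {"host": "10.0.1.20", "port": 22, "id": "Outdated SSH version"},
    {"host": "10.0.1.30", "port": 80, "id": "Outdated web server"},
]

def parse_nmap(xml_text):
    """Return {ip: {port: service}} covering only ports Nmap reported open."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port data worth inventorying
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        inventory[ip] = {}
        for port in host.iter("port"):
            if port.find("state").get("state") == "open":
                inventory[ip][int(port.get("portid"))] = port.find("service").get("name")
    return inventory

def unapproved_services(inventory, policy):
    """Open services absent from the host's approved list (unknown hosts: all)."""
    return sorted((ip, port, svc) for ip, ports in inventory.items()
                  for port, svc in ports.items() if svc not in policy.get(ip, set()))

def triage(findings, inventory):
    """Split scanner findings into confirmed (Nmap saw the port open) and
    unconfirmed (host unseen or port not open); validate the latter first."""
    confirmed, unconfirmed = [], []
    for f in findings:
        bucket = confirmed if f["port"] in inventory.get(f["host"], {}) else unconfirmed
        bucket.append(f)
    return confirmed, unconfirmed

if __name__ == "__main__":
    inv = parse_nmap(NMAP_XML)
    print("not in policy:", unapproved_services(inv, POLICY))
    print("needs validation:", [f["id"] for f in triage(FINDINGS, inv)[1]])
```

On real data, replace NMAP_XML with the file written by `nmap -oX` and FINDINGS with rows from the scanner export; findings that land in the unconfirmed bucket are the first candidates for the false positives the plan warns about.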
If the system being penetration tested has an antivirus product installed, then the exploit used should set off that antivirus. If the antivirus does not trigger an alert, this could indicate a misconfigured or faulty antivirus. Testing boundaries will be identified before any IP address is attacked, to ensure that the particular IP address is owned and managed by NEWT and that the system is not critical to the day-to-day operations of NEWT. If third parties host services for NEWT, permission will need to be obtained from the parties involved, and an adjustment to the scope of the assessment will have to be made.

Social engineering will be used to see whether employee training has been successful in teaching the staff at NEWT what information should not be revealed. This test will be carried out using a few methods, such as face-to-face contact, phone calls, and e-mail phishing. Another aspect of this will be dumpster diving, to see whether any documents containing personally identifiable information have been thrown away. This is a really important part, since NEWT uses NIST SP 800-88 to destroy all records. If a social engineering attack is successful, the employee's name will be used in the report. This should not be held against the employee, since employees will be chosen at random and the testing will be done at random times during the day, which means that any employee could be tested. Again, this is not meant to test individual employees, but rather to measure the effectiveness of the employee awareness program and the staff's understanding of company policies.

Finally, a complete copy of the web server will be created, along with the File Transfer Protocol (FTP) server, and both of these will be fully tested. Both systems were identified when putting together the scope for this assessment. Both will be copied into a virtual machine and set up with identical settings and patch level. These systems have been identified as low-hanging fruit and would probably be the target of any attack. In previous assessments of NEWT, these systems have always been a focal point and, therefore, need to remain as secure as possible. The FTP server is what the United States Government uses to retrieve technological weapons, and if a vulnerability were found in it, these weapons could fall into the hands of very bad people.

Benefits

After the NIST SP 800-115 assessment is completed, NEWT will be fully compliant with FISMA for another year. This will ensure that NEWT can continue its contractual agreement with the United States Government. It also allows the stakeholders of NEWT to rest assured that the information security policies and procedures in place are fully up to date and working as anticipated.

Conclusion

NIST SP 800-115 is a great tool to assist in testing and evaluating the security posture of a company. While the Technical Guide to Information Security Testing and Assessment is a great document with a very well laid out framework, it does not explain how to use any tools, nor does it go into detail about which tools to use. This means that anyone using this framework had better know up front what kinds of tools are out there and which ones could be used to accomplish the necessary tasks. Personally, I have found that to be true of most of the NIST documents that I have read thus far. They are great at giving you a methodology, but they stop right there. I would love to have more information in one of these assessment documents about how to use some of the tools. I feel that these documents ultimately leave information out so that they are only used by people who specifically know what they are doing.
This is not a bad thing per se; it is just a bit hard to really distinguish the differences between all the testing and assessment documents out there, as all of them seem to be a framework and nothing more.

Reference

Scarfone, K., Souppaya, M., Cody, A., & Orebaugh, A. (2008). Technical Guide to Information Security Testing and Assessment (NIST Special Publication 800-115). Gaithersburg, MD: National Institute of Standards and Technology.