Penetration Testing

Information Technology (IT) infrastructure is continually evolving: new workstations, servers, and routing hardware are added and new network connections are established. Existing network security may not be strong enough to cope with the enhanced network functionality. Although firewalls provide protection, they can be circumvented through incorrect configuration and ineffective maintenance and monitoring. Vulnerabilities are found daily in existing software, and combinations of software solutions can create new weaknesses for attackers to exploit. To maintain organizational confidence, the effectiveness of IT infrastructure security should regularly be subject to penetration testing.

Penetration testing takes the existing IT infrastructure at face value and examines it for security holes and potential exploits that an attacker could use. The standard penetration test takes two related paths: an assessment of procedure and an assessment of IT.

The assessment of procedure examines how the IT is used and looks for existing vulnerabilities that a hostile third party could exploit. This includes examining employment contracts, hardware and software support contracts, and e-mail and internet/IT usage procedures. An assessment of the organization's open-source internet presence can also be provided (e.g. whether network physical transport mechanisms and server types can be determined from the internet).

The assessment of IT infrastructure takes the following general approach (the approach adapts and changes to suit differing client networks):

Network topology discovery and host scanning
This process takes an "on the ground" view of the client IT infrastructure. Open network ports across the network are scanned. The product of the scan is compared with expected network use (e.g. web servers have HTTP/HTTPS ports open, e-mail servers may use IMAP/POP3/SMTP ports, Windows machines may use RPC/NetBIOS). The scan can also include examining open ports for hostile "Trojan horse" type activity.

An assessment is made of any identified vulnerabilities. The client determines the level to which identified vulnerabilities are tested (from identification through to actual exploitation). This is separated into:

Network Vulnerabilities
Identification of unknown open ports and ports that under normal function should not be open. Any Trojan activity is noted. Assessments are made of web server vulnerabilities; network shares and null session connection capability on Microsoft networks; and network management security vulnerabilities, including DNS, DHCP and SNMP security functionality on the network. An assessment can also be made of any router and bridge software and connection vulnerabilities.
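The two passages above describe comparing scan output against expected network use and flagging ports that should not be open. The following is an added example (not code from the original page or from Dark Matter Technologies) of how an assessor can make that comparison repeatable: a baseline of expected TCP ports per host role, a watchlist of ports worth a closer look, and a checker that reports open ports outside the baseline, expected ports that are closed, and unknown hosts. The host names, roles, scan lines and watchlist values are constructed sample data.

```python
"""Compare observed open ports against an expected-service baseline.

Added example, not part of the original page. Host names, roles, the scan
text and the watchlist entries are constructed for illustration.
"""
from dataclasses import dataclass

# Expected TCP ports per host role (constructed baseline following the page:
# web servers expose HTTP/HTTPS, mail servers IMAP/POP3/SMTP, Windows hosts
# RPC/NetBIOS/SMB).
EXPECTED_PORTS = {
    "web": {80, 443},
    "mail": {25, 110, 143, 993, 995},
    "windows": {135, 137, 138, 139, 445},
}

# Ports the assessor wants called out explicitly if they are open anywhere.
# Illustrative values only; a real engagement maintains its own list.
PORT_WATCHLIST = {12345, 31337}

# Constructed scan output in a simple "host port/proto state" line format.
SAMPLE_SCAN = """\
web01 80/tcp open
web01 443/tcp open
web01 31337/tcp open
mail01 25/tcp open
mail01 143/tcp open
mail01 22/tcp open
ws-07 139/tcp open
ws-07 445/tcp open
ws-07 8080/tcp closed
"""

# Constructed host inventory mapping each scanned host to its documented role.
INVENTORY = {"web01": "web", "mail01": "mail", "ws-07": "windows"}


@dataclass
class Finding:
    host: str
    port: int
    kind: str  # "unexpected", "watchlist", "missing" or "unknown-host"


def parse_scan(text):
    """Return {host: set(open TCP ports)} from the line format above."""
    open_ports = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        host, port_proto, state = parts
        port, proto = port_proto.split("/")
        if proto == "tcp" and state == "open":
            open_ports.setdefault(host, set()).add(int(port))
    return open_ports


def assess_host(host, role, open_ports):
    """Flag deviations between one host's open ports and its role baseline."""
    findings = []
    if role not in EXPECTED_PORTS:
        # A host with no documented role cannot be judged against a baseline;
        # every open port is reported so the inventory gets corrected.
        return [Finding(host, p, "unknown-host") for p in sorted(open_ports)]
    baseline = EXPECTED_PORTS[role]
    for port in sorted(open_ports - baseline):
        kind = "watchlist" if port in PORT_WATCHLIST else "unexpected"
        findings.append(Finding(host, port, kind))
    for port in sorted(baseline - open_ports):
        # Expected but closed: a service may be down or the baseline is stale.
        findings.append(Finding(host, port, "missing"))
    return findings


def assess_scan(scan, inventory):
    """Run the baseline comparison over every host in the parsed scan."""
    findings = []
    for host, ports in scan.items():
        findings.extend(assess_host(host, inventory.get(host, "unknown"), ports))
    return findings


if __name__ == "__main__":
    for f in assess_scan(parse_scan(SAMPLE_SCAN), INVENTORY):
        print(f"{f.host:8} {f.port:6} {f.kind}")
```

The "missing" category is deliberately reported alongside "unexpected": a port that the baseline says should be open but is not usually means the inventory is out of date, and an inaccurate inventory is what makes unexpected ports easy to miss in the first place.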

Host Vulnerabilities
Operating system patch states (to include service packs and hotfixes) are noted and associated vulnerabilities are tested. Password use across the network is tested, the strength of operating system password function is examined, and host password lexical "strength" is tested.

External connectivity
An assessment is made of firewall software (and associated vulnerabilities), firewall policy (what the firewall will let pass in either direction), and any network address translation that occurs.

The reporting of vulnerabilities
The reporting of vulnerabilities is the final stage of a penetration test. The results may be delivered as a presentation and/or a written report. The report includes recommendations that provide a statement of action for security improvement as a result of the penetration test.
COPYRIGHT 2004, DARK MATTER TECHNOLOGIES, INC. ALL RIGHTS RESERVED.