- Category: Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
Author: Allen Melmeg
Date Added: February 12th, 2007
Introduction
The boundaries of a company have changed with the expansion of the Internet. In the '80s most companies had only a physical boundary, and protecting their assets meant protecting that boundary. Today, due to the changes in the way resources are made available, companies must also verify that their assets are protected from both the external and internal threats that our working environment has enabled. Penetration validation is the process of validating that the defences of our assets across the entire environment meet the confidentiality, integrity, and availability (CIA) standard specified by the company's policy. It is the step that follows penetration testing (the phase in which vulnerabilities are actually exploited). The purpose of penetration validation is to validate the penetration test results against the actual loss per asset that would occur.
The objective of this paper is to highlight the entire cycle of penetration testing and validation, thus giving the reader a better understanding of penetration from the CISSP perspective. Penetration testing and validation provide only a snapshot of the security environment at a specific point in time and, as such, make configuration management a key component in maintaining our ever-dynamic environment.
Requirements
- Obtaining written approval from management should be the first step before penetration validation can commence. This is critical and often a minimum requirement from a penetration (pen) tester's perspective, with respect to legality issues.
- A term of agreement should be established in the interest of the organization and the pen testing team's liability. The terms provide guidelines for the tester and means of interaction between the organization and the pen testing team.
- Yet another basic requirement is the project scope of the pen test validation. The scope may be limited to specific target systems or may be a comprehensive validation covering as many vulnerabilities as possible throughout the entire organizational structure; it states what is expected, what the required deliverables are in the form of documentation, and which corrective measures are recommended to safeguard the assets. A well-defined scope makes the penetration validation a feasible goal to obtain.
- Liability insurance is another basic requirement that the pen testing team needs to provide the organization. This is necessary to cover expenses for faults caused by the pen testing team, making them liable for their actions.
- Service level agreements (SLAs) should be provided by the pen testing agency. They define the terms of services that are provided. Normally such SLAs cover both solutions and penalties. In general, SLAs dictate the minimum levels of availability and the consequences of disruption of services.
There are two types of penetration:
- Internal: This testing is often performed from different network access points that include both the physical and logical segments; this provides a more detailed view of the security.
- External: This testing focuses on the infrastructure components, servers, and the related software of the target. It also provides a detailed analysis of the information that is available from public sources, such as the Internet. Enumeration of the network is also performed and analyzed. The filtering devices, such as firewalls and routers, are also scrutinized for their vulnerabilities. Finally, the impact and consequences are assessed.
The two types of penetration have three variations, each depending on the degree of knowledge provided by the target company to the pen testing team.
- Black box: This testing does not provide the tester with any information and is therefore a much better testing method, because crackers and script kiddies normally have no information obtained directly from the target company and must gather their information from public sources. It simulates real-world attack scenarios. The steps of mapping the network, enumerating shares and services, and operating system fingerprinting are typical for black box testing.
- White box: In this testing, the relevant information is provided in order to assess the security against specific attacks or specific targets. This is the chosen method when the company needs a complete audit of its security.
- Grey box: In this testing, some knowledge is provided to the testers, which puts the tester in a privileged position. This is normally the preferred method when cost is a factor, as it saves the pen testing team the time needed to uncover information that is publicly available. This approach is also suitable when the organization needs to gain knowledge of security assessment practices.
Methods of Penetration
There are two ways to have penetration performed. This paper describes the details of the manual alternative, because it is the preferred method for providing an unbiased report, which may be necessary to meet legal regulations.
- Automatic: Automatic penetration is often chosen when cost is a key factor. Because many penetration tools are available as free software, a company could choose to have the penetration performed by this method. Commercial tools have a cost associated with them; however, that cost can be spread out and would still be a less costly solution than manual penetration. The learning curve for each penetration tool is usually much steeper, though, and the knowledge and experience required for such work demand the skills of an expert.
- Manual: Manual penetration is usually chosen to give an independent assessment of the penetration. Normally an external company that is experienced in the field and does it on a regular basis, with a good track record, is chosen. Regulation requirements could make this the only alternative a company has.
Resources/Assets
Each company has its own assets whose confidentiality, integrity, and availability it must maintain. The type of asset could be physical, such as people or hardware, or it could be logical, such as data or installed software. Each type of asset plays an important role in security. Companies need to protect these assets and not only know that they are protected, but also take the measures to validate that the controls put in place actually meet the security policy of the company. Each asset should have a value assigned to it, because this allows you to evaluate more accurately the loss in cases where availability of the asset is a factor. Understanding the role of each asset in the entire environment is crucial, as an asset by itself might not be of high importance and value but, when used together with another important and very valuable asset, could be the weak point in the chain. Every asset's security measure has its own cost-to-loss ratio, which determines whether the control mechanism needed to minimize the loss of the asset's availability is justified.
- People: Often a company's most critical and important asset. However, this is one of the least protected assets because it is often taken for granted. No matter what high-tech hardware and software you have, people will always maintain their place in the ranking of assets. This is a human asset, so it is prone to its own vulnerabilities. People, like everything else, have their own weaknesses. One weakness often exploited by attackers is social engineering, which is used to obtain valuable information from employees. Piggybacking into an office is another common method used to defeat security measures put in place, such as access codes to the facility. Educating employees is the only way to minimize the loss that could result from these vulnerabilities, and this should be done on a regular basis.
- Data: Data is considered the most important asset and usually has procedures in place to restore it to its original state in case of corruption. However, just having procedures in place is not enough. You need to verify that those backups can restore the data to its original state by performing verification on a regular basis. Auditing is one way to keep track of the proper use of data.
- Hardware: In today's computer environment we have so many different hardware assets that keeping track of each, and its utilization, is very important. This is where a librarian comes into play. Some of the various hardware assets are servers, desktops, firewalls, and routers, each with its own specific vulnerabilities.
- Software: Another asset is software, which you need to monitor closely. Tracking it is necessary because its security posture changes constantly as patches are released. Control management plays a key role for both hardware and software, where changes and updates are now much more frequent. Keeping up to date with software updates is an ongoing battle that most companies face today.
Threats
A threat is, in its simplest form, any event that, should it be realized, could cause loss or damage affecting the confidentiality, integrity, or availability of an asset. It can be either intentional, such as malicious modification of sensitive data, or accidental, such as deletion of a file.
Vulnerabilities
A vulnerability is best defined as a weakness in your assets, whether people, data, hardware, or software, that can be exploited by a threat and allows intruders to infiltrate your security environment. Dedicated crackers focus on scrutinizing software products, whether operating systems or application software, looking for weaknesses to exploit for their own purposes. Well-known sites share information about new vulnerabilities in order to keep security-related personnel updated. www.cert.org and www.securityfocus.com are two of the most popular sites for identifying the latest vulnerabilities and providing fixes. Learning and understanding vulnerabilities as they become known is key to maintaining your security structure.
Exploits
An exploit is a method developed to take advantage of a vulnerability once it is known. At this stage you have zero-day attacks: the vulnerability is discovered and the exploit is developed shortly after, leaving security administrators no time to resolve the vulnerability. Sites are also available that keep security administrators up to date on new exploits. A proof of concept is sometimes provided as well, enabling you to verify whether you are actually subject to the exploit.
Risk Management (Risk = Threat x Vulnerability)
You need to understand the risks involved in doing a pen test. It could cause disturbances such as unexpected server crashes, data corruption, or even performance brought to a standstill, resulting in loss of revenue and productivity. Unannounced tests normally carry a high rate of risk, and the likelihood of encountering unexpected problems is even higher. A successful pen test depends on the expertise and experience of the pen testing team. Pen test teams need to plan for risks and ensure that contingency plans are in place to optimize time and resource utilization. You need to determine the risk factor of each asset and its value to get the damage/loss value that could occur in cases of security breaches and disturbances.
Control Management
This process keeps track of changes to our security environment in an organized way and thus allows you to manage, control, and check when such changes have taken place. In general, control management is how you identify, control, account for, and audit changes made to the trusted computing base (TCB).
Updates
Program updates are more frequent these days and, as such, you need to keep up-to-date with updates for program compatibility and vulnerabilities.
Patches
Patches are released on a regular basis today; therefore, keeping your security structure updated with the latest patches is a must. However, you need to test each patch in a test environment before applying it to the live systems, because a new patch can cause new issues.
Environment Changes
All your physical hardware or software will at some time be replaced for some valid reason, such as a new server with a higher-speed processor, or because the old processor does not give the performance result that is required today. Knowing your actual environment as it is today compared to what it may have been some time back is a must.
Penetration Testing
This process enables you to exploit the vulnerabilities in your security environment in as controlled a manner as possible. It is often done after an audit assessment, a vulnerability assessment, and risk management have been performed. It can be a risky process, as unexpected downtime in the environment could have negative results. It is critical that the business continuity plans (BCPs) and the disaster recovery plans (DRPs) have been tested and verified before any penetration is ever undertaken. The expertise required to obtain the results of such a test is very high, and a very broad view of the entire environment and of the process interaction between systems is vital. Starting penetration testing without written approval is not an option, because it is an illegal breach of security. It is crucial to keep a log of all activities performed and the results obtained, no matter what the outcome. Make sure all the performed activities are timestamped and that the information is passed on to the designated contact person in the organization.
The process of penetration testing could highlight to the respective concerned administrators, managers, and executives the potential consequences that attackers could cause by taking control of their assets.
Phases of Penetration Testing
Pre-Attack Phase
The pre-attack phase has two parts: passive and active reconnaissance.
- Passive Reconnaissance: This phase provides all the footprinting information, such as physical and logical locations, analog connections, and company contact information. It consists of the following activities: directory mapping (web, ftp), competitive intelligence gathering, asset classification (determining asset value of infrastructure that is interfacing with the web), obtaining registration information, product/services offered (finding out the product ranges and services offered by the target company that are available online), document sifting (the gathering of information only from published material), and social engineering.
- Active Reconnaissance: This phase attempts to profile and map the Internet presence of the organization. A few of the activities involved are network mapping, perimeter mapping, web profiling, and operating system and service identification obtained through OS fingerprinting and port scans.
Attack Phase
Perimeter Testing: This phase includes the following steps: penetration of the perimeter (getting access through the firewall), gaining access to the target (having control and access), getting root privileges by escalation, and then executing code of choice. At that point it would be possible to install root kits or Trojans and finally cover the tracks.
Normal activities included in this phase are as follows:
- Checking to see how the target is responding to error responses and how it is managing errors when probed with ICMP probes.
- Spoofing responses by creating specially crafted packets to test the access control lists.
- Testing to measure the threshold of denial-of-service attacks by sending different connection variations of both TCP and UDP.
- Testing to see which protocol filters are in place by trying to connect with the most frequently used protocols (such as SSH, FTP, and Telnet).
- Testing to see whether the IDS allows malicious content and scanning the target in many ways to see whether the IDS captures abnormal traffic.
- Testing to see whether systems in the DMZ, such as web servers, respond to web server scans using various methods such as POST, DELETE, and COPY.
Different Web Application Testing: These include some of the following activities:
- Testing for input validation
- Sanitization of output parameters
- Testing whether the target is vulnerable to buffer overflow attacks
- Checking to see whether denial-of-service can be achieved by locking out users or excessive requests to a service
- Testing for sensitive data that can be obtained through the cache, and also checking for error messages
Acquire Target: At this phase, you try to discover as much information as possible about the target to use this information at a later time when exploitation is performed. You perform scanning of the target machines, such as vulnerability scanning, and test different methods to acquire the target, such as active probing scans. You also try to access the target machine using authorized information with the help of some type of social-engineering attack.
Escalating Privileges: After the system has been acquired, you need to escalate the privileges by exploiting the target and gain access to the protected assets. Some such activities would be the use of techniques like brute force to obtain an authenticated status and using Trojans, protocol analyzers, or any other means to get information.
Gaining Access: It is at this stage that the penetration tester exploits the vulnerability by executing the code of choice, such as obtaining a command shell. After access is gained, it is common to upload root kits or implant programs that provide backdoor access. Having the target connect back to the attacker's machine is often the solution attackers prefer. Following this, the attacker needs to cover his tracks by manipulating the audit logs. The main goal here is to explore the extent to which security defences fail.
Post-Attack Phase
At this stage the pen tester needs to restore the systems exploited back to their original states. This includes activities such as removing uploaded root kits or backdoor programs, removing exploited vulnerabilities, and cleaning up the Registry entries added during the exploitation and installation of programs on the compromised target, as well as removing shares and connections established during the gaining access phase.
Penetration Testing Deliverables: These include a detailed report of all incidents that occurred, and all activities carried out, during the testing. A description of the observations made during testing is provided, as are the objectives and the recommended corrective measures, as agreed upon in the rules of engagement.
Validation of Penetration: This is the final step after penetration testing is accomplished. You now have a documented report with the actual validation of each asset value that would be lost in the event of a breach of your security defences. The validation report also defines to what degree the penetration was successful and unsuccessful. Recommendations are provided to secure those components that did not pass the test, or met it only to a certain degree, as required by regulations or security policy. Validation establishes the worth of penetration testing as a defensive measure for the entire environment. It is an independent evaluation of the results obtained from the penetration testing to ensure that they are conclusive. Recommendations that need to be implemented are also in this report. A gap analysis is now performed that shows the difference between where the organization is today and where it would like to be.
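As an added example (not from the article or its sources), the following Python model ties together the article's definition Risk = Threat x Vulnerability, the per-asset value and cost-to-loss ratio from the Resources/Assets section, and the validation report's gap analysis against a policy threshold; the asset inventory, threat and vulnerability figures, control costs and the policy threshold are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One asset from the inventory, with the figures the validation needs.
    All names and numbers used below are constructed for illustration."""
    name: str
    kind: str              # people, data, hardware or software (the article's asset types)
    value: float           # value assigned to the asset by the organization
    threat: float          # likelihood (0..1) that the threat against it is realized
    vulnerability: float   # degree (0..1) to which the pen test showed it can be exploited
    control_cost: float    # cost of the control(s) protecting the asset


def risk(asset: Asset) -> float:
    """Risk = Threat x Vulnerability, as the article defines it."""
    return asset.threat * asset.vulnerability


def expected_loss(asset: Asset) -> float:
    """Damage/loss value a breach of this asset would cost (risk times asset value)."""
    return risk(asset) * asset.value


def cost_to_loss_ratio(asset: Asset) -> float:
    """Control cost relative to the loss still exposed; inf when the test showed no loss."""
    loss = expected_loss(asset)
    return float("inf") if loss == 0 else asset.control_cost / loss


def gap_analysis(assets, max_risk: float):
    """Assets whose risk exceeds the policy threshold, largest expected loss first."""
    failing = [a for a in assets if risk(a) > max_risk]
    return sorted(failing, key=expected_loss, reverse=True)


def validation_report(assets, max_risk: float):
    """One line per asset: pass/fail, risk, expected loss and cost-to-loss ratio."""
    lines = []
    for a in sorted(assets, key=expected_loss, reverse=True):
        status = "FAIL" if risk(a) > max_risk else "pass"
        lines.append(f"{status} {a.name:<18} {a.kind:<8} risk={risk(a):.2f} "
                     f"loss={expected_loss(a):>9,.0f} cost/loss={cost_to_loss_ratio(a):.2f}")
    return lines


# Constructed sample inventory; 'vulnerability' records what the hypothetical pen test found.
ASSETS = [
    Asset("customer database", "data", 500_000, 0.30, 1.0, 40_000),   # fully exploited via privilege escalation
    Asset("DMZ web server", "hardware", 120_000, 0.60, 0.5, 15_000),  # partly: unsafe HTTP methods accepted
    Asset("help desk staff", "people", 80_000, 0.50, 0.8, 2_000),     # social engineering largely succeeded
    Asset("VPN firewall", "hardware", 200_000, 0.40, 0.0, 30_000),    # not penetrated
]

POLICY_MAX_RISK = 0.25   # assumed threshold taken from the security policy

if __name__ == "__main__":
    for line in validation_report(ASSETS, POLICY_MAX_RISK):
        print(line)
    print("Gap:", [a.name for a in gap_analysis(ASSETS, POLICY_MAX_RISK)])
```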
Summary
The basic steps performed by penetration testers in doing both penetration testing and validation have been discussed from a broad view standpoint. Having this knowledge should give students learning these skills some foundation that they can further build on. Ensuring that the requirements stated previously have been accomplished is a must, and no compromise in this matter should be accepted. Verifying that both BCP and DRP have been tested before starting penetration is also a must. Finally, remember that any penetration test or validation report is valid for only a specific point in time.
Allen Fernandes
MCSE, GSEC, CISSP, GCFA
Sources
The following three sources have been studied by me, and I have to the best of my knowledge presented concepts and penetration testing phases as I have understood. I use these testing phases successfully and appreciate very much these sources.
Chapter 22, Penetration Testing: EC-Council Official Curriculum, Ethical Hacking and Countermeasures. Courseware Manual v4.1
Chapter 6, Operation Security: The CISSP Prep Guide Gold Edition by Ronald L. Krutz and Russel Dean Vines
DVD 3 Volume 2: CISSP Certification Package(Video Seminar) by Shon Harris
References
Other references that have more details about the different phases, attacks, and defense strategies have also complemented this paper.
Guideline on Network Security Testing - http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf
Counter Hack by Ed Skoudis
Hacking Exposed, 3rd Edition, by Stuart McClure, Joel Scambray, and George Kurtz
The Art of Deception by Kevin D. Mitnick and William L. Simon