Technical (Bottom-Up) Methodology 93
you will conduct. For the site survey, you really just need to know if it is
going to be included. However, even if a formal physical security review is
not necessary on your target network, keep your eyes open for potential
physical gaps in security. This is more applicable if you are a consultant than
if you are running the NVA from inside your target organization. This is due
to the fact that if you are an employee of the organization for which you are
performing the security review, you will already know where the physical
security holes are.
Having determined the media types, the concentrator types, the number
and type of operating systems, the start and stop point of the target network,
the network protocols in use on the target network, where the sensitive
information is located, the number of servers, and whether or not you need
to look at the physical security of your network, then you are finally finished
with the site survey. All of this information becomes very important for the
next step — developing a test plan. However, oftentimes you cannot get
answers to all the questions in the site survey. This may be due to a new
network administrator, a very large network, or just a general lack of
documentation on the target network. To overcome any of this difficulty, you may
want to employ a network discovery tool. These tools are listed later in the
chapter under the heading “Zero-Information-Based Tools” (see Step 3). These
tools may also be worthwhile as a verification component to your site survey.
Not that anyone would ever intentionally mislead you, but it may be best to
check your answers personally.
Step 2: Develop a Test Plan
The next step in the six-step process is developing a good test plan for
executing the NVA. A key area that your test plan will help with is in the
testing for new and sometimes high-profile vulnerabilities. From time to time,
some computer vulnerabilities get enough attention that they make their way
to mainstream news outlets such as CNN or USA Today. Code Red, Nimda,
and the recent series of vulnerabilities inside SNMP are great examples. With
that being said, it is very difficult to constantly keep up-to-the-minute
information on what the latest vulnerabilities are. Most people who run an NVA
do not run NVAs as their only job function. If this is true for you as well,
then you will need to get the latest information from Internet sources that
maintain up-to-date vulnerability assessment information. The next subsection
(“Internet Sources”) discusses some of the Internet sites that keep information
on hacking, vulnerabilities, and other components of the Internet’s
underground. The list is by no means an exhaustive list of sites that house this kind
of information but it should provide a good starting point for your research.
It is also important to note that during this phase it might seem like an
easy chance to come up with a checklist of vulnerabilities to look for. In fact,
we have included many checklists in this book. However, you should never
use a checklist as an exhaustive list of tests to run on your target network.
94 Managing Network Vulnerability Assessment
Again, as it was once explained to us, running a vulnerability assessment using
only a checklist is like building a car by looking only at a parts checklist. In
the car analogy, you would check to see if the car has the following appropriate
parts:
Car seats
Steering wheel
Seat belts
Engine
Four tires
Transmission
Even if your car had all of the parts listed above, you still would not have
a car. All you would have is a pile of car parts. This is the same as running
the NVA using only a checklist. You would check for the vulnerabilities that
you have on the checklist, but you would miss those that are not on it. Instead,
the best mind-set to have when running a vulnerability assessment is similar
to that of a crime investigator. In this mind-set, each set of tools that you run
will provide clues for what the correct next step of investigation should be.
You might be saying that even crime scene investigators have procedures to
follow, and that is true; but starting with a checklist and looking for other
tests to run is very different from running the list that you compiled at this
phase to the exclusion of all others. The best advice to remember at this point
is to keep your eyes open because, just when you think you have seen it all
in a vulnerability assessment, something new will come up and surprise you.
Now, let’s take a look at those Internet sites that can help you get a better
understanding of new vulnerabilities.
Internet Sources
You might be thinking, “How often should I check for new vulnerabilities on
the Internet?” The best answer is: “Before you start any vulnerability
assessment.” The number of types of vulnerabilities just keeps growing and growing,
and it can be almost impossible to keep up with. It may often feel that if you
have been away from network vulnerability assessment for more than two
weeks that you are completely out-of-date; we know that we do. This is where
a few hours of research on the Internet may be a great help. Also, the tools
used in vulnerability assessment change almost as fast as the vulnerabilities
themselves. Most of the same sites we will look at for vulnerabilities are also
the sites to check for tools.
Part of the reason to do the research is for the sake of efficiency. A good
test plan will help you maximize the time spent gathering data on the target
network. The best test plans are gentle reminders that you need to check for
certain high-impact vulnerabilities, but not such a complete list that you ignore
the testing methodology.
Web Site: Astalavista
URL: http://astalavista.box.sk (Exhibit 2)
Description: Astalavista is a great site to begin any Internet search. It
supports several sites internally and also has a search engine that looks
at other sites as well. Lately, the site appears to be getting less support
and maintenance than previously, but it is still a good starting point.
The site has recently added an enormous number of pop-up ads
whenever you perform a search. Hopefully, the pop-ups will be
short-lived. On this site you can find information on security exploits,
downloadable executables, and some articles on security in general.
Due to the pop-up ads and the occasional adult content banners, this
may not be the best site to search when at work.
Pop-Ups: Yes
Adult Content Banners: Yes
Exhibit 2. The Astalavista Web Site
Web Site: Underground Systems Security Research
URL: http://www.ussrback.com (Exhibit 3)
Description: Underground Systems Security Research is a very good site
specific to vulnerabilities. You can often find a posting about a vulnerability,
the code to execute the vulnerability, and a script or point-and-click
tool as well. It makes searching for vulnerabilities and tools that coincide
much easier. Many of the links from this site are linked into the
Astalavista search engine.
Pop-Ups: Yes
Adult Content Banners: Yes
Web Site: Attrition.org
URL: http://www.attrition.org/security (Exhibit 4)
Description: Attrition became famous for posting the high-profile defaced
Web sites. It also has a very good list of vulnerabilities listed by product,
a number of decent articles or postings, nice archives for older site
posting, and a mailing list to which you can subscribe.
Pop-Ups: No
Adult Content Banners: No
Web Site: SecurityFocus
URL: http://www.securityfocus.com (Exhibit 5)
Description: SecurityFocus is as close to a definitive source of vulnerabilities
as there is. You do have to register to get access to the vulnerability
database, but registering is worthwhile. SecurityFocus also has several
Exhibit 3. The USSR Back Web Site
Exhibit 4. The attrition.org Web Site
Exhibit 5. The SecurityFocus Web Site