Technical (Bottom-Up) Methodology 107
Do backdoors or inappropriate chains of trust exist? These can take a number
of forms. Is an end user running pcAnywhere as a way around the corporate
virtual private network (VPN)? On UNIX systems, an inappropriate chain of
trust can be hiding in the r-command trust files: the system-wide
/etc/hosts.equiv and the per-user ~/.rhosts files, particularly when an
entry uses the "+" wildcard, which trusts every host (or every user).
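The check a tester would actually run for the r-command trust files, as an added example that is not from the book: it walks /etc/hosts.equiv and every ~/.rhosts under a given root and reports any entry whose host or user column is the "+" wildcard. The directory tree it scans is constructed inline so the script runs offline; on a real host you would point it at / and run it as root so every home directory is readable.

```shell
#!/bin/sh
# Added example (not from the book): audit r-command trust files for wildcards.
# The tree below is CONSTRUCTED sample data; on a real host use ROOT=/ as root.

ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc" "$ROOT/home/alice" "$ROOT/home/bob"
printf 'trusted.example.com\n+ +\n'          > "$ROOT/etc/hosts.equiv"
printf '# personal trust\nbuild01 alice\n+\n' > "$ROOT/home/alice/.rhosts"
printf 'build01 bob\n'                        > "$ROOT/home/bob/.rhosts"

# Print "file: entry" for every trust entry whose host column ("+" = any host)
# or user column ("+" = any user) is a wildcard.  Comments and blank lines
# are skipped; "-" deny entries and "+@netgroup" entries are not flagged.
rhosts_wildcards() {
    root=$1
    for f in "$root/etc/hosts.equiv" "$root"/home/*/.rhosts "$root/root/.rhosts"; do
        [ -r "$f" ] || continue          # unmatched glob or unreadable file
        awk -v file="$f" '
            /^[[:space:]]*(#|$)/      { next }
            $1 == "+" || $2 == "+"    { print file ": " $0 }
        ' "$f"
    done
}

rhosts_wildcards "$ROOT"
```

Two hits are expected from the constructed tree: the "+ +" line in hosts.equiv (any user from any host may log in as any local user) and the bare "+" in alice's .rhosts (any host may log in as alice); bob's file, which names one host and one user, is not reported.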
Is there evidence of intrusion? Keep your eyes open when performing the
tests. If your results give you real reason to believe that an intrusion has
occurred, stop your testing and alert the responsible party immediately.
Any further security testing you do at that point could overwrite the
forensic evidence of how the system was compromised.
Are detection measures effective? There are two primary ways to perform
an NVA. The first is "stealth mode," where your testing is known only to
the management team that approved it. This lets you catch the network
administrators "napping" and also gives you a good opportunity to test the
intrusion detection systems of the target network. The other is the "plain
sight" method, in which everyone involved in the network and security staff
knows you are coming and can provide you with documentation and access to
systems that you would not get when using the stealth method.
Step 3: Building the Toolkit
This is the step that always gets the most interest: the tools. We are going
to tie Steps 3 and 4 of the six-step process tightly together because they
are very closely related. An important fact to keep in mind is the overarching
methodology of performing the network vulnerability assessment testing, not
a specific focus on the exact tool or tools that you run. The reason is that
tools change: manufacturers go out of business, tools stop being supported,
tools are bought by other manufacturers, and better tools emerge all the
time. Note also that the tools discussed here are not an exhaustive list of
all the tools available, but rather a representative sample of the tools in
each particular area. The tools we discuss range from freeware, to shareware,
to purchase-only products. And because the tools and the information about
them change so rapidly, the best we can say is that the information is
current as of this writing.
Exhibit 9 denotes the expense of the different tools that we will be looking
at in subsequent subsections:
The vulnerability assessment model illustrated in Exhibit 10 shows the
process you will go through when conducting a vulnerability assessment.
The horizontal axis denotes the number of hosts a test level is run against
relative to the level that follows it. The vertical axis denotes the length
of time it takes to run each successive test level. The model shows that
you run the tests that take the least time against the largest number of
hosts, and the tests that take the most time against the fewest hosts. As
we complete each level of the model, we use the output from the previous
layer as seed information for the next layer
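The glue between levels of that model in working form, as an added example that is not from the book: a fast host sweep over every address feeds a port scan of only the live hosts, which in turn feeds a slow service-probe of only the open ports. The nmap commands appear in the comments; the two variables hold constructed samples of nmap's grepable (-oG) output so the parsing runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the book): each level's output seeds the next.
# SWEEP_OUT and SCAN_OUT are CONSTRUCTED samples of nmap -oG output; on a
# real assessment they come from the commands shown in the comments.

# Level 1 (fastest, every address):   nmap -sn -oG - 10.0.0.0/29
SWEEP_OUT=$(
    printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.2 ()\tStatus: Down\n'
    printf 'Host: 10.0.0.3 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.4 ()\tStatus: Down\n'
)

# Level 2 (slower, live hosts only):  live_hosts | nmap -p- -oG - -iL -
SCAN_OUT=$(
    printf 'Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (65532)\n'
    printf 'Host: 10.0.0.3 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (65534)\n'
)

# Level 1 -> 2: addresses that answered the sweep, one per line.
live_hosts() {
    printf '%s\n' "$SWEEP_OUT" | awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Level 2 -> 3: "address port/proto service" for every open port.
# -oG fields are tab separated; each port entry is port/state/proto/owner/service/...
open_ports() {
    printf '%s\n' "$SCAN_OUT" | awk '
        BEGIN { FS = "\t" }
        /^Host:/ && $2 ~ /^Ports: / {
            split($1, h, " "); host = h[2]
            sub(/^Ports: /, "", $2)
            n = split($2, ports, ", ")
            for (i = 1; i <= n; i++) {
                split(ports[i], f, "/")
                if (f[2] == "open") print host, f[1] "/" f[3], f[5]
            }
        }'
}

# Level 3 seed (slowest, open ports only): one "host port,port" line per host,
# ready for:  nmap -sV -sC -p 22,80 10.0.0.1
ports_by_host() {
    open_ports | awk '
        { split($2, p, "/"); list[$1] = list[$1] (list[$1] ? "," : "") p[1] }
        END { for (h in list) print h, list[h] }'
}

echo "Level 2 targets:"; live_hosts
echo "Level 3 targets:"; ports_by_host
```

From the constructed data the sweep of four addresses narrows Level 2 to two hosts, and the port scan narrows Level 3 to three open ports on those two hosts, which is exactly the funnel the exhibit describes.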