When most people think of security (and the challenge that hackers present to it), they have a vision of longhaired college dropouts working into the wee hours at a furious pace, trying to crack a remote system. By guessing passwords and through perseverance, luck, and ingenuity, they break into the bank, government department, or evil mastermind’s mainframe system. Although this image works well for the movies, it isn’t helpful to our understanding of the security threats that face e-business systems. Determined attackers often work in teams, they work almost entirely with automated tools, and they may wait patiently for months before attacking perhaps hundreds of sites in a single day. Many of them adopt a scattergun approach to acquiring targets.
The proliferation of the Internet and its global availability has opened up incredible opportunities for the security attacker community. The following are some of the best-known types of DoS attacks:
- Bandwidth consumption: Attackers who have more bandwidth than you, or who are able to amplify their attack using other sites on the Internet, flood your site with messages. Typically, these attacks consist of extreme volumes of ping sweeps dispatched to your hosts.
- Resource starvation: Attackers starve your host machines of resources, rather than your network. These attacks aim to use up all of a host’s CPU, memory, disk space, or other resources until the system can no longer provide a service or crashes.
- Programming flaws: Attackers exploit a failing in the systems running on the host to cause a system crash.
- Routing and DNS attacks: Attackers exploit the relatively weak security of routing protocols by corrupting the routing information. The victim’s Internet traffic can be redirected to any network or to a black hole (a network that does not exist). Either way, the victim’s website can be effectively disabled.
Security Testing: Risk Addressed
Various risks may arise in the process of ensuring fulfilment of security objectives. Some of these include-
- Unsecured and unmonitored remote-access points make your network vulnerable to attack.
- Inadequately configured border firewalls may allow intruders to connect using vulnerable services or ports.
- Excessive trusts between machines allow hackers to gain unauthorized access.
- Unnecessary user or test accounts are available for hackers to exploit.
- Security policies and procedures are poor or are not fully implemented.
- Operating-system or service-related software vulnerabilities exist and are available for attackers to exploit.
- Servers running unnecessary or poorly configured services leak information to attackers, making it easier for them to compromise your systems.
- Inadequate monitoring, detection, and logging facilities on servers allow attacker activities to go undetected etc.
A well-defined security testing procedure addresses these risks in the following manner-
- Verifies that hackers cannot discover the names of or control the content of files on Web servers and cannot change parameters on Web pages to impersonate others, corrupt data, or subvert the security of the system.
- Verifies that the Web server has the latest patches implemented and insecure facilities are removed or disabled.
- Verifies that all debug options and trapdoors have been removed.
- Verifies that all fields captured on HTML forms are validated for their length.
- Verifies that hidden fields do not contain data that can be changed to corrupt system transactions.
- Verifies that cookies do not contain sensitive data.
- Verifies that monitoring, detection, and logging services are securely configured.
- Verifies that the Web server has the latest patches implemented and insecure facilities are removed or disabled.
- Verifies that user-password policies are strict and fully implemented.
- Verifies that minimum resource access and shares are set up to provide the Web service
- Verifies that known vulnerabilities in the operating system and service products have countermeasures implemented.
- Verifies that security policies are stringent, in line with best practices, and properly implemented.
Penetration Testing
Penetration tests aim to demonstrate that within a short period an intrusion can be achieved and that a system is vulnerable to attack. If the test does not expose a vulnerability, one can reasonably assume the site is secure from this kind of attacker. Ideally, the goal of penetration testing is to –
- Gaining access to resources, which are typically restricted files or data;
- Altering restricted files or data;
- Executing system or application software programs or transactions;
- Gaining access to user accounts;
- Gaining access to root, administrator, or supervisor privileges;
- Gaining access to network management facilities;
- Demonstrating an ability to control resources, such as account, operating system, or networking resources.
Some of the characteristics of penetration testing include:
- Terms of Reference-In effect, these are a contract between the client of the penetration service and the testers. The terms of reference should clearly state the limitations, constraints, liabilities and indemnification considerations of the penetration activities of the testers. The penetration attacks may cause disruption to the client’s existing infrastructure and IT services, so it is essential that the terms of reference grant permission to perform the tests and indicate that the testers are not liable for any disruptions, loss, or damages.
- Attack Methodology-The test team will, however, tend to follow a standard sequence of activities, which includes footprinting, enumeration, gaining access, and exploitation. Penetration testers use the same or similar automated scanning tools as security assessors to identify points of entry visible to external Internet users. They try to penetrate the firewalls and identify vulnerabilities inside the technical infrastructure and to exploit unknown or unauthorized devices and systems on the target network, as well as on remote access servers, and so forth. Other vulnerable points are servers that run a file, cloud access, e-mail, web, directory, remote access, database and other recent developments including internet of things (IoT) etc.
- Focus-Currently, penetration testing is probably more focused on network and host vulnerabilities. As scanning tools become more sophisticated, the emphasis on penetration testing is likely to focus more on application vulnerabilities. The skills required to seek out application vulnerabilities will tend more and more to be business knowledge and application design and the ability to build crook-friendly browsers rather than deep technical insight into networking and operating system vulnerabilities.
- Penetration Testing Tools-Some tools for penetration testing include Burpsuite. Netsparker, Acunetix, Wireshark, Kali Linux, Metasploit etc.