A great number of details have been introduced: subjects ranging from multi-phased attacks to the flow of information from the target to the testers, as well as between the testers on an engagement. When all these components of the test are considered, planning the engagement can become overwhelming. As stated above, many organizations have an ethical hack performed with very little planning. "Just see how far you can get," they say. One of the reasons for basic forms of attack (which ultimately lead to poor value) is that planning an attack can become time consuming and arduous, quite apart from the fact that many are not aware of the options available to them.
In an effort to promote comprehensive planning on the part of the company seeking or employing an ethical hack, some guidelines and an example engagement planner follow.
Guidelines:
• Perform a self-evaluation of your goals and objectives. Ask yourself what you expect to gain from the test and how you plan to use the results. Are you looking to address specific weaknesses? Or are you attempting to seek symptoms of a much larger problem within the security program?
• Consider the scope of the attack and what is "in bounds." Moreover, take the time to evaluate what you have determined is beyond its scope and the potential impact on the objectives. Too much focus in a test is typically the result of budget restrictions or departmental segmentation. With proper planning, both of these areas can be accommodated while still meeting your goals. Of course, too little focus can lead to long engagements that provide little value.
• Ensure all the appropriate people are involved. On paper this appears obvious and simple, but internal politics and departmental rivalries introduce interesting results. There must be an owner, a leader, or a primary person who ultimately sets the goals and scope of the engagement. Tests that are planned by committee will typically fail to meet objectives.
• Commit to having a technical expert involved in the process in addition to business managers or executives. All too often, organizations plan and execute attacks without consulting their internal expertise, specifically security experts. A technical perspective can be very beneficial in outlining the scope and depth of the attack that should be sought to meet executive goals. However, tests that are planned only by technical resources, without the dedicated involvement of business management setting loftier goals, will certainly affect the potential value of the test.
• During the planning session, ask a lot of questions. However, one must keep an open mind and expect answers that conflict with personal perceptions of security. People typically ask questions they already feel they have an answer for and look to gain the perspective of the interviewee. To ensure the test meets the goals, especially when interviewing a professional organization that performs ethical hacking tests all the time, one must be cognizant of not making any predetermined conclusions.

TABLE 7.3
Criticality Matrix for Team Communications

Critical
Description: Represents information about an event, process, or activity that can harm people, business processes, or data. For example:
– System failure
– Denial of service
– Law enforcement involvement
– Excessive customer complaints
– Abusive hacking activities
– Identification of a severe vulnerability
Communication: Must be immediate, and conducted in the following sequential order (all critical communications must be acknowledged and documented):
– Phone primary contact (office, cell, pager, other)
– Phone secondary contact(s)
– Phone primary/secondary administrative contact(s)
– Fax (private)
– E-mail
– On-site visit (if applicable and contact is at location)

Warning
Description: Information that can assist in avoiding further or more detrimental impacts to business processes or systems. For example:
– Excessive system or network load
– Noncritical system outages
– Identification of potential issues or vulnerabilities in out-of-scope systems
– User complaints
Communication: Should be immediate and acknowledged within a four-hour timeframe:
– Phone primary contact (office, cell, pager, other)
– Phone secondary contact(s)
– E-mail

Informational
Description: Information relative to the test. For example:
– Additional information for the Red Team's next phase
– Comments and activities of the Blue Team
– Concerns and comments from the White Team
Communication: Should be within a two-business-day timeframe and acknowledged:
– E-mail

TABLE 7.4
Communication Types and Formats

Phone (Office and Cell)
Format: Voice conversation
– Validate identity
– Take notes
– Establish plan for alternate form of communication (i.e., send e-mail or fax)
– Cell: text message (see Pager)
– Critical: no speakerphone; private location or surroundings
Type/Content:
– Critical: full discussion and details; establish action plan; establish plan for further meetings
– Warning: full discussion and details; plan for actions
– Informational: communicate summary and follow up with documentation
Security: Acceptable

Fax (Private)
Format: Document
– Confidential cover page and related contact information
– Initial information and follow-up contact information
Type/Content:
– Critical: limited materials and details; establish plan for further meetings
– Warning: full discussion and details; plan for actions
– Informational: communicate summary and follow up with documentation
Security: Limited

Fax (Public)
Format: Document
– Confidential cover page
– Message to contact through other means
Type/Content:
– Critical and warning: no sensitive information; establish plan for further communications
– Informational: limited information
Security: None

Admin. Phone/Fax
Format: Document/voice conversation
– Validate identity (if applicable)
– Message to contact at earliest convenience or location of primary contact
Type/Content:
– Critical, warning, informational: no information; message for further contact
Security: None

Pager
Format: Message
– Validate identity (if applicable, i.e., auto reply)
– Text message to contact at earliest convenience or location of primary contact
– State level of criticality
Type/Content:
– Critical, warning, informational: no information; message for further contact
Security: None

PDA
Format: Message/small document
– Text message to contact at earliest convenience
– State level of criticality
Type/Content:
– Critical and warning: no sensitive information; establish plan for further communications
– Informational: limited information

E-Mail
Format: Message/document
– Text message to contact at earliest convenience
– State level of criticality
– Supporting documentation
– No e-mail lists (i.e., itemize the TO: field)
Type/Content:
– Critical: full discussion and details; communicate initial action plan; establish plan for further meetings
– Warning: full discussion and details; plan of action
– Informational: communicate summary and provide documentation
Security: Acceptable
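The two tables above are rules that a test coordinator has to apply under time pressure, so it helps to see them encoded. The following is an added example (not code from the book or its planner) that turns the criticality matrix and the channel/content restrictions into a small checker: it computes the acknowledgment deadline for a message (immediate, four hours, or two business days skipping weekends), flags a message that is overdue, and reports when a channel is being asked to carry more detail than the matrix allows for that criticality. The enum, the dictionaries, and the function names are this example's own assumptions.

```python
"""Acknowledgment deadlines and channel-content rules for team communications.

Added example modelled on Table 7.3 (criticality matrix) and Table 7.4
(communication types and formats). Names and data structures are assumptions.
"""
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional


class Criticality(Enum):
    CRITICAL = "critical"
    WARNING = "warning"
    INFORMATIONAL = "informational"


# Sequential escalation order per criticality (Table 7.3, Communication column).
ESCALATION = {
    Criticality.CRITICAL: [
        "phone primary contact", "phone secondary contact(s)",
        "phone administrative contact(s)", "fax (private)", "e-mail", "on-site visit",
    ],
    Criticality.WARNING: ["phone primary contact", "phone secondary contact(s)", "e-mail"],
    Criticality.INFORMATIONAL: ["e-mail"],
}

# Level of detail each channel may carry per criticality (Table 7.4, Type/Content column).
# "full": full discussion and details; "limited": limited materials or information;
# "summary": summary plus follow-up documentation; "none": only a request to make contact.
CHANNEL_DETAIL = {
    "phone":           {Criticality.CRITICAL: "full",    Criticality.WARNING: "full", Criticality.INFORMATIONAL: "summary"},
    "fax (private)":   {Criticality.CRITICAL: "limited", Criticality.WARNING: "full", Criticality.INFORMATIONAL: "summary"},
    "fax (public)":    {Criticality.CRITICAL: "none",    Criticality.WARNING: "none", Criticality.INFORMATIONAL: "limited"},
    "admin phone/fax": {Criticality.CRITICAL: "none",    Criticality.WARNING: "none", Criticality.INFORMATIONAL: "none"},
    "pager":           {Criticality.CRITICAL: "none",    Criticality.WARNING: "none", Criticality.INFORMATIONAL: "none"},
    "pda":             {Criticality.CRITICAL: "none",    Criticality.WARNING: "none", Criticality.INFORMATIONAL: "limited"},
    "e-mail":          {Criticality.CRITICAL: "full",    Criticality.WARNING: "full", Criticality.INFORMATIONAL: "summary"},
}


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `start` by `days` business days, skipping Saturday and Sunday."""
    current, added = start, 0
    while added < days:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday = 0 ... Friday = 4
            added += 1
    return current


def ack_deadline(level: Criticality, sent_at: datetime) -> datetime:
    """Latest acknowledgment time under Table 7.3: immediate, four hours, or two business days."""
    if level is Criticality.CRITICAL:
        return sent_at
    if level is Criticality.WARNING:
        return sent_at + timedelta(hours=4)
    return add_business_days(sent_at, 2)


def is_overdue(level: Criticality, sent_at: datetime, now: datetime,
               acked_at: Optional[datetime] = None) -> bool:
    """True when the message was not (or will not have been) acknowledged by its deadline."""
    deadline = ack_deadline(level, sent_at)
    if acked_at is not None:
        return acked_at > deadline
    return now > deadline


def check_message(channel: str, level: Criticality, carries_details: bool) -> List[str]:
    """Return rule violations for sending material of `level` over `channel`.

    `carries_details` means the message contains the event's substance (systems,
    findings, action plan) rather than just a request to make contact.
    """
    allowed = CHANNEL_DETAIL[channel][level]
    findings = []
    if carries_details and allowed in ("none", "limited"):
        findings.append(
            f"{channel}: Table 7.4 allows only '{allowed}' content for {level.value}; "
            f"send the details via {ESCALATION[level][0]} and use this channel to arrange contact"
        )
    return findings


if __name__ == "__main__":
    sent = datetime(2024, 3, 1, 10, 0)  # constructed: a Friday morning
    for level in Criticality:
        print(level.value, "acknowledge by", ack_deadline(level, sent), "via", " -> ".join(ESCALATION[level]))
    print(check_message("fax (public)", Criticality.CRITICAL, carries_details=True))
```

Two design points worth noting. Red overrides nothing here, but precedence does matter in the deadline logic: a critical message has no grace period at all, which is why `ack_deadline` returns the send time itself and any later acknowledgment counts as late. And the business-day calculation is deliberately naive (no holiday calendar); the planner is where the client's actual working calendar and contact hours would be recorded, and the function should be fed from that.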
Nevertheless, it helps to see the options in a concise format to stimulate the planning process and to have some form of documentation to drive the engagement. A sample planner is demonstrated in Table 7.5. Although summarized, the example does provide the opportunity to select characteristics of the test to support more detailed planning. (Note: Some elements in the planner are discussed in following sections.)
TABLE 7.5
Example Engagement Planner

Ethical Hacking Engagement Planner

General Information
Date: ___/___/____   Company Name: ________________________________________________
Team Members (one row per member): Name | Team (R/W/B) | Primary Phone | Secondary Phone | Fax (Private) | Fax (Public) | E-Mail | Role/Title

Primary Characteristics of the Engagement (check all that apply)
[ ] Social engineering   [ ] Application testing   [ ] Identify vulnerabilities
[ ] Internet test        [ ] Physical security     [ ] Exploit vulnerabilities
[ ] Intranet test        [ ] Wireless              [ ] Multi-phased attack
[ ] Partner access       [ ] VPN                   [ ] Wardialing
[ ] Remote access        [ ] VoIP                  [ ] Wardriving

General Assumption of Threat Type (check all that apply)
Script Kiddy / Hacker / Über Hacker:
[ ] Unstructured  [ ] Structured  [ ] Determined  [ ] Malicious  [ ] Solvers  [ ] Hacktivist  [ ] Vigilantism  [ ] Hitman  [ ] Terrorist  [ ] Espionage

Attack Type Summary (see Information Management below)
Single:                 [ ] All at once  [ ] Incremental
Multi-Phased:           Shared information: [ ] Isolated  [ ] Shared
Parallel Multi-Phased:  Shared information: [ ] Isolated  [ ] Shared
Specific Groups (repeated for each multi-phased option selected): [ ] All sel. above  [ ] Internet testing  [ ] Social eng.  [ ] Intranet
Primary Target Summary (check all that apply)
Social Engineering: [ ] Entire company  [ ] Group (list below)  [ ] Department (list below)  [ ] Specific location(s) (list below)
Internet Test: [ ] All Internet connections  [ ] Specific sites (list below)  [ ] Only certain ISPs (list below)
Intranet Test: [ ] Entire company  [ ] Group (list below)  [ ] Department (list below)  [ ] Location(s) (city, state, country) (list below)
Partner Access: [ ] All partners  [ ] Partner access network only  [ ] Includes applications  [ ] Other (list below)
Remote Access: [ ] IPSec VPN  [ ] SSL VPN  [ ] Dial-up  [ ] Other (list below)
Applications: [ ] Web/Internet  [ ] Client-side Internet  [ ] Terminal-based  [ ] Internal applications  [ ] Custom applications  [ ] Code review  [ ] Other (list below)
Physical Security: [ ] All locations  [ ] Specific location(s) (list below)
Wardriving: [ ] All locations  [ ] Anything that can be discovered  [ ] Specific location(s) (list below)
Wireless: [ ] All locations  [ ] Anything that can be discovered  [ ] Specific location(s) (list below)  [ ] Public access  [ ] Internal only  [ ] External only
VoIP: [ ] Data vulnerabilities only  [ ] Voice vulnerabilities only  [ ] Phones  [ ] PBX/Phone systems  [ ] Network (WAN)
VPN: [ ] Partner network  [ ] Remote network  [ ] Customer network  [ ] Specific location(s) (list below)
Wardialing: [ ] Numbers provided  [ ] Multiple locations (list below)  [ ] Single location  [ ] Test mailboxes  [ ] Seek network access  [ ] Seek toll fraud  [ ] Other (list below)

General Scoping
Green List (specifically targeted systems and network elements)
Red List (systems the Red Team must never attack or bring down)
Yellow List (targeted systems or network elements that must remain online)
For each list, one entry per row: System: ____________  IP Address/Net: ___.___.___.___
Tools (Permitted / Client Provided / Not Permitted)
[ ] ISS  [ ] NMap  [ ] Nessus  [ ] Trojans  [ ] Open source/hacker tools
Permitted, please list: ____________   Client provided, please list: ____________

Social Engineering Planner
E-Mail
Specific Group or Dept.: __________________________   Domain: __________________________
Imposed Limitations: [ ] Single shot  [ ] Three strikes  [ ] Individual e-mail permitted  [ ] Group e-mail permitted  [ ] Source masquerading permitted
Length limitation (max. characters): ___________
Subject matter focus (if any): ____________
Level of intensity (pursuit): [ ] Low  [ ] Med  [ ] High
Max. number of exchanges: Number: _____, or [ ] Unlimited

Helpdesk Fraud
Main line number: ___-___-_____   Secondary number: ___-___-_____   Alternative number: ___-___-_____
Source Group/Dept.: [ ] Any  [ ] Employees only  [ ] Partners  [ ] Customers  [ ] Specific (list below)
Third-Party Managed Service? [ ] Yes  [ ] No  [ ] Not Providing Information (NPI)
Max. calls per subject (one row per subject, four rows): Subject: __________  Max. calls ____
Specific subjects not to employ: ____________

Phone Fraud
Number Range(s): ____________
Target Group(s): [ ] Any  [ ] Discretionary  [ ] Other (list)
Max. calls per subject (one row per subject, four rows): Subject: __________  Max. calls ____
Permitted subjects: [ ] Any  [ ] Discretionary
Max. calls per individual: #__________________
Specific subjects not to employ: ____________
External Testing
Dumpster Diving
In use? [ ] Yes  [ ] No
Location(s): [ ] All  [ ] Discretionary  [ ] Specific location(s) (list below)
Permitted to follow trash off-site? [ ] Yes  [ ] No
Included shredded materials? [ ] Yes  [ ] No
If discovered: [ ] Test concludes  [ ] Phase concludes  [ ] Continue at another location  [ ] Report
Duration of activity: [ ] As long as possible  [ ] Remaining work day  [ ] Four hours  [ ] Two hours  [ ] One hour  [ ] 15 minutes  [ ] Depart immediately upon success

Piggy-Back
In use? [ ] Yes  [ ] No
Location(s): [ ] All  [ ] Discretionary  [ ] Specific location(s) (list below)
Once in: [ ] Target all accessible areas (zones)  [ ] Discretionary  [ ] Specific floors  [ ] Area(s) that require authentication  [ ] Specific area(s) (list below)
Duration of activity: [ ] As long as possible  [ ] Remaining work day  [ ] Four hours  [ ] Two hours  [ ] One hour  [ ] 15 minutes  [ ] Depart immediately upon success
If discovered: [ ] Test concludes  [ ] Phase concludes  [ ] Continue at another location  [ ] Report
Permitted activities: [ ] Target all elements  [ ] Shoulder surfing  [ ] Material removal from location  [ ] Implantation of devices (systems, wireless, etc.)  [ ] Disinformation
Location Entry
In use? [ ] Yes  [ ] No
Location(s): [ ] All  [ ] Discretionary  [ ] Specific location(s) (list below)
Tactics to employ: [ ] All feasible attempts  [ ] Focus on guards  [ ] Focus on technical controls  [ ] Alternative access (windows, vents) permitted
If discovered: [ ] Test concludes  [ ] Phase concludes  [ ] Continue at another location  [ ] Report
Duration of activity: [ ] As long as possible  [ ] Remaining work day  [ ] Four hours  [ ] Two hours  [ ] One hour  [ ] 15 minutes  [ ] Depart immediately upon success
Permitted activities: [ ] Target all elements  [ ] Shoulder surfing  [ ] Material removal from location  [ ] Implantation of devices (systems, wireless, etc.)  [ ] Disinformation  [ ] Report
Information Management
Parts 1, 2, and 3 represent staged information provisioning for a single attack, or the information provided for each phase of a multi-phased attack.
Information expected at various points within each phase (check all that apply). Columns, one checkbox per item in each: Reconnaissance (Part 1, Part 2, Part 3); Enumeration (Part 1, Part 2, Part 3); Exploitation (Part 1, Part 2, Part 3).

Standard Elements: Nothing; Register domain(s); Network diagrams
Internal Testing: Nothing; Network architecture documentation; System types (e.g., OS); Policies and procedures; Access credentials (power user); Access credentials (admin.); Application information
Internet Testing: Nothing; IP addresses; Host names; System types (e.g., OS); Network documentation; Firewall type(s); IDS type(s); Web account; Customer Web access account; Employee Web account; Partner Web account; Remote access system information; Remote access account; Application information
Social Engineering/Physical Security: Nothing; Floor plans; Location information; Visitor badge; Employee badge; Extended access materials; Door codes; Policies and procedures
Wardialing: Nothing; Phone numbers
Using this or similar documentation at the beginning of the planning phase will, at a minimum, help to collect your thoughts and perspectives on the test in a single document. Understandably, the example planner is only a summary of probable engagement characteristics and implies that much more work is required. For example, the information management section only stipulates the type of information offered to the testers and at what point in the engagement, not the actual data. Nevertheless, this can be a good starting point for planning or the foundation of your own document for future tests. Furthermore, if an organization were to create a similar document and present it to potential professional service companies that perform ethical hacks, it can help determine their capabilities in providing the service.
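The Green, Red, and Yellow lists in the General Scoping section of the planner are the part most worth turning into something the team can run, because a scoping mistake during the engagement is what the planner exists to prevent. The following is an added example, not code from the book or its planner: it parses the three lists as addresses or networks, classifies any candidate target, and answers whether a given class of activity is permitted on it. The precedence is the conservative one a White Team would want: a Red List entry wins over any Green range that contains it, a Yellow entry wins over Green, and a target on no list is out of scope. The list contents are constructed from RFC 5737 documentation ranges, and the activity names and class name are this example's own assumptions.

```python
"""Scope enforcement for the Green/Red/Yellow lists of the engagement planner.

Added example; the class, method and activity names are assumptions, and the
sample lists are constructed from RFC 5737 documentation address ranges.
"""
import ipaddress
from typing import Iterable, List, Tuple


def _parse(entries: Iterable[str]) -> list:
    # strict=False lets a single host ("192.0.2.250") or a range with host bits
    # set be written on the planner exactly as a coordinator would write it.
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


class ScopeLists:
    """Green: targeted; Red: never attack or bring down; Yellow: targeted but must remain online."""

    def __init__(self, green: Iterable[str], red: Iterable[str], yellow: Iterable[str]):
        self.green = _parse(green)
        self.red = _parse(red)
        self.yellow = _parse(yellow)

    def classify(self, target: str) -> str:
        """Colour of a single target address. More restrictive lists take precedence,
        so a broad Green range can never loosen a specific Red or Yellow entry."""
        ip = ipaddress.ip_address(target)
        if any(ip in net for net in self.red):
            return "red"
        if any(ip in net for net in self.yellow):
            return "yellow"
        if any(ip in net for net in self.green):
            return "green"
        return "out of scope"

    def permitted(self, target: str, activity: str) -> Tuple[bool, str]:
        """Decide whether `activity` may be run against `target`.

        activity is one of:
          "identify" - vulnerability identification (scanning, enumeration)
          "exploit"  - exploitation of a found weakness
          "disrupt"  - anything that may take the system offline (e.g., denial of service)
        """
        if activity not in ("identify", "exploit", "disrupt"):
            raise ValueError(f"unknown activity {activity!r}")
        colour = self.classify(target)
        if colour == "red":
            return False, f"{target} is on the Red List: never attack or bring down"
        if colour == "out of scope":
            return False, f"{target} appears on no list: out of scope"
        if colour == "yellow" and activity == "disrupt":
            return False, f"{target} is on the Yellow List: must remain online"
        return True, f"{target} is on the {colour} list: {activity} permitted"

    def conflicts(self) -> List[Tuple[str, str]]:
        """Green entries that overlap a Red entry. Red still wins at run time, but the
        planner should resolve these before testing starts so the lists say what they mean."""
        return [(str(g), str(r)) for g in self.green for r in self.red if g.overlaps(r)]


# Constructed sample planner lists (RFC 5737 documentation ranges, not real targets).
SAMPLE_SCOPE = ScopeLists(
    green=["192.0.2.0/24", "198.51.100.10"],
    red=["192.0.2.250", "203.0.113.0/24"],
    yellow=["192.0.2.0/26"],
)

if __name__ == "__main__":
    for target in ("192.0.2.250", "192.0.2.10", "192.0.2.100", "10.0.0.1"):
        for activity in ("identify", "disrupt"):
            ok, reason = SAMPLE_SCOPE.permitted(target, activity)
            print("ALLOW " if ok else "BLOCK ", reason)
    print("green/red overlaps to resolve:", SAMPLE_SCOPE.conflicts())
```

In practice the three lists would be loaded from the completed planner rather than embedded, and `permitted` would sit in front of whatever launches a scan or an exploit so that a typo in a target range is caught before traffic leaves the testers' network. The `conflicts` check is the planning-time counterpart: overlapping Green and Red entries usually mean the planner was filled in by two different people.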