There are certain requirements that you must meet in order to be an effective
penetration tester in a freelance consultant role. The requirements deal with
your level of security skills, your systems and network knowledge, the depth and
breadth of tools at your disposal, and the OS and hardware on which you use
them. Also critical is your attention to record keeping and maintaining the
ethics of security. Potential employers of security consultants performing
penetration services should consider the following list before hiring a
consultant.
Skill Set
A security consultant must be at least at the system administrator level
(tier-two hacker) in order to effectively render security advisory services.
This is not to say that script kiddies do not recognize security flaws or cannot
hack—as previously stated, they often do more damage than hackers at any other
level. Script kiddies generally do not have a complete understanding of the
tools and exploits they use, and therefore they either miss critical holes or
potentially damage systems.
As a paid consultant, you are expected to definitively assert what you are
doing and all the potential effects your actions may have. Specifically, you
should be able to defend your choice of tool, why you use it, and what you use
it for during testing. You are also expected to answer any and all questions
related to a tool's configuration. Some of these security tools can cause
considerable damage or downtime to networks if not used properly. At the
conclusion of the test, you will be asked to articulate the method used to
penetrate the systems and to deliver recommendations on how to fix the security
holes identified during testing.
Knowledge
Successful security consultants should be familiar with several pieces of
technology, such as firewalls, intrusion detection systems, sniffers, audit
tools, authentication mechanisms—the list goes on. While it is certainly
advisable to be an expert in as many technologies as possible, the tester must
at least be familiar with how the technology works (and the products that
implement the technology) in order to find ways around the security that these
systems provide. The tester should be knowledgeable in all the major operating
systems (Windows, UNIX, Mac OS, and possibly Novell) and an expert in one.
In-depth knowledge of TCP/IP and networking protocols is required. Knowledge of
application programming or past programming experience can also be helpful since
many new exploits are constantly released as “working” code with occasional
flaws. Such experience comes in handy when writing various attacks, such as
buffer overflows.
The tester must be able to use various hacking tools, scripts, and exploits
in order to test for known bugs and vulnerabilities. Further, the tester should
have access to vulnerability services that can keep him or her apprised of the
latest hacking tools, scripts, and exploits as well as new security bugs
discovered in all the major hardware, software, and operating systems. This does
not have to be a paid service, but it must be reliable and up-to-date, and it
must provide information on how to exploit known bugs as well as offer a
comprehensive collection of exploits and tools.
Keeping current on the latest security developments and trends is essential
for any successful security consultant. The security consultant should subscribe
to and participate in a collection of security e-mail lists. In addition to
reading technical material, security consultants should periodically review what
is being posted to “underground” Web sites. The best way to defend against or
exploit threats is to understand them.
Tool Kit
Consultants develop a collection of useful software, a tool kit, with tools
and scripts for performing all types of security work, such as vulnerability
testing, penetration testing, dial-in penetration, Internet penetration, denial
of service, password cracking, buffer overflows, and risk assessments. This tool
set should cover both the Windows (9x/NT/2000) and the UNIX (including the
variants, Linux, HP/UX, AIX, IRIX, DG/UX, the BSDs, and so on) operating
systems. We have included tools in this book that we have found useful, but by
no means do they form the definitive tool kit. As your own technique is
developed, you may find additional or alternative tools that work better for
your style.
Hardware
Penetration testing often uses a lot of CPU time and bandwidth. The more
powerful the machine, the better the efficiency. We have found a dual-boot
Linux/NT laptop (with the latest CPU, the most RAM, and as fast as possible) to
be an adequate configuration. A laptop is often better than a desktop because it
allows for mobility. Running VMware allows you to run both operating systems
simultaneously. This adds convenience, in that tools are generally available for
at least one of these environments, but it costs more in terms of processor
speed and memory.
Additionally, running a keystroke capture utility is an effective way to log
the test. These utilities record and time stamp all activities at the keystroke
level, to some extent offloading the record-keeping burden from you to the
laptop.
Record Keeping
Keeping accurate, detailed records is a critical activity for a penetration
tester. We recommend your records provide enough detail to recreate the
penetration test steps. In the unfortunate event that a company should claim
that a consultant is responsible for damages incurred as a result of penetration
testing, reviewing the records will be the first step in resolving the
issue.
The record should detail everything that was performed during testing,
including every tool used and every command issued and the systems or IP
addresses against which they were used. A useful practice is to document your
procedures as you perform them and to use the last part of the day to type up
your notes and record your results.
Occasionally a system administrator might accuse a tester of being
responsible for attacks that took place before or after the work was performed.
In order to defend against these accusations, detailed documentation is
required. Logs from a keystroke capture utility as well as your own notes
provide the basis of defense.
Not only is it important to keep track of the actions performed during the
penetration testing, it is also important to keep track of all the information
gathered on your client. This may include information on weaknesses in the
client's network, password files, the business process, and any intellectual
property such as documentation on patent-pending processes. It is important to
keep this information so you can present it to the client to verify you were
able to access it and to stress the importance of the weaknesses that allowed
you to obtain it. However, all information obtained from the client should be
treated as highly confidential. If this information were to get out, to a hacker
or a competing firm, it could put the client at significant competitive
disadvantage, leading to a loss of capital. In addition, news of a successful
penetration test may also lead to a drop in consumer confidence.
Ethics
Penetration testing engagements are bound by the scope and length set forth
in the rules of the engagement. These rules are specified by the client and
enable the organization to feel comfortable enough to allow the testing to
proceed. These rules address issues of denial of service, contact information,
scope of project, and timetables. This information provides the boundaries of
the engagement and cannot be misinterpreted.
At issue here is trust. One of the key things security consultants have to
offer their clients is assurance and confidence that while the consultant is
examining the client's security, they will not be planting back doors or
compromising the client's network. Unfortunately, there is no script or tool
that guarantees the consultant's integrity. Each consultant must carefully
protect his or her integrity on every engagement and assignment. If your
integrity is questioned, even once, you will not recover from the accusation.
There is little room for error, accidents, or problems. Penetration testing
requires the client to give a great deal of trust to a consultant. That trust
must be protected.
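The record-keeping and ethics sections above describe the same discipline from two sides: every tool, command and target gets logged with a time stamp, and nothing is run against a host or at a time outside the rules of engagement. The following is an added example of an engagement log that enforces both, written for this page and not taken from the book or any tool it mentions; the scope range, the testing window and the logged commands are constructed sample values.

```python
import ipaddress
from datetime import datetime, timezone

class OutOfScope(Exception):
    """A target or time falls outside the agreed rules of engagement."""

class EngagementLog:
    def __init__(self, scope_cidrs, start, end):
        self.scope = [ipaddress.ip_network(c) for c in scope_cidrs]  # agreed ranges
        self.start, self.end = start, end  # agreed testing window (timezone-aware)
        self.entries = []

    def in_scope(self, target):
        addr = ipaddress.ip_address(target)
        return any(addr in net for net in self.scope)

    def record(self, tool, command, targets, note="", when=None):
        """Append one entry; refuse anything outside the scope or the window."""
        when = when or datetime.now(timezone.utc)
        if not self.start <= when <= self.end:
            raise OutOfScope(f"{when.isoformat()} is outside the testing window")
        bad = [t for t in targets if not self.in_scope(t)]
        if bad:
            raise OutOfScope(f"targets outside agreed scope: {bad}")
        entry = {"time": when.isoformat(), "tool": tool, "command": command,
                 "targets": list(targets), "note": note}
        self.entries.append(entry)
        return entry

    def between(self, iso_start, iso_end):
        """Entries inside a window (ISO-8601 strings): the first thing to produce
        when asked whether you were responsible for activity at a given time."""
        t0, t1 = datetime.fromisoformat(iso_start), datetime.fromisoformat(iso_end)
        return [e for e in self.entries if t0 <= datetime.fromisoformat(e["time"]) <= t1]

def sample_engagement():
    """Constructed example: a one-week test limited to the 192.0.2.0/24 range."""
    utc = timezone.utc
    log = EngagementLog(["192.0.2.0/24"],
                        datetime(2024, 1, 8, 9, tzinfo=utc), datetime(2024, 1, 12, 18, tzinfo=utc))
    log.record("nmap", "nmap -sV 192.0.2.10", ["192.0.2.10"],
               "service enumeration", when=datetime(2024, 1, 9, 10, 15, tzinfo=utc))
    rejected = []
    for targets, when in [(["198.51.100.5"], datetime(2024, 1, 9, 11, tzinfo=utc)),  # not in scope
                          (["192.0.2.10"], datetime(2024, 1, 20, 11, tzinfo=utc))]:  # after the window
        try:
            log.record("nmap", "nmap -sV " + targets[0], targets, when=when)
        except OutOfScope as exc:
            rejected.append(str(exc))
    return log, rejected
```

The rejected attempts are returned rather than silently dropped, so the refusal itself becomes part of the evidence that the engagement stayed within its boundaries.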