Henry - Penetration testing: protecting networks and systems

Penetration Testing

Protecting networks and systems

Protecting networks and systems

KEVIN M. HENRY

Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the readers own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at the following address:

IT Governance Publishing

IT Governance Limited

Unit 3, Clive Court

Bartholomews Walk

Cambridgeshire Business Park

Ely

Cambridgeshire

CB7 4EA

United Kingdom

www.itgovernance.co.uk

Kevin M. Henry 2012

The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.

First published in the United Kingdom in 2012

by IT Governance Publishing.

ISBN 978-1-84928-373-1

This book is a combination of attacking and defending. It is an attempt to shed light on the thoughts, motivations and actions of an attacker against an organization or individual, so that each of us can better defend our systems, our intellectual property and our values. Part of a good defense is a strong offense and knowing how to probe, test and strengthen our systems is also knowing how to test and evaluate the effectiveness of our security controls and the resilience of our systems.

To become a great penetration tester requires experience and skill. It involves creativity, persistence and patience. This book discusses the management and planning side of penetration testing. It is not focused on how to use the tools available tools change and new ones come out continuously but rather the timeless managerial and planning skills needed to plan, conduct and report on the security of a system, network, organization and its people. Mix this knowledge with hours learning the tools, and you will be well on your way to understanding how to make a difference to the security, reliability and resilience of your organization.

Kevin Henry has been working on computer systems for over 35 years. He began as an operator on the largest minicomputer installation in Canada in the mid 1970s and has since worked as a programmer, analyst, auditor and security expert. He currently provides security auditing, training and educational programs for major clients and governments around the world and is a frequent speaker at major security conferences.

Kevin lives with his wife and children in Blumenort, Manitoba, Canada, where winters are cold, and people are always friendly and helpful.

The author would like to thank Ray Friedman, Steve Mayes, Keyvan Ejtemai and Marc Thompson for their support and the opportunities they have provided over the years.

We would like to acknowledge the following reviewers of this book for their useful contributions: Jared Carstensen, Manager, Deloitte & Touche, Tiago Henriques and Antonio Velasco, CEO, Sinersys Technologies.

This book is dedicated to Rosalyn. I cannot thank her enough for her support and care she is truly a Pearl beyond price.

Todays world runs on technology. Nearly every business benefits from and relies on technology in one form or another. The use of technology has brought tremendous advantages to society by making services, features and knowledge more readily available than ever before. We can communicate across the planet (and, in fact, across the universe) in seconds, and can effectively control millions of devices instantly something we could never have done previously through simple human action.

The use of technology also, however, presents several risks to society. By using it, we develop a greater reliance on devices that lack the sense of judgment and discriminatory thought that a knowledgeable person would have. Such devices may provide us with erroneous data and cause us to make incorrect assumptions, errors in judgment or action, and possibly even seriously injure or harm society, finances and individuals.

To correctly deploy technology is a serious challenge one that requires constant education, practice and testing. Moreover, the use of technology must always be seen in context. Technology is not an end in itself, it is not the magic answer to every problem, and it should never be implemented just for the sake of using a new tool or because it is available. Technology has one purpose, and that is to support the mission or objectives of the user/organization. As we will see through this book, the proper use of technology starts long before the technology itself is purchased. It starts with defining the business

objectives and then designing the best solution for to meeting those objectives.

Despite the best intentions of designers, architects, developers and operations staff, technology is still subject to failure, breaches and compromise. Equipment, processes and people require careful monitoring and regular testing to ensure that the systems, networks, applications, security equipment and other technologies are working in a secure, reliable manner, and that they are not presenting new opportunities for attack against the organization.

Testing is the key to providing assurance of the correct implementation and operation of technology, and this book will examine the skills and techniques used by a professional penetration tester to provide the accurate, thorough and meaningful reports that their clients or management teams need on the secure operation of systems and equipment.

Penetration testing captures the imagination and sparks the interests of many people. It is part mystery, part challenge, part creativity and part risk. It has the glamour and mystique of doing something on the wild side of life by simulating a criminal act, but without the penalties. Therefore, it is no surprise that many people are drawn to penetration testing and want to know more about what it is, how to do it and, moreover, how they can use it to help protect their systems and defend their networks.

Protecting the systems and networks of today requires a broad understanding and in-depth knowledge of the tactics, tools and motivations of the adversary. The person given the responsibility to protect a system should know the nature and techniques of the enemy, and be able to prevent successful attacks by discovering and securing any vulnerabilities in their systems or networks before the adversary can find them.