Will your company ever have to ask this question? Hopefully the FBI never calls you…
As Jim Aldridge from Mandiant says in this YouTube video, the first thing that will happen is that the FBI will call you, in a somewhat cryptic manner, and
tell you which of your systems were compromised and which systems compromised them. That’s it. If you do not have a SIEM (Security Information and Event Management) system, this information will be of limited value.
Unfortunately, a break-in investigation (forensics, in security terminology) may reveal that the attacker had been in your systems for months or even years.
Jim Aldridge listed some good questions:
1. What information was exposed?
2. Do I need to notify regulators or customers?
3. What is the extent of compromise?
4. How much money did I lose?
5. How did the attacker gain entry?
6. How do we effectively stop the attack and remove the attacker?
Of course, if you were scanning your systems and uncovering vulnerabilities on a regular basis, you would likely not get a call from the FBI in the first place.
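The FBI’s call gives you host names, not a timeline. The following added example (not code from this post, from Mandiant, or from Oversitesentry’s products) shows the kind of correlation a SIEM, or even a script over an exported firewall log, makes possible: given the compromised hosts named in the call, it finds the earliest and latest activity involving them (a lower bound on how long the attacker was present), the internal peers they reached (extent of compromise, question 3), the internal sources that connected in to them (a lead for question 5), and the other internal hosts that talked to the same external destinations. The log format, addresses and timestamps are constructed for the example; the internal address ranges are an assumption.

```python
import re
import ipaddress

# Address ranges treated as "inside" the company. Assumed for this example;
# replace with the real internal ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical key=value firewall export, constructed for this example.
# Timestamps are ISO 8601 in UTC, so plain string comparison orders them.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>allow|deny)$"
)

# Constructed sample log: 10.1.2.50 plays the host the FBI named.
SAMPLE_LOG = """
2014-02-11T02:14:07 src=10.1.2.50 dst=198.51.100.23 dport=443 action=allow
2014-02-11T02:15:30 src=10.1.2.50 dst=10.1.3.7 dport=445 action=allow
2014-02-11T02:16:01 src=10.1.2.50 dst=10.1.3.8 dport=445 action=deny
2014-02-12T09:00:00 src=10.1.3.7 dst=198.51.100.23 dport=443 action=allow
2014-02-12T09:05:12 src=10.1.4.9 dst=10.1.2.50 dport=3389 action=allow
2014-02-13T11:22:45 src=10.1.5.5 dst=10.1.5.6 dport=80 action=allow
this line is not in the expected format
""".strip().splitlines()


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(lines, compromised):
    """Summarise every log event that touches a known-compromised host."""
    summary = {
        h: {"first_seen": None, "last_seen": None, "internal_peers": set(),
            "external_dsts": set(), "inbound_from": set()}
        for h in compromised
    }
    for rec in filter(None, map(parse_line, lines)):
        src, dst, ts = rec["src"], rec["dst"], rec["ts"]
        # Any event, allowed or denied, bounds the activity window.
        for host in (src, dst):
            if host in summary:
                s = summary[host]
                if s["first_seen"] is None or ts < s["first_seen"]:
                    s["first_seen"] = ts
                if s["last_seen"] is None or ts > s["last_seen"]:
                    s["last_seen"] = ts
        if rec["action"] != "allow":
            continue  # a denied connection never reached the peer
        if src in summary:
            bucket = "internal_peers" if is_internal(dst) else "external_dsts"
            summary[src][bucket].add(dst)
        if dst in summary and is_internal(src):
            summary[dst]["inbound_from"].add(src)
    return summary


def shared_external(lines, externals):
    """Map each external destination to the internal hosts that reached it."""
    seen = {ext: set() for ext in externals}
    for rec in filter(None, map(parse_line, lines)):
        if rec["action"] == "allow" and rec["dst"] in seen and is_internal(rec["src"]):
            seen[rec["dst"]].add(rec["src"])
    return seen


def scope(lines, compromised):
    """Compromised hosts plus the internal hosts the evidence points at next."""
    summary = correlate(lines, compromised)
    hosts = set(compromised)
    for s in summary.values():
        hosts |= s["internal_peers"]
        for peers in shared_external(lines, s["external_dsts"]).values():
            hosts |= peers
    return hosts


if __name__ == "__main__":
    for host, s in correlate(SAMPLE_LOG, {"10.1.2.50"}).items():
        print(host, s)
    print("hosts to examine next:", sorted(scope(SAMPLE_LOG, {"10.1.2.50"})))
```

The point of `scope` is that the investigation rarely stops at the hosts you were told about: a peer reached over SMB and a second host beaconing to the same external address are the next systems to image. Without retained logs none of these questions can be answered, which is why the call is of limited value to a company with no SIEM.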
As everyone knows, there are 7 OSI network layers.
And this is my favorite Open Systems Interconnection (OSI) diagram:
So what do I mean by the “8th network layer”?
The human element, of course. I got a new book written by Christopher Hadnagy and Dr. Paul Ekman: “Unmasking the Social Engineer”.
It is a great book on human interactions, tone of voice, body language, and more. In other words: how can a hacker call the target company, ask for passwords or user names, and actually be given them? If the password is freely given to the hacker, there is no defense for that.
The most likely vulnerability types, in order:
1. CSRF (Cross-Site Request Forgery) is the most likely method of attack
2. Broken Authentication is second
3. Cross-Site Scripting (XSS) is third
SQL Injection and security misconfiguration each also account for more than 10% of the vulnerability types.
The IBM report on the X-Force blog recounts the challenges a web application scanner faces in deciding when and what to scan.
One has to be careful about how production systems are scanned: if it is not done well, a vulnerability may go undetected, or the production system itself may suffer ill effects.
We are aware of this in our product offerings.
Scan Solutions at Oversitesentry
Hydra, w3af and Scapy are all good as well.
We can create our own scans using Scapy, and build our own scan reviews depending on the environment we need to look at.
To make this work, one really needs to understand TCP networking as specified in RFC 793.
Contact us to learn more…
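What RFC 793 actually specifies is the segment layout below, which Scapy normally hides behind `TCP(flags="S")`. The following is an added illustration in pure Python, not code from this post or from Oversitesentry’s scan product: it packs a header field by field, computes the RFC 793 checksum over the IPv4 pseudo-header, parses the bytes back into their fields, and verifies the checksum, rejecting truncated segments and inconsistent data offsets. The addresses, ports and the MSS option value are constructed for the example.

```python
import socket
import struct
from dataclasses import dataclass

# Control bits of the RFC 793 header: the low six bits of the 16-bit
# data-offset/flags word. (The ECN bits added by RFC 3168 are not modelled.)
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int   # header length in 32-bit words (5..15)
    flags: set
    window: int
    checksum: int
    urgent: int
    options: bytes


def parse_tcp_header(segment: bytes) -> TcpHeader:
    """Decode the fixed 20-byte header plus options, rejecting malformed input."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12
    if data_offset < 5 or data_offset * 4 > len(segment):
        raise ValueError("data offset %d inconsistent with segment length" % data_offset)
    flags = {name for name, bit in FLAG_BITS.items() if off_flags & bit}
    return TcpHeader(src, dst, seq, ack, data_offset, flags, window, csum, urg,
                     segment[20:data_offset * 4])


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum shared by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"  # odd length is padded with a zero byte for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # fold the carries back in
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header and the segment with its checksum field zeroed."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))  # zero, protocol 6, TCP length
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True when the checksum carried in the segment matches a fresh computation."""
    return parse_tcp_header(segment).checksum == tcp_checksum(src_ip, dst_ip, segment)


def build_tcp_header(src_port, dst_port, seq, ack, flags, window, src_ip, dst_ip, options=b"") -> bytes:
    """Assemble a header with a valid checksum; options are padded to a 32-bit boundary."""
    options = options + b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAG_BITS[name]
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         (data_offset << 12) | flag_bits, window, 0, 0) + options
    csum = tcp_checksum(src_ip, dst_ip, header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


if __name__ == "__main__":
    # Constructed values: a SYN carrying an MSS option of 1460 (kind 2, length 4).
    seg = build_tcp_header(40000, 443, 1000, 0, {"SYN"}, 65535,
                           "192.0.2.10", "192.0.2.20", options=b"\x02\x04\x05\xb4")
    print(seg.hex())
    print(parse_tcp_header(seg))
    print("checksum valid:", checksum_ok("192.0.2.10", "192.0.2.20", seg))
```

Two details worth noticing when reading scan output: the data offset is counted in 32-bit words, so a header with one 4-byte option reports 6, not 24; and the checksum cannot be verified from the TCP bytes alone, because the pseudo-header pulls in the IP addresses, which is why a capture with a wrong or missing IP layer shows “bad checksum” everywhere.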
Penetration testing consists of several activities across various computers and systems.
First, in “recon”, one checks the public profile of the company.
Then use scan tools such as nmap, hping, Scapy, Burp Suite and others to check out the target computers (this is the Alpha scan).
Then one can use a few pre-built tools to review vulnerabilities, such as Nessus, Maltego, Metasploit or Armitage (a good GUI for Metasploit); the OWASP tools and Tshark/Wireshark are also good for reviewing what is going on in the network (Sigma scan).
Each tool can be used to further your knowledge of the network, or to find out more about how to investigate/exploit the systems.
Little by little a dossier is built up, with more and more information compiled.
Then at some point the pentester may also use some social engineering (custom scan, the Omega scan).
This is where the custom portion of a pentest occurs.
Incidentally, the pentest process “almost” mirrors the hackers’ methods.