Editor's note: This is the second of a three-part series examining the best ways to ensure network security. The first part, listing the top 10 penetration testing tools, is available here. The third part will cover perimeter vulnerability testing.
While it is important to test the exterior of your network, an attacker may already be inside. The attacker could be a disgruntled employee or an outsider using services located behind-the-firewall and perimeter security defenses. If you are considering testing your internal security controls, there are several things you need to review, among them the types of internal tests, the testing techniques you may want to employ and the importance of testing employees (social engineering testing).
An organization's internal network can be probed, analyzed and attacked in a variety of ways. Some of the most common types of internal tests include:
- Insider attack: This pen testing technique simulates the types of malicious activities that could be carried out by an authorized individual with a legitimate connection to the organization's network. For example, if access rules are too permissive, an IT administrator may be able to lock others out of the network.
- Outsider attack: This pen testing technique examines the ability of outsiders to gain internal access via permissive services. It could target Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), Structured Query Language (SQL), Remote Desk Top (RDP) or any other available service. There are services online that sell access to restricted corporate resources.
- Stolen equipment attack: This simulation is closely related to a physical attack, as it targets an organization's equipment. It could seek to target the CEO's laptop, smartphones, copiers or the organization's backup tapes. No matter what the target, the goal is the same: extract critical information, usernames and passwords.
- Physical entry: This test technique seeks to test the organization's physical controls. Systems such as doors, gates, locks, guards, closed circuit television (CCTV) and alarms are tested to see whether they can be bypassed. One popular is using bump keys for mechanical locks and Arduino boards for electronic locks.
- Bypassed authentication attack: This test technique looks for wireless access points and modems. The goal is to see whether these systems are secure and offer sufficient authentication controls. If the controls can be bypassed, an ethical hacker might probe to see what level of system control can be obtained.
Testing techniques can vary depending on the amount of knowledge the penetration testing team has about the network.
- Blackbox testing simulates an outsider attack, as outsiders usually don’t know anything about the network or systems they are probing. Simply stated, the security team has no knowledge of the target network or its systems. The attacker must gather all types of information about the target to begin to profile its strengths and weaknesses.
- Whitebox testing takes the opposite approach of blackbox testing. This type of security test takes the premise that the security tester has full knowledge of the network, systems and infrastructure. This information allows the security tester to follow a more structured approach and not only review the information that has been provided, but also verify its accuracy. So, although blackbox testing will typically spend more time gathering information, whitebox testing will spend that time probing for vulnerabilities.
- Graybox testing is sometimes referred to as partial knowledge testing. A graybox tester partially knows the internal structure.
No matter what type of pen test is executed, it is carried out to make a systematic examination of an organization's network, policies and security controls. A good pen test will also review the social component of the organization. Social engineering attacks target the organization's employees and seek to manipulate them to gain privileged information. Many of the most successful attacks over the last several years have used a combination of social and technical attack techniques. Ghostnet and Stuxnet are two such examples. If you need to update policies after performing an internal pen test, one good resource is the SANS policy project. Proper controls, policies, and procedures to which your employees have been educated can go a long way in defeating this form of attack.
Michael Gregg, CISSP, CISA, CISM, CASP, is an "ethical hacker" who provides cybersecurity and penetration testing services to Fortune 500 companies and U.S. government agencies. He's published more than a dozen books on IT security and is a well-known speaker and security trainer. Gregg is chief operations officer of Superior Solutions Inc., headquartered in Houston.