Network Security Assessment
Overview
In a Network Security Assessment, the risk level is determined by first gaining access to the client's network, either from the Internet or from within the LAN, then attempting to discover the vulnerabilities of every terminal (host/node) reachable on that network, and finally carrying out a simulated intrusion. Rather than relying only on scanning tools, automated diagnosis tools and simplified penetration tests, we use a set of analytic methods developed from our own experience of network analyses. This set of methods lets us point out precisely and specifically where the client's network is vulnerable and why.
Features
- Every host present in the analysed segment is targeted for host-to-host risk evaluation
- All external threat vectors are considered, including the Internet, dial-up/modem lines, connections to partners, and wireless connections
- Intrusion is initiated without alerting the administrator and is then expanded via the domino effect [1]
Client briefing prior to analysis
In this briefing we confirm the analysis procedure and the means of communication and coordination between the client and our team of analysts. The attack/intrusion phase described later is also intended to test the client's ability to detect network anomalies, so the client should prepare in advance the steps and measures to be taken when our activity on the network is detected as abnormal.
Diagnostic phase - 1: environment survey
Environmental diagnostic phase
This part of the analysis begins by researching the connection points into the client's network.
Connection points:
Internet, inter-partner private network, dial-up connections, and wireless LAN access points
A list of these public and private connection points is prepared and submitted, so that the client has a complete picture of what exists.
Network information
Once the client's network information has been collected, the analysis moves on to the next phase. A briefing session may be required before the next stage begins.
Post-environment survey briefing
If the network topology and connection points we actually discover differ greatly from the information supplied by the client (for example, if a number of undocumented hosts and dial-up connection points are found), we may ask for a briefing session with the person in charge. Its purpose is to report the survey result to the client before the post-analysis briefing, and to reconfirm the scope of our diagnostic work.
Diagnosis phase - 2: analysis
Analysis phase
The attack/intrusion phase that follows the analysis is carried out both from outside and from inside, each separately. The external analysis looks for ways an outsider can break into the client's systems; the internal analysis focuses mainly on how an authenticated user can escalate to super-user privileges. The two sides are linked: once an attacker has gained entry from outside, s/he can exploit the internal weaknesses, so the damage can spread in a chain, the "domino effect". In the subsequent analysis/measures phase the results of both sides are combined to determine the total vulnerability of the client's environment. The vulnerability assessment that our analysis team compiles before the end of the diagnostic phase is submitted with the report as an appendix.
"Domino effect" is ...
An intruder who has a foothold on a network node that seems unrelated to the systems and domain holding crucial personal information and intellectual property can extend the intrusion link by link, like a row of falling dominoes, until s/he reaches the goal: those systems and their domain. "Domino effect" refers both to this hacking method and to the situation in which attackers can take advantage of such a chain of vulnerabilities. An example chain from a real assessment:
- On the business network of an infrastructure company, SNMP was in use; its community name had been changed from the default
- However, a networked printer and its administrative account had no password
- SNMP was also running on the printer, and browsing the printer's configuration gave the intruder the community names and other important information
- Using the obtained SNMP information, an attempt to log on to a Cisco router succeeded
- The Cisco router's configuration file disclosed account names and password hashes
- After the passwords were recovered from these, login attempts to the DC (domain controller) server with the newly obtained accounts succeeded
- With the DC's administrator privilege the SAM was obtained, and at the same time the SAM files of all hosts in the domain were obtained
- Almost all business hosts were compromised
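The router step of the chain above turns on two things: a configuration file that leaks credential material, and the fact that Cisco "type 7" passwords are reversible obfuscation rather than hashes. As an added example (not code from the original page or from the assessment service it describes), the Python below triages a constructed IOS-style configuration: it recovers type 0 and type 7 passwords and SNMP community strings outright, flags type 5 (md5crypt) values as candidates for offline cracking, and marks type 8/9 secrets as strong. The sample configuration, its user names, passwords and placeholder hashes are constructed for this illustration and belong to no real device.

```python
"""Credential triage for a Cisco IOS-style configuration file.

Added example for the router step of the chain above; not code from the
original page or from the assessment service it describes. SAMPLE_CONFIG is
constructed for this illustration and belongs to no real device. Type 7 values
are reversed with the fixed, publicly known XOR key that IOS uses; type 5
(md5crypt) values are only classified, not cracked.
"""
import re

# Fixed key behind "service password-encryption" (type 7). This is obfuscation,
# not encryption: anyone holding the config can reverse it without cracking.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

_TYPE_NOTES = {
    "0": "cleartext",
    "5": "md5crypt hash: crack offline (fast, GPU-friendly)",
    "7": "reversible obfuscation: plaintext recovered",
    "8": "PBKDF2-SHA256: strong, wordlist attack only",
    "9": "scrypt: strong, wordlist attack only",
}

# username <name> [privilege N] password|secret [type] <value>
# enable password|secret [type] <value>      (no type digit means cleartext)
_CRED_RE = re.compile(
    r"^\s*(?:username\s+(?P<name>\S+)(?:\s+privilege\s+\d+)?|enable)"
    r"\s+(?P<kind>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$",
    re.MULTILINE,
)
_SNMP_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(?P<community>\S+)(?:\s+(?P<mode>RO|RW))?",
    re.MULTILINE,
)


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits give the key offset, the
    rest is hex, and byte i is XORed with key[(offset + i) % len(key)]."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed type 7 value: {encoded!r}")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])  # ValueError if not hex
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 8) -> str:
    """Forward direction, included only to show the scheme is symmetric."""
    body = bytes(c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(plain.encode("ascii")))
    return f"{seed:02d}{body.hex().upper()}"


def triage_config(config: str) -> list:
    """One finding per credential-bearing line, with plaintext where it can be
    recovered without cracking (types 0 and 7, SNMP communities)."""
    findings = []
    for m in _CRED_RE.finditer(config):
        ptype = m.group("type") or "0"
        f = {"principal": m.group("name") or "enable", "kind": m.group("kind"),
             "type": ptype, "value": m.group("value"), "plaintext": None,
             "note": _TYPE_NOTES.get(ptype, "unknown type")}
        if ptype == "0":
            f["plaintext"] = f["value"]
        elif ptype == "7":
            try:
                f["plaintext"] = decode_type7(f["value"])
            except ValueError:
                f["note"] = "type 7 value malformed"
        findings.append(f)
    for m in _SNMP_RE.finditer(config):
        mode = m.group("mode") or "RO"
        if mode == "RW":
            note = "RW community permits SNMP set; on IOS this can export the running config"
        else:
            note = "RO community exposes device and routing data"
        findings.append({"principal": f"snmp:{m.group('community')}",
                         "kind": "community", "type": "-",
                         "value": m.group("community"),
                         "plaintext": m.group("community"), "note": note})
    return findings


def recovered_credentials(config: str) -> dict:
    """principal -> plaintext for everything recoverable without cracking."""
    return {f["principal"]: f["plaintext"]
            for f in triage_config(config) if f["plaintext"]}


# Constructed sample; the type 5 and type 9 values are placeholders, not digests.
SAMPLE_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 5 $1$abcd$PLACEHOLDER.not.a.real.md5crypt
enable password 7 060506324F41
username admin privilege 15 password 7 0822455D0A16
username backup password 0 Summer2024
username ops secret 9 $9$PLACEHOLDER.not.a.real.scrypt
snmp-server community public RO
snmp-server community s3cr3t-rw RW
"""

if __name__ == "__main__":
    for f in triage_config(SAMPLE_CONFIG):
        print(f"{f['principal']:<18} type {f['type']:<3} "
              f"{f['plaintext'] or '-':<12} {f['note']}")
```

In the chain above, the recovered plaintexts and any cracked type 5 hashes are what get replayed against the domain controller, so the report should list every principal whose secret was recoverable from the configuration and recommend replacing `password 7` and `secret 5` lines with type 8/9 secrets and restricting SNMP community use.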
Diagnostic phase - 3: attack/intrusion
Attack/intrusion phase
This phase lets us analyse to a depth that automatic diagnosis tools can never reach. Auto-diagnosis tools often report vulnerabilities but cannot determine whether they are actual threats, and they work only within the boundaries of TCP/IP networking.
In the attack/intrusion phase our analyst works through the analysis manually. By attempting unauthorized access as an internal user, and by simulating break-ins via the Internet, data networks, wireless and dial-up connections, our engineer evaluates the client's hidden internal and external vulnerabilities.
This simulated attack also tests the client's intrusion detection system and the anomaly detection ability of its users and system administrators. We therefore start with hard-to-detect methods and gradually shift to easier-to-detect ones.
Our analyst combines the information about the client's environment gathered during the initial survey with known vulnerability information, and runs simulated attacks under various scenarios to expose the real threats hidden in the client's network.
The milestones of the simulated attacks are agreed with the client. Normally we analyse without disrupting the target system, so the client's data and services are left undisturbed. On request we can put a specified target system into a DoS state as part of the analysis; in that case we work closely with the client's system administrator at an agreed time (at night, for instance).
Diagnostic phase - 4: analyses/measures
Analyses/measures phase
The results of the preceding phases are analysed, and prioritised suggestions and measures for improving the client's security are proposed. The final report describes the specific vulnerabilities, insecure practices, settings, administration and network design, and other factors, together with recommendations. For the items reported, see the sample report items below.
Analysis result briefing
In this session we go through the key points of the analysis result, present the methods used in the simulated attacks, and hold a Q&A between the client and our analysis team.
Report items and formats
Sample report items are listed below. Note that the environment, resources and scope of work differ for each client. The report is delivered in hard copy and/or PDF format.
Reported contents
Report agenda
Executive summary, analysis target, external/internal vulnerability information summary, analysis procedure, background, environment survey phase, attack/intrusion phase, suggestion/measure proposal and summary, network mapping, vulnerability information, suggestion/measure proposal, configuration/administration, user authentication / password administration, network design, DNS zone transfer information, host-targeted penetration results, account information obtained in the course of the analysis, Windows NT/2000-specific information, NFS vulnerability information, NetBIOS vulnerability information, network mapping, and others
Case study
Analysis pattern per site network
Branch LAN
- Size: about 50 PCs, a router and a firewall
- Analysis duration: 1-2 days
Central office LAN
- Size: PCs laid out in several 27-bit (/27) segments, one router, firewalls and a DMZ server
- Analysis duration: 3 days to 1 week
Large-scale LAN
- Size: PCs laid out in several 24-bit (/24) segments, routers, firewalls, DMZ servers and multiple access points
- Analysis duration: 1 week or more