Finding Weakness in Today's Networks
Evaluating the security of an internal network environment can be accomplished in several ways. We routinely field a number of questions about internal network security assessments. A few of the most common concern:
- Internal Penetration Test vs Internal Vulnerability Assessment
- Authenticated or Unauthenticated Assessment
- To White List or Not to White List
- Black Box, Grey Box or White Box
- Patch Management Reporting
The following is some insight into these different areas.
Internal Penetration Test vs Vulnerability Assessments
The easy answer is both are good, and both should be performed. These are really two different assessments that happen to use some of the same tools and skill sets. A vulnerability assessment is geared towards finding and reporting vulnerabilities. These assessments can also give you an indication as to how your patch management solution is working. The Internal Penetration Test, on the other hand, will give you an indication as to what an attacker can do when they get onto your network. (And yes, we meant to say “when” and not “if”.)
An internal Vulnerability Assessment is normally accomplished using software to scan all network devices for missing patches and configurations that could make them vulnerable. To be effective, this scan is done using network credentials (see “Authenticated or Unauthenticated” below) and is not designed to mimic a real attack. It is more of an administrative assessment to help accurately identify all weaknesses and vulnerabilities. The end deliverable is a comprehensive report on all vulnerabilities that exist in your environment.
Internal Penetration Tests are meant to give a “real world” picture of how an attacker would operate once they have access to the internal network. Rather than identify all possible vulnerabilities, the Internal Penetration Test demonstrates how effective internal security controls can be at detecting and preventing an attacker from achieving their objective. Internal Pen Tests have stated goals, called flags, established prior to the engagement. The test is completed once the set number of flags is reached or the allotted time is reached. The flags can be access to specific systems, data sets, or elevated user level access. Internal Pen Testing can be performed in several ways (see “Black Box, Grey Box or White Box” below). A lot of these are performed in two parts. The first part is usually performed without user credentials. This would show what an attacker would do with physical access to a network jack. The second part is performed with basic user credentials. This demonstrates how an attacker could proceed if they had access to a user system and session, such as when malware gets run on an internal workstation. The report of an Internal Penetration Test is a detailed narrative of attack methods and shows where internal controls may have failed.
Many of our clients have both an Internal Penetration Test and a Vulnerability Assessment performed concurrently in the same engagement; however, some opt to alternate these every other year.
Authenticated or Unauthenticated
Internal vulnerability scanning software can be run with administrative level credentials or without. When an unauthenticated scan is performed, the software has no access to the workstations and servers themselves. Open ports will be identified and tested for vulnerabilities. If a system or device has no open ports, little if anything will be reported on that system. This results in a report showing few vulnerabilities, which may give administrators “warm and fuzzies”, but unfortunately does not show the reality of what systems may be vulnerable.
Why? Because most attacks and breaches in the modern world start from the inside out. Phishing emails, malicious attachments, or compromised websites are opened by users, allowing the malware to run on the workstation directly, and the breach progresses from there. Very few attacks nowadays involve the attacker “hacking” their way past your firewall. Why do all that work when you can get an authenticated user on the inside to run your malware and let you on their PC?
These “Inside Out” attacks take advantage of vulnerabilities in applications, such as the web browser, office applications, Java, PDF readers, etc. When a system is scanned with administrative level credentials, the engineer and scanning tools can see what is installed on each system and look at the different applications and files to determine their version and any associated vulnerabilities. The information the assessment can glean from this type of scanning is far greater than what an unauthenticated scan provides. It also can virtually eliminate false positives because the scanner does not have to guess what is installed on each system. The report may be a little longer, but it will contain the detailed and comprehensive information that can help admins know what is really happening on their network.
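The coverage difference described above, worked through as an added example (not part of the original article and not any scanner's actual logic). Host names, products, versions and advisory ids are constructed placeholders, and the unauthenticated view is assumed to read an accurate version from the service banner.

```python
# Constructed sample data: hosts, products, versions and advisory ids are
# illustrative placeholders, not output from any real scanner or feed.
ADVISORIES = [  # (advisory id, product, first fixed version)
    ("EXAMPLE-0001", "openssh-server", "9.6"),
    ("EXAMPLE-0002", "pdf-reader", "23.8.2"),
    ("EXAMPLE-0003", "web-browser", "121.0"),
    ("EXAMPLE-0004", "java-runtime", "8.0.401"),
]

HOSTS = {
    "ws-01": {  # workstation: nothing listening, only client-side software
        "listening": {},
        "installed": {"pdf-reader": "23.1.0", "web-browser": "118.0",
                      "java-runtime": "8.0.401"},
    },
    "srv-01": {  # server: one network service plus locally installed Java
        "listening": {22: ("openssh-server", "9.3")},
        "installed": {"openssh-server": "9.3", "java-runtime": "8.0.301"},
    },
}

def parse_version(version):
    """Turn '23.8.2' into (23, 8, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def scan(host, authenticated):
    """Return the advisory ids a scan of this host is able to report."""
    if authenticated:
        # Credentialed scan: reads the software inventory directly.
        visible = dict(host["installed"])
    else:
        # Unauthenticated scan: only sees what answers on an open port.
        visible = {prod: ver for prod, ver in host["listening"].values()}
    return {aid for aid, prod, fixed in ADVISORIES
            if prod in visible
            and parse_version(visible[prod]) < parse_version(fixed)}

def coverage_gap(hosts):
    """Per host, the findings only the authenticated scan reports."""
    return {name: sorted(scan(h, True) - scan(h, False))
            for name, h in hosts.items()}

if __name__ == "__main__":
    for name, missed in coverage_gap(HOSTS).items():
        print(f"{name}: missed without credentials -> {missed}")
```

The workstation with no open ports produces an empty unauthenticated report even though its browser and PDF reader are behind on patches, which is the clean-looking result the article cautions against.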
To White List or Not to White List
Many networks have Intrusion Prevention Systems (IPS) on the internal network and/or on systems. During an Internal Vulnerability Assessment or Internal Penetration Test, these host-based IPS systems can see the testing activity as hostile and block or deny access. Is this good or bad?
The answer depends on the assessment. Remember, the goal of an Internal Vulnerability assessment is not to mimic an attacker but to help administrators identify installed applications and associated vulnerabilities. An IPS will block access, muddy the waters, and result in an inaccurate picture of what vulnerabilities may exist. In this case, you will want to create exclusions or “whitelist” the scanning device to allow it to get its job done. This will give you a comprehensive and accurate report on all vulnerabilities, which is what you want from an Internal Vulnerability Assessment.
In the case of an Internal Penetration Test, the assessment is showing the effectiveness of your internal controls, so you can leave the IPS enabled. This will allow you to see how this control detects and responds to internal threats, and how an attacker may be able to circumvent the defenses. In some cases the security engineer may request whitelisting during an Internal Penetration Test as well, depending on the agreed-upon scope and goals of the assessment.
Black Box, Grey Box or White Box
In a Black Box type of engagement, the security engineer is not given any information about the network. In a White Box type of engagement, the security engineer is given full knowledge of the network infrastructure, and Grey Box is somewhere in between.
Black, Grey or White does not matter to us. It is your assessment and we are happy to test using your preferred methodology. Keep in mind that the less information we have, the longer the assessment will take, and therefore Grey and Black Box tests tend to cost more.
In the end, the ultimate goal of any internal network security assessment is to help protect your systems and data by finding weaknesses and vulnerabilities before they can be exploited by the bad guys. Making sure the methodology matches the goals helps to ensure you get what you need out of your assessments.
Authored By: Philip VanMeerhaeghe, CISSP