
Security Architecture, Quality of Hertford Fashions Service Applications and System Infrastructure - Essay Example


Security Technical Report: Penetration Testing

April 26

This report describes the scope of testing undertaken, all notable findings, and selected remedial advice. It recaps the findings, analysis and recommendations from the assessment, which was undertaken across the Internet. It documents the findings for the security architecture, the quality of HertfordFashion’s service applications, and the system infrastructure. The purpose of the test was to use exploitation capacity to identify and validate potential vulnerabilities across the network infrastructure within scope.

1. Introduction

HertfordFashion is a leading fashion design company that runs an enormous networked environment, with its Web site as a single point of contact across vast geographical boundaries. This has made it critical to take countermeasures to avert any exploits that can cause losses. This is an important reason why such a corporation needs to invest more resources in security measures to safeguard its information assets.

2. Approaches to Ethical Hacking

The ethical hacker will try to make attacks over numerous channels, such as:

• Remote network: simulation of an attacker on a remote network who attacks the filtering routers and firewalls.
• Remote dial-up network: simulation in which a dial-up connection is used to attack telephone devices such as modems, fax, and voice mail servers, in cooperation with the local telephone service provider.
• Local network: simulation of an authorized individual, such as an employee, with network connection privileges. This type of simulation tests the client’s server security, firewalls and internal Web servers, among other security implementations.
• Stolen equipment: the majority of company employees retain sensitive data on their portable devices, such as tablets, PDAs, smartphones and laptop computers. The ethical hacker will attempt to retrieve the data from these devices, and to access servers remotely with unauthenticated credentials.
• Social engineering: this is possibly the most common unavoidable attack, and it assesses the integrity and level of awareness among the company’s personnel. This attack entails the hacker communicating with the company’s personnel by either a call or an email, and using the obtained information to acquire even more information. A typical example is the ethical hacker calling the company’s IT department, professing to be an employee who has forgotten the authentication details. If the hacker appears to have other information, the employee may be tricked into resetting the password. The remedy is creating awareness among the employees of the importance of security.
• Physical entry: this test examines the company’s physical entry security blueprints. It involves scrutinizing security guards, access controls, and surveillance apparatus.

3. Methods of attack

There are numerous ways of attacking and damaging IT systems.

Network-based attacks

Network-based attacks are security incidents on network infrastructure (computer and network components and applications) that utilise network protocol functions. This type of attack exploits vulnerabilities in both hardware and software in order to prepare and carry out attacks. These types of attack include IP spoofing, buffer overflow, sniffing, session hijacking, port scanning, denial of service attacks and format string attacks, in addition to other exploits of vulnerabilities in network infrastructure (network protocols, applications and operating systems).

Social engineering

Social engineering attacks are efforts to manipulate people with privileged knowledge into divulging security-related (sensitive) information such as passwords. For example, an attacker could pose as an IT employee of an organization in order to deceive an unsuspecting user into divulging network passwords used for authorization.
The range of attainable attack scenarios is exceptionally wide with this technique. To some extent, social engineering also covers scenarios in which sensitive information is acquired by extortion.

Evasion of physical security measures

Physical security forms the core of IT security for the technical network infrastructure. If physical security measures are bypassed and physical access to IT systems is achieved, it takes minimal time for an attack or for manipulation of data and cached applications to happen. An example is unauthorized entry to an organization’s computer facility and the removal of hard drives on which private data is stored. This class of attack also includes dumpster diving, which is the searching of waste for documents containing sensitive information (Stiawan, Idris and Abdullah, 2014).

4. Penetration Testing

Engebretson (2013) defines penetration testing as a legal and authorised attempt to locate and successfully exploit computer systems for the purpose of making the systems more secure. It is also known as hacking, red teaming, offensive security, white-hat hacking or pen testing (Engebretson, 2013). A penetration test is therefore an attempt to replicate the techniques that intruders use to secure unauthorized access to a company’s networked systems and then compromise them. A pen-test identifies the vulnerabilities and documents how they can be exploited. It also shows how small weaknesses in a system can be utilised by an attacker to infiltrate a computer or network. Pen-testing assists organizations in maintaining a balance between business functionality and technical advancement, a feature that can aid in contingency planning in case a disaster strikes.

Types of penetration testing

External Testing

External testing is the conventional approach to penetration testing. This testing puts more emphasis on the server and network infrastructure, as well as the software associated with the target. It uses publicly available data in analysis. The behavior of target host devices is observed and recorded.

Internal Testing

Internal testing utilizes a similar approach to external testing, except that testing is conducted from several network access points encompassing both the logical and physical sections.

Do-It-Yourself Testing

This is normally done by enterprises that have their own trained staff to carry out the tests.

Automated Testing

Automated testing is used by security-testing firms who specialize in security assessments. Security software is run against the target and the security state of the target is assessed. The tools attempt to mimic the attacks used by intruders. Depending on the outcome of the attacks, the tool assesses and reports on the security vulnerabilities discovered.

Manual Testing

Testing is conducted via manual assessment of the state of security by a security expert. The objective is to assess the security state of the organization from a hacker’s perspective.

Penetration Testing Procedures

The procedure for penetration testing follows the stages described below.

1. Research information regarding the target system
Computers connected to the internet are network-configured and have valid IP address blocks that are readily accessible from the organization’s database.

2. Scan network infrastructure for services on offer
Attempts are made to perform port scan operations on the computing devices being tested; open ports show the applications allocated to them.

3. Discover systems and applications
The names and versions of both the operating systems and the applications in the network infrastructure can be ascertained by “fingerprinting”.

4. Researching vulnerabilities
Information concerning vulnerabilities of particular operating systems and applications can be analysed effectively by utilising the information gathered.

5. Exploiting vulnerabilities
Identified vulnerabilities can be utilised to get unauthorized access to the network infrastructure or to prepare more attacks.

In black box testing, the ethical hacker does not have previous knowledge or information concerning a system. This is possibly the closest to a true hacking attack, since the ethical hacker will have to conduct the reconnaissance phase in the same manner as an attacker. The ethical hacker collects a lot of network and business information from Web sites and media publications, preparing for the next, more advanced hacking strategies such as port scanning and social engineering. The ethical hacker mimics what a hacker does, but legally.

In contrast to black box testing, the ethical hacker in white box testing has full prior knowledge of the system. Rassoul (2014) describes white box hacking as hacking where the ethical hackers have a more organized strategy than the typical hacker, as they have access privileges to all of the target system SRS documentation, which may incorporate frames of source code, system diagrams and manuals (Rassoul, 2014).

Penetration Testing Lifecycle

Planning Phase

In the planning phase, requirements are set, management approval is completed and well documented, and testing objectives are set and confirmed. The planning phase establishes the groundwork for the desired penetration test results. No actual testing occurs in this stage.

Pre-attack Phase

This phase is centred on collecting as much information as possible concerning the target infrastructure to be attacked. This can be either invasive or non-invasive.

Attack Phase

The information collected in the pre-attack stage forms the rationale of the attack strategy. Before deciding on the attack approach, the tester may consider performing an invasive information-collecting process such as scanning.

Post-attack Phase

This is an imperative stage of the testing process, as the tester is required to restore the network to its former state.
This includes cleaning up after the testing procedures and removing the exploits and vulnerabilities simulated.

Table 1 shows infrastructure controls and their designated control objectives.

| Control Area | Control Objectives |
|---|---|
| Architecture and Design | The design and implementation of network and application security controls that limit the target points of a successful attack from the enterprise environment. Reliable network topology; system documentation; securely designed software; reliable protocol selection; correctly set up time sources. |
| Access Control | Systems which store more sensitive data, like the servers, or which have high-privilege or administrative functions should be categorized, and access granted on a least privilege rule. These privileges should be reviewed periodically and dismissed when no longer required. Properly defined ACLs; access controls that are role oriented; authorization and authentication processes; fail-secure systems; periodic reviews undertaken. |
| Authentication | The genuine users of the system are correctly identified using suitable password management policies, and unauthorized access/intrusion is detected and prevented. Existence of default credentials; user enumeration; intrusion alerts; legal warning messages; authentic account recovery; risk-based password policy. |
| Configuration Management | Relevant security parameters are set to the defined values, which ensure maximum performance while exerting control on security, and are protected from alteration or misuse. Precisely configured services; system defaults withdrawn; system hardening effected; proper security features activated; secure build processes. |
| Cryptography | All sensitive data transmissions are sent securely over a cryptographically secure channel using established algorithms with a suitable key strength. Key data should be securely created, transmitted and protected. Suitable encryption algorithms; well-established certification authorities and standards; certificate invalidation and expiration; secure information transmission; vital material protection. |
| Patch Management | Patches for both operating systems and applications are evaluated and applied in a timely manner, ensuring minimum exposure. Key security decisions are made using a risk-based approach corresponding to the vulnerability management policy. Unsupported software; patch availability tracking; risk-based prioritization; deployment techniques; automatic missing patch detection. |
| Protective Monitoring | System audit logs are centralised for more comprehensive analysis and reporting in order to detect unauthorised access and misuse of computing resources. Proper tracing of the audit trail facilitates forensic reviews in the event of a security incident. Proper logging feature; centralised audit logs; log probe and correlation; network intrusion detection; system log integrity. |

Impact and Vulnerability Descriptions

An impact factor based on quality is linked to each vulnerability, in addition to a probability assignment of the extent of skill that an attacker would need to exploit the vulnerability. This information would help in arriving at the proper remedy in the HertfordFashion risk management efforts. The tables below show the impact and ease of exploitation factors and their associated descriptions.

Table 2

| Impact | Description |
|---|---|
| Low | Minimal effect on the business if exploited. Information divulged is of little value, with no obligation or legal consequence. Minimal to no impact in view of standards compliance. |
| Medium | Modest financial impact as a result of legal actions and reputational outcomes. |
| High | Outstanding financial loss as a result of damage to business identity by media involvement and data integrity compromise. |

Table 3

| Ease of exploitation | Description |
|---|---|
| Trivial | Readily available tools for research and exploitation. Requires minimal research and knowledge to exploit a vulnerability. |
| Moderate | Needs an average level of knowledge, skills in script programming and comprehension of the target network infrastructure. |
| Difficult | Exploitation is achieved by a capable, extremely skilled and motivated tech-savvy attacker. |

Table 4: Port Scan Details

TCP and UDP port scans were carried out on hosts to determine the services running on them.

| IP Address | TCP Ports |
|---|---|
| 10.0.0.11 | 80 (http), 443 (https) |

Table 5: Tools List

The table below is a list of open source tools (applications and software suites) used to perform the assessment.

| Tool | Description |
|---|---|
| Virtualbox or VMWare | This would allow development of various experiments for penetration testing. Can be obtained from http://www.vmware.com/uk/ and https://www.virtualbox.org/ |
| Nessus | Nessus is an automated vulnerability scanner. http://www.nessus.org/nessus/ |

Figure 1: Applications architecture (2012)

Major assets and risks

The initial step in the security assessment of the network infrastructure is the identification and classification of assets, commonly known as information sources. These sources require the maximum protection possible, as they are greatly exposed (vulnerable) to threats. The reason behind this classification is to obtain a priority list of the assets, categorized by level of vulnerability (High/Medium/Low). Some of the typical assets related to network information and IT for the enterprise include:

• Information and data
• Hardware and software
• Services
• Documents
• Personnel

Other general network infrastructure assets available for consideration are network endpoints/devices, wireless access points, Internet, UTM/firewall, core switch and routers.

Potential security threats and/or vulnerabilities

Threats can typically be classified into:

• Errors
• Malicious damage/attack
• Fraud
• Theft
• Hardware or software failure

Threats normally occur due to vulnerabilities related to the use of information resources (assets).
Vulnerabilities are features within the information resources that threats exploit to cause harm. Examples of vulnerabilities are:

• Lack of proper user knowledge
• Lack of enough security functionality
• Poor choice of passwords/weak passwords
• Untested technology (poorly tested software)
• Transmission over insecure channels (unprotected communications)

Threats and Countermeasures

A database server can be attacked and compromised in a number of ways. An attacker can exploit numerous configuration and application level vulnerabilities. The primary threats to a database server are:

• SQL injection
• Network eavesdropping
• Unauthorized server access/intrusion
• Password cracking

Most threats to an application server originate from within an organization. Typically, application servers are isolated from Internet access. The core threats to an application server are:

• Network eavesdropping
• Unauthorized access
• Viruses, Trojan horses, and worms

Viruses, Worms, and Trojan Horses

These attacks are rarely detected until they begin to consume most of the system resources, thereby slowing down or suspending the running of other applications. Most IIS application servers are likely to experience increased IIS attacks.

Vulnerabilities to application servers

• Unpatched servers
• Running unnecessary services
• Unnecessary ISAPI filters and ISAPI extensions

Countermeasures

Countermeasures deployed to mitigate the risk caused by viruses, Trojan horses, and worms include:

• Immediate upgrade to the latest versions and releases (software patches)
• Disabling or removing dormant functionality like unused extensions and ISAPI filters
• Running most of the processes in least privileged accounts mode to minimize the extent of damage in the event of an attack

Ethical Hacking & Countermeasures

1. Session Hijacking

Session hijacking describes the exploitation of a genuine computer session, where an intruder takes control of a session between two computing devices. This is achieved by stealing a valid session ID, which is used to gain entry into the network infrastructure systems and retrieve data. Session hijacking is typically of three kinds, namely TCP, blind and man-in-the-middle (MITM) hijacking.

2. Hacking Web Servers

In most cases a security breach is a source of alarm, as it causes more harm to client-enterprise relationships than the actual loss. For this reason, web server security is critical for the successful day-to-day functions of an enterprise. There are intrinsic security risks related to web servers and LANs (local area networks). Compromised network infrastructure that hosts websites, especially the web servers, can subject the corporate network or the LAN to Internet threats.

3. Web Application Vulnerabilities

A web application consists of multiple layers of functionality. Nevertheless, it is considered to be a three-layered architecture comprising presentation (user interfaces), logic, and data (databases) layers. A web application consists of a web server, the application content hosted on the web server, such as a website, and a back end comprising the databases on which the application runs. Attacks on these web applications are a result of vulnerabilities like cross-site and injection flaws, buffer overflows, etc.

4. Web-Based Password-Cracking Techniques

Authentication is the process of verifying that someone is really who he or she claims to be; generally, it entails the use of a user name and a password. Password cracking software is readily available and freely downloadable over the Internet. This software restores forgotten or stolen passwords of desktop computers and network resources. It can also be used to gain unauthorized access to enterprise resources.

5. Hacking Web Browsers

The Internet is flooded with web browsers such as Internet Explorer, Apple Safari and Mozilla Firefox, among many other browsers.
These are available in combination or as a single installation on most computers. Web browsers need to be configured securely, as they are frequently used. Most web browsers come pre-installed with the operating system, and the default settings are in most cases not securely configured. This gives rise to the need to configure the security parameters, to avoid unauthorized spyware installation and intrusion that takes over computers.

6. SQL Injection

CRUD SQL commands like INSERT, SELECT (retrieve), UPDATE, and DELETE are utilized in executing database operations. The database can be a little playing field in the programmer’s mind, who can make use of these commands to manipulate the data in the database server. According to Agarwal and Singh (2013), SQL injection is defined as a procedure that makes use of un-validated input parameters and introduces SQL commands through a web application, to be executed in a back-end database.

7. Hacking Database Servers

Database servers hold critical data for corporate, customer, and financial entities. Attackers may hold this data hostage in exchange for monetary gain. This can be detrimental to an organization, as it can sink the organization both economically and reputation-wise. Attackers use a TCP port scan to find both commercial and open source database servers on the network. Once the database server has been detected, a port scan is made to the TNS Listener. By utilizing SQL injection, attackers have the capacity to alter privilege level settings from a low level to database administrator level.

Table 6 shows the HertfordFashion vulnerabilities, their exploitation and the associated recommendations.

| Vulnerability | Exploitation | Recommendations |
|---|---|---|
| Predictable Session Identifiers. SecurityToken is created using a predictable algorithm. | An attacker requesting a particular page has the capacity to decode, learn and reverse engineer the algorithm with ease. | Use a well-known, existing session management library. For example, ASP.NET has libraries for user state, e.g. the session state safely handles application database state storage as well as client session management. |
| Extreme dependency on Client-Side Validation. The validation of client data is not implemented on the server side, making it possible to enable disabled fields. | An attacker would simply need to change the browser security settings, selecting the disable JavaScript option, to bypass the validation procedures. | Configure data validation procedures that ensure a default deny policy and restrict character classes to acceptable values. |
| SQL Injection Allowed Arbitrary Database Access. The web application accepts the injection of SQL queries through several input fields. | Access, data mining and command execution through specific database packages are achievable by use of the many available SQL injection tools. | Configure data validation procedures that ensure a default deny policy and restrict character classes to acceptable values. |
| Unauthorised Execution of Administrative Functions. Various privilege levels are not fully enforced. The application does not correctly confirm that the user is fully authorized to perform the operations requested. | The functionality is precisely for administrative users after a successful authentication. | Re-design the application logic and access controls to make sure that requests to execute high-privilege operations require that the calling user is sufficiently permitted to execute such functions. |
| No consistent account lockout for some group of End-User Accounts. The web application does not impose an account lockout threshold for some group. An attacker could perform any number of login attempts. | Automated brute-force tools are available for most of the protocols providing authentication, especially HTTP. They can be easily configured and used with little IT knowledge or hacking skill. | Consider introducing an account lockout procedure that limits the number of login attempts. Industry standards set the maximum number of failed logon attempts in a range of 3 to 5 attempts. |
| Weak Password Complexity Rules. The web application does not fully allow enforcement of minimum complexity rules for passwords. | A brute-force attack could take an amateur a few seconds to guess the right password. | Consider introducing functionality that enables the implementation of a minimum password strength, which can be set to conform to the laid-out security policy and best practices. |
| Forgotten Password Feature is subject to abuse. The web application’s automatic password generator utilizes a predictable method for creating passwords. | An attacker with an account and an associated valid email address can discover this vulnerability. | Consider introducing a function that requires the user to be authenticated and forced to set their password to a value which is in line with a suitable password policy. |
| Web Server Default/Test Content. The application web server had default and development content present and accessible to users. | In most of the tested cases, genuine requests for known default content locations will get the content. | Get rid of the default, outdated, development and test data from production web servers. |

Recommendations summary

Considering the impact on the enterprise as shown by the penetration test, optimum resources need to be allocated to ensure that contingency policy is adhered to and that remedial efforts are made in a timely fashion. Some of the important items that need to be factored in include:

1. Introduce change control to all systems: wrong configurations and insecure deployment operations were found across the enterprise systems. Change control processes on servers thoroughly mitigate the vulnerabilities that arose.

2. Introduce periodic firewall rule set reviews: there should be periodic reviews of the set firewall rules to ensure maximum intrusion defense.
Reference should be made to NIST SP 800-41 for principles on firewall configuration.

3. Introduce a comprehensive patch management program: operate a uniform patch management program as stipulated in the NIST SP 800-40 guidelines. This forms an important feature in maintaining strong security. It helps to reduce the attack surface that results from operating unpatched internal services.

4. Perform periodic vulnerability assessments: it is the duty of organizations to conduct vulnerability assessment exercises as part of an effective organizational risk management strategy. The organization will be able to establish which security controls are in place. Some of the questions that need to be answered are: are the policies and controls properly installed? If so, are they performing as intended, and are they bringing the desired outcomes? It is therefore recommended that NIST SP 800-30 be referenced for proper guidelines in conducting a good risk management program.

5. Limit the network access to server management interfaces: proper network architecture segmentation will decrease the number of internal attacks against the application server and web server environments. The HertfordFashion enterprise will thrive in a proper e-commerce business environment with little or no exposure to internal systems attack. FIPS 191 provides clear guidelines on maximizing the security of local area networks.

6. Limit the access to critical systems: it is recommended that the HertfordFashion database servers be located separately from other network systems. Some database control measures should be introduced to limit the number of commands needed to execute a business operation. This should conform to a system design concept where levels of privilege are set. A system design with such a feature greatly reduces the extent of damage that can be inflicted on corporate resources. NIST SP 800-27 RevA provides proper principles for achieving a security foundation for IT systems.

7. Apply industry methodologies for secure software design: software designers should implement low-level coding for any credentials within the custom applications. This will enable the users to easily interact with the systems and provide the required credentials so as to access confidential and sensitive data. This is a sure way of providing better security, where audit trails can be used to link particular business operations/actions to specific user accounts.

Works cited

1) Agarwal, M. and Singh, A. (2013). Metasploit penetration testing cookbook. Birmingham, UK: Packt Publishing.
2) Allen, L. (2012). Advanced penetration testing for highly-secured environments. Birmingham: Packt Pub.
3) Bradbury, D. (2011). Hacking wifi the easy way. Network Security, 2011(2), pp.9-12.
4) Coleman, E. (2012). Coding freedom. Princeton: Princeton University Press.
5) Ec-Council. (2009). Web Applications and Data Servers. Course Technology Ptr.
6) Engebretson, P. (2013). The basics of hacking and penetration testing. Amsterdam: Syngress, an imprint of Elsevier.
7) Forte, D. (2010). Preventing and investigating hacking by auditing web applications. Network Security, 2010(2), pp.18-20.
8) Henry, K. (2012). Penetration testing. Ely, Cambridgeshire, U.K.: IT Governance Pub.
9) Hurley, C. (2007). WarDriving & [and] wireless penetration testing [learn the methods used by professionals to perform WarDriving and wireless penetration testing; perform wireless penetration testing using Linux, OS X, and Windows; coverage of WarDriving with handheld devices and direction finding; your guide to mapping WarDrives]. Rockland, MA: Syngress.
10) Klevinsky, T., Laliberte, S. and Gupta, A. (2002). Hack I.T. Boston: Addison-Wesley.
11) Malin, C., Casey, E., Aquilina, J. and Rose, C. (2014). Malware forensics field guide for Linux systems. Amsterdam: Elsevier.
12) Nemati, H. (2011). Pervasive information security and privacy developments. Hershey, PA: Information Science Reference.
13) Pattyn, B. (2009). Justification in the Liberal Era. Ethical Perspectives, 16(2), pp.165-188.
14) Schneier, B. (2004). Hacking the business climate for network security. Computer, 37(4), pp.87-89.
15) Stiawan, D., Idris, M. Y. and Abdullah, A. H. (2014). Penetration Testing and Network Auditing: Linux. Journal of Information Processing Systems.
16) Simpson, M. (2012). Hands-on ethical hacking and network defense. New York: Wadsworth Publishing Co.
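
The report's Table 6 findings on client-side-only validation and SQL injection both recommend server-side validation with a default deny policy and restricted character classes. The following added example (not part of the original report, and not HertfordFashion code) shows that control beside the flaw it addresses; the `customers` table, the function names and the sample rows are constructed for illustration, and the bound query parameter is an addition that goes beyond the report's validation-only recommendation.

```python
import re
import sqlite3

# Default-deny rule (assumed policy for this example): a username is accepted
# only if every character is in an explicitly allowed class and the length is
# bounded. Anything not listed is rejected, rather than listing "bad" characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def build_demo_db():
    """Create an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The flaw described in Table 6: the input becomes part of the SQL text."""
    query = (
        "SELECT username, email FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(query).fetchall()


def validate_username(username):
    """Server-side check; it runs no matter what the browser did or skipped."""
    if not isinstance(username, str) or USERNAME_RE.fullmatch(username) is None:
        raise ValueError("username rejected by server-side validation")
    return username


def lookup_parameterized(conn, username):
    """Bound parameter: the value is passed as data and never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM customers WHERE username = ?",
        (username,),
    ).fetchall()


def lookup_hardened(conn, username):
    """Both layers: default-deny validation first, then a bound parameter."""
    return lookup_parameterized(conn, validate_username(username))


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed input of the kind a tester submits through a form field.
    crafted = "nobody' OR '1'='1"

    print("vulnerable rows   :", len(lookup_vulnerable(db, crafted)))
    print("parameterized rows:", len(lookup_parameterized(db, crafted)))
    try:
        lookup_hardened(db, crafted)
    except ValueError as exc:
        print("hardened          :", exc)
    print("legitimate lookup :", lookup_hardened(db, "alice"))
```

The concatenated query returns every customer row for the crafted input, the bound query returns none, and the validated path rejects the input before any SQL is run.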

Service driven approach means that the requirements of an infrastructure are broken down into multiple components; each component providing a distinct service and each service is autonomous.... “Just as the Databases were at the center of design of applications of the 70s and 80s, Components are at the center of design of the applications of the 90s and the next century” – David Vaskevitch, VP, Microsoft.... he large scale success of component-based architecture has lead to the development of service Oriented Architectures (SOA)....
12 Pages (3000 words) Essay

Service-Oriented Architecture

Thus, for solving this problem in the old system development, a new development approach was introduced that is known as an agile method.... Basically, agile software development approach is based on some rules which can be changed according to the changing requirements of software projects On the other hand, SOA (service oriented architecture) refers to a communication framework that is initiated to support communications between services (Rouse, 2008).... There is a strong relationship between agile approaches and service oriented architecture....
12 Pages (3000 words) Assignment

MEMETECH Technical Infrastructure Security Plan

The paper "MEMETECH Technical infrastructure Security Plan" discusses that the plan will be designed to respond to a dynamic environment, as well as providing the adaptable framework in addressing the emerging and evolving risk to crucial infrastructure.... The infrastructure security plan established the approach for setting plans, identify the infrastructure and combine threat information, vulnerability, and consequence to produce a rational assessment, systematic, or company risk and develop security mechanisms and resilience strategies, and measure their effectiveness....
7 Pages (1750 words) Case Study

Improving Security in Web Services-Based Services Oriented Architectures

The security mechanisms in web services demand the continuous monitoring of the system by system administrators and application developers.... This paper proposes a new architecture for securing a web service from attacks of all kinds.... These security parameters need to be satisfied in any type of internet application or service.... Such service-Oriented Architectures are more interactive with many standards....
9 Pages (2250 words) Report

The Design Procedures, and Successful Implementation Principles for Service Oriented Architecture

The business management systems in the system are made in X-Integrate software.... Definitions Service oriented architecture is an approach that is applied in information technology whereby applications are made to use the available services for instance the World Wide Web.... In the implementation of the service oriented architecture, applications can be developed so as to use services or making some of the applications to be available as services so that they can be used by other applications....
18 Pages (4500 words) Coursework
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us