-
September 17th, 2003, 03:00 AM
#1
Member
Security Auditing Question
For my Applied Information Systems Security class, one of our project options is to audit a company's systems. Since my future father-in-law runs a lumber yard, I am taking that option. Here is a link to the project description. It is option number 3.
My question is, how can I find out what's legal? We have already signed a contract giving us permission to audit the system in just about any way we want, but what is going "too far"? Thanks!
-
September 17th, 2003, 03:21 AM
#2
I think that if you have the permission of the owners of the infrastructure you can basically go to town!! But just be sure that you don't DoS any of their machines.
Before you start, get a good understanding of their environment.
Use tools carefully such as Nikto (or Whisker) and test the strength of their website, and use Nessus (again, carefully) to test the security of the hosts on the internal network.
You will also want to take care in handling your results. Maybe encrypt all of your documentation with PGP or similar just in case they fall into the wrong hands! Also any confidential information you gather that won't or shouldn't be included in your report should be adequately destroyed.
Remember....Rule number 1 in the real world is to cover your own arse
Nessus gives you some damn fine results and suggestions to fix them.
SoggyBottom.
There were so many fewer questions when the stars were still just the holes to heaven - JJ
I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.
-
September 17th, 2003, 03:40 AM
#3
Member
Good call. We put a non-disclosure clause in the contract. We will be doing a full physical survey of the location, to determine things like A/V software, physical access to machines, firewall, etc.
But would something like trojaning a user's PC in order to gain access to server passwords be too much? Not that I am considering that, but I am afraid of going too far...
-
September 17th, 2003, 03:58 AM
#4
But would something like trojaning a user's PC in order to gain access to server passwords be too much? Not that I am considering that, but I am afraid of going too far...
You don't want to open them up to any vulnerabilities or holes in the security, rather try to close or report potential holes. Depending on what they give you access to... you don't need a trojan to gain access to their password DB. Just tell them in order to audit you need to test their password policies and point out potential weaknesses.
security audit: Of data processing operations, an independent review and examination of system records and activities to (a) determine the adequacy of system controls, (b) ensure compliance with established security policy and operational procedures, (c) detect breaches in security, and (d) recommend any indicated changes in any of the foregoing.
http://www.atis.org/tg2k/_security_audit.html
Vulnerability scanners and review of their policies may be the best bet to start with.
NOTE: I've never actually performed a security audit... but I remember reading a nice paper on auditing security on securityfocus. You might want to take a good look at it.
http://securityfocus.com/infocus/1697
You are not trying to "crack" into their network per se... just trying to find ways that it could be done and then trying to prevent someone else from doing just that.
-
September 17th, 2003, 04:08 AM
#5
Member
Originally posted here by phishphreek80
You don't want to open them up to any vulnerabilities or holes in the security, rather try to close or report potential holes. Depending on what they give you access to... you don't need a trojan to gain access to their password DB. Just tell them in order to audit you need to test their password policies and point out potential weaknesses...
So like testing their passwords via john the ripper or similar methods?
-
September 17th, 2003, 04:37 AM
#6
it might be nice if you appeared professional and started off by checking for service packs, hotfixes, services running, password policy, permissions...things like that then work your way up. if you waltz in and start cracking passwords (excuse me...testing password strength) and scanning for vulns you're going to be seen as anything but pro
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
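The password-policy review suggested above (check the policy settings before any password strength testing), as an added example that is not from this thread: it parses the output of the Windows `net accounts` command (a constructed sample here, not real audit data) and reports settings that fall outside an assumed baseline.

```python
# Constructed sample of `net accounts` output; the layout mirrors what the
# command prints on a Windows host, the values are made up for this example.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Baseline thresholds are assumptions for this example, not a published standard;
# "min" means the setting must be at least the limit, "max" at most the limit.
BASELINE = {
    "Minimum password length": ("min", 8),
    "Maximum password age (days)": ("max", 90),
    "Length of password history maintained": ("min", 5),
    "Lockout threshold": ("max", 10),
}

def parse_net_accounts(text):
    """Turn each 'label:   value' line into a dict entry; 'Never'/'None' become None."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.split(":", 1)
        value = value.strip()
        settings[label.strip()] = None if value in ("Never", "None") else value
    return settings

def check_policy(settings, baseline=BASELINE):
    """Return findings for settings that are disabled or outside the baseline."""
    findings = []
    for label, (kind, limit) in baseline.items():
        value = settings.get(label)
        if value is None:  # policy not enforced at all ("Never"/"None" or absent)
            bound = "at least" if kind == "min" else "at most"
            findings.append(f"{label}: not enforced (should be {bound} {limit})")
            continue
        number = int(value)
        if kind == "min" and number < limit:
            findings.append(f"{label}: {number} is below the baseline of {limit}")
        elif kind == "max" and number > limit:
            findings.append(f"{label}: {number} exceeds the baseline of {limit}")
    return findings

if __name__ == "__main__":
    for finding in check_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print("FINDING:", finding)
```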
-
September 17th, 2003, 04:46 AM
#7
Member
Originally posted here by Tedob1
it might be nice if you appeared professional and started off by checking for service packs, hotfixes, services running, password policy, permissions...things like that then work your way up. if you waltz in and start cracking passwords (excuse me...testing password strength) and scanning for vulns you're going to be seen as anything but pro
lol. You are right; we are not just going to start off with nmap and a copy of the latest MS DCOM exploit.
We are being graded on this, and it would not reflect highly on us if we didn't examine their policies before attempting any kind of vulnerability mapping. I know that an audit is not simply trying to crack some servers.
Thanks for all the replies; keep 'em coming!
-
September 17th, 2003, 06:23 AM
#8
Do you have permission to scan within the network, or does it have to be a remote scan?
If you can perform the audit at a local level (or even remotely), I would definitely give eEye's Retina a try. You can grab the trial with most features at http://www.eeye.com/html/Products/Retina/
Retina keeps an updated list of new vulns, so I imagine it would be very useful in your case!
Good luck
It's 106 miles to Chicago, we've got a full tank of gas, half a pack of cigarettes, it's dark and we're wearing sunglasses.
Hit it!
-
September 17th, 2003, 06:32 AM
#9
Member
Originally posted here by Showtime8000
Do you have permission to scan within the network, or does it have to be a remote scan?
If you can perform the audit at a local level (or even remotely), I would definitely give eEye's Retina a try. You can grab the trial with most features at http://www.eeye.com/html/Products/Retina/
Retina keeps an updated list of new vulns, so I imagine it would be very useful in your case!
Good luck
We can do both remote and local. I'll check Retina out!
-
September 17th, 2003, 06:49 AM
#10
You might also want to assess the "less fun" security aspects of the company.
As already previously stated, check out the company's security policies/standards/procedural documents etc...
I also think that the users' security awareness plays a big part, and is possibly the hardest to address. Look to see if users lock their PCs, put passwords on their monitors etc..
SoggyBottom.
There were so many fewer questions when the stars were still just the holes to heaven - JJ
I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.