
Penetration testing -- Social engineering, IDS and honey pots


Russell Dean Vines
07.17.2007


This is the sixth and last installment of a six-part penetration testing tutorial for consultants and value-added resellers (VARs). Here we'll look at the human element of social engineering testing, examine the role of intrusion detection systems (IDS) and look at the function of honey pots.

Social engineering

Social engineering describes the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of inappropriate trust relationships. It exploits the human side of computing, using the art of manipulation to trick someone into providing valuable information or allowing access to that information.

Social engineering is the hardest form of attack to defend against because it cannot be prevented with hardware or software alone. A company may have rock-solid authentication processes, VPNs, or firewalls, but still be vulnerable to attacks that exploit the human element.

Social engineering can be broken into two types: human-based, which relies on person-to-person interaction, and computer-based, which uses software to automate the attempt to engineer information.

Common techniques used by an intruder to gain either physical access or system access are:

Some examples of successful social engineering attacks are:

For example, an attacker may impersonate someone in an organization and make phone calls to employees of that organization requesting passwords for use in maintenance operations.

Some companies may want you to include some type of social engineering attempt in your pen test. Be sure your authorization to conduct such a test is bullet-proof, however, as some departments may get really unhappy when the SE is conducted. Sometimes the test disturbs employees and makes them feel like they're being spied on.

The only real defense against social engineering attacks is an information security policy that addresses such attacks and educates the users about these types of attacks.

Intrusion detection systems (IDS)

The IDS monitors packets on the network wire and endeavors to discover if a tester is attempting to break into a system.

Two common types of IDS:

After capturing packets, a good IDS uses several techniques to identify behavior as an attack, such as protocol stack verification and application protocol verification.

Protocol stack verification looks for intrusions, such as "Ping-O-Death" and "TCP Stealth Scanning", that use violations of the IP protocols to attack. The verification system can flag invalid packets, and it can also flag valid but suspicious behavior, such as frequent fragmented IP packets.
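A minimal sketch of protocol stack verification, added here as an illustration and not taken from the original article or from any IDS product: it parses IPv4 headers, flags a fragment that would push the reassembled datagram past 65,535 bytes, and flags a source that sends frequent fragments. The function names, the `FRAG_THRESHOLD` value and the sample headers are assumptions constructed for the example.

```python
import struct
from collections import Counter

MAX_DATAGRAM = 65535   # largest legal reassembled IPv4 datagram, in bytes
FRAG_THRESHOLD = 3     # assumed tuning value: fragments per source before flagging

def make_header(src, total_len, more_frags=False, offset_units=0):
    """Build a constructed 20-byte IPv4 header (sample input, checksum left 0)."""
    flags_frag = (0x2000 if more_frags else 0) | offset_units
    addr = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag,
                       64, 1, 0, addr(src), addr("192.0.2.1"))

def parse_ipv4(raw):
    """Extract the fields the verification rules need."""
    if len(raw) < 20:
        raise ValueError("truncated header")
    vihl, _, total_len, _, ff, _, _, _, src, _ = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    return {"version": vihl >> 4, "ihl": (vihl & 0x0F) * 4, "total_len": total_len,
            "mf": bool(ff & 0x2000), "offset": (ff & 0x1FFF) * 8,
            "src": ".".join(map(str, src))}

def verify_stack(headers):
    """Return (severity, source, reason) alerts for a sequence of raw headers."""
    alerts, frags = [], Counter()
    for raw in headers:
        try:
            p = parse_ipv4(raw)
        except ValueError as exc:
            alerts.append(("invalid", "unknown", str(exc)))
            continue
        if p["version"] != 4 or p["ihl"] < 20 or p["total_len"] < p["ihl"]:
            alerts.append(("invalid", p["src"], "malformed header fields"))
            continue
        # Protocol violation: the fragment would end past the 65,535-byte limit.
        if p["offset"] + p["total_len"] > MAX_DATAGRAM:
            alerts.append(("invalid", p["src"], "fragment exceeds maximum datagram size"))
        # Valid but suspicious: many fragments from one source.
        if p["mf"] or p["offset"]:
            frags[p["src"]] += 1
            if frags[p["src"]] == FRAG_THRESHOLD:
                alerts.append(("suspicious", p["src"], "frequent fragmented packets"))
    return alerts

SAMPLE = [  # constructed traffic using documentation address ranges
    make_header("192.0.2.10", 84),
    make_header("198.51.100.7", 1500, True, 0),
    make_header("198.51.100.7", 1500, True, 185),
    make_header("198.51.100.7", 1040, False, 370),
    make_header("203.0.113.5", 1500, False, 8189),
]
```

Calling `verify_stack(SAMPLE)` yields one "suspicious" alert for the fragmenting source and one "invalid" alert for the oversized fragment; the unfragmented packet raises nothing.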

Application protocol verification looks for intrusions that use invalid protocol behavior, such as "WinNuke", which uses NetBIOS protocol (adding OOB data), or DNS cache poisoning, which has a valid but unusual signature.

Since many IDS simply rely on matching the patterns of well-known attack scripts, they can easily be evaded by simply changing the script and altering the appearance of the attack. For example, some POP3 servers are vulnerable to a buffer overflow when a long password is entered. This may be easy to evade by simply changing the password script.

Another way to avoid IDS detection is to send a TCP SYN packet that the IDS sees, but the victim host never sees. This causes the IDS to believe the connection is closed when in fact it is not. Depending upon the router configuration, a tester can first flood the link with high priority IP packets, and then send a TCP FIN as a low priority packet. This may result in the router's queue dropping the packet.

Honey pots

A honey pot is a program or system on the network intentionally configured to lure intruders. It can simulate one or more network services running on an available port, in the hope that an attacker will attempt an intrusion. An attacker assumes that you are running vulnerable services, and a honey pot can be used to log access attempts to those ports, including the attacker's keystrokes.

Honey pots are most successful when run on known servers, such as HTTP, mail, or DNS servers, because these systems advertise their services and are often the first point of attack. They are often used to augment the deployment of an IDS.

A honey pot is configured to interact with potential testers in such a way as to capture the details of their attacks. These details can be used to identify what the intruders are after, their skill level, and what tools they use.

Honey pots should be physically isolated from the real network and are commonly placed in a DMZ. All traffic to and from the honey pot should also be routed through a dedicated firewall. A honey pot is usually configured by installing the operating system using defaults -- no patches -- along with an application designed to record the activities of the intruder.

Evidence of an intrusion into a honey pot can be collected through:

A properly configured honey pot monitors traffic passively, doesn't advertise its presence, and provides a preserved prosecution trail for law enforcement agencies.
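The logging and evidence-preservation behavior described above, as an added example that is not from the original article or any honey pot product: a fake service records what a client sends, and each record is chained to the previous one by SHA-256 so later alteration is detectable. The function names, the loopback address, port 2323 and the `login: ` banner are assumptions for the sketch.

```python
import asyncio, hashlib, json, time

GENESIS = "0" * 64  # chain anchor for the first record

def record_event(log, src_ip, port, data, now=None):
    """Append one access attempt; each record commits to the previous one."""
    entry = {"time": now if now is not None else time.time(),
             "src": src_ip, "port": port, "data_hex": data.hex(),
             "prev": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry

def verify_chain(log):
    """Return the index of the first altered record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != digest:
            return i
        prev = entry["hash"]
    return -1

async def serve(log, host="127.0.0.1", port=2323, banner=b"login: "):
    """Fake service: show a banner, record what the client types, never act on it."""
    async def handle(reader, writer):
        src = writer.get_extra_info("peername")[0]
        writer.write(banner)
        await writer.drain()
        try:
            data = await asyncio.wait_for(reader.read(1024), timeout=30)
        except asyncio.TimeoutError:
            data = b""
        record_event(log, src, port, data)
        writer.close()
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(serve([]))  # in-memory log for the sketch only
```

In a real deployment the records would be forwarded off the honey pot as they are written, since a chain stored only on the lured host can be rebuilt by whoever controls it.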

A good list of honey pot vendors can be found at Honeypots.net.

Possible drawbacks to honey pot implementation

It's important to be aware of the legal issues that arise from implementing a honey pot. Some organizations discourage the use of honey pots citing the legal concerns of luring intruders, and feel that no level of intrusion should be encouraged.

Before the intrusion occurs it is advisable to consult with local law enforcement authorities to determine the type and amount of data they will need in order to prosecute, and how to properly preserve the chain of evidence.

Also, as the honey pot must be vigilantly monitored and maintained, some organizations feel it is too resource-intensive for practical use.

About the author
Russell Dean Vines is a bestselling author, Chief Security Advisor for Gotham Technology Group, LLC, and former President of the RDV Group. His most recent book is The CISSP and CAP Prep Guide, published by John S. Wiley and Sons.

