Security Basics mailing list archives

Re: network auditing


From: "Lee Rich" <lee.rich () wlga gov uk>
Date: Wed, 15 Oct 2003 10:06:52 +0100

One thing that a lot of people forget is that it's not just how well you implement security on your hardware/network, 
but how those legitimate users cope with security. I'm sure you've heard the phrase 'loose lips sink ships'. A major 
part of any attack will be to obtain access to the target system with valid credentials. Social Engineering is the 
phrase we're looking for.

You could have all the security holes under the sun and a firewall riddled with holes, but if the hacker can get a valid 
user/pass combo they won't even bother to 'hack' away and maybe flag themselves up.

Security is a field whereby you not only deal with your IT, but you educate the users of your IT on best practices and 
policies.

Also, don't just look at what ports are open, look at what kinds of access you have from outside. Does your system have 
a modem waiting on a phone line which you use for administration?

Think outside the box. (pun intended)

-Lee Rich
securirty () wlga gov uk

-----Original Message-----
From: cc <cc () belfordhk com>
To: Security Basics <security-basics () securityfocus com>
Sent: 14/10/2003 11:20
Subject: network auditing


Hi,

I was just reading the thread on the "NASA security Audit"
and felt that perhaps I should think of a way to audit
two networks that I'm in charge of.

I'm relatively new at security issues (esp. audits,
penetration tests, etc..) so perhaps someone could
clarify some questions.

Does one really need a certification in order to
do all this auditing?   Right now, I'm learning
the whole security process on my own and as it
stands, it's quite overwhelming.

I have a firewall and an IDS set up (just learnt not
to tell anyone what type.. *grin*), so all I'm
interested in knowing is whether or not I can
drill through the firewall and make it such that
the attack is undetected.

Sure I can go out and ask people to test the
networks; but as far as I know, that's a very
stupid thing to do. (Am I correct?)

I've read about the 'blackbox' and 'crystal' tests
(from the NASA Audit thread) and would like to know
how I can apply those tests, especially what type
of tools required.  (Or should I even bother?)

So far, (if someone can tell me if I've
gotten this concept of an audit right) I've
grasped that an external audit is as
follows:

1) Port scan the target network IP.
2) Get the list of open/closed ports that are available
   (probably just Open ports, right?)

3) For each port use a specific tool to gain
   access (starting from a simple approach to
   a more technically involved approach), i.e.
   for the ftp port, use ftp.

4) If simple access isn't available (i.e. cannot
   do any ftp password guessing either by
   brute force or dictionary approach to
   standard account names), then try using
   particular vulnerabilities in that protocol
   to attack/gain access to the system.

That's basically it, right?

Are there any particular books that I should take
a gander at?

Thank you for your help in understanding
this overwhelming topic.





