One view of a Penetration Test in a Data Network
February 4, 2012
Introduction
The digital world differs in almost nothing from the real world; it can be defined as a reflection of how we live today. This is the starting point for understanding the concept of computer security and its associated areas. Within auditing, penetration tests serve as a feedback process that contributes to a high degree to the securing, management and maintenance of information systems. This is the challenge to be faced when confronting and interacting with the digital world, knowing beforehand that there must be controls over a diversity of users to guarantee a balance that allows operation, through schemes that prevent, detect and react to behaviors that in some cases have not been contemplated in present legislation.
Computer security is, then, a set of rules, called security policies, which are implemented and supported by schemes involving hardware, software and people, and which additionally rely on processes such as auditing for their evaluation and update; auditing can and must be alternated with penetration tests for their benefits. This document aims to create a methodology oriented to penetration tests that covers a high percentage of the most common weaknesses of a technological platform.
Description
Penetration tests form part of the securing, maintenance and evaluation processes of information systems. Their mission is to test the security policies implemented on a technological platform, using a set of techniques that result in an analysis demonstrating all the weaknesses that put the confidentiality, integrity and availability of information at risk. This gives a starting point for making adjustments to the security policies and generates feedback to other processes, real knowledge of the present situation, and a basis for determining the optimization and/or application of new technologies and processes that increase the degree of reliability.
Objective
The general objective of a penetration test is, by means of its execution, to detect weaknesses and to contribute recommendations to the security process of a technological platform; it also seeks to enrich the continuous improvement processes of the audit, management and maintenance of an information system.
Justification
Technology has facilitated and notably improved the way companies work and has brought speed to their operation through the use of information systems, continuously generating better performance that is reflected in the satisfaction of the end client. Unfortunately, this goes along with a series of serious disadvantages when the technology does not operate correctly. Apparent losses of performance in servers, continuous disconnection of workstations and frequent outages of communication channels are just some examples of what companies experience at present, where probably the most serious problem is ignorance of the causes of these problems for lack of knowledge, tools or specialized services. It is even worse when the organization faces the use of the Internet as a means of marketing its goods and as a basic tool for its operation.
Facing this almost obligatory alternative is a challenge that must be confronted seriously, since information systems are notably at risk and must therefore be protected through a culture of continuous improvement, generating a security policy that is fully open to change but mandatory in its fulfillment. Finally, the most advisable technologies for the company's working environment are determined and applied, and these must reflect 100% the decisions taken in the established policy.
Penetration tests must be carried out once the operation and security policies are defined; the technological infrastructure must also be 100% secured, and the results must feed back into the audit process, with which the cycle of continuous improvement is to be generated.
Resources
Human
You must have a team whose knowledge covers the following areas: operating systems, networking, applications and telephony. In addition, it is important to have contact with and/or access to the underground world (recognized groups of hackers).
Methodology
International policies and standards
As an introduction to the proposed methodology, the existing international policies and standards in which penetration tests become vital are mentioned. Although penetration tests are only a single task within these, it is very important to know the context in which they are carried out. What follows is a brief review of the standards that have arisen over time, as well as those in use at present.
International Technology Security Evaluation Criteria (ITSEC)
Developed by European countries, it arose from the combination of the criteria of the Orange Book and the best European evaluation criteria; additionally, it covers integrity and availability, which were not contemplated in the TCSEC.
Common Criteria (CC)
Represents the efforts of the international community to align and develop security evaluation criteria, as a result of the European and North American standards. The Common Criteria combines the best elements of the ITSEC, the CTCPEC (of Canada) and the North American Federal Criteria (FC). The intention of the Common Criteria is to identify and evaluate characteristics of products and systems, which are ratified by standard ISO 15408.
ISO 27002
This is based on the continuation of the 1995 British standard BS7799 and was developed to provide coherence with the controls involved in information security best practices, and the only source of information is the company C & A Systems Security LTD.
Proposed basic methodology
Description
The global vision for carrying out penetration tests takes an integral physical and logical perspective, both internal and external to the target; by analogy, it is described as the integration and comparison between the real world and the virtual world. Consequently, the scientific method is applied as the methodology to follow, from which are derived the processes of information gathering, analysis of the information and formulation of hypotheses, experimentation (development and use of tools) and, finally, documentation of the results and conclusions. Through analysis of the results obtained in each of these processes, the strategy and tactics to use are established. The proposed strategy is supported by several known techniques, such as social engineering, common sense and the application of hardware and software tools. Four phases have been defined that seek to contribute information to the process of securing information, with the results obtained and based on the cycle of prevention, detection and response.