
Understanding Security Vulnerabilities: Pentests as the Basis for Enhanced Security

Reading time approx. 6 minutes
02.10.2024

It is crucial to ensure that computer systems and networks are adequately protected, particularly when operating in environments with sensitive data. Security is a continuous process, and the requirements for a secure system are constantly evolving. Staying up-to-date and regularly assessing protection against attacks and malware is key. Recently, our admin team participated in a training session on this very topic. In this blog post, our Xperts have summarised the most important points and compiled them into a concise format.

Pentesting: A Building Block for Security

Pentesting, short for penetration testing, is a method for systematically assessing the security of computer systems or networks. IT security specialists simulate targeted attacks to uncover vulnerabilities before real attackers can exploit them. The goal is to identify and fix security gaps and thereby make the system more resilient. Pentests can be conducted by internal or external specialists; when opting for external specialists, make sure they have a strong reputation and relevant experience, and that the engagement is covered by a written agreement.

The 5 Phases of Pentesting:
  1. Preparation
  2. Information Gathering
  3. Evaluation and Risk Analysis
  4. Execution of Attacks
  5. Reporting

Preparation: The First Step Towards a Successful Pentest

A brief summary of the preparation phase:

  • Define objectives: Clearly outline and describe the goals for the pentest. These objectives should be jointly established by both the client and the pentester.
  • Consider legal aspects: Ensure the pentest complies with all relevant laws and regulations. This protects both parties from potential legal consequences.
  • Organisational requirements: Specify which systems and areas will be tested and who within the organisation will be responsible for coordinating with the pentester.
  • Time planning: Select an appropriate time to minimise the impact on the systems to be tested and avoid disrupting regular operations.
  • Written documentation: All conditions and agreements should be documented in writing and signed by both parties.

Information Gathering: Knowledge is Power

During the information gathering phase, all available sources are used to collect data on the target systems and potential vulnerabilities.

  • Social engineering: extracting information from employees, contractors and other stakeholders
  • Reconnaissance tools: Maltego (OSINT link analysis), nmap (host and port scanning) and Wireshark (traffic capture and analysis)
  • Dumpster diving: searching the target organisation's waste for printouts, media and notes
  • Online resources: company websites, social media profiles and job portals (which often reveal the technology stack in use)

Comprehensive information gathering creates a detailed picture of the target environment and serves as a foundation for the next steps.

Evaluation and Risk Analysis: Setting Priorities

The collected information is evaluated based on its usefulness for the pentest assignment. This includes selecting targets for potential attacks and focusing on systems with identified vulnerabilities. Precise documentation and clear communication with the client are essential at this stage. In addition, any risk to the production environment (outages, data corruption, triggered alarms) must be identified and discussed with the client before an attack is executed.

Execution of Attacks: The Stress Test

In this phase, the planned attacks are carried out. The actual risk posed by a suspected vulnerability is assessed by attempting to exploit it; where an attack would endanger production systems, it may be skipped or replaced by a dry run that demonstrates the vulnerability without completing the exploit. All findings and any deviations from the plan should be carefully documented.

Examples of attacks:

  • People: CEO fraud, advance-fee fraud ("Nigerian prince" scams), romance scams
  • Networks: MAC table flooding, OSPF eavesdropping and route manipulation, STP manipulation
  • Software: buffer overflow attacks, fuzzing, malicious routines
  • Hardware: malicious USB sticks, keyloggers, vandalism, theft
  • Systems: malware, enrolment in a botnet ("zombification"), backdoors, crypto miners
  • Services: DNS cache poisoning, ARP spoofing, SSL stripping (downgrading HTTPS to HTTP)
  • Infrastructure: destruction, unauthorised physical access, doors or entry points deliberately left open

These diverse attack methods cover a wide range of potential threats.

Reporting: Results and Recommendations

The reporting phase involves detailing each testing step. Discovered vulnerabilities are evaluated and documented according to the risk of a potential attack and its impact. Recommendations for mitigating vulnerabilities and risks are included in a report, and the results are presented to selected stakeholders.

Recommendations for reporting: Standard tools and file formats should be used in reporting, and terminology and language should be consistent to ensure readability. Since the final report addresses various audiences, a glossary is necessary to make technical terms easily accessible. Additionally, centralised storage and version control are recommended to facilitate access and make changes to the report more transparent.

Finally, we would like to provide a brief overview of the most important tools, methods, and vulnerabilities.

Network Statistics and Tools: The Technical Foundation

Network statistics and tools play a crucial role in IT security. Network cards and their configuration are fundamental elements for the functioning and management of networks. The right network tools help admins maintain oversight and detect potential threats early. It is important to note that these tools can also be used by cybercriminals to scout and exploit vulnerabilities.

Built-in Tools and Additional Tools for Information Gathering

  • netstat: displays network connections, listening ports and their status (on Windows, `netstat -ano` also shows the owning PID).
  • services.msc: graphical interface for managing Windows services.
  • `sc query type= service state= all`: queries all Windows services and their status from the command line (note the space after each `=`).
  • iftop: displays network traffic per connection in real time (Linux).
  • Resource Monitor (resmon.exe): provides insights into system resource usage, including per-process network activity.
  • Netcat: a versatile tool for opening, listening on and relaying TCP/UDP connections, also known as the "Swiss Army knife" of networking.
  • ping and tracert / traceroute: basic tools for diagnosing reachability and the route packets take.
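The tools above only help if someone actually reads their output. As an added example (not from the original post or the training it summarises), the following Python script parses the output of `netstat -ano` and pulls out the two things an admin or a pentester looks for first: services bound to every interface (reachable from the network, not just localhost) and established connections to addresses outside the internal ranges. The sample output is constructed for the example, and the set of "internal" networks is an assumption you should adapt to your own address plan.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `netstat -ano` output (Windows); not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49712     203.0.113.7:4444       ESTABLISHED     6644
  TCP    192.168.1.20:49801     192.168.1.5:445        ESTABLISHED     4
  TCP    [::]:3389              [::]:0                 LISTENING       1180
  UDP    0.0.0.0:161            *:*                                    2208
"""

# Assumption: these ranges are "internal". Adapt to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]
WILDCARD_HOSTS = {"0.0.0.0", "::"}


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: Optional[int]
    foreign_host: str
    foreign_port: Optional[int]
    state: str
    pid: int


def _split_endpoint(endpoint: str):
    """Split 'host:port' or '[v6]:port' into (host, port); '*:*' yields ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Socket]:
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or unknown protocol
        # UDP rows have no State column, so the PID is always the last field.
        state = parts[3] if len(parts) == 5 else ""
        local_host, local_port = _split_endpoint(parts[1])
        foreign_host, foreign_port = _split_endpoint(parts[2])
        sockets.append(Socket(parts[0], local_host, local_port,
                              foreign_host, foreign_port, state, int(parts[-1])))
    return sockets


def exposed_listeners(sockets: List[Socket]) -> List[Socket]:
    """Sockets bound to all interfaces: reachable from the network, not only localhost."""
    return [s for s in sockets
            if s.local_host in WILDCARD_HOSTS
            and (s.proto == "UDP" or s.state == "LISTENING")]


def _is_internal(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # '*' or unparsable: not a remote peer we can judge
    return any(addr in net for net in INTERNAL_NETS)


def external_connections(sockets: List[Socket]) -> List[Socket]:
    """Established TCP connections whose peer lies outside INTERNAL_NETS."""
    return [s for s in sockets
            if s.state == "ESTABLISHED" and not _is_internal(s.foreign_host)]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    print("Listening on all interfaces:")
    for s in exposed_listeners(socks):
        print(f"  {s.proto:<4} port {s.local_port:<6} PID {s.pid}")
    print("Connections to external hosts:")
    for s in external_connections(socks):
        print(f"  PID {s.pid} -> {s.foreign_host}:{s.foreign_port}")
```

On a real host, feed it the output of `netstat -ano` and compare the PIDs against `tasklist` or `Get-Process`; an established connection from an unexpected process to an external address on an odd port (here PID 6644 talking to port 4444) is exactly the kind of thing a reverse shell or crypto miner produces.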

Network Cards and Configuration: Maintaining an Overview

The configuration and monitoring of network cards are essential for network security:

  • `ipconfig` (`ipconfig /all` for MAC addresses, DHCP and DNS settings): displays the IP configuration on Windows.
  • `Get-NetAdapter` (PowerShell): provides detailed information about network adapters, including link state and driver.
  • `ip a` and `ifconfig`: the Linux equivalents for viewing (and, with `ip`, modifying) the network configuration.

Vulnerabilities: The Achilles' Heel of IT

IT systems are inherently exposed because of the software components they run. Vulnerabilities that are overlooked during development and quality assurance become entry points for attackers. The BSI's IT-Grundschutz catalogue lists 47 elementary threats, ranging from fire and eavesdropping to resource shortages and targeted attacks. Exploits are pre-built routines designed to take advantage of such vulnerabilities.

Vulnerability Scans: Proactive Security

Vulnerability scans check IT systems for known security gaps. A first pass can be done manually with Nmap (port scan plus service and version detection), while dedicated scanners such as OpenVAS, Nessus and InsightVM/Nexpose automate the process and match detected software versions against vulnerability databases. Several of these products come in free and paid professional editions. All of them produce a list of detected vulnerabilities, which is then analysed and prioritised, and from which matching exploits can be selected.

CVE: Standardised Vulnerability Naming

The Common Vulnerabilities and Exposures (CVE) system provides a unified naming convention for publicly known vulnerabilities so that the same flaw is not reported under several names. Each vulnerability is identified by a unique CVE identifier, e.g., CVE-2017-5754 for the Meltdown vulnerability. The CVE entry itself does not rate severity; that is done separately with the Common Vulnerability Scoring System (CVSS), which turns a vector of metrics (attack vector, complexity, required privileges, impact on confidentiality, integrity and availability, and so on) into a score from 0.0 to 10.0.

Exploits: The Tools of Cybercriminals

Exploits take advantage of software bugs, classically memory-corruption bugs such as buffer overflows, to execute attacker-controlled code. Once an exploit has gained control of the target, it delivers a payload, for example a reverse shell or a dropper for further malware. Public exploits can be sourced from online repositories such as Exploit-DB or from frameworks that bundle exploit modules, such as Metasploit (included in Kali Linux). They are free and customisable, but adapting one to a specific target version usually requires programming skills.

Conclusion

The tools and techniques presented here are double-edged—they are valuable for securing and monitoring networks, but they can also be used by cybercriminals to identify and exploit vulnerabilities. Therefore, it is crucial for admins to be aware of these threats and take appropriate measures to protect their networks and counter potential attacks. A systematic approach that considers technical, organisational, and legal aspects is key to a robust IT security strategy.


Sources:

Federal Office for Information Security
CVEdetails