by M.E. Kabay

Penetration testing, Part 1

Feb 04, 2003 · 3 mins

* How a student got physical access to a corporate building

Once again I would like to share an essay from a student, one that describes network penetration tests to determine a company’s vulnerabilities.

Mark Fischer is a student in the first cohort of the Norwich University Master of Science in Information Assurance program. He has very kindly consented to share one of his essays with readers of this newsletter.

The students’ assignment was: “Interview appropriate colleagues in your organization and discuss real cases of penetration or, if there have been none (or if your organization has never noticed any), discuss the possible consequences of hypothetical penetration scenarios.” What follows is a lightly edited version of Fischer’s essay.

* * *

This report describes one of the penetration tests that I conducted on a client and identifies the vulnerabilities, viewed from the perspective of the attackers, that led to our success.

The target was a large insurance company with hundreds of employees on multiple floors of a large high-rise office building. It has an established IT audit function and a small IT security staff. For brevity I will refer to the target company as Acme Corp. – with no offense to Wile E. Coyote (whose dynamite and other attack tools always come from Acme) or to any real Acme Corporations.

My colleague and I were charged with examining both the physical security of the client and its internal network security. The first part was to determine how hard it would be for an outside attacker to gain access to the network. The second was to see how well defended the network was against an outsider or insider attack. This was done with a minimum of knowledge on the part of the client to test their IT staff’s ability to detect and respond to the attack. In this series of three articles, I’ll summarize the three main aspects of this penetration: physical security, social engineering, and network security.

Physical Security

Gaining access to the physical spaces of the target was simple, as they occupied about six floors of a high-rise office building. There was no security in the lobby, and we could easily take the elevator to the right floors. The first thing we did was take the elevator to the highest floor and walk down the stairwell. At each floor we used a piece of duct tape to disable the lock on the stairwell door. The door closed, but did not lock. That gave us continuing access after hours in the event the elevators locked at a certain hour (they did).

We grabbed some empty file folders with the company logo and stuffed some blank paper in them. Carrying those gave us some visual credibility – we must work there, we have Acme file folders, right? We encountered many people, but no one questioned us about our lack of company ID badges.

Finally we plugged in our laptops and ran a few quick scans to get a feel for the network, what type of machines were there, what operating systems, etc. We didn’t do any attacks, just reconnaissance. After that, dinner and a night of planning the network attacks.

* * *

Mark Fischer is the founder and Managing Director of Security Guild, LLC, an information security consulting company. He is a Certified Information Systems Security Professional (CISSP) and a graduate of the Rochester Institute of Technology. He has been building and breaking systems and networks for more than 15 years.