Who are we really defending from?
In all of technology, I don’t think that there is a field more misunderstood than hacking. To most, even the very word conjures up images of pimple-covered geeks with buck-teeth, staring at a bright green cursor on a black console and wielding black magic at the digital gates of a target. Some think of the modern “hactivism” movements of Anonymous and the likes, others think of stolen credit cards and breached e-commerce servers. Though these things are certainly what the media wants to portray of hacking, the reality is far, far different. I would even dare say that most of those who perform these actions aren’t even hackers – simply script-kiddies using the tools created by the best and the brightest.
So then, what is hacking? Hacking is the art of reverse-engineering protection. It is the art of gaining access. The true hackers that I have met over the years (the ones who further the art, attend the conferences, publish the exploits, etc) are puzzle-solvers, looking at firewalls and protocols as a Rubik’s Cube. There is no “evil” or “good” hacking, it’s a pursuit of knowledge – not knowledge of what your credit card number is or email account holds, but knowledge of the systems you used to secure your information. These people publish their work for the community at large, and hope that the systems they identify will be updated and provide new challenges and puzzles. Smarter mice require better mousetraps, and it is the end consumer who truly benefits.
Yes, I just said that true hackers are not a threat to, but a benefit to end-user security. And odds are, unless you’re a major multinational corporation that somehow became an interesting target for political purposes, you’ll probably never encounter one trying to break into your network.
The problem is, the tools and the whitepapers and the exploits then filter down to those less-skilled and less well-intentioned… the script-kiddies. Knowledgeable enough to be dangerous but motivated by other concepts than academic knowledge and understanding, these people wreak havoc on networks… and are usually there for one purpose – to steal your stuff. We can’t ever assume that they don’t know what they are doing, but we can assume that they will pursue any target not bolted down tight, small or large. We can also assume that they will go about their task using a variety of already-available tools that perform pre-defined actions.
This concept becomes their weakness – the things they are using against us are already existing, already accessible and will eventually be obsolete, leading them to need to find new tools and methods. If we know the tools, we can know what weaknesses we have to look out for. And if we can USE the tools… we can make sure we aren’t susceptible.
Tools of the Trade
As I mentioned before, there are numerous tools at your disposal for pentesting. The cheapest and most powerful tool is absolutely free – Backtrack Linux. Backtrack is pre-packaged to do one thing and do it well – audit networks. It comes pre-loaded with all the tools you could need, is updated routinely and runs like a champ. I love BT and have used it since v2. There’s only one problem with it: For someone learning the process or who will not use all of the tools on it, Backtrack is an overwhelming clusterf@#! of options with little to clarify how to even begin.
This is further compounded by the hardware limitations of Linux, particularly with wireless. Assuming you can get everything to work on whatever laptop you have available, you may still need a new wireless card, a second Ethernet card, and a variety of other bits and bobs to truly make an effective pentesting platform. It’s met with further limitations because that machine cannot be easily dedicated to stay on the network as an access point long-term, which is often necessary to test other important (more human) failings.
At the other end of the spectrum are the huge platforms designed by a security company for other security/auditing/pentesting companies, like CORE Impact and Metasploit Pro/Express. But these come with their own set of limitations – they run the tools that are programmed into them – often many at once – and routinely require that you disable certain network conditions in order to “properly” test. The “instant dump” of exploits can overwhelm IDSs and logging, so those routinely need to be turned off, which disables one of the key points of auditing – knowing how a problem will show up in your logs. Further adjustments to test for specific vulnerabilities prevent you from being able to audit the network that is actually running.
Of course, you get what you pay for as far as ease of use. Things like CORE Impact run thousands of dollars per license, but require little more than clicking a button to accomplish a wide array of tests. Though I agree with these methods as a convenience for those truly knowledgeable, I feel that they run afoul of the true goal – understanding why things are vulnerable, or how they are attacked. These products tell you simply “Yes, no, fix…”, which leads to a lack of understanding about what is actually going on. For all that money, you get to learn all about bugs… but nothing about exposure or how to better protect your network.
This set of circumstances means that it is very hard – particularly in smaller businesses – to find the tools necessary to properly and effectively audit. On one hand, we have an expensive vulnerability scan that’s so easy a monkey could do it, but it tells us nothing about how an attacker can get in or what they may actually accomplish once within the systems. On the other hand we have a free suite of bona fide hacking tools, but they are useless without both carefully selected hardware and the hacker that would run them.
The middle ground in this is my preferred solution, the Pwn Plug. It’s not free, but for $500 and up you get a pocket-sized powerhouse – an entire Debian Linux system in a little headless box with a network port, USB port, and all the options you need to test a network – and nothing more. Configure it, plug it into the wall, plug it into the network you’re auditing, and you’re off to the races.
Where we begin in a pentest (and valuable lessons from the RMS Titanic)
If you’ve been reading carefully so far, you’ll notice that all of the solutions listed above have a very important common point, leading to what might just be the most often heard question when introducing sysadmins to pentesting:
“All the pentesting platforms start from already being inside of the network. I’d never give some stranger a plug to go jack into my network, so why on earth would we start from there?”
It’s a perfectly rational question. If your outer perimeter is strong enough, it would be very, very hard to get into your network in the first place. Therefore, it seems like we’re skipping past the bulk of the security right off the bat – the most important security, in fact, which seems like it should be tested more thoroughly than anything else!
However, if we start from the idea that the outer layer is never breached, then there really is no point to testing anything inside the network. The guys who developed the hull of the RMS Titanic felt similarly. We all know that’s not how things work in the real world – we have to start with the assumption that our very first layer of protection (however good) has failed, and there is now someone on our network just past the router. In fact, it’s important to test at each layer of security present on the network and never, ever think your ship is unsinkable.
Pentesting tools can certainly help test your outermost layer of protection, but the reality for that outermost layer is that there are only two real-world outcomes – you either have a breach, or you don’t. If you don’t, there’s nothing to worry about. If you do, and you wasted all your time testing that and assuming it secure, you will have absolutely no clue as to what the attacker could have gained access to or how.
Most of the time, the outer layer is breached by an internal vulnerability anyway. Pretty much all of the major hacks of the past couple years have been started by “spear phishing”, using targeted emails to make employees run malicious code that sends out the first foothold for the attacker. These types of attacks are hard to prevent because they rely on the weakest link of all – reckless users. Even the best ship sinks when the user doesn’t read the warning and steers right into icebergs. No candy-coating necessary – users sometimes suck.
Just think of some of the dumb calls received by Tech Support, and ask yourself, “Can I really prevent them ALL from doing stupid things?”