Recognized Assessment Standards

This book is written in line with the most important assessment standards, USA NSA IAM and UK CESG CHECK, which the United States and the United Kingdom use for government and critical national infrastructure testing and assurance.

NSA IAM

The United States National Security Agency (NSA) has provided an INFOSEC Assessment Methodology (IAM) framework to help consultants and security professionals outside the NSA provide assessment services to clients in line with a recognized standard. The NSA IAM homepage is http://www.nsa.gov/isso/iam/index.htm.

The IAM framework defines three levels of assessment related to testing of IP-based computer networks:

  1. Assessment. This level involves discovering a cooperative high-level overview of the organization being assessed, including access to policies, procedures, and information flow. No hands-on network or system testing is undertaken at this level.

  2. Evaluation. Evaluation is a hands-on cooperative process that involves testing with network scanning and penetration tools and the use of specific technical expertise.

  3. Red Team. A Level 3 assessment is noncooperative and external to the target network, involving penetration testing to simulate the appropriate adversary. IAM assessment is nonintrusive, so within this framework, a Level 3 assessment involves full qualification of vulnerabilities.

This book covers only the technical network scanning and assessment techniques used within Levels 2 (Evaluation) and 3 (Red Team) of the IAM framework, since Level 1 assessment involves high-level cooperative gathering of information, such as security policies.

CESG CHECK

The Government Communications Headquarters (GCHQ) in the United Kingdom has an information assurance arm known as the Communications and Electronics Security Group (CESG). In the same way that the NSA IAM framework allows security consultants outside the NSA to provide assessment services, CESG operates a program known as CHECK to evaluate and accredit security testing teams within the United Kingdom to undertake government assessment work. The CESG CHECK homepage is accessible at http://www.cesg.gov.uk/site/check/index.cfm.

Unlike the NSA IAM, which covers many aspects of information security (including review of security policy, anti-virus, backups, and disaster recovery), CHECK squarely tackles the area of network security assessment. A second program is the CESG Listed Adviser Scheme (CLAS), which covers information security in a broader sense and tackles areas such as BS7799, security policy creation, and auditing.

To correctly accredit CHECK consultants, CESG runs an assault course to test the attack and penetration techniques and methods demonstrated by attendees. The unclassified CESG CHECK assault course notes list the areas of technical competence relating to network security assessment:

  • Use of DNS information retrieval tools for both single and multiple records, including an understanding of DNS record structure relating to target hosts

  • Use of ICMP, TCP, and UDP network mapping and probing tools

  • Demonstration of TCP service banner grabbing

  • Information retrieval using SNMP, including an understanding of MIB structure relating to target system configuration and network routes

  • Understanding of common weaknesses in routers and switches relating to Telnet, HTTP, SNMP, and TFTP access and configuration

The following are Unix -specific competencies:

  • Demonstration of common user enumeration attacks including finger, rusers, rwho, and SMTP techniques

  • Use of tools to enumerate Remote Procedure Call (RPC) services and demonstrate an understanding of the security implications associated with those services

  • Demonstration of enumerating, mounting, and manipulating NFS exported directories to gain access to files

  • Detection of insecure X Windows servers

  • Demonstration of vulnerabilities associated with poorly configured or vulnerable versions of the following:

  • FTP services allowing anonymous access

  • Common Unix web services

  • TFTP services

  • R-services (rsh, rexec, and rlogin)

  • Samba services

  • SNMP services

Here are Windows NT-specific competencies:

  • Tools that enumerate system details through the NetBIOS service, including users, groups, shares, domains, domain controllers, and password policies

  • Demonstration of user enumeration through RID cycling

  • Tools that brute-force valid username and password combinations remotely

  • Demonstration of remotely mapping network drives and accessing registries of remote hosts upon authenticating

  • Detecting and demonstrating presence of known security weaknesses within the following services:

  • Internet Information Server (IIS)

  • The IIS Web service

  • The IIS FTP service

  • SQL Server

  • SNMP services

This book clearly documents assessment in all these listed areas, along with background information to help you gain a sound understanding of the vulnerabilities presented. Although the CESG CHECK program assesses the methodologies of consultants who wish to perform U.K. government security testing work, internal security teams of organizations and companies outside the United Kingdom should be aware of its framework and common body of knowledge.