This is the sixth and last installment of a six-part penetration testing tutorial for consultants and value-added resellers (VARs). Here we'll look at the human element of social
engineering testing, examine the role of intrusion detection systems (IDS) and look at the function of honey pots.
Social engineering describes the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of inappropriate trust relationships. It exploits the human side of computing, using the art of manipulation to trick someone into providing valuable information or allowing access to that information.
Social engineering is the hardest form of attack to defend against because it cannot be prevented with hardware or software alone. A company may have rock-solid authentication processes, VPNs, or firewalls, but still be vulnerable to attacks that exploit the human element.
Social engineering can be broken into two types: human-based, person to person interaction; and computer-based interaction using computer software that automates the attempt to engineer information.
Common techniques used by an intruder to gain either physical access or system access are:
- Asserting authority or pulling rank
Professing to have the authority, perhaps supported with altered identification, to enter the facility or system.
- Intimidating or threatening
Browbeating the access control subjects with harsh language or threatening behavior to permit access or release information.
- Praising, flattering or sympathizing
Using positive reinforcement to coerce the subject into providing access or information for system access.
Some examples of successful social engineering attacks are:
- Emails to employees from a tester requesting their passwords to validate the organizational
database after a network intrusion has occurred
- Emails to employees from a tester requesting their passwords because work has to be done over
the weekend on the system
- An email or phone call from a tester impersonating an official who is conducting an
investigation for the organization and requires passwords for the investigation
- An improper release of medical information to individuals posing as medical personnel and
requesting data from patients' records
- A computer repair technician convinces a user that the hard disk on his or her PC is damaged and irreparable, and installs a new hard disk for the user. The technician then takes the hard disk, extracts the information, and sells the information to a competitor or foreign government.
For example, an attacker may impersonate someone in an organization and make phone calls to employees of that organization requesting passwords for use in maintenance operations.
Some companies may want you to include some type of social engineering attempt in your pen test. Be sure your authorization to conduct such as test is bullet-proof, however, as some departments may get really unhappy when the SE is conducted. Sometimes the test disturbs employees and makes them feel like they're being spied on.
The only real defense against social engineering attacks is an information security policy that addresses such attacks and educates the users about these types of attacks.
Intrusion detection systems (IDS)
The IDS monitors packets on the network wire and endeavors to discover if a tester is attempting to break into a system.
Two common types of IDS:
- Signature Recognition
Like virus scanners, signature recognition IDS engineers code a pattern recognition for every tester technique.
- Anomaly detection
A "baseline" of such stats as CPU utilization, disk activity, user logins, file activity, etc., is measured. This type can detect attacks without specific coded patterns.
After capturing packets, a good IDS uses several techniques to identify behavior as an attack, such as protocol stack verification and application protocol verification.
Protocol stack verification looks for intrusions, such as "Ping -O-Death" and "TCP Stealth Scanning" that use violations of the IP protocols to attack. The verification system can flag invalid packets, which can include valid, but suspicious, behavior such as frequent fragmented IP packets.
Application protocol verification looks for intrusions that use invalid protocol behavior, such as "WinNuke", which uses NetBIOS protocol (adding OOB data or DNS cache poisoning, which has a valid but unusual signature.
Since many IDS simply rely on matching the patterns of well-known attack scripts, they can easily be evaded by simply changing the script and altering the appearance of the attack. For example, some POP3 servers are vulnerable to a buffer overflow when a long password is entered. This may be easy to evade by simply changing the password script.
Another way to avoid IDS detection is to send a TCP SYN packet that the IDS sees, but the victim host never sees. This causes the IDS to believe the connection is closed when in fact it is not. Depending upon the router configuration, a tester can first flood the link with high priority IP packets, and then send a TCP FIN as a low priority packet. This may result in the router's queue dropping the packet.
A honey pot is a program or system on the network intentionally configured to lure intruders. They
can simulate one or more network services running on an available port, hoping that an attacker will attempt an intrusion. An attacker assumes that you are running vulnerable services, and a honey pot can be used to log access attempts to those ports such as the attacker's keystrokes.
Honey pots are most successful when run on known servers, such as HTTP, mail, or DNS servers, because these systems advertise their services and are often the first point of attack. They are often used to augment the deployment of an IDS.
A honey pot is configured to interact with potential testers in such a way as to capture the details of their attacks. These details can be used to identify what the intruders are after, their skill level, and what tools they use.
Honey pots should be physically isolated from the real network and are commonly placed in a DMZ. All traffic to and from the honey pot should also be routed through a dedicated firewall. A honey pot is usually configured by installing the operating system using defaults -- no patches -- and the application designed to record the activities of the intruder.
Evidence of an intrusion into a honey pot can be collected through:
- The honey pot's firewall logs
- The honey pot's system logs
- Intrusion detection systems or other monitoring tools
A properly configured honey pot monitors traffic passively, doesn't advertise its presence, and provides a preserved prosecution trail for law enforcement agencies.
A good list of honey pot vendors can be found at Honeypots.net.
Possible drawbacks to honey pot implementation
It's important to be aware of the legal issues that arise from implementing a honey pot. Some organizations discourage the use of honey pots citing the legal concerns of luring intruders, and feel that no level of intrusion should be encouraged.
Before the intrusion occurs it is advisable to consult with local law enforcement authorities to determine the type and amount of data they will need in order to prosecute, and how to properly preserve the chain of evidence.
Also, as the honey pot must be vigilantly monitored and maintained, some organizations feel it is too resource-intensive for practical use.
About the author
Russell Dean Vines is a bestselling author, Chief Security Advisor for Gotham Technology Group, LLC, and former President of the RDV Group. His most recent book is The CISSP and CAP Prep Guide, published by John S. Wiley and Sons.
This was first published in July 2007