What is the proper methodology for security site assessments?

• Published: 19 May 2008

About the author Joel Scambray has held diverse roles in information security over a dozen years, including co-author of Hacking Exposed: Windows and Hacking Exposed: Web Applications, senior director of security at Microsoft, co-founder of security technology and service company Foundstone, senior security consultant for Ernst & Young and internationally recognized speaker in both public and private forums. Listen to the supplemental podcast with Joel for more information on security site assessments.

Security assessments have evolved over the years and are much less about black art than methodological approaches today. Using a sound methodology is critical to producing expected results and ensuring comprehensive coverage of the target. For example, the methodology proposed in Hacking Exposed includes footprinting, scanning, enumeration, gaining access, escalating privilege, pilfering, covering tracks, creating back doors and (optionally) denial of service. This approach was designed to emulate the methodology of a malicious intruder and is thus suitable for security assessments focused on simulating such attacks, i.e., so-called penetration tests. These provide the customer with a real-world view of what an experienced, dedicated adversary could do in a limited period of time. Various security assessment tools are used for each phase of the methodology -- for example, footprinting employs tools like whois and ARIN, scanning involves port scanners like nmap, and gaining access requires platform-specific tools like psexec and lsadump for Windows. Various commercial and free suites exist that bundle many of these functions into combined vulnerability assessment tools (for example, Nessus, Foundstone, SPI Dynamics).