
By Tim McElligott
Oct 9, 2006 12:00 PM
You know who's watching your network and you may even trust them, but who's watching who's watching your network?
One of the best, most common strategies in security of all kinds is the concept of layering. In network security, that can mean establishing multiple layers of authentication or a series of checkpoints such as firewalls, border controllers, intrusion detection and intrusion prevention systems. These are all designed to address an attack or attempted breach of one sort or another. But how do you know these layered systems are doing all they can do - outside of the reports they generate that tell you so?
Penetration testing may be the answer. Having a neutral third party deliberately, but safely, try to contravene your network defenses can provide, if not the final proof, then the best possible information.
Penetration testing, a.k.a. pen-test, is not a new concept to service providers. The practice has been widespread since carriers first separated the signaling and bearer channels of their networks and groups of professional, but ethical, hackers would try to bust into lab-based signal transfer points with the carriers' blessing. But IP changes everything - everything but the need for more penetration testing.
One thing IP has changed is the service providers' aversion to testing in live networks. IP is real time. The threats that lurk in every corner of the network are real time. Therefore, validating one's defenses must be real time. A pen-test is conducted in real time.
Often the pen-test is part of an overall security assessment conducted by consultants, such as Atlanta-based Internet Security Systems (ISS) or a vendor's professional services organization such as Lucent Technologies' Worldwide Services. Just as often, at least with large service providers, internal security or operations teams self-script the pen-test. And sometimes, as with Core Security Technologies, it is an automated tool designed to replace expensive and time-consuming consulting projects.
Not everyone thinks the process can be automated just yet, particularly with the emergence of voice over IP (VoIP) and services based on session initiation protocol (SIP).
"VoIP is relatively new in terms of maturity," said Vik Muiznieks, managing director of the global security and reliability practice for Lucent. "And what you almost always see when introducing new technologies like VoIP, for security you really need skilled people. The tools haven't yet caught up with that technology."
He is referring to comprehensive automation tools, as even in his group's services practice, they use many commercial products to help them perform security assessments and pen-tests. Particularly for VoIP, Muiznieks said his group ultimately does a lot of custom coding to enhance available tools.
"Tools today can do what moderately interested non-professionals might do by looking for standard vulnerabilities on easy targets," Muiznieks said. "They won't replicate the dedicated efforts of a professional targeting attacks specifically on someone's infrastructure."
Muiznieks' group has about 50 security experts, some of whom are from what he likes to think was "the ethical side of the hacking community." Lucent also uses contractors for big jobs and is often called in to assess networks that are not composed of Lucent intrusion prevention or detection systems. That works both ways, as consultants are often brought in to penetrate Lucent's defenses.
"If you are a large service provider, you want to make sure you don't have the fox watching the hen house," Muiznieks said. "You want at least to get different opinions."
Lucent recently completed a VoIP security assessment for EarthLink, which included pen-testing. Muiznieks said the assessment helped EarthLink uncover previously unpublished vulnerabilities on some of their terminal devices and helped demonstrate the return on investment (ROI) in their VoIP infrastructure.
Proving the ROI on a security assessment, however, is not always easy. "For EarthLink, it allowed them to see what their risks were if they didn't identify and take care of them. Sometimes it is not a pure ROI, but it is about assessing the risk," Muiznieks said.
Mary Powers, security manager for EarthLink, told an audience at a recent Gartner Security Conference that "[Lucent's] assessment and penetration tests provide an easily demonstrated ROI for protecting new services infrastructures. [Now] we have a better understanding of how to specify security requirements to our vendors in the future."
ISS also takes the services approach to security assessment and pen-tests. "Our specialty is pre-emptive security," said Brad MacKenzie, manager of the penetration testing practice for ISS.
ISS takes the same view of comprehensive tools for pen-testing as Lucent. It uses tools, including its own Internet Scanner and Enterprise Scanner, but "you still need someone who is relatively skilled behind the tools to make sure they are functioning properly and giving valid results," MacKenzie said. "ISS believes the real advantage of having a human consultant is that a penetration tester not only recognizes vulnerabilities in systems but also has the ability to exploit those vulnerabilities - just as an attacker would - in order to assess the business risk of the vulnerability."
MacKenzie said the pen-test provides the checks and balances in a security assessment, and it provides a good eye-opener for companies that have trouble mapping a technical probability to a business risk.
"It allows companies to see the vulnerabilities in a server or a database and what effect that has on organizations when it comes to intellectual property and confidential data," he said.
The pen-test also is used during the deployment of new network components, many of which may be secure out of the box, but can become insecure through misconfiguration. And like Lucent, ISS says VoIP is a whole new ballgame when it comes to security.
"VoIP is not a simple thing. The kinds and amount of systems required to deploy a VoIP infrastructure at the telco level is mind-boggling," MacKenzie said. He added that the only network that can't be penetrated is one with no electricity. And no single tool can cover the entire gamut of vulnerabilities.
"A tool doesn't build a house; it's the tradesman that does. I may have a lot of tools in my toolbox, but I'm not going to be building a house anytime soon," MacKenzie said.
The folks at Core Security Technologies are tradesmen. They launched their business in 1996 as security consultants similar to those in both Lucent's and ISS' security services groups. But in 2002, they went the product route and introduced Core Impact, an automated, comprehensive pen-test product for assessing specific information security threats to an organization.
The company's tagline - "Ethical hacking for uncompromising security" - only tells part of the story. The hacking Core Security provides is both ethical and safe.
An oxymoron? No, said Max Caceres, director of product management for Core Security. "It is safe because our attacks carry a benign payload, not malicious. The payloads do not install any software on the computers they are attacking," he said.
Core Impact focuses mainly on code execution problems and other critical breach points where an attacker can take control of a device and use it maliciously.
Last month, the technology allowed Core Security to issue advisories disclosing multiple vulnerabilities that could severely impact the users of America Online's ICQ global instant-messaging service. Undetected, they would have allowed an attacker to execute code and take control of a user's computer.
And despite others saying that VoIP was too new for a pure-product solution, Core Impact published two advisories recently regarding vulnerabilities that could severely impact enterprise phone systems, including the open source Asterisk PBX and IAXclient, an open-source library that implements the IAX2 VoIP protocol used by several VoIP software phones.
The company also recently automated SaskTel's in-house pen-test process and was told by SaskTel that by using Core Impact, one person can now do in a day what it took a team of experts a week to do.
"For SaskTel, it was about making better use of their resources. For others that do testing for the first time, it's about identifying critical issues right away," Caceres said.
In addition to SaskTel, Core Security has several other service provider customers, including Alltel, AT&T, Deutsche Telekom, Nextel, Sprint and T-Mobile. Overall, it has about 350 customers for its automated pen-test product.
"Telecom providers tend to be further along in terms of security, so penetration testing is nothing new to them," Caceres said. "But our tools bring them a lot of efficiencies in terms of automation because they see attacks on their networks every day. And we continually update our products with new attacks that can be downloaded from our servers, similar to anti-virus protection."
Caceres said the company's product was born out of its consulting practice, where it built tools to aid its experts in assessing security. "So we built a product with all the [capabilities] we wanted in a penetration testing tool," he said.
Core Security is out to prove that the pen-test can be automated, safe and powerful. It is up against some powerful consultancies. But it knows the consulting business well - having been there - and still chose to put its money behind a product approach. It already has changed a few minds and is looking to change a few more. In the long run, there will always be room for both.
VULNERABILITY ASSESSMENT VERSUS THE PEN-TEST
| | VULNERABILITY ASSESSMENT | PEN-TEST |
|---|---|---|
| TESTING SCOPE | Scans for all potential network vulnerabilities | Identifies vulnerabilities and determines if they can actually be exploited |
| VULNERABILITY RELEVANCE | Categorizes vulnerabilities based on standardized, theoretical information | Tests vulnerabilities on specific network resources, enabling prioritization of remediation efforts |
| USEFULNESS OF TEST RESULTS | Provides false positives, identifying vulnerabilities that cannot be exploited | Exploits vulnerabilities, identifying only those that pose actual threats to network resources |
| NETWORK CONNECTION TESTING | Does not address connections between network components | Exploits trust relationships between network components to demonstrate actual attack paths |
| REMEDIATION ASSISTANCE | Delivers long lists of vulnerabilities; limits remediation options to widespread patching | Assesses potential risk of specific vulnerabilities, allowing for targeted patching; tests patches and other mitigation strategies, such as IPS |
| TESTING OF OTHER SECURITY INVESTMENTS | Does not simulate attacks to test IDS, IPS or other technologies | Launches real-world attacks to determine if other security investments are functioning properly |
| SECURITY RISK ASSESSMENT | Only identifies missing patches, making it impossible to truly assess security risks | Safely mimics the actions of hackers and worms, providing risk evaluations based on tangible network threats |
Source: Telephony Online