Tips and tools for sane configuration, penetration testing, and fuzz testing your systems.
Ian Davis
Published on August 17, 2016
Complete system security is an unreachable goal in today's technological landscape. As Dennis Hughes of the FBI has been quoted as saying, “The only secure computer is one that's unplugged, locked in a safe, and buried twenty feet under the ground in a secret location... and I'm not even too sure about that one.” In a world where securing systems by unplugging, locking, and burying them is not an option, there are steps that you can take to reduce the attack surface of your systems. The Attack Surface Analysis Cheat Sheet by the Open Web Application Security Project (OWASP) provides additional information about the attack surface.
Processes such as sane system configuration can diminish the attack surface, while penetration testing and fuzz testing can help engineers harden a system by breaking it with skilled exploitation and unexpected input to find vulnerabilities that can be fixed. Such techniques improve system security by detecting and removing vulnerabilities before malicious entities have a chance to exploit them.
Sane configurations

Sane configuration is the foundation of hardening any system, because every exposed weakness, however minor, gives an attacker somewhere to start. For instance, an SSH server that still accepts legacy ciphers such as arcfour, or a web server that still negotiates TLSv1.0, leaves its sessions open to attacks on those weak algorithms and gives an attacker a path toward compromising the system. To prevent these and other weaknesses, follow the principle of least privilege for user and service authorizations: give a user or process the bare minimum access needed to complete its required tasks. Reduce the entry points reachable from the network by closing unused ports, and enable a host firewall so that only the services you intend to expose are reachable at all. On Linux, use a facility such as seccomp to restrict which system calls a process may make, which shrinks the kernel attack surface reachable from a compromised process.
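As an added example (not code from the original article), the following Python script audits an sshd_config fragment for the kind of legacy settings just described and shows the hardened counterpart beside it. The two configuration texts are constructed for illustration, and the sets of legacy algorithms are the editor's selection rather than a complete policy; the same check applied to a web server's protocol list would flag TLSv1.0 in the same way.

```python
"""Audit an sshd_config fragment for legacy algorithms and over-broad access.

Added example for this article, not code from it. The two configuration
texts are constructed, and the legacy algorithm sets are an illustrative
selection rather than a complete policy.
"""

# Algorithms that a modern sshd should not offer (assumed, illustrative lists).
LEGACY_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc",
                  "blowfish-cbc", "cast128-cbc"}
LEGACY_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
LEGACY_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"}

WEAK_CONFIG = """\
# constructed sample: a permissive sshd_config
Protocol 2,1
Ciphers aes128-ctr,arcfour,3des-cbc
MACs hmac-sha2-256,hmac-md5
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
# constructed sample: the same server with the legacy options removed
Protocol 2
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha256
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return {keyword: value} from sshd_config text.

    Comments and blank lines are skipped. Like sshd, the first occurrence
    of a keyword wins; Match blocks are not handled in this example.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        cfg.setdefault(keyword.lower(), value.strip())
    return cfg


def audit_sshd(cfg):
    """Return a list of findings for a parsed config; an empty list is clean."""
    findings = []
    if "1" in cfg.get("protocol", "2").split(","):
        findings.append("protocol: SSH-1 enabled")
    for keyword, legacy in (("ciphers", LEGACY_CIPHERS),
                            ("macs", LEGACY_MACS),
                            ("kexalgorithms", LEGACY_KEX)):
        for algo in cfg.get(keyword, "").split(","):
            if algo in legacy:
                findings.append(f"{keyword}: legacy algorithm {algo}")
    # Least privilege: administrators should log in as themselves and escalate.
    if cfg.get("permitrootlogin", "").lower() == "yes":
        findings.append("permitrootlogin: direct root login allowed")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd(parse_sshd_config(text)) or ["no findings"])
```

Running the script lists six findings for the weak configuration and none for the hardened one. On a real host, feed the audit the output of `sshd -T`, which prints the effective configuration with defaults resolved, rather than the file alone, so that algorithms enabled by default are checked as well.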
Unused packages are potential attack vectors that add no functionality. Verify that every installed application and package is required, and remove those that are not; for example, if a system is only ever accessed through the console, remove the GUI packages and their dependencies. The CIS Configuration Assessment Tool (CIS-CAT) from the Center for Internet Security runs the CIS Benchmarks against a system at the profile level you choose and reports each check where the system falls short of the benchmark. CIS-CAT is highly recommended for finding the subtler configuration weaknesses that a manual review misses.
In addition to system hardening, software distributors provide important software and security updates, and applying them has a direct effect on system security: systems that are out of date are easier targets. According to the United States Computer Emergency Readiness Team (US-CERT), as many as 85% of targeted attacks are preventable through a few basic mitigations, chief among them keeping applications and the operating system patched ( https://www.us-cert.gov/ncas/alerts/TA15-119A ). Once a vulnerability is public, its details are available to attackers as well as defenders, and attackers actively look for systems that have not yet been patched. Conscientious vendors release patches in a timely manner, but a patch that a system administrator never applies protects nothing. Make sure that every system receives updates promptly.
Penetration testing

Penetration testing is a method of finding system vulnerabilities by using automated tools, customized attacks, or both. The goal is to subvert system security and reach data or functionality through unintended modes of operation, without the expected permissions or credentials, typically by using known exploits against vulnerabilities present in the targeted system. This requires a different mindset from conventional verification methods such as functional or acceptance testing, which check that the system does what it should: penetration testers check what the system can be made to do, using the tools and approach of a real attacker. Though this philosophy might appear backwards, it yields a more transparent and complete picture of the system's security than conventional testing alone.
The penetration testing toolchain includes frameworks such as Metasploit, which bundles a database of known exploits with tools to scan networks and exposed systems. Other tools, such as Nmap and Wireshark, examine the network through port scans and packet inspection respectively; both show how a system behaves and responds on the network. A port scan shows which applications and system utilities are reachable over the network, and equally which ports are unused and should be considered for blocking. Anything accessible from the network is a possible target, so locking down access is a priority. The following tools offer automated vulnerability detection on a variety of targets and are incredibly useful:
- IBM Security AppScan
- Nexpose
- OpenVAS
- Nessus

In addition to scans and tools, deep knowledge of the system under attack is always beneficial. Creating a specific exploit and manually delivering the payload is far more complex than the automation that defines many forms of penetration testing. Once an exploit is found, automated tests and payload delivery can be scripted, but finding it in the first place is painstaking work.
Choosing targets for an attack can be difficult. When attempting to exploit a complex system, decide which attack vectors are likely to be more fruitful than others. A process with a web interface or networked components is exposed to far more untrusted input than one without, and is usually a better target than a less exposed application. Specialized software is another indicator: software with an established community and support history has typically been scrutinized and patched many times over, whereas software that fills a narrow purpose or is built to run within a niche environment is more likely to hold undiscovered bugs, and so is often the better option.
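The following added example (not a tool from the original article) shows what a TCP connect scan of the kind Nmap performs actually observes, and therefore what the scan discussed above tells you about exposed services and candidate targets. It starts a throwaway listener on the loopback interface so that there is a known open port to find, and runs entirely offline; the listener, the port selection and the loopback host are constructed for the example.

```python
"""Minimal TCP connect scan, in the spirit of `nmap -sT`.

Added example for this article, not code from it. A throwaway listener on
127.0.0.1 stands in for a real network service so the scan has something
to find without leaving the machine.
"""
import socket


def scan_ports(host, ports, timeout=0.5):
    """Return {port: state} using a full TCP connect for each port.

    open:     the handshake completed, so a process is listening there
    closed:   a RST came back, so nothing is listening
    filtered: no answer at all, which usually means a firewall dropped the SYN
    """
    states = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except socket.timeout:
                states[port] = "filtered"
            except ConnectionRefusedError:
                states[port] = "closed"
            except OSError as exc:
                states[port] = f"error:{exc.errno}"
            else:
                states[port] = "open"
    return states


def start_listener(host="127.0.0.1"):
    """Bind a listening socket on an ephemeral port; returns (socket, port).

    The kernel completes the handshake for connections in the listen backlog,
    so no accept() loop is needed for a scanner to see the port as open.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_port(host="127.0.0.1"):
    """Find a port with no listener by binding and immediately releasing it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Scan one live listener and one known-unused port; returns (live, dead, states)."""
    srv, live = start_listener()
    try:
        dead = unused_port()
        states = scan_ports("127.0.0.1", sorted({live, dead}))
    finally:
        srv.close()
    return live, dead, states


if __name__ == "__main__":
    live, dead, states = demo()
    for port, state in sorted(states.items()):
        print(f"127.0.0.1:{port} {state}")
```

A connect scan is noisy (every probe is a complete connection that the target's logs will record) but needs no privileges; Nmap's default SYN scan gets the same open/closed/filtered answer from a half-open handshake. Either way, each "open" line in the output is a service an attacker can talk to, and each one you did not intend to expose belongs on the firewall's block list.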
Fuzz testing

Fuzz testing, which OWASP defines as “finding implementation bugs using malformed/semi-malformed data injection in an automated fashion” ( https://www.owasp.org/index.php/Fuzzing ), is another method of verifying the robustness of the system and the applications it supports. An example fuzz on an application would be on a program that accepts
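As an added example (not code from the original article), the following Python script is a minimal mutation fuzzer run against two constructed parsers for a toy <length><body> message format: one trusts the length byte and crashes on malformed input, the other validates it and rejects the message cleanly. The format, the seed input, the mutation strategies and both parsers are assumptions made for the example; the point it demonstrates is the distinction a fuzzer must draw between an input the program rejects and an input that breaks it.

```python
"""A minimal mutation fuzzer driven against a toy message parser.

Added example for this article, not code from it. The <length><body>
format, the seed input, the mutation strategies and both parsers are
constructed for the example.
"""
import random


def parse_trusting(msg):
    """Return the 8-bit checksum of the body of a <length><body> message.

    Deliberately buggy: it believes the length byte and reads past the end
    of a short message, so malformed input raises IndexError instead of
    being rejected. This is the bug the fuzzer is expected to find.
    """
    n = msg[0]
    total = 0
    for i in range(n):
        total = (total + msg[1 + i]) & 0xFF
    return total


def parse_checked(msg):
    """Same format, but the length byte is validated before any body byte is read."""
    if not msg:
        raise ValueError("empty message")
    n = msg[0]
    if len(msg) != 1 + n:
        raise ValueError(f"length byte {n} disagrees with {len(msg) - 1} body bytes")
    return sum(msg[1:]) & 0xFF


def mutate(data, rng):
    """Apply one random mutation: overwrite, insert, or delete a single byte."""
    data = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif data:
        del data[rng.randrange(len(data))]
    return bytes(data)


# A clean rejection is the parser doing its job; anything else is a crash.
EXPECTED = (ValueError,)


def fuzz(parser, seed_input, iterations=2000, seed=1):
    """Feed `iterations` mutants of `seed_input` to `parser`.

    Returns (input, exception) for the first input that raises something
    outside EXPECTED, or None if the parser survives every mutant. The
    fixed RNG seed makes a finding reproducible.
    """
    rng = random.Random(seed)
    for _ in range(iterations):
        candidate = mutate(seed_input, rng)
        try:
            parser(candidate)
        except EXPECTED:
            continue
        except Exception as exc:
            return candidate, exc
    return None


if __name__ == "__main__":
    seed_msg = b"\x05hello"
    for parser in (parse_trusting, parse_checked):
        result = fuzz(parser, seed_msg)
        if result is None:
            print(f"{parser.__name__}: survived")
        else:
            print(f"{parser.__name__}: crashed on {result[0]!r} with {result[1]!r}")
```

Within a few dozen mutants the trusting parser is caught with an IndexError on an input whose length byte exceeds the bytes that follow; the checked parser survives the full run because every malformed mutant is turned into a ValueError before any out-of-range read. In a native program the same trusted-length bug would be an out-of-bounds read rather than a Python exception, which is exactly the class of defect fuzzers such as those OWASP lists are built to surface.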