
Hacking For Dummies, part 10




DOCUMENT INFORMATION

Basic information

Format
Pages: 44
Size: 1.29 MB

Contents

Show How Ethical Hacking Specifically Helps the Organization

Document benefits that support the overall business goals:

- Demonstrate how security doesn’t have to be that expensive and can actually save the organization money long-term.
  - Security is much easier and cheaper to build in up front than to add on later.
  - Security doesn’t have to be inconvenient and can enable productivity if it’s done properly.
- Talk about how new products or services can be offered for a competitive advantage if secure information systems are in place.
  - Certain federal regulations are met.
  - Managers and the company look good to customers.
  - Ethical hacking shows that the organization is protecting customer and other critical information.

Get Involved in the Business

Understand the business — how it operates, who the key players are, and what politics are involved:

- Go to meetings to see and be seen. This can help prove that you’re concerned about the business.
- Be a person of value who’s interested in contributing to the business.
- Know your opposition. Again, use The Art of War and the “know your enemy” mentality — if you understand what you’re dealing with, buy-in is much easier to get.

Establish Your Credibility

Focus on these three characteristics:

- Be positive about the organization, and prove that you really mean business. Your attitude is critical.
- Empathize with managers, and show them that you understand the business side.

321 Chapter 20: Ten Tips for Getting Upper Management Buy-In 29 55784x Ch20.qxd 3/29/04 4:20 PM Page 321

- To create any positive business relationship, you must be trustworthy. Build up that trust over time, and selling security will be much easier.

Speak on Their Level

No one is really that impressed with techie talk. Talk in terms of the business. This key element of obtaining buy-in is actually part of establishing your credibility but deserves to be listed by itself.

I’ve seen countless IT and security professionals lose upper-level managers as soon as they start speaking. A megabyte here; stateful inspection there; packets, packets everywhere! Bad idea! Relate security issues to everyday business processes and job functions. Period.

Show Value in Your Efforts

Here’s where the rubber meets the road. If you can demonstrate that what you’re doing offers business value on an ongoing basis, you can maintain a good pace and not have to constantly plead to keep your ethical hacking program going. Keep these points in mind:

- Document your involvement in IT and information security, and create ongoing reports for upper-level managers regarding the state of security in the organization. Give them examples of how their systems will be secured from known attacks.
- Outline tangible results as a proof of concept. Show sample vulnerability-assessment reports you’ve run on your own systems or from the security tool vendors.
- Treat doubts, concerns, and objections by upper management as requests for more information. Find the answers, and go back armed and ready to prove your ethical hacking worthiness.

Be Flexible and Adaptable

Prepare yourself for skepticism and rejection at first — it happens a lot — especially from such upper managers as CFOs and CEOs, who are often completely disconnected from IT and security in the organization. Don’t get defensive. Security is a long-term process, not a short-term product or single assessment. Start small — with a limited amount of such resources as budget, tools, and time — if you must, and then build the program over time.

Chapter 21
Ten Deadly Mistakes

In This Chapter

- Obtaining written approval
- Assuming that you can find and fix everything
- Testing only once
- Having bad timing

Several deadly mistakes — when properly executed — can wreak havoc on your ethical hacking outcomes and even your job or career.
In this chapter, I discuss the potential pitfalls that you need to be keenly aware of.

Not Getting Approval in Writing

Getting approval for your ethical hacking efforts — whether it’s from upper management or the customer — is an absolute must. It’s your get out of jail free card. Obtain documented approval that includes the following:

- Explicitly lay out your plan, your schedule, and the affected systems.
- Get the authorized decision-maker to sign off on the plan, agreeing to the terms and agreeing not to hold you liable for malicious use or other bad things that can happen unintentionally.
- Get the signed original copy of the agreement. No exceptions here!

Assuming That You Can Find All Vulnerabilities During Your Tests

So many security vulnerabilities exist — some known and just as many or more unknown — that you can’t find them all during your testing. Don’t make any guarantees that you’ll find all security vulnerabilities. You’ll be starting something that you can’t finish. Stick to the following tenets:

- Be realistic.
- Use good tools.
- Get to know your systems, and practice honing your techniques.

Assuming That You Can Eliminate All Security Vulnerabilities

When it comes to computers, 100 percent security has never been attainable and never will be. You can’t possibly prevent all security vulnerabilities. You’ll do fine if you

- Follow best practices.
- Harden your systems.
- Apply as many security countermeasures as reasonably possible.

Performing Tests Only Once

Ethical hacking is a snapshot in time of your overall state of security. New threats and vulnerabilities surface continuously, so you must perform these tests regularly to make sure you keep up with the latest security defenses for your systems.

Pretending to Know It All

No one working with computers or information security knows it all. It’s basically impossible to keep up with all the software versions, hardware models, and new technologies emerging all the time — not to mention all the associated security vulnerabilities! Good ethical hackers know their limitations — they know what they don’t know. However, they certainly know where to go to get the answers (try Google first).

Running Your Tests without Looking at Things from a Hacker’s Viewpoint

Think about how an outside hacker can attack your network and computers. You may need a little bit of inside information to test some things reasonably, but try to limit that as much as possible. Get a fresh perspective, and think outside that proverbial box. Study hacker behaviors and common hack attacks so you know what to test for.

Ignoring Common Attacks

Focus on the systems and tests that matter the most. You can hack away all day at a stand-alone desktop running MS-DOS from a 5¼-inch floppy disk with no network card and no hard drive, but does that do any good?

Not Using the Right Tools

Without the right tools for the task, it’s almost impossible to get anything done — at least not without driving yourself nuts! Download the free tools I mention throughout this book and list in Appendix A. Buy commercial tools if you have the inclination and the budget. No security tool does it all. Build up your toolbox over time, and get to know your tools well. This will save you gobs of effort, plus you can impress others with your results.

Pounding Production Systems at the Wrong Time

One of the best ways to lose your job or customers is to run hack attacks against production systems when everyone and his brother is using them. Mr. Murphy’s Law will pay a visit and take down critical systems at the absolute worst time. Make sure you know when the best time is to perform your testing. It may be in the middle of the night. (I never said being an ethical hacker was easy!) This may be reason enough to justify using security tools and other supporting utilities that can help automate certain ethical hacking tasks.

Outsourcing Testing and Not Staying Involved

Outsourcing is great, but you must stay involved. It’s a bad idea to hand over the reins to a third party for all your security testing without following up and staying on top of what’s taking place. You won’t be doing anyone a favor except your outsourced vendors by staying out of their hair. Get in their hair. (But not like gum — that just makes everything more difficult.)

Part VIII
Appendixes

In this part . . .

In this final part of the book, Appendix A contains a listing of my favorite ethical hacking tools that I cover throughout this book, broken down into various categories for easy reference. In addition, I list various other ethical hacking resources that I think you’ll benefit from in your endeavors. Appendix B talks about the book’s companion Web site. Hope it all helps!

Appendix A
Tools and Resources

In order to stay up to date with the latest and greatest ethical hacking tools and resources, you’ve got to know where to turn to. This Appendix contains my favorite security sites, tools, resources, and more that you can benefit from too in your ongoing ethical hacking program.

Awareness and Training

Greenidea, Inc. Visible Statement (www.greenidea.com)
Interpact, Inc. Awareness Resources (www.interpactinc.com)
SANS Security Awareness Program (store.sans.org)
Security Awareness, Inc. Awareness Resources (www.securityawareness.com)

Dictionary Files and Word Lists

ftp://ftp.cerias.purdue.edu/pub/dict
ftp://ftp.ox.ac.uk/pub/wordlists
packetstormsecurity.nl/Crackers/wordlists
www.outpost9.com/files/WordLists.html

Default vendor passwords (www.cirt.net/cgi-bin/passwd.pl)

General Research Tools

CERT/CC Vulnerability Notes Database (www.kb.cert.org/vuls)
ChoicePoint (www.choicepoint.com)
Common Vulnerabilities and Exposures (cve.mitre.org/cve)
Google (www.google.com)
Hoover’s business information (www.hoovers.com)
NIST ICAT Metabase (icat.nist.gov/icat.cfm)
Sam Spade (www.samspade.org)
U.S. Securities and Exchange Commission (www.sec.gov/edgar.shtml)
Switchboard.com (www.switchboard.com)
U.S. Patent and Trademark Office (www.uspto.gov)
US Search.com (www.ussearch.com)
Yahoo! Finance site (finance.yahoo.com)

Hacker Stuff

2600 — The Hacker Quarterly magazine (www.2600.com)
Computer Underground Digest (www.soci.niu.edu/~cudigest)
Hackers: Heroes of the Computer Revolution, book by Steven Levy
Hacker t-shirts, equipment, and other trinkets (www.thinkgeek.com)
Honeypots: Tracking Hackers (www.tracking-hackers.com)
The Online Hacker Jargon File (www.jargon.8hz.com)
PHRACK (www.phrack.org)

Index (fragments)

[...]
RAT attacks, 138
war dialing
  attack process, 106–108
  case study, 107
  configuring programs for, 110–111
  defined, 105
  dialing-in process, 110–113
  documenting testing process, 34
  information gathering stage, 108–109
  modems for, 109
  protecting against, 114–115
  scanning modems, ports, 46–47
  software tools, 109
wardriving (directional) antennas, 150
weak [...]

[...]
  goals for, 30–32
  IM (instant messaging) security, 274–275
  for insecure Web logs in, 280–282
  Linux security, 195–201
  locations for, 36
  logging and documenting, 40
  for malware intrusions, 244–253
  for NetBIOS attacks, 174–176
  NetWare security systems, 216–224
  process of, 19
  results from, 19–20, 299–301
  retesting, 20, 324
  for rogue file permissions, 207
  for rogue NLMs, 226
  for share permissions, 187–189
  for [...]

[...]
  security
    automated, 307–308
    for e-mail attacks, 271
    for Linux systems, 212–213
    managing, 306–307
    for NetWare systems, 220, 234
    for Windows systems, 188–190, 308
PatchManager (Big Fix) patch-automation software, 307
pcAnyware remote-connectivity software, 106
penetration testing, 10, 34
perimeter e-mail protection, 263
personal liability insurance, 30
personnel security-awareness [...]

[...]
  (modems), 106
outcomes, identifying before starting hacking process, 30
outsourcing
  ethical hacking, 313–315
  security monitoring, 312–313

• P •
Pandora NetWare hacking suite, 229–230
password-cracking tool, 85
password attacks
  brute-force attacks, 88
  cracking tools, 85–87
  dictionary attacks, 87–88
  how they work, 86
  inference attacks, 84
  keystroke logging, 97–98
  locations for, 36
  network analyzers, 98–100
  recognizing, [...]

[...]
  site, 27
sponsorship for ethical hacking
  importance of obtaining, 15
  tips for obtaining, 319–322
  written approvals, 323
spyware, 241
startup files, testing for malware intrusions, 247–248
stealthy versus open hacking approaches, 40–41
A Step-by-Step Guide to Computer Attacks and Effective Defenses (Skoudis), 238
strangers, responding to with caution, 67, 75
SuperScan port [...]

[...]
  139
  information provided by, 121–122, 124–125
  mapping programs, 246
  NetWare systems, 217–219, 227
  number assignments, viewing, 48
  for open ports, 46–47
  ping sweeps, 124
  tools for, 46
portals, security, 18
PortSentry intrusion-prevention software, 199
Prescan tool (ToneLoc), 108
Pretty Good Privacy (PGP) encryption
  for password databases, 92
  using, 19
privacy
  and civil liberty, 26
  need for, during hacking [...]

[...]
  97–98
  for Linux systems, 199, 210, 212–213
  malware attack prevention, 253–254
  NetBIOS attack prevention, 176–177
  for NetWare systems, 220, 223–225, 228–234
  Network File System protection, 207
  network-analyzer attack prevention, 99–100, 139–140
  network-infrastructure attack prevention, 146
  null connection attack prevention, 184–186
  ongoing ethical hacking, 311–312
  operating system protection, 101–102 [...]

[...]
  (ToneLoc software), 109
MITM (Man-in-the-Middle) attacks, 140
Mitnick, Kevin (hacker), 22
mobile device testing, 32. See also wireless LANs (WLANs)
modems
  identifying COM port, 111
  physical placement, 115
  protecting against war dialing, 114–115
  unsecured, 46, 105–106
  vulnerability testing, 113–114
  for war dialing, 109–110
monitoring security events, 312–313
Mucho Maas (ToneLoc software), 109

• N •
NAT (NetBIOS [...]

[...]
  timelines for, 33–36, 326
  for unauthorized access points, 158–159
  for unprotected shares, 187–189
  for URL filter bypasses, 290–292
  for vulnerable malware ports, 244
  Web directory security, 283–284
  Windows system security, 171–173, 180–184, 189–191
TFN (Tribe Flood Network) DoS attacks, 144
Tiger Linux security-auditing tool, 195, 211–212
tiger teams, 31
Timbuktu for Apple remote-connectivity software, 106

[...]
  148
client operating systems, 32
Cobb, Chey (Network Security For Dummies), 101, 264, 308
code-injection attacks, 286–287

[...]
backdoor system access
  for propagating malware, 244
  using unsecured modems, 106
background checks, 60
banner-grabbing attacks
  Netcat for, 130–131
  telnet for, 130
  testing for, 263–264
BBSs (bulletin [...]

[...]
goals, for ethical hacking plan, 30

• C •
Cain and Abel password-capture software, 85
Caldwell, Matt (GuardedNet, Inc.), 149
called IDs, 62
Cantenna kits, 150
case studies
  hacking e-mail, 259
  hacking [...]

Posted: 14/08/2014, 18:20