There are many damaging consequences of a poorly planned security assessment, says Gunter Ollmann.
ask me is what tools will I use to carry out the security assessment of their system or application. In some cases, this question may be driven by a fear that, owing to the fact that my parent organization is well known for producing vulnerability scanning products, I would restrict my investigation to only these tools. In more competitive situations, the client has decided to focus on the type and number of tools that will be utilized - the classic 'mine's bigger than yours' contest of, "so and so says they can detect 5,465 vulnerabilities against your 3,891."
Tools of the trade
Tools are an important aspect of security assessment consulting. While a skilled and deeply knowledgeable consultant can probably do without the use of vulnerability scanners against a small number of computer hosts, they are still very valuable and efficient tools that remove the work of vulnerability discovery. Used properly, and combined with other appropriate service-specific tools, a consultant can focus on delivering security expertise and interpretation of the findings to their paying client, instead of wasting time and money attempting to show off their skills.
This is not to say that security assessment tools are always correct or conclusive in their discovery of vulnerabilities. Using a combination of appropriate tools, experience and access to appropriate knowledge resources, a skilled consultant can identify and remove false positives from the list of findings.
At the high end of technical security assessment, a lot of emphasis is placed on the process of gaining administrative access through the exploitation of the discovered vulnerabilities. Obviously, by exploiting the flaw and obtaining interactive access to the host, the consultant has proved that a particular finding was not a false positive. Unfortunately, very few clients actually understand just how trivial the exercise can be once you have access to a large database of published or internally researched exploit code material. They place undue emphasis on actually exploiting the host - unaware of the full consequences.
Having identified a high-risk vulnerability, I always ensure that the client's technical representative is fully apprised of the nature of the vulnerability and understands the consequences of either a successful or unsuccessful use of exploit code material. This ensures that appropriate permission is obtained and that the client can respond rapidly to any secondary effects should they grant permission.
Of all the consequences of actually exploiting a discovered vulnerability, it is the process of proving your success that can land you in the most hot water. With various country-specific laws and regulations pertaining to data privacy, data protection, confidentiality and their classification of computer misuse activities, it is not as simple as just taking a copy of the database containing customer details and presenting that material back to the client.
Even less likely sources of proof can result in unexpected legal implications. One common method is to take a copy of a time-stamped system log file. In one unfortunate example, a consultant captured a copy of a proxy server's web browsing logs. Upon verifying that the log contained enough information to prove a successful host compromise, it was discovered that some personnel of the client had been viewing and downloading child pornography. Thus, the consultant was placed in the position of being legally obliged to report the incident to the police. Not only were the client and consultant placed in an embarrassing situation, but the subsequent police investigation required detailed forensic activities and resulted in the impounding of both the client's proxy server and the consultant's laptop.
Understanding the consequences
Just as it is important to fully understand the consequences of using exploit code against discovered vulnerabilities, security consultants also need to fully understand the mechanisms that their suite of tools uses to discover vulnerabilities. Many vulnerability scanning or service-specific tools actually use common exploit code to identify vulnerabilities. In too many cases, I have seen other consultants blindly incorporate the latest vulnerability checks into their tools, select the 'run all but dangerous' checks, and proceed to affect the file integrity of their client's systems.
My advice to other consultants is to always ensure that you know how each check in your suite of tools actually works, what the consequences of a check are likely to be, and fully explain the possible repercussions to the client. Furthermore, ensure you understand the legal implications of using exploit material and the consequences of accessing samples of the client's data.
For the organization employing the consultants carrying out the assessment, ensure that the consultants can confidently explain and evaluate the consequences of using their selected suite of tools and exploit material. Before granting permission to the consultants to carry out any exploitation, ensure that you have the time and resources to deal with even the remotest consequences.
Gunter Ollmann is manager of X-Force Security Assessment Services EMEA for Internet Security Systems (www.iss.net).