Operation Risk Consulting Services from Risk Concepts, Ltd.


More About INTERNET SECURITY TESTING SERVICES

This document describes the objectives, methodology, techniques and tools that Risk Concepts, Ltd. and its corporate partner, CyberCommunications, Inc. (collectively the "RCL/CyberComm Team") use to perform Internet security tests.

OVERVIEW

It is important to first note the difference between the several levels of activities through which the Internet portion of Enterprise Security can be tested. The first sub-set of these activities is off-site testing to accomplish one or more of the following three Objectives:

  1. Reconnaissance seeks to identify possible network interconnections and find potential "holes" in an organization's Internet / network configuration.
  2. Penetration Tests seek to exploit identified vulnerabilities.
  3. Operational Attacks involve the removal / alteration of data, installing "back doors" for subsequent unauthorized access, hiding the "tracks" of attack activities and more.

The diagram below shows the inter-relationships of these three external "black box" tests.

[Diagram: Internet Security Testing Objectives, Methodology, Techniques and Tools]

(Please note that the RCL/CyberComm Team may choose to use Techniques or Tools not listed in this document as state-of-practice for these items change with alarming frequency.)

However, it should be noted that off-site testing can only identify those potential problems at which it is targeted; for example, Reconnaissance and Penetration Tests are unlikely to reveal vulnerabilities arising from such circumstances as:

  • Changes to network configurations, system software or application(s) that occur after testing has been completed.
  • Special access privileges awarded to individuals or "partners" via virtual private networks (e.g., network connections maintained with parent or sister companies, information / transaction services) or remote login facilities not in use at the time of the tests (e.g., employees working at home).
  • Poor separation of duties within clients' network administration functions.

These circumstances are more appropriately addressed by adding:

  1. Periodic Re-testing - a service that the RCL/CyberComm Team also provides - through which the changes to networks or special accesses may be detected.
  2. Network Security Reviews by the RCL/CyberComm Team, which add a layer of on-site activities to examine actual system environment(s) and network administration practices of clients; comparing these to best practice guidelines and identifying security-related "fixes" that have not yet been applied or administrative processes in need of repair.
    Note that Network Security Reviews include selected portions of the areas defined in BS7799 Network Security Standards. These areas are: (1) Business Continuity Planning, (2) System Access, (3) System Development and Maintenance, (4) Physical and Environmental Security, (5) Compliance, (6) Personnel Security, (7) Security Organization, (8) Computer/Network Management, (9) Asset Control, and (10) Security Policy.

It should also be noted that both off-site and on-site testing described above can be done as additional services under RCL's Risk Reviews for fidelity bond, commercial crime, professional liability, Directors & Officers coverages and the like. But regardless of circumstances:

  • The RCL/CyberComm Team will obtain an Indemnification Agreement from clients before undertaking any of the testing activities described in this document.
  • Clients will be asked to complete an Internet Questionnaire that identifies key components of their network environment(s), the security arrangements associated therewith and unusual network services being provided within their environment(s), if any.

REPORTING

Irrespective of the level of Enterprise Security assessment selected, the RCL / CyberComm Team will render timely reports that:

  • Summarize tests (and, where applicable, review activities) performed and their results,
  • Identify relative levels of resulting risks, and
  • Provide recommendations to assist clients in overcoming identified deficiencies.

Furthermore, reports will be prepared in "plain English" with computer / network jargon kept to absolute minimum levels or, where necessarily used, technical terms fully explained - this in keeping with the philosophy of the RCL/CyberComm Team that all affected management of clients must understand reported results and thereby be in a position to support recommended changes.

OFFERINGS

The RCL/CyberComm Team has established the following two offerings for one-time Reconnaissance & Penetration Tests of clients' Internet sites (but, please note that neither offering includes Operational Attacks).

Basic Testing that includes:

  • One "administrative domain", defined as a logical grouping of URLs and/or IP Addresses under the direct administrative control of clients, not to exceed four (4) URL or IP Address combinations. ("URL" stands for Universal Resource Locators that are the "names" of sites on the World Wide Web, e.g., www.cybercommunications.com or www.riskconcepts.com. IP Addresses are the numeric designations of sites on the World Wide Web that are referenced by URLs; more than one URL may refer to the same IP Address. Some IP Addresses applicable to clients' networks may not be under their direct administrative control (i.e., when clients maintain hardware / software connected to the Internet within their own facilities). For example, URLs maintained on behalf of clients by Internet Service Providers that are not connected to clients' networks. In these cases, additional Indemnification Agreements will be obtained and the third-party network administrators contacted before Footprinting or otherwise testing the additional IP Address(es).)
  • Scanning of Ports "0" to "10,000", together with any Port(s) above this range that are identified as "active" in the Internet Questionnaire, at each URL / IP Address. (Ports are the channels through which Internet communications are routed. Some Ports are commonly reserved for certain functions (Port 25 is typically used to send e-mail via the Internet while Port 110 is typically used to receive e-mail). The most commonly used Ports are in the range "0" to "1,023", but "65,535" is the maximum value.)
  • One Penetration Test attack, based on the information derived from Reconnaissance, for a duration of approximately two hours to simulate the most likely method that, in the judgment of the RCL/CyberComm Team, hackers might use to attempt to gain access.
  • An outline-style report of the results that: (a) identifies potential vulnerabilities discovered during tests, (b) conveys the results of the Internet Questionnaire completed by clients and (c) provides recommendations regarding new precautions clients can implement to improve their Internet security.

Premium Testing that includes:

  • One or two "administrative domains" not to exceed six (6) URL and IP Address combinations.
  • Scanning of Ports "0" to "30,000", together with any Port(s) above this range that are identified as "active" in the Internet Questionnaire, at each URL / IP Address.
  • Two to three more extensive Penetration Test attacks, based on the information derived from Reconnaissance, to simulate the most likely methods that, in the judgment of the RCL/CyberComm Team, hackers might use to attempt to gain access.
  • A detailed report of findings that: (a) provides a basic network architecture assessment, (b) identifies potential security vulnerabilities discovered during tests, (c) conveys the results of the questionnaire completed by clients and (d) provides recommendations regarding new precautions clients can implement to improve their Internet security.

When questionnaires and/or Reconnaissance results identify clients with very complex Internet / network environments, testing may be limited to activities deemed by the RCL/CyberComm Team to derive maximum comfort for clients. (Very complex Internet / network environments are those with more than the maximum number of IP Addresses (some of which may not be under clients' direct administrative control) or more than an average of seven active Ports per IP address.)

EVEN MORE ABOUT INTERNET SECURITY TESTING METHODS

During Reconnaissance:

  1. The first step, Footprinting, uses a structured methodology to systematically amass information from a multitude of sources and compile this into a unique profile of a client's Internet presence (e.g., a list of IP address ranges, Domain Name Servers and mail servers).
  2. Information garnered during Footprinting dictates the set of Scanning techniques/tools - such as ping sweeps, port scans and other automated discovery tools - used during the process of connecting to clients' Ports to determine what services are in "listening" state and, thereby, the types of operating system and applications (and often their versions) that are in use.
  3. The next step, called Enumeration, is to identify valid user accounts or poorly protected resources via active connections to clients' systems and directed queries that will lead to: (a) conclusions regarding potential access security weaknesses (e.g., once a valid username or share resource is identified it is only a matter of time and the correct tools before useable passwords are determined).

Accordingly, Reconnaissance establishes the foundation for Penetration Tests and / or Operational Attacks that, as can be seen from the diagram above, embody escalating levels of intrusion.

Penetration Tests determine if identified, active ports can be penetrated and access beyond clients' security perimeters can be attained, thereby isolating areas where malicious activity can be exploited and/or intellectual property compromised. Finally, Operational Attacks seek to exploit specific weaknesses to the extent that some critical portion of network services can be infiltrated and/or controlled.

It should be noted that productive Reconnaissance appreciably heightens the risk that clients' systems will be attacked by third parties with levels of intensity associated with Operational Attacks. Accordingly, in those instances where Reconnaissance uncovers weaknesses considered to be serious, clients are informed of these conditions and then retested after "fixes" are applied to their networks.

* * * * *

For further information about the RCL / CyberComm Team's Internet Testing Services, to obtain a quote for these services or to schedule Internet Security Testing for your website(s), please contact:

Risk Concepts, Ltd.
3 Jekyll Court
Bluffton, SC 29910

Phone: 1 (843) 706-3878
Cell: 1 (540) 840-7450
Represented in the United States, Central and South America and the Caribbean.

Click here to email RCL for client references or to request our complete brochure.

(Last updated: February 20, 2008)