The rules of engagement: Testing the security of your enterprise - Part 4
--------------------------------------------------------------------

By Winn Schwartau

OK. You have set your goals for your assessment, and you have specified the nature of the threat you wish to measure your assessment against. Great. Now, before the assessment actually begins, you need to do one more thing: establish the Rules of Engagement. This is especially important when you are using outside firms. What rules are they supposed to follow?

In planning attacks against your own organization, it is critical to establish exactly how the friendly hacks will be carried out. Most companies are afraid of what "bad guys" can do to them. This may mean a professional criminal, foreign nationals or spies, a competitor, a terrorist - or maybe just a sixteen-year-old with a keyboard.

In developing the Rules of Engagement, you have to agree upon the methods that will be used to attack the firm's networks and Web sites, including remote penetrations, telephone systems, maintenance ports, and any other 'electronic doors' to the enterprise. Now, criminals will do a lot of things that we, as 'friendly hackers', will not and cannot legally do. This so-called 'Out of Bounds Behavior' must be defined and adhered to. Nonetheless, all possible methods must be considered ahead of time. I like to put these issues on the table even if only to have them consciously removed. Assuming that the customer understands all the possibilities is a freshman mistake. The bad guys will not rule out a method just because it is illegal, and it is prudent to understand how far real criminals might be willing to go.

Attack Methodology                                 Permitted?
-------------------------------------------------  ----------
Electronic Mapping - External                      Yes
Electronic Mapping - Internal                      Yes
Social Engineering By Telephone                    Yes
Social Engineering By Mail                         No
Adopt Employee Identity - Remote                   Yes
Adopt Employee Identity - On Site                  No
Break into Employee Workstations                   Yes
Read Corporate E-mail                              No
Pretend to Be Technical Supplier                   Yes
Dumpster Diving - On Site Outside                  No
Dumpster Diving - On Site Inside                   Yes
Dumpster Diving - Off Site                         Yes
Target Sensitive Corporate Resources               No
Personnel Extortion, Blackmail and Coercion        No
Investigate Personnel Backgrounds of Staff         No
Penetration of Business Partners                   No

Some of these actions may seem really crazy at first, but think how far the 'bad guys' could go if they chose to. How can we impose our personal bias limits on attack methodologies knowing full well that they do not reflect the real world?

A portion of any efficient attack is to assemble competitive information on the target through open sources, such as public documents, financial reports and technical documentation. Both time and money can be saved if the company simply hands this material over to the friendly hackers. The kind of information that a real attacker would find of value includes:

* Operating systems
* Open technical documentation on the systems in use
* Major vendors used within the enterprise
* Physical address of data center and telephone centers
* Phone exchange information

Conducting an analysis of your network's security is a normal method of ensuring business process integrity. The depth of the analysis will be determined by your company's particular needs, worries, connectivity, and degree of reliance upon IP and other networks to conduct business. You, your security staff and your contractor or consultants should work together to define the goals, methods and processes for the entire project.

Lastly, and just as important as every other step in assessing your security profile: do not assume that just because you have gone through the testing process your networks are secure. All you really know is the condition of your networks at the moment of their evaluation. Just like the rest of your company's infrastructure, security is a dynamic, ever-changing condition that requires constant vigilance.

So, the prudent security manager will use the first comprehensive test as a benchmark, and continue to sponsor periodic reviews of the system. Especially important is to perform a pre-deployment analysis of systems before they go online - not after you suffer the consequences.