C. A detective control is a security mechanism used to verify whether the directive and preven-

Other Monitoring Tools

There is a wide range of available tools to perform monitoring. Many are automated and perform the monitoring activities in real time. Some monitoring tools are developed in-house and are ad hoc implementations focusing on a single type of observation. Most monitoring tools are passive. This means they cause no effect on the monitored activity, event, or traffic and make no original transmissions of their own.

A common example of a tool for monitoring physical access is the use of closed-circuit television (CCTV). CCTV can be configured to automatically record the viewed events onto tape for later review, or it can be watched in real time by personnel who look for unwanted, unauthorized, and illegal activities.

Failure recognition and response is an important part of monitoring and auditing. Otherwise, what is the point of performing the monitoring and auditing activities? On systems that use manual review, failure recognition is the responsibility of the observer or auditor. In order to recognize a failure, one must understand what is normal and expected. When the monitored or audited events stray from this standard baseline, then a failure, breach, intrusion, error, or problem has occurred and a response must be initiated.

Automated monitoring and auditing systems are usually programmed to recognize failures. Failure recognition can be based on signatures or be knowledge based. For a discussion of these two mechanisms, please see the intrusion detection discussion in Chapter 2.

In either case of a manual or automated recognition, the first step in a response is to notify the authority responsible for sustaining security and handling the problem or breach. Often this is the local administrator, the local manager, or the local security professional. The notification usually takes the form of an alarm or warning message.
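The baseline comparison and notify-first step described above can be sketched as follows. This is an added example, not code from the original text; the log format, account names, threshold rule (mean plus three standard deviations with a floor of 3), and the "security-admin" recipient are all assumptions made for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: failed logons per hour seen for each account during
# a period reviewed and accepted as normal (assumption of this example).
BASELINE = {"alice": [0, 1, 0, 2, 1, 0, 1, 1], "backup_svc": [0] * 8}

# Constructed audit lines for the monitored hour: "timestamp account event".
OBSERVED = (
    ["2024-01-08T10:%02d alice LOGON_FAIL" % m for m in (3, 41)]
    + ["2024-01-08T10:%02d backup_svc LOGON_FAIL" % m for m in range(10, 16)]
    + ["2024-01-08T10:20 alice LOGON_OK", "2024-01-08T10:30 mallory LOGON_FAIL"]
)

def threshold(history, k=3.0, floor=3):
    """Upper bound of 'normal': mean + k standard deviations, never below floor."""
    return max(floor, mean(history) + k * pstdev(history))

def recognize_failures(lines, baseline):
    """Passively read audit lines; return accounts that strayed from baseline."""
    fails = Counter()
    for line in lines:
        _ts, account, event = line.split()
        if event == "LOGON_FAIL":
            fails[account] += 1
    findings = []
    for account, count in sorted(fails.items()):
        if account not in baseline:
            # Nothing is known to be normal for this account, so report it.
            findings.append((account, count, "no baseline for account"))
        elif count > threshold(baseline[account]):
            findings.append((account, count, "above baseline"))
    return findings

def notify(findings, authority="security-admin"):
    """First response step: build the alarm for the responsible authority."""
    return [f"ALARM to {authority}: {acct} had {n} failed logons ({why})"
            for acct, n, why in findings]

if __name__ == "__main__":
    for alarm in notify(recognize_failures(OBSERVED, BASELINE)):
        print(alarm)
```

The monitor only reads records and produces alarm text; it takes no action against the accounts it reports, which keeps it passive in the sense used above.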
Once notification is performed, the responsible personnel (i.e., the administrator, manager, or security professional) or the automated tool can perform a response. When a person is responsible for the response, they can adapt the response to the specific condition and situation. For this reason, personnel-controlled responses are often the most effective. Automated tool responses are typically predefined response scripts that are usually much broader in scope than necessary. Automated tools are excellent for quick and efficient lockdown, but often the countermeasure or response imposed by a tool will significantly affect the ability of the system to continue to support and perform productive work. Whenever an automated tool response is deployed, personnel should be notified so the response can be fine-tuned and the network can be returned to normal as soon as possible.

Penetration Testing Techniques

In security terms, a penetration occurs when an attack is successful and an intruder is able to breach the perimeter of your environment. The breach can be as small as reading a few bits of data from your network or as big as logging in as a user with unrestricted privileges. One of the primary goals of security is to prevent penetrations.

One common method to test the strength of your security measures is to perform penetration testing. Penetration testing is a vigorous attempt to break into a protected network using any means necessary. It is common for organizations to hire external consultants to perform the penetration testing so the testers are not privy to confidential elements of the security’s configuration, network design, and other internal secrets.

Planning Penetration Testing

Penetration testing is the art and science of evaluating implemented safeguards. It is just another name for launching intrusion attempts and attacks against a network.
The activity in either is exactly the same, but penetration testing is performed with the approval and knowledge of senior management by security professionals in a controlled and monitored environment. Malicious users intent on violating the security of your IT environment perform intrusion attacks. If an internal user performs a test against a security measure without authorization, then it will be viewed as an attack rather than as a penetration test.

Penetration testing will typically include social engineering attacks, network and system configuration review, and environment vulnerability assessment. Vulnerability analysis or vulnerability assessment is an element or phase within penetration testing where networks or hosts are evaluated or tested to determine whether or not they are vulnerable to known attacks.

Penetration testing can be performed using automated attack tools or manually. Automated attack tools range from professional vulnerability scanners to wild, underground cracker/hacker tools discovered on the Internet. Manual attacks often employ tools, such as penetration suites like ISS, Ballista and SATAN, but much more onus is placed on the attacker to know the details involved in perpetrating an attack.

It is generally considered unethical and a poor business practice to hire ex-hackers, especially those with a criminal record, for any security activity including security assessment, penetration testing, or ethical hacking.

Penetration testing should be performed only with the consent and knowledge of the management staff. Performing unapproved security testing could result in productivity loss, trigger emergency response teams, or even cost you your job. However, even with full consent of senior management, your security assessment activities should fall short of actual damage to the target systems. Subversion or target destruction is never a valid or ethical activity of a penetration test.
Furthermore, demonstration of the effect of flaws, weaknesses, and vulnerabilities should not be included as part of a penetration test. If such evidence is required, it should be performed only on a dedicated and isolated lab system created for the sole purpose of exploit demonstration.

Regularly staged penetration attempts are a good way to accurately judge the security mechanisms deployed by an organization. Penetration testing may also reveal areas where patches or security settings are insufficient and where new vulnerabilities have developed.