Assignment 1.1 Rules of Engagement
Assignment Description:
For this assignment, you will need to review NASA's Standard Operating Procedure (SOP)
https://drive.google.com/file/d/1gJ0kd97Vg-MJxw_sfppeUCki8d0tYe8f/view?usp=sharing
Question 1: Review Section 1.5.2 (a-i) Conducting the Pen Test.
What is the focus and intent of these steps? What seems to be the priorities?
The focus and intent of the steps highlighted in Section 1.5.2 (a-i) Conducting the Pen Test seem to prioritize two areas: scope and visibility. These areas are prioritized in order to remove potential grey areas in the test (e.g., not knowing what tools the testers are using) and to provide legal protection to the testers. If we look at Section 1.5.2(a) Introductory Briefings, the steps are laid out to clearly define the scope of the test and to allow visibility into the test. Key players and personnel are defined, which would entail who the testers are, who the POCs are, who should be alerted of high and critical vulnerabilities found, who will know a test is happening, etc. An overview of pen tester capabilities provides visibility into what tools and scans will be run against systems and what will be introduced into the environment. Going over resources, logistics, and scheduling allows all parties to be on the same page and leaves no room for grey areas. In sections b-i, the same intent and priorities apply: define scope and allow for visibility.
Question 2: Review Appendix A - Penetration Test Plan.
How does this plan relate to the attack methodology we covered in class? How does it correspond to the course syllabus?
Here is the Attack methodology we covered in class
Reconnaissance
Identify potential targets via OSINT
Scanning
Identify potential vulnerabilities and look for live hosts
Exploitation
Attempt to exploit vulnerabilities found
Reporting
Report found vulnerabilities and recommendations on how to fix them
The way our class is laid out, we are going to do a deep dive into each of those 4 steps. This means learning about different tools and methods a pen tester might use during a test of a system. Below are the steps highlighted in NASA's pen testing plan:
Planning and Enumeration
Defining scope, developing rules of engagement, and setting up boundaries of the testing
Vulnerability Analysis
Searching for vulnerabilities through various attack vectors.
Penetration Testing
Exploiting found vulnerabilities and recording them with recommendations on how they can be patched.
The part of NASA's pen testing plan that I don't think we are going to be going over as much is the defining of scope and the pre-planning of the test. Otherwise, the attack methodology in NASA's plan is very similar to what we will be learning in class.
Source: https://inldigitallibrary.inl.gov/sites/sti/sti/3494179.pdf
Question 3: Review Appendix B Rules to be followed
Identify 2 rules that may limit the testers from fully identifying all potential vulnerabilities. Briefly explain why NASA requires these limitations.
Rule 1: A full network scan will not be performed. A targeted network scan will be completed and limited to the subnets and targeted hosts, so as to control and further minimize load on the network infrastructure. Configurations of the boundary/edge routers at the points of interface of these systems with the rest of the NASA network will be checked, however. [Third party] will refrain from any denial-of-service attempts.
Rule 2: Any procedures that have potential negative impact on network traffic or interruption will be avoided. Where necessary to demonstrate to NASA the full nature and extent of a vulnerability, such procedure will either be performed during off-peak hours or will be demonstrated on a NASA test system configured to simulate the live network environment.
To the best of their abilities, penetration testers attempt to emulate the attack methodology of malicious actors. Since testers are under contract and have a defined scope and rules they must abide by, they are often not able to test networks, systems, or environments in the same way malicious actors would. Rule 1 above states that a full network scan will not be performed. A malicious actor would not need to follow this rule and thus may gain insight into vulnerabilities that testers cannot. The reasoning for this limitation is to "further minimize load on the network infrastructure." This ensures that the systems are not down or lagging for an extended period of time and that business can function as normal. Rule 2 above states that any procedures that have a potential negative impact on network traffic or interruption will be avoided. As mentioned in rule 1, the testers are not to perform denial-of-service attacks, and rule 2 reiterates this point and stresses that other procedures with the same effect should be avoided as well. Rule 2 has the same rationale as rule 1: limiting system downtime and allowing business functionality to continue as normal.
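Rule 1 only works in practice if the scan tooling refuses anything outside the agreed subnets and hosts. The following is an added example (not part of the assignment or NASA's SOP) of a scope gate a test team could run over its target list before any scanning starts. The subnets, excluded hosts and target list are constructed values standing in for what a real rules-of-engagement document would list; note that a requested block is only accepted if it sits entirely inside an authorized subnet, so a request broader than the authorization (e.g. a whole /16) is rejected rather than partially honored.

```python
"""Scope gate for a targeted network scan (constructed example).

Checks each requested target (single host or CIDR block) against the
authorized subnets and the explicitly excluded hosts from the rules of
engagement, and reports what may be scanned and what must not.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Hypothetical rules-of-engagement values, constructed for this example.
IN_SCOPE_SUBNETS = ["10.20.0.0/24", "10.20.5.0/26"]
# e.g. boundary/edge routers whose configuration is reviewed separately
EXCLUDED_HOSTS = ["10.20.0.1", "10.20.0.254"]


def classify_targets(
    targets: Iterable[str],
    in_scope_subnets: Iterable[str],
    excluded_hosts: Iterable[str],
) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split targets into (allowed, rejected) where rejected carries a reason."""
    nets = [ipaddress.ip_network(n, strict=False) for n in in_scope_subnets]
    excluded = {ipaddress.ip_address(h) for h in excluded_hosts}
    allowed: List[str] = []
    rejected: List[Tuple[str, str]] = []

    for target in targets:
        try:
            # A bare host parses as a /32 (or /128) network, so one code
            # path handles both single hosts and CIDR blocks.
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            rejected.append((target, "not a valid IP address or CIDR block"))
            continue

        # The whole requested block must lie inside one authorized subnet;
        # a block that merely overlaps the authorization is out of scope.
        in_scope = any(
            net.version == auth.version and net.subnet_of(auth) for auth in nets
        )
        if not in_scope:
            rejected.append((target, "outside authorized subnets"))
            continue

        # Scanning a block that contains an excluded host would touch it,
        # so the block is rejected as a whole.
        hits = sorted(
            str(h) for h in excluded if h.version == net.version and h in net
        )
        if hits:
            rejected.append((target, "contains excluded host(s): " + ", ".join(hits)))
            continue

        allowed.append(target)

    return allowed, rejected


if __name__ == "__main__":
    # Constructed target list mixing in-scope hosts, an excluded router,
    # an over-broad block and a host on an unrelated network.
    requested = [
        "10.20.0.15", "10.20.0.1", "10.20.5.70",
        "10.20.0.0/16", "10.20.5.0/27", "192.168.1.9", "bogus",
    ]
    ok, bad = classify_targets(requested, IN_SCOPE_SUBNETS, EXCLUDED_HOSTS)
    print("allowed:", ok)
    for t, why in bad:
        print(f"rejected {t}: {why}")
```

The gate is deliberately strict in one direction: anything it cannot positively match to the authorization is rejected, so an ambiguous or mistyped target fails closed instead of widening the scan.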
Question 4: What is War Dialing?
War dialing is a technique used in hacking to find network-connected devices by dialing a range of phone numbers. War dialing specifically looks for modems, which connect devices to an ISP. Even though modems are somewhat outdated technology, some enterprises still use them in their networking infrastructure, particularly if they haven't updated the networking infrastructure in a while.
Sources:
https://youtu.be/OCF68Fhh-lg?feature=shared
https://bluegoatcyber.com/blog/what-is-war-dialing/
https://www.verizon.com/about/blog/modem-vs-router