Magazine article Security Management

Facing Your Flaws: The Red Team Probes the Network for a Company to Identify Possible Vulnerabilities and Design Flaws. (Computer Security)

Article excerpt

When the United States military wants to test the security of a facility, it often calls in specialized teams to analyze, evaluate, and test the installation's perimeter. These "tiger teams" will look for potential weak points, such as easily scaled fences, open gates, or dark corners that could hide an intruder. Similarly, when network administrators want to test the security of their networks, they can call in a specialized group of computer professionals known as "red teams" to look for holes that will let malicious intruders enter the network. These security consultants test a company's network security to identify and plug holes before outsiders can exploit them.

There are two types of tests that red teams can conduct: the first is a vulnerability test, the second a penetration test. The vulnerability test is designed to assess the overall security health of an organization. At the completion of the vulnerability test, a company will know how effective its security is and how to correct any identified vulnerabilities. The penetration test is a covert attempt to break into systems using the same means as a malicious intruder. Unlike the vulnerability test, it does not include corrective measures at the end of the test to mitigate future compromises.

In both cases, testing procedures can be directed externally, internally, or in both directions. External testing normally focuses on the organization's Internet perimeter, which commonly includes routers, firewalls, virtual private networks (VPNs), Web and e-mail servers, and other systems.

Internal testing centers on the inside of the network, where organizations usually have fewer security mechanisms and procedures. The systems tested in an internal assessment include desktops, printers, servers, and laptops. Physical security should also be assessed during internal testing, because critical systems can be compromised quickly if physical access controls are weak.

To examine the methods used by a red team, the following account explores how a vulnerability test of the external security would be conducted at AcmeProducts.com, a fictional small e-commerce company that sells a variety of merchandise (such as books, games, and software) online through thousands of credit card transactions each year.

AcmeProducts.com's configuration is typical for an e-commerce company of its size. The company's network includes an external router connected to a firewall, which connects the internal network to the outside world. The internal network consists of a series of Web and database servers. The firewall is the company's primary security control. Because of limited resources, additional security measures, such as intrusion detection devices and strong authentication methods, have not been deployed.

Network system testing on a company the size of AcmeProducts.com takes about a week and typically involves three team members with diverse backgrounds in fields such as programming, UNIX, or networks, but each is a certified information security specialist. On larger jobs, such as a bank or financial institution, as many as ten testers could work as long as two or three months.

Liability. Before the testing can begin, executives from AcmeProducts.com meet with the red team members to create a detailed set of rules for the test. For example, AcmeProducts.com's managers require the testing team to sign nondisclosure agreements to protect any sensitive information the testers might access during the test. Absent such rules, both sides face potential problems, for instance a tester accessing systems and using sensitive corporate information for unethical purposes such as extortion or commercial espionage.

The red team asks AcmeProducts.com to sign liability waivers stating that if the network is damaged during the test (for example, if the testing unintentionally creates a denial of service situation or crashes the company's network), the team will not be held responsible. …
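The rules agreed before the test (authorized systems, the testing window, and techniques the client excludes, such as anything likely to cause the denial of service the waiver mentions) are only useful if the team actually checks each planned action against them. The following is an added example, not code from the article or from any real red team; every address, date and rule in it is constructed for illustration, and the rule names (`in_scope`, `never_touch`, `window_utc`, `forbidden_techniques`) are assumptions about how a signed rules-of-engagement document might be encoded.

```python
"""Rules-of-engagement gate for a red-team test.

Added example, not from the Security Management article.  Before any test
action runs, check_action() compares it against the written rules the client
and the team agreed on: authorized address ranges, hosts that must never be
touched, the testing window, and techniques the client has excluded.
All values below are constructed for illustration.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed rules of engagement (assumption: in practice these come from
# the signed agreement).  The address ranges are RFC 5737 documentation ranges.
RULES = {
    "in_scope": ["203.0.113.0/24", "198.51.100.10/32"],
    "never_touch": ["203.0.113.250/32"],        # e.g. the payment database host
    "window_utc": ("2024-03-04T22:00:00", "2024-03-05T06:00:00"),
    "forbidden_techniques": {"denial_of_service", "social_engineering"},
}


def _in_any(addr, cidrs):
    """True if addr falls inside any of the CIDR blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def _utc(iso):
    """Parse an ISO-8601 timestamp and treat it as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def check_action(target, technique, when_iso, rules=RULES):
    """Return (allowed, reason); the reason names the rule that decided it."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return False, f"{target!r} is not a valid IP address"
    # Exclusions win over inclusions: a host can sit inside an in-scope
    # range and still be off limits.
    if _in_any(target, rules["never_touch"]):
        return False, f"{target} is on the never-touch list"
    if not _in_any(target, rules["in_scope"]):
        return False, f"{target} is outside the authorized ranges"
    start, end = (_utc(t) for t in rules["window_utc"])
    when = _utc(when_iso)
    if not start <= when <= end:
        return False, f"{when_iso} is outside the agreed testing window"
    if technique in rules["forbidden_techniques"]:
        return False, f"technique '{technique}' is excluded by the rules of engagement"
    return True, "permitted"


def audit_plan(plan, rules=RULES):
    """Run every planned action through the gate; returns one record each."""
    return [
        (target, technique, when_iso, *check_action(target, technique, when_iso, rules))
        for target, technique, when_iso in plan
    ]


if __name__ == "__main__":
    # Constructed test plan: mix of permitted and blocked actions.
    plan = [
        ("203.0.113.20", "port_scan", "2024-03-04T23:00:00"),
        ("203.0.113.250", "port_scan", "2024-03-04T23:00:00"),
        ("203.0.113.20", "denial_of_service", "2024-03-04T23:00:00"),
        ("192.0.2.5", "port_scan", "2024-03-04T23:00:00"),
        ("203.0.113.20", "port_scan", "2024-03-05T12:00:00"),
    ]
    for target, technique, when_iso, allowed, reason in audit_plan(plan):
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {target:15} {technique:18} {reason}")
```

The gate deliberately evaluates exclusions before inclusions, so a host the client named as off limits stays blocked even when it sits inside an authorized range; keeping the decision log is also what lets both sides reconstruct, after the fact, which actions were inside the agreed rules.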
