The rules of engagement: Testing the security of your 
enterprise - Part 4
--------------------------------------------------------------------
By Winn Schwartau

OK. You have set your goals for your assessment, and you have specified 
the nature of the threat you wish to measure your assessment against. 
Great. Now, before the assessment actually begins, you need to do one 
more thing. Establish the Rules of Engagement. This is especially 
important when you are using outside firms. What rules are they 
supposed to follow?

In planning attacks against your own organization, it is critical to 
establish exactly how the friendly hacks will be carried out. Most 
companies are afraid of what "bad guys" can do to them. This may mean 
a professional criminal, foreign nationals or spies, a competitor, a 
terrorist - or maybe just a sixteen-year-old with a keyboard.

In developing the Rules of Engagement, you have to agree upon methods to 
attack the firm's networks and Web sites including remote 
penetrations, telephone systems, maintenance ports, and any other 
'electronic doors' to the enterprise.

Now, criminals will do a lot of things that even we, as 'friendly 
hackers' will not, and can not legally do. The so-called 'Out of 
Bounds Behavior' must be defined and adhered to. Nonetheless, all 
possible methods must be considered ahead of time. I like to put these 
issues on the table even if only to have them consciously removed. 
Assuming that the customer understands all possibilities is a freshman 
mistake. The bad guys will not preclude using them just because they 
are illegal and it is prudent to understand how far real criminals 
might be willing to go. 

Attack Methodology                                              Permitted?
        
Electronic Mapping - External                           Yes
Electronic Mapping - Internal                           Yes
Social Engineering By Telephone                         Yes
Social Engineering By Mail                                      No
Adopt Employee Identity - Remote                                Yes
Adopt Employee Identity - On Site                               No
Break into Employee Workstations?                               Yes
Read Corporate E-mail                                   No
Pretend to Be Technical Supplier                                Yes
Dumpster Diving - On Site Outside                               No
Dumpster Diving - On Site inside                                Yes
Dumpster Diving - Off Site                                      Yes
Target Sensitive Corporate Resources                    No
Personnel Extortion, Blackmail and Coercion             No
Investigate Personnel Backgrounds of Staff              No
Penetration of Business Partners                                No

Some of these actions may seem really crazy at first, but think how far 
the 'bad guys' could go if they chose to. How can we impose our 
personal bias limits on attack methodologies knowing full well that 
they do not reflect the real world? 

A portion of any efficient attack is to assemble competitive information 
on the target through open sources, such as public documents, 
financial reports and technical documentation. Both time and money can 
be saved if the company just hands it over to the friendly hackers. 
The kind of information that a real attacker would find of value 
includes:
* Operating systems
* Open technical on systems in use 
* Major venders used within the enterprise
* Physical address of data center and telephone centers  
* Phone exchanges information   

Conducting an analysis of your network's security is a normal method of 
insuring business process integrity. The depth of the analysis will be 
determined by your company's particular needs, worries, connectivity, 
and amount of reliance upon IP and other networks to conduct business. 
You, your security staff and your contractor or consultants should 
work together to define the goals, methods and processes for the 
entire project. 

Lastly, and just as important as every other step in assessing your 
security profile, do not assume that just because you have gone 
through the testing process that your networks are secure. All you 
really know is the condition of your networks at the moment of their 
evaluation. Just like the rest of your company's infrastructure, 
security is a dynamic, ever changing condition that requires constant 
vigilance. So, the prudent security manager will use the first 
comprehensive testing as a benchmark, and continue to sponsor periodic 
reviews of the system. Especially important is to perform a 
predeployment analysis of systems before they go online - not after 
you suffer the consequences.