Attackers are looking for your company’s network. Unless it is entirely offline, it is discoverable. If you are the IT professional responsible for protecting and fortifying that network, you need to know how visible it is from the outside and whether you have left open any obvious, fixable holes. Here are 10 ways to test your network’s defenses.
NOTE: Get written approval before doing any of this. Probing systems without authorization may violate company policy, and if the addresses you touch belong to someone else (a hosting provider, a cloud neighbor, a third-party SaaS) it may also break their terms of service or the law.
1. Use ShieldsUp!
ShieldsUp! is a free service from Gibson Research Corporation, run by noted software engineer and IT security expert Steve Gibson, that probes your current public IP address for open ports and for responses that reveal a listening host. Note that it tests the address your browser appears to come from, normally your NAT gateway or edge firewall, and covers only the common low-numbered ports, so treat a clean result as a quick sanity check rather than a full external scan.
2. Scan your public addresses using Shodan
Shodan does not scan on demand; it continuously crawls the internet, records the banners that services return, and lets you search that index. Query your own address space (the net: filter takes a CIDR block, org: an organization name) to see what the world already sees about your IP surface: product and version strings, default pages and management interfaces announced by your systems’ automated and default communication settings. You may be amazed at what is being advertised.
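As an added example (not code from the page or from Shodan), the script below pulls every banner Shodan holds for a netblock through the official `shodan` Python package and summarizes it per host: open ports with the product Shodan identified, ports that rarely belong on an internet-facing address, and any CVE identifiers Shodan attached. The API key, the `RISKY_PORTS` list and the `SAMPLE_MATCHES` data are assumptions; the sample is constructed to follow the shape of Shodan's search() response so the summary runs offline.

```python
"""Added example (not the page's code): summarise what Shodan already
indexes for a netblock. Assumes the official `shodan` package
(pip install shodan), an API key in SHODAN_API_KEY, and a tier that
allows the net: filter. SAMPLE_MATCHES is constructed in the shape of
Shodan's search() response so summarize() can run offline."""
import os
import sys
from collections import defaultdict

# Assumption: services that rarely belong on an internet-facing address.
RISKY_PORTS = {
    21: "ftp (plaintext)", 23: "telnet (plaintext)", 445: "smb",
    1433: "mssql", 3306: "mysql", 3389: "rdp", 5900: "vnc",
    6379: "redis", 9200: "elasticsearch", 27017: "mongodb",
}


def summarize(matches):
    """Group Shodan banners by IP: open ports with product, risky ports, CVE ids."""
    hosts = defaultdict(lambda: {"ports": [], "risky": [], "cves": set()})
    for m in matches:
        ip, port = m["ip_str"], m["port"]
        banner = (m.get("data") or "").strip().splitlines()
        product = m.get("product") or (banner[0][:40] if banner else "unknown")
        hosts[ip]["ports"].append((port, product))
        if port in RISKY_PORTS:
            hosts[ip]["risky"].append(f"{port}/{RISKY_PORTS[port]}")
        # Shodan attaches CVE ids it believes apply, keyed by id; treat them as hints.
        hosts[ip]["cves"].update(m.get("vulns") or {})
    return {ip: {"ports": sorted(h["ports"]), "risky": h["risky"],
                 "cves": sorted(h["cves"])} for ip, h in hosts.items()}


def fetch(netblock, api_key):
    """Live query: every banner Shodan holds for the CIDR block (net: is a paid filter)."""
    import shodan
    api = shodan.Shodan(api_key)
    return api.search(f"net:{netblock}")["matches"]


SAMPLE_MATCHES = [  # constructed sample, not real Shodan data
    {"ip_str": "203.0.113.10", "port": 22, "product": "OpenSSH",
     "data": "SSH-2.0-OpenSSH_7.4\r\n"},
    {"ip_str": "203.0.113.10", "port": 23, "data": "Login: "},
    {"ip_str": "203.0.113.12", "port": 3389, "product": "Remote Desktop Protocol"},
    {"ip_str": "203.0.113.12", "port": 443, "product": "nginx",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
     "vulns": {"CVE-0000-0000": {}}},  # placeholder id, not a real CVE
]

if __name__ == "__main__":
    key = os.environ.get("SHODAN_API_KEY")
    matches = fetch(sys.argv[1], key) if key and len(sys.argv) > 1 else SAMPLE_MATCHES
    for ip, h in sorted(summarize(matches).items()):
        print(ip, h["ports"], "RISKY" if h["risky"] else "", h["risky"], h["cves"])
```

Run it as `SHODAN_API_KEY=... python shodan_summary.py 203.0.113.0/24`; without a key it prints the summary of the constructed sample. Anything listed under RISKY deserves the same question as a firewall rule review: why is this reachable from the internet at all?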
3. Use vulnerability and DAST scanners
DAST is dynamic application security testing: probing a running web application from the outside rather than reviewing its source. Several online DAST providers can run this kind of vulnerability scan against your public systems, including Tinfoil Security, Pentest-Tools, Detectify, ScanMyServer and Probely. Some offer a free initial or partial scan, while others require registration and a subscription before you can use their scanner. Ask for a free trial before committing to a contract, in case the service does not give you useful insight into your public-facing security posture.
There are also dozens of broad-target vulnerability scanners, such as Nessus, Retina, Acunetix, Netsparker and Nexpose. Run the scan from an outside system, so it simulates an attacker across the internet rather than a host on your LAN, and cover all of your publicly exposed systems. Consider running several scans with several different products, since their checks and their false positives differ. In addition to the many commercial products there are free-to-use options, such as OpenVAS (now maintained by Greenbone) and Sucuri’s SiteCheck for websites.
4. Run a network sniffer and analyze the traffic
Do you really know which protocols cross the boundary of your network? Are any plaintext protocols still in use? What information leaks out even over the protocols that are encrypted? A packet capture at the edge, taken with Wireshark or tcpdump, answers these questions directly. Intercepting proxies such as Fiddler, Burp Suite and OWASP ZAP show the same thing for the HTTP(S) traffic of a single client, and network monitors such as SolarWinds Network Performance Monitor and Paessler PRTG Network Monitor give you the flow-level view of who talks to whom. Each helps you quickly understand more about your network communications.
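The check most people want from such a capture is "is anything leaving in the clear, and does it carry credentials?" The script below is an added example, not code from the page or from any of the tools named above: it reads a classic libpcap file as saved by Wireshark or `tcpdump -w`, walks Ethernet/IPv4/TCP frames with `struct`, and reports every segment sent to a well-known plaintext port or containing a credential marker. The port list, the marker list and the embedded sample capture are assumptions, and the capture is constructed in the code so the example runs offline.

```python
"""Added example (not the page's code): find plaintext protocols and
credentials crossing a boundary, from a libpcap file such as one saved
by Wireshark or `tcpdump -i eth0 -w edge.pcap`. Only Ethernet/IPv4/TCP
frames are inspected; SAMPLE_CAPTURE is constructed below for offline use."""
import struct
import sys

# Assumption: ports whose traffic is plaintext by design; extend for your environment.
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http",
                   110: "pop3", 143: "imap", 389: "ldap"}
CRED_MARKERS = (b"USER ", b"PASS ", b"Authorization: Basic ", b"password=")


def iter_frames(data):
    """Yield raw link-layer frames from a classic (non-pcapng) libpcap buffer."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None  # not IPv4 (EtherType 0x0800) or not TCP (protocol 6)
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_offset:]


def find_plaintext(data):
    """One finding per TCP segment sent to a plaintext port or carrying a credential marker."""
    findings = []
    for frame in iter_frames(data):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        proto = PLAINTEXT_PORTS.get(dport)
        creds = [m.decode() for m in CRED_MARKERS if m in payload]
        if proto or creds:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "proto": proto, "credentials": creds})
    return findings


def build_pcap(segments):
    """Constructed capture: wrap (src, dst, sport, dport, payload) tuples in pcap framing."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for src, dst, sport, dport, payload in segments:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
        frame = bytes(12) + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)


SAMPLE_CAPTURE = build_pcap([  # constructed traffic, not a real capture
    ("10.0.0.5", "198.51.100.7", 51000, 21, b"USER alice\r\n"),
    ("10.0.0.5", "198.51.100.7", 51000, 21, b"PASS hunter2\r\n"),
    ("10.0.0.8", "198.51.100.9", 51001, 443, b"\x16\x03\x01\x00\x8c"),  # TLS: not flagged
    ("10.0.0.9", "198.51.100.7", 51002, 8080,
     b"GET / HTTP/1.1\r\nAuthorization: Basic Ym9iOnNlY3JldA==\r\n\r\n"),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for f in find_plaintext(data):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} {f['proto'] or ''} {f['credentials']}")
```

Note the last sample segment: HTTP on a non-standard port is not on the plaintext list, yet the Basic-auth header still gives it away, which is why the marker check runs on every segment and not only on known ports. Wireshark's own display filters (`ftp.request.command == "PASS"`, `http.authorization`) express the same idea interactively.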
5. Consider using an exploitation framework
An exploitation framework is a tool that actually exploits vulnerabilities in targets rather than merely reporting them. Most ship with a large database of exploits and post-exploitation modules that can be run manually or automatically. Examples include Metasploit, Core Impact and Immunity Canvas. Be aware that this class of tool can crash services and corrupt data, so use it with preparation and caution: a maintenance window, current backups, and explicit authorization for every target.
6. Check your websites with SSL Labs
Many remote attacks and intrusions occur against or through a company’s website, so you need to know when your encryption is less than ideal. Qualys maintains a free service, SSL Labs, that grades the SSL/TLS configuration of a public-facing web server: protocol versions, cipher suites, certificate chain and known weaknesses. You should no longer be using or even supporting SSL (2.0 or 3.0), and TLS 1.0 and 1.1 are deprecated as well (RFC 8996), so support TLS 1.2 and 1.3 only.
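SSL Labs only tests hosts reachable from the internet, and you will often want to re-check a server right after a configuration change. The script below is an added example, not code from the page or from Qualys: using only Python's standard `ssl` module it offers each protocol version to the server one at a time and reports which ones are accepted, then turns that into findings. The host name and the verdict wording are assumptions. One caveat is built in: a modern OpenSSL may refuse to even offer SSLv3 or TLS 1.0, so those versions can come back as "not testable" rather than "rejected".

```python
"""Added example (not the page's code): check which protocol versions a
server still negotiates, as a local complement to an SSL Labs report.
Uses only the standard ssl module. Whether SSLv3/TLS 1.0/1.1 can even be
offered depends on the local OpenSSL build; such versions report as None."""
import socket
import ssl
import sys

VERSIONS = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
# SSLv3 is deprecated by RFC 7568, TLS 1.0/1.1 by RFC 8996.
ACCEPTABLE = {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}


def probe(host, port=443, timeout=5):
    """Offer exactly one protocol version per handshake.

    Returns {version_name: True (accepted) | False (rejected) | None (not testable here)}.
    Raises OSError if the host cannot be reached at all.
    """
    results = {}
    for v in VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # testing protocol support, not the certificate
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ctx.maximum_version = v
        except ValueError:  # local OpenSSL built without this version
            results[v.name] = None
            continue
        try:
            # OpenSSL 3 refuses to offer TLS < 1.2 at its default security level.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # non-OpenSSL builds: keep the defaults
        sock = socket.create_connection((host, port), timeout=timeout)
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                results[v.name] = tls.version() is not None
        except ssl.SSLError as e:
            # NO_PROTOCOLS_AVAILABLE means our side could not offer it, not that the server refused.
            results[v.name] = None if e.reason == "NO_PROTOCOLS_AVAILABLE" else False
        except OSError:
            results[v.name] = False  # server dropped the connection instead of sending an alert
    return results


def verdict(results):
    """Findings a practitioner acts on, from probe()'s result dict."""
    findings = []
    for v in VERSIONS:
        r = results.get(v.name)
        if r is None:
            findings.append(f"{v.name} not testable from this host's OpenSSL build")
        elif r and v not in ACCEPTABLE:
            findings.append(f"{v.name} accepted: deprecated, disable it")
    if not any(results.get(v.name) for v in ACCEPTABLE):
        findings.append("neither TLS 1.2 nor TLS 1.3 accepted")
    return findings


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed default target
    res = probe(host)
    print(res)
    print("\n".join(verdict(res)) or "OK: only TLS 1.2/1.3 accepted")
```

This is a protocol-version check only; cipher-suite strength, certificate validity and HSTS are what the SSL Labs report adds on top. When a version shows as not testable, run the probe from an older toolchain or a container with OpenSSL 1.1 before concluding the server rejects it.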
7. Run several thorough nmap scans
The command-line tool nmap is not solely a port scanner. It also performs operating system identification (-O), service and version detection (-sV), vulnerability checks and limited exploitation, most of which comes from the Nmap Scripting Engine (NSE). Nmap ships with over 600 pre-made scripts that you select by name or by category (for example --script default,vuln) to test and evaluate a system’s attack surface. To learn more, see the NSE documentation at nmap.org/nsedoc.
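A thorough external scan produces far more output than you want to read by hand, so save it as XML (-oX) and post-process it. The parser below is an added example, not nmap's code or the page's: it reads nmap's XML, lists the open ports of every live host with the detected service, version and NSE script output, and pulls out the two things to look at first, scripts from the vuln category that report a VULNERABLE state and services that should not face the internet. The command line shown in the docstring, the `EXPOSED_SERVICES` list and the sample XML are assumptions; the XML is constructed to follow nmap's schema so the parser runs offline, and `http-vuln-placeholder` stands in for a real vuln script.

```python
"""Added example (not nmap's or the page's code): turn nmap's -oX output
into an attack-surface summary. Typical external run, from a host outside
your network:  nmap -sS -sV -O -p- --script default,vuln -oX scan.xml 203.0.113.0/24
SAMPLE_XML below is constructed to follow nmap's XML schema for offline use."""
import sys
import xml.etree.ElementTree as ET

# Assumption: services a reviewer wants called out even without a script hit.
EXPOSED_SERVICES = {"telnet", "ftp", "ms-wbt-server", "vnc", "microsoft-ds"}


def parse_nmap_xml(text):
    """Return [{ip, os, ports: [{port, proto, service, version, scripts}]}] for hosts that are up."""
    hosts = []
    for host in ET.fromstring(text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        osmatch = host.find("os/osmatch")  # present only when scanned with -O
        entry = {"ip": addr.get("addr") if addr is not None else None,
                 "os": osmatch.get("name") if osmatch is not None else None, "ports": []}
        for p in host.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue
            svc = p.find("service")
            version = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            entry["ports"].append({
                "port": int(p.get("portid")), "proto": p.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "version": version,
                "scripts": {s.get("id"): s.get("output") for s in p.findall("script")},
            })
        hosts.append(entry)
    return hosts


def findings(hosts):
    """What to look at first: NSE vuln scripts reporting VULNERABLE, and risky services."""
    out = []
    for h in hosts:
        for p in h["ports"]:
            for sid, output in p["scripts"].items():
                if "VULNERABLE" in (output or ""):  # state marker used by the NSE vulns library
                    out.append(f'{h["ip"]}:{p["port"]} {sid}: VULNERABLE')
            if p["service"] in EXPOSED_SERVICES:
                out.append(f'{h["ip"]}:{p["port"]} {p["service"]} exposed')
    return out


SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -O --script default,vuln -oX scan.xml 203.0.113.10">
<host><status state="up" reason="echo-reply"/>
<address addr="203.0.113.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="7.4"/>
  <script id="ssh-hostkey" output="2048 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (RSA)"/></port>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" version="2.4.29"/>
  <script id="http-vuln-placeholder" output="&#10;  State: VULNERABLE&#10;"/></port>
<port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/></port>
</ports>
<os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
</host></nmaprun>"""  # constructed; http-vuln-placeholder is not a real NSE script

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    hosts = parse_nmap_xml(text)
    for h in hosts:
        print(h["ip"], h["os"] or "")
        for p in h["ports"]:
            print(f'  {p["port"]}/{p["proto"]} {p["service"]} {p["version"]}')
    print("\n".join(findings(hosts)))
```

Diffing two such reports taken a week apart is the cheapest change-detection you can run on your perimeter: a port that appears between scans is either a planned deployment or a problem.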
8. Evaluate your website’s history
Did you know there are services that have been archiving copies of the web since the mid-1990s? The best known, the Wayback Machine, is hosted by the Internet Archive. Once content is published on a web page, it can be crawled and cached by an archive, a search engine or a scraper before you have time to notice, and if confidential documents were ever posted by accident, copies are likely to remain accessible online long after you removed them from your site. Peruse the historical copies of your company’s content to see what security-relevant, private or sensitive information is out there, then take steps to make it less useful: rotate any exposed credentials or keys, and ask the archive to remove the material.
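Browsing the Wayback Machine page by page does not scale to a site with years of history. The script below is an added example, not code from the page or from the Internet Archive: it enumerates every archived URL for a domain through the Archive's CDX API and lists the ones whose path or file type suggests something that should never have been public, with the date it was first captured. The `SUSPECT` pattern and the `SAMPLE_ROWS` data are assumptions; the sample is constructed in the CDX JSON shape so the filtering step runs offline.

```python
"""Added example (not the page's code): enumerate what the Wayback Machine
has archived for a domain via the CDX API and flag URLs that look
sensitive. SAMPLE_ROWS is constructed in the CDX JSON shape for offline use."""
import json
import re
import sys
import urllib.parse
import urllib.request

CDX = "https://web.archive.org/cdx/search/cdx"
# Assumption: tune these patterns to what your site should never have published.
SUSPECT = re.compile(
    r"\.(xlsx?|docx?|pdf|csv|sql|bak|zip|pem|key|env)$|/(backup|internal|admin|staging|\.git)",
    re.I)


def fetch_cdx(domain, limit=5000):
    """Live query: [timestamp, original, statuscode, mimetype] rows for domain/* (200s only)."""
    query = urllib.parse.urlencode({
        "url": f"{domain}/*", "output": "json",
        "fl": "timestamp,original,statuscode,mimetype",
        "filter": "statuscode:200", "collapse": "urlkey", "limit": limit,
    })
    with urllib.request.urlopen(f"{CDX}?{query}", timeout=60) as resp:
        rows = json.load(resp)
    return rows[1:]  # the first row is the field header


def suspect_urls(rows):
    """Return (first_seen_timestamp, url) pairs whose path looks sensitive, oldest first."""
    first_seen = {}
    for ts, url, status, mime in rows:
        path = urllib.parse.urlsplit(url).path  # ignore the query string when matching
        if SUSPECT.search(path) and (url not in first_seen or ts < first_seen[url]):
            first_seen[url] = ts
    return sorted((ts, url) for url, ts in first_seen.items())


SAMPLE_ROWS = [  # constructed sample, not a real CDX response
    ["20190301120000", "http://www.example.com/", "200", "text/html"],
    ["20190302080000", "http://www.example.com/docs/salaries-2019.xlsx", "200",
     "application/vnd.ms-excel"],
    ["20190610080000", "http://www.example.com/docs/salaries-2019.xlsx", "200",
     "application/vnd.ms-excel"],
    ["20200115000000", "http://www.example.com/backup/site.zip?x=1", "200", "application/zip"],
    ["20200201000000", "http://www.example.com/about.html", "200", "text/html"],
]

if __name__ == "__main__":
    rows = fetch_cdx(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ROWS
    for ts, url in suspect_urls(rows):
        print(ts[:8], url)
```

The timestamp tells you how long the material has been retrievable, which is the number you need when deciding whether a leaked credential must be rotated. The same query with `matchType=domain` instead of `domain/*` also covers subdomains you may have forgotten about.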
9. Check for account compromises
With the plethora of system breaches occurring, attackers are stealing and dumping collections of account credentials and other personal details about employees and customers. You need to know when your site’s or your employees’ information has been compromised through other systems and services. Two services I recommend for this research are Microsoft Regional Director Troy Hunt’s haveibeenpwned.com and spycloud.com. Use both to research individual email addresses, and your whole domain where the service supports it, to learn whether information has been leaked and what that information is.
10. Don’t forget about the weakest link!
Network defenses are not just about hardware and software; you must also evaluate the human side of security. Everyone should take the Cybersecurity Foundations course to better understand the challenges of designing a secure system and the roles that together provide a cohesive security solution.
Social engineering is on the rise as attackers realize that they may not have the skills to breach the technical defenses but can often find a weak point in the personnel. You can run simulated social engineering attacks yourself, using tools such as the Social-Engineer Toolkit, LUCY or Gophish, or you can opt for a consulting service, such as Cofense, KnowBe4 or Proofpoint.
You’re on your way to building stronger network defenses
With these tools and techniques you will gain a much better understanding of your company’s network defenses. With that knowledge you can make a plan to resolve the problems you discovered and improve your security posture by reducing your attack surface. Have other suggestions?