
Friday, March 29, 2019

Penetration Testing Of General Hospital Information Technology Essay

Penetration testing (see Appendix B) has always been an important first step in any security life cycle. By doing penetration testing, the Hospital's IT team can obtain a lot of invaluable information about the Hospital's newly developed security system. Basically the process of penetration testing will involve gathering information, then using that information to identify, and then try to exploit, the security vulnerabilities.

1/ Why do we need to do penetration testing

Penetration testing is one of the oldest and most effective methods to evaluate the security measures of a computer system. Nowadays many organizations are using penetration testing in order to find and fix security weaknesses before they get exposed. And for General Hospital, after the process of creating a new security system, it is important that we do penetration testing, not only to find out about any potential vulnerability, but also to demonstrate the effectiveness of the new system. These are just a few points on why General Hospital should do penetration testing:

* The main purpose is still a greater understanding of the current security system and finding any gap in security. This helps the Hospital's IT team to draw up proper action plans to minimize the threat of attack or misuse.

* The penetration test will be documented carefully (more information on this below), and these thoroughly documented results will help the managers in making a strong business case to the Hospital board, explaining and justifying all the budget that has been used for creating this new security system.

* Security is not a one-time solution; it is really a long process of maintaining and upgrading along the way, as new threats are being discovered.
This pen-test may be the first that SGH has done, but it will definitely not be the last. By doing a proper pen-test, the result will act as a reliable foundation for future testing.

2/ Quality of the test

Like any big project, before we really act to complete the task, we have to have a truly clear picture of the final product as well as of the strategy and all the steps along the way; committing without planning is one way to ensure failure (more information on planning in the next part). As we will see later in this document, the Hospital will join with a security partner in order to carry out the testing, all the more reason for the two parties to sit down and agree on the required quality of this test. So, what makes a good penetration test?

Scope of the test: defining a clear scope that is the most satisfactory for the Hospital will be the first and most important task, for a good scope will help to prevent wasting resources while at the same time being able to cover every potential vulnerability (the scope definition will be in the next section, the planning stage).

Reliable partner: after the planning has sketched out a good strategy, it is the security partner's job to implement and launch the test. That is why we have to choose a skilled and experienced partner, one who knows what they are doing. In the fourth section, we will choose a partner that is:
* Legally capable.
* Technically capable.
* Able to abide by the non-disclosure agreement; this is especially important, for we are a hospital, working with extremely sensitive information.

Choosing a correct and adequate series of tests: this depends heavily on the scope that we decide on. Also the execution of the test must follow a strict methodology; every test must be planned carefully, the plan followed, and the result well documented.
This is very important because if we treat the test just like a guessing game, to see where the weaknesses are, it is very possible that we are going to miss something, and that alone makes the purpose of doing penetration testing completely void.

Result oriented: the only thing we care for is the result of the test. That is why the results should be well documented; the team should also pay attention to making the result understandable, so that the Hospital board can easily understand the problems, and the consultant of the security partner company should also be ready to present and explain the results.

With that level of quality in mind, we are going to proceed to the planning and the following steps accordingly. However, because we are not going to actually perform the test, we are only going through planning, defining the scope, choosing a strategy, choosing the tests, and lastly defining the methodology and standards for this series of tests. We are going to explain what we chose and why; for the definitions and how to execute, please refer to the appendix.

II/ The planning stage

In this part, we will cover the planning and the definition of the scope, which leads to a strategy plan, which will be the backbone guideline for any further tests to follow.

The security priorities of various targets are different: for a service network it is important to have high stability and availability, or in the case of an e-business network, it requires high authenticity. However none of that can be applied to SGH; for a hospital the utmost priorities are confidentiality and data integrity. We are dealing with patients' data here; there is no point in taking the Hippocratic Oath to keep the patients' information confidential while on the other hand slacking off in putting effort into protecting that information. Not only that, we are dealing with much higher stakes here, which involve human lives.
This is no longer just protecting data because data represents money. When I was young, I remember a movie where a patient with a broken jaw put back together with metal plating, years later got cancer, and his doctor, without knowing about the plating, still sent him to the MRI machine (highly magnetic), which led to his gruesome death. All of which was caused by a lack of dental documentation in his medical history. So in a nutshell, SGH's highest priority is data integrity and confidentiality, but in the meantime we still have to do minimum checking on every other aspect, leaving out nothing.

The second part of SGH's network system is the personnel, which in this case are mostly doctors and nurses. They are among the most highly trained employees, but not in IT. Nowadays almost every hospital in Singapore has been completely digitalized, dealing with databases instead of paper files, and with many medical devices being monitored by computer programs. The combination of high tech with inexperienced users leads to a very high chance of application misuse and data being input wrongly. That puts application security testing (Appendix B, application security testing) a notch higher in priority than normal.

So as a conclusion for the strategy of this penetration test, we are going to do a penetration test following the Blind Testing strategy (Appendix B, blind testing strategy) to simulate a real hacking attempt by a hacker to obtain confidential data, or to modify, delete, etc. At the same time we will combine it with certain Internal testing (Appendix B, internal testing strategy), mostly focused on application security, misuse, etc., and of course a few basic tests against common threats; however we are not going to go deep into that.

After deciding on a plan and testing strategy, the next step will be vulnerability assessment.

III Vulnerability assessment (VA)

Why should we do VA (Appendix B, VA)?
In fact there is some confusion between VA and pen-test; sometimes people label them as the same. A pen-test mostly consists of VA, but then takes one step further: find the weak spot, then attack it. So basically before we do a pen-test, the first step would be VA.

For the details of how to do VA please refer to VA in Appendix A. But basically we are going to use a series of techniques that can be considered as research before attack:

Passive research: learn as much as we can about SGH from an outside point of view.

Open source monitoring: utilizes Internet meta-searches focused on specific keywords or sensitive information, to see if there is any leaking.

Network mapping and OS fingerprinting: from an outside view, figuring out the structure of the network, even being able to draw out a network diagram from the information gathered through different tools.

Spoofing: trick the targeted computer inside the Hospital by sending out packets pretending that they come from a trusted computer address.

Network sniffing: capture data as it goes in and out of the network; especially since we have different sites between the Clinics and the Hospital, this can be a good check to see if our VPN is working properly.

Trojan attack: and yes, the traditional, bread and butter Trojan attack. Even though it is basic, because it is so popular it would be a mistake to think that our firewall can do all the job; Trojans combined with social engineering can be devastating.

Brute force attack: this can be optional, as we mentioned before that the availability of the network may not be our highest priority; however if the resources allow, we can still do it, better safe than sorry.

Vulnerability scanning: at last we can use automated tools to scan the entire database looking for potential vulnerabilities (the how, and what tools, can be found in VA in Appendix A).

After all those tests, it is very likely that we may be able to discover a few holes in our security system. However, in order to make sure that none of the vulnerabilities we have just discovered are false positives, we will go to the next step, exploit testing, meaning actually attacking to see if any get through.

IV Penetration testing, different types of test

Exploit testing (Appendix B, exploit testing) is normally the final stage in the whole process of penetration testing. There are many types of test, each with a different level of commitment. We have to choose which tests, and how far we want to push. This decision is based on two aspects. One is the predefined scope that everybody agreed on earlier; we will select the tests according to that scope and the strategy. The second is based on the results of VA: attack every potential vulnerability that we have just found. In this scenario, because we have not actually performed the test, we are going to choose based on the scope only.

1/ Database Integrity

As we discussed in the previous section, the integrity and confidentiality of the SGH database is our highest priority. In the process of VA we have done many tests and checks (sniffing, mapping, Trojan, brute force); those are not only VA testing but actually also part of testing the confidentiality and integrity level of the database. That is the fine line between VA and penetration testing, as many of the assessments can actually be considered exploitive. In the same manner, in this stage of exploitive testing there are still tests that could be done that may very well have been a part of VA, like:

War dialling (Appendix B, war dialling): by calling a wide range of telephone numbers inside SGH, we may catch a modem, remote access devices, and maintenance connections that may leave an opening on the hospital network. Why do we even consider this method?
The fact is that nowadays not only users, but even IT staff, are very ignorant when it comes to the phone network, while in fact it is a prime access point that a hacker could exploit. You do not actually need to be ignorant, just careless is enough; leaving an open modem on a critical node of the network is enough to create an opening.

There are many tools we can use for war dialling:
* ToneLoc from Minor Threat and Mucho Maas, or its alternative ModemScan; they both can be used on the Microsoft Windows platform.
* TeleSweep, for Microsoft also, and it is free.
* For Mac, use Assault Dialer.
* For Unix, try PAWS, THC-SCAN NG, Telescan, IWAR (intelligent war dialler), or ShokDial (from http://www.tech-faq.com).

2/ Social engineering testing

Social engineering testing (Appendix B, SE) is part of the blind strategy testing. The environment we are working on is SGH, where most of the employees do not have in-depth training in IT; another point is their helpful nature, as answering questions kind of comes with the job description. All in one word: gullible nurses.
For any cunning hacker, this is a big fat target for a social engineering attack. For that reason, basic training against social attacks is required; at the same time several tests can be conducted, primarily in two forms:

Non face-to-face: the test can be done over mail or phone, pretending to be someone who has authority, or who needs help, to trick the user into giving up an account, a password, or other sensitive information.

Face-to-face: this is a more advanced kind of social engineering, posing as an employee or authorized personnel, gaining physical access to restricted areas, getting information, from intercepting mail to dumpster diving, etc.

Social engineering may not be as technical as other tests, but it has equal importance if not more, for the fact that there is actually no foolproof method to prevent a social engineering attack other than outsmarting the attacker, and ironically we do not usually put the smartest people of the organization at the reception desk. The only thing we can do is to raise the level of awareness of the employees (there are books on this matter like The Art of Deception and The Art of Intrusion, both by Mitnick and Simon).

3/ Application security testing

The second point from the scope, as we discussed earlier, is application security. There is a series of tests for application security (technical details in Appendix A, AppT): code review, authorization testing, input validation, cookie security, lockout testing; there are also some tests for the functionality of the application as well, like input validation, transaction testing, etc.

Why we need application testing we have discussed above, but then again, do we really need to do all those tests? Yes, we do. The objective of doing so many tests on the application alone is to fully evaluate the control we have over our applications (medical applications, network applications).
The focus of those tests is still mainly on protecting the confidentiality and integrity of information, how to authenticate users, and also on the use of cookies (Appendix B, cookies).

4/ Other tests

There are some other tests like denial of service testing, resource testing, etc., but as we mentioned above, these are not compulsory; not that they are not important, but there are higher priority tests that need to be done. But since these are common attacks and easy to carry out, it is recommended that if the resources allow, we should go ahead and perform the tests, even at a basic level (the details of the tests can be found at DoS testing, Appendix A).

V Other details of a penetration test

1/ Methodology and standards

Methodology is actually a very important factor of a penetration test. A test that is done without a formal methodology has no real meaning; it is just poking around. But on the other hand, the methodology should only act as a framework, a guideline to follow; we should not restrict the tester, but rather let him/her fully explore his/her intuitions while acting according to the guideline. There are several methodologies and standards; for their technical details, please refer to Appendix A, Metho.

2/ Security partner

The reasons why we need to pay money for a third party to perform the test for us are:

Unbiased point of view: like a beta tester, sometimes the programmer, or in this case the SGH IT team, cannot see their own mistakes clearly, so we need to bring in trained professionals to look for us.

Highly experienced and highly trained: of the members of the IT team, some may have done a penetration test before, some may not. But a company that specializes in penetration testing has done it hundreds of times, even for some big organizations; that is why, with the experience and the training, it is more likely that they can discover things that the IT team cannot.
Certified result: a certified penetration testing company will have to satisfy a certain level of standards (refer to Appendix A, Metho). If a test is done by a certified party, it can become a potentially strong legal basis for future conflicts (for example insurance conflicts).

With all those reasons, we have decided to hire a security partner to perform the test for us. In Singapore there are many companies that have the certification and standards to perform such tests; the most trustworthy must be:
* Cisco
* IBM (with its penetration testing service)
* Obtech's Certified penetration testing specialist

3/ Risks in doing penetration testing

While doing penetration testing, there are certain risks that we should consider and be careful about:

Risk of exposure: there is a lot of sensitive data in the hospital; sometimes this data can be exposed during a pen-test, accidentally or intentionally, so we have to have a strong agreement on the conditions and responsibility of the security partner.

Time delay: a pen-test takes time, and in a hospital environment we cannot simply lock down our database for testing; that is why a strict time-frame is needed. For the size of our Hospital system, the testing should not take more than a month.

VI Conclusion

As we all know, security is a continuum, not an absolute. Through the penetration tests we should be able to not only find out that there are flaws in the security system, but we have to go further to understand the process failures that lead to those flaws. Through the test, we can see that even a brand new security system can have many vulnerabilities; it is a reminder to us so that we never have a false sense of security.

Appendix A

1/ VA (Vulnerability assessment)

As documented by SANS, "Vulnerabilities are the gateways by which threats are manifested." In other words, a system compromise can occur through a weakness found in a system.
A vulnerability assessment is a search for these weaknesses/exposures in order to apply a patch or fix to prevent a compromise.

How do these weaknesses occur? There are two points to consider. This newly developed security system for SGH may have been born with them, meaning that while developing it the development team created the weakness by mistake. Many vulnerabilities also occur as a result of misconfigurations by system administrators. Misuse by users, too, can lead to the result of making a hole in the security system.

There are many ways to search for vulnerabilities; however in our scenario it is best to do it as an outside hacker would do it. Before attacking a system, the hacker also has to perform a vulnerability assessment on the system; the only difference would be that we are going to do it on a full scale, not only from the outside looking in but also from the insider's view. There is a certain number of techniques that could effectively point out the weaknesses if the system has any.

Passive research: As the name suggests, passive research is a method used to gather as much information as possible about an organization's systems configuration from public domain sources such as:
o DNS (domain name service)
o RIPE (Réseaux IP Européens)
o USENET (newsgroups)
o ARIN (American Registry for Internet Numbers)
Passive research is generally performed at the beginning of an external penetration test.

Open source monitoring: This service is an associated technique that utilizes Internet meta-searches (multiple searches of Web sites, newswires, newsgroups and other sources) targeted on keywords that are important to the organization. The data is collected and discoveries are highlighted to the organization. This helps determine whether the organization's confidential information has been leaked or whether an electronic conversation involving them has taken place.
This enables an organization to take the necessary measures to ensure confidentiality and integrity.

Network mapping and OS fingerprinting: Visualization of the network configuration is an important part of penetration testing. Network mapping is used to create a picture of the configuration of the network being tested. A network diagram can be created which infers the logical locations and IP addresses of routers, firewalls, Web servers and other border devices. Additionally, this examination can assist in identifying or fingerprinting operating systems. A combination of results from passive research and tools such as ping, traceroute and nmap can help create a somewhat accurate network map.

An extension of network mapping is port scanning. This technique is aimed at identifying the type of services available on the target machine. The scan result reveals important information such as the function of a computer (whether it is a Web server, mail server, etc.) as well as revealing ports that may be serious security risks, such as telnet. Port scans should include a number of individual tests, including:
o TCP (Transmission Control Protocol) scan
o Connect scan
o SYN (or half open) scan
o RST (or Xmas-tree) scan
o UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol) scans. Tools such as nmap can perform this type of scan.
o Dynamic ports used by RPC (Remote Procedure Call) should be scanned using a tool such as rpcinfo.

Spoofing: Spoofing involves the creation of TCP/IP packets using somebody else's Internet address and then sending them to the targeted computer, making it believe that they came from a trusted source. It is the act of using one machine to impersonate another. Routers use the destination IP address in order to forward packets through the Internet, but ignore the source IP address. The destination machine only uses that source IP address when it responds back to the source.
This technique is used in internal and external penetration testing to access computers that have been instructed to only respond to specific computers. This can result in sensitive information being released to unauthorized systems. IP spoofing is also an integral part of many network attacks that do not need to see responses (blind spoofing).

Network sniffing: Sniffing is a technique used to capture data as it travels across a network. Sniffing is an important information gathering technique that enables the capture of specific information, such as passwords, and also an entire conversation between specific computers, if required. To perform sniffing, the network card of the computer needs to be put in promiscuous mode, so that it captures all data being sent across the network. Sniffing is extensively used in internal testing where the sniffer, or the computer in promiscuous mode, is directly attached to the network, enabling the capture of a great deal of information. Sniffing can be performed by a number of commercial tools such as Ethereal, Network Associates SnifferPro and Network Instruments Observer.

Trojan attack: Trojans are malicious programs that are typically sent into a network as e-mail attachments or transferred via IM chat rooms. These programs run in stealth mode and get installed on the client computer without the user's knowledge. Once installed, they can open remote control channels to attackers or capture information. A penetration test aims at attempting to send specially prepared Trojans into a network.

Brute force attack: A brute force attack involves trying a huge number of alphanumeric combinations and exhaustive trial and error methods in order to find valid authentication credentials. The objective behind this time-consuming exercise is to gain access to the target system. Brute force attacks can overload a system and can possibly stop it from responding to legitimate requests.
Additionally, if account lockout is being used, brute force attacks may close the account to legitimate users.

Vulnerability scanning/analysis: Vulnerability scanning/analysis is an exhaustive examination of targeted areas of an organization's network infrastructure aimed at determining their current state. The targets range from a single system or only critical systems to scanning the entire network. It is usually performed using automated tools that test for a multitude of potential weaknesses in a system against a database of known vulnerabilities and report potential security holes. And although they do not actively prevent attacks, many scanners provide additional tools to help fix found vulnerabilities. Some of the commonly used vulnerability scanners include the open-source Nessus Project's Nessus, ISS Internet Scanner, GFI Software's GFI LANguard Network Security Scanner, eEye Digital Security's Retina Network Security Scanner, the BindView RMS vulnerability-management solutions and Network Associates CyberCop.

2/ Application testing (AppT)

For the purpose of application testing there are several tests that can be done:

* Code review: Code reviews involve analysing all the application-based code to ensure that it does not contain any sensitive information that an intruder might use to exploit an application. For example, publicly available application code may include test comments, names or clear text passwords that will give an intruder a great deal of information about the application.

* Authorization testing: Involves testing the systems responsible for the initiation and maintenance of user sessions.
This will require testing:
o Input validation of login fields: bad characters or overlong inputs can produce unpredictable results
o Cookie security: cookies can be stolen and legitimate sessions can be used by an unauthorised individual, and
o Lockout testing: testing the timeout and intrusion lockout parameters set in the application, to ensure legitimate sessions cannot be hijacked.
This is performed to discover whether the login system can be forced into permitting unauthorised access. The testing will also reveal whether the system is susceptible to denial of service attacks using the same techniques.

* Functionality testing: This involves testing the systems responsible for the application's functionality as presented to a user. This will require testing:
o Input validation: bad characters, specific URLs or overlong inputs can produce unpredictable results, and
o Transaction testing: ensuring that the application performs to specification and does not permit the user to abuse the system.

3/ DoS testing

Denial of service testing involves attempting to exploit specific weaknesses on a system by exhausting the target's resources so that it stops responding to legitimate requests. This testing can be performed using automated tools or manually. The different types of DoS can be broadly classified into software exploits and flooding attacks. Decisions regarding the extent of denial of service testing to be incorporated into a penetration testing exercise depend on the relative importance of the ongoing, continued availability of the information systems and related processing activities. Denial of service can take a number of forms; those that are important to test for are listed below:

* Resource overload: these attacks intend to overload the resources (i.e. memory) of a target so that it no longer responds.

* Flood attacks: this involves sending a large amount of network requests with the intention of overloading the target.
This can be performed via:
o ICMP (Internet Control Message Protocol), known as smurf attacks
o UDP (User Datagram Protocol), known as fraggle attacks

* Half open SYN attack: this involves partially opening numerous TCP connections on the target, so that legitimate connections cannot be started.

* Out-of-band attacks: these attempt to crash targets by breaking IP header standards:
o Oversized packets (ping of death): the packet header indicates that there is more data in the packet than there actually is.
o Fragmentation (teardrop attack): sends overlapping fragmented packets (pieces of packets) which are under length.
o IP source address spoofing (land attack): causes a computer to create a TCP connection to itself.
o Malformed UDP packet header (UDP bomb): UDP headers indicate an incorrect length.

4/ Methodology and standards (Metho)

The Open Source Security Testing Methodology Manual (OSSTMM) by Pete Herzog has become a de-facto methodology for performing penetration testing and obtaining security metrics. According to Pete Herzog, "The primary goal of the OSSTMM is to provide transparency. It provides transparency of those who have inadequate security configurations and policies. It provides transparency of those who perform inadequate security and penetration tests. It provides transparency of the unscrupulous security vendors vying to sponge up every last cent of their prey's already meager security budget; those who would side-step business values with over-hyped threats of legal compliancy, cyber-terrorism, and hackers." The OSSTMM covers the whole process of risk assessment involved in a penetration test, from initial requirements analysis to report generation.
The six areas of testing methodology covered are:
* Information security
* Process security
* Internet technology security
* Communications security
* Wireless security
* Physical security

The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.

The National Institute of Standards and Technology (NIST) discusses penetration testing in Special Publication 800-42, Guideline on Network Security Testing. NIST's methodology is less comprehensive than the OSSTMM; however it is more likely to be accepted by regulatory agencies.

Standards in penetration testing

Let's take a look at some of the standards and guidelines available:

Standards for Information Systems Auditing (ISACA): ISACA was established in 1967 and has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS auditing and IS control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor, is ISACA's cornerstone certification.

CHECK: The CESG IT Health Check scheme was instigated to ensure that sensitive government networks, and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure), were secured and tested to a consistently high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system. CHECK consultants are only required when the assessment is for HMG or related parties and meets the requirements above. In the absence of other standards, CHECK became the de-facto standard for penetration tests and penetration testing in the UK.
Companies belonging to CHECK must have employees that are security cleared and have passed the CESG Hacking Assault Course. However, open source methodologies such as the following are providing viable and comprehensive alternatives, without UK Government association.

OSSTMM: The aim of The Open Source Security Testing Methodology Manual is to se
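The out-of-band attacks listed under DoS testing in Appendix A (ping of death, teardrop, land, UDP bomb) can each be recognised from packet header fields alone, which is how a monitoring sensor at the Hospital's border would spot them. The following is an added example, not part of the original essay: the packet records are constructed Python dicts standing in for decoded IP headers (fragment offsets given in bytes rather than the header's 8-byte units), and the smurf check is a heuristic on the destination address.

```python
"""Out-of-band DoS packet signature checker over constructed packet records.

Added example, not part of the original essay. Each record is a constructed
dict standing in for a decoded IP header (fragment offsets in bytes, not the
8-byte units of the real header); the checks cover the four malformed-packet
attacks listed in Appendix A section 3 plus a smurf heuristic.
"""
from collections import defaultdict

IP_MAX_DATAGRAM = 65535   # largest IPv4 datagram that can be reassembled
UDP_HEADER_LEN = 8


def pkt(proto, src, dst, length, **extra):
    """Build a constructed record. `length` is the IP payload bytes actually
    carried by this packet (for UDP: header plus data)."""
    rec = dict(proto=proto, src=src, dst=dst, length=length,
               frag_id=0, frag_offset=0, mf=False)
    rec.update(extra)
    return rec


# Constructed sample capture: benign packets beside one of each malformed kind.
PACKETS = [
    pkt("TCP", "10.0.0.5", "10.0.0.9", 40, sport=40000, dport=80, flags="S"),
    pkt("TCP", "10.0.0.9", "10.0.0.9", 40, sport=139, dport=139, flags="S"),
    pkt("ICMP", "10.0.0.5", "10.0.0.9", 1480, frag_id=7, frag_offset=65120),
    pkt("ICMP", "10.0.0.5", "10.0.0.9", 1480, frag_id=9, frag_offset=0, mf=True),
    pkt("ICMP", "10.0.0.5", "10.0.0.9", 600, frag_id=9, frag_offset=800),
    pkt("UDP", "10.0.0.5", "10.0.0.9", 28, sport=5000, dport=53, udp_len=2000),
    pkt("UDP", "10.0.0.5", "10.0.0.9", 28, sport=5000, dport=53, udp_len=28),
    pkt("ICMP", "10.0.0.5", "10.0.0.255", 64, icmp_type=8),
]


def check_land(p):
    """Land attack: a TCP SYN whose source and destination are the same socket."""
    return (p["proto"] == "TCP" and p.get("flags") == "S"
            and p["src"] == p["dst"] and p["sport"] == p["dport"])


def check_ping_of_death(p):
    """Ping of death: a fragment whose offset plus length would reassemble to
    more than the 65535-byte IP maximum."""
    return p["frag_offset"] + p["length"] > IP_MAX_DATAGRAM


def check_udp_bomb(p):
    """UDP bomb: the UDP header's length field disagrees with the bytes present."""
    if p["proto"] != "UDP":
        return False
    return p["udp_len"] < UDP_HEADER_LEN or p["udp_len"] != p["length"]


def check_smurf(p):
    """Smurf heuristic: ICMP echo request (type 8) aimed at a broadcast address.
    A real sensor should compare against the site's own broadcast addresses."""
    return (p["proto"] == "ICMP" and p.get("icmp_type") == 8
            and p["dst"].endswith(".255"))


def find_teardrop(packets):
    """Teardrop: fragments of one datagram whose byte ranges overlap.
    Returns the indexes of fragments that overlap an earlier fragment."""
    groups = defaultdict(list)
    for i, p in enumerate(packets):
        if p["frag_offset"] > 0 or p["mf"]:          # part of a fragmented datagram
            groups[(p["src"], p["dst"], p["frag_id"])].append((p["frag_offset"], i))
    hits = []
    for frags in groups.values():
        frags.sort()
        end = 0                                     # end of the bytes seen so far
        for offset, i in frags:
            if offset < end:
                hits.append(i)
            end = max(end, offset + packets[i]["length"])
    return hits


def classify_packets(packets):
    """Return [(index, signature), ...] for every packet matching a signature."""
    findings = []
    teardrop = set(find_teardrop(packets))
    for i, p in enumerate(packets):
        if check_land(p):
            findings.append((i, "land"))
        if check_ping_of_death(p):
            findings.append((i, "ping of death"))
        if i in teardrop:
            findings.append((i, "teardrop"))
        if check_udp_bomb(p):
            findings.append((i, "udp bomb"))
        if check_smurf(p):
            findings.append((i, "smurf"))
    return sorted(findings)


if __name__ == "__main__":
    for index, signature in classify_packets(PACKETS):
        print(f"packet {index}: {signature}")
```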
