methods

Don’t Automate, get detailed
Each company has its own methods for audits. SCWOA won’t just run automated tools and charge you for it. We believe that the best way to conduct audits is by hand. If you are paying us to do the work, we want to give you actual value for your dollars, not just a template report.

This is our method for performing external security audits and penetration tests:
Requirements Phase: review with the client the requirements of the security audit / penetration test and the scope of work.
1. How many IP addresses do they have?
2. How many web pages?
3. Is this an external test, internal test or both?
4. Completion Date?
5. How thorough does the client want this test to be? Is this a quick port scan, or a web application scan of thousands of web pages?
6. Determine compliance requirements for the scan, such as SOX, HIPAA, PCI, etc., if any.
7. Confirm we have permission to start, and what we can and cannot test against.

Reconnaissance phase:
In this phase, we try to gather as much background information about the target as we can. All of this information is publicly available, frequently on web sites other than the one maintained by the client.

Information we collect includes:
* Email and user account naming conventions, and valid email addresses.
* Phone / fax numbers, office locations and addresses.
* IT staff names and phone numbers.
* Additional TCP/IP addresses.
* Relationships to other companies.

How we collect it:

* Start footprinting the target based on the information the client gave us.
* Google searches.
* Whois record searches.
* Check if DNS zone transfers are possible.
* Check InterNIC for additional IP addresses registered to the client.
* Review the client’s web pages.
* Review email header information for more TCP/IP addresses.

Scanning Phase

Based on the information found above, and the client’s rules of engagement, we start scanning the external IP addresses for available ports and vulnerabilities. How stealthy we need to be determines how long the scan takes. Firewalls that drop packets when they detect a port scan do not stop us; they just make our scans run slower.
Tools we use include the open source tools below, along with a handful of commercial specialty tools that complement the work we do by hand.

* NMAP
* Nessus
* Ping Sweep
* AMAP
* SNMP Scans
* L0phtCrack
* Kismet
* AirSnort
* Many others

Exploit phase:

What we do next depends on what we found in the scanning phase, the rules of engagement, and what our client asked for.
If our client asked for a basic scan:
We make a note of the items found and move to the report phase.
If our client asked for a more in-depth scan and penetration test:
* We start actively trying to exploit the vulnerabilities found in the previous steps.
* We frequently use tools such as Metasploit to accomplish this.
* When we gain access: we see what is available on the box, and start attempting to steal passwords and any confidential data.
* We may call our client at this point and inform them of how we broke in.

Report Phase

* We review the results with the client, along with recommendations.
* A report may also be submitted, if in scope.
* Recommendations include items such as:
  * The web server should not have FTP open.
  * We gained access to your server; it has not been patched in a number of years.
  * Your wireless network had an easy-to-guess password.
  * You have a firewall, but it has an excessive number of ports open and does not appear to be configured properly.
  * SSH was left open to the Internet, and we brute-forced the root password.
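Two of the findings above, SSH open to the Internet and a brute-forced root password, are events a client’s own auth log already records. As an added example (not SCWOA’s code), the script below reads constructed OpenSSH auth-log lines, flags source addresses with repeated password failures, and reports any password login that followed those failures from the same address; the log format, the regexes and the threshold of five attempts are assumptions.

```python
import re
from collections import defaultdict

# Matches the "Failed password" lines OpenSSH writes to the auth log via syslog.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

# Constructed sample auth.log lines (not from any real system).
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:03 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:04 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 10:01:05 web1 sshd[2204]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:01:06 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:01:07 web1 sshd[2206]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar  3 10:02:10 web1 sshd[2210]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Mar  3 10:02:15 web1 sshd[2211]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2
"""

def count_failures(log_text):
    """Return {source_ip: {username: failed password attempts}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")][m.group("user")] += 1
    return counts

def brute_force_sources(log_text, threshold=5):
    """Source IPs whose total failed password attempts reach the threshold."""
    return sorted(ip for ip, users in count_failures(log_text).items()
                  if sum(users.values()) >= threshold)

def successes_after_failures(log_text):
    """(ip, user) pairs that got in with a password after earlier failures
    from the same IP: the signature of a brute force that worked."""
    seen_failed, hits = set(), []
    for line in log_text.splitlines():
        failed = FAILED_RE.search(line)
        if failed:
            seen_failed.add(failed.group("ip"))
            continue
        ok = ACCEPTED_RE.search(line)
        if ok and ok.group("ip") in seen_failed:
            hits.append((ok.group("ip"), ok.group("user")))
    return hits
```

The same finding is closed off at the source by setting `PermitRootLogin no` and `PasswordAuthentication no` in sshd_config and restricting which addresses may reach port 22 at the firewall.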
