Assessing Network Security: Testing Your Defenses

PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2004 by Ben Smith, David LeBlanc, Kevin Lam
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by
any means without the written permission of the publisher.
Library of Congress Cataloging-in-Publication Data
Lam, Kevin.
Assessing Network Security/ Kevin Lam, David LeBlanc, Ben Smith.
p. cm.
Includes index.
ISBN 0-7356-2033-4
1. Computer networks--Security measures. I. LeBlanc, David, 1960- II. Smith, Ben. III. Title.
TK5105.59.L36 2004
005.8 dc22 2004049997
Printed and bound in the United States of America.
1 2 3 4 5 6 7 8 9 QWT 9 8 7 6 5 4
Distributed in Canada by H.B. Fenn and Company Ltd.
A CIP catalogue record for this book is available from the British Library.
Microsoft Press books are available through booksellers and distributors worldwide. For further information
about international editions, contact your local Microsoft Corporation office or contact Microsoft Press
International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/learning/books/. Send
comments to
Active Directory, ActiveX, Encarta, FrontPage, Hotmail, InfoPath, Microsoft, Microsoft Press, MSDN, MSN,
Outlook, Visual Basic, Win32, Windows, Windows NT, and Windows Server are either registered trademarks
or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company
names mentioned herein may be the trademarks of their respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
This book expresses the author’s views and opinions. The information contained in this book is provided
without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its
resellers or distributors will be held liable for any damages caused or alleged to be caused either directly
or indirectly by this book.
Acquisitions Editor: Martin DelRe
Project Editor: Karen Szall
Technical Editor: Ramsey Dow
Indexer: Bill Meyers
Body Part No. X10-46140
To my mother, my “little” sister, Tiger and close friends—you
amaze me with your love, support and your ability
to tolerate me day in and day out.
—Kevin
In memory of Merlin who was a good friend for many years.
Finishing this book was much harder without you.
Merlin: 9/19/1992–1/16/2004.
—David
To Beth, for enduring another book;
thank you for everything.
—Ben

Contents at a Glance
Part I Planning and Performing Security Assessments
1 Introduction to Performing Security Assessments 3
2 Key Principles of Security 21
3 Using Vulnerability Scanning to Assess Network Security 37
4 Conducting a Penetration Test 57
5 Performing IT Security Audits 75
6 Reporting Your Findings 89
7 Building and Maintaining Your Security Assessment Skills 99
Part II Penetration Testing for Nonintrusive Attacks
8 Information Reconnaissance 117
9 Host Discovery Using DNS and NetBIOS 137
10 Network and Host Discovery 153
11 Port Scanning 167
12 Obtaining Information from a Host 179
13 War Dialing, War Driving, and Bluetooth Attacks 195
Part III Penetration Testing for Intrusive Attacks
14 Automated Vulnerability Detection 223
15 Password Attacks 239
16 Denial of Service Attacks 255
17 Application Attacks 269
18 Database Attacks 281
19 Network Sniffing 301
20 Spoofing 319
21 Session Hijacking 333
22 How Attackers Avoid Detection 355
23 Attackers Using Non-Network Methods to Gain Access 379
Part IV Security Assessment Case Studies
24 Web Threats 399
25 E-Mail Threats 431
26 Domain Controller Threats 457
27 Extranet and VPN Threats 477
Part V Appendixes
A Checklists 497
B References 515
Table of Contents
Acknowledgments xxi
Foreword xxiii
Introduction xxvii
Part I Planning and Performing Security Assessments
1 Introduction to Performing Security Assessments 3
Role of Security Assessments in Network Security 4
Why Does Network Security Fail? 5
Human Factors 6
Policy Factors 7
Misconfiguration 9
Poor Assumptions 11
Ignorance 12
Failure to Stay Up-to-Date 13
Types of Security Assessments 13
Vulnerability Scanning 14
Penetration Testing 16
IT Security Auditing 17
Frequently Asked Questions 18
2 Key Principles of Security 21

Making Security Easy 21
Keeping Services Running 22
Allowing the Right Users Access to the Right Information 22
Defending Every Layer as if It Were the Last Layer of Defense 22
Keeping a Record of Attempts to Access Information 23
Compartmentalizing and Isolating Resources 24
Avoiding the Mistakes Everyone Else Makes 25
Controlling the Cost of Meeting Security Objectives 26
Risk Management 27
Learning to Manage Risk 27
Risk Management Strategies 30
Immutable Laws 31
Frequently Asked Questions 35
3 Using Vulnerability Scanning to Assess Network Security 37
Setting a Scope for the Project 38
Defining the Target 38
Defining the Target Scope 43
Defining Types of Vulnerabilities 44
Determining Goals 45
Choosing a Technology 46
Tools and Managed vs. Unmanaged Targets 47
Checklist for Evaluating Tools 49
Creating a Process for Scanning for Vulnerabilities 51
Detecting Vulnerabilities 51

Assigning Risk Levels to Vulnerabilities 53
Identifying Vulnerabilities That Have not Been Remediated 53
Determining Improvement in Network Security Over Time 53
Creating a Process for Analyzing the Results 54
Frequently Asked Questions 54
4 Conducting a Penetration Test 57
What the Attacker Is Thinking About 58
Notoriety, Acceptance, and Ego 59
Financial Gain 59
Challenge 61
Activism 62
Revenge 62
Espionage 62
Information Warfare 63
Defining the Penetration Test Engagement 64
Setting the Goals 64
Setting the Scope 69
Performing the Penetration Test 69
Locating Areas of Weakness in Network or Application Defenses 70
Determining How Vulnerabilities Were Compromised 71
Locating Assets that Could be Accessed, Altered, or Destroyed 71
Determining Whether the Attack Was Detected 73
Identifying the Attack Footprint 73
Making Recommendations 74
Frequently Asked Questions 74
5 Performing IT Security Audits 75
Components of an IT Security Audit 75
Policy 76
Processes and Procedures 78

Operations 79
Preliminary Decisions 80
Legal Considerations 80
Regulatory Considerations 81
Operational Considerations 82
Organizational Considerations 82
Planning and Performing the Audit 83
Building Your Audit Framework 83
Setting the Scope and Timeline 86
Obtaining Legal and Management Approval 86
Completing the Audit 87
Analyzing and Reporting the Results 87
Frequently Asked Questions 88
6 Reporting Your Findings 89
Guidelines for Reporting Your Findings 89
Concise and Professional 90
Technically Accurate 91
Objective 91
Measurable 92
Framework for Reporting Your Findings 92
Define the Vulnerability 92
Document Mitigation Plans 95
Identify Where Changes Should Occur 96
Assign Responsibility for Implementing Approved Recommendations 97
Frequently Asked Questions 97
7 Building and Maintaining Your Security Assessment Skills 99
Building Core Skills 99
Improving Network, Operating System, and Application Skills 99
Developing Programming Skills 101

Practicing Security Assessments 103
Staying Up-to-Date 105
Finding a Course 106
Choosing a Conference 110
Internet-Based Resources 111
Internet Mailing Lists 111
Security Bulletins 112
Security Websites 112
Frequently Asked Questions 114
Part II Penetration Testing for Nonintrusive Attacks
8 Information Reconnaissance 117
Understanding Information Reconnaissance 118
Registrar Information 120
Determining Your Registrar Information 120
Countermeasures 122
IP Network Block Assignment 122
Determining Your Organization’s IP Network Block Assignment 123
Countermeasures 125
Web Pages 125
Reviewing Web Server Content 126
Countermeasures 129
Search Engines 129
Reviewing Your Website with Search Engines 129
Countermeasures 132
Public Discussion Forums 133
Taking a Snapshot of Your Organization’s Exposure 133
Countermeasures 134
Frequently Asked Questions 135
9 Host Discovery Using DNS and NetBIOS 137
Using DNS 137
Common Record Types 138
Examining a Zone Transfer 146
Using NetBIOS 148
Using LDAP 151
Frequently Asked Questions 151
10 Network and Host Discovery 153
Network Sweeping Techniques 154
ICMP Sweeps 156
UDP Sweeps 158
TCP Sweeps 158
Broadcast Sweeps 159
Countermeasures 160
Network Topology Discovery 162
Trace Routing 163
Firewalking 164
Countermeasures 165
Frequently Asked Questions 165
11 Port Scanning 167
TCP Connect Scans 168
Custom TCP Scans 171
SYN Scans 172
FIN Scans 172
SYN/ACK and ACK Scans 173
XMAS Scans 173
Null Scans 173
Idle Scans 173
UDP Scans 174
FTP Bounce Scans 176
Port Scanning Tips and Tricks 176
Fragmentation and Port Scans 177
Port Scanning Countermeasures 178
Frequently Asked Questions 178
12 Obtaining Information from a Host 179
Fingerprinting 179
IP and ICMP Fingerprinting 180
TCP Fingerprinting 182
Countermeasures 183
Application Fingerprinting 183
Countermeasures 184
What’s On That Port? 184
Interrogating a Host 186
Countermeasures 192
Frequently Asked Questions 192
13 War Dialing, War Driving, and Bluetooth Attacks 195
Modem Detection—War Dialing 195
Anatomy of a War Dialing Attack 199
Countermeasures 202
Wireless LAN Detection—War Driving 204
MAC Address Filtering 204
Disabling a Service Set ID Broadcasting 205
Wired Equivalent Privacy 207
Anatomy of a War Driving Attack 211
Countermeasures 213
Bluetooth Attacks 215

Device Detection 217
Data Theft 218
Services Theft 218
Network Sniffing 219
Frequently Asked Questions 219
Part III Penetration Testing for Intrusive Attacks
14 Automated Vulnerability Detection 223
Scanning Techniques 224
Banner Grabbing and Fingerprinting 225
Exploiting the Vulnerability 226
Inference Testing 227
Replaying Network Sniffs 227
Patch Detection 228
Selecting a Scanner 228
Vulnerability Checks 229
Scanner Speed 230
Reliability and Scalability 230
Check Accuracy 231
Update Frequency 232
Reporting Features 233
Scanning Approaches 234
Host-Based Scanners 234
Network-Based Scanners 235
Dangers of Using Automated Scanners 235
Tips for Using Scanners Safely 237
Frequently Asked Questions 237
15 Password Attacks 239
Where to Find Passwords 239
Brute Force Attacks 240

Online Password Testing 241
Offline Password Testing 244
Offline Password Attack Strategies 245
Countermeasures 247
Password Disclosure Attacks 249
File System Passwords 249
Encrypted Passwords 250
Sniffing for Passwords 250
Keystroke Loggers 251
Countermeasures 251
Frequently Asked Questions 252
16 Denial of Service Attacks 255
Flooding Attacks 256
Countermeasures 260
Testing Flooding Attacks 260
Resource Starvation Attacks 261
CPU Starvation Attacks 261
Memory Starvation Attacks 262
Disk Storage Consumption Attacks 262
Disruption of Service 265
Frequently Asked Questions 266
17 Application Attacks 269
Buffer Overruns 270
Stack Overruns 271
Heap Overruns 273
Format String Bugs 275
Countermeasures 277
Integer Overflows 277
Countermeasures 279

Finding Buffer Overruns 279
Frequently Asked Questions 280
18 Database Attacks 281
Database Server Detection 282
Detecting Database Servers on Your Network 282
Countermeasures 286
Missing Product Patches 287
Detecting Missing Patches 288
Countermeasures 290
Unauthorized Access 291
Detecting the Potential for Unauthorized Access 291
Countermeasures 292
Weak Passwords 293
Detecting Weak Passwords 293
Countermeasures 294
Network Sniffing 295
Detecting Network Sniffing Threats 295
Countermeasures 295
SQL Injection 296
Detecting SQL Injection Vectors 297
Countermeasures 298
Frequently Asked Questions 299
19 Network Sniffing 301
Understanding Network Sniffing 301
Debunking Network Sniffing Myths 303
Myth #1: An Attacker Can Remotely Sniff Networks 304
Myth #2: Switches Are Immune to Network Sniffing Attacks 306
Detecting Network Sniffing Threats 308
Manual Detection 309

Reviewing Network Architecture 310
Monitoring DNS Queries 310
Measuring Latency 310
Using False MAC Addresses and ICMP Packets 311
Using Trap Accounts 311
Using Non-Broadcast ARP Packets 312
Using Automated Detection Tools 312
Detecting Microsoft Network Monitor Installations 312
Countermeasures 313
Frequently Asked Questions 316
20 Spoofing 319
IP Spoofing 320
Countermeasures 322
Spoofing E-Mail 323
Countermeasures 324
DNS Spoofing 325
Attacking the Client 326
Attacking the DNS Server 327
Attacking Server Update Zones 328
Attacking Through the Name Registry 329
Countermeasures 329
Frequently Asked Questions 331
21 Session Hijacking 333
Understanding Session Hijacking 333
Network-Level Session Hijacking 335
Hijacking a TCP Session 336
Hijacking a UDP Session 338
Determining Your Susceptibility to Threats 339
Countermeasures 339

Tricks and Techniques 340
Host-Level Session Hijacking 345
User Session Hijacking 346
Server Port Hijacking 346
Application-Level Hijacking 351
Detecting Attacks 352
Countermeasures 353
Frequently Asked Questions 354
22 How Attackers Avoid Detection 355
Log Flooding 356
Logging Mechanisms 358
Detection Mechanisms 358
Fragmentation 361
Canonicalization 365
Decoys 366
How Attackers Avoid Detection Post-Intrusion 367
Using Rootkits 368
Hiding Data 369
Tampering with Log Files 375
Frequently Asked Questions 377
23 Attackers Using Non-Network Methods to Gain Access 379
Gaining Physical Access to Information Resources 379
Physical Intrusion 380
Remote Surveillance 383
Targeted Equipment Theft 386
Dumpsters and Recycling Bins 388
Lease Returns, Auctions, and Equipment Resales 388
Using Social Engineering 390
Bribery 391
Assuming a Position of Authority 391
Forgery 393
Flattery 393
Frequently Asked Questions 395
Part IV Security Assessment Case Studies
24 Web Threats 399
Client-Level Threats 400
Cross-Site Scripting Attacks 400
Unpatched Web Browser Attacks 405
Server-Level Threats 406
Repudiation 407
Information Disclosure 409
Elevation of Privileges 413
Denial of Service 425
Service-Level Threats 425
Unauthorized Access 426
Network Sniffing 426
Tampering 427
Information Disclosure 427
Frequently Asked Questions 428
25 E-Mail Threats 431
Client-Level Threats 432
Attaching Malicious Files 432
Exploiting Unpatched E-Mail Clients 438
Embedding Malicious Content 439
Exploiting User Trust 439
Server-Level Threats 443
Attaching Malicious Files 444
Spoofing E-Mail 445
Exploiting Unpatched E-Mail Servers 448
Spam 448
Why You Should Be Concerned About Spam 448
Tricks and Techniques 449
What Is Being Done About Spam 453
Frequently Asked Questions 454
26 Domain Controller Threats 457
Password Attacks 457
Countermeasures 458
Elevation of Privilege 462
Exploiting Nonessential Services 463
Exploiting Nonessential Accounts 466
Exploiting Unpatched Domain Controllers 467
Attacking Privileged Domain Accounts and Groups 468
Denial of Service 472
Countermeasures 472
Physical Security Threats 472
Countermeasures 473
Frequently Asked Questions 475
27 Extranet and VPN Threats 477
Fundamentals of Secure Network Design 479
Dual-Homed Host 479
Screened Host 481
Screened Subnets 482
Split Screened Subnets 483
Penetration Testing an Extranet 483
A Sample Extranet Penetration Test 485
Gathering Information 485
Getting Your Foot in the Door 486
Exploring the Internal Network 487

Expanding Your Influence 490
Frequently Asked Questions 494
Part V Appendixes
A Checklists 497
Penetration Test Checklists 497
Chapter 8: Information Reconnaissance 497
Chapter 9: Host Discovery Using DNS and NetBIOS 497
Chapter 10: Network and Host Discovery 498
Chapter 11: Port Scanning 498
Chapter 12: Obtaining Information from a Host 499
Chapter 13: War Dialing, War Driving, and Bluetooth Attacks 500
Chapter 14: Automated Vulnerability Detection 501
Chapter 15: Password Attacks 501
Chapter 16: Denial of Service Attacks 502
Chapter 17: Application Attacks 502
Chapter 18: Database Attacks 502
Chapter 19: Network Sniffing 503
Chapter 20: Spoofing 503
Chapter 21: Session Hijacking 503
Chapter 22: How Attackers Avoid Detection 504
Chapter 23: Attackers Using Non-Network Methods to Gain Access 504
Chapter 24: Web Threats 504
Chapter 25: E-Mail Threats 505
Chapter 26: Domain Controller Threats 505
Chapter 27: Extranet and VPN Threats 505
Countermeasures Checklists 506
Chapter 8: Information Reconnaissance 506
Chapter 9: Host Discovery Using DNS and NetBIOS 506
Chapter 10: Network and Host Discovery 507
Chapter 11: Port Scanning 507
Chapter 12: Obtaining Information from a Host 507
Chapter 13: War Dialing, War Driving, and Bluetooth Attacks 508
Chapter 15: Password Attacks 508
Chapter 16: Denial of Service Attacks 509
Chapter 17: Application Attacks 509
Chapter 18: Database Attacks 509
Chapter 19: Network Sniffing 510
Chapter 20: Spoofing 510
Chapter 21: Session Hijacking 510
Chapter 22: How Attackers Avoid Detection 511
Chapter 23: Attackers Using Non-Network Methods to Gain Access 511
Chapter 24: Web Threats 511
Chapter 25: E-Mail Threats 512
Chapter 26: Domain Controller Threats 512
Chapter 27: Extranet and VPN Threats 513
B References 515

Chapter 1: Introduction to Performing Security Assessments 515
Chapter 2: Key Principles of Security 515
Chapter 3: Using Vulnerability Scanning to Assess Network Security 515
Chapter 4: Conducting a Penetration Test 516
Chapter 5: Performing IT Security Audits 516
Chapter 6: Reporting Your Findings 516
Chapter 7: Building and Maintaining Your Security Assessment Skills 516
Chapter 8: Information Reconnaissance 517
Chapter 9: Host Discovery Using DNS and NetBIOS 517
Chapter 10: Network and Host Discovery 518
Chapter 11: Port Scanning 518
Chapter 12: Obtaining Information from a Host 518
Chapter 13: War Dialing, War Driving, and Bluetooth Attacks 518
Chapter 14: Automated Vulnerability Detection 519
Chapter 15: Password Attacks 519
Chapter 16: Denial of Service Attacks 519
Chapter 17: Application Attacks 520
Chapter 18: Database Attacks 520
Chapter 19: Network Sniffing 522
Chapter 20: Spoofing 523
Chapter 21: Session Hijacking 523
Chapter 22: How Attackers Avoid Detection 523
Chapter 23: Attackers Using Non-Network Methods to Gain Access 524
Chapter 24: Web Threats 524
Chapter 25: E-Mail Threats 524
Chapter 26: Domain Controller Threats 525
Chapter 27: Extranet and VPN Threats 526
Index 529
Acknowledgments
When you look at the cover of this book, you will only see our names. This is misleading. In reality, it took an entire team of amazingly talented people to create this book and we would like to take this opportunity to thank these people.
First, we would like to thank the amazing team we worked with at Microsoft Press. A big thank you to Martin DelRe, our acquisitions editor. Without his belief in us and in our idea, this book would have never materialized. Devon Musgrave, our development editor, took that initial idea and helped us massage it into something worthy of publishing. Our technical editor, Ramsey Dow (the “feedback machine”), was instrumental in keeping us honest and accurate. Ramsey saved us numerous times from making embarrassing mistakes or omissions and provided invaluable tips and suggestions, but all remaining transgressions are ours. Much credit also goes to our copyeditors, Victoria Thulman and Brenda Pittsley. Without their remarkably keen eyes this book would not be remotely clear or readable and would certainly contain too many adverbs. We would like to thank graphic artist, Joel Panchot, and desktop publisher, Kerri DeVault, for turning our stack of Microsoft Word documents into a great-looking book. Finally, the biggest thank you needs to go to Karen Szall, our project editor extraordinaire, who had the toughest job of all: dealing with the three of us. Thank you!
We would also like to say thanks to the following people for their valuable input, important feedback, and contributions to the contents of this book: Chip Andrews, Rob Beck, Rich Benack, John Biccum, Timothy Bollefer, Naveen Chand, Scott Charney, Steve Clark, Scott Culp, Diana Dee, Kurt Dillard, David Fosth, Michael Howard, Anoop Jalan, Jesper Johansson, Richie Lai, Steve Lipner, Mark Miller, Mark Mortimore, Fritz Ohman, Manish Prahbu, Eric Rachner, Steve Riley, Caesar Samsi, Joel Scambray, Lara Sosnosky, J.P. Stewart, Frank Swiderski, Jonathan Wilkins, and Jeff Williams. Additionally, it should be noted that much of the original thought contained in Chapter 5 came from David Gunter and Irfan Mirza. These folks are top-notch and represent some of the finest security professionals in the industry, so we were really grateful for the opportunity to pick their brains.
Finally, to our families and friends who had to deal with the stress that radiated from us as we wrote this book. Thank you for your continual support in keeping sane.

Foreword
Probably the most obvious question a prospective reader (one with at least passing familiarity with the computer security book genre) might ask about Assessing Network Security is: Why does the world need yet another network security pen-testing book?
The answer, it turns out, is refreshingly obvious: This book contains a tremendous trove of quality information from authentic practitioners of the trade. In fact, the value of this compendium is even greater when one considers the ever-increasing number of pretenders lining the shelves of late.
And let’s face facts—IT security folks don’t have a lot of time to sit around sifting wheat from chaff. The stakes are getting too high nowadays.
■ The ongoing “malware-of-the-month” hit parade is making it downright debilitating to run anything at less than 99.9 percent security for any Internet facing business.
■ Internet-wide DDoS is maturing into a functional tool for industrial blackmail (and if you think Microsoft or SCO will remain the targets forever, just wait…).
■ Brand damage from application vulnerabilities increasingly hits the bottom line of companies where subscriber trust is the prime value proposition.
■ Regulatory liability is on the verge of skyrocketing, if HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, the California Security Breach Notification Act, and continued European Union data protection directives are any indication.
As the authors note in their introduction, Sun Tzu’s directive on waging efficient war could not be more relevant: “Know the enemy.” The key difference with Assessing Network Security is the reconnaissance information presented here is well-organized, accurate, sharpened with an experienced eye, and packaged in the wisdom of the authors’ combined years of delivering network security as engineers, consultants, and strategists at some of the world’s most respected organizations. Some of these key differentiators include the book’s organization around the tried and true attack/countermeasure metaphor; thinking “outside the box” in the chapter covering war dialing, war driving, and Bluetooth; and the comprehensive coverage of the entire network “stack,” from ICMP to application-level bugs like buffer overflows, format strings, heap overruns, integer overflows, and so on.
Penetration testing remains the gold standard by which security is measured today. The only drawback to this approach is the potential for uneven results due to differing pen-tester skill levels. With this book you can avoid this pitfall and be sure that your network security scanning/penetration testing/auditing program will be systematic, comprehensive, guided by experienced hands, and pegged to real-world, measurable goals.
—Joel Scambray
Senior Director, Policy & Research, MSN Security
Co-author, Hacking Exposed series
Computer security has been an issue for almost two decades. In 1986, the United States government convicted its first hacker and an astronomer at Berkeley detected an intrusion in military computers that led to the discovery of a military cyber-espionage program. Only two years later, in 1988, the world suffered its first distributed denial of service attack: the Morris worm. Yet despite all this, computer security remained the concern of only a few. For governments, enterprises, and consumers, the IT revolution generally—and the Internet in particular—remained an unbounded utopia of rapid technological change offering improved efficiencies and an improved quality of life. Indeed, even in 1996 when the President’s Commission on Critical Infrastructure Protection issued its seminal report noting that public safety, national security, and economic prosperity were at risk, few people paid the report much attention.
On 9/11, all that changed. While not directly a cyber-event, the cyber ramifications were huge. The Regional Bell Operating Company for the Northeast—Verizon—lost expensive switching equipment and the cell phone network was overloaded. And as the United States began asking key questions about the identities and motives of the attackers, there was another key question being asked: “When would the stock market be trading again?” The answer to that question was about people, processes and, most importantly, the availability of technology. And if there was anyone who did not fully appreciate the challenge after 9/11, Nimda and Slammer provided yet new examples of the importance of cyber security on society outside of traditionally accepted computer networks.
As security became the focal point for governments, enterprises, and consumers, new questions arose, such as “What does it mean to be secure?” The question itself suggests that the answer is binary: either one is secure or one is not. But like security in the physical world, the answer is not binary; it is all about managing risk. Conceptually, risk management concepts that apply to physical world assets work in the cyber world to identify the assets to be protected; identify threats to those assets; build a security program to mitigate risks to information assets; and then implement and test that program regularly, revising it as circumstances warrant. But how does one implement a robust cyber-security program? There are many things enterprises can do: make security a key factor when purchasing products; mandate that all machines adhere to standard, secure configurations; use two factor authentication; and carefully manage identities and access controls. And that’s just to start. Similarly important is penetration testing—and it is in this area that this book will help.
In my nineteen years as a criminal prosecutor, I spent almost nine years investigating and prosecuting cyber criminals. Hacking has changed dramatically over the years; young people exploring networks by hunting and pecking over keyboards have given way to more sophisticated criminals who develop and run scripts in an attempt to hack into banks or steal economic proprietary information. Although they may successfully exploit software vulnerabilities or configuration errors, their process is to “test the locks” and look for points of entry. It is indisputable, therefore, that there is value in testing one’s own locks and repairing those that are weak, ahead of one’s adversary. Penetration testing is the process of using white-hatted hackers to systematically look for points of weakness and batten down the hatches.
It is important, too, that companies reap the full benefit of penetration testing. Although it is, of course, a good thing to find a hole and close it, that is not enough. One should also use penetration testing to identify and rectify business processes that may not be sufficiently robust. Put another way, if penetration testing finds a flaw, those responsible for fixing the problem should also ask a whole series of tough questions, such as:
■ Are we using the right products?
■ Are our configuration settings, used here and across the company, the correct ones?
■ Are our system administrators and users properly trained?
■ Have we given our people the resources and tools necessary to keep us secure?
By taking a holistic approach, penetration testing becomes a proactive tool with impact. And when a pen-testing team tells management that they were unable to compromise any important asset, all may sleep just a little bit better.
—Scott Charney
Chief Trustworthy Computer Strategist
Microsoft Corporation