The present invention is directed to a method, apparatus, system, article of manufacture, and/or signal for penetrating a computer or computer network, and in particular for finding network vulnerabilities which should be corrected.
Computer networks are often vulnerable to unwanted attackers who can find out about, access, and interrupt service. When attempting to make a computer or computer network secure against unauthorized access, it is common to hire someone to perform penetration tests. These persons, sometimes referred to as tiger teams, execute a variety of strategies in an attempt to gain control of systems within the computer or network, to access data, and to determine which parts of the computer or network are vulnerable to attack. They generally begin without any "key" or other access to the network, so they must discover vulnerabilities in much the same way as the unwanted computer hacker.
As an example, an imaginary tiger team may include Joe, Fred, and Mark, each of whom is expert in a specific system with a computer network. For example, Joe is knowledgeable with Windows NT, Fred knows UNIX systems, and Mark is familiar with NetWare. These are some of the common operating systems found in today's computer networks. The team is hired to test a company's network, meaning that they are asked to break into the network and produce a report on their results. They first gather as much information as possible about the network, hopefully learning the type of operating system that each computer in the network uses, which can be most useful. Once these and other systems are identified, each member of the tiger team goes after the type of machine they know best.
Mark may be first to achieve success. By accessing an improperly configured NetWare system, he is able to download its bindery, then crack an ill-chosen password and obtain the login name on the account. He tells Joe and Fred the login name and password to see if they have any luck with it. This is because the same user sometimes uses the same name and password on multiple systems. Sure enough, Joe is able to use the name and password that Mark stole from the NetWare system to access three different UNIX systems. The success and efficiency of the tiger team, however, is low because of the independent nature of each team member's contribution. In other words, only minimal information is shared between the team members, thus resulting in poor penetration tests.
Even automated penetration software such as ISS Group's Internet Security Scanner and Secure Network's Ballista falls short of tiger team effectiveness. These automated tests decrease the labor cost of manual penetration tests, but they execute a variety of probes serially and independently in order to determine what vulnerabilities each computer has. They employ attack strategies at only one "level" of penetration, meaning that if they run a number of penetration strategies, they are all run in series and independently without any strategy benefiting from the success of other strategies.
The need for a better solution for penetration testing is constantly growing relative to the number of businesses using networked computers. Network computing has provided a significant leap forward in the computer industry, and in the possibilities for information flow, but at the same time it has created a tremendous number of security problems.
Accordingly, it is an object of the present invention to exceed the effectiveness of a team of information security experts who conduct network penetration tests, and at a cost which makes frequent tests more practical.
Another object of the present invention is to provide faster penetration by using weaknesses discovered in one system to break into other systems.
Yet another object of the present invention is to provide a more effective penetration test, having higher accuracy. The present invention can rate vulnerabilities more accurately as medium or high risks, instead of low risks, because of its improved ability to invade a computer or network.
The present invention overcomes the inefficiencies of the prior art by offering a package that runs several types of penetration or break-in techniques automatically and in parallel, with the modules feeding their individual results to other modules in order to improve the overall penetration test. This "multi-level" approach is more than simply a parallel processing scheme since it can establish both hierarchies and priorities among the techniques to be run, and it can decide which information to share, thereby improving penetration efficiency and effectiveness.
These and other objects are achieved by providing a computer network penetration test system, comprising a plurality of scan modules for scanning a computer to learn vulnerabilities that the computer has to unwanted access, at least one of said scan modules producing an output based on a scan of the computer, and at least one other of said scan modules requiring an input before performing a network scan operation; a controller for instructing said one scan module to perform a scan of the computer and for producing said input to said one other scan module based on said output.
These and other objects are also achieved by providing a method of performing a penetration test on a computer network, comprising performing a first computer network scan to gather information about a secured network resource in the computer network; performing a second computer network scan to gather information about a second secured network resource in the computer network; and automatically sharing output data from the first computer network scan with the second computer network scan.
These and other objects can also be achieved by providing an article of manufacture bearing a machine readable program for carrying out the steps of scanning a computer network using a plurality of scan modules; and automatically sharing information from at least one of the scan modules to at least one other of the scan modules.
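The controller arrangement summarized above, sketched as an added example (not code from the patent): each module declares the inputs it requires, and the controller runs it only after another module's output has supplied them. The `ScanModule` type, the module names, the inventory and the high/low rating rule are assumptions, and all data is constructed; nothing here touches a network.

```python
from dataclasses import dataclass

# Constructed inventory (not real scan output): host -> OS and account -> credential label.
INVENTORY = {
    "nw1":   {"os": "NetWare", "accounts": {"jsmith": "cred-A", "admin": "cred-B"}},
    "unix1": {"os": "UNIX",    "accounts": {"jsmith": "cred-A"}},
    "unix2": {"os": "UNIX",    "accounts": {"jsmith": "cred-C"}},
}
WEAK = {"cred-A"}  # constructed: labels a password audit flagged as ill-chosen

@dataclass
class ScanModule:        # hypothetical type, not named in the text
    name: str
    requires: frozenset  # fact keys that must exist before the module runs
    run: object          # callable(facts) -> dict of new facts

def identify_hosts(facts):
    return {"hosts": {h: rec["os"] for h, rec in INVENTORY.items()}}

def audit_weak_accounts(facts):
    return {"weak": [(h, a, c) for h in sorted(facts["hosts"])
                     for a, c in sorted(INVENTORY[h]["accounts"].items()) if c in WEAK]}

def check_reuse(facts):  # assumed rule: same account and credential on >1 host is "high"
    hosts_by_cred = {}
    for host, acct, cred in facts["weak"]:
        hosts_by_cred.setdefault((acct, cred), set()).add(host)
    return {"ratings": {k: ("high" if len(v) > 1 else "low", sorted(v))
                        for k, v in hosts_by_cred.items()}}

def controller(modules):
    """Run each module once its inputs exist; return (order, facts, never_ran)."""
    facts, order, pending = {}, [], list(modules)
    while pending:
        ready = [m for m in pending if m.requires.issubset(facts)]
        if not ready:
            break        # remaining modules never received their input
        for m in ready:
            facts.update(m.run(facts))
            order.append(m.name)
            pending.remove(m)
    return order, facts, [m.name for m in pending]

MODULES = [  # registered in reverse order; the controller orders them by data dependency
    ScanModule("reuse", frozenset({"weak"}), check_reuse),
    ScanModule("banner_followup", frozenset({"banners"}), lambda f: {}),
    ScanModule("weak_accounts", frozenset({"hosts"}), audit_weak_accounts),
    ScanModule("hosts", frozenset(), identify_hosts),
]
```

Calling `controller(MODULES)` runs the three satisfiable modules in dependency order and reports `banner_followup` as never run, since no module produced the `banners` input it requires.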