Kali Linux: system security assessment
- Transfer
→ Part 1. Kali Linux: security policy, protecting computers and network services
→ Part 2. Kali Linux: filtering traffic using netfilter
→ Part 3. Kali Linux: monitoring and logging
→ Part 4. Kali Linux: exercises to protect and monitor the system
Today, we continue to publish translations of selected chapters of Kali Linux Revealed . Here is the first section of Chapter 11: “Using Kali Linux to Assess the Security of Information Systems”.
At this point, we examined many of Kali Linux's capabilities, so you should already have a good understanding of the features of the system and how to solve many complex problems with it.
However, before embarking on the practical use of Kali, it is worthwhile to understand some concepts related to assessing the security of information systems. In this chapter we will talk about these concepts, so you will gain basic knowledge on this issue. Here we will also provide links to additional materials that are useful if you need to use Kali to perform a system security assessment.
To begin with, it is worthwhile to devote time to the very concept of “security” as applied to information systems. Trying to protect the information system, pay attention to its three main attributes:
Together, these concepts form the so-called CIA (Confidentiality, Integrity, Availability) model, and, in many ways, these are the main aspects that are paid attention to when protecting systems during standard deployment, support, or security assessment processes.
It is also useful to note that in some cases, certain aspects of the CIA will concern you more than others.
For example, you have a personal diary that contains your most cherished thoughts. The confidentiality of this information can be much more important than its integrity or availability. In other words, the main thing is that no one can read what is written in the diary. If someone writes something to him without reading, this is not so scary. Likewise, you do not need the diary to be absolutely always at hand.
On the other hand, if you are protecting a system that stores information about medical prescriptions, data integrity comes to the fore. It is important not to let outsiders read these notes, that is, to receive information about who uses what medicines. It’s important that the recipe lists be easily accessible. However, the most important thing is that no one can change the contents of the system (that is, affect its integrity), as this can lead to life-threatening consequences.
When you are engaged in system security and detect a problem, you need to understand which parts of the CIA are relevant to this problem. It can be something one of the list “confidentiality, integrity, availability”, or a combination of parts of the model. This approach helps to more fully understand the problem, allows you to categorize incidents and take appropriate measures. Understanding the essence of the CIA model, it is easy to classify vulnerabilities of different scales with its help. Here, for example, can be seen through a CIA prism a web application hacked by the method of embedding SQL code:
The concepts of the CIA model are quite simple, and if you really look at things, you, even without knowing about this model, intuitively use it. However, it’s important to make a meaningful use of the CIA model, as it can help you figure out which direction to focus your efforts on a case-by-case basis. This conceptual framework will help you identify critical system components. It will allow you to determine the amount of effort and resources that are worth investing in fixing the problems found.
Another concept that we will focus on is risk. The concept of “risk” consists of the concepts of “threat” and “vulnerability”. These concepts are not too complicated, but applying them is easy to make mistakes. We will consider them in more detail later, but to put it briefly, it can be noted that it is best to perceive risk as what you are trying to prevent, a threat - as someone who can, unwanted, commit it, and vulnerability - as something, capable of letting you do what you want to prevent. Appropriate efforts can be made to reduce the level of threat or eliminate vulnerability. The goal of these actions is to reduce risk.
For example, when visiting some countries, you may be at significant risk of contracting malaria. This is true for two reasons. Firstly, in some places there is a high risk of being bitten by a malaria mosquito. Secondly - you almost certainly have no immunity to malaria. Risk is infection. The threat is mosquitoes. Vulnerability is the lack of immunity to the disease. In order to reduce the likelihood of a threat, you can control the vulnerability with medication. In addition, you can try to control the threat using repellents and mosquito nets.
If you are preparing to use Kali Linux in a combat environment, you first need to make sure that you have a clean OS installed that works fine. A common mistake that many beginner pentesters make is that they use the same Kali instance in the course of security analysis of different systems. This approach can lead to problems for two main reasons:
That is why it is strongly recommended that you start working with a clean Kali installation, and that is why efforts to prepare a pre-configured version of Kali Linux, which is ready for automatic installation, quickly pay off.
To get a similar version of the system, refer to sections 9.3. " Build your own Live-ISO images " and 4.3. " Automatic installation ." The more serious you are about automating your work today, the less time you spend tomorrow.
Each pentester has its own requirements for the Kali working configuration, but there are some universal recommendations that everyone should pay attention to.
To get started - consider the possibility of an encrypted installation, as shown in section 4.2.2. "Installation on a fully encrypted file system . ” This will protect your data stored on a computer, usually on a laptop. If it is ever stolen, you will appreciate this precaution.
To provide additional security while traveling, it makes sense to consider setting up the self-destruct function (for details, see “ Setting the self-destruct password to increase the level of system security ”) after sending a (encrypted) copy of the key to a colleague in the office. Thus, your data will be protected until you return to the office, where you can restore your computer using the decryption key.
In addition, you should carefully consider which packages are installed in the OS. When preparing for the next assignment, pay attention to what tools you may need. For example, when you are planning to search for holes in a wireless network, you may consider installing a meta package
For the same reason, you might need to double-check the network settings (for more details, see section 5.1. “ Network Settings ” and section 7.3. “ Protecting Network Services ”). Double check your DHCP settings and look at the services that are listening on your IP address. These settings can have a major impact on job success. You can’t analyze what you don’t see, and redundant services can give out your system and lead to its disconnection from the network even before you start the research.
Of particular importance is the attention to network settings if you are investigating network intrusions. During such investigations, any impact on systems that have been attacked must be avoided. Custom Kali version with meta package
In conclusion, we can say that the correct preparation of Kali Linux for work, the use of a clean, thoughtfully tuned system is the key to success.
Today we talked about the CIA model, and how to apply it in the classification of vulnerabilities and in planning measures to protect systems. We examined the concepts of risks, threats and vulnerabilities, talked about how to prepare Kali Linux for the practical tasks of a pentester. Next time we will talk about various types of events aimed at assessing the security of information systems.
Dear readers! Do you put the CIA model into practice?
→ Part 2. Kali Linux: filtering traffic using netfilter
→ Part 3. Kali Linux: monitoring and logging
→ Part 4. Kali Linux: exercises to protect and monitor the system
Today, we continue to publish translations of selected chapters of Kali Linux Revealed . Here is the first section of Chapter 11: “Using Kali Linux to Assess the Security of Information Systems”.
Chapter 11. Application of Kali Linux to assess the security of information systems
At this point, we examined many of Kali Linux's capabilities, so you should already have a good understanding of the features of the system and how to solve many complex problems with it.
However, before embarking on the practical use of Kali, it is worthwhile to understand some concepts related to assessing the security of information systems. In this chapter we will talk about these concepts, so you will gain basic knowledge on this issue. Here we will also provide links to additional materials that are useful if you need to use Kali to perform a system security assessment.
To begin with, it is worthwhile to devote time to the very concept of “security” as applied to information systems. Trying to protect the information system, pay attention to its three main attributes:
- Confidentiality: can individuals who should not have access to the system or information gain access to them?
- Integrity: Is it possible to modify a system or data unauthorized?
- Availability: Is it possible, given the time and method of access, to use the system or data normally?
Together, these concepts form the so-called CIA (Confidentiality, Integrity, Availability) model, and, in many ways, these are the main aspects that are paid attention to when protecting systems during standard deployment, support, or security assessment processes.
It is also useful to note that in some cases, certain aspects of the CIA will concern you more than others.
For example, you have a personal diary that contains your most cherished thoughts. The confidentiality of this information can be much more important than its integrity or availability. In other words, the main thing is that no one can read what is written in the diary. If someone writes something to him without reading, this is not so scary. Likewise, you do not need the diary to be absolutely always at hand.
On the other hand, if you are protecting a system that stores information about medical prescriptions, data integrity comes to the fore. It is important not to let outsiders read these notes, that is, to receive information about who uses what medicines. It’s important that the recipe lists be easily accessible. However, the most important thing is that no one can change the contents of the system (that is, affect its integrity), as this can lead to life-threatening consequences.
When you are engaged in system security and detect a problem, you need to understand which parts of the CIA are relevant to this problem. It can be something one of the list “confidentiality, integrity, availability”, or a combination of parts of the model. This approach helps to more fully understand the problem, allows you to categorize incidents and take appropriate measures. Understanding the essence of the CIA model, it is easy to classify vulnerabilities of different scales with its help. Here, for example, can be seen through a CIA prism a web application hacked by the method of embedding SQL code:
- Confidentiality: the application is hacked using a variation of SQL injection, which allows an attacker to extract the contents of a web application, gives full access to read all the data, but does not allow changing information or disrupting the database.
- Integrity: The application was hacked using SQL injection, which allows an attacker to modify information that is already in the database. An attacker could not read data or block access to the database.
- Accessibility: the application was attacked using SQL injection, which allows you to initiate a heavy query that consumes a large amount of server resources. Several of these requests result in a service failure (implementing a DoS attack). An attacker does not have the ability to read or modify data, but it can prevent ordinary users from working with a web application.
- Multiple threats: SQL injection gives full access to the operating system of the server on which the web application is running. Having such access, the attacker can violate the confidentiality of the system by gaining access to any data he needs, compromise the integrity of the system by changing the data, and, if he wants, can disrupt the functionality of the web application, which will lead to inaccessibility of the system for ordinary users.
The concepts of the CIA model are quite simple, and if you really look at things, you, even without knowing about this model, intuitively use it. However, it’s important to make a meaningful use of the CIA model, as it can help you figure out which direction to focus your efforts on a case-by-case basis. This conceptual framework will help you identify critical system components. It will allow you to determine the amount of effort and resources that are worth investing in fixing the problems found.
Another concept that we will focus on is risk. The concept of “risk” consists of the concepts of “threat” and “vulnerability”. These concepts are not too complicated, but applying them is easy to make mistakes. We will consider them in more detail later, but to put it briefly, it can be noted that it is best to perceive risk as what you are trying to prevent, a threat - as someone who can, unwanted, commit it, and vulnerability - as something, capable of letting you do what you want to prevent. Appropriate efforts can be made to reduce the level of threat or eliminate vulnerability. The goal of these actions is to reduce risk.
For example, when visiting some countries, you may be at significant risk of contracting malaria. This is true for two reasons. Firstly, in some places there is a high risk of being bitten by a malaria mosquito. Secondly - you almost certainly have no immunity to malaria. Risk is infection. The threat is mosquitoes. Vulnerability is the lack of immunity to the disease. In order to reduce the likelihood of a threat, you can control the vulnerability with medication. In addition, you can try to control the threat using repellents and mosquito nets.
11.1. Application of Kali Linux to assess the security of information systems
If you are preparing to use Kali Linux in a combat environment, you first need to make sure that you have a clean OS installed that works fine. A common mistake that many beginner pentesters make is that they use the same Kali instance in the course of security analysis of different systems. This approach can lead to problems for two main reasons:
- During the study, they often perform manual installation of packages, their configuration, or some other OS modifications. These single changes can help bring Kali up to speed or solve a specific problem. However, they are hard to control. They complicate OS support and its future configuration.
- Each task of assessing the security of a system is unique. Therefore, if, for example, you use an operating system in which notes, code and other changes remain after analyzing the system of one client and the other client, this can lead to confusion and result in mixed client data.
That is why it is strongly recommended that you start working with a clean Kali installation, and that is why efforts to prepare a pre-configured version of Kali Linux, which is ready for automatic installation, quickly pay off.
To get a similar version of the system, refer to sections 9.3. " Build your own Live-ISO images " and 4.3. " Automatic installation ." The more serious you are about automating your work today, the less time you spend tomorrow.
Each pentester has its own requirements for the Kali working configuration, but there are some universal recommendations that everyone should pay attention to.
To get started - consider the possibility of an encrypted installation, as shown in section 4.2.2. "Installation on a fully encrypted file system . ” This will protect your data stored on a computer, usually on a laptop. If it is ever stolen, you will appreciate this precaution.
To provide additional security while traveling, it makes sense to consider setting up the self-destruct function (for details, see “ Setting the self-destruct password to increase the level of system security ”) after sending a (encrypted) copy of the key to a colleague in the office. Thus, your data will be protected until you return to the office, where you can restore your computer using the decryption key.
In addition, you should carefully consider which packages are installed in the OS. When preparing for the next assignment, pay attention to what tools you may need. For example, when you are planning to search for holes in a wireless network, you may consider installing a meta package
kali-linux-wireless
that contains all the tools for researching wireless networks available in Kali Linux. Preparing to test the web application, you can prepare all the tools designed for such tasks by installing a meta package kali-linux-web
. When preparing the system for work, it is best to proceed from the assumption that during the testing session you will not have normal Internet access. Therefore, you need to prepare as best as possible in advance.For the same reason, you might need to double-check the network settings (for more details, see section 5.1. “ Network Settings ” and section 7.3. “ Protecting Network Services ”). Double check your DHCP settings and look at the services that are listening on your IP address. These settings can have a major impact on job success. You can’t analyze what you don’t see, and redundant services can give out your system and lead to its disconnection from the network even before you start the research.
Of particular importance is the attention to network settings if you are investigating network intrusions. During such investigations, any impact on systems that have been attacked must be avoided. Custom Kali version with meta package
kali-linux-forensic
loaded in forensic mode. In this mode, the OS does not mount drives automatically and does not use the swap partition. As a result, when using the digital forensics tools available in Kali, you can maintain the integrity of the system being analyzed. In conclusion, we can say that the correct preparation of Kali Linux for work, the use of a clean, thoughtfully tuned system is the key to success.
Summary
Today we talked about the CIA model, and how to apply it in the classification of vulnerabilities and in planning measures to protect systems. We examined the concepts of risks, threats and vulnerabilities, talked about how to prepare Kali Linux for the practical tasks of a pentester. Next time we will talk about various types of events aimed at assessing the security of information systems.
Dear readers! Do you put the CIA model into practice?