As some of my readers may know I have a certificate on ISO/IEC 27001 internal auditing. (Not that there are many customers interested in this … security in Germany still is a waste land.) The ISO/IEC 27001 standard defines a systematic process oriented approach to security. At its core it demands (besides other things) defined processes for a thorough periodical risk analysis to derive appropriate security measures. Control, audit and continuous improvement processes must be included in the process landscape – up to highest company level. So far so good. Of course, technical measures have to be taken into account – but the whole “control” catalog of Appendix A is written in a very general way and has to be broken down to specific requirements of a company.
Despite working on process consulting, I carry around a technical mindset from my time in physics and numerical math. So, in a way, I like looking at the technical basics in a security context – though I would not call me a real technical expert on “hacking”. Still I have a profound interest in pen-testing tools. In my opinion every type of security auditor should have a reasonable amount of knowledge about technical risks, pen-testing and possible attack vectors. However, after working a while with common scanning and attack tools in isolated pen-test environments – with the legal consent of the owners – one gets a strange feeling:
When you judge the effectiveness of security measures and test them by standard analysis tools: Don’t you miss the creativity of real hackers? Are the “real” threats covered by pen-testing tools like vulnerability scanners and Metasploit stuff, at all?
Another critical point is the threat level assigned by tools like Nessus or OpenVAS to detected system vulnerabilities – if you concentrate on the most “severe”, high point alerts, you may almost always miss some “low” risks and underlying threats, which alone or in combination can be used for a systematic privilege escalation. That there is some truth in this statement you may already find out on metasploitable training machines.
So, one of the questions nagging in a corner of my mind from time to time was: Is there some literature which gives you a broader insight in the way a hacker may think? In action? Yesterday, I started reading a series of books of an author calling himself “Spark FLOW”.
My preliminary “verdict” as a non-hacker, but as a defense and security oriented person after 2 out of 7 books is:
Very interesting reading – though based on somewhat “constructed” scenarios (so far). Creative, varying use/combination of attack methods on different types of machines … I learned quite a bit about some Windows weaknesses and privilege escalation. But also Linux gets its amount of hacks and related comments. It is almost provocative that the first book rather early describes compromising a Linux machine in a DMZ ….(because – as the author explains in a footnote – “otherwise it would be too simple if we directly landed on Windows from the start”).
However, more important: Although written very attack-oriented – it gave me a hell to think about counter-measures. Which I, probably, have a better grasp on regarding Linux machines. But there a some Windows systems in our nets, too.
I would like very much to see a kind of summary table of this guy at the end of each of his books with a systematic collection of weaknesses and vulnerabilities exploited – and his ideas on reasonable countermeasures on the admins’ side.
Anyway – the reading was “enjoyable” and a bit frightening at the same time. It triggers some serious thinking. I recommend the book series of Sparc Flow to all “admins” and to all “sec staff” members who want to learn more about a hacker’s mindset and its flexibility.