SECURITY ARCHITECTURE INSIDER

Testing for client-side vulnerabilities


Lenny Zeltser, Contributor
04.01.2008

Believe it or not, organizations are getting better at protecting network perimeters. Companies with mature security programs, such as financial institutions, usually make a point of allowing only certain ports through the firewall and hardening Internet-accessible servers to minimize attack surface. As a result, when searching for low-hanging fruit, attackers are paying closer attention to client-side vulnerabilities on internal workstations. So should you, when performing security assessments.

A client-side vulnerability often takes the form of unpatched software on a desktop or laptop. Depending on the nature of the vulnerable application, an attacker could exploit it via a specially crafted email attachment or by convincing the user to visit a malicious Web site. Web browsers are common targets. Other attractive targets include Adobe Acrobat, Macromedia Flash, QuickTime and the Java Runtime Environment.

Modeling real-world attacks
When assessing your organization's exposure to such threats via client-side penetration testing, you should mimic two common scenarios:

A related attack tactic involves relying on social engineering to convince the user to install a backdoor program without bothering to exploit a software vulnerability. The attacker may initiate contact through an email or an instant message, enticing the victim to launch an attachment or to download and run some program.

The mechanics of client-side testing
Here are three methods for testing your organization's exposure to client-side attacks during a security penetration test, listed in increasing degree of intrusiveness:

If you are looking to install software on the client system in the last two scenarios, penetration testing tools such as Metasploit, CANVAS and CORE IMPACT can be beneficial. Each offers a mechanism for targeting client-side vulnerabilities, and each may also assist in generating a backdoor program for the medium-impact scenario described above.

If nothing else, identify client-side vulnerabilities
Assessing an organization's exposure to client-side threats via penetration testing is not for everyone. If you cannot justify a penetration test that employs the methods described earlier, at least examine the workstations to identify missing patches. Such a vulnerability assessment may lack the pizzazz of attempting to plant a backdoor; however, it will highlight the type of vulnerabilities an attacker may target via client-side techniques. Your examination should cover both mainstream software from Microsoft and applications from vendors such as Adobe, Apple and Sun.
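A minimal form of that patch check, as an added example rather than the author's own procedure: it compares a constructed software inventory for one workstation against a constructed baseline of minimum patched versions, using numeric rather than string comparison so that a version like 9.1.10 is not treated as older than 9.1.2. All product names and version values below are placeholders, not vendor advisory data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inventory for one workstation (product -> installed version).
# Formats deliberately vary: dotted, Java-style update suffix, and a short string.
SAMPLE_INVENTORY: Dict[str, str] = {
    "Adobe Reader": "8.1",
    "Adobe Flash Player": "9.0.115.0",
    "QuickTime": "7.4.1",
    "Java Runtime Environment": "1.6.0_03",
    "Mozilla Firefox": "2.0.0.12",
}

# Constructed baseline: the minimum version the assessment treats as patched.
# Placeholder values for this example, not vendor advisories.
BASELINE: Dict[str, str] = {
    "Adobe Reader": "8.1.0",
    "Adobe Flash Player": "9.0.115.0",
    "QuickTime": "7.4.5",
    "Java Runtime Environment": "1.6.0_05",
    "Mozilla Firefox": "2.0.0.13",
    "Microsoft Office": "12.0.6",  # in the baseline but not on this host
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a vendor version string into an integer tuple. Every non-digit
    run ('.', '_', '-') is a separator, so '1.6.0_05' -> (1, 6, 0, 5)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_below(installed: str, required: str) -> bool:
    """Numeric comparison, zero-padded so '8.1' equals '8.1.0' and
    '9.1.2' < '9.1.10' (a plain string compare gets both of these wrong)."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def find_missing_patches(inventory: Dict[str, str],
                         baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (product, installed, required) for each baseline product that
    is installed below its minimum version. Products absent from the host
    are skipped: there is nothing to patch."""
    return [(p, inventory[p], req) for p, req in baseline.items()
            if p in inventory and is_below(inventory[p], req)]

if __name__ == "__main__":
    for product, have, need in find_missing_patches(SAMPLE_INVENTORY, BASELINE):
        print(f"{product}: installed {have}, minimum patched {need}")
```

Feeding it a real inventory (for example, exported from an asset management tool) and a baseline maintained from vendor advisories turns the same function into the missing-patch report the paragraph describes.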

As attackers shift their tactics to targeting client-side vulnerabilities, organizations must keep up by assessing their exposure to such threats. By incorporating client-side testing into your security assessments, you will be able to collect metrics that will help you prioritize your security-improvement efforts.

About the author:
Lenny Zeltser is the New York security consulting leader at SAVVIS, Inc. He is also a senior faculty member at SANS Institute, where he teaches a course on reverse-engineering malware.

