Summary
Troy University and the Alabama Computer Forensics Institute (ACFI) completed the task of carrying out a security assessment and subsequent penetration test of the STTarx product.
The purpose of these tests was to identify security vulnerabilities in the STTarx application in two applied environments.
Server configurations and web applications running on the servers were specified as part of the scope.
The tests assumed the identity of an attacker or a user with malicious intent.
No care was taken to prevent damage to the clients and the servers — the threat assessment included thorough, rigorous efforts to compromise traffic, clients and servers, employing a wide variety of techniques.
Approach
- Controlled test environment
  - Perform broad scans to identify potential areas of exposure and services on the client and the server that may serve as entry points
  - Perform targeted scans and manual investigation to validate any observed vulnerabilities
  - Test identified components to gain access to (1) traffic, (2) client, and (3) server
  - Rank vulnerabilities based on threat level, loss potential, and likelihood of exploitation
  - Identify issues of immediate consequence and recommend solutions
- Open, live environment
  - Perform broad scans to identify potential areas of exposure and services on the client and the server that may serve as entry points
  - Perform targeted scans and manual investigation to validate any observed vulnerabilities
  - Test identified components to gain access to (1) traffic, (2) client, and (3) server
  - Rank vulnerabilities based on threat level, loss potential, and likelihood of exploitation
  - Identify issues of immediate consequence and recommend solutions
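As an added illustration of the broad-scan, validate and rank steps above (example code written for this page, not part of the Troy University or ACFI assessment), the script below triages constructed nmap grepable output: it performs host discovery and service enumeration from the scan lines, flags the services the report names as commonly exposed, and ranks them by threat level, loss potential and likelihood. The risk weights and the sample hosts are assumptions.

```python
import re
# Services the report names as commonly exposed, mapped to (threat level,
# loss potential) on a 1-3 scale; the weights are illustrative assumptions.
RISKY_SERVICES = {
    "telnet": (3, 3), "ftp": (2, 2), "vnc": (3, 3),
    "ms-wbt-server": (3, 3), "mysql": (2, 3), "ms-sql-s": (2, 3),
}

# Constructed sample of nmap -oG (grepable) output for a three-host sweep.
SAMPLE_SCAN = """\
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 23/open/tcp//telnet///, 3306/open/tcp//mysql///, 443/open/tcp//https///
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 5900/filtered/tcp//vnc///
Host: 192.0.2.12 ()\tStatus: Down
"""
# Field layout nmap -oG uses: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")

def parse_grepable(text):
    """Host discovery + service enumeration: {ip: {"up": bool, "ports": [...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        entry = hosts.setdefault(line.split()[1], {"up": False, "ports": []})
        if "Status: Up" in line:
            entry["up"] = True
        for port, state, proto, svc in PORT_RE.findall(line):
            entry["ports"].append((int(port), state, proto, svc))
    return hosts

def rank_findings(hosts):
    """Flag the named services and rank by threat * loss * likelihood
    (likelihood 3 for an open port, 1 for a filtered one)."""
    findings = []
    for ip, entry in hosts.items():
        for port, state, _proto, svc in entry["ports"]:
            if svc in RISKY_SERVICES and state in ("open", "filtered"):
                threat, loss = RISKY_SERVICES[svc]
                likelihood = 3 if state == "open" else 1
                findings.append((threat * loss * likelihood, ip, port, svc, state))
    return sorted(findings, reverse=True)

def summarize(text):
    """Live hosts plus ranked findings; both lists are empty for a silent network."""
    hosts = parse_grepable(text)
    return {"live_hosts": [ip for ip, e in hosts.items() if e["up"]],
            "findings": rank_findings(hosts)}
```

A sweep in which no host answers, as the report describes, produces empty lists for both keys, which is the expected result for a correctly cloaked deployment.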
During the network security checks, for both types of tests, we probed the ports known to us as well as all available ports.
We scanned all published services running on known ports and common operating system level services and attributes.
We sought configuration issues and logical errors present with the operating system and associated services.
Within the controlled test environment, both the client and server were unpatched Windows operating systems.
Scope
The scope of these tests fell into two categories.
In the controlled environment, we scanned the actual devices within the development group.
In the open, live environment, we scanned the entire IP subnet of the client and target server networks.
The total number of IP addresses scanned for the live test was 512.
Key Findings
Troy University and ACFI did not identify any open ports or live IP addresses running the STTarx product in either environment.
Troy University and ACFI did not identify any common insecure services such as VNC, Telnet, FTP, Terminal Services, MySQL, and Microsoft SQL as being externally accessible.
Troy University and ACFI often find these types of services during external penetration tests.
During the course of this assessment we did not receive an Internet Control Message Protocol (ICMP) Echo Reply from any hosts.
Upon additional review of the test and live environments with Troy University personnel and STTarx managers, Troy verified that the configuration in place was intended for testing and was running live with no additional security measures in place, which could have affected discovery.
With knowledge of the configurations in both environments, a directed assault was launched against the IP addresses of the clients and servers.
The assets did not respond to any attempt to attack the devices.
Furthermore, a wide array of attacks was attempted.
Included among the attack types were denial of service, distributed denial of service, operating system exploitation, network payload manipulation, malware and viruses.
Once Troy University and ACFI had completed their testing regimen, another third party was engaged to verify the test results and conduct a further series of tests.
The group reached identical conclusions — the STTarx protected devices could not be observed nor compromised.
The tests were conducted by Troy University and ACFI eleven times.
Host discovery yielded no results.
Service enumeration against the known active IP addresses yielded no results.
Vulnerability scans against the purposely exposed services on the known IP addresses yielded no results.
Following the vulnerability scans, we performed manual tests.
Those tests yielded no results.
Conclusion
According to our tests, and verified by independent review, the STTarx product functioned as described.
In a controlled test environment where all variables were disclosed, the STTarx product performed without failure.
In a live, production environment, the STTarx product performed as described.
All tests to locate, infiltrate and erode the security of the STTarx solution were unsuccessful.