Recommendation on hackers attacking server

I don't know if this is appropriate or not.  I am seeking a way to find out if my company has security holes.  My boss does NOT want to install Microsoft 2003 patches (believe me, I've recommended it strongly).  Is there a book where I can try to 'hack' our server from another IP address to show if there is a vulnerability or not?  I swear I am not a hacker, but I need to see if our network is secure.  He is under the impression that if you are not trying to get in from a specific IP address, it's absolutely safe.  I wanted to mention that even microsoft.com has been hacked but held my tongue.  I need something nitty gritty.  The lowest of the low tricks.

If this is an inappropriate request, please let me know.  I don't mean to offend.

Thanks.
texastwostep Asked:

jhance Commented:
If I were in your shoes, I'd be getting my resume updated and start networking around for another position.  If something does happen (which IMHO is more likely all the time) and it's clear that you didn't keep the system updated, who do you think is going to get the blame?  This sounds like a setup to me and your boss is trying to position you for a fall!!
0
tnapolitano Commented:
What you are proposing to perform is a vulnerability assessment/penetration test.

Guide to Penetration Testing
http://searchnetworking.techtarget.com/general/0,295582,sid7_gci1083683,00.html

I strongly urge you: before you begin a penetration test, get management approval. In writing.


0
tnapolitano Commented:
Jhance has a good point. You might consider putting your recommendations regarding security & concerns over lack of patching in writing so you have an email trail in the event of intrusion/outbreak.
0
texastwostep Author Commented:
I'll get it in writing, thanks.  Any recommendations on books?  I don't want to go 'underground' and be associated with groups of hackers that do this for fun.

Thanks.
0
tnapolitano Commented:
Going 'underground' isn't necessary; there are plenty of sources/howtos on performing vulnerability assessments and ethical hacking.

First, read: search for information on how to perform a risk assessment, vuln assessment, pen test, etc.

Second: you only mention attempting to determine security state from external attackers (i.e., ports/services available outside firewall). But unpatched/unhardened (default, "out-of-the-box" configurations) systems can leave an organization open to other vectors of attack, such as malware.

Third: it's my experience that an organization that does not have a patch mgmt strategy isn't doing much else in the way of information security. Sounds like security is being left up to the firewall, the classic 'eggshell' principle of security. Read up on Layered Security.

There's a lot more I could write, but things you could begin to do after gaining written approval: familiarize yourself with and employ vulnerability scanners (ISS Security Scanner, GFI Languard, Nessus, etc.) to determine current security state and potential vulnerabilities.

Hope this all helps.
0
