
Recommendation on hackers attacking server

Asked by texastwostep. Last Modified: 2010-03-05
I don't know if this is appropriate or not.  I am seeking a way to find out if my company has security holes.  My boss does NOT want to install Microsoft 2003 patches (believe me, I've recommended it strongly).  Is there a book where I can try to 'hack' our server from another IP address to show if there is a vulnerability or not?  I swear I am not a hacker, but I need to see if our network is secure.  He is under the impression that if you are not trying to get in from a specific IP address, it's absolutely safe.  I wanted to mention that even microsoft.com has been hacked but held my tongue.  I need something nitty gritty.  The lowest of the low tricks.

If this is an inappropriate request, please let me know.  I don't mean to offend.

Thanks.

Commented:
If I were in your shoes, I'd be getting my resume updated and start networking around for another position.  If something does happen (which IMHO is more likely all the time) and it's clear that you didn't keep the system updated, who do you think is going to get the blame?  This sounds like a setup to me and your boss is trying to position you for a fall!!
What you are proposing to perform is a vulnerability assessment/penetration test.

Guide to Penetration Testing
http://searchnetworking.techtarget.com/general/0,295582,sid7_gci1083683,00.html

I strongly urge you: before you begin a penetration test, get management approval. In writing.


Jhance has a good point. You might consider putting your recommendations regarding security & concerns over lack of patching in writing so you have an email trail in the event of intrusion/outbreak.

Author

Commented:
I'll get it in writing, thanks.  Any recommendations on books?  I don't want to go 'underground' and be associated with groups of hackers that do this for fun.

Thanks.
Going 'underground' isn't necessary; there are plenty of sources/howtos on performing vulnerability assessments and ethical hacking.

First, read: search for information on how to perform a risk assessment, vuln assessment, pen test, etc.

Second: you only mention attempting to determine security state from external attackers (i.e., ports/services available outside the firewall). But unpatched/unhardened (default, "out-of-the-box" configurations) systems can leave an organization open to other vectors of attack, such as malware.

Third: it's my experience that an organization that does not have a patch mgmt strategy isn't doing much else in the way of information security. Sounds like security is being left up to the firewall, the classic 'eggshell' principle of security. Read up on Layered Security.

There's a lot more I could write, but things you could begin to do after gaining written approval: familiarize yourself with and employ vulnerability scanners (ISS Security Scanner, GFI LANguard, Nessus, etc.) to determine current security state and potential vulnerabilities.

Hope this all helps.
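The comment above describes the first step of an external assessment: finding which ports and services on the server answer to an outside address, and what they announce about themselves. The following is an added example, not code from the thread or from any of the scanners it names. It is a minimal TCP connect scan with banner grabbing, written in Python; the target host and port list are assumptions to be replaced with the server under test, and the built-in demo runs against a constructed local listener so it works offline. As the commenters say, run it against a production server only with written approval.

```python
"""Minimal TCP connect scan with banner grabbing (added example).

A full TCP connect (not a SYN scan) leaves an ordinary connection in the
target's logs, which is appropriate for an authorised assessment.  Service
banners (SMTP, FTP, SSH, IIS headers) often disclose a product and version,
which is what a scanner such as Nessus compares against its patch database.
"""
import socket
import threading

BANNER_TIMEOUT = 1.0  # seconds to wait for connect and for a banner


def scan_port(host, port, timeout=BANNER_TIMEOUT):
    """Return (is_open, banner_bytes) for one TCP port on host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except (socket.timeout, ConnectionRefusedError, OSError):
            return False, b""
        # Services that greet the client on connect reveal themselves here;
        # a silent service (e.g. HTTP) simply yields an empty banner.
        try:
            banner = s.recv(256)
        except (socket.timeout, OSError):
            banner = b""
        return True, banner


def scan_host(host, ports):
    """Scan a list of ports; return {port: banner} for the open ones only."""
    results = {}
    for port in ports:
        is_open, banner = scan_port(host, port)
        if is_open:
            results[port] = banner.strip()
    return results


def _start_demo_listener(banner=b"220 demo-smtp ESMTP ready\r\n"):
    """Constructed stand-in for an exposed service: a localhost listener on
    an ephemeral port that sends a banner to each client and hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by demo(); stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo():
    """Scan one open and one closed localhost port; return what was found."""
    srv, open_port = _start_demo_listener()
    # Pick a port that is currently free, then release it so it is closed.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    found = scan_host("127.0.0.1", [open_port, closed_port])
    srv.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    open_port, closed_port, found = demo()
    for port, banner in sorted(found.items()):
        print(f"{port}/tcp open  banner={banner!r}")
    print(f"{closed_port}/tcp closed")
```

To use it against a real host from an outside address, replace the demo call with something like `scan_host("203.0.113.10", [21, 22, 25, 80, 135, 139, 443, 445, 1433, 3389])` (an assumed address and a typical Windows Server 2003 port list). Anything that answers is reachable from the whole Internet, not just from one "specific IP", and any banner that names a version is the starting point for checking it against the missing patches.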
