Recommendation on hackers attacking server

Posted on 2006-03-30
Last Modified: 2010-03-05
I don't know if this is appropriate or not.  I am seeking a way to find out if my company has security holes.  My boss does NOT want to install Microsoft 2003 patches (believe me, I've recommended it strongly).  Is there a book where I can try to 'hack' our server from another IP address to show if there is a vulnerability or not?  I swear I am not a hacker, but I need to see if our network is secure.  He is under the impression that if you are not trying to get in from a specific IP address, it's absolutely safe.  I wanted to mention that even has been hacked but held my tongue.  I need something nitty gritty.  The lowest of the low tricks.

If this is an inappropriate request, please let me know.  I don't mean to offend.

Question by: texastwostep
    LVL 32

    Expert Comment

    If I were in your shoes, I'd be getting my resume updated and start networking around for another position.  If something does happen (which IMHO is more likely all the time) and it's clear that you didn't keep the system updated, who do you think is going to get the blame?  This sounds like a setup to me, and your boss is trying to position you for a fall!!
    LVL 3

    Expert Comment

    What you are proposing to perform is a vulnerability assessment/penetration test.

    Guide to Penetration Testing,295582,sid7_gci1083683,00.html

    I strongly urge you: before you begin a penetration test, get management approval. In writing.

    LVL 3

    Expert Comment

    Jhance has a good point. You might consider putting your recommendations regarding security & concerns over lack of patching in writing so you have an email trail in the event of intrusion/outbreak.

    Author Comment

    I'll get it in writing, thanks.  Any recommendations on books?  I don't want to go 'underground' and be associated with groups of hackers that do this for fun.

    LVL 3

    Accepted Solution

    Going 'underground' isn't necessary; there are plenty of sources/howtos on performing vulnerability assessments and ethical hacking.

    First, read: search for information on how to perform a risk assessment, vuln assessment, pen test, etc.

    Second: you only mention attempting to determine security state from external attackers (i.e., ports/services available outside the firewall). But unpatched/unhardened (default, "out-of-the-box" configurations) systems can leave an organization open to other vectors of attack, such as malware.

    Third: it's my experience that an organization that does not have a patch mgmt strategy isn't doing much else in the way of information security. Sounds like security is being left up to the firewall, the classic 'eggshell' principle of security. Read up on Layered Security.

    There's a lot more I could write, but things you could begin to do after gaining written approval: familiarize yourself with and employ vulnerability scanners (ISS Security Scanner, GFI LANguard, Nessus, etc.) to determine current security state and potential vulnerabilities.

    Hope this all helps.
