IT security is probably one of the most well-known and widely used buzzwords in the world of information technology. With this widespread use and an increasing focus on the topic among the public and lawmakers, it is becoming more and more important for developers to consider IT security in software development and in the processes around it.
When dealing with IT security, questions usually arise about how to approach the topic (practically) or how to test the software. To answer these questions, it helps to build a dedicated setup. In a Tech Talk, our Factor Ten colleague Michael Werner presented a lightweight setup that should enable developers and IT security enthusiasts to get started.
Since many roads lead to Rome and this setup can take on different forms, this blog article does not describe a fully specified setup. Rather, we will discuss what the goal of this type of setup is, how it is implemented technically and, finally, which possible applications result from it. Thus, everyone can decide for themselves whether and in which configuration the setup can be used for their own purposes.
What is the goal of the presented setup?
Ultimately, the main goal of the setup is to provide an easy introduction to the topic of IT security. It is therefore also aimed at people who have little to no experience in the field. Three very important aspects result from this basic idea.
1. “Robustness” of the setup
Robustness in this context means two different things. On the one hand, the setup should be robust enough that if something goes wrong during tests or experiments, no damage is done to systems or a company’s infrastructure. On the other hand, the setup should be robust enough that if something goes wrong, it can be brought back up and running as quickly as possible.
Since the setup should also be about experimentation and knowledge building, it should be possible to test many aspects of IT security with it. Whether it is about attacks within networks, attacks on web servers or viruses, everything should be covered with few or no adjustments to the setup.
The setup should be kept simple enough to be used, adapted and set up even with little experience.
This section is probably the most interesting, but also probably the most unspectacular part of the blog article. The short answer to what the setup roughly looks like: a VM system consisting of Kali Linux and the machines to be attacked, all communicating within a NAT network. To visualize the whole thing a bit better, here is a small overview.
This implementation allows the setup to run isolated on a host system, so that at no time other systems are at risk. If a VM in the setup breaks, a snapshot can theoretically be restored, or the VM can quickly be rebuilt from scratch.
If different topics or attack constellations are to be tested, new or different VMs can be added for this purpose.
The user interface of programs like VirtualBox is simple enough that building this setup involves importing the Kali VM ISO file, creating a VM to attack via dialogs and changing one configuration in the network settings (the NAT network).
For those who have not heard the term Kali: Kali is a Debian-based open source operating system maintained by Offensive Security that comes pre-installed with tools for penetration testing. Therefore, it is well suited for this and similar setups.
As a side tip, there are so-called Metasploitable VMs. These are Linux VMs that have known vulnerabilities. If knowledge in the area of IT security is to be built up, it can be worthwhile to take a look at such a VM and play with it a bit. Since this VM contains vulnerabilities, it is recommended to cut the host PC’s internet connection while using it, just to be on the safe side.
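A check for the network setting described above, as an added example that is not part of the original article or the Tech Talk: it reads the output of `VBoxManage showvminfo <vm> --machinereadable` and flags every network adapter that is not attached to the lab NAT network. The network name `SecLab`, the VM names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a lab VM is attached only to the lab NAT network.
# Input: key="value" lines as printed by
#   VBoxManage showvminfo <vm> --machinereadable

LAB_NET="SecLab"   # hypothetical NAT network name

# check_isolation NETNAME   (reads showvminfo output on stdin)
# Prints one finding per misattached adapter; returns 0 if isolated, 1 if not.
check_isolation() {
    awk -F= -v net="$1" '
        { gsub(/"/, "", $2) }                      # strip the value quotes
        $1 ~ /^nic[0-9]+$/         { mode[substr($1, 4)]  = $2 }
        $1 ~ /^nat-network[0-9]+$/ { name[substr($1, 12)] = $2 }
        END {
            bad = 0
            for (n in mode) {
                if (mode[n] == "none") continue    # adapter disabled
                if (mode[n] != "natnetwork") {
                    printf "nic%s: attached as %s, expected natnetwork\n", n, mode[n]
                    bad = 1
                } else if (name[n] != net) {
                    printf "nic%s: on NAT network %s, expected %s\n", n, name[n], net
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample output (not taken from a real machine).
SAMPLE_OK='name="metasploitable"
nic1="natnetwork"
nat-network1="SecLab"
nictype1="82540EM"
nic2="none"'
SAMPLE_BRIDGED='name="kali"
nic1="natnetwork"
nat-network1="SecLab"
nic2="bridged"
bridgeadapter2="eth0"'

for sample in "$SAMPLE_OK" "$SAMPLE_BRIDGED"; do
    if printf '%s\n' "$sample" | check_isolation "$LAB_NET"; then
        echo "isolated"
    else
        echo "NOT isolated"
    fi
done
# Live use: VBoxManage showvminfo "kali" --machinereadable | check_isolation "$LAB_NET"
```

The check covers the attachment mode only. A VirtualBox NAT network still lets the VMs reach outside networks through the host, which is why disconnecting the host is suggested while a deliberately vulnerable VM is running.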
Due to the flexibility of this setup, it can be used in many ways. On the one hand, it can be used to build up knowledge by reproducing topics in practice. Accordingly, it can also be used for demos and training.
If your own software is included as a target, penetration test topics can be reproduced against your own development. Kali as a VM can, in theory, also be used to connect to external networks via the host. That is, it could be used to test one’s own corporate infrastructure.
Creative people will probably come up with many other ways to use this setup. It is always important to keep in mind that the systems Kali is running against must be ones that are allowed to be tested. Permission and an agreement are always required when going against systems that one does not provide oneself!