CASE STUDY
NASA Penetration Testing

TDI has performed penetration testing services for the National Aeronautics and Space Administration (NASA) to reveal any risks that might cause system downtime or service interruption, and subsequently to minimize these risks. TDI's expertise was brought to bear in understanding how the location of firewalls and routers, the operating systems, the configuration of servers and clients, network connections, and the hardware and software that reside on NASA's networks all contribute to determining weaknesses.

By mimicking hackers and using their techniques, TDI personnel demonstrated the true state of the target's security posture with penetration testing. Though we used automated tools for some of the more commonplace and documented vulnerabilities, we took a more manual approach to test the latest vulnerabilities that are particular to the target network configuration.

Our penetration test was accomplished through a variety of techniques and tools to illustrate susceptible components of network security defenses, such as:

  • Port Scanning: systematically scanning ports of relevant servers. TDI identified open ports and open services that reflect security infrastructure vulnerabilities.
  • Denial of Service (DoS): characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. TDI assessed the level of susceptibility and potential vulnerability to these attacks. TDI did NOT actually launch DoS attacks or exploitations.
  • Password Cracking: any program that can decrypt passwords or otherwise disable password protection. TDI used tools such as L0phtcrack and rainbow tables to illustrate poor user password protection and other password vulnerabilities.
  • Spoofing: the ability to forge one's source address; the act of using one machine to impersonate another. TDI used this method to illustrate the strength of firewall configurations. In addition, we used methods and techniques known as "firewalking" to assess inadvertent firewall misconfigurations.
  • Buffer Overflows: TDI tested vulnerabilities with respect to buffer overflows.

Our penetration testing efforts included discovering the identities of systems, mapping the ports and services on those systems, enumerating them, and using various strategies to intrude upon those systems.

Since 2004, TDI has supported NASA in its need to address cyber security holes in its networks. Our expertise has allowed NASA to continue focusing on its mission while allowing TDI to provide NASA with information assurance. Our continued support of NASA, year after year, with specific requests for our personnel's expertise, is a clear indicator of our successful delivery to this symbolic institution of ingenuity and technological advancement.