Copyright Goodheart-Willcox Co., Inc.    80    Security Essentials

Penetration Testing Cleanup

At the conclusion of the penetration testing, it is important to perform a cleanup of the environment. During the test, the team may have made changes, installed software and tools, and created accounts. The cleanup includes removing executable scripts, temporary files, backdoors, or rootkits used during the test. If user accounts were created during the test, they should also be removed. Reconfigured devices or software must be reset to their original state.

Baselines and Performance

Conducting security evaluations requires a point of reference against which to compare findings. A baseline is a starting point from which data comparisons are made. Establishing and reviewing baselines related to how a system is used is referred to as usage auditing.

For example, when evaluating the security of a computer system or network, baselines are set that show the network's data rate, traffic statistics, or CPU speed under normal usage. This information is the baseline against which the same type of data, recorded during sluggish performance or an outage, is compared to help determine which operations are essential to the system. If a system seems sluggish and slow in responding to requests, the current amount of network traffic or CPU usage is compared with the baseline. A baseline deviation is a change or difference in data when compared to an original baseline. A large deviation may indicate a problem, such as a user streaming media or downloading large volumes of information.

Companies victimized by advanced persistent threats often do not recognize the symptoms of an attack. Symptoms of persistent threats typically include large, unexpected flows of data and the collection of large amounts of data before it is moved off-site. If a company establishes a baseline and sees unusual patterns that deviate from the normal patterns, it may help identify and ward off a larger security attack.
Establishing Baselines

Establishing baselines provides insight into varying levels of network usage under normal circumstances. Microsoft Windows has built-in tools that can assist with creating baselines and monitoring systems, such as Resource Monitor and Performance Monitor, as shown in Figure 3-1. Resource Monitor is a comprehensive utility that displays real-time data on various hardware elements. Performance Monitor tracks specific data over a wide range of components, such as

- network traffic
- memory usage
- CPU usage, and
- disk space.

To establish a baseline, Performance Monitor is used when a system is known to be in normal operating condition. Then, data can be recorded for the elements you wish to track. Be sure to save the file in a secure location for future reference.

By knowing the baseline data, you could see, for example, if there is an unexpected spike in disk usage. This may indicate a large number of downloads or a high number of files being saved or deleted. Someone downloading a large quantity of files could point to a hacked system or an insider threat. High network traffic can also indicate malware or the presence of a remote user accessing the system.

Performance data is used to monitor the operating condition of hardware. Spikes in disk usage can indicate a failing hard drive, which would result in the loss of critical business data. If the CPU or memory usage is increasing over time or is

TECH TIP

Consider establishing baselines that could indicate other potential vulnerabilities, such as physical disk activity. If a drive containing sensitive or confidential information shows an unusual spike in activity, it could be indicative of an excessive number of files being copied or accessed. Additionally, in Windows, Performance Monitor can be configured to monitor read, write, and idle time on a disk, which can further indicate unusual activity.
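The baseline-and-deviation procedure described above (and the disk idle-time counter from the Tech Tip) can be scripted from PowerShell instead of the Performance Monitor GUI. The following is an added example, not code from the textbook; the counter paths are standard Windows Performance Monitor counters, while the save location, sample counts, and 50% tolerance are assumptions chosen for illustration.

```powershell
# Added example: capture a baseline of Performance Monitor counters on a
# known-healthy system, save it, and later flag baseline deviations.
# Counter paths are standard Windows counters; file path and tolerance are assumed.
$CounterPaths = @(
    '\Processor(_Total)\% Processor Time',     # CPU usage
    '\Memory\Available MBytes',                # memory (a drop means more in use)
    '\PhysicalDisk(_Total)\Disk Bytes/sec',    # disk activity
    '\PhysicalDisk(_Total)\% Idle Time',       # disk idle time (Tech Tip)
    '\Network Interface(*)\Bytes Total/sec'    # network traffic, per adapter
)

function Get-CounterAverage {
    # Sample every counter MaxSamples times, SampleInterval seconds apart,
    # and return a hashtable of counter path -> mean value over the window.
    param([int]$SampleInterval = 5, [int]$MaxSamples = 12)
    $data = Get-Counter -Counter $CounterPaths -SampleInterval $SampleInterval -MaxSamples $MaxSamples
    $avg = @{}
    $data.CounterSamples | Group-Object -Property Path | ForEach-Object {
        $avg[$_.Name] = ($_.Group | Measure-Object -Property CookedValue -Average).Average
    }
    return $avg
}

function Save-Baseline {
    # Run this only while the system is known to be in normal operating condition,
    # and keep the resulting file somewhere an attacker cannot tamper with it.
    param([string]$Path = 'C:\Baselines\perf-baseline.json')   # assumed location
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Get-CounterAverage | ConvertTo-Json | Set-Content -Path $Path
}

function Compare-ToBaseline {
    # Re-sample now and report every counter whose mean differs from the saved
    # baseline by more than $Tolerance (a fraction of the baseline value).
    param([string]$Path = 'C:\Baselines\perf-baseline.json', [double]$Tolerance = 0.5)
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $current  = Get-CounterAverage
    foreach ($counter in $current.Keys) {
        $base = $baseline.$counter
        if ($null -eq $base) { continue }                 # counter absent from baseline
        $delta = if ($base -ne 0) { ($current[$counter] - $base) / $base } else { 0 }
        if ([math]::Abs($delta) -gt $Tolerance) {
            [pscustomobject]@{
                Counter      = $counter
                Baseline     = [math]::Round($base, 2)
                Current      = [math]::Round($current[$counter], 2)
                DeviationPct = [math]::Round($delta * 100, 1)
            }
        }
    }
}
```

Run `Save-Baseline` once during normal operation, then `Compare-ToBaseline` when the system seems sluggish; a large positive deviation on the disk or network counters, or a large negative one on `% Idle Time`, is the kind of baseline deviation the text describes and warrants investigation.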