Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 4 Vulnerability Assessment and Mitigating Attacks

Page 1: Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition

Chapter 4: Vulnerability Assessment and Mitigating Attacks

Page 2: Security+ Guide to Network Security Fundamentals, Fourth Edition

Objectives

• Define vulnerability assessment and explain why it is important

• List vulnerability assessment techniques and tools

• Explain the differences between vulnerability scanning and penetration testing

• List techniques for mitigating and deterring attacks

Page 3: Security+ Guide to Network Security Fundamentals, Fourth Edition

Vulnerability Assessment

• Systematic evaluation of the exposure of assets to:

– Attackers

– Forces of nature

– Any other potentially harmful entity

• Aspects of vulnerability assessment

– Asset identification

– Threat evaluation

– Vulnerability appraisal

– Risk assessment

– Risk mitigation

Page 4: Security+ Guide to Network Security Fundamentals, Fourth Edition

Vulnerability Assessment (cont’d.)

• Asset identification

– Process of inventorying items with economic value

• Common assets

– People

– Physical assets

– Data

– Hardware

– Software

Page 5: Security+ Guide to Network Security Fundamentals, Fourth Edition

Vulnerability Assessment (cont’d.)

• Determine each item’s relative value

– Asset’s criticality to the organization’s goals

– How much revenue the asset generates

– How difficult the asset is to replace

– Impact of the asset’s unavailability on the organization

• Could rank using a number scale

Page 6: Security+ Guide to Network Security Fundamentals, Fourth Edition

Vulnerability Assessment (cont’d.)

• Threat evaluation

– List potential threats (Table 4-1 lists common threat agents)

• Threat modeling

– Goal: understand attackers and their methods

– Often done by constructing scenarios

• Attack tree

– Provides a visual representation of potential attacks

– Inverted tree structure: the root is the attacker’s goal, and each level below it lists the ways of reaching the node above; a node can require all of its children (AND) or any one of them (OR), which is what lets you find the cheapest path an attacker would take and the leaf whose mitigation cuts it

Page 7: Security+ Guide to Network Security Fundamentals, Fourth Edition

Table 4-1 Common threat agents

Page 8: Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 4-1 Attack tree for stealing a car stereo © Cengage Learning 2012

Page 9: Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 4-2 Attack tree for breaking into grading system © Cengage Learning 2012
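The following is an added example (not code from the textbook) of how an attack tree like those in Figures 4-1 and 4-2 is evaluated once it is written down. The tree, its node names and the attacker-cost figures are all constructed for illustration and are not the contents of either figure; the point is the AND/OR evaluation, which yields the cheapest path to the root goal and shows how marking one leaf as mitigated changes the attacker’s best option.

```python
"""Attack tree evaluation (added example, not from the textbook).

The tree below is constructed; node names and costs are assumptions, not
the contents of Figure 4-1 or 4-2.  AND nodes need every child, OR nodes
need any one child.  cheapest() answers the two questions a threat model
needs: the minimum attacker cost to reach the root goal and which leaves lie
on that path (the controls worth buying first).
"""
from dataclasses import dataclass, field
from typing import List, Tuple

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "and" or "or"
    cost: float = 0.0           # attacker effort for a leaf (assumed units)
    mitigated: bool = False     # True once a control blocks this leaf
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (minimum attacker cost, leaf names on that path) for node."""
    if node.kind == "leaf":
        return (INF, []) if node.mitigated else (node.cost, [node.name])
    results = [cheapest(c) for c in node.children]
    if node.kind == "and":
        total = sum(r[0] for r in results)
        if total == INF:                     # any blocked child blocks the AND
            return (INF, [])
        return (total, [leaf for r in results for leaf in r[1]])
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown node kind {node.kind!r}")


def build_tree() -> Node:
    """Constructed example: goal of reading another student's grades."""
    return Node("Read grades of another student", "or", children=[
        Node("Guess instructor password", "leaf", cost=20),
        Node("Phish instructor credentials", "and", children=[
            Node("Craft convincing email", "leaf", cost=5),
            Node("Host credential-capture page", "leaf", cost=10),
        ]),
        Node("Exploit unpatched grading server", "leaf", cost=60),
    ])


def mitigate(node: Node, leaf_name: str) -> None:
    """Mark a leaf as blocked by a control (e.g. URL filtering on the phishing branch)."""
    if node.kind == "leaf" and node.name == leaf_name:
        node.mitigated = True
    for c in node.children:
        mitigate(c, leaf_name)


if __name__ == "__main__":
    tree = build_tree()
    print(cheapest(tree))                       # phishing branch, cost 15
    mitigate(tree, "Host credential-capture page")
    print(cheapest(tree))                       # falls back to guessing, cost 20
```

Blocking one leaf of an AND node removes the whole branch, which is why the second evaluation shifts to the next-cheapest OR child; that is the comparison a risk-mitigation decision needs.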

Page 10: Security+ Guide to Network Security Fundamentals, Fourth Edition

Vulnerability Assessment (cont’d.)

• Vulnerability appraisal

– Determine current weaknesses

• Snapshot of the organization’s current security

– Every asset should be viewed in light of each threat

– Catalog each vulnerability

• Risk assessment

– Estimate the damage that an attack would cause (Table 4-2 gives an impact scale)

– Assess the likelihood that the vulnerability actually poses a risk to the organization

Page 11: Security+ Guide to Network Security Fundamentals, Fourth Edition

Table 4-2 Vulnerability impact scale

Page 12: Security+ Guide to Network Security Fundamentals, Fourth Edition

Vulnerability Assessment (cont’d.)

• Single loss expectancy (SLE)

– Expected monetary loss each time a risk occurs

– Calculated by multiplying the asset value (AV) by the exposure factor (EF): SLE = AV × EF

– Exposure factor: percentage of the asset’s value likely to be destroyed by a particular risk

Page 13: Security+ Guide to Network Security Fundamentals, Fourth Edition

Vulnerability Assessment (cont’d.)

• Annualized loss expectancy (ALE)

– Expected monetary loss over a one-year period

– Multiply SLE by the annualized rate of occurrence (ARO): ALE = SLE × ARO

– Annualized rate of occurrence: expected number of times the risk occurs in a year (0.25 means once every four years; a frequent event can have an ARO above 1)

Page 14: Security+ Guide to Network Security Fundamentals, Fourth Edition

Vulnerability Assessment (cont’d.)

• Estimate the probability that the vulnerability will actually be exploited

• Risk mitigation

– Determine what to do about each risk

– Determine how much risk can be tolerated

• Options for dealing with risk

– Diminish (reduce it by adding or improving controls)

– Transfer (outsourcing, insurance)

– Accept (when the expected loss is within tolerance, or a control would cost more than the loss it prevents)
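An added worked example (not from the textbook) that carries the SLE and ALE formulas above through to the mitigation decision. The asset value, exposure factor, ARO, control cost and risk tolerance are constructed figures chosen for illustration; the cost/benefit rule (a control is worth buying when the ALE it removes exceeds its annual cost) is the standard quantitative test and is not stated on the slides themselves.

```python
"""Quantitative risk assessment (added example, not from the textbook).

    SLE = asset value (AV) x exposure factor (EF)
    ALE = SLE x annualized rate of occurrence (ARO)

Extends the chapter's formulas with the cost/benefit test used to choose
between diminishing, transferring and accepting a risk.  All figures below
are constructed, not data from the book.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    aro: float              # expected occurrences per year (may exceed 1)


def sle(r: Risk) -> float:
    """Single loss expectancy: loss each time the risk occurs."""
    if not 0.0 <= r.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annualized loss expectancy: expected loss over one year."""
    return sle(r) * r.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual benefit of a control that turns `before` into `after`.

    Positive: the control pays for itself (diminish).  Zero or negative: the
    control costs more than the loss it prevents.
    """
    return ale(before) - ale(after) - annual_control_cost


def recommend(before: Risk, after: Risk, annual_control_cost: float,
              risk_tolerance: float) -> str:
    """Choose among the chapter's options: accept, diminish or transfer."""
    if ale(before) <= risk_tolerance:
        return "accept"
    if control_value(before, after, annual_control_cost) > 0:
        return "diminish"
    return "transfer"


# Constructed scenario: a customer database valued at 500,000.  A breach is
# assumed to destroy 30% of that value and to be expected once every 4 years.
BREACH = Risk("customer database breach", 500_000, 0.30, 0.25)
# Assumed effect of a control costing 18,000 per year: halves both EF and ARO.
BREACH_WITH_CONTROL = Risk(BREACH.name, BREACH.asset_value, 0.15, 0.125)

if __name__ == "__main__":
    print(f"SLE = {sle(BREACH):,.0f}, ALE = {ale(BREACH):,.0f}")
    print(f"ALE with control = {ale(BREACH_WITH_CONTROL):,.0f}")
    print(recommend(BREACH, BREACH_WITH_CONTROL, 18_000, risk_tolerance=5_000))
```

With these figures SLE is 150,000 and ALE 37,500; the control brings ALE down to 9,375, so its 18,000 annual cost leaves a net benefit of 10,125 and the recommendation is to diminish. Raising the control’s cost above the 28,125 of avoided loss flips the answer to transfer.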

Page 15: Security+ Guide to Network Security Fundamentals, Fourth Edition

Table 4-3 Risk identification steps

Page 16: Security+ Guide to Network Security Fundamentals, Fourth Edition

Assessment Techniques

• Baseline reporting

– Baseline: the documented configuration that represents acceptable security for a system

– Compare the present state to the baseline

– Note, evaluate, and possibly address the differences

Page 17: Security+ Guide to Network Security Fundamentals, Fourth Edition

Assessment Techniques (cont’d.)

• Application development techniques

– Minimize vulnerabilities during software development

• Challenges to this approach

– Software application size and complexity

– Lack of security specifications

– Future attack techniques unknown

Page 18: Security+ Guide to Network Security Fundamentals, Fourth Edition

Assessment Techniques (cont’d.)

• Software development assessment techniques

– Review the architectural design in the requirements phase

– Conduct design reviews

• Consider including a security consultant

– Conduct code review during the implementation phase

• Examine the attack surface: the code that untrusted input (from users, the network, or files) can reach, since that is where an attacker starts

– Correct bugs during the verification phase

– Create and distribute security updates as necessary

Page 19: Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 4-3 Software development process © Cengage Learning 2012

Page 20: Security+ Guide to Network Security Fundamentals, Fourth Edition

Assessment Tools

• IP addresses uniquely identify each network device (interface) on a network

• TCP/IP communication

– Involves information exchange between one system’s program and another system’s corresponding program

• Port number

– Identifies which application or service on the host the communication is for

– 16 bits in length (0 to 65535)

Page 21: Security+ Guide to Network Security Fundamentals, Fourth Edition

Assessment Tools (cont’d.)

• Well-known port numbers (0 to 1023)

– Reserved for the most universal applications

• Registered port numbers (1024 to 49151)

– Other applications not as widely used

• Dynamic and private port numbers (49152 to 65535)

– Available for any application to use

Page 22: Security+ Guide to Network Security Fundamentals, Fourth Edition

Table 4-4 Commonly used default network ports

Page 23: Security+ Guide to Network Security Fundamentals, Fourth Edition

Assessment Tools (cont’d.)

• Knowledge of which port is in use

– Can be used by an attacker to target the specific service behind it

• Port scanner software

– Probes a system’s ports to discover which services are reachable (it reports port state, not vulnerabilities; matching services to known weaknesses is the job of a vulnerability scanner)

– Used to determine port state

• Open: a service accepts the connection

• Closed: the host answers, but nothing is listening (TCP reset)

• Blocked: no answer at all, usually a firewall silently dropping the probe

Page 24: Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 4-4 Port scanner © Cengage Learning 2012

Page 25: Security+ Guide to Network Security Fundamentals, Fourth Edition

Table 4-5 Port scanning
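An added example (not from the textbook, and not the tool shown in Figure 4-4) of the simplest port scanner: a TCP connect scan that classifies each port into the three states named on the slide. To stay offline and safe to run, the demo opens its own listener on the loopback interface and scans that; the loopback host, the helper functions and the timeout value are the example’s own choices. Scan only hosts you are authorized to test.

```python
"""TCP connect port scanner (added example, not from the textbook).

open    - a service accepted the connection (SYN/ACK came back)
closed  - the host answered with a reset, seen as "connection refused"
blocked - no answer within the timeout, the usual sign of a firewall
          dropping the probe (nmap calls this "filtered")
"""
import socket
from typing import Dict, Iterable


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Return 'open', 'closed' or 'blocked' for one TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"          # RST came back: nothing is listening
        except socket.timeout:
            return "blocked"         # neither SYN/ACK nor RST: filtered
        except OSError:
            return "blocked"         # e.g. host unreachable; treat as filtered


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Scan a set of ports and return {port: state}."""
    return {p: probe(host, p, timeout) for p in sorted(set(ports))}


def start_listener() -> socket.socket:
    """Open a loopback TCP listener on an ephemeral port (demo target only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)        # the kernel completes handshakes into the backlog
    return srv


def free_port() -> int:
    """Find a loopback port with nothing listening, so it reads as 'closed'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    listener = start_listener()
    open_port = listener.getsockname()[1]
    closed_port = free_port()
    for port, state in scan_ports("127.0.0.1", [open_port, closed_port]).items():
        print(f"127.0.0.1:{port} {state}")
    listener.close()
```

A connect scan completes the full handshake, so every open port shows up in the target’s application logs; real scanners prefer a half-open (SYN) scan for that reason, which needs raw sockets and privileges this example avoids.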

Page 26: Security+ Guide to Network Security Fundamentals, Fourth Edition

Assessment Tools (cont’d.)

• Protocol analyzers

– Hardware or software that captures packets in order to decode and analyze their contents

– Also known as sniffers

• Common uses for protocol analyzers

– Used by network administrators for troubleshooting

– Characterizing network traffic

– Security analysis

Page 27: Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 4-5 Protocol analyzer © Cengage Learning 2012
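An added example (not from the textbook, and unrelated to the product in Figure 4-5) of what a protocol analyzer does to each captured packet: decode the IPv4 and TCP headers and expose the payload. The packet is constructed in memory rather than read from a capture file or a live interface, and carries a cleartext FTP-style login so the security point is visible: anything sent unencrypted is readable by whoever holds a copy of the packet. Addresses, ports and the login are all made up.

```python
"""Minimal protocol analyzer (added example, not from the textbook).

Decodes IPv4 + TCP headers from raw bytes and returns the payload.  The
sample packet is constructed here; checksums are left zero, which a real
capture would not do but which does not affect header decoding.
"""
import struct
from dataclasses import dataclass
from typing import Dict


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    sport: int
    dport: int
    flags: int
    payload: bytes


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a constructed IPv4/TCP packet (for the demo; checksums are zero)."""
    # TCP: sport, dport, seq, ack, data offset (5 words) << 4, flags PSH|ACK, win, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    # IPv4: ver/ihl=0x45, tos, total length, id, flags/frag (DF), ttl, proto 6, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         _ip_bytes(src), _ip_bytes(dst))
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Decode the IPv4 header, then the TCP header, honoring both length fields."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                 # IPv4 header may carry options
    if proto != 6:
        raise ValueError(f"not TCP (protocol {proto})")
    tcp = raw[ihl:total_len]                   # ignore any trailing frame padding
    sport, dport, _seq, _ack, off_flags, flags, _win, _csum2, _urg = \
        struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_flags >> 4) * 4            # TCP header may carry options too
    return Packet(".".join(map(str, src)), ".".join(map(str, dst)), proto,
                  sport, dport, flags, tcp[data_off:])


def credentials_in_payload(pkt: Packet) -> Dict[str, str]:
    """Pull USER/PASS lines out of a cleartext FTP control-channel payload."""
    found: Dict[str, str] = {}
    for line in pkt.payload.decode("ascii", "replace").splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd in ("USER", "PASS"):
            found[cmd] = arg
    return found


# Constructed capture: an FTP login from a workstation to a server.
SAMPLE = build_ipv4_tcp("192.0.2.10", "192.0.2.80", 51234, 21,
                        b"USER alice\r\nPASS hunter2\r\n")

if __name__ == "__main__":
    p = parse_ipv4_tcp(SAMPLE)
    print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} flags=0x{p.flags:02x}")
    print(credentials_in_payload(p))
```

The parser reads the header-length fields instead of assuming 20-byte headers, which is the detail that separates a decoder that survives real traffic (IP or TCP options present) from one that silently misaligns the payload.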

Page 28: Security+ Guide to Network Security Fundamentals, Fourth Edition

Assessment Tools (cont’d.)

• An attacker can use a protocol analyzer to display the content of each transmitted packet, including any credentials or data sent without encryption

• Vulnerability scanners

– Products that look for vulnerabilities in networks or systems

– Most maintain a database categorizing the vulnerabilities they can detect, typically matched against the software versions and configuration they discover

Page 29: Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 4-6 Vulnerability scanner © Cengage Learning 2012

Page 30: Security+ Guide to Network Security Fundamentals, Fourth Edition

Assessment Tools (cont’d.)

• Examples of vulnerability scanners’ capabilities (several of these are continuous network-monitoring functions that vendors bundle with the scanner rather than part of a one-time scan)

– Alert when new systems are added to the network

– Detect when an internal system begins to port scan other systems

– Maintain a log of all interactive network sessions

– Track all client and server application vulnerabilities

– Track which systems communicate with other internal systems
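An added example (not from the textbook or any scanner product) of the core of a vulnerability scanner: matching a discovered service and version against a database of affected version ranges. The database entries, product names, identifiers ("DEMO-0001" and so on) and scan results are constructed placeholders, not real software or real vulnerability identifiers. The example also shows the main caveat of banner-based matching: distributions often backport fixes without changing the version string, so a match is a finding to verify, not proof of exploitability.

```python
"""Version-matching vulnerability check (added example, not from the
textbook).  The database and scan results are constructed placeholders;
the identifiers are not real CVE numbers and the products are not real.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.4.49' -> (2, 4, 49); a suffix such as '1.3.0p1' is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


@dataclass(frozen=True)
class VulnEntry:
    ident: str              # placeholder id, not a real CVE
    product: str
    min_version: Version    # inclusive
    fixed_version: Version  # exclusive: this version and later are patched
    severity: str


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str
    version: str
    backported_fixes: bool = False  # known from a credentialed package check


# Constructed database (products and identifiers are placeholders).
VULN_DB: List[VulnEntry] = [
    VulnEntry("DEMO-0001", "exampled", (2, 4, 0), (2, 4, 51), "high"),
    VulnEntry("DEMO-0002", "exampled", (2, 4, 0), (2, 4, 53), "medium"),
    VulnEntry("DEMO-0003", "otherd", (1, 0, 0), (1, 2, 0), "critical"),
]


def match_service(svc: Service, db: List[VulnEntry] = VULN_DB) -> List[Dict]:
    """Findings for one service; confidence drops when fixes may be backported."""
    v = parse_version(svc.version)
    findings = []
    for e in db:
        if e.product == svc.product and e.min_version <= v < e.fixed_version:
            findings.append({
                "id": e.ident, "host": svc.host, "port": svc.port,
                "severity": e.severity,
                "confidence": ("low (possible backport)" if svc.backported_fixes
                               else "medium (banner match)"),
            })
    return findings


def scan_report(services: List[Service]) -> List[Dict]:
    return [f for s in services for f in match_service(s)]


# Constructed scan results.
SCAN = [
    Service("192.0.2.80", 80, "exampled", "2.4.49"),
    Service("192.0.2.81", 80, "exampled", "2.4.49", backported_fixes=True),
    Service("192.0.2.82", 80, "exampled", "2.4.53"),
    Service("192.0.2.90", 8080, "otherd", "1.3.0p1"),
]

if __name__ == "__main__":
    for f in scan_report(SCAN):
        print(f)
```

Two hosts run the same banner but only one is flagged at low confidence, because a credentialed check found backported fixes; that distinction is what keeps a scan report from burying the real findings under false positives.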

Page 31: Security+ Guide to Network Security Fundamentals, Fourth Edition

Assessment Tools (cont’d.)

• Problem with assessment tools

– No common standard for collecting, analyzing, and reporting vulnerabilities, so results from different tools are hard to compare

• Open Vulnerability and Assessment Language (OVAL)

– Designed to promote open and publicly available security content

– An XML-based language for describing machine-readable checks of system state (installed software versions, patches, configuration settings) and for reporting their results

– Standardizes information transfer across different security tools and services

Page 32: Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 4-7 OVAL output © Cengage Learning 2012

Page 33: Security+ Guide to Network Security Fundamentals, Fourth Edition

Honeypots and Honeynets

• Honeypot

– Computer protected by minimal security

– Intentionally configured with vulnerabilities

– Contains bogus data files

• Goal: trick attackers into revealing their techniques

– Compare the attacks observed against the honeypot with the actual production systems to determine how well they would hold up

– A honeypot must be isolated and closely monitored so that a compromised honeypot cannot be used as a stepping stone into production systems

• Honeynet

– Network set up with one or more honeypots

Page 34: Security+ Guide to Network Security Fundamentals, Fourth Edition

Vulnerability Scanning vs. Penetration Testing

• Vulnerability scan

– Automated software searches a system for known security weaknesses

– Creates a report of potential exposures

– Should be conducted on existing systems and as new technology is deployed

– Usually performed from inside the security perimeter

– Intended not to interfere with normal network operations (aggressive scans can still overload or crash fragile devices, so schedule and tune them with care)

Page 35: Security+ Guide to Network Security Fundamentals, Fourth Edition

Penetration Testing

• Designed to exploit system weaknesses, not merely report them

• Relies on the tester’s skill, knowledge, and cunning

• Usually conducted by an independent contractor, under written authorization that defines the scope and rules of engagement

• Tests usually conducted from outside the security perimeter

– May even disrupt network operations

• End result: penetration test report

Page 36: Security+ Guide to Network Security Fundamentals, Fourth Edition

Penetration Testing (cont’d.)

• Black box test

– Tester has no prior knowledge of the network infrastructure

• White box test

– Tester has in-depth knowledge of the network and systems being tested

• Gray box test

– Some limited information has been provided to the tester

Page 37: Security+ Guide to Network Security Fundamentals, Fourth Edition

Table 4-6 Vulnerability scan and penetration testing features

Page 38: Security+ Guide to Network Security Fundamentals, Fourth Edition

Mitigating and Deterring Attacks

• Standard techniques for mitigating and deterring attacks

– Creating a security posture

– Configuring controls

– Hardening

– Reporting

Page 39: Security+ Guide to Network Security Fundamentals, Fourth Edition

Creating a Security Posture

• Security posture describes the organization’s strategy regarding security

• Initial baseline configuration

– Standard security checklist

– Systems evaluated against the baseline

– Starting point for security

• Continuous security monitoring

– Regularly observe systems and networks

Page 40: Security+ Guide to Network Security Fundamentals, Fourth Edition

Creating a Security Posture (cont’d.)

• Remediation

– As vulnerabilities are exposed, put a plan in place to address them

Page 41: Security+ Guide to Network Security Fundamentals, Fourth Edition

Configuring Controls

• Properly configuring controls is key to mitigating and deterring attacks

• Some controls are for detection

– Security camera

• Some controls are for prevention

– Properly positioned security guard

• Information security controls

– Can be configured to detect attacks and sound alarms, or to prevent attacks

Page 42: Security+ Guide to Network Security Fundamentals, Fourth Edition

Configuring Controls (cont’d.)

• Additional consideration

– When normal function is interrupted by a failure, which is the higher priority, security or safety?

– Fail-open lock unlocks doors automatically upon failure (favors safety and availability)

– Fail-safe lock automatically locks (also called fail-closed or fail-secure)

• Highest security level, but it must never trap people inside; life-safety rules generally require exits to remain usable, so check them before choosing this mode

– A firewall can likewise be configured fail-safe (block all traffic on failure) or fail-open (pass all traffic on failure)

Page 43: Security+ Guide to Network Security Fundamentals, Fourth Edition

Hardening

• Purpose of hardening

– Eliminate as many security risks as possible by reducing the system’s attack surface

• Techniques to harden systems

– Protecting accounts with strong passwords

– Disabling unnecessary accounts

– Disabling unnecessary services

– Protecting management interfaces and applications (restrict them to a management network, require authentication, and use encrypted protocols)
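An added example (not from the textbook) that ties together three of the chapter’s techniques: baseline reporting (compare the present state to the baseline and note the differences), the security posture cycle (baseline, monitor, remediate) and the hardening checklist on this slide (unnecessary accounts and services, protected management interfaces). The baseline and the "current state" are constructed dictionaries; a real run would fill the current state from the host (service manager, account database, listening sockets) and the field names are this example’s own choice.

```python
"""Baseline comparison and hardening audit (added example, not from the
textbook).  BASELINE and CURRENT are constructed; every finding carries the
remediation action the posture cycle calls for.
"""
from typing import Dict, List

BASELINE = {
    "services": {"sshd", "ntpd"},                 # the only services allowed
    "accounts_with_shell": {"root", "ops"},       # interactive accounts allowed
    "mgmt_interfaces": {"sshd": "10.0.0.0/24"},   # management bound to mgmt net
    "settings": {"PasswordAuthentication": "no", "PermitRootLogin": "no"},
}

# Constructed snapshot of a host that has drifted from the baseline.
CURRENT = {
    "services": {"sshd", "ntpd", "telnetd", "cupsd"},
    "accounts_with_shell": {"root", "ops", "guest", "oldadmin"},
    "mgmt_interfaces": {"sshd": "0.0.0.0/0", "telnetd": "0.0.0.0/0"},
    "settings": {"PasswordAuthentication": "yes", "PermitRootLogin": "no"},
}


def compare_to_baseline(baseline: Dict, current: Dict) -> List[Dict]:
    """Return one finding per deviation, each with a remediation action."""
    findings: List[Dict] = []

    for svc in sorted(current["services"] - baseline["services"]):
        findings.append({"area": "services", "item": svc, "severity": "high",
                         "action": f"disable unnecessary service {svc}"})
    for svc in sorted(baseline["services"] - current["services"]):
        findings.append({"area": "services", "item": svc, "severity": "medium",
                         "action": f"expected service {svc} is not running"})

    for acct in sorted(current["accounts_with_shell"] - baseline["accounts_with_shell"]):
        findings.append({"area": "accounts", "item": acct, "severity": "high",
                         "action": f"disable unnecessary account {acct}"})

    for svc, cidr in sorted(current["mgmt_interfaces"].items()):
        expected = baseline["mgmt_interfaces"].get(svc)
        if expected is None or cidr != expected:
            target = expected or "the management network"
            findings.append({"area": "management", "item": svc, "severity": "high",
                             "action": f"restrict {svc} to {target} (now {cidr})"})

    for key, want in baseline["settings"].items():
        have = current["settings"].get(key)
        if have != want:
            findings.append({"area": "settings", "item": key, "severity": "medium",
                             "action": f"set {key}={want} (now {have})"})
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings by severity for the report header."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    report = compare_to_baseline(BASELINE, CURRENT)
    for f in report:
        print(f"[{f['severity']:>6}] {f['area']}/{f['item']}: {f['action']}")
    print(summarize(report))
```

Run against itself the baseline produces no findings, which is the check to keep in place: continuous monitoring is just this comparison repeated on a schedule, with the remediation plan driven by the findings list.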

Page 44: Security+ Guide to Network Security Fundamentals, Fourth Edition

Reporting

• Providing information regarding events that occur

• Alarms or alerts

– Sound a warning if a specific situation is occurring

– Example: alert if there are too many failed password attempts against an account

• Reporting can provide information on trends

– Can indicate a serious impending situation

– Example: many user accounts each experiencing a few failed password attempts from the same source, the signature of a password-spraying attack that no single-account threshold would catch
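An added example (not from the textbook) of the two kinds of reporting on this slide, run over constructed authentication log lines: an alert when one account exceeds a failure threshold inside a time window, and a trend report when one source fails against many different accounts, which a per-account threshold never trips. The log format, the regular expression, the thresholds and every log entry are this example’s own; map the regex to your own authentication log before use.

```python
"""Failed-login alerting and trend reporting (added example, not from the
textbook).  SAMPLE_LOG is constructed; the format is invented for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:07 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:12 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:19 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:25 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:40 FAIL user=alice src=203.0.113.5
2024-05-01T09:01:02 OK user=alice src=198.51.100.7
2024-05-01T10:15:00 FAIL user=bob src=198.51.100.9
2024-05-01T10:15:03 FAIL user=carol src=198.51.100.9
2024-05-01T10:15:06 FAIL user=dave src=198.51.100.9
2024-05-01T10:15:09 FAIL user=erin src=198.51.100.9
2024-05-01T10:15:12 FAIL user=frank src=198.51.100.9
2024-05-01T10:15:15 FAIL user=grace src=198.51.100.9
2024-05-01T11:30:00 FAIL user=bob src=192.0.2.44
"""

Event = Tuple[datetime, str, str, str]   # (timestamp, result, user, src)


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:   # unparseable lines are skipped rather than fatal
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def brute_force_alerts(events: List[Event], threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Alert when one account fails more than `threshold` times within `window`."""
    fails = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[user].append((ts, src))
    alerts = []
    for user, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):       # sliding window from each failure
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            if len(in_window) > threshold:
                alerts.append({"type": "brute_force", "user": user, "count": len(in_window),
                               "sources": sorted({a[1] for a in in_window})})
                break
    return alerts


def spray_trends(events: List[Event], min_accounts: int = 5,
                 window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Report a source that fails against `min_accounts` distinct accounts within `window`."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    trends = []
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                trends.append({"type": "password_spray", "src": src, "accounts": sorted(users)})
                break
    return trends


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(brute_force_alerts(evs))
    print(spray_trends(evs))
```

The second detection is the trend case from the slide: six accounts with one failure each never exceed the per-account threshold, yet grouped by source they are an obvious spray; report both views, because an attacker who knows only the first threshold exists will stay under it.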

Page 45: Security+ Guide to Network Security Fundamentals, Fourth Edition

Summary

• Vulnerability assessment

– Methodical evaluation of the exposure of assets to risk

– Five steps in an assessment

• Risk describes the likelihood that a threat agent will exploit a vulnerability

• Several techniques can be used in a vulnerability assessment

• Port scanners, protocol analyzers, and honeypots are used as assessment tools

Page 46: Security+ Guide to Network Security Fundamentals, Fourth Edition

Summary (cont’d.)

• A vulnerability scan searches a system for known security weaknesses and reports its findings

• Penetration testing is designed to exploit any discovered system weaknesses

– The tester may have various levels of system knowledge

• Standard techniques used to mitigate and deter attacks

– Healthy security posture

– Proper configuration of controls

– Hardening and reporting