CH 04

Security+ Guide to Network
Security Fundamentals,
Fourth Edition
Chapter 4
Vulnerability Assessment
and Mitigating Attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition
Objectives
Define vulnerability assessment and explain why it is
important
List vulnerability assessment techniques and tools
Explain the differences between vulnerability
scanning and penetration testing
List techniques for mitigating and deterring attacks
2
Vulnerability Assessment
Systematic evaluation of asset exposure
Attackers
Forces of nature
Any potentially harmful entity
Aspects of vulnerability assessment
Asset identification
Threat evaluation
Vulnerability appraisal
Risk assessment
Risk mitigation
3
Vulnerability Assessment (contd.)
Asset identification
Process of inventorying items with economic value
Common assets
People
Physical assets
Data
Hardware
Software
4
Determine each items relative value
Assets criticality to organizations goals
How much revenue asset generates
How difficult to replace asset
Impact of asset unavailability to the organization
Could rank using a number scale
5
Threat evaluation
List potential threats
Threat modeling
Goal: understand attackers and their methods
Often done by constructing scenarios
Attack tree
Provides visual representation of potential attacks
Inverted tree structure
6
Security+ Guide to Network Security Fundamentals, Fourth Edition 7
Table 4-1 Common threat agents
Figure 4-1 Attack tree for stealing a car stereo
Cengage Learning 2012
Figure 4-2 Attack tree for breaking into grading system
Vulnerability appraisal
Determine current weaknesses
Snapshot of current organization security
Every asset should be viewed in light of each threat
Catalog each vulnerability
Risk assessment
Determine damage resulting from attack
Assess likelihood that vulnerability is a risk to
organization
10
Table 4-2 Vulnerability impact scale
Single loss expectancy (SLE)
Expected monetary loss each time a risk occurs
Calculated by multiplying the asset value by exposure
factor
Exposure factor: percentage of asset value likely to be
destroyed by a particular risk
12
Annualized loss expectancy (ALE)
Expected monetary loss over a one year period
Multiply SLE by annualized rate of occurrence
Annualized rate of occurrence: probability that a risk
will occur in a particular year
13
Estimate probability that vulnerability will actually
occur
Risk mitigation
Determine what to do about risks
Determine how much risk can be tolerated
Options for dealing with risk
Diminish
Transfer (outsourcing, insurance)
Accept
14
Table 4-3 Risk identification steps
Assessment Techniques
Baseline reporting
Baseline: standard for solid security
Compare present state to baseline
Note, evaluate, and possibly address differences
Assessment Techniques (contd.)
Application development techniques
Minimize vulnerabilities during software development
Challenges to approach
Software application size and complexity
Lack of security specifications
Future attack techniques unknown
Assessment Techniques (contd.)
Software development assessment techniques
Review architectural design in requirements phase
Conduct design reviews
Consider including a security consultant
Conduct code review during implementation phase
Examine attack surface (code executed by users)
Correct bugs during verification phase
Create and distribute security updates as necessary
Figure 4-3 Software development process
Assessment Tools
IP addresses uniquely identify each network device
TCP/IP communication
Involves information exchange between one
systems program and another systems
corresponding program
Port number
Unique identifier for applications and services
16 bits in length
Assessment Tools (contd.)
Well-known port numbers
Reserved for most universal applications
Registered port numbers
Other applications not as widely used
Dynamic and private port numbers
Available for any application to use
Table 4-4 Commonly used default network ports
Knowledge of what port is being used
Can be used by attacker to target specific service
Port scanner software
Searches system for available ports
Used to determine port state
Open
Closed
Blocked
Figure 4-4 Port scanner
Table 4-5 Port scanning
Protocol analyzers
Hardware or software that captures packets:
To decode and analyze contents
Also known as sniffers
Example: Wireshark
Common uses for protocol analyzers
Used by network administrators for troubleshooting
Characterizing network traffic
Security analysis

Figure 4-5 Protocol analyzer
Attacker can use protocol analyzer to display
content of each transmitted packet
Vulnerability scanners
Products that look for vulnerabilities in networks or
systems
Most maintain a database categorizing
vulnerabilities they can detect

Figure 4-6 Vulnerability scanner
Examples of vulnerability scanners capabilities
Alert when new systems added to network
Detect when internal system begins to port scan
other systems
Maintain a log of all interactive network sessions
Track all client and server application vulnerabilities
Track which systems communicate with other
internal systems
Problem with assessment tools
No standard for collecting, analyzing, reporting
vulnerabilities
Open Vulnerability and Assessment Language
(OVAL)
Designed to promote open and publicly available
security content
Standardizes information transfer across different
security tools and services
Figure 4-7 OVAL output
Honeypots and Honeynets
Honeypot
Computer protected by minimal security
Intentionally configured with vulnerabilities
Contains bogus data files
Goal: trick attackers into revealing their techniques
Compare to actual production systems to determine
security level against the attack
Honeynet
Network set up with one or more honeypots
Vulnerability Scanning vs.
Penetration Testing
Vulnerability scan
Automated software searches a system for known
security weaknesses
Creates report of potential exposures
Should be conducted on existing systems and as
new technology is deployed
Usually performed from inside security perimeter
Does not interfere with normal network operations
Penetration Testing
Designed to exploit system weaknesses
Relies on testers skill, knowledge, cunning
Usually conducted by independent contractor
Tests usually conducted outside the security
perimeter
May even disrupt network operations
End result: penetration test report
Penetration Testing (contd.)
Black box test
Tester has no prior knowledge of network
infrastructure
White box test
Tester has in-depth knowledge of network and
systems being tested
Gray box test
Some limited information has been provided to the
tester
Table 4-6 Vulnerability scan and penetration testing features
Mitigating and Deterring Attacks
Standard techniques for mitigating and deterring
attacks
Creating a security posture
Configuring controls
Hardening
Reporting

Creating a Security Posture
Security posture describes strategy regarding
security
Initial baseline configuration
Standard security checklist
Systems evaluated against baseline
Starting point for security
Continuous security monitoring
Regularly observe systems and networks
Creating a Security Posture (contd.)
Remediation
As vulnerabilities are exposed, put plan in place to
address them
Configuring Controls
Properly configuring controls is key to mitigating
and deterring attacks
Some controls are for detection
Security camera
Some controls are for prevention
Properly positioned security guard
Information security controls
Can be configured to detect attacks and sound
alarms, or prevent attacks
Configuring Controls (contd.)
Additional consideration
When normal function interrupted by failure:
Which is higher priority, security or safety?
Fail-open lock unlocks doors automatically upon
failure
Fail-safe lock automatically locks
Highest security level
Firewall can be configured in fail-safe or fail-open
state
Hardening
Purpose of hardening
Eliminate as many security risks as possible
Techniques to harden systems
Protecting accounts with passwords
Disabling unnecessary accounts
Disabling unnecessary services
Protecting management interfaces and applications
Reporting
Providing information regarding events that occur
Alarms or alerts
Sound warning if specific situation is occurring
Example: alert if too many failed password attempts
Reporting can provide information on trends
Can indicate a serious impending situation
Example: multiple user accounts experiencing
multiple password attempts

CH 04

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CH 04

Uploaded by

Copyright:

Available Formats

Security+ Guide to Network

You might also like