Vulnerability Assessment
Techniques
Active Assessments
Any use of a network scanner to find hosts, services and vulnerabilities is a form of active assessment. Whether the scan sends a single ICMP packet or mounts a full-fledged DoS attack, any assessment that involves placing packets on the wire to interrogate a host for unknown services or vulnerabilities is an active assessment.
Many network scanners have controls on how aggressively they pursue their interrogation of the network and the servers they encounter. For example, Nessus (http://www.nessus.org) has a concept of safe checks, which causes it to be less intrusive when performing security audits of network services.
Other commercial scanners have a similar mode, which is deceptively called passive scanning.
Kizza - Guide to Computer
Network Security
Passive Assessments
Sniffing network traffic to deduce a list of active systems, active services, active applications and even active vulnerabilities is referred to as a passive assessment.
Passive assessment is a continuous effort: the sniffer performing the analysis can see the network 24x7, whereas an active assessment is really a picture of the network at a point in time. Passive assessments therefore offer a more accurate listing of who is actually using the network.
There are a lot of gotchas with passive assessment. For example, how does one know whether an IP address is active or not? Consider a DHCP network (Dynamic Host Configuration Protocol, a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway). Through the course of a week, many hosts will boot up and receive an IP address each day. If a host gets a different IP address each day, by the end of the week it will look as though many hosts are active on the network.
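The DHCP gotcha above, as an added example that is not part of the Kizza text: a passive inventory keyed on the IP addresses seen over a week over-counts hosts, while keying it on the client hardware (MAC) address recorded from the DHCP exchange does not. The sightings, MAC and IP values are constructed.

```python
# Added example: why an IP-keyed passive inventory over-counts hosts on a
# DHCP network, and how keying on the client MAC address avoids it.
# SIGHTINGS are constructed (day, client MAC, leased IP) tuples such as a
# sniffer could record from DHCP ACKs; none of the values are real.
from collections import defaultdict

SIGHTINGS = [
    (1, "00:11:22:33:44:01", "10.0.0.10"),
    (1, "00:11:22:33:44:02", "10.0.0.11"),
    (2, "00:11:22:33:44:01", "10.0.0.12"),   # same host, new lease
    (2, "00:11:22:33:44:02", "10.0.0.11"),
    (3, "00:11:22:33:44:01", "10.0.0.13"),
    (3, "00:11:22:33:44:03", "10.0.0.10"),   # old IP reused by another host
    (4, "00:11:22:33:44:01", "10.0.0.14"),
]

def hosts_by_ip(sightings):
    """Naive inventory: one 'host' per distinct IP address ever seen."""
    return {ip for _, _, ip in sightings}

def hosts_by_mac(sightings):
    """Inventory keyed on MAC: each host mapped to the (day, IP) leases it held."""
    inv = defaultdict(list)
    for day, mac, ip in sorted(sightings):
        inv[mac].append((day, ip))
    return dict(inv)

def active_ips_on(sightings, day):
    """IP-to-host view for one day: only the most recent lease per MAC
    counts, so an IP a host gave up earlier is not reported as active."""
    latest = {}
    for d, mac, ip in sorted(sightings):
        if d <= day:
            latest[mac] = ip
    return latest
```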
Host-based audits
Host-based audits are conducted on individual computers. The advantages of host-based assessment are:
Greatly reduced numbers of false positive and false negative reports when compared with network-based products.
Superior scalability over network-based products.
Increased security over agent-less assessments, which require administrative privileges.
Network-based audits
Network-based audits are conducted from central locations on the network. The advantages of network-based assessment are:
Immediate network-wide vulnerability information.
Immediate vulnerability information about network resources that cannot install monitoring agents; for example, network routers or firewalls.
Discovery of unknown computers and other resources on the network.
Ability to audit the vulnerability of computers to attacks from inside or outside the network.
Blended Assessments
A blended form of security assessment utilizes a combination of active, passive and host-based techniques. Each method in the combination has several advantages and disadvantages, which can be used to offset a variety of technical and political limitations imposed by large enterprise networks.
Additional features
Centralized reporting and management of vulnerabilities.
A comprehensive "health check" of the network is available from a central location with a consistent, automated, repeatable, and on-demand system.
Identifies vulnerabilities in mission-critical systems and applications, not just the operating system.
Can be scaled to provide coverage for the entire enterprise, extending across the Internet.
Network Services
Choosing what type of network services and protocols the network will use is a daunting job. A few policies to choose from:
Permit all and deny as needed. It is easy to implement: turn on all services and protocols and turn them off selectively as security holes become apparent. It is simple; however, it is prone to attacks.
Deny all mode is generally more secure but more complex to implement.
Authenticated Data
To ensure a reasonable amount of data integrity, you should authenticate most of the traffic traversing the network. Traffic specific to the operations of a secure network infrastructure (such as updating of routing tables) should be authenticated.
A checksum protects against the injection of spurious packets by an intruder. Combined with sequence number techniques, a checksum can also protect against replay attacks.
The most security is provided by complete encryption of routing tables. However, encryption has an overhead.
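The checksum-plus-sequence-number scheme described above, as an added example that is not code from the Kizza text: a routing-table update carries a keyed checksum (an HMAC over a shared key, an assumption, since an unkeyed checksum alone would not stop a forged packet) and a sequence number, and the receiver rejects both spurious packets and replayed ones. The key, route entries and peer names are constructed.

```python
# Added example: authenticating routing-table updates with a keyed checksum
# plus a sequence number. Keyed checksum = HMAC-SHA256 (an assumption; the
# text only says "checksum"). KEY and routes are constructed values.
import hashlib
import hmac
import json

KEY = b"constructed-shared-key"   # constructed; shared by the two routers

def make_update(seq, routes, key=KEY):
    """Sender side: serialise (seq, routes) and append the keyed checksum."""
    body = json.dumps({"seq": seq, "routes": routes}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag

class Receiver:
    """Receiver side: verify the checksum first, then require a strictly
    increasing sequence number so an old update cannot be played back."""
    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = -1
        self.table = {}

    def accept(self, packet):
        body, _, tag = packet.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad checksum"      # injected/spurious packet
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq:
            return "rejected: replay"             # duplicated or stale update
        self.last_seq = msg["seq"]
        self.table.update(msg["routes"])
        return "accepted"

def demo():
    """Two genuine updates, a replay of the first, and a packet built with
    the wrong key; returns the verdicts and the resulting routing table."""
    rx = Receiver()
    p1 = make_update(1, {"10.1.0.0/16": "r1"})
    p2 = make_update(2, {"10.2.0.0/16": "r2"})
    forged = make_update(3, {"0.0.0.0/0": "rogue"}, key=b"wrong-key")
    verdicts = [rx.accept(p1), rx.accept(p2), rx.accept(p1), rx.accept(forged)]
    return verdicts, rx.table
```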
Data Integrity
Software not related to work will not be used on any computer that is part of the network.
All software images and operating systems should use a checksum verification scheme before installation to confirm their integrity.
Data Confidentiality
This calls for encryption. The hardest part is to decide which data to encrypt. The decision should be based on the outcome of the Risk Assessment procedure, in which data is classified according to its security sensitivity. Encrypt the data that would be at the greatest risk without encryption.
For example, in an enterprise:
All data dealing with employee salary and benefits.
All data on product development.
All data on sales, etc.
Pay attention to the local Network Address Translation (NAT), a system used to spare network administrators with large pools of hosts from renumbering them when they all come on the Internet.
Equipment Certification
All new equipment to be added to the infrastructure should adhere to specified security requirements. Each site of the infrastructure should decide which security features and functionalities are necessary to support the security policy.
The following are good guidelines:
All infrastructure equipment must pass the acquisition certification process before purchase.
All new images and configurations must be modeled in a test facility before deployment.
All major scheduled network outages and interruptions of services must be announced to those to be affected well ahead of time.
Audit Trails
Keep logs of traffic patterns and note any deviations from normal behavior found. Such deviations are the first clues to security problems.
The data to be collected in the logs should include the following:
User name
Host name
Source and destination IP addresses
Source and destination port numbers
Timestamp
This collected data should be kept local to the resource until an event is finished, upon which it may be taken to a secure location. Make sure that the paths (channels) from the collection points to the storage location are secure.
Audit data should be among the most secured data on location and in backups.
Legal Considerations
Because of the content of the audit trail, a number of legal questions arise that may need attention.
One area of concern is the privacy of the users and of the data content, because it may contain personal information.
A second area of concern is knowledge of intrusive behavior; for example, having knowledge of the intrusive behavior of others, including the organization itself.
Incident Handling
A security breach is an incident resulting from an external intruder, unintentional damage, an employee testing some new program and inadvertently exploiting a software vulnerability, or a disgruntled employee causing intentional damage.
Build an Incident Response Team
This is a centralized group which is the primary focus when an incident occurs. It is a small core group with the following responsibilities:
Keeping up-to-date with the latest threats and incidents
Being the main point of contact for incident reporting
Notifying others of the incident
Assessing the damage and impact of the incident
Finding out how to avoid further exploitation of the same vulnerability
Recovering from the incident
Core team members must be knowledgeable and well rounded, with the correct mix of technical, communication, and political skills.
Detecting an Incident
When looking for signs of a security breach, focus on the following:
Accounting discrepancies
Data modification and deletion
Users complaining of poor system performance
Atypical traffic patterns
Atypical time of system use
Large numbers of failed login attempts
Detecting anomalies from normal behavior requires having knowledge of normal system functions. Use audit trails to learn the historical behavior of the system.
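Two of the signs above (atypical time of system use and large numbers of failed login attempts) checked against an audit trail with the fields listed under Audit Trails, as an added example that is not code from the Kizza text. The historical records establish each user's normal hours, and the record format, thresholds and all log lines are constructed.

```python
# Added example: audit-trail records in the fields the text lists (user,
# host, src/dst IP, src/dst port, timestamp) plus a login result, checked
# for off-hours use and failed-login bursts. All records are constructed;
# the record layout, threshold and window are assumptions.
from collections import defaultdict
from datetime import datetime

def parse(line):
    """Record: user host src_ip dst_ip src_port dst_port timestamp result."""
    user, host, sip, dip, sport, dport, ts, result = line.split()
    return {"user": user, "host": host, "src_ip": sip, "dst_ip": dip,
            "src_port": int(sport), "dst_port": int(dport),
            "time": datetime.fromisoformat(ts), "result": result}

HISTORY = [parse(l) for l in [   # baseline period, all successful logins
    "alice fs1 10.0.0.5 10.0.0.20 51000 22 2024-03-01T09:05:00 ok",
    "alice fs1 10.0.0.5 10.0.0.20 51002 22 2024-03-02T10:15:00 ok",
    "alice fs1 10.0.0.5 10.0.0.20 51004 22 2024-03-03T16:40:00 ok",
    "bob   db1 10.0.0.7 10.0.0.30 52000 5432 2024-03-01T14:00:00 ok",
]]
TODAY = [parse(l) for l in [     # period under review
    "alice fs1 10.0.0.5 10.0.0.20 51010 22 2024-03-04T03:12:00 ok",
    "bob   db1 10.0.0.9 10.0.0.30 52010 5432 2024-03-04T14:01:00 fail",
    "bob   db1 10.0.0.9 10.0.0.30 52011 5432 2024-03-04T14:01:05 fail",
    "bob   db1 10.0.0.9 10.0.0.30 52012 5432 2024-03-04T14:01:09 fail",
    "bob   db1 10.0.0.9 10.0.0.30 52013 5432 2024-03-04T14:01:14 fail",
    "bob   db1 10.0.0.9 10.0.0.30 52014 5432 2024-03-04T14:01:20 ok",
]]

def baseline_hours(history):
    """Hours of the day at which each user has normally been active."""
    hours = defaultdict(set)         # unknown user -> empty set -> any hour flagged
    for r in history:
        hours[r["user"]].add(r["time"].hour)
    return hours

def detect(records, history, fail_threshold=3, window_s=60):
    alerts, normal = [], baseline_hours(history)
    failures = defaultdict(list)     # (user, src_ip) -> recent failure times
    for r in sorted(records, key=lambda r: r["time"]):
        if r["result"] == "ok" and r["time"].hour not in normal[r["user"]]:
            alerts.append(("atypical-hour", r["user"], r["time"].isoformat()))
        if r["result"] == "fail":
            key = (r["user"], r["src_ip"])
            recent = [t for t in failures[key] if (r["time"] - t).total_seconds() <= window_s]
            recent.append(r["time"])
            failures[key] = recent
            if len(recent) == fail_threshold:      # alert once per burst
                alerts.append(("failed-login-burst", r["user"], r["src_ip"]))
    return alerts
```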
You must follow certain steps when handling an incident; the goals of those steps are defined by management and legal counsel. But the most fundamental goal is to restore the affected system and to limit the impact and damage. In the worst-case scenario it is better to shut down the system.
It is better to prioritize the actions to be taken during incident handling.
Passive Scanning
Strengths
The greatest strength of a passive scan is the lack of any impact to the network and the minimal time it takes to find real results. A passive scanner operates 24x7, and when you want to know what vulnerabilities it has seen, a report can be generated immediately.
Passive scanning also has the advantage of discovering client-side vulnerabilities and vulnerabilities in intranet networks we don't have permission to scan.
Weaknesses
Unfortunately, for a passive scan to work, a detectable host must elicit or respond to a packet. If a server never communicates on the network, the console will never see it.
Host-based Scanning
Strengths
The greatest strengths that host-based scanning has going for it are speed and accuracy. It takes a few seconds in most cases to complete an audit of all patches for a RedHat or Windows 2000 server if credentials have been provided. This audit uses well-known APIs and patch management tools provided by the underlying operating system.
Weaknesses
The biggest weakness of host-based scanning with many scanners like Nessus and NeWT is that credentials need to be supplied. Often, obtaining these credentials takes time. In many cases, an IT group may not appreciate giving a security group the ability to audit it at any time.