
Security+ Guide to Network Security Fundamentals, Fourth Edition

Chapter 4 Vulnerability Assessment and Mitigating Attacks

Objectives
- Define vulnerability assessment and explain why it is important
- List vulnerability assessment techniques and tools
- Explain the differences between vulnerability scanning and penetration testing
- List techniques for mitigating and deterring attacks


Vulnerability Assessment
- Systematic evaluation of asset exposure to:
  - Attackers
  - Forces of nature
  - Any other potentially harmful entity
- Aspects of vulnerability assessment:
  - Asset identification
  - Threat evaluation
  - Vulnerability appraisal
  - Risk assessment
  - Risk mitigation


Vulnerability Assessment (contd.)
- Asset identification: the process of inventorying items with economic value
- Common assets:
  - People
  - Physical assets
  - Data
  - Hardware
  - Software


Vulnerability Assessment (contd.)
- Determine each item's relative value:
  - The asset's criticality to the organization's goals
  - How much revenue the asset generates
  - How difficult the asset is to replace
  - Impact of asset unavailability on the organization
- Could rank using a number scale


Vulnerability Assessment (contd.)
- Threat evaluation: list potential threats
- Threat modeling
  - Goal: understand attackers and their methods
  - Often done by constructing scenarios
- Attack tree
  - Provides a visual representation of potential attacks
  - Inverted tree structure


Table 4-1 Common threat agents


Figure 4-1 Attack tree for stealing a car stereo


Cengage Learning 2012


Figure 4-2 Attack tree for breaking into grading system
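An attack tree is more than a picture: once the leaves carry an estimate of attacker cost, the tree tells you the cheapest way to the root goal and which countermeasure raises that cost the most. The following is an added example, not the book's code or its figures; it loosely follows the "steal a car stereo" goal of Figure 4-1, but the node names, the AND/OR layout and the costs are constructed assumptions.

```python
# Added example (not from the textbook): a small AND/OR attack tree with a cost
# on each leaf. The root is achieved by an AND of sub-goals, each of which is an
# OR of alternative steps. Node names and costs are constructed for illustration.
from dataclasses import dataclass, field
from typing import List

INFEASIBLE = float("inf")   # cost of a leaf that a countermeasure has ruled out


@dataclass
class Node:
    name: str
    kind: str = "leaf"                 # "leaf", "and" or "or"
    cost: float = 0.0                  # attacker cost of a leaf (effort, money, risk)
    children: List["Node"] = field(default_factory=list)

    def cheapest(self) -> float:
        """Minimum attacker cost to achieve this node.
        OR node: cheapest child.  AND node: sum of all children.  Leaf: own cost."""
        if self.kind == "leaf":
            return self.cost
        costs = [c.cheapest() for c in self.children]
        return min(costs) if self.kind == "or" else sum(costs)

    def cheapest_path(self) -> List[str]:
        """Leaf names along the cheapest path (every branch of an AND, one branch of an OR)."""
        if self.kind == "leaf":
            return [self.name] if self.cost != INFEASIBLE else []
        if self.kind == "or":
            best = min(self.children, key=lambda c: c.cheapest())
            return best.cheapest_path()
        path: List[str] = []
        for c in self.children:
            path.extend(c.cheapest_path())
        return path


def build_tree() -> Node:
    """Constructed tree: the attacker must get into the car AND remove the stereo."""
    return Node("steal car stereo", "and", children=[
        Node("get into car", "or", children=[
            Node("find door unlocked", cost=1),
            Node("defeat lock", cost=8),
            Node("break window", cost=3),
        ]),
        Node("remove stereo", "or", children=[
            Node("unbolt stereo", cost=5),
            Node("cut wiring", cost=2),
        ]),
    ])


def mitigate(tree: Node, leaf_name: str) -> None:
    """Model a countermeasure by making the named leaf infeasible."""
    if tree.kind == "leaf":
        if tree.name == leaf_name:
            tree.cost = INFEASIBLE
        return
    for c in tree.children:
        mitigate(c, leaf_name)


if __name__ == "__main__":
    t = build_tree()
    print("cheapest attack:", t.cheapest(), t.cheapest_path())
    mitigate(t, "find door unlocked")       # e.g. an "always lock the car" policy
    print("after mitigation:", t.cheapest(), t.cheapest_path())
```

The defender's reading of the output is the point: mitigating the cheapest leaf only moves the attacker to the next cheapest alternative, so the tree shows how much a single control actually buys before the next branch has to be addressed as well.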




Vulnerability Assessment (contd.)
- Vulnerability appraisal
  - Determine current weaknesses
  - Snapshot of the organization's current security
  - Every asset should be viewed in light of each threat
  - Catalog each vulnerability
- Risk assessment
  - Determine the damage resulting from an attack
  - Assess the likelihood that the vulnerability is a risk to the organization


Table 4-2 Vulnerability impact scale


Vulnerability Assessment (contd.)
- Single loss expectancy (SLE)
  - Expected monetary loss each time a risk occurs
  - Calculated by multiplying the asset value by the exposure factor
  - Exposure factor: percentage of the asset value likely to be destroyed by a particular risk


Vulnerability Assessment (contd.)
- Annualized loss expectancy (ALE)
  - Expected monetary loss over a one-year period
  - Multiply SLE by the annualized rate of occurrence
  - Annualized rate of occurrence: probability that a risk will occur in a particular year


Vulnerability Assessment (contd.)
- Estimate the probability that the vulnerability will actually occur
- Risk mitigation
  - Determine what to do about risks
  - Determine how much risk can be tolerated
- Options for dealing with risk:
  - Diminish
  - Transfer (outsourcing, insurance)
  - Accept
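SLE and ALE only become useful when they are put next to the cost of doing something about the risk. Here is an added example, not from the textbook, that computes both figures as the chapter defines them and then compares the three options (diminish, transfer, accept) by expected annual cost. The asset value, exposure factor, rate of occurrence and the cost and effect of each option are constructed sample numbers.

```python
# Added example (not from the textbook): SLE and ALE as defined in the chapter,
# then the three risk-handling options compared by expected annual cost.
# Every figure in SCENARIO is a constructed sample value.

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor.
    The exposure factor is the fraction (0..1) of the asset's value lost in one occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence.
    ARO is how often the risk is expected per year (0.2 = once in five years)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def compare_options(asset_value, exposure_factor, aro, diminish, transfer):
    """Expected annual cost of each option = residual ALE + what the option costs.
    diminish: a control that lowers the ARO (patching, a firewall rule, ...).
    transfer: insurance or outsourcing that lowers the exposure factor for a premium.
    accept:   do nothing and carry the full ALE."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale = annualized_loss_expectancy(sle, aro)

    residual_diminish = annualized_loss_expectancy(sle, diminish["residual_aro"])
    residual_transfer = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, transfer["residual_ef"]), aro)

    costs = {
        "accept": ale,
        "diminish": residual_diminish + diminish["annual_cost"],
        "transfer": residual_transfer + transfer["annual_cost"],
    }
    best = min(costs, key=costs.get)
    return {"sle": sle, "ale": ale, "costs": costs, "best": best}


# Constructed scenario: a $200,000 asset, a risk that destroys 25% of it when it
# hits, expected once every five years.
SCENARIO = dict(
    asset_value=200_000.0,
    exposure_factor=0.25,
    aro=0.2,
    diminish={"annual_cost": 3_000.0, "residual_aro": 0.05},   # control cuts ARO to once in 20 years
    transfer={"annual_cost": 4_000.0, "residual_ef": 0.05},    # insurance leaves a 5% deductible
)

if __name__ == "__main__":
    r = compare_options(**SCENARIO)
    print(f"SLE = {r['sle']:,.0f}  ALE = {r['ale']:,.0f}")
    for name, cost in r["costs"].items():
        print(f"  {name:<9} expected annual cost {cost:,.0f}")
    print("cheapest option:", r["best"])
```

With these numbers the SLE is 50,000 and the ALE 10,000; diminishing costs 5,500 a year all-in, transferring 6,000 and accepting 10,000, so the control wins. Change the control's cost or residual ARO and the ranking flips, which is exactly the "how much risk can be tolerated" decision the slide describes.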

Table 4-3 Risk identification steps


Assessment Techniques
- Baseline reporting
  - Baseline: a standard for solid security
  - Compare the present state to the baseline
  - Note, evaluate, and possibly address differences
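Baseline reporting is mechanical once the baseline is written down as data. The following is an added example, not the book's code or any product's output: the baseline is a dictionary of expected settings, the current state is compared against it, and every difference is reported for evaluation. Both dictionaries are constructed sample data and the setting names are assumptions.

```python
# Added example (not from the textbook): compare a host's current settings to a
# security baseline and report every difference. BASELINE and CURRENT are
# constructed sample data; the keys are illustrative, not a real tool's schema.
from typing import Dict, List, Optional, Tuple

Settings = Dict[str, object]
Finding = Tuple[str, str, Optional[object], Optional[object]]   # kind, key, expected, actual


def compare_to_baseline(baseline: Settings, current: Settings) -> List[Finding]:
    """Return one finding per difference.
    'missing'    : setting in the baseline is absent from the current state
    'drift'      : setting exists but its value differs from the baseline
    'unexpected' : setting present now that the baseline does not describe"""
    findings: List[Finding] = []
    for key, expected in sorted(baseline.items()):
        if key not in current:
            findings.append(("missing", key, expected, None))
        elif current[key] != expected:
            findings.append(("drift", key, expected, current[key]))
    for key in sorted(set(current) - set(baseline)):
        findings.append(("unexpected", key, None, current[key]))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Plain-text report in the 'note, evaluate, address' spirit of the slide."""
    if not findings:
        return "no differences from baseline"
    lines = [f"{len(findings)} difference(s) from baseline:"]
    for kind, key, expected, actual in findings:
        lines.append(f"  [{kind:<10}] {key}: expected={expected!r} actual={actual!r}")
    return "\n".join(lines)


# Constructed baseline: what a hardened host is supposed to look like.
BASELINE: Settings = {
    "ssh.password_auth": False,
    "ssh.root_login": False,
    "firewall.enabled": True,
    "services.telnet": "disabled",
    "password.min_length": 12,
}

# Constructed current state: password auth has been re-enabled, the telnet
# setting is no longer recorded, and an FTP service has appeared.
CURRENT: Settings = {
    "ssh.password_auth": True,
    "ssh.root_login": False,
    "firewall.enabled": True,
    "password.min_length": 12,
    "services.ftp": "enabled",
}

if __name__ == "__main__":
    print(format_report(compare_to_baseline(BASELINE, CURRENT)))
```

Sorting the keys keeps two runs of the report comparable line by line, which matters when the output is diffed over time rather than read once.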


Assessment Techniques (contd.)
- Application development techniques: minimize vulnerabilities during software development
- Challenges to this approach:
  - Software application size and complexity
  - Lack of security specifications
  - Future attack techniques are unknown


Assessment Techniques (contd.)
- Software development assessment techniques
  - Review the architectural design in the requirements phase
  - Conduct design reviews; consider including a security consultant
  - Conduct code review during the implementation phase
  - Examine the attack surface (code executed by users)
  - Correct bugs during the verification phase
  - Create and distribute security updates as necessary


Figure 4-3 Software development process




Assessment Tools
- IP addresses uniquely identify each network device
- TCP/IP communication involves an information exchange between one system's program and another system's corresponding program
- Port number
  - Unique identifier for applications and services
  - 16 bits in length


Assessment Tools (contd.)
- Well-known port numbers: reserved for the most universal applications
- Registered port numbers: other applications that are not as widely used
- Dynamic and private port numbers: available for any application to use


Table 4-4 Commonly used default network ports


Assessment Tools (contd.)
- Knowledge of what port is being used can be used by an attacker to target a specific service
- Port scanner software
  - Searches a system for available ports
  - Used to determine port state:
    - Open
    - Closed
    - Blocked
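How a scanner arrives at "open", "closed" or "blocked" is worth seeing in code, and the defender's use of it is to confirm that only the services you expect are reachable on your own hosts. The block below is an added example, not the book's code or any scanner's source: a TCP connect that succeeds is open, an immediate refusal is closed, and no answer before the timeout is blocked (most scanners call this "filtered"). The range split follows the well-known/registered/dynamic division in the text; the host, ports and expected set in the usage are constructed assumptions.

```python
# Added example (not from the textbook): port state from a single TCP connect
# probe, plus a check of a host against the set of ports you expect to be open.
# The host address, candidate ports and expected set are constructed assumptions.
import socket
from contextlib import closing
from typing import Callable, Dict, Iterable, Optional, Tuple


def port_range(port: int) -> str:
    """Classify a 16-bit port number by the three ranges the text describes."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16 bits: 0-65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def state_from_connect(exc: Optional[BaseException]) -> str:
    """Map the outcome of a TCP connect attempt to a port state."""
    if exc is None:
        return "open"
    if isinstance(exc, ConnectionRefusedError):
        return "closed"        # host answered with a reset: nothing is listening
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "blocked"       # no answer at all: a firewall dropped the probe
    return "error"             # e.g. no route to host


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """One TCP connect probe; returns open / closed / blocked / error."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError as exc:
            return state_from_connect(exc)
    return state_from_connect(None)


def check_expected_ports(host: str, expected_open: Iterable[int], candidates: Iterable[int],
                         probe: Callable[[str, int], str] = probe_port) -> Dict[int, Tuple[str, str]]:
    """Probe each candidate port and flag deviations from the expected set:
    'unexpected' = open but not expected (a possibly unnecessary service),
    'missing'    = expected but not open, otherwise 'ok'.
    `probe` is injectable so the logic can be exercised without a network."""
    expected = set(expected_open)
    results: Dict[int, Tuple[str, str]] = {}
    for port in candidates:
        state = probe(host, port)
        if state == "open" and port not in expected:
            verdict = "unexpected"
        elif state != "open" and port in expected:
            verdict = "missing"
        else:
            verdict = "ok"
        results[port] = (state, verdict)
    return results


if __name__ == "__main__":
    # Constructed expectation: only SSH and HTTPS should answer on this host.
    for port, (state, verdict) in check_expected_ports("127.0.0.1", {22, 443}, [22, 23, 443, 8080]).items():
        print(f"{port:>5} {port_range(port):<16} {state:<8} {verdict}")
```

The "blocked" verdict is the one that trips people up: a connect that times out tells you a filter is in the path, not that nothing is listening behind it, so an expected port reported as blocked is a firewall question before it is a service question.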


Figure 4-4 Port scanner




Table 4-5 Port scanning



Assessment Tools (contd.)
- Protocol analyzers
  - Hardware or software that captures packets to decode and analyze their contents
  - Also known as sniffers
  - Example: Wireshark
- Common uses for protocol analyzers:
  - Used by network administrators for troubleshooting
  - Characterizing network traffic
  - Security analysis


Figure 4-5 Protocol analyzer




Assessment Tools (contd.)
- An attacker can use a protocol analyzer to display the content of each transmitted packet
- Vulnerability scanners
  - Products that look for vulnerabilities in networks or systems
  - Most maintain a database categorizing the vulnerabilities they can detect


Figure 4-6 Vulnerability scanner




Assessment Tools (contd.)
- Examples of vulnerability scanner capabilities:
  - Alert when new systems are added to the network
  - Detect when an internal system begins to port scan other systems
  - Maintain a log of all interactive network sessions
  - Track all client and server application vulnerabilities
  - Track which systems communicate with other internal systems


Assessment Tools (contd.)
- Problem with assessment tools: no standard for collecting, analyzing, and reporting vulnerabilities
- Open Vulnerability and Assessment Language (OVAL)
  - Designed to promote open and publicly available security content
  - Standardizes information transfer across different security tools and services


Figure 4-7 OVAL output




Honeypots and Honeynets
- Honeypot
  - Computer protected by minimal security
  - Intentionally configured with vulnerabilities
  - Contains bogus data files
  - Goal: trick attackers into revealing their techniques
  - Compare to actual production systems to determine their security level against the attack
- Honeynet: a network set up with one or more honeypots


Vulnerability Scanning vs. Penetration Testing
- Vulnerability scan
  - Automated software searches a system for known security weaknesses
  - Creates a report of potential exposures
  - Should be conducted on existing systems and as new technology is deployed
  - Usually performed from inside the security perimeter
  - Does not interfere with normal network operations


Penetration Testing
- Designed to exploit system weaknesses
- Relies on the tester's skill, knowledge, and cunning
- Usually conducted by an independent contractor
- Tests usually conducted from outside the security perimeter
- May even disrupt network operations
- End result: a penetration test report


Penetration Testing (contd.)
- Black box test: the tester has no prior knowledge of the network infrastructure
- White box test: the tester has in-depth knowledge of the network and systems being tested
- Gray box test: some limited information has been provided to the tester


Table 4-6 Vulnerability scan and penetration testing features


Mitigating and Deterring Attacks
- Standard techniques for mitigating and deterring attacks:
  - Creating a security posture
  - Configuring controls
  - Hardening
  - Reporting


Creating a Security Posture
- Security posture describes the strategy regarding security
- Initial baseline configuration
  - Standard security checklist
  - Systems evaluated against the baseline
  - Starting point for security
- Continuous security monitoring: regularly observe systems and networks


Creating a Security Posture (contd.)
- Remediation: as vulnerabilities are exposed, put a plan in place to address them


Configuring Controls
- Properly configuring controls is key to mitigating and deterring attacks
- Some controls are for detection (example: a security camera)
- Some controls are for prevention (example: a properly positioned security guard)
- Information security controls can be configured to detect attacks and sound alarms, or to prevent attacks


Configuring Controls (contd.)
- Additional consideration: when normal function is interrupted by a failure, which is the higher priority, security or safety?
  - Fail-open lock: unlocks doors automatically upon failure
  - Fail-safe lock: automatically locks (highest security level)
- A firewall can be configured in a fail-safe or fail-open state


Hardening
- Purpose of hardening: eliminate as many security risks as possible
- Techniques to harden systems:
  - Protecting accounts with passwords
  - Disabling unnecessary accounts
  - Disabling unnecessary services
  - Protecting management interfaces and applications
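The four hardening techniques on the slide translate directly into audit rules. What follows is an added example, not the book's code or any hardening tool: each rule inspects a record of an account or a service and raises a finding when the system is not hardened in that respect. The account and service records are constructed sample data, and the rules themselves (what counts as "protected" or "unnecessary") are assumptions made for the example.

```python
# Added example (not from the textbook): a rule-based hardening audit covering
# the four techniques in the text. ACCOUNTS and SERVICES are constructed sample
# records; the rules are assumptions about what a hardened host looks like.
from dataclasses import dataclass
from typing import List, Tuple

Finding = Tuple[str, str]   # (severity, message)


@dataclass
class Account:
    name: str
    has_password: bool
    enabled: bool
    needed: bool              # does the business still need this account?


@dataclass
class Service:
    name: str
    running: bool
    needed: bool
    management: bool = False  # an administrative / management interface
    listen_address: str = "0.0.0.0"


def audit_accounts(accounts: List[Account]) -> List[Finding]:
    """Rules 1 and 2: accounts must have passwords; unneeded accounts must be disabled."""
    findings: List[Finding] = []
    for a in accounts:
        if a.enabled and not a.has_password:
            findings.append(("high", f"account '{a.name}' is enabled without a password"))
        if a.enabled and not a.needed:
            findings.append(("medium", f"unnecessary account '{a.name}' is still enabled"))
    return findings


def audit_services(services: List[Service]) -> List[Finding]:
    """Rules 3 and 4: unneeded services must be stopped; management interfaces
    must not listen on every address."""
    findings: List[Finding] = []
    for s in services:
        if s.running and not s.needed:
            findings.append(("medium", f"unnecessary service '{s.name}' is running"))
        if s.running and s.management and s.listen_address == "0.0.0.0":
            findings.append(("high", f"management interface '{s.name}' listens on all addresses"))
    return findings


def hardening_report(accounts: List[Account], services: List[Service]) -> List[Finding]:
    """All findings, highest severity first (stable sort keeps rule order within a level)."""
    order = {"high": 0, "medium": 1}
    findings = audit_accounts(accounts) + audit_services(services)
    findings.sort(key=lambda f: order[f[0]])
    return findings


# Constructed sample inventory of one host.
ACCOUNTS = [
    Account("root", has_password=True, enabled=True, needed=True),
    Account("guest", has_password=False, enabled=True, needed=False),
    Account("oldadmin", has_password=True, enabled=True, needed=False),
    Account("svc_backup", has_password=True, enabled=False, needed=False),
]
SERVICES = [
    Service("sshd", running=True, needed=True),
    Service("telnet", running=True, needed=False),
    Service("cups", running=True, needed=False),
    Service("web-admin", running=True, needed=True, management=True, listen_address="0.0.0.0"),
    Service("db-admin", running=True, needed=True, management=True, listen_address="127.0.0.1"),
]

if __name__ == "__main__":
    for severity, message in hardening_report(ACCOUNTS, SERVICES):
        print(f"[{severity:<6}] {message}")
```

Note that `svc_backup` produces nothing even though it is unneeded: disabling was the hardening step, and the audit confirms it was taken. `db-admin` likewise passes because its management interface is bound to the loopback address only.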


Reporting
- Providing information regarding events that occur
- Alarms or alerts
  - Sound a warning if a specific situation is occurring
  - Example: alert if there are too many failed password attempts
- Reporting can provide information on trends
  - Can indicate a serious impending situation
  - Example: multiple user accounts experiencing multiple password attempts
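The two examples on the slide are two different detections: the alarm fires on one account with many failures, while the trend looks across accounts for one source failing against many of them. Below is an added example, not the book's code, that implements both over a handful of log lines. The lines are constructed samples in a syslog-like "Failed password for USER from ADDR" layout (an assumption about the format), and the thresholds are assumptions as well.

```python
# Added example (not from the textbook): the alert and the trend from the slide
# as detection logic over log lines. LOG_LINES is constructed sample data in a
# syslog-like layout; the thresholds are assumed values.
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

LOG_LINES = """\
Jan 10 09:00:01 host sshd[101]: Failed password for alice from 10.0.0.5 port 5000
Jan 10 09:00:04 host sshd[101]: Failed password for alice from 10.0.0.5 port 5001
Jan 10 09:00:07 host sshd[101]: Failed password for alice from 10.0.0.5 port 5002
Jan 10 09:00:10 host sshd[101]: Failed password for alice from 10.0.0.5 port 5003
Jan 10 09:00:13 host sshd[101]: Failed password for alice from 10.0.0.5 port 5004
Jan 10 09:00:15 host sshd[101]: Accepted password for alice from 10.0.0.5 port 5005
Jan 10 09:01:00 host sshd[102]: Failed password for bob from 198.51.100.7 port 6000
Jan 10 09:01:01 host sshd[102]: Failed password for carol from 198.51.100.7 port 6001
Jan 10 09:01:02 host sshd[102]: Failed password for dave from 198.51.100.7 port 6002
Jan 10 09:01:03 host sshd[102]: Failed password for erin from 198.51.100.7 port 6003
Jan 10 09:01:04 host sshd[102]: Failed password for frank from 198.51.100.7 port 6004
Jan 10 09:02:00 host sshd[103]: Failed password for bob from 10.0.0.9 port 7000
"""

# Matches the failure lines only; "invalid user" is optional so unknown names count too.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def parse_failures(text: str) -> List[Tuple[str, str]]:
    """(user, source) for every failed-password line; successes are ignored."""
    return [m.groups() for line in text.splitlines() if (m := FAILED.search(line))]


def alert_failed_logins(failures: List[Tuple[str, str]], threshold: int = 5) -> List[str]:
    """Alarm: accounts with at least `threshold` failed attempts (assumed threshold)."""
    per_account = Counter(user for user, _ in failures)
    return sorted(user for user, n in per_account.items() if n >= threshold)


def trend_many_accounts(failures: List[Tuple[str, str]], min_accounts: int = 3) -> Dict[str, List[str]]:
    """Trend: a single source failing against many different accounts, which the
    per-account alarm above would miss because no one account crosses its threshold."""
    accounts_by_source: Dict[str, set] = defaultdict(set)
    for user, source in failures:
        accounts_by_source[source].add(user)
    return {src: sorted(users) for src, users in accounts_by_source.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    failures = parse_failures(LOG_LINES)
    print("accounts over the failure threshold:", alert_failed_logins(failures))
    print("sources trying many accounts:", trend_many_accounts(failures))
```

The second detector exists because of the gap in the first: in the sample, bob fails twice and every other account from 198.51.100.7 fails once, so no per-account alarm fires, yet one source touching five accounts in five seconds is the "serious impending situation" the slide has in mind.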
