Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 4: Vulnerability Assessment and Mitigating Attacks
Slides: 44

Objectives
• Define vulnerability assessment and explain why it is important
• List vulnerability assessment techniques and tools
• Explain the differences between vulnerability scanning and penetration testing
• List techniques for mitigating and deterring attacks

Vulnerability Assessment
• Systematic evaluation of asset exposure to:
  – Attackers
  – Forces of nature
  – Any potentially harmful entity
• Aspects of vulnerability assessment
  – Asset identification
  – Threat evaluation
  – Vulnerability appraisal
  – Risk assessment
  – Risk mitigation

Vulnerability Assessment (cont’d.)
• Asset identification
  – Process of inventorying items with economic value
• Common assets
  – People
  – Physical assets
  – Data
  – Hardware
  – Software

Vulnerability Assessment (cont’d.)
• Determine each item’s relative value
  – Asset’s criticality to the organization’s goals
  – How much revenue the asset generates
  – How difficult the asset is to replace
  – Impact of the asset’s unavailability on the organization
• Could rank using a number scale

Vulnerability Assessment (cont’d.)
• Threat evaluation
  – List potential threats
• Threat modeling
  – Goal: understand attackers and their methods
  – Often done by constructing scenarios
• Attack tree
  – Provides a visual representation of potential attacks
  – Inverted tree structure

Table 4-1 Common threat agents

Figure 4-1 Attack tree for stealing a car stereo © Cengage Learning 2012

Figure 4-2 Attack tree for breaking into grading system © Cengage Learning 2012
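An attack tree of the kind shown in the figures, evaluated in code: OR nodes need any one child, AND nodes need all of them, and the defender can see which single control cuts every path to the goal. This is an added example, not from the textbook; the tree, its step costs and the control names are constructed and only borrow the car-stereo theme of Figure 4-1.

```python
"""Attack-tree evaluation: cheapest path to the goal and the effect of mitigations.
Added example; the tree below is constructed, not the textbook's Figure 4-1."""
from __future__ import annotations
from dataclasses import dataclass, field

INFEASIBLE = float("inf")

@dataclass
class Node:
    label: str
    kind: str = "leaf"      # "leaf", "or" (any child suffices) or "and" (all children needed)
    cost: float = 0.0       # attacker effort for a leaf, in constructed units
    children: list[Node] = field(default_factory=list)

def min_attack_cost(node: Node, mitigated: frozenset[str] = frozenset()) -> float:
    """Least effort needed to reach `node`; INFEASIBLE once every path is cut."""
    if node.kind == "leaf":
        return INFEASIBLE if node.label in mitigated else node.cost
    costs = [min_attack_cost(c, mitigated) for c in node.children]
    return min(costs) if node.kind == "or" else sum(costs)

def cheapest_path(node: Node, mitigated: frozenset[str] = frozenset()) -> list[str]:
    """Leaf steps on the cheapest path to `node` (empty list if infeasible)."""
    if min_attack_cost(node, mitigated) == INFEASIBLE:
        return []
    if node.kind == "leaf":
        return [node.label]
    if node.kind == "or":
        best = min(node.children, key=lambda c: min_attack_cost(c, mitigated))
        return cheapest_path(best, mitigated)
    return [step for c in node.children for step in cheapest_path(c, mitigated)]

# Constructed tree: root goal (OR) with two AND branches that share one leaf.
PRY = Node("pry stereo loose", cost=3)
STEREO = Node("steal car stereo", "or", children=[
    Node("smash and grab", "and", children=[Node("break window", cost=2), PRY]),
    Node("use the keys", "and", children=[Node("obtain the keys", cost=6), PRY]),
])

if __name__ == "__main__":
    print(min_attack_cost(STEREO), cheapest_path(STEREO))  # 5 ['break window', 'pry stereo loose']
    alarm = frozenset({"break window"})        # a control that covers only one branch
    print(min_attack_cost(STEREO, alarm), cheapest_path(STEREO, alarm))  # 9 [...]
    bracket = frozenset({"pry stereo loose"})  # a control on the leaf both branches share
    print(min_attack_cost(STEREO, bracket), cheapest_path(STEREO, bracket))  # inf []
```

The comparison at the end is the point of the exercise: a control on one branch only raises the attacker’s cost, while a control on the shared leaf leaves no feasible path at all.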

Vulnerability Assessment (cont’d.)
• Vulnerability appraisal
  – Determine current weaknesses
  – Snapshot of the organization’s current security
  – Every asset should be viewed in light of each threat
  – Catalog each vulnerability
• Risk assessment
  – Determine the damage resulting from an attack
  – Assess the likelihood that the vulnerability is a risk to the organization

Table 4-2 Vulnerability impact scale

Vulnerability Assessment (cont’d.)
• Single loss expectancy (SLE)
  – Expected monetary loss each time a risk occurs
  – Calculated by multiplying the asset value by the exposure factor
  – Exposure factor: percentage of the asset value likely to be destroyed by a particular risk

Vulnerability Assessment (cont’d.)
• Annualized loss expectancy (ALE)
  – Expected monetary loss over a one-year period
  – Multiply SLE by the annualized rate of occurrence (ARO)
  – Annualized rate of occurrence: probability that a risk will occur in a particular year

Vulnerability Assessment (cont’d.)
• Estimate the probability that the vulnerability will actually occur
• Risk mitigation
  – Determine what to do about risks
  – Determine how much risk can be tolerated
• Options for dealing with risk
  – Diminish
  – Transfer (outsourcing, insurance)
  – Accept
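A worked example of the SLE and ALE calculations from the preceding slides, carried one step further to cost the "diminish" option against accepting the risk. It is added here and is not from the textbook; the asset values, exposure factors, rates and safeguard cost are constructed.

```python
"""Quantitative risk assessment with SLE and ALE, plus a cost check on the
"diminish" option. Added example; all figures are constructed."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # value of the asset, in dollars
    exposure_factor: float  # fraction of the asset value lost per occurrence (0.0 to 1.0)
    aro: float              # annualized rate of occurrence (expected events per year)

def single_loss_expectancy(risk: Risk) -> float:
    """SLE = asset value x exposure factor."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return risk.asset_value * risk.exposure_factor

def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO."""
    return single_loss_expectancy(risk) * risk.aro

def rank_by_ale(risks: list[Risk]) -> list[str]:
    """Risk names from highest to lowest expected annual loss."""
    return [r.name for r in sorted(risks, key=annualized_loss_expectancy, reverse=True)]

def safeguard_net_benefit(risk: Risk, residual_aro: float, annual_cost: float) -> float:
    """Annual saving from a safeguard that lowers the ARO to residual_aro, minus its
    cost. A negative result means accepting or transferring the risk may be cheaper."""
    reduced = replace(risk, aro=residual_aro)
    return annualized_loss_expectancy(risk) - annualized_loss_expectancy(reduced) - annual_cost

# Constructed sample: a $100,000 file server where ransomware destroys 60% of its
# value about once every four years, and a $20,000 laptop fleet with a 10% theft
# loss expected twice a year.
RANSOMWARE = Risk("ransomware on file server", 100_000, 0.60, 0.25)
LAPTOP_THEFT = Risk("laptop theft", 20_000, 0.10, 2.0)

if __name__ == "__main__":
    print(f"SLE = ${single_loss_expectancy(RANSOMWARE):,.0f}")      # $60,000
    print(f"ALE = ${annualized_loss_expectancy(RANSOMWARE):,.0f}")  # $15,000
    print(rank_by_ale([LAPTOP_THEFT, RANSOMWARE]))
    # Diminish: offline backups at $4,000/yr are expected to cut the ARO to 0.05
    print(f"net benefit = ${safeguard_net_benefit(RANSOMWARE, 0.05, 4_000):,.0f}")  # $8,000
```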

Table 4-3 Risk identification steps

Assessment Techniques
• Baseline reporting
  – Baseline: standard for solid security
  – Compare the present state to the baseline
  – Note, evaluate, and possibly address differences

Assessment Techniques (cont’d.)
• Application development techniques
  – Minimize vulnerabilities during software development
• Challenges to this approach
  – Software application size and complexity
  – Lack of security specifications
  – Future attack techniques are unknown

Assessment Techniques (cont’d.)
• Software development assessment techniques
  – Review the architectural design in the requirements phase
  – Conduct design reviews
    • Consider including a security consultant
  – Conduct code review during the implementation phase
    • Examine the attack surface (code executed by users)
  – Correct bugs during the verification phase
  – Create and distribute security updates as necessary

Figure 4-3 Software development process © Cengage Learning 2012

Assessment Tools
• IP addresses uniquely identify each network device
• TCP/IP communication
  – Involves information exchange between one system’s program and another system’s corresponding program
• Port number
  – Unique identifier for applications and services
  – 16 bits in length

Assessment Tools (cont’d.)
• Well-known port numbers
  – Reserved for the most universal applications
• Registered port numbers
  – Other applications that are not as widely used
• Dynamic and private port numbers
  – Available for any application to use

Table 4-4 Commonly used default network ports

Assessment Tools (cont’d.)
• Knowledge of what port is being used
  – Can be used by an attacker to target a specific service
• Port scanner software
  – Searches a system for available ports
  – Used to determine port state:
    • Open
    • Closed
    • Blocked

Figure 4-4 Port scanner © Cengage Learning 2012

Table 4-5 Port scanning

Assessment Tools (cont’d.)
• Protocol analyzers
  – Hardware or software that captures packets in order to decode and analyze their contents
  – Also known as sniffers
  – Example: Wireshark
• Common uses for protocol analyzers
  – Used by network administrators for troubleshooting
  – Characterizing network traffic
  – Security analysis

Figure 4-5 Protocol analyzer © Cengage Learning 2012

Assessment Tools (cont’d.)
• An attacker can use a protocol analyzer to display the content of each transmitted packet
• Vulnerability scanners
  – Products that look for vulnerabilities in networks or systems
  – Most maintain a database categorizing the vulnerabilities they can detect

Figure 4-6 Vulnerability scanner © Cengage Learning 2012

Assessment Tools (cont’d.)
• Examples of vulnerability scanners’ capabilities
  – Alert when new systems are added to the network
  – Detect when an internal system begins to port scan other systems
  – Maintain a log of all interactive network sessions
  – Track all client and server application vulnerabilities
  – Track which systems communicate with other internal systems

Assessment Tools (cont’d.)
• Problem with assessment tools
  – No standard for collecting, analyzing, and reporting vulnerabilities
• Open Vulnerability and Assessment Language (OVAL)
  – Designed to promote open and publicly available security content
  – Standardizes information transfer across different security tools and services

Figure 4-7 OVAL output © Cengage Learning 2012

Honeypots and Honeynets
• Honeypot
  – Computer protected by minimal security
  – Intentionally configured with vulnerabilities
  – Contains bogus data files
• Goal: trick attackers into revealing their techniques
  – Compare with actual production systems to determine their security level against the attack
• Honeynet
  – Network set up with one or more honeypots

Vulnerability Scanning vs. Penetration Testing
• Vulnerability scan
  – Automated software searches a system for known security weaknesses
  – Creates a report of potential exposures
  – Should be conducted on existing systems and as new technology is deployed
  – Usually performed from inside the security perimeter
  – Does not interfere with normal network operations

Penetration Testing
• Designed to exploit system weaknesses
• Relies on the tester’s skill, knowledge, and cunning
• Usually conducted by an independent contractor
• Tests are usually conducted from outside the security perimeter
  – May even disrupt network operations
• End result: penetration test report

Penetration Testing (cont’d.)
• Black box test
  – Tester has no prior knowledge of the network infrastructure
• White box test
  – Tester has in-depth knowledge of the network and systems being tested
• Gray box test
  – Some limited information has been provided to the tester

Table 4-6 Vulnerability scan and penetration testing features

Mitigating and Deterring Attacks
• Standard techniques for mitigating and deterring attacks
  – Creating a security posture
  – Configuring controls
  – Hardening
  – Reporting

Creating a Security Posture
• Security posture describes an organization’s strategy regarding security
• Initial baseline configuration
  – Standard security checklist
  – Systems are evaluated against the baseline
  – Starting point for security
• Continuous security monitoring
  – Regularly observe systems and networks

Creating a Security Posture (cont’d.)
• Remediation
  – As vulnerabilities are exposed, put a plan in place to address them

Configuring Controls
• Properly configuring controls is key to mitigating and deterring attacks
• Some controls are for detection
  – Security camera
• Some controls are for prevention
  – Properly positioned security guard
• Information security controls
  – Can be configured to detect attacks and sound alarms, or to prevent attacks

Configuring Controls (cont’d.)
• Additional consideration
  – When normal function is interrupted by a failure:
    • Which is the higher priority, security or safety?
  – Fail-open lock unlocks doors automatically upon failure
  – Fail-safe lock automatically locks
    • Highest security level
  – A firewall can be configured in a fail-safe or fail-open state

Hardening
• Purpose of hardening
  – Eliminate as many security risks as possible
• Techniques to harden systems
  – Protecting accounts with passwords
  – Disabling unnecessary accounts
  – Disabling unnecessary services
  – Protecting management interfaces and applications

Reporting
• Providing information regarding events that occur
• Alarms or alerts
  – Sound a warning if a specific situation is occurring
  – Example: alert if there are too many failed password attempts
• Reporting can provide information on trends
  – Can indicate a serious impending situation
  – Example: multiple user accounts experiencing multiple password attempts
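The two reporting cases on this slide, an alarm on one account with too many failed attempts and a trend report across many accounts, as detection logic run over a handful of authentication log lines. This is an added example, not from the textbook; the log format, the log lines and the thresholds are constructed.

```python
"""Alarms and trend reporting over authentication failures. Added example; the log
format and the log lines are constructed."""
from collections import Counter, defaultdict
import re

# Constructed line format: "<timestamp> auth <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2024-03-01T10:00:01 auth FAIL user=alice src=10.0.0.5
2024-03-01T10:00:03 auth FAIL user=alice src=10.0.0.5
2024-03-01T10:00:04 auth FAIL user=alice src=10.0.0.5
2024-03-01T10:00:06 auth FAIL user=alice src=10.0.0.5
2024-03-01T10:00:08 auth OK user=alice src=10.0.0.5
2024-03-01T10:01:00 auth FAIL user=bob src=203.0.113.9
2024-03-01T10:01:02 auth FAIL user=bob src=203.0.113.9
2024-03-01T10:01:05 auth FAIL user=carol src=203.0.113.9
2024-03-01T10:01:07 auth FAIL user=carol src=203.0.113.9
2024-03-01T10:01:09 auth FAIL user=dave src=203.0.113.9
2024-03-01T10:01:11 auth FAIL user=dave src=203.0.113.9
2024-03-01T10:02:00 auth OK user=erin src=10.0.0.7
"""

def parse(log: str) -> list[dict]:
    """Turn log text into event dicts; lines that do not match the format are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def failed_login_alerts(events: list[dict], threshold: int = 4) -> dict[str, int]:
    """Alarm: accounts whose failed attempts reach the threshold."""
    fails = Counter(e["user"] for e in events if e["result"] == "FAIL")
    return {user: n for user, n in fails.items() if n >= threshold}

def spray_trend(events: list[dict], min_accounts: int = 3, min_failures: int = 2) -> dict[str, list[str]]:
    """Trend: sources failing against several accounts, each hit more than once.
    No single account reaches the alarm threshold, but the pattern across accounts
    is the early warning the slide describes."""
    per_src: dict[str, Counter] = defaultdict(Counter)
    for e in events:
        if e["result"] == "FAIL":
            per_src[e["src"]][e["user"]] += 1
    report = {}
    for src, users in per_src.items():
        hit = sorted(u for u, n in users.items() if n >= min_failures)
        if len(hit) >= min_accounts:
            report[src] = hit
    return report
```

On the sample log the alarm fires for alice alone, while the trend report singles out 203.0.113.9 for two failures against each of bob, carol and dave, none of whom would have triggered the per-account alarm.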