Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 4 Vulnerability Assessment and Mitigating Attacks

Dec 23, 2015

Benedict Horn
Transcript
Page 1: Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 4 Vulnerability Assessment and Mitigating Attacks.

Security+ Guide to Network Security Fundamentals, Fourth Edition

Chapter 4: Vulnerability Assessment and Mitigating Attacks

Page 2

Objectives

• Define vulnerability assessment and explain why it is important
• List vulnerability assessment techniques and tools
• Explain the differences between vulnerability scanning and penetration testing
• List techniques for mitigating and deterring attacks

Page 3

Vulnerability Assessment

• Systematic evaluation of asset exposure to:
  – Attackers
  – Forces of nature
  – Any potentially harmful entity
• Aspects of vulnerability assessment:
  – Asset identification
  – Threat evaluation
  – Vulnerability appraisal
  – Risk assessment
  – Risk mitigation

Page 4

Vulnerability Assessment (cont’d.)

• Asset identification
  – Process of inventorying items with economic value
• Common assets:
  – People
  – Physical assets
  – Data
  – Hardware
  – Software

Page 5

Vulnerability Assessment (cont’d.)

• Determine each item’s relative value:
  – Asset’s criticality to the organization’s goals
  – How much revenue the asset generates
  – How difficult the asset is to replace
  – Impact of the asset’s unavailability on the organization
• Could rank using a number scale

Page 6

Vulnerability Assessment (cont’d.)

• Threat evaluation
  – List potential threats
• Threat modeling
  – Goal: understand attackers and their methods
  – Often done by constructing scenarios
• Attack tree
  – Provides a visual representation of potential attacks
  – Inverted tree structure
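An attack tree is more than a drawing: once each leaf carries an estimated attacker cost, the tree can be evaluated to find the cheapest route to the root goal, which is the branch a defender should close first. The following is an added example written for this page, not code from the textbook. The root goal is taken from the caption of Figure 4-1; the branches, the OR/AND structure and the cost figures are constructed, and the helper names (AttackNode, cheapest_path, with_leaf_cost) are this example's own.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AttackNode:
    """One node of an attack tree: the attacker's goal at the root, sub-goals below."""
    goal: str
    kind: str = "leaf"                 # "leaf", "or" (any child achieves the goal) or "and" (all children needed)
    cost: float = 0.0                  # estimated attacker effort for a leaf, in constructed units
    children: Tuple["AttackNode", ...] = ()


def cheapest_path(node: AttackNode) -> Tuple[float, List[str]]:
    """Return the lowest-cost way to reach this node's goal and the goals along that path."""
    if node.kind == "leaf":
        return node.cost, [node.goal]
    if not node.children:
        raise ValueError(f"{node.goal!r} is an {node.kind} node with no children")
    if node.kind == "or":
        # Any one child suffices, so the attacker takes the cheapest branch.
        cost, path = min((cheapest_path(c) for c in node.children), key=lambda r: r[0])
        return cost, [node.goal] + path
    if node.kind == "and":
        # Every child is required, so the costs add up.
        total, path = 0.0, [node.goal]
        for child in node.children:
            cost, sub = cheapest_path(child)
            total += cost
            path += sub
        return total, path
    raise ValueError(f"unknown node kind {node.kind!r}")


def with_leaf_cost(node: AttackNode, goal: str, new_cost: float) -> AttackNode:
    """Return a copy of the tree in which the named leaf costs new_cost (models adding a control)."""
    if node.kind == "leaf":
        return AttackNode(node.goal, "leaf", new_cost if node.goal == goal else node.cost)
    return AttackNode(node.goal, node.kind, node.cost,
                      tuple(with_leaf_cost(c, goal, new_cost) for c in node.children))


# Constructed tree: the root goal follows Figure 4-1's caption; branches and costs are made up.
CAR_STEREO_TREE = AttackNode("Steal car stereo", "or", children=(
    AttackNode("Break window", cost=2),
    AttackNode("Enter without damage", "and", children=(
        AttackNode("Obtain door key", cost=8),
        AttackNode("Bypass alarm", cost=5),
    )),
))

if __name__ == "__main__":
    print("before control:", cheapest_path(CAR_STEREO_TREE))
    hardened = with_leaf_cost(CAR_STEREO_TREE, "Break window", 20)   # e.g. glass-break sensor fitted
    print("after control: ", cheapest_path(hardened))
```

Re-running the evaluation after raising one leaf's cost shows whether the control actually moved the cheapest path or merely shifted the attacker to the next branch, which is the question a threat-modeling scenario is meant to answer.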

Page 7

Table 4-1 Common threat agents

Page 8

Figure 4-1 Attack tree for stealing a car stereo (© Cengage Learning 2012)

Page 9

Figure 4-2 Attack tree for breaking into a grading system (© Cengage Learning 2012)

Page 10

Vulnerability Assessment (cont’d.)

• Vulnerability appraisal
  – Determine current weaknesses
    • Snapshot of the organization’s current security
  – Every asset should be viewed in light of each threat
  – Catalog each vulnerability
• Risk assessment
  – Determine the damage resulting from an attack
  – Assess the likelihood that the vulnerability is a risk to the organization

Page 11

Table 4-2 Vulnerability impact scale

Page 12

Vulnerability Assessment (cont’d.)

• Single loss expectancy (SLE)
  – Expected monetary loss each time a risk occurs
  – Calculated by multiplying the asset value by the exposure factor
  – Exposure factor: percentage of the asset value likely to be destroyed by a particular risk

Page 13

Vulnerability Assessment (cont’d.)

• Annualized loss expectancy (ALE)
  – Expected monetary loss over a one-year period
  – Multiply the SLE by the annualized rate of occurrence
  – Annualized rate of occurrence: probability that a risk will occur in a particular year
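The two formulas on pages 12 and 13 are easiest to trust once you have run them on a few assets and seen how the ranking comes out. The following is an added example, not code from the textbook: it implements SLE = asset value × exposure factor and ALE = SLE × annualized rate of occurrence, then orders constructed scenarios by ALE. The asset names, values, exposure factors and occurrence rates are all made up for illustration, and the exposure factor is taken as a fraction (0.25) rather than the percentage (25%) the slide speaks of.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One asset/threat pairing with the inputs the SLE and ALE formulas need."""
    asset: str
    asset_value: float       # replacement or revenue value, in currency units
    exposure_factor: float   # fraction of the asset value lost per occurrence (0.0 to 1.0)
    aro: float               # annualized rate of occurrence (expected events per year)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (exposure factor given as a fraction)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def evaluate(scenario: RiskScenario) -> dict:
    """Compute SLE and ALE for one scenario."""
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    return {"asset": scenario.asset, "sle": sle,
            "ale": annualized_loss_expectancy(sle, scenario.aro)}


def rank_by_ale(scenarios) -> list:
    """Highest expected annual loss first: the order in which to work the risk list."""
    return sorted((evaluate(s) for s in scenarios), key=lambda r: r["ale"], reverse=True)


# Constructed sample figures (not from the textbook).
SAMPLE_SCENARIOS = [
    RiskScenario("public web server", 50_000, 0.25, 2.0),    # defaced twice a year, a quarter of the value lost each time
    RiskScenario("customer database", 200_000, 0.50, 0.10),  # a breach once a decade, half the value lost
    RiskScenario("field laptop", 2_000, 1.00, 3.0),          # lost or stolen three times a year, total loss
]

if __name__ == "__main__":
    for row in rank_by_ale(SAMPLE_SCENARIOS):
        print(f"{row['asset']:<18} SLE={row['sle']:>10,.2f}  ALE={row['ale']:>10,.2f}")
```

Note what the ranking shows: the database has by far the largest single loss, yet the web server tops the annual list because it is hit so much more often. That is the point of multiplying by the rate of occurrence before deciding where to spend.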

Page 14

Vulnerability Assessment (cont’d.)

• Estimate the probability that the vulnerability will actually occur
• Risk mitigation
  – Determine what to do about risks
  – Determine how much risk can be tolerated
• Options for dealing with risk:
  – Diminish
  – Transfer (outsourcing, insurance)
  – Accept

Page 15

Table 4-3 Risk identification steps

Page 16

Assessment Techniques

• Baseline reporting
  – Baseline: standard for solid security
  – Compare the present state to the baseline
  – Note, evaluate, and possibly address differences

Page 17

Assessment Techniques (cont’d.)

• Application development techniques
  – Minimize vulnerabilities during software development
• Challenges to this approach:
  – Software application size and complexity
  – Lack of security specifications
  – Future attack techniques are unknown

Page 18

Assessment Techniques (cont’d.)

• Software development assessment techniques
  – Review the architectural design in the requirements phase
  – Conduct design reviews
    • Consider including a security consultant
  – Conduct code review during the implementation phase
    • Examine the attack surface (code executed by users)
  – Correct bugs during the verification phase
  – Create and distribute security updates as necessary

Page 19

Figure 4-3 Software development process (© Cengage Learning 2012)

Page 20

Assessment Tools

• IP addresses uniquely identify each network device
• TCP/IP communication
  – Involves an exchange of information between one system’s program and another system’s corresponding program
• Port number
  – Unique identifier for applications and services
  – 16 bits in length

Page 21

Assessment Tools (cont’d.)

• Well-known port numbers
  – Reserved for the most universal applications
• Registered port numbers
  – Other applications that are not as widely used
• Dynamic and private port numbers
  – Available for any application to use

Page 22

Table 4-4 Commonly used default network ports

Page 23

Assessment Tools (cont’d.)

• Knowledge of what port is being used
  – Can be used by an attacker to target a specific service
• Port scanner software
  – Searches a system for port vulnerabilities
  – Used to determine port state:
    • Open
    • Closed
    • Blocked
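Pages 20 to 23 describe port numbers, their three IANA ranges and the three states a port scanner reports. The following is an added example, not code from the textbook, that ties those together on a host you control: it classifies a port number by range, determines port state with a plain TCP connect attempt, and audits the loopback interface by starting a throwaway listener so there is a known-open and a known-closed port to find. The function names (classify_port, connect_scan, self_audit) are this example's own. The range boundaries (0 to 1023 well-known, 1024 to 49151 registered, 49152 to 65535 dynamic/private) are the IANA ones.

```python
import socket
import threading


def classify_port(port: int) -> str:
    """Place a 16-bit port number in one of the three IANA ranges named on the slides."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port numbers are 16 bits wide: 0 to 65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Determine each TCP port's state with a full connect() attempt.

    A completed handshake means 'open'; an immediate refusal (RST) means 'closed';
    no answer within the timeout, or an unreachable host, is reported as 'blocked'
    (what many tools call 'filtered': something between us and the port dropped the probe).
    """
    states = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                states[port] = "open"
            except ConnectionRefusedError:
                states[port] = "closed"
            except OSError:          # covers socket.timeout and "no route to host"
                states[port] = "blocked"
    return states


def _start_loopback_listener() -> tuple:
    """Bind a throwaway TCP service on 127.0.0.1 so the scan has a known-open port to find."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: the OS picks a free ephemeral port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:         # listener closed: stop the thread
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def _free_port() -> int:
    """Ask the OS for a currently unused port, then release it so it reads as 'closed'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def self_audit() -> dict:
    """Scan this host's loopback for one port we know is open and one we know is closed."""
    srv, open_port = _start_loopback_listener()
    try:
        closed_port = _free_port()
        states = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port, "states": states}


if __name__ == "__main__":
    audit = self_audit()
    for port, state in audit["states"].items():
        print(f"port {port:>5} ({classify_port(port)}): {state}")
```

The defensive use is the comparison the slides keep coming back to: run the scan against your own hosts and treat every "open" port that is not on the expected list as a finding to explain or close, since that is exactly the information an attacker would use to pick a service to target.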

Page 24

Figure 4-4 Port scanner (© Cengage Learning 2012)

Page 25

Table 4-5 Port scanning

Page 26

Assessment Tools (cont’d.)

• Protocol analyzers
  – Hardware or software that captures packets
    • To decode and analyze their contents
  – Also known as sniffers
• Common uses for protocol analyzers:
  – Used by network administrators for troubleshooting
  – Characterizing network traffic
  – Security analysis
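What a protocol analyzer actually does with a captured packet is decode it layer by layer, and doing that by hand once makes clear why anything sent in the clear is readable to whoever holds the capture. The following is an added example, not code from the textbook: a small decoder for an Ethernet II / IPv4 / TCP frame, plus a builder that constructs a sample frame (checksums left at zero) so it runs offline. The sample addresses, ports and HTTP payload are constructed, and the function names are this example's own.

```python
import struct

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Decode an Ethernet II / IPv4 / TCP frame into its header fields and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"dst_mac": _mac(frame[0:6]), "src_mac": _mac(frame[6:12]), "ethertype": ethertype}
    if ethertype != 0x0800:
        out["note"] = "not IPv4; decoding stops at the Ethernet header"
        return out

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # header length is given in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("malformed IPv4 header: bad version, header length or total length")
    out.update({"src_ip": _ipv4(src), "dst_ip": _ipv4(dst), "ttl": ttl, "protocol": proto})
    if proto != 6:
        out["note"] = "not TCP; decoding stops at the IPv4 header"
        return out

    segment = ip[ihl:total_len]                     # total_len is measured from the start of the IP header
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, offset_byte, flag_byte,
     window, _tcsum, _urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (offset_byte >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("malformed TCP data offset")
    out.update({
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [name for bit, name in TCP_FLAG_NAMES if flag_byte & bit],
        "payload": segment[data_offset:],           # application data, exactly as a sniffer sees it
    })
    return out


def build_sample_frame(payload: bytes) -> bytes:
    """Construct a frame for offline use (checksums left at zero; a real analyzer would verify them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    tcp = struct.pack("!HHIIBBHHH", 52100, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed capture: an HTTP login request carrying a password in the clear.
SAMPLE_FRAME = build_sample_frame(b"POST /login HTTP/1.1\r\nHost: intranet\r\n\r\nuser=alice&password=hunter2")

if __name__ == "__main__":
    for key, value in decode_frame(SAMPLE_FRAME).items():
        print(f"{key:>9}: {value}")
```

The decoder refuses truncated or inconsistent headers rather than guessing, which is the behaviour you want from anything that parses untrusted bytes off the wire; the payload it returns for the sample is the plaintext credential, which is the security lesson of the "sniffer" slide in one line of output.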

Page 27

Figure 4-5 Protocol analyzer (© Cengage Learning 2012)

Page 28

Assessment Tools (cont’d.)

• An attacker can use a protocol analyzer to display the content of each transmitted packet
• Vulnerability scanners
  – Products that look for vulnerabilities in networks or systems
  – Most maintain a database categorizing the vulnerabilities they can detect

Page 29

Figure 4-6 Vulnerability scanner (© Cengage Learning 2012)

Page 30

Assessment Tools (cont’d.)

• Examples of vulnerability scanners’ capabilities:
  – Alert when new systems are added to the network
  – Detect when an internal system begins to port scan other systems
  – Maintain a log of all interactive network sessions
  – Track all client and server application vulnerabilities
  – Track which systems communicate with other internal systems
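Two of the capabilities listed above, detecting an internal host that starts port scanning and alerting on systems not in the inventory, are simple enough to implement from a connection log. The following is an added example, not code from the textbook or any scanner product: it parses a constructed log format, flags a source that touches many distinct ports on one destination inside a short window, and lists addresses absent from a constructed asset inventory. The log format, the thresholds and the sample addresses are all this example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log format: "<ISO timestamp> <ALLOW|DENY> <src> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line: str):
    """Parse one connection-log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "action": m["action"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def detect_port_scans(lines, distinct_ports: int = 10, window: timedelta = timedelta(seconds=60)) -> list:
    """Flag a source that reaches many distinct ports on one destination within a short window."""
    hits = defaultdict(list)                       # (src, dst) -> [(ts, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            hits[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))
    alerts = []
    for (src, dst), events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):             # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= distinct_ports:
                alerts.append({"src": src, "dst": dst, "distinct_ports": len(ports),
                               "first": events[start][0], "last": events[end][0]})
                break                              # one alert per source/destination pair
    return alerts


def detect_new_hosts(lines, inventory) -> list:
    """Report addresses seen in the log that are absent from the asset inventory."""
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec:
            seen.update((rec["src"], rec["dst"]))
    return sorted(seen - set(inventory))


KNOWN_HOSTS = ["10.0.0.7", "10.0.0.8", "10.0.0.20"]          # constructed asset inventory

# Constructed log: one host sweeping eleven ports in eleven seconds, normal traffic, and an unknown host.
SAMPLE_LOG = (
    [f"2015-12-23T10:00:{i:02d} ALLOW 10.0.0.7 -> 10.0.0.20:{p}"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389])]
    + ["2015-12-23T10:00:05 ALLOW 10.0.0.8 -> 10.0.0.20:443",
       "2015-12-23T10:00:09 ALLOW 10.0.0.8 -> 10.0.0.20:443",
       "2015-12-23T10:01:30 DENY 10.0.0.99 -> 10.0.0.20:80",
       "this line is not in the expected format"]
)

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print("possible port scan:", alert)
    print("hosts not in inventory:", detect_new_hosts(SAMPLE_LOG, KNOWN_HOSTS))
```

The thresholds are the tunable part: a monitoring console that legitimately polls many ports would trip a low threshold, so in practice the window and port count are set per network segment and known scanners are exempted by address.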

Page 31

Assessment Tools (cont’d.)

• Problem with assessment tools
  – No standard for collecting, analyzing, and reporting vulnerabilities
• Open Vulnerability and Assessment Language (OVAL)
  – Designed to promote open and publicly available security content
  – Standardizes information transfer across different security tools and services

Page 32

Figure 4-7 OVAL output (© Cengage Learning 2012)

Page 33

Honeypots and Honeynets

• Honeypot
  – Computer protected by minimal security
  – Intentionally configured with vulnerabilities
  – Contains bogus data files
• Goal: trick attackers into revealing their techniques
  – Compare to actual production systems to determine their security level against the attack
• Honeynet
  – Network set up with one or more honeypots

Page 34

Vulnerability Scanning vs. Penetration Testing

• Vulnerability scan
  – Automated software searches a system for known security weaknesses
  – Creates a report of potential exposures
  – Should be conducted on existing systems and as new technology is deployed
  – Usually performed from inside the security perimeter
  – Does not interfere with normal network operations

Page 35

Penetration Testing

• Designed to exploit system weaknesses
• Relies on the tester’s skill, knowledge, and cunning
• Usually conducted by an independent contractor
• Tests usually conducted outside the security perimeter
  – May even disrupt network operations
• End result: penetration test report

Page 36

Penetration Testing (cont’d.)

• Black box test
  – Tester has no prior knowledge of the network infrastructure
• White box test
  – Tester has in-depth knowledge of the network and systems being tested
• Gray box test
  – Some limited information has been provided to the tester

Page 37

Table 4-6 Vulnerability scan and penetration testing features

Page 38

Mitigating and Deterring Attacks

• Standard techniques for mitigating and deterring attacks:
  – Creating a security posture
  – Configuring controls
  – Hardening
  – Reporting

Page 39

Creating a Security Posture

• Security posture describes the organization’s strategy regarding security
• Initial baseline configuration
  – Standard security checklist
  – Systems evaluated against the baseline
  – Starting point for security
• Continuous security monitoring
  – Regularly observe systems and networks
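Page 16 (baseline reporting: compare the present state to the baseline and note the differences) and page 39 (systems evaluated against an initial baseline configuration) describe the same check from two angles. The following is an added example, not code from the textbook, that serves both: a constructed baseline for one host type, a constructed snapshot of a host that has drifted, and a comparison that turns every difference into a categorized finding. The HostState fields, the setting names and all the sample values are this example's assumptions; in practice the snapshot would be collected by a configuration agent or scanner.

```python
from dataclasses import dataclass, field


@dataclass
class HostState:
    """Security-relevant facts collected from one host: the 'present state' the slides compare."""
    hostname: str
    listening_ports: set = field(default_factory=set)
    enabled_services: set = field(default_factory=set)
    local_accounts: set = field(default_factory=set)
    settings: dict = field(default_factory=dict)


# Constructed baseline: what a correctly built host of this type is supposed to look like.
BASELINE = HostState(
    "baseline-web",
    listening_ports={22, 443},
    enabled_services={"sshd", "nginx"},
    local_accounts={"root", "admin", "svc-web"},
    settings={"password_min_length": 12, "remote_root_login": False, "auto_updates": True},
)


def compare_to_baseline(current: HostState, baseline: HostState = BASELINE) -> list:
    """Return (category, message) findings for every way `current` differs from `baseline`."""
    findings = []
    for port in sorted(current.listening_ports - baseline.listening_ports):
        findings.append(("port", f"unexpected listening port {port}"))
    for port in sorted(baseline.listening_ports - current.listening_ports):
        findings.append(("port", f"expected port {port} is not listening (service down or disabled?)"))
    for svc in sorted(current.enabled_services - baseline.enabled_services):
        findings.append(("service", f"service {svc!r} enabled but not in baseline"))
    for acct in sorted(current.local_accounts - baseline.local_accounts):
        findings.append(("account", f"local account {acct!r} not in baseline"))
    for key, expected in baseline.settings.items():
        actual = current.settings.get(key)           # a missing key is a finding too
        if actual != expected:
            findings.append(("setting", f"{key}: expected {expected!r}, found {actual!r}"))
    return findings


# Constructed snapshot of a host that has drifted from the baseline.
SAMPLE_HOST = HostState(
    "web-03",
    listening_ports={22, 23, 443},
    enabled_services={"sshd", "nginx", "telnetd"},
    local_accounts={"root", "admin", "svc-web", "guest"},
    settings={"password_min_length": 8, "remote_root_login": False},
)

if __name__ == "__main__":
    for category, message in compare_to_baseline(SAMPLE_HOST):
        print(f"[{category}] {message}")
```

Each finding is something to "note, evaluate, and possibly address", as page 16 puts it: an extra port or service is usually a remediation item, while a missing expected port may be an outage rather than a security problem, which is why the report categorizes rather than scores.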

Page 40

Creating a Security Posture (cont’d.)

• Remediation
  – As vulnerabilities are exposed, put a plan in place to address them

Page 41

Configuring Controls

• Properly configuring controls is key to mitigating and deterring attacks
• Some controls are for detection
  – Security camera
• Some controls are for prevention
  – Properly positioned security guard
• Information security controls
  – Can be configured to detect attacks and sound alarms, or to prevent attacks

Page 42

Configuring Controls (cont’d.)

• Additional consideration
  – When normal function is interrupted by a failure:
    • Which is the higher priority, security or safety?
  – Fail-open lock unlocks doors automatically upon failure
  – Fail-safe lock automatically locks
    • Highest security level
  – Firewall can be configured in a fail-safe or fail-open state
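The fail-open versus fail-safe choice on this page is a design decision that has to be made explicitly in software controls too, because the default behaviour of an exception is usually neither. The following is an added example, not code from the textbook, showing a filtering decision whose rule store can become unavailable: the configured failure mode, not an accident of the code path, decides what happens then. The rule table, the addresses and the class and function names are this example's assumptions.

```python
from enum import Enum


class FailureMode(Enum):
    FAIL_OPEN = "fail-open"    # control failure lets traffic through: availability/safety first
    FAIL_SAFE = "fail-safe"    # control failure blocks traffic: security first


class PolicyUnavailable(RuntimeError):
    """Raised when the rule store the control depends on cannot be reached."""


# Constructed rule table: (source address, destination port) -> verdict
RULES = {("10.0.0.8", 443): "allow", ("10.0.0.8", 22): "allow", ("10.0.0.9", 443): "deny"}


def lookup_rule(rules, src: str, dport: int):
    """Consult the rule store; passing None for `rules` simulates the store being down."""
    if rules is None:
        raise PolicyUnavailable("rule store unreachable")
    return rules.get((src, dport))


def decide(rules, src: str, dport: int, mode: FailureMode) -> str:
    """Apply the rules; when the control itself fails, the configured failure mode decides."""
    try:
        verdict = lookup_rule(rules, src, dport)
    except PolicyUnavailable:
        # The only place the fail-open/fail-safe setting is consulted.
        return "allow" if mode is FailureMode.FAIL_OPEN else "deny"
    # No matching rule is not a failure of the control: default deny in either mode.
    return verdict if verdict is not None else "deny"


if __name__ == "__main__":
    for mode in FailureMode:
        print(f"{mode.value:>9}, rules reachable: {decide(RULES, '10.0.0.8', 443, mode)};"
              f" rules down: {decide(None, '10.0.0.8', 443, mode)}")
```

Keeping "no rule matched" separate from "the control broke" matters: a missing rule should be denied in both modes, and only a genuine control failure should ever be allowed through, and then only where the fail-open choice was made deliberately.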

Page 43

Hardening

• Purpose of hardening
  – Eliminate as many security risks as possible
• Techniques to harden systems:
  – Protecting accounts with passwords
  – Disabling unnecessary accounts
  – Disabling unnecessary services
  – Protecting management interfaces and applications

Page 44

Reporting

• Providing information regarding events that occur
• Alarms or alerts
  – Sound a warning if a specific situation is occurring
  – Example: alert if there are too many failed password attempts
• Reporting can provide information on trends
  – Can indicate a serious impending situation
  – Example: multiple user accounts experiencing multiple password attempts
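The two examples on this page are worth seeing side by side, because the second one is invisible to the first: a per-account alarm fires on one account hammered many times, while a source that tries each of many accounts only once never crosses that threshold and shows up only as a trend. The following is an added example, not code from the textbook, that parses constructed sshd-style log lines and computes both. The threshold values, the usernames and the addresses are this example's assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the sshd-style line "Failed password for [invalid user ]<user> from <ip> ..."
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_failures(lines) -> list:
    """Extract (user, source_ip) for every failed password attempt; other lines are ignored."""
    failures = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures.append((m["user"], m["ip"]))
    return failures


def account_alerts(failures, threshold: int = 5) -> dict:
    """Alarm: a single account with too many failed attempts (the slide's first example)."""
    counts = Counter(user for user, _ in failures)
    return {user: n for user, n in counts.items() if n >= threshold}


def spray_trend(failures, min_accounts: int = 3) -> dict:
    """Trend: one source trying many different accounts a few times each, which the
    per-account alarm above never fires on (the slide's second example)."""
    by_source = defaultdict(set)
    for user, ip in failures:
        by_source[ip].add(user)
    return {ip: sorted(users) for ip, users in by_source.items() if len(users) >= min_accounts}


# Constructed auth log: a burst against one account, then one attempt each against several accounts.
SAMPLE_AUTH_LOG = (
    [f"Dec 23 10:00:{s:02d} srv1 sshd[4101]: Failed password for alice from 198.51.100.9 port 5100{s} ssh2"
     for s in range(6)]
    + ["Dec 23 10:05:01 srv1 sshd[4180]: Failed password for bob from 203.0.113.5 port 40001 ssh2",
       "Dec 23 10:21:14 srv1 sshd[4311]: Failed password for invalid user carol from 203.0.113.5 port 40002 ssh2",
       "Dec 23 10:37:48 srv1 sshd[4502]: Failed password for dave from 203.0.113.5 port 40003 ssh2",
       "Dec 23 10:52:33 srv1 sshd[4690]: Failed password for erin from 203.0.113.5 port 40004 ssh2",
       "Dec 23 10:53:10 srv1 sshd[4701]: Accepted password for bob from 10.0.0.8 port 50123 ssh2"]
)

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_AUTH_LOG)
    print("accounts over threshold:", account_alerts(failures))
    print("sources spreading attempts across accounts:", spray_trend(failures))
```

In the sample, the alarm names only alice, while the trend report names the second source and the four accounts it touched; a reporting process that only had the alarm would miss the "serious impending situation" the slide warns about.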

Page 45

Summary

• Vulnerability assessment
  – Methodical evaluation of the exposure of assets to risk
  – Five steps in an assessment
• Risk describes the likelihood that a threat agent will exploit a vulnerability
• Several techniques can be used in a vulnerability assessment
• Port scanners, protocol analyzers, and honeypots are used as assessment tools

Page 46

Summary (cont’d.)

• A vulnerability scan searches a system for known security weaknesses and reports its findings
• Penetration testing is designed to exploit any discovered system weaknesses
  – Tester may have various levels of system knowledge
• Standard techniques used to mitigate and deter attacks:
  – Healthy security posture
  – Proper configuration of controls
  – Hardening and reporting