Week 4 - Vulnerability Assessment and Pen Testing Flashcards
Vulnerability Assessment Elements
– Identify what needs to be protected (asset identification),
– What pressures are against those assets (threat evaluation),
– How susceptible current protection is (vulnerability appraisal),
– What damages could result from the threats (risk assessment),
– Analysis of what to do about it (risk mitigation);
Asset Identification
- Asset identification - Process of inventorying items with economic value
- Common assets
– People
– Physical assets
– Data
– Hardware
– Software
Asset’s Relative Value
- After an inventory of the assets has been taken, it is important to determine each item’s relative value.
- Value based on:
– Asset’s criticality to organization’s goals,
– How much revenue asset generates,
– How difficult to replace asset,
– Impact of asset unavailability to the organization;
- Can rank using a number scale;
Threat Evaluation
- Threat evaluation - List potential threats from threat agent,
- Threat agents are not limited to attackers,
- Also include natural disasters like fire or severe weather;
Threat Modeling
- Threat modeling – Goal of understanding attackers and their methods.
- Attack tree - Provides visual representation of potential attacks as inverted tree structure.
- Attack tree displays:
– Goal of attack,
– Types of attacks that could occur,
– Techniques used in attacks;
Vulnerability Appraisal
- Vulnerability appraisal - Determine current weaknesses as snapshot of current organization security,
- Every asset should be viewed in light of each threat,
- Catalog each vulnerability;
Risk Assessment
- Risk assessment - Determine damage resulting from attack and assess likelihood that vulnerability is risk to organization.
- Determining damage from attack first requires realistic look at several different types of attacks that might occur.
- Based upon vulnerabilities recognized in vulnerability appraisal, a risk assessment of impact can then be undertaken.
- Not all vulnerabilities pose the same risk.
Risk Mitigation
- Risk mitigation - Determine what to do about risks.
- Risk can never be entirely eliminated; would cost too much or take too long.
- Some risks must be accepted by default and degree of risk must always be assumed.
- Question is not, “How can we eliminate all risk?” but “How much acceptable risk can we tolerate?”.
- Once “toleration” level is known, steps can be taken to mitigate risk.
Baseline Reporting
- Baseline - Imaginary line by which an element is measured or compared; can be seen as standard.
- IT baseline is checklist against which systems can be evaluated and audited for security posture.
- Outlines major security considerations for system and becomes the starting point for solid security.
- Baseline reporting - Comparison of present state of system to its baseline.
- Deviations include not only technical issues but also management and operational issues.
Software Programming Vulnerabilities
- Important for software vulnerabilities to be minimized while software is being developed instead of after it is released.
- Software improvement to minimize vulnerabilities is difficult:
– Size and complexity
– Lack of formal specifications
– Ever-changing attacks
Assessment Tools
- Many tools available to perform vulnerability assessments:
– Port scanners,
– Banner grabbing tools,
– Protocol analyzers,
– Vulnerability scanners,
– Honeypots and honeynets;
Ports
- TCP/IP networks exchange information between a program running on one system (process) and the same/corresponding process running on a remote system.
- Each packet/datagram contains a source port and a destination port.
- Identifies both the originating application/service on the local system and the corresponding application/service on the remote system.
Port Categories
- Port numbers are 16 bits in length, so they have a decimal value from 0 to 65,535.
- Well-known port numbers (0–1023) - Reserved for most universal applications.
- Registered port numbers (1024–49151) - Other applications not as widely used.
- Dynamic and private port numbers (49152–65535) - Available for use by any application.
Port Security
- Because port numbers are associated with applications and services, if an attacker knows a specific port is accessible, it could indicate what services are being used.
- Implemented by disabling unused application/service ports to reduce the number of threat vectors.
Port Scanner
- Software can be used to search system for port vulnerabilities.
- Port scanners typically used to determine the state of a port to know what applications/services are running.
- Three port states:
– Open - Application/service assigned to port is listening for any instructions.
– Closed - No process is listening.
– Blocked - Host system does not reply to any inquiries to this port number.
TCP Connect Scan
Involves completing a ‘three-way handshake’ with a remote port, and reports the port as closed if the full handshake cannot be established. An advantage is that it works against any TCP/IP stack.
TCP SYN Scan
Sends a SYN packet, and if the port is open, it will respond with SYN+ACK. The scanner then closes the connection before the “handshake” is completed.
Very popular as most sites do not log these attempts; also known as “half-open scanning”.
TCP FIN Scan
Sends a finish (FIN) message without first sending a SYN packet; a closed port will reply but an open port will ignore it.
Popular as it can pass through firewalls and avoid detection.
Xmas Tree Scan
The FIN, URG, and PSH flags are all set to watch how a host responds to the unusual packet, which can in turn help determine its operating system.
Banner
A message that a service transmits when another program connects to it.
Banner grabbing
- Used as assessment tool to perform inventory on services and systems operating on server.
- Can be done by using Telnet to create connection with host and then querying each port.
Protocol Analyzers
Hardware or software that captures packets to decode and analyze contents.
- Common uses for protocol analyzers:
– Used by network administrators for troubleshooting,
– Characterizing network traffic,
– Security analysis;
Open Vulnerability and Assessment Language (OVAL)
- Problem with assessment tools is no standard for collecting, analyzing, reporting vulnerabilities.
- Designed to promote open and publicly available security content.
- International standard to list and rate vulnerabilities.
- Consistent with the CVE list.
- Standardizes information transfer across different security tools and services.
Honeypot
Computer protected by minimal security and intentionally configured with vulnerabilities; contains bogus data files.
Goal is trick attackers into revealing their techniques.
Honeynet
Network set up with intentional vulnerabilities and honeypots.
Vulnerability Scan
- Automated software searches a system for known security weaknesses.
- Creates report of potential exposures.
Intrusive vulnerability scan
Attempts to actually penetrate system in order to perform simulated attack.
Non-intrusive vulnerability scan
Uses only available information to hypothesize status of the vulnerability.
Credentialed vulnerability scan
Scanner that permits the username and password of an active account to be stored and used.
Non-credentialed vulnerability scans
Scanner that does not use credentials.
Penetration Testing
Designed to exploit system weaknesses.
- Relies on tester’s skill and knowledge,
- Usually conducted by independent contractor,
- Tests usually conducted outside the security perimeter and may even disrupt network operations,
- End result is penetration test report;
Third-Party Integration
Risk of combining systems and data with outside entities continues to grow.
- On-boarding - Start-up relationship between partners.
- Off-boarding - Termination of agreements.
Service Level Agreement (SLA)
Service contract between a vendor and a client.
Blanket Purchase Agreement (BPA)
Prearranged purchase or sale agreement between a government agency and a business.
Memorandum of Understanding (MOU)
Describes agreement between two or more parties.
Interconnection Security Agreement (ISA)
Agreement intended to minimize security risks for data transmitted across a network.
Mitigating and Deterring Attacks
- Standard techniques for mitigating and deterring attacks:
– Creating a security posture,
– Selecting and configuring controls,
– Hardening,
– Reporting;
Creating a Security Posture
- Describes strategy regarding security.
- Elements of security posture:
– Initial baseline configuration,
– Continuous security monitoring,
– Remediation;
Selecting Appropriate Controls
- Selecting appropriate controls to use is key to mitigating and deterring attacks.
- Many different controls can be used.
- Common controls are important to meet specific security goals.
Configuring Controls
- Key to mitigating and deterring attacks is proper configuration and testing of the controls.
- One category of controls is those that either detect or prevent attacks.
Hardening
Eliminate as many security risks as possible.
- Techniques to harden systems:
– Protecting accounts with passwords,
– Disabling unnecessary accounts,
– Disabling unnecessary services,
– Protecting management interfaces and applications;
Reporting
- Providing information regarding events that occur.
- Alarms or alerts - Sound warning if specific situation is occurring.
- Reporting can provide information on trends.
- Can indicate a serious impending situation.