Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments

Transcription

1 Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments Objectives Define risk and risk management Describe the components of risk management List and describe vulnerability scanning tools Define penetration testing Risk Management, Assessment, and Mitigation One of the most important assets any organization possesses is its data Importance of data is generally underestimated The first steps in data protection actually begin with understanding risks and risk management What Is Risk? Information Security Context: a risk is the likelihood that a threat agent will exploit a vulnerability More generally: Event or condition that could occur If it does occur, then it has a negative impact Risk generally denotes a potential negative impact to an asset Definition of Risk Management Unrealistic to assume all risks can be mitigated Would cost too much or take too long Some degree of risk must always be assumed Risk management Systematic and structured approach to managing the potential for loss that is related to a threat Section Summary One of the most important assets any organization possesses is its data Its importance is generally underestimated

2 Risk: Likelihood of a threat agent exploiting a vulnerability Unrealistic assumption that all risks can be mitigated due to cost and time factors Some degree of risk must always be assumed Risk management Systematic and structured approach to managing the potential for loss that is related to a threat Risk Management Steps Step One: Determine the assets that need to be protected Asset identification Process of inventorying and managing these items Types of assets: Data Hardware Personnel Physical assets Software Risk Management Steps (cont.) Assets have attributes that need to be compiled Determine each item s relative value Valuation factors include: How critical is this asset to the goals of the organization? How difficult would it be to replace it? How much does it cost to protect it? How much revenue does it generate? Risk Management Steps (Cont.) Steps in Risk Management (cont.) Valuation Factors (cont.) How quickly can it be replaced?

3 Cost of replacement? Impact if this asset is unavailable? Security implications if this asset is unavailable? Section Summary Step One: Determine assets requiring protection Asset identification: Process of asset inventory and management Types of assets: Data, Hardware, Personnel, Physical assets, Software Valuation factors include: Criticality; Replacement Difficulty; Cost of protection Generated Revenue; Speed of Replacement; Downtime Impact; Security implications of unavailable Steps in Risk Management (cont.) Step Two: Threat identification Threat agent: Person or thing with the power to carry out a threat against an asset Threat modeling Constructs scenarios of the types of threats that assets can face Helps to understand: Who the attackers are Why they attack How attacks might occur Steps in Risk Management (cont.) Attack tree Provides a visual image of the attacks that may occur against an asset Steps in Risk Management (cont.) Vulnerability Appraisal: Snapshot of current organizational security Every asset must be viewed in light of each threat Determining vulnerabilities often depends upon the background and experience of the assessor

4 Risk Assessment: Determining likelihood and damage that would result if the vulnerability is a risk to the organization Summary Threat agent: Person or thing with the power to carry out a threat against an asset Threat Modeling: Constructs scenarios based on types of threats that assets can face Threat Modeling Considerations: Who, Why, How attacks might occur Attack tree: tree hierarchy visualization of how attacks may occur against an asset Vulnerability Appraisal: Snapshot of organizations security that considers threats to each asset based on evaluators background and experience Risk Assessment: Determines likelihood and projected damage that would result if the vulnerability is a risk to the organization Steps in Risk Management (cont.) Calculating anticipated losses is helpful in determining vulnerability impact Two formulas are commonly used to calculate expected losses Single Loss Expectancy (SLE) The expected monetary loss every time a risk occurs Formula: Asset Value (AV) x Exposure Factor (EF) {SLE =AV x EF} Annualized Loss Expectancy (ALE) The expected monetary loss that can be expected for an asset due to a risk over a one-year period Formula: Single Loss Value (SLE) x Annualized Rate of Occurrence (ALO) {ALE = SLE x ALO} Instructors Note: You will need to know the formulas for testing and certification Continued below

5 Steps in Risk Management (cont.) Risk Mitigation: Determine what to do about the risks Risk Mitigation Options: Diminish the risk Transfer the risk Accept the risk Summary Risk Assessment Valuation formulas: Single Loss Expectancy (SLE): Calculates the expected monetary loss every time a risk occurs Annualized Loss Expectancy (ALE): Calculates the expected monetary loss for an asset over a one-year period Risk Mitigation: Determine what to do about the risks Risk Mitigation Options: Diminish the risk Transfer the risk Accept the risk Identifying Vulnerabilities Identifying vulnerabilities through a Vulnerability Appraisal Determines current security weaknesses that could expose assets to threats Two categories of software and hardware tools Vulnerability scanning Penetration testing Vulnerability Scanning Vulnerability scanning: Used to identify weaknesses in the system Importance: Identifies weaknesses that need to be addressed in order to increase the level of security Vulnerability Tools: Port Scanners Network Mappers

6 Protocol analyzers Vulnerability scanners (include Open Vulnerability and Assessment Language or OVAL) Password crackers Port Scanners IP address The primary form of address identification on a TCP/IP network Used to uniquely identify each network device Port number TCP/IP uses a numeric value as an identifier to applications and services on the systems Examples: TCP Port 80 for WWW service TCP Port 25 for SMTP service Datagrams (packets) Port scanner contains both source and destination IP as well as source port and destination port Scans a target to determine if the system is listening on a given port Identifies possible applications running that could be exploited Three port states: Open System responds with a reply Closed System responds service is unavailable Blocked No reply sent (a.k.a. Stealth Mode) Network Mappers Software tools that can identify network connected endpoints Most network mappers utilize the TCP/IP protocol ICMP Protocol Analyzers Protocol analyzer (also called a sniffer) Captures packets for decoding and analysis Can fully decode application-layer network protocols

7 Common Use Cases: Network troubleshooting Network traffic characterization Security analysis Vulnerability Scanner Refers to a range of products that look for vulnerabilities in networks or systems Intended to identify vulnerabilities and alert network administrators to these problems Most maintain a database that categorizes and describes the vulnerabilities that it can detect Some scanners combine the features of a port scanner and network mapper Provides for OS Fingerprinting and targeting scanning based on identified OS Open Vulnerability and Assessment Language (OVAL) OVAL International Standards-Based format for security related data exchange of vulnerability data Provides a common language for the exchange of information regarding security vulnerabilities These vulnerabilities are identified using industry-standard tools Allows interoperability between security venders, researchers, and platforms Open Vulnerability and Assessment Language (OVAL) (cont.) Vulnerability definitions are formatted in Extensible Markup Language (XML) Queries are accessed using the database Structured Query Language (SQL) Windows, Linux, and UNIX platforms are support with OVAL signatures Appliance Venders and researchers provide OVAL formatted signatures for scanner use Password Crackers Password: A secret combination of letters and numbers that only the user knows Provides Single Factor Authentication that is often considered weak security; frequent focus of attacks

8 Password Cracker programs Use the file of hashed passwords and then attempts to break the hashed passwords offline The most common offline password cracker programs are based on dictionary attacks or rainbow tables Password Crackers (cont.) Shadow password Summary Optional implementation in UNIX and Linux systems Not Invoked: File containing hashed system passwords and user information visible to all users File stored in /etc/passwd Invoked: File can only be accessed at the highest level and contains only the hashed passwords File stored in /etc/shadow (Linux) or /etc/master.passwd (Unix) Two categories of software and hardware tools: Vulnerability scanning and Penetration testing Vulnerability scanning: Used to identify weaknesses in the system Vulnerability Tools: Port Scanners; Network Mappers; Protocol analyzers; Password crackers; Vulnerability scanners Port Scanner: Uses a combination of IP address responses to specified port probes to determine services the system is actively listening 3 Port Scan responses options: Open; Closed; Blocked 3 Ports classifications: Well-Known, Registered, & Private numbers Network Mapper: Use ICMP and other techniques to illicit a response from a network endpoint. Protocol Analyzer: Capture and decode application layer packets for use in trouble shooting, traffic characterization, and security analysis Open Vulnerability and Assessment Language (OVAL): International standards-based data exchange format that provides interoperability between security implementations and is support on all major OS categories.

9 Password Cracker: Uses captured password hashes and performs dictionary or rainbow table attacks to recover user passwords Shadow Password: More secure password storage option in Linux and Unix that restricts hashed user name / password combinations to a more restricted file space within the directory structure. Penetration Testing Method of evaluating the security of a computer system or network by simulating a malicious attack instead of just scanning for vulnerabilities Involves a more active analysis of a system for vulnerabilities One of the first tools that was widely used for penetration testing as well as by attackers was SATAN SATAN could improve the security of a network by performing penetration testing To determine the strength of the security for the network and what vulnerabilities may still have existed SATAN would: Recognize several common networking-related security problems Report the problems without actually exploiting them Offer a tutorial that explained the problem, what its impact could be, and how to resolve the problem