Validating and Restoring Defense in Depth Using Attack Graphs


Richard Lippmann, Kyle Ingols, Chris Scott, Keith Piwowarski, Kendra Kratkiewicz, Mike Artz, Robert Cunningham
MIT Lincoln Laboratory, 244 Wood Street, Lexington, Massachusetts

Abstract

Defense in depth is a common strategy that uses layers of firewalls to protect Supervisory Control and Data Acquisition (SCADA) subnets and other critical resources on enterprise networks. A tool named NetSPA is presented that analyzes firewall rules and vulnerabilities to construct attack graphs. These show how inside and outside attackers can progress by successively compromising exposed vulnerable hosts with the goal of reaching critical internal targets. NetSPA generates attack graphs and automatically analyzes them to produce a small set of prioritized recommendations to restore defense in depth. Field trials on networks with up to 3,400 hosts demonstrate that firewalls often do not provide defense in depth due to misconfigurations and critical unpatched vulnerabilities on hosts. In all cases, a small number of recommendations was provided to restore defense in depth. Simulations on networks with up to 50,000 hosts demonstrate that this approach scales well to enterprise-size networks.

I. INTRODUCTION

Defense in depth is a common strategy used to protect critical resources on enterprise networks as well as Supervisory Control and Data Acquisition (SCADA) and other process control subnets. It relies primarily on multiple layers of firewalls between protected systems and the internet. There is often a perimeter firewall between a corporate enterprise network and the internet, internal firewalls protect subnets for separate enterprise units, and deeper internal firewalls protect critical subnets. It is difficult to verify the protection this affords against cyber attacks because firewall rules are complex and vulnerabilities on hosts exposed through firewalls are constantly being discovered and patched.
This paper describes a tool named NetSPA (NETwork Security and Planning Architecture) that verifies and, if necessary, provides suggestions to restore defense in depth for large enterprise networks. It provides a comprehensive solution that is not currently available due to the limitations of current security tools. For example, network vulnerability scanners, such as Nessus [1], discover hundreds or thousands of vulnerabilities on even small networks but do not indicate which of these enable an attacker to progress through a network to reach critical resources. A firewall ruleset evaluator identifies common misconfigurations, such as rules permitting arbitrary inbound traffic to a common server port (e.g. [2]), but again does not indicate which rules permit an attacker to reach critical resources.

NetSPA uses attack graphs to measure and maintain network security. Many different representations have been proposed for attack graphs (e.g. [3]-[9]). The representation we use is illustrated in Fig. 1. This attack graph starts at a root node that represents the attacker's starting host. The root node in this graph is the upper node labeled attacker. Edges represent a specific instance of a vulnerability that an attacker is able to exploit. An edge connects a source node, where the attack originates, to a target node representing a new privilege provided by the attack. The target node represents either increased privilege on an already-compromised host or new privilege on a new host. Multiple edges connect two nodes in an attack graph when there are multiple vulnerabilities that achieve the same goal and any one is sufficient to compromise the target host. This formally makes our attack graph a multigraph.

(Footnote: This work is sponsored by the United States Air Force under Air Force Contract FA. Opinions, interpretations, conclusions and recommendations are those of the authors and are not necessarily endorsed by the United States Government.)
An attack graph for a network shows all hosts that can be compromised by an attacker starting at a specific location and the sequences of actions that permit these compromises. This attack graph was generated using NetSPA from data collected at an actual site containing the network shown in Fig. 2. This site contains Division and Office local area networks (LANs) separated from a larger outside enterprise network by the upper perimeter firewall. The Office LAN is in addition separated from the Division LAN by the lower internal firewall, and there is an Office DMZ subnet that contains servers accessible from hosts on the Division LAN. SCADA devices or other critical resources would be located on the Office LAN subnet to provide the greatest protection from attackers on the external network. There are more than 200 hosts on the Division LAN and the external network but fewer than 10 hosts on the Office LAN.

[Fig. 1. Simplified Attack Graph for Real Network]
[Fig. 2. Topology of Real Network: External Network (Attacker Host), Perimeter Firewall, Division LAN, Internal Firewall, Office LAN, Office DMZ]

The original attack graph generated for this site contained thousands of nodes and edges and could not have been easily displayed in this paper. This complex graph was automatically simplified to create the graph shown in Fig. 1. In this graph, nodes represent many hosts compromised at the same level from the same source node, and edges represent all vulnerabilities that can be used to compromise any of these hosts. The attack graph is also simplified to show only hosts that can be compromised at the system level, which corresponds to UNIX root or Windows administrator level. The attack graph shows that an attacker on the external network (Node N1) can directly compromise 93 hosts in the external network by exploiting 88 vulnerabilities across these hosts, and that one server (Node N2) can also be compromised through the upper perimeter firewall. From there, the Division LAN server (Node N2) can be used as a stepping stone to compromise 125 hosts in the Division LAN by exploiting 103 vulnerabilities across these hosts. This server can also compromise a server in the Office DMZ (Node N664) using any one of four vulnerabilities. Finally, the server in the Office DMZ can be used as another stepping stone to compromise one host in the Office LAN (Node N1982) using either of two vulnerabilities.
Nodes for the two last machines have high numbers because they keep their numbers from the original, much larger attack graph before simplification. This simple graph shows that two stepping-stone hosts enable an outside attacker to compromise 220 hosts at this site and to reach into the most protected Office LAN in the network. Attack paths through firewalls shown in Fig. 1 were unexpected. They demonstrate that even three layers of firewall rules (counting the LAN DMZ) are not providing defense in depth. Paths through all the firewalls were enabled by only ten critical unpatched vulnerabilities from among the thousands discovered by vulnerability scanners on these networks.

This paper focuses on using NetSPA to verify the security of existing networks and, if necessary, create a prioritized list of recommendations for system administrators that provide the greatest improvement in network security by blocking the most destructive attack paths first. For example, in the above attack graph the first recommendation is to patch vulnerabilities on the DNS server (Node N2). An automatic system was developed to create recommendations because attack graphs are often large, complex, and difficult to interpret visually. The rest of the paper covers the NetSPA system in detail, describes results obtained on operational networks, and discusses related work. Further details on the NetSPA system are available in a recent report [10].

II. NETSPA INPUTS AND TASKS

A block diagram of NetSPA is shown in Fig. 3. The left side of this figure shows that NetSPA automatically imports the following into an internal database:

1) Vulnerability Scans, such as those produced by Nessus [1], that list where vulnerabilities are in the network and provide information on individual hosts and open ports.
2) Vulnerability Databases, such as NVD [11], that describe the prerequisites for and the effects of exploiting vulnerabilities.
3) Firewall Rules, such as Sidewinder rulesets, that describe how traffic may or may not flow through a filtering device.
4) Topology Information that specifies how firewalls and hosts from vulnerability scans are connected together.

[Fig. 3. NetSPA System Block Diagram: inputs (Vulnerability Scanners such as Nessus and ISS; Vulnerability Information such as NVD and CVE; Firewall Configuration Files such as Sidewinder and Checkpoint; Topology Information and Asset Values) pass through Data Preprocessing into a Relational Database, followed by Reachability Analysis, Attack Graph Generation, Attack Graph Analysis, and Recommendations and Results]

The first three items in the list can be obtained automatically and imported, but topology information needs to be provided by hand. This information is limited, doesn't change often, and is relatively easy to enter. The right side of Fig. 3 shows that NetSPA uses imported data to perform three main tasks: (1) compute reachability, (2) create an attack graph, and (3) generate recommendations. Algorithms to perform these three tasks that are efficient in time and space are described below.

III. REACHABILITY COMPUTATION

Reachability is a critical prerequisite of attack graph construction. It refers to determining which ports on all other hosts in a network can be reached via TCP or UDP connections from all interfaces on all hosts in a network. This involves a complex analysis of firewall rules and the network topology to make sure there is at least one path between the two hosts of interest to the port of interest. Prior work often explicitly assumed reachability information was provided (e.g. [7], [12]). This is reasonable for theoretical analyses, but we have found empirically that computing reachability can sometimes be more costly than computing attack graphs. Alternatively, some systems (e.g. [3], [13]) assume that reachability can be determined using information from network vulnerability scanners. This approach does not scale to large networks and will miss reachability available to attackers because firewalls frequently allow connections only from specific source IP addresses.

The straightforward approach to reachability analysis involves filling in elements in a reachability matrix. Each row in the matrix represents a source interface, and each column represents a destination port. Each cell of the matrix holds a Boolean value, indicating whether or not reachability exists between the source interface and the destination port. Precomputing this matrix is both space-intensive (roughly quadratic in the number of hosts in the network) and time-intensive. Correctly computing a cell's value is a computationally intensive task because each cell represents a potential traffic flow in the network. Our system determines if the network permits or denies the traffic by traversing the network model, crossing filtering devices and evaluating firewall rules when encountered.

Two major improvements dramatically improved performance over the past year. The first improvement was to compute outbound reachability (rows in the matrix) only for hosts the attacker is actually able to compromise at a user or administrator level. Reachability from the non-compromised hosts is irrelevant to the attack graph, and this simple optimization saves large amounts of time when analyzing well-secured networks. The second improvement involves grouping hosts with similar reachability matrix entries. This is accomplished by separating the traditional reachability matrix into multiple submatrices for traffic within an individual subnet and traffic that crosses between subnets. Imagine a small hypothetical network with two subnets separated by a firewall. A full reachability matrix for this network is shown in Fig. 4.
Interfaces and ports in the first subnet are listed before interfaces and ports in the second. The upper left and lower right submatrices represent intra-subnet reachability, and the remaining two submatrices are inter-subnet reachability.

[Fig. 4. Full Reachability Matrix: rows are source interfaces, columns are target host/port pairs]
[Fig. 5. Reachability Matrix with Filtered and Unfiltered Domains: rows Unfiltered Subnet 1, Filtered 2 -> 1, Filtered 1 -> 2, Unfiltered Subnet 2; columns are target host/port pairs]

Interfaces that are fully interconnected without any intervening filtering are placed in unfiltered reachability domains. Unfiltered reachability domains are formed for all interfaces in a subnet when there is no filtering between these interfaces. This method treats submatrices of the reachability matrix as individual subrows without losing information, as shown by the upper left and lower right subrows in Fig. 5. It effectively reduces each unfiltered submatrix of dimensions m x n to a subrow of length n.

Interfaces that are in the same unfiltered domain and are treated identically by all filtering rules are placed in filtered reachability domains. These interfaces have identical reachability to destinations outside of their unfiltered reachability domains. This method also makes it possible to treat additional submatrices of the reachability matrix as individual subrows, as shown in Fig. 5. For each set of interfaces in a filtered reachability domain, reachability needs to be calculated for only one interface of the set (one row of the submatrix), and all other members of the set share that reachability information. The example of Fig. 5 shows a single filtered reachability domain in subnet one and three filtered reachability domains in subnet two. Two of those three domains are singletons and apply to only one interface. Every interface with reachability information belongs to one unfiltered and one filtered reachability domain. Filtered reachability domains are constructed automatically using firewall rule sets to identify hosts that are treated identically by all firewalls, as described in [10].
In most networks, the two types of reachability domains reduce computation and storage requirements substantially. If our sample network had 200 hosts in each subnet with one port open on each, then the number of unique entries in the reachability matrix starts at 400 x 400 = 160,000 without reachability domains. With reachability domains, the number of unique entries could drop as low as 800. This reduces storage and computation by more than two orders of magnitude.

IV. SELECTING SOURCE AND DESTINATION ADDRESSES

A naive approach to creating attack graphs would consider only IP addresses of physical hosts in a network as source and destination addresses. This may miss exploitable attack paths for two reasons. First, firewalls can include Network Address Translation (NAT) rules to translate destination IP addresses that don't exist on any physical host into a physical address. An attacker using such a destination address may be able to penetrate a firewall to an internal host accessed using destination NAT rules. This problem is addressed by adding a virtual destination host on each subnet in analyzed networks. This host includes all IP addresses mentioned in destination NAT rules across all firewalls. It forces our algorithms to reach any hosts that can only be accessed through destination NAT rules.

A second limitation of using only IP addresses of physical hosts is that an attacker can sometimes spoof the source IP address of a host to use an IP address specifically allowed to pass through a firewall. An attacker using such a source address may be able to penetrate a firewall using custom pass rules inserted to satisfy some current or past requirement. This issue is addressed by allowing a user to select a virtual source host as the attacker starting node. In NetSPA, the attacker starting location can be the IP address of an actual physical host or a virtual host with a list of source IP addresses selected specifically to penetrate firewalls.
A virtual host includes IP addresses found in any firewall rule and a representative address for each address range referenced by any firewall rule. These source addresses exercise all firewall rules and represent an attacker with complete knowledge of all firewall configurations. When a virtual attacker host is used, a worst-case assumption is made that an attacker can use any source IP address and attempt to bypass as many network restrictions as possible.
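The reachability domains of Section III and the virtual attacker host of Section IV, worked through on a constructed two-subnet network (an added example, not NetSPA code; the hosts, the first-match firewall rules and the rule-signature method of grouping interfaces into filtered domains are assumptions made for the illustration). It also reproduces the paper's 160,000 versus 800 entry count for the 200-hosts-per-subnet case.

```python
from ipaddress import ip_address, ip_network

# Constructed two-subnet network: interface IP -> (subnet id, open TCP ports).
# One firewall joins the subnets; traffic inside a subnet is unfiltered.
HOSTS = {
    "10.1.0.10": (1, [22]), "10.1.0.11": (1, [22]),      # .10 is the admin box
    "10.1.0.12": (1, [22]), "10.1.0.13": (1, [22]),
    "10.2.0.80": (2, [22, 80]), "10.2.0.5": (2, [22]),   # web server, mgmt host
    "10.2.0.6": (2, [22]), "10.2.0.7": (2, [22]),
}
# Constructed firewall rules, first match wins, default deny:
# (source, destination, port or None for any, action)
RULES = [
    ("10.1.0.10", "10.2.0.0/24", 22, "allow"),
    ("10.1.0.0/24", "10.2.0.80", 80, "allow"),
    ("10.2.0.5", "10.1.0.10", 22, "allow"),
]


def matches(spec, addr):
    """True if addr lies inside spec, a single IP or a CIDR range."""
    return ip_address(addr) in ip_network(spec, strict=False)


def firewall_permits(src, dst, port):
    """First-match evaluation of RULES for one flow crossing the firewall."""
    for rule_src, rule_dst, rule_port, action in RULES:
        if matches(rule_src, src) and matches(rule_dst, dst) and rule_port in (None, port):
            return action == "allow"
    return False


def filtered_domains():
    """Group each subnet's interfaces that every rule's source field treats alike.

    The signature records, rule by rule, whether the interface matches the rule's
    source spec; equal signatures mean equal reachability outside the subnet."""
    domains = {}
    for ip, (subnet, _) in HOSTS.items():
        signature = tuple(matches(rule[0], ip) for rule in RULES)
        domains.setdefault((subnet, signature), []).append(ip)
    return domains


def build_tables():
    """Evaluate the firewall once per filtered domain instead of once per interface.

    Returns (representative interface of each IP, reachability of each
    representative to every open port outside its own subnet)."""
    rep_of, table = {}, {}
    for (subnet, _), members in filtered_domains().items():
        rep = members[0]
        for ip in members:
            rep_of[ip] = rep
        for dst, (dst_subnet, ports) in HOSTS.items():
            for port in (ports if dst_subnet != subnet else []):
                table[(rep, dst, port)] = firewall_permits(rep, dst, port)
    return rep_of, table


REP_OF, TABLE = build_tables()


def reachable(src, dst, port):
    """Reachability query answered from the compressed tables."""
    if HOSTS[src][0] == HOSTS[dst][0]:
        return port in HOSTS[dst][1]  # same unfiltered domain: every open port
    return TABLE.get((REP_OF[src], dst, port), False)


def entry_counts():
    """(cells in the full matrix, cells kept as unfiltered plus filtered subrows)."""
    ports_in = {}
    for subnet, ports in HOSTS.values():
        ports_in[subnet] = ports_in.get(subnet, 0) + len(ports)
    total = sum(ports_in.values())
    full = len(HOSTS) * total
    unfiltered = total  # one subrow per subnet, as long as that subnet's ports
    filtered = sum(total - ports_in[subnet] for subnet, _ in filtered_domains())
    return full, unfiltered + filtered


def paper_estimate(hosts_per_subnet=200, filtered_per_subnet=1):
    """The paper's estimate: n hosts per subnet, one port each; returns
    (entries without domains, entries with domains)."""
    n = hosts_per_subnet
    return (2 * n) ** 2, 2 * n + 2 * filtered_per_subnet * n


def virtual_attacker_addresses():
    """Section IV virtual host: every single IP named in a rule plus one
    representative address per address range referenced by a rule."""
    found = set()
    for rule_src, rule_dst, _, _ in RULES:
        for spec in (rule_src, rule_dst):
            net = ip_network(spec, strict=False)
            found.add(net.network_address if net.num_addresses == 1 else next(iter(net.hosts())))
    return [str(a) for a in sorted(found)]
```

On this network the 8 x 9 full matrix shrinks to 27 stored cells, and the four filtered domains (two per subnet) are exactly the rows Fig. 5 would keep.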

V. VULNERABILITY EVALUATION

Attack graph generation requires knowledge of the prerequisites required for vulnerability exploitation and of the effect of exploitation on attacker privileges and the network. Previous work developed languages to represent attack prerequisites and effects. JIGSAW [14], LAMBDA [15], and CAML [16], for example, use complicated models of prerequisites and attack effects. Other attack graph papers (e.g. [5], [7], [13]) define their own models. None of these approaches have been applied to large networks with many vulnerabilities, and many require complex hand analysis of vulnerabilities to extract the information required. We developed a simpler approach that has been successfully applied to large networks with hundreds of vulnerabilities. Our approach uses an attacker model that is based solely on malicious actions. If a vulnerability exists, and the attacker can reach the vulnerable port, then it is assumed that the attacker can successfully exploit the vulnerability to its fullest extent. No attempt is made to model exploitation details as in [13], such as how exploit scripts are downloaded, installed, and executed, because these tasks can be performed in many different ways.

We take a similar approach to vulnerability classification. Prerequisites and post-conditions used for vulnerabilities are shown in Table I. The only prerequisite is locality and there are only four effects. This simplified classification is used because this information can be automatically extracted from existing data sources. Locality specifies the location of the attacker when exploiting a vulnerability, and effect specifies the privilege level obtained by an attacker (Administrator, User, Other, or DoS).

TABLE I. VULNERABILITY CLASSIFICATIONS

Locality
  Local: Exploit only from the vulnerable machine itself.
  Remote: Exploit remotely over the network.
Effect
  Administrator: Administrator- or Root-level access to vulnerable host.
  User: User- or guest-level access to vulnerable host.
  Other: Confidentiality and/or integrity loss, e.g. read files, corrupt limited files, learn about software versions running on a host.
  DoS: Target service or host disabled with no access to host.

Initially, we thought that locality and effect information could easily be extracted from existing vulnerability information sources. Vulnerability scanners such as Nessus provide information on discovered vulnerabilities, and when CVE identifiers [17] are provided, they can be used to cross-reference vulnerability databases, such as NVD [11] and Bugtraq [18]. Unfortunately we found that CVE identifiers are not always provided by vulnerability scanners, that databases are error-prone and often inconsistent, and that information is often provided as free-form text designed for human, not computer, consumption. We used machine learning techniques to develop a pattern classifier that unifies all of the available data, including human-readable text strings, and determines the locality and effect of vulnerabilities. A total of 215 vulnerabilities found on actual networks were first analyzed by hand to determine their locality and effect, and features were extracted from Nessus, the NVD database, and the CVE text description of these vulnerabilities. Features included the values of categorical and binary data fields used by Nessus and the NVD database to characterize vulnerabilities. They also included binary features that indicated the presence of common generic phrases in descriptive text such as "execute arbitrary code" and "gain system privileges". Different types of classifiers were evaluated using the LNKnet pattern classification software package [19] with the goal of correctly determining locality and effect. A logistic regression classifier performed as well as more complex decision tree and support vector machine classifiers when measuring performance using 10-fold cross-validation testing.
The expected generalization error of this classifier estimated using such testing is nearly 100% correct for locality and better than 90% correct for effect. The small number of effect errors was caused primarily by missing values in the NVD vulnerability database fields and ambiguous text descriptions. Although the classifier makes some errors, the consensus opinion it provides is still better than that provided by any one of the individual data sources. It has been used successfully in many field trials to obtain locality and effect information for vulnerabilities that have not been hand-analyzed by a security expert who has examined all relevant information. There will always be some errors in vulnerability classification, whether made by an automated classifier or a human expert. NetSPA is flexible enough to allow rapid regeneration of attack graphs to examine the effect of changing the locality and effect of specific critical vulnerabilities and to regenerate attack graphs when classifications change.

VI. ATTACK GRAPH GENERATION

The simple network shown in Fig. 6 illustrates how graphs are constructed. This network contains five hosts, A, B, C, D, and E, collocated on a hub. A is the attacker's starting location. The other four hosts have a remote-to-administrator vulnerability v1, shown in graphs with a solid edge. Additionally, B is able to remotely log on as the administrator to C, D, and E. This is denoted v2, because an attacker can use this capability as a remote-to-administrator vulnerability after compromising B. It is shown as a dashed edge in graphs.

A. Full Graph

A full attack graph that shows all possible paths to compromise all vulnerable hosts has been generated in many previous studies (e.g. [5]-[9]). A full graph for the simple network is shown in Fig. 7. Unfortunately, it is impractical to generate a full graph even for modest networks. The number of nodes in the full graph grows combinatorially as O(h!), where h is the number of vulnerable non-attacker hosts in the network.

B. Predictive Graph

After exploring a number of alternative graph types and generative algorithms, we developed a graph, called a predictive graph, that can be built efficiently and has two critical properties. First, it determines all hosts that can be compromised by an attacker from a given starting location. Second, without regenerating the graph, it correctly predicts the effect of removing vulnerabilities. Removing vulnerabilities could correspond to patching vulnerable software, altering firewall rules to block access to a vulnerable service, or removing the vulnerable software altogether. The effect of removing vulnerabilities can be determined by removing the associated edges from the graph and observing which nodes are made unreachable from the starting location. Because this does not involve regenerating the graph, but simply editing the graph, we call this a predictive graph. A predictive graph must make correct predictions when any combination of edges is removed. The predictive graphs we build are directed and acyclic. The predictive graph corresponding to the network in Fig. 6 is shown in Fig. 8.
[Fig. 6. A Sample Network: A (Attacker), B (System Administrator), and C, D, E (User Desktops), all on one hub]

Detailed pseudo code for the predictive graph algorithm is available in [10]. A predictive graph is built in a breadth-first fashion from the root. To extend the graph from a given node, all of the vulnerabilities on all of the vulnerable ports that the attacker can reach from that node are explored. If the vulnerability yields a level of access not yet achieved on the path from the root to the current node, and the vulnerability instance has not been exploited by any node along the path from the root to the current node, then the graph records the exploit and adds the resulting node to the breadth-first queue. The second condition, checking for the vulnerability's prior use by any parent node, is the pruning condition that creates a predictive graph. The correctness of this pruning condition, which we have named dynamic pruning, is shown in [10]. Redundant paths in a full graph are eliminated in a predictive graph. The remaining structure fulfills the predictive requirement.

For example, consider an analysis of the network in Fig. 6 to determine the effect of patching vulnerability v1 on host C. Designate this edge/host pair as E(v1, C) where, more generally, E(v, h) is the edge/host pair indicating that vulnerability v is exploited on host h. If every E(v1, C) edge/host pair is removed from the predictive graph, then the graph correctly shows that C is still vulnerable due to the path A, E(v1, B), E(v2, C) starting from the attacking host.

It is difficult to create computation bounds for predictive graphs because the graph size depends on the network topology, firewall settings, and location of vulnerable hosts and the attacker. On a flat network with h hosts interconnected with no filtering devices, computation is bounded by O(h^2 log h), which is roughly quadratic in the number of hosts.
Simulation studies described below and field trials on actual networks suggest that complexity often grows less than quadratically even in complex enterprise networks. Predictive graphs were successfully computed for all actual and simulated networks used in this paper. These graphs, however, may become impractical to compute in some rare situations. One is when there are many firewall layers and when many different hosts are exposed and can be compromised directly through each firewall. A variant of a predictive graph, called the node-predictive graph, mitigates this problem. A node-predictive graph accurately predicts the effect of completely patching any combination of nodes, where nodes represent either individual hosts or groups of hosts. Node-predictive graphs are built using the predictive graph method with an algorithm called dynamic host collapse, or DHC. DHC places hosts into host groups, grouping them when the hosts have equivalent inbound compromisability. In other words, if two hosts can be compromised at the same level (user, administrator, other, DoS) from every host the attacker has already compromised, then the hosts are equivalent from the point of view of the attack graph. This also means that if one host in a group can be compromised, then all hosts in that group can be compromised. A host group is treated like a single host by the attack graph generator, and host groups are consistent across the graph. A detailed discussion of node-predictive graphs is available in [10].

[Fig. 7. A Full Graph for the network of Fig. 6]
[Fig. 8. A Predictive Graph for the network of Fig. 6. Both figures are drawn from root A at Level 0 (Root) down through Levels 1 to 4; solid edges are vulnerability v1, dashed edges are vulnerability v2]

VII. ATTACK GRAPH ANALYSIS

Attack graphs are often too complex for hand analysis. To address this problem, an analysis system was developed that automatically provides system administrators with an easily understood, prioritized list of recommended network changes. The first step of creating recommendations requires computing a measure called the Network Compromise Percentage, or NCP, from the attack graph. The NCP is the percentage of the hosts on the network on which the attacker has obtained user- or administrator-level access. An NCP of 0% indicates no compromises were possible; an NCP of 100% indicates compromise of every host in the network. Hosts that provide critical network resources such as servers, or that interface to SCADA devices, can be given higher weights, or asset values, in this calculation related to their importance, as described in [10]. In this analysis it is assumed that all hosts are equally important. The NCP assigns a simple, easy-to-understand number to an attack graph.

The analysis system hypothesizes patches to hosts and evaluates their effects on the network's security. Each hypothetical patch or group of patches is called a recommendation. Recommendations are host-based, rather than vulnerability-based, to make them easy for an administrator to understand and implement. Per-host recommendations are generated by traversing the complete attack graph and recording all edges that can be used to compromise each host.
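The edge-removal prediction of Section VI and the NCP-based per-host ranking just described, as an added example (not NetSPA's generator or analysis code). The graphs are hand-built from the paper's descriptions of the Fig. 6 network and the simplified Fig. 1 graph; it is assumed that the NCP denominator is the set of hosts appearing in the graph (attacker excluded) and that each group of vulnerabilities in Fig. 1 can be aggregated into one labelled edge.

```python
from collections import deque


class AttackGraph:
    """Nodes are the attacker's root plus compromised hosts or host groups; each
    edge carries the vulnerability instance E(v, h) used to reach its target."""

    def __init__(self, root, host_counts):
        self.root = root
        self.host_counts = dict(host_counts)  # node -> hosts it stands for (root excluded)
        self.edges = []                       # (source node, vulnerability id, target node)

    def add_edge(self, src, vuln, dst):
        self.edges.append((src, vuln, dst))

    def compromised(self, removed=()):
        """Nodes still reachable from the root once the E(v, h) instances in
        `removed` are deleted. Every edge using such an instance disappears,
        whatever its source: that is how a patch is modelled in a predictive graph."""
        removed = set(removed)
        live = [(s, v, d) for s, v, d in self.edges if (v, d) not in removed]
        seen, queue = {self.root}, deque([self.root])
        while queue:  # breadth-first walk over the surviving edges
            node = queue.popleft()
            for s, _, d in live:
                if s == node and d not in seen:
                    seen.add(d)
                    queue.append(d)
        seen.discard(self.root)
        return seen

    def ncp(self, removed=()):
        """Network Compromise Percentage with every host weighted equally."""
        total = sum(self.host_counts.values())
        owned = sum(self.host_counts[n] for n in self.compromised(removed))
        return 100.0 * owned / total

    def patch_host(self, host):
        """Instances a host-based recommendation removes: every edge targeting host."""
        return {(v, d) for _, v, d in self.edges if d == host}

    def recommendations(self):
        """Per-host recommendations ranked by delta-NCP, most effective first."""
        base, owned = self.ncp(), self.compromised()
        recs = [(h, round(base - self.ncp(self.patch_host(h)), 2))
                for h in self.host_counts if h in owned]
        return sorted(recs, key=lambda r: (-r[1], r[0]))


def figure6_graph():
    """Hand-built graph for the Fig. 6 network (constructed from the text): v1 is
    remote-to-administrator on B, C, D and E; v2 is B's administrator logon to
    C, D and E, usable only after B is compromised."""
    g = AttackGraph("A", {"B": 1, "C": 1, "D": 1, "E": 1})
    for host in "BCDE":
        g.add_edge("A", "v1", host)
    for host in "CDE":
        g.add_edge("B", "v2", host)
    return g


def figure1_graph():
    """Simplified Fig. 1 graph with the paper's host counts as node weights;
    each aggregated edge stands for all vulnerabilities reaching that node."""
    g = AttackGraph("attacker", {"external": 93, "N2": 1, "division": 125,
                                 "N664": 1, "N1982": 1})
    g.add_edge("attacker", "88 external vulns", "external")
    g.add_edge("attacker", "perimeter vuln", "N2")      # through the perimeter firewall
    g.add_edge("N2", "103 division vulns", "division")  # N2 as first stepping stone
    g.add_edge("N2", "4 DMZ vulns", "N664")
    g.add_edge("N664", "2 office LAN vulns", "N1982")   # second stepping stone
    return g


def patching_v1_on_c_leaves_c_vulnerable():
    """The paper's check: with every E(v1, C) removed, C still falls through
    A, E(v1, B), E(v2, C); removing E(v1, B) as well finally protects C."""
    g = figure6_graph()
    return ("C" in g.compromised({("v1", "C")})
            and "C" not in g.compromised({("v1", "C"), ("v1", "B")}))
```

For the Fig. 1 graph the top-ranked recommendation is N2, matching the paper's first recommendation for that site; for Fig. 6 every single host is worth the same 25 points, because a host-based patch removes v2 edges into C, D and E as well as v1.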
This traversal creates a list of exploitable vulnerabilities for each host and ignores vulnerabilities that the attacker cannot directly exploit. Group recommendations are also created that represent the impact of patching several hosts at once. This analysis begins at the attacker's starting node. For each child node (each representing a host the attacker can compromise directly), we compute the set of all hosts compromised below the child node. We then collect the child nodes into groups. A child node N_c joins the recommendation group if the group already contains a node N_d such that the set of hosts compromised below N_c has a non-null intersection with the set of hosts compromised below N_d. The algorithm thus forms groups of hosts which are stepping-stones to some common subset of additional hosts. Any singleton group is recursively explored, treating the single node in the group as the attacker's starting node and running the algorithm again. Per-host and group recommendations make it possible to find and report both single-host and multiple-host stepping stones in the attack graph.

Predictive graphs make it possible to predict the impact of recommendations without rebuilding the graph. This is accomplished by removing edges that target the host or hosts the recommendation suggests patching. Once the edges are removed from the graph, the graph's new NCP is computed. A recommendation's value is the difference, ΔNCP, between the original and new NCP. The collection of recommendations is sorted by ΔNCP and presented as an ordered list, in order of effectiveness. The recommendation which reduces the NCP value the most is displayed first.

VIII. FIELD TRIALS AND SCALING

A. Field Trials

NetSPA has been evaluated on three real networks under the guidance and cooperation of the system administrators of these networks. One network was at a military site and two were at our laboratory. One of the laboratory networks is shown in Fig. 2. This network was analyzed multiple times over a few years. One of the resulting attack graphs is shown in Fig. 1. For all networks, NetSPA required only a few minutes to build predictive graphs and generate recommendations. Initial vulnerability scans typically found vulnerabilities on hundreds to thousands of computers. When firewall information was available, NetSPA discovered previously unknown critical attack paths that were only uncovered by automatically gathering and analyzing both vulnerability and firewall configuration information. Some of these paths were surprising and unexpected. Recommendations NetSPA produced restored defense in depth by patching a small number of vulnerabilities on stepping-stone hosts that enabled attackers to penetrate a network. Hand examination of firewall rules and vulnerabilities identified by NetSPA recommendations revealed two common security problems.
The first problem, also noted by [2], was misconfigured firewalls. Examples discovered include old legacy rules that unnecessarily allowed access from outside IP addresses or subnets, and firewall rules where internal and external addresses are incorrectly interchanged. These were discovered by NetSPA's reachability analysis. Incorrect rules were primarily indicated by starting virtual IP addresses, created as described in section IV, that allowed attackers to penetrate firewalls. The second problem discovered by NetSPA was recently discovered, but unpatched, vulnerabilities on hosts that were exposed through firewalls. NetSPA identified a small number of critical vulnerabilities that needed to be patched to restore security. In these and other large networks it is often too costly to immediately patch every vulnerability found on every host whenever a new vulnerability is announced. NetSPA alleviates this problem by identifying a small number of critical vulnerabilities that can be more readily patched to maintain network security.

B. Simulated Scaling Experiments

Simulation studies were performed to evaluate scaling performance using networks with up to 50,000 hosts. An enterprise network model was used that contains five enclaves, where each enclave models a company or university site. Each enclave contains a perimeter firewall, hosts in a DMZ, hosts in an administrative LAN, hosts in multiple IPv4 class C subnets, and hosts behind internal firewalls protecting additional class C subnets. The number of hosts in simulations was increased by scaling up the number of hosts in enclave subnets while keeping the number of subnets and enclaves constant. All experiments were performed on a single-processor Pentium GHz machine with 1024 MB PC133 SDRAM, running Microsoft Windows XP. All times reported here are the overall totals, including database load, reachability computation, attack graph generation and analysis, and output.
Total memory usage required by NetSPA never exceeded 250 MB. Simulation parameters were adjusted to represent a simple and a complex network. The simple network has 10 open ports per host and 10 IP-specific filtering rules per perimeter firewall, for a total of 50 rules in all firewalls. The complex network has 30 open ports per host and 400 IP-specific rules per perimeter firewall, for a total of 2,000 rules in all firewalls. An additional experiment was run with the attacker starting from one fixed IP address instead of trying all IP addresses selected for the virtual attacker host. For these tests, firewall rules permitted the same level of attacker progress in either case, ensuring that reachability computation was the only difference between the two simple enterprise cases. In all simulations, half of all hosts on the inside of each enclave contained a remote-to-administrator vulnerability and half contained no vulnerabilities. In addition, the perimeter firewall allowed one path into a simulated DMZ subnet and one path out of this subnet into the interior of each enclave.

The lowest curve in Fig. 9 shows the total NetSPA computation time for an attacker starting from one specific external IP address for the five-site simple enterprise network. This can be compared with the next higher curve, which is the total computation time for the same network using the default external virtual attacker host that explores paths created with all IP addresses that occur in any firewall rule. The total computation time is smaller with a single starting IP address because reachability from the attacker's starting location has to be computed from only one address. An attack graph with a single starting address might be of interest if attackers were forced to use one or more fixed starting addresses. Overall run times for the simple enterprise network are roughly a minute for networks with up to 2,000 hosts and less than an hour for simple enterprise networks with up to 32,000 hosts. These are the most efficient attack graph generation times we are aware of; in fact, we are aware of no past paper on attack graphs in which attack graphs are computed for networks with more than a few hundred hosts. In addition, the slopes of all curves indicate that computation grows less than quadratically in the number of hosts for this simulated enterprise network. This also is the lowest computational complexity growth rate for attack graphs that we are aware of. The upper curve of Fig. 9 shows the overall run time for the complex network. With 10,000 hosts, the overall run time increases to roughly three hours for the complex network from 10 minutes for the simple network with a similar number of hosts. These run times are practical even for large enterprise networks. The increase in run time is caused by additional starting addresses for the virtual attacker host, additional firewall rules that must be analyzed, and additional target ports that must be considered when computing reachability.

Fig. 9. Growth of total NetSPA run time (seconds) with the number of hosts in the simulated enterprise network. Curves: Complex Network (Overall), Simple Network (Overall), Simple, Single Source-IP Network (Overall).

IX. RELATED WORK

A comprehensive annotated review of past research on attack graphs is provided in [20].
Although research has made significant progress, no past paper on attack graphs that we are aware of reports on the analysis of real networks with more than hundreds of hosts. The two most capable past systems for network vulnerability analysis are the Topological Vulnerability Analysis (TVA) tool [3], [13] and the MulVAL logic-based network security analyzer [21]. The MulVAL system [21] uses host-based data collection to accurately identify vulnerabilities on each host in a network and assumes reachability information is provided. It has been tested using data from a real network with three hosts and simple simulated networks obtained by duplicating each of these hosts. The goals of this system are similar to those of NetSPA. NetSPA, however, explicitly computes reachability, automatically imports vulnerability information, and has been used on real networks with thousands of hosts. The Topological Vulnerability Analysis (TVA) tool [13] was used to construct attack graphs for a small 17-host network, but scaling was poor. These tools rely on algorithms described in [12], where the computation of attack graphs is bounded by O(h^6), with h the number of hosts in a network. Although this is polynomial and not combinatorial, as stated in [12], this approach will only scale to networks with at most tens or hundreds of hosts. Recent papers [3] suggest that scaling for the TVA tool has been improved, but run times or scaling results for large networks have not been presented. Other past systems used full attack graphs [5], [6], [9] and cannot scale to large networks because the size of these graphs is combinatorial in the number of hosts. Past experiments [7] also demonstrate that model checking exhibits poor scaling even for small simulated networks with only tens of hosts. One commercial tool named Skybox View [22] has been developed that uses attack graphs to analyze networks.
Only general information is available at the company's web site [22], and a patent has been issued that describes the basic approach [23]. To the best of our understanding, this system computes what we call host-compromised attack graphs, which determine only the shortest path to compromise hosts from a given starting location. A host-compromised graph is not predictive. It is thus more computationally expensive to formulate and evaluate recommendations using such graphs, because a new graph must be built to determine which hosts can be compromised following each possible recommendation.

X. CONCLUSIONS AND FUTURE WORK

A tool named NetSPA (NETwork Security Planning Architecture) was developed to verify and, if necessary, restore the security of large enterprise networks. During field trials, NetSPA successfully imported vulnerability scanner and firewall configuration information and was able to produce

attack graphs and make recommendations in only a few minutes for three actual networks with 200 to 3,400 hosts. Unexpected attack paths were generated that exposed incorrect firewall rules and critical unpatched vulnerabilities on hosts exposed through firewalls. The small number of high-priority recommendations provided by NetSPA were followed to successfully restore the security of these networks. Studies using simulated enterprise networks demonstrate that NetSPA can successfully analyze complex networks with as many as 50,000 hosts using general-purpose computing hardware. Computing reachability between all hosts was often more computationally intensive than constructing attack graphs. Although many past studies assume reachability information is available, much of our effort has focused on making reachability computation more efficient and accurate by grouping hosts into filtered and unfiltered reachability domains, emulating filtering devices, computing reachability on demand, and using efficient data structures and algorithms.

Future work is planned in several areas. Attack graph building and reachability computations support most attacks found by network vulnerability scanners, but do not easily support some attacks that have multiple prerequisites. For example, they do not directly support trust-relationship attacks, where an attacker obtains a prerequisite for another attack (e.g. a password) from one host and then uses this prerequisite to compromise another remote host. They also do not directly model situations where an attacker compromises a firewall and changes the firewall rules, because this changes the network reachability. Client-side attacks, where a client is compromised when connecting to a malicious server, are also not modeled. We are exploring attack graph modifications that would permit us to handle these attack types. In addition, we are exploring other uses of attack graphs.
One is to perform what-if experiments and predictively explore the effect of changes in network security policy and of adding hypothetical zero-day vulnerabilities. A second is to use attack graphs to filter alerts from intrusion detection systems and firewalls, as suggested by [15] and others.

ACKNOWLEDGMENTS

We would like to thank the unnamed system administrators who helped us perform field trials, Peter Mell and Tim Grance who support the NIST ICAT and NVD databases, and the many developers of Nessus.

REFERENCES

[1] Nessus, The Nessus Security Scanner.
[2] A. Wool, "A quantitative study of firewall configuration errors," Computer, vol. 37, no. 6.
[3] S. Noel and S. Jajodia, "Understanding complex network attack graphs through clustered adjacency matrices," in ACSAC 05: Proceedings of the 21st Annual Computer Security Applications Conference, Tucson, AZ, 2005.
[4] W. Li, "An approach to graph-based modeling of network exploitations," Ph.D. dissertation, Mississippi State University.
[5] L. P. Swiler et al., "Computer-attack graph generation tool," in Proceedings DARPA Information Survivability Conference and Exposition (DISCEX II), Los Alamitos, CA, 2001.
[6] T. Tidwell et al., "Modeling internet attacks," in Proceedings of the Second Annual IEEE SMC Information Assurance Workshop, West Point, NY, 2001.
[7] O. Sheyner et al., "Automated generation and analysis of attack graphs," in Proceedings of the 2002 IEEE Symposium on Security and Privacy, Oakland, CA, 2002.
[8] M. Artz, "NETspa, a network security planning architecture," Master's thesis, Massachusetts Institute of Technology.
[9] R. Ortalo, Y. Deswarte, and M. Kaaniche, "Experimenting with quantitative evaluation tools for monitoring operational security," IEEE Trans. Software Eng., vol. 25, no. 5.
[10] R. P. Lippmann et al., "Evaluating and strengthening enterprise network security using attack graphs," MIT Lincoln Laboratory, Lexington, MA, Tech. Rep. ESC-TR, 2005.
[11] P. Mell, T. Grance, et al., NVD, The National Vulnerability Database, National Institute of Standards and Technology.
[12] P. Ammann, D. Wijesekera, and S. Kaushik, "Scalable, graph-based network vulnerability analysis," in Proceedings of the 9th ACM Conference on Computer and Communications Security. ACM Press, 2002.
[13] S. Jajodia, S. Noel, and B. O'Berry, "Topological analysis of network attack vulnerability," in Managing Cyber Threats: Issues, Approaches, and Challenges, A. L. V. Kumar, J. Srivastava, Ed. Kluwer Academic Publishers, 2003, ch. 5.
[14] S. Templeton and K. Levitt, "A requires/provides model for computer attacks," in Proceedings of the 2000 Workshop on New Security Paradigms. New York, NY: ACM Press.
[15] F. Cuppens and R. Ortalo, "LAMBDA: A language to model a database for detection of attacks," in Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection, 2000.
[16] S. Cheung, U. Lindqvist, et al., "Modeling multistep cyber attacks for scenario recognition," in Proceedings of the Third DARPA Information Survivability Conference and Exposition (DISCEX III), 2003.
[17] CVE, Common Vulnerabilities and Exposures Dictionary, The MITRE Corporation.
[18] The SecurityFocus Vulnerability Database, SecurityFocus Symantec Corporation.
[19] R. P. Lippmann, L. Kukolich, and E. Singer, "LNKnet: Neural network, machine learning, and statistical software for pattern classification," Lincoln Laboratory Journal, vol. 6, no. 2.
[20] R. P. Lippmann and K. W. Ingols, "An annotated review of past papers on attack graphs," MIT Lincoln Laboratory, Lexington, MA, Tech. Rep. ESC-TR, 2005.
[21] X. Ou, S. Govindavajhala, and A. W. Appel, "MulVAL: A logic-based network security analyzer," in Proceedings of the 14th USENIX Security Symposium.
[22] Skybox Security, Inc.
[23] G. Cohen et al., "System and method for risk detection and analysis in a computer network," United States Patent 6,952,779, October.

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

The Trivial Cisco IP Phones Compromise

The Trivial Cisco IP Phones Compromise Security analysis of the implications of deploying Cisco Systems SIP-based IP Phones model 7960 Ofir Arkin Founder The Sys-Security Group ofir@sys-security.com http://www.sys-security.com September 2002

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

UNCLASSIFIED Version 1.0 May 2012

UNCLASSIFIED Version 1.0 May 2012 Secure By Default: Platforms Computing platforms contain vulnerabilities that can be exploited for malicious purposes. Often exploitation does not require a high degree of expertise, as tools and advice

More information

Network and Host-based Vulnerability Assessment

Network and Host-based Vulnerability Assessment Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:

More information

Deploy Remote Desktop Gateway on the AWS Cloud

Deploy Remote Desktop Gateway on the AWS Cloud Deploy Remote Desktop Gateway on the AWS Cloud Mike Pfeiffer April 2014 Last updated: May 2015 (revisions) Table of Contents Abstract... 3 Before You Get Started... 3 Three Ways to Use this Guide... 4

More information

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle

More information

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

ITEC441- IS Security. Chapter 15 Performing a Penetration Test 1 ITEC441- IS Security Chapter 15 Performing a Penetration Test The PenTest A penetration test (pentest) simulates methods that intruders use to gain unauthorized access to an organization s network and

More information

Scaling 10Gb/s Clustering at Wire-Speed

Scaling 10Gb/s Clustering at Wire-Speed Scaling 10Gb/s Clustering at Wire-Speed InfiniBand offers cost-effective wire-speed scaling with deterministic performance Mellanox Technologies Inc. 2900 Stender Way, Santa Clara, CA 95054 Tel: 408-970-3400

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

PND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access

PND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access The World s Premier Online Practical Network Defense course PND at a glance: Self-paced, online, flexible access 1500+ interactive slides (PDF, HTML5 and Flash) 7+ hours of video material 10 virtual labs

More information

Extreme Networks Security Analytics G2 Risk Manager

Extreme Networks Security Analytics G2 Risk Manager DATA SHEET Extreme Networks Security Analytics G2 Risk Manager Proactively manage vulnerabilities and network device configuration to reduce risk, improve compliance HIGHLIGHTS Visualize current and potential

More information

A Model Design of Network Security for Private and Public Data Transmission

A Model Design of Network Security for Private and Public Data Transmission 2011, TextRoad Publication ISSN 2090-424X Journal of Basic and Applied Scientific Research www.textroad.com A Model Design of Network Security for Private and Public Data Transmission Farhan Pervez, Ali

More information

Cyberspace Forensics Readiness and Security Awareness Model

Cyberspace Forensics Readiness and Security Awareness Model Cyberspace Forensics Readiness and Security Awareness Model Aadil Al-Mahrouqi Sameh Abdalla Tahar Kechadi Abstract The goal of reaching a high level of security in wire- less and wired communication networks

More information

IBM Security QRadar Risk Manager

IBM Security QRadar Risk Manager IBM Security QRadar Risk Manager Proactively manage vulnerabilities and network device configuration to reduce risk, improve compliance Highlights Visualize current and potential network traffic patterns

More information

VEA-bility Analysis of Network Diversification

VEA-bility Analysis of Network Diversification VEA-bility Analysis of Network Diversification Melanie Tupper Supervised by Nur Zincir-Heywood Faculty of Computer Science, Dalhousie University tupper@cs.dal.ca zincir@cs.dal.ca August 31, 2007 Abstract:

More information

Patch and Vulnerability Management Program

Patch and Vulnerability Management Program Patch and Vulnerability Management Program What is it? A security practice designed to proactively prevent the exploitation of IT vulnerabilities within an organization To reduce the time and money spent

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report 2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report 28 September 2012 Submitted to: Donald Lafleur IS Audit Manager ND State Auditor

More information

Cisco Change Management: Best Practices White Paper

Cisco Change Management: Best Practices White Paper Table of Contents Change Management: Best Practices White Paper...1 Introduction...1 Critical Steps for Creating a Change Management Process...1 Planning for Change...1 Managing Change...1 High Level Process

More information

Efficiently Managing Firewall Conflicting Policies

Efficiently Managing Firewall Conflicting Policies Efficiently Managing Firewall Conflicting Policies 1 K.Raghavendra swamy, 2 B.Prashant 1 Final M Tech Student, 2 Associate professor, Dept of Computer Science and Engineering 12, Eluru College of Engineeering

More information

Supporting Document Mandatory Technical Document. Evaluation Activities for Stateful Traffic Filter Firewalls cpp. February-2015. Version 1.

Supporting Document Mandatory Technical Document. Evaluation Activities for Stateful Traffic Filter Firewalls cpp. February-2015. Version 1. Supporting Document Mandatory Technical Document Evaluation Activities for Stateful Traffic Filter Firewalls cpp February-2015 Version 1.0 CCDB-2015-01-002 Foreword This is a supporting document, intended

More information

Detection. Perspective. Network Anomaly. Bhattacharyya. Jugal. A Machine Learning »C) Dhruba Kumar. Kumar KaKta. CRC Press J Taylor & Francis Croup

Detection. Perspective. Network Anomaly. Bhattacharyya. Jugal. A Machine Learning »C) Dhruba Kumar. Kumar KaKta. CRC Press J Taylor & Francis Croup Network Anomaly Detection A Machine Learning Perspective Dhruba Kumar Bhattacharyya Jugal Kumar KaKta»C) CRC Press J Taylor & Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor

More information

Vulnerability Assessment Report Format Data Model

Vulnerability Assessment Report Format Data Model I3E'2005 Vulnerability Assessment Report Format Data Model Dr.D.Polemi G.Valvis Issues Attack paradigm Vulnerability exploit life cycle Vulnerability assessment process Challenges in vulnerability assessment

More information

Software Vulnerability Assessment

Software Vulnerability Assessment Software Vulnerability Assessment Setup Guide Contents: About Software Vulnerability Assessment Setting Up and Running a Vulnerability Scan Manage Ongoing Vulnerability Scans Perform Regularly Scheduled

More information

Office of Inspector General

Office of Inspector General Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit

More information

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA 98104 www.watchguard.com

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA 98104 www.watchguard.com SMALL BUSINESS NETWORK SECURITY GUIDE WHY A REAL FIREWALL PROVIDES THE BEST NETWORK PROTECTION AUGUST 2004 SMALL BUSINESS NETWORK SECURITY GUIDE: WHY A REAL FIREWALL PROVIDES THE BEST NETWORK PROTECTION

More information

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2 Report No. 13-35 September 27, 2013 Appalachian Regional Commission Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta.

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta. Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks

More information

Getting Started with the iscan Online Data Breach Risk Intelligence Platform

Getting Started with the iscan Online Data Breach Risk Intelligence Platform Getting Started with the iscan Online Data Breach Risk Intelligence Platform 2 Table of Contents Overview... 3 Data Breach Risk Intelligence... 3 Data Breach Prevention Lifecycle Defined... 3 Choosing

More information