Vulnerability Assessment



Similar documents
SANS Top 20 Critical Controls for Effective Cyber Defense

An Introduction to Network Vulnerability Testing

NETWORK PENETRATION TESTING

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Cisco Security Optimization Service

About Effective Penetration Testing Methodology

Information Security Organizations trends are becoming increasingly reliant upon information technology in

Penetration Testing - a way for improving our cyber security

AUTOMATED PENETRATION TESTING PRODUCTS

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

EC-Council Certified Security Analyst (ECSA)

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Hackers are here. Where are you?

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

Vulnerability management lifecycle: defining vulnerability management

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

WHITE PAPER. An Introduction to Network- Vulnerability Testing

Hobbled Penetration Testing: The Disconnect Between Testing and Real Attacks

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

Goals. Understanding security testing

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:

Worldwide Security and Vulnerability Management Forecast and 2008 Vendor Shares

Continuous Network Monitoring

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007

The Importance of Vulnerability Assessment For Your Organisation

Digital Pathways. Penetration Testing

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Student Tech Security Training. ITS Security Office

Vulnerability Scanning & Management

AUTOMATED PENETRATION TESTING PRODUCTS

Network and Host-based Vulnerability Assessment

Critical Controls for Cyber Security.

FIVE PRACTICAL STEPS

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

GFI White Paper PCI-DSS compliance and GFI Software products

2 Copyright 2015 M. E. Kabay. All rights reserved. 4 Copyright 2015 M. E. Kabay. All rights reserved.

The SIEM Evaluator s Guide

locuz.com Professional Services Security Audit Services

BackTrack 5 tutorial Part I: Information gathering and VA tools

Cisco Advanced Services for Network Security

Security Management. Keeping the IT Security Administrator Busy

Hackers are here. Where are you?

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Hosts HARDENING WINDOWS NETWORKS TRAINING

Managing IT Security with Penetration Testing

Critical Security Controls

McAfee Database Security. Dan Sarel, VP Database Security Products

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

AN OVERVIEW OF VULNERABILITY SCANNERS

What is Penetration Testing?

Vulnerability Assessment and Penetration Testing. CC Faculty ALTTC, Ghaziabad

Vulnerability Management

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Penetration Testing Getting the Most out of Your Assessment. Chris Wilkinson Crowe Horwath LLP September 22, 2010

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing An Update

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

Web App Security Audit Services

IBM QRadar Security Intelligence April 2013

Patch management with WinReporter and RemoteExec

Special Issues for Penetration testing of Firewall

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

Demystifying Penetration Testing for the Enterprise. Presented by Pravesh Gaonjur

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Information Technology Security Review April 16, 2012

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

QRadar SIEM and FireEye MPS Integration

WHITEPAPER. Nessus Exploit Integration

How to effectively respond to an information security incident

Information Security Services

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Penetration Testing. Presented by

5 Tools For Passing a

Best Practices for PCI DSS V3.0 Network Security Compliance

IBM Managed Security Services Vulnerability Scanning:

AN ORTHUS RESEARCH WHITE PAPER. Published July Orthus Limited

Security Maintenance Practices. IT 4823 Information Security Administration. Patches, Fixes, and Revisions. Hardening Operating Systems

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Marble & MobileIron Mobile App Risk Mitigation

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Analyze. Secure. Defend. Do you hold ECSA credential?

White Hats and Ethical Hacking: What You ve Been Doing Wrong. FocusOn CyberSecurity 30 March 2016

TIME TO LIVE ON THE NETWORK

Client logo placeholder XXX REPORT. Page 1 of 37

Defending Against Data Beaches: Internal Controls for Cybersecurity

Presented By: Bryan Miller CCIE, CISSP

!!!!!!!!!!!!!!!!!!!!!!

PCI DSS Reporting WHITEPAPER

FREQUENTLY ASKED QUESTIONS

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

SAST, DAST and Vulnerability Assessments, = 4

NERC CIP VERSION 5 COMPLIANCE

Transcription:

Vulnerability Assessment CSH5 Chapter 46 Vulnerability Assessment Rebecca Gurley Bace Topics in CSH5 Chapter 46 Scorekeeper of Security Taxonomy of VA Technologies Penetration Testing 1 Copyright 2014 M. E. Kabay. All rights reserved. 2 Copyright 2014 M. E. Kabay. All rights reserved. Scorekeeper of Security Introduction to Vulnerability What is Vulnerability? What is Vulnerability Assessment (VA)? Where does VA Fit into Security? History of VA Introduction to Vulnerability Information security tightly integrated into risk Vulnerability critical component of risk Significant evolution from 1960s through 2000s 3 Copyright 2014 M. E. Kabay. All rights reserved. 4 Copyright 2014 M. E. Kabay. All rights reserved. What is Vulnerability? Assessing deployed IT systems Determine security status Determine corrective measures Manage application of corrections Vulnerability assessment (VA): critical element in vulnerability Synergy between VA & other elements of security Four key functions (see next slide) Four Key Functions of Vulnerability Inventory Identify all systems in domain of interest Operating systems, platforms, topology Focus Determine data required for assessment Tune vulnerability assessment tools Assess Run automated & manual trests Evaluate (assess) results to judge risk Use security policy + best practices Respond Execute changes as required by assessment Fix specific weaknesses 5 Copyright 2014 M. E. Kabay. All rights reserved. 6 Copyright 2014 M. E. Kabay. All rights reserved.

What is Vulnerability Assessment (VA)? Analysis of security state of system Gather data sample (e.g., parameters on selected firewalls) Store data for future reference Compare with reference standards Identify discrepancies between current state & recommended standards or goals Examples of tools MS Baseline Security Analyzer For Windows 2000/XP & NT4 See http://www.techspot.com/tweaks/mbsa/index.shtml Server VAM http://www2.stillsecure.com/products/svam/svam1.html Sample Screen Shots from Baseline Security Analyzer 7 Copyright 2014 M. E. Kabay. All rights reserved. 8 Copyright 2014 M. E. Kabay. All rights reserved. FAB (Features and Benefits) of a VAS (Server VAM) Where does VA Fit into Security? (1) When systems 1 st deployed, can establish baseline security state When security breaches suspected, can focus on likely attack paths May be able to see if vulnerabilities have been exploited VA can identify areas where newly reported vulnerabilities should be patched Records of VA scans can be archived Serve for audits Compliance with certifications http://www2.stillsecure.com/products/svam/svam1.html 10 Copyright 2014 M. E. Kabay. All rights reserved. 9 Copyright 2014 M. E. Kabay. All rights reserved. Where does VA Fit into Security? (2) Brief History of VA (1) Support auditability Independent review of system records Determine adequacy of controls Ensure compliance with policy & procedures Detect breaches of security Recommend changes or guide recommendations Auditability in turn supports Incident handling & recovery Adjustment of security policies to meet needs Manual security audits established in 1950s Auditability defined 1970s for USAF study Eugene Spafford and Dan Farmer (Purdue) COPS VAS for UNIX Late 1980s Internet Security Scanner (ISS) early 1990s http://www.cert.org/advisories/ca-1993-14.html Dan Weitse Spaf 11 Copyright 2014 M. E. Kabay. All rights reserved. Some Famous Security Experts 12 Copyright 2014 M. E. Kabay. All rights reserved.

Brief History of VA (2) SATAN (Security Administrator Tool for Analyzing Networks) Farmer & Wietse Venema Posted 1995 http://www.porcupine.org/satan/ http://www.cerias.purdue.edu/about/history/coast/satan.php NESSUS http://www.tenable.com/products/nessus Free for individual use http://www.tenable.com/products/nessus/nessus-homefeed NMAP NetMAPper http://nmap.org/ Taxonomy of VA Technologies VA Strategy & Techniques Network Scanning Vulnerability Scanning Assessment Strategies Strengths & Weaknesses of VAS Roles for VA in System Security See Alphabetical List of Vulnerability Assessment Products http://www.timberlinetechnologies.com/products/vulnerability.html 14 Copyright 2014 M. E. Kabay. All rights reserved. 13 Copyright 2014 M. E. Kabay. All rights reserved. VA Strategy & Techniques Network scanning Vulnerability scanning Password cracking Log review Integrity checking Virus detection War dialing War driving Penetration testing Network Scanning Port scanner ICMP feature Identify hosts in network address range E.g., GRC ShieldsUP! (see next slide)* Identify visible & open ports Can spot undocumented equipment on network * https://www.grc.com/x/ne.dll?bh0bkyd2 15 Copyright 2014 M. E. Kabay. All rights reserved. 16 Copyright 2014 M. E. Kabay. All rights reserved. GRC ShieldsUP! Port Scanner Explanations of each visible (blue) port available Risky because can be seen by attackers Open ports shown in red Dangerous May be exploited Vulnerability Scanning (1) Heart of VA systems Beyond port scanning Analyze data to recognize known vulnerabilities May also attempt to correct problems Identifies deeper details Software versions Applications Configurations Current DB of known vulnerabilities especially valuable 17 Copyright 2014 M. E. Kabay. All rights reserved. 18 Copyright 2014 M. E. Kabay. All rights reserved.

Vulnerability Scanning (2) Typically slower than simpler port scanners Some scanning / testing may disrupt operations; e.g., DDoS testing False positive rates May be high Require more human judgement Vulnerability DB must be updated frequently Assessment Strategies Credentialed monitoring System data sources File contents System configuration Status information Nonintrusive Host-based Noncredentialed monitors Simulate system attacks Record responses Active approaches superior for networkrelated vulnerability assessment 19 Copyright 2014 M. E. Kabay. All rights reserved. 20 Copyright 2014 M. E. Kabay. All rights reserved. Strengths & Weaknesses of VAS (1) Strengths & Weaknesses of VAS (2) Benefits Save time & resources Training novices Updated for new info Address specific problems Benchmark security of systems to document progress toward goals Systematic & consistent Serve as quality assurance measures Routinely applied after making changes Weaknesses Not sufficient to secure system May diagnose, not fix If not up to date, may mislead users May reduce performance of operational / production network or system May be abused for malicious purposes 21 Copyright 2014 M. E. Kabay. All rights reserved. 22 Copyright 2014 M. E. Kabay. All rights reserved. Roles of VA in Security When new programs are installed After significant changes During or after security incidents Penetration Testing Introduction to Pen Testing Penetration Test Goals Attributes of Pen Testing Social Engineering Managing Pen Testing 23 Copyright 2014 M. E. Kabay. All rights reserved. 24 Copyright 2014 M. E. Kabay. All rights reserved.

Introduction to Pen Testing Penetration Test Goals VAS offer partial evaluation of vulnerabilities Actually testing for vulnerabilities by penetrating barriers is useful adjunct Penetration testing aka pen testing Pen testers aka Red Team from US Government parlance in capture/defend computer games Pen tests must be carefully planned & executed ALWAYS and ONLY with full authorization! Model real-world attacks closely Break out of policy bounds Out-of-the-box thinking Criminal-hacker techniques Test simultaneous security measures Identify potential access paths missed by VAS BUT Must not compromise production Should produce unambiguous results for 25 Copyright 2014 M. E. Kabay. All rights reserved. 26 Copyright 2014 M. E. Kabay. All rights reserved. Attributes of Pen Tests Testing models Zero knowledge Full knowledge Scope Physical Communications Systems Social engineering Sophistication Wide range of techniques Social Engineering Trickery & deceit applied to employees Often used by real criminals But may have serious legal, psychological, & morale implications Obtain legally binding authorization STRONGLY RECOMMEND that organization s staff be fully prepared to defend against social engineering attacks Otherwise will waste resources (too easy) Cause guilt, embarrassment, anger, and distress in tricked employees 27 Copyright 2014 M. E. Kabay. All rights reserved. 28 Copyright 2014 M. E. Kabay. All rights reserved. Managing Pen Testing Document & approve scenarios in advance Minimize damage to production / operations Do not cause distress Do not target / humiliate employees who have been involved in security failures! Don t strive to win at all costs: To leave a tested organization in worse condition than the test team found it is a hollow victory for all involved. 29 Copyright 2014 M. E. Kabay. All rights reserved. Review Questions 1. Distinguish between an IDS and a VAS. 2. If you wanted to check a system to see if it were protected against known attacks, would you use an IDS or would you use a VAS? 3. How do VAS support security audits? 4. In which decade were the first automated VAS developed? 5. Explain why the data store and analytical engine of an IDS should be situated off the system being monitored. 6. Compare and contrast credentialed vs. noncredentialed VAS monitoring. 7. Why should pen testers be careful in their use of social engineering? 30 Copyright 2014 M. E. Kabay. All rights reserved.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information