Guide to Network Security 1st Edition - Dr. Ronny L. Bull


Guide to Network Security, 1st Edition
Chapter Nine: Network Vulnerability Assessment

Objectives
- Name the common categories of vulnerabilities
- Discuss common system and network vulnerabilities
- Find network vulnerabilities using scanning tools and in-depth penetration testing
- Access sources of information about vulnerabilities and determine how best to remediate those vulnerabilities

2013 Course Technology/Cengage Learning. All Rights Reserved

Introduction
- To maintain secure networks:
  - Must identify network vulnerabilities
  - Self-assessment methods
  - Scanning and penetration tools
- Network security vulnerability definition:
  - Defect in a device, configuration, or implementation
  - May lead to loss of revenue, information, or value

Common Vulnerabilities
- Major categories of network vulnerabilities:
  - Software or firmware defects
  - Configuration or implementation errors
  - Process or procedure weaknesses

Defects in Software or Firmware
- Buffer overruns
  - Programmer does not ensure the quantity of input data fits the size of the available data buffer
- Format string problems
  - User input passed to a formatting function without validation
- Integer overflows
  - Programmer does not restrict data to data type size boundaries

Defects in Software or Firmware (contd.)
- C++ catastrophes
  - Vulnerability specific to C++ and other object-oriented languages
  - Attacker can modify contents of a class
  - Takes advantage of uninitialized function pointers
  - Attacker can take control of program execution
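Added example, not from the textbook: the buffer overrun, format string, and integer overflow defects listed above, shown as one flawed length check beside its hardened form. The record layout (64-byte buffer, 16-byte trailer) and the function names are constructed for illustration; unsafe_length_ok only reports the flawed decision and never writes memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout (not from the textbook): a fixed buffer that
 * must hold a caller-declared payload plus a 16-byte trailer. */
#define BUF_SIZE 64
#define TRAILER_LEN 16

/* Flawed check (integer overflow defect): declared_len + TRAILER_LEN is
 * computed in 32-bit arithmetic, so a declared_len near UINT32_MAX wraps
 * to a tiny value and passes.  A memcpy guarded by this test would then
 * run far past a BUF_SIZE buffer (buffer overrun defect).  This helper
 * only reports the decision and never copies anything. */
int unsafe_length_ok(uint32_t declared_len)
{
    uint32_t needed = declared_len + TRAILER_LEN;   /* may wrap */
    return needed <= BUF_SIZE;
}

/* Hardened check: compare before adding, so no arithmetic can wrap. */
int safe_length_ok(uint32_t declared_len)
{
    return declared_len <= BUF_SIZE - TRAILER_LEN;
}

/* Hardened copy: rejects bad lengths against the real buffer size, then
 * copies and zeroes the trailer.  Returns bytes placed, or -1 on rejection. */
int safe_copy(char *buf, size_t buf_size, const char *data, uint32_t declared_len)
{
    if (buf_size < TRAILER_LEN || declared_len > buf_size - TRAILER_LEN)
        return -1;
    memcpy(buf, data, declared_len);
    memset(buf + declared_len, 0, TRAILER_LEN);
    return (int)declared_len;
}

/* Format string defect from the same slide: user-controlled text is passed
 * as an argument to a fixed format, never used as the format itself. */
int log_line(char *out, size_t out_size, const char *user_text)
{
    return snprintf(out, out_size, "input: %s", user_text);
}

int main(void)
{
    char buf[BUF_SIZE];
    uint32_t wrapped = UINT32_MAX - 5;   /* 0xFFFFFFFA: adding 16 wraps to 10 */
    printf("flawed check accepts %u: %d\n", wrapped, unsafe_length_ok(wrapped));
    printf("hardened check accepts %u: %d\n", wrapped, safe_length_ok(wrapped));
    printf("copied %d bytes\n", safe_copy(buf, sizeof buf, "hello", 5));
    return 0;
}
```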

Defects in Software or Firmware (contd.)
- Catching exceptions
  - Incorrect error handling
  - Attacker intercepts the error-handling call to run malicious code
- Command injection
  - Program does not properly validate user input
  - Input passed to a database
- Failure to handle errors correctly
  - Failing to catch an error and recover the program
  - Leads to denial of service or program crash
  - Opportunity to exploit the program execution flow
- Information leakage
  - Release of sensitive data outside the intended organization

Defects in Software or Firmware (contd.)
- Race conditions
  - Two threads, processes, or applications are able to modify a resource
  - Programmer has not taken precautions to ensure the desired order of events
- Poor usability
  - User finds the application difficult to work with
  - Finds a way to bypass security features
- Not updating easily
  - If the update method is difficult to use, it won't be used
- Executing code with too much privilege
  - Many applications require administrative privileges to install or run
  - Application failure can be exploited by an attacker
- Failure to protect stored data
  - Protect data during transit and while at rest

Defects in Software or Firmware (contd.)
- Weaknesses introduced with mobile code
  - ActiveX control, Flash application, Java applet
  - Attackers can exploit program vulnerabilities
- Use of weak password-based systems
  - Best practices: strong passwords using encryption; enforcing periodic password changes
- Weak random numbers
  - Libraries that provide pseudo-random numbers are often inadequate
  - Use seed values and cryptographic libraries
- Using cryptography incorrectly
  - Developers may incorrectly implement a cryptographic function
  - Fail to follow the proper steps to encrypt data properly
- Failing to protect network traffic
  - Vulnerable to eavesdropping
  - Wired networks are as vulnerable as wireless
- Improper use of PKI, especially SSL
  - Application developer must implement it correctly
- Trusting network name resolution
  - DNS information can be manipulated by attackers
  - Application should verify the true communication destination during execution

Errors in Configuration or Implementation
- Apache HTTP Server example
  - MaxClients configuration directive specifies the number of concurrent requests that can be processed
  - Default value is 256
  - Must have the memory capacity to process those requests
  - System administrator must set the MaxClients value to match the hardware, or a denial of service situation will result

Weaknesses in Processes and Procedures
- Soft vulnerabilities that result from human error
- More difficult to detect and fix
- Examples of process or procedure vulnerabilities
  - Policy is violated
  - Processes that implement policy are inadequate or fail
- Solutions
  - Awareness and training sessions for employees
  - Regular review of policies and implementation

Finding Vulnerabilities on the Network
- Topics discussed in this section
  - Various automated tools available
  - Wide variety of network reconnaissance and vulnerability mapping capabilities
  - Manual process of penetration testing

Scanning and Analysis Tools
- Used to collect information an attacker would need to launch a successful attack
- Attack methodology
  - Series of steps or processes used by an attacker
- Security analysis tools
  - Simple to complex
  - Some are developed by the security research community
  - Available free on the Web

Figure 9-1 Standard attack methodology (Cengage Learning 2013)

Scanning and Analysis Tools (contd.)
- Reconnaissance
  - Exploring the Internet presence of a target
  - Also called footprinting
- Target IP addresses
  - Identify the Web site's assigned address range
  - Easily done using the nslookup command
  - Can also collect the name, phone number, and e-mail address of the technical contact
- Target Web site
  - Collect information that can be used in social engineering attacks
  - View Source command can be used to see the code behind the page
- Business research
  - Source of attack intelligence: business-oriented Web sites
- Google hacking
  - Attacker can discover additional Internet locations not commonly associated with the company

Scanning and Analysis Tools (contd.)
- Fingerprinting
  - Attacker communicates with systems on the target network
  - Reveals information about the internal structure and operational nature of the target network
- Sam Spade
  - Enhanced Web scanner
  - Scans an entire Web site for valuable information
- Wget
  - Tool that allows a remote individual to mirror entire Web sites
  - Used on UNIX or Linux systems
  - Used to collect all the source code
- Port scanners
  - Used to identify computers active on the network
  - Most popular is Nmap
  - Runs on UNIX and Windows systems

Table 9-1 Commonly used port numbers (Cengage Learning 2013)

Scanning and Analysis Tools (contd.)
- Firewall analysis tools
  - Used to discover firewall rules
  - Nmap option called Idle scanning can be used
  - Firewalk: tool that reveals where routers and firewalls are filtering traffic to the target host
  - hping: modified ping client; supports multiple protocols and many parameters
- Operating system detection tools
  - Used to determine a remote computer's operating system
  - XProbe2: sends ICMP queries against the target host
  - Nmap: includes a version detection engine
- Wireless security tools: recommended capabilities
  - Sniff wireless traffic
  - Scan wireless hosts
  - Assess the network's privacy or confidentiality level
- Wireless security tools: examples
  - NetStumbler, AirSnare, Vistumbler, Aircrack-ng
- Vulnerability scanner types
  - Active
    - Produces network traffic to actively probe systems
    - Product examples: GFI LanGuard and Nessus

Figure 9-4 Wireless scanning with NetStumbler (Cengage Learning 2013)
Table 9-2 Top 10 vulnerability scanner products (Cengage Learning 2013)
Figure 9-6 Vulnerability scanning with LanGuard (Cengage Learning 2013)
Figure 9-7 Vulnerability scanning with Nessus (Cengage Learning 2013)

Scanning and Analysis Tools (contd.)
- Vulnerability scanner types (contd.)
  - Passive
    - Listens to network traffic
    - Identifies vulnerable versions of server and client software
    - Product examples: Passive Vulnerability Scanner by Tenable Network Security and RNA by Sourcefire
  - Fuzzers
    - Produce a variety of user inputs
    - Monitor programs for unexpected crashes
    - See Table 9-3 for fuzzing tool product examples
- Penetration
  - Once the necessary intelligence is gained, the attacker can begin penetrating the network
  - Automated tools are used to exploit system vulnerabilities

Table 9-3 Fuzzing tools (Cengage Learning 2013)

Scanning and Analysis Tools (contd.)
- Penetration (contd.)
  - Examples of testing tools
    - Core Impact
    - Immunity's CANVAS
    - Metasploit Framework
  - See Figure 9-10 for a screenshot of the Metasploit Framework

Figure 9-10 Vulnerability exploitation with the Metasploit Framework (Cengage Learning 2013)

Scanning and Analysis Tools (contd.)
- Exploitation
  - Tools and techniques for breaking into more systems
  - Gaining further network access or gaining access to more resources
- Netcat
  - Utility to assist with file transfer
  - Can be used as a remote shell utility
  - Allows control of a remote system
  - Can act as a port scanner
- Packet sniffer
  - Network tool that collects copies of packets
  - Legal requirements for using a packet sniffer:
    - Must be connected to a network the organization owns
    - Must be directly authorized by the network owners
    - Must have the knowledge and consent of the content creators
- Wireshark
  - Free, client-based network protocol analyzer

Table 9-4 Top 10 packet sniffers (Cengage Learning 2013)

Scanning and Analysis Tools (contd.)
- Return
  - Attacker's action to ensure the ability to return to the target unobstructed
  - Examples: installing backdoors, installing bots, or creating user accounts

Penetration Testing
- Specialized service to assess security posture
- Many organizations use it regularly
- Uses all techniques and tools available to an attacker
- Attempts to penetrate the organization's defenses
- Scope
  - May be limited
  - Depends on the goal of the test: identifying a vulnerability or carrying out an exploit

Penetration Testing (contd.)
- Can be conducted by internal teams or outsourced
- Categories of testing
  - Black box: team is given no information
  - Gray box: team is given some general information
  - White box: team is given full information about the organization's network structure and defenses

Recommended Vulnerability Assessment Methodology
- Stages in evaluating and validating vulnerabilities
  - Stage 1: identify technical weaknesses while minimizing organizational impact
    - Review documentation
    - Review rule sets and security configurations
    - Perform wireless scanning
    - Identify active hosts and known vulnerabilities
  - Stage 2: validate technical weaknesses
    - Review rule sets and security configurations
    - Identify active hosts and known vulnerabilities
    - Perform a penetration test using social engineering
  - Stage 3: identify and validate technical weaknesses from the attacker's viewpoint
    - Conduct an external penetration test
    - Review audit logs

Addressing Vulnerabilities
- Options for addressing a vulnerability
  - Fix it
  - Mitigate it
  - Ignore it
  - Remove the system, service, or process

Vulnerability Disclosure
- Approaches to handling the disclosure of vulnerabilities
  - Full disclosure
  - Delayed disclosure
    - Disclose only after a fix is available
  - Responsible disclosure
    - Report the vulnerability to the vendor first
    - Allow the vendor time to fix it

Vulnerability Disclosure (contd.)
- Public disclosure lists
  - Vendor announcements
  - Full-disclosure mailing lists
  - The Common Vulnerabilities and Exposures database (CVE List)
    - Maintained by the Mitre Corporation
  - The National Vulnerability Database (NVD)
    - Sponsored by the Department of Homeland Security
  - Internet Storm Center
    - Mission: provide network threat detection and analysis
  - Forum of Incident Response and Security Teams (FIRST)
    - Organization that facilitates information sharing on the latest cyber threats and attacks
  - United States Computer Emergency Response Team (US-CERT)
    - Centralized collection and reporting facility
    - Tracks and disseminates information about current computer security threats
  - Information Sharing and Analysis Center (IT-ISAC)
    - Specialized forum for managing risks to IT infrastructure
    - Group is made up of members in the IT sector

Vulnerability Risk Assessment
- Organization must assess the risk posed by each vulnerability
- Remediation efforts should be proportional to the assessed risk
- Vendors may assign priorities to fixes
  - Problem: inconsistent terminology between vendors
- Common Vulnerability Scoring System (CVSS)
  - Standardized method for rating IT vulnerabilities
  - Consists of three metric groups: base, temporal, environmental

Figure 9-20 CVSS metric groups and how they interact (Cengage Learning 2013)

Vulnerability Risk Assessment (contd.)
- Other factors
  - Exposure
  - Criticality of the affected assets
  - Compensating factors
  - Downtime requirements

Summary
- Information security professionals must systematically identify system vulnerabilities
  - Methods: scanning and penetration testing
- Categories of network vulnerabilities
  - Software or firmware defects
  - Configuration or implementation errors
  - Process or procedure weaknesses
- Various sources are available for tracking current threats
  - Vendor announcements, full-disclosure mailing lists, and CVE

Summary (contd.)
- Tools to assess network vulnerabilities
  - Intrusion detection/prevention systems
  - Active and passive vulnerability scanners
  - Automated log analyzers
  - Protocol analyzers (sniffers)
- Penetration testing assesses an organization's security posture on a regular basis
