CIST 1601 Information Security Fundamentals


CIST 1601 Information Security Fundamentals
Chapter 11 Security and Vulnerability in the Network
Collected and Compiled
By JD Willard
MCSE, MCSA, Network+,
Microsoft IT Academy Administrator
Computer Information Systems Technology
Albany Technical College
Network Security Threats – Penetration Testing
Vulnerability Scanning Overview (6:30)
Assessment Tools (6:56)
The CERT/CC is an organization that tracks and reports on computer and network
security threats. It is part of the Software Engineering Institute (SEI) at Carnegie Mellon University.
Penetration testing (aka ethical hacking or “pen test”) involves the use of tools to
simulate attacks on the network and on the computer systems.
Penetration testing enables you to detect the existing vulnerabilities of the
infrastructure, with prior approval and authorization from senior management.
Penetration testing starts with defining management objectives for the tests, and
includes configuration reviews, vulnerability assessments, and social engineering.
Penetration tests are limited to the identification of the vulnerabilities in the system and
the detection of the impact of the vulnerability to the security of an infrastructure. This
process enables an organization to take corrective action, such as patching up the
systems against vulnerabilities or bugs.
A penetration test team reports the findings to the senior management after completing
the documentation process. ISS, Ballista, and SATAN are some examples of penetration
testing or ethical hacking tools used to identify network and system vulnerabilities.
Network Security Threats – Penetration Testing
Penetration Testing (10:04)
Penetration testing involves footprinting, scanning, and enumerating.
Footprinting obtains the active blueprint of an organization’s infrastructure and security profile. It
includes using the WhoIs and NsLookup tools.
Scanning identifies active computers, ports, and services.
Enumerating involves compiling the information from the scanning phase and identifying target
systems.
The IP addresses of the computers are usually discovered during a penetration test. As
components of the network are discovered, the methods to be used against them are determined.
A penetration test is normally conducted from outside your network. A penetration test
includes the following steps:
1. Gather initial information.
2. Determine the network range.
3. Identify active devices.
4. Discover open ports and access points.
5. Identify the operating systems and their settings.
6. Discover which services are using the open ports.
7. Map the network.
Penetration tests may cause some disruption to network operations as a result of the
actual penetration efforts conducted. Penetration tests can also mask legitimate attacks
by generating false data in IDS/IPS systems.
Network Security Threats – Vulnerability Scanning
Vulnerability Scanning (6:30)
A vulnerability scanner is a software utility that will scan a range of IP
addresses, testing for the presence of known vulnerabilities in software
configuration and accessible services and offer suggestions on how to prevent
the issues. Unlike port scanners, which only test for the availability of services,
vulnerability scanners may check for the particular version or patch level of a
service to determine its level of vulnerability.
It’s better to run one on your own network before someone outside the
organization runs it against you. Two of the most well-known vulnerability
scanners are Nessus (http://www.nessus.org/nessus/) and the NMAP port
scanner (http://nmap.org/).
Regardless of the tool, there are five major tasks necessary in using them:
Passively Testing Security Controls – It looks only for the openings that are there
and reports them back to you.
Interpreting Results – Most vulnerability scanners interpret the results of their
findings and deliver a report that can be shared with management.
Identifying Vulnerability – Just knowing that a port is open means little unless
you can associate it with the vulnerability tied to it.
Identifying Lack of Security Controls – You want to know not just what is weak,
but what is missing altogether.
Identifying Common Misconfigurations – Improperly configured applications and
services can allow more users to access an application than should, cause the
application to crash, or introduce any number of other security concerns.
Network Security Threats – Ethical Hacking
Penetration testing, also known as ethical hacking, is the vulnerability assessment
procedure performed by security professionals after receiving management approval.
When security tools are used by security experts to identify system vulnerabilities for
ethical purposes, it is termed as penetration testing or ethical hacking. Ethical hackers
use tools to assess security flaws, but do not exploit the vulnerabilities they discover in
an organization’s network infrastructure. The primary objective of penetration testing or
ethical hacking is to assess the capability of the system to resist attacks and to reveal
system and network vulnerabilities. ISS, Ballista, and SATAN are some examples of
penetration testing or ethical hacking tools used to identify network and system
vulnerabilities.
The three most commonly recognized approaches taken in ethical hacking undertakings:
Black Box – In black box testing, the administrator acts as if they have no prior knowledge of the
network. They act as if they are an attacker from the outside with no familiarity with the system and
look for an opening. This is also known as blind testing. Only a bare minimum of administrators know
what is happening. This allows the other administrators to act normally while the attack is under way.
White Box – In white box testing, the ethical hacker begins from the premise of knowing
something about the network and systems in place, just like a malicious insider. They try to find a
weakness armed with information about the source code, the routing, and so on. This is also known
as full disclosure testing.
Gray Box – Also known as partial disclosure testing. The scenario usually being created is that of
an outsider working in conjunction with an insider who has given them some information.
Because an insider is involved, the big question is: what can an insider get to?
Assessment Types and Techniques
Assessment Techniques (6:35)
A baseline defines the minimum level of security and performance of a system
in an organization. A baseline is also used as a benchmark for future changes.
Any change made to the system should match the defined minimum security
baseline. A security baseline is defined through the adoption of standards in an
organization.
You should create a System Monitor chart based on a performance log. This will
ensure that performance baseline statistics are recorded for an extended period
of time. The first step to creating a performance baseline is to create a security
policy. Without the policy, the baseline has no guidelines to follow.
Metrics for security baselines and hardening efforts rely on identification of
vulnerability and risk. It is necessary to have some mechanism for measuring
vulnerability to determine whether a baseline has been met, or if a new security
measure has been effective.
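The baseline notes above say a baseline has to be measurable, and the vulnerability-scanning notes earlier distinguish a port scanner (which only reports what answers) from a vulnerability scanner (which checks the version or patch level behind the port). The following added example, which is not part of the course material, puts both ideas into one check: a constructed host inventory is compared against a constructed minimum baseline of allowed ports, minimum patched versions, and required controls, and every deviation is reported.

```python
"""Check a host's service inventory against a minimum security baseline.

Added example for the baseline and vulnerability-scanning notes; it is not
from the course material. The baseline, the inventory and the version numbers
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Service:
    port: int
    name: str
    version: Tuple[int, ...]   # e.g. (7, 4) for "7.4"


@dataclass
class Baseline:
    allowed_ports: Set[int]                   # ports that may be listening
    min_versions: Dict[str, Tuple[int, ...]]  # service name -> minimum patched version
    required_controls: Set[str]               # controls that must be present


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.57' into (2, 4, 57) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_host(services: List[Service], controls: Set[str], baseline: Baseline) -> List[tuple]:
    """Return every deviation from the baseline as a (kind, detail...) tuple.

    A port scanner would only report which ports answer; this check also applies
    the vulnerability-scanner idea of comparing the version behind each port with
    the minimum patch level the baseline demands.
    """
    findings = []
    for svc in services:
        if svc.port not in baseline.allowed_ports:
            findings.append(("unexpected_port", svc.port, svc.name))
        minimum = baseline.min_versions.get(svc.name)
        if minimum is not None and svc.version < minimum:
            findings.append(("outdated_version", svc.name, ".".join(map(str, svc.version))))
    # Missing controls are a gap in what is present, not a weakness in what is running.
    for control in sorted(baseline.required_controls - controls):
        findings.append(("missing_control", control))
    return findings


# Constructed baseline: only SSH and HTTPS may listen, at or above these versions.
BASELINE = Baseline(
    allowed_ports={22, 443},
    min_versions={"sshd": parse_version("8.0"), "httpd": parse_version("2.4.50")},
    required_controls={"host_firewall", "audit_logging"},
)

# Constructed inventory, as a scanner might report it for one host.
INVENTORY = [
    Service(22, "sshd", parse_version("7.4")),
    Service(443, "httpd", parse_version("2.4.57")),
    Service(23, "telnetd", parse_version("0.17")),
]
CONTROLS = {"host_firewall"}


def baseline_report(services=INVENTORY, controls=CONTROLS, baseline=BASELINE) -> List[tuple]:
    return check_host(services, controls, baseline)


if __name__ == "__main__":
    for finding in baseline_report():
        print(finding)
```

Versions are compared as integer tuples rather than strings, because "2.4.9" sorts after "2.4.57" as text but is the older release; that is exactly the kind of mistake that makes a version check report a patched host as vulnerable or the reverse.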
Secure Network Administration Principles
Rule-Based Management
Rule-based management, also known as label-based management, defines conditions for
access to objects. The access is granted to the object based on both the object’s
sensitivity label and the user’s sensitivity label. With all rules, an action must be defined.
That action is triggered when conditions are/aren’t met.
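As an added illustration of the paragraph above (not code from the course), here is a small rule-based evaluator: each rule is a condition over the user's and the object's sensitivity labels plus the action to take when the condition matches, and a request no rule covers is denied. The level names, rule names and the no-read-up / no-write-down conventions (borrowed from mandatory access control) are assumptions made for the example.

```python
"""Rule-based (label-based) access decisions with an action when conditions are not met.

Added example, not part of the course notes. The sensitivity levels, rule names
and the no-read-up / no-write-down conventions are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Sensitivity labels in ascending order (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Request:
    user: str
    clearance: str     # the user's sensitivity label
    obj: str
    sensitivity: str   # the object's sensitivity label
    operation: str     # "read" or "write"


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    action: str        # what happens when the condition matches: "permit" or "deny"


RULES: List[Rule] = [
    # Unknown labels are checked first so later rules can index LEVELS safely.
    Rule("deny-unknown-label",
         lambda r: r.clearance not in LEVELS or r.sensitivity not in LEVELS, "deny"),
    # A user may not read objects labelled above their clearance.
    Rule("no-read-up",
         lambda r: r.operation == "read" and LEVELS[r.clearance] < LEVELS[r.sensitivity], "deny"),
    # A user may not write into objects labelled below their clearance (no leaking downward).
    Rule("no-write-down",
         lambda r: r.operation == "write" and LEVELS[r.clearance] > LEVELS[r.sensitivity], "deny"),
    # Both labels are acceptable for the requested operation.
    Rule("labels-satisfied", lambda r: r.operation in ("read", "write"), "permit"),
]


def evaluate(request: Request, rules: List[Rule] = RULES,
             audit: Optional[list] = None) -> Tuple[str, str]:
    """First matching rule decides; anything no rule covers is denied by default."""
    for rule in rules:
        if rule.condition(request):
            decision = (rule.action, rule.name)
            break
    else:
        decision = ("deny", "default-deny")
    if audit is not None:
        # Every decision is recorded, so denials can be reviewed later.
        audit.append((request.user, request.operation, request.obj, *decision))
    return decision


if __name__ == "__main__":
    trail = []
    print(evaluate(Request("alice", "confidential", "payroll.xlsx", "internal", "read"), audit=trail))
    print(evaluate(Request("bob", "internal", "plan.docx", "secret", "read"), audit=trail))
    print(trail)
```

The ordering of the list matters: the unknown-label rule runs first so that a typo in a label is denied rather than raising an error, and the final default-deny covers operations nobody wrote a rule for.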
Port Security
Port security works at Layer 2 of the OSI model and allows an administrator to configure
switch ports so that only certain MAC addresses can use the port. Three areas of port
security to be familiar with are:
MAC Limiting and Filtering – Limit access to the network to MAC addresses that are known, and
filter out those that are not. MAC filtering is not foolproof, and a quick look in a search engine will
turn up tools that can be used to change the MAC address and help miscreants circumvent this
control.
802.1X – Discussed in the next section.
Disable Unused Ports – All ports not in use should be disabled.
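The following added example (not from the course notes) models the three port-security points above on a single access port: a maximum number of secure MAC addresses, pre-authorised (filtered) addresses, and an administratively disabled unused port. The protect / restrict / shutdown violation modes follow the semantics commonly found on managed switches, simplified; the port names and MAC addresses are constructed.

```python
"""Model of switch port security: MAC limiting, violation handling, disabled ports.

Added example, not from the course notes. The behaviour follows the common
switch semantics of a secure-MAC maximum with protect/restrict/shutdown
violation modes, simplified; port names and MAC addresses are constructed.
"""
from typing import List, Set


class SecurePort:
    def __init__(self, name: str, maximum: int = 1, violation: str = "shutdown"):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {violation!r}")
        self.name = name
        self.maximum = maximum            # how many secure MACs the port may learn
        self.violation = violation        # what happens when an unknown MAC exceeds that
        self.secure_macs: Set[str] = set()
        self.admin_down = False           # administratively disabled (unused port)
        self.err_disabled = False         # shut down by a violation
        self.violation_count = 0
        self.log: List[str] = []

    def disable(self) -> None:
        """Unused ports are disabled so nothing plugged into them gets link."""
        self.admin_down = True

    def add_static_mac(self, mac: str) -> None:
        """Pre-authorise a known MAC (MAC filtering) instead of learning it."""
        self.secure_macs.add(mac.lower())

    def ingress(self, mac: str) -> str:
        """Decide what happens to a frame from `mac`; returns a short verdict string."""
        mac = mac.lower()
        if self.admin_down:
            return "dropped:admin-down"
        if self.err_disabled:
            return "dropped:err-disabled"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)     # learn it as a secure MAC (sticky-style)
            return "forwarded:learned"
        # Security violation: an unknown MAC once the limit is reached.
        if self.violation == "protect":
            return "dropped:protect"      # silently dropped, nothing counted
        self.violation_count += 1
        self.log.append(f"{self.name}: violation by {mac}")
        if self.violation == "restrict":
            return "dropped:restrict"     # dropped and logged, port stays up
        self.err_disabled = True          # "shutdown": port goes error-disabled
        return "dropped:shutdown"


if __name__ == "__main__":
    port = SecurePort("Gi1/0/1")          # constructed port name
    for mac in ("AA:BB:CC:00:00:01", "AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"):
        print(mac, "->", port.ingress(mac))
    print(port.log)
```

The model also shows why the notes call MAC filtering "not foolproof": the port only ever sees a MAC address, so a device presenting a learned address is forwarded regardless of what it really is. The violation counter and log are what give an administrator a chance to notice that something unexpected was plugged in.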
Working with 802.1X
The IEEE standard 802.1X defines port-based security for wireless network access
control. As such, it offers a means of authentication and defines the Extensible
Authentication Protocol over IEEE 802, and is often known as EAP over LAN (EAPOL). The
biggest benefit of using 802.1X is that the access points and the switches do not need to
do the authentication but instead rely on the authentication server to do the actual
work.
Secure Network Administration Principles
Flood Guards and Loop Protection
A flood guard is a protection feature built into many firewalls that allows the administrator to tweak the
tolerance for unanswered login attacks. By reducing this tolerance, it is possible to reduce the likelihood of
a successful DoS attack. If a resource, either inbound or outbound, appears to be overused, then the flood
guard kicks in.
Loop protection is a similar feature that works in layer 2 switching configurations and is intended to
prevent broadcast loops. When configuring it in most systems, you can choose to disable broadcast
forwarding and protect against duplicate ARP requests (those having the same target protocol address).
Preventing Network Bridging
Network bridging occurs when a device has more than one network adapter card installed and the
opportunity presents itself for a user on one of the networks to which the device is attached to jump to the
other.
To prevent network bridging, you can configure your network such that when bridging is detected, you
shut off/disable that jack. You can also create profiles that allow for only one interface.
It is not uncommon for a network bridge to appear in the Network Sharing Center. If it does appear, you
will want to delete it. Windows Internet Connection is often pointed to as a cause of unintended bridging
and should be disabled.
Log Analysis
Log analysis is crucial to identifying problems that occur related to security. As an administrator, you have
the ability to turn on logging at many different locations and levels. Not only do you need to collect and
analyze the logs, but you also need to store them for a time in the future when you want to compare what
is happening now to then (baselining).
Mitigation and Deterrent Techniques
Manual Bypassing of Electronic Controls
When an application, system, or safeguard fails, either through a crash or someone
bypassing the expected control path, there are two states it can fail in: failsafe (secure)
or failopen (not secure). When using failsafe, the application stops working, reports an
error, and closes out/exits. The alternative, known as failopen, is for the application to
stop running and let you know that it encountered the unexpected character. You can
enter what the character is supposed to be at a prompt, and the application will pick
back up where it left off, continuing the process. The problem with this scenario is that
when the application crashes, it stays running at the elevated privileges needed to make
the changes and is susceptible to an attacker breaking out of it in order to do harm.
The choice of states to fail in is relevant not only to applications you create but also to
firewalls (when the control fails, is all traffic blocked or allowed?), databases, and
network appliances.
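The firewall question in the paragraph above ("when the control fails, is all traffic blocked or allowed?") is easiest to see in code. This added example (not from the course) wraps one small rule evaluator two ways: the fail-open wrapper permits traffic when the evaluator raises an error, the fail-safe wrapper denies it and records the error. The rule set, the addresses and the deliberately broken rule are constructed to trigger the failure path.

```python
"""Fail-safe versus fail-open behaviour in a small packet-filter rule evaluator.

Added example, not from the course notes. The rule set, the addresses and the
deliberately broken rule are constructed to trigger the failure path.
"""
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, str]   # (CIDR prefix, "permit" or "deny")

# Constructed rule set: block the 10/8 range, allow one branch subnet, deny the rest.
RULES: List[Rule] = [
    ("10.0.0.0/8", "deny"),
    ("192.168.1.0/24", "permit"),
]

# A rule set with a typo in it, as a mis-pushed configuration change might produce.
BROKEN_RULES: List[Rule] = [
    ("192.168.1.0/24", "permit"),
    ("not-a-cidr", "deny"),
]

# Where the fail-safe wrapper records the errors it refused to swallow silently.
ERRORS: List[str] = []


def evaluate_rules(src_ip: str, rules: List[Rule]) -> str:
    """First matching prefix wins; an address no rule covers is denied.

    Raises ValueError when the address or a rule cannot be parsed, which is the
    unexpected condition the two wrappers below must decide how to fail on.
    """
    addr = ipaddress.ip_address(src_ip)
    for prefix, verdict in rules:
        if addr in ipaddress.ip_network(prefix):
            return verdict
    return "deny"


def filter_fail_open(src_ip: str, rules: List[Rule] = RULES) -> str:
    """Fail-open: when the control itself errors, traffic is let through."""
    try:
        return evaluate_rules(src_ip, rules)
    except ValueError:
        return "permit"


def filter_fail_safe(src_ip: str, rules: List[Rule] = RULES) -> str:
    """Fail-safe: when the control itself errors, traffic is blocked and the error is reported."""
    try:
        return evaluate_rules(src_ip, rules)
    except ValueError as exc:
        ERRORS.append(f"{src_ip}: {exc}")   # surface the failure instead of hiding it
        return "deny"


if __name__ == "__main__":
    for ip in ("192.168.1.5", "10.2.3.4", "300.1.1.1"):
        print(ip, "open ->", filter_fail_open(ip), "| safe ->", filter_fail_safe(ip))
    print("broken rules, 10.2.3.4:", filter_fail_open("10.2.3.4", BROKEN_RULES),
          filter_fail_safe("10.2.3.4", BROKEN_RULES))
    print(ERRORS)
```

Both wrappers behave identically on well-formed input; the difference only appears when the control itself breaks (a malformed address, or a bad rule that is only reached for some traffic), which is exactly when an attacker would prefer a fail-open control.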
Monitoring System Logs
There are four logs that exist on most systems. These are event logs, security logs, access
logs and audit logs. You can view the event logs in Event Viewer. The options within
Event Viewer allow you to perform such actions as save the log file, open saved logs,
filter the log file, and see/change properties.
The Security Logs are accessed beneath Windows Logs in Event Viewer, and each event is
preceded by either a key (audit success) or a lock (audit failure). You should look at these
logs periodically and not just when something goes wrong.
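As an added example for the log-analysis and security-log notes (and for the flood-guard idea of a tolerance for failed login attempts), the script below parses a constructed, simplified export of Windows Security events, counts the audit successes and failures that appear as the key and lock icons in Event Viewer, and flags any source that produces a burst of failed logons inside a short window. It is not code from the course material; the event IDs 4624 (logon succeeded) and 4625 (logon failed) and the "Audit Success" / "Audit Failure" keywords are the real Windows ones, while the one-line layout and the log contents are constructed.

```python
"""Review a Windows Security log export: audit successes, failures and failure bursts.

Added example, not from the course notes. The log lines are constructed in a
simplified one-line-per-event layout; event IDs 4624/4625 and the
"Audit Success" / "Audit Failure" keywords are the real Windows ones.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample export (not real log data).
LOG_LINES = """\
2024-03-01T08:00:01 4624 Audit Success Account=jsmith Source=10.0.0.7
2024-03-01T08:01:10 4625 Audit Failure Account=admin Source=10.0.0.99
2024-03-01T08:01:12 4625 Audit Failure Account=admin Source=10.0.0.99
2024-03-01T08:01:13 4625 Audit Failure Account=admin Source=10.0.0.99
2024-03-01T08:01:15 4625 Audit Failure Account=admin Source=10.0.0.99
2024-03-01T08:01:16 4625 Audit Failure Account=admin Source=10.0.0.99
2024-03-01T08:30:00 4625 Audit Failure Account=jsmith Source=10.0.0.7
this line is not an event and is skipped
2024-03-01T08:45:00 4624 Audit Success Account=jsmith Source=10.0.0.7
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event_id>\d+) (?P<outcome>Audit (?:Success|Failure)) "
    r"Account=(?P<account>\S+) Source=(?P<source>\S+)$"
)


def parse(lines: List[str]) -> List[dict]:
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue          # not in the export format; ignore rather than crash
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    return events


def summarize(events: List[dict]) -> Dict[str, object]:
    """Counts behind the key (success) and lock (failure) icons in Event Viewer."""
    failures_by_account: Dict[str, int] = defaultdict(int)
    success = failure = 0
    for ev in events:
        if ev["outcome"] == "Audit Success":
            success += 1
        else:
            failure += 1
            failures_by_account[ev["account"]] += 1
    return {"success": success, "failure": failure,
            "failures_by_account": dict(failures_by_account)}


def detect_bursts(events: List[dict], threshold: int = 5,
                  window: timedelta = timedelta(minutes=5)) -> List[tuple]:
    """Flag a source once it produces `threshold` failed logons inside `window`.

    This is the flood-guard idea applied to a log: a tolerance for unanswered
    login attempts, beyond which the source is reported.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4625:
            continue
        q = recent[ev["source"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()          # drop failures that have aged out of the window
        if len(q) >= threshold and ev["source"] not in alerted:
            alerted.add(ev["source"])
            alerts.append((ev["source"], ev["ts"].isoformat(), len(q)))
    return alerts


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print(summarize(evs))
    for alert in detect_bursts(evs):
        print("ALERT", alert)
```

Run periodically over the stored logs, the summary gives the numbers to compare against an earlier baseline, and the burst detector picks out the pattern that a glance at individual lock icons would miss.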
Mitigation and Deterrent Techniques
Security Posture (4:39)
Security Posture
The security posture is the approach a business takes to security. This runs the entire
gamut from the planning phase to implementation and everything in between:
hardware, software, settings, and so on.
Reporting
Almost every department generates its own reports and uses what it finds as a
dashboard for action. When it comes to analyzing or sharing security report information
with others, you want to focus on three key areas:
Alarms
Alarms are indications of a problem currently going on. These are conditions that
you must respond to right now. Alarm rates can indicate trends that are occurring, and after you
solve the problem, you need to look for indications that the condition may not be isolated.
Alerts
Slightly below alarms are alerts; these are issues that you need to pay attention to
but are not bringing the system to its knees at this very moment.
Trends
Trends indicate where problems are occurring. By focusing on trends, you can
identify weaknesses in your system and areas where you need to devote more resources to head off
future problems.
Detection/Prevention Controls
One of the easiest ways to detect and prevent problems is to let people know that they
are being monitored. In the physical world, monitoring can be done by either cameras or
guards. Where possible, you can combine guards with cameras to create a potent
deterrent. The cameras can send signals to a room where they are monitored by a guard
capable of responding to a situation when a need arises.
The End