Learning Objectives and Activities

Week 15

Vulnerability Assessment

One of the most important assets any organization possesses is its data.  Many organizations do not seriously examine the vulnerabilities associated with data and thus are unprepared to adequately protect it.

What Is Vulnerability Assessment?

A vulnerability assessment is a systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful. The first step in a vulnerability assessment is asset identification; an asset is any item that has a positive economic value. After assets have been inventoried, the next step is to determine the potential threats against the assets that come from threat agents. Table 15-1 introduces common threat agents. The next step, vulnerability appraisal, takes a snapshot of the current security of the organization. Each threat can reveal multiple vulnerabilities, and each vulnerability must be cataloged. The next step is a risk assessment, which determines the damage that would result from an attack and the likelihood that the vulnerability is a risk to the organization. Table 15-2 shows how to rank vulnerabilities. The final step in a vulnerability assessment is risk mitigation.

Use Table 15-3 to see the vulnerability assessment actions and steps.
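The steps above (catalog each vulnerability against its asset and threat agent, estimate damage and likelihood, rank, then decide on mitigation) can be carried through on a small constructed catalog. This is an added example, not code from the page or from Ciampa's text; the impact and likelihood scales, the score thresholds, and the catalog entries are all assumptions made for the illustration, since the page refers to Table 15-2 but does not reproduce it.

```python
from dataclasses import dataclass

# Scales are assumed for this example; the page refers to Table 15-2 for its
# ranking scheme but does not reproduce it, so these values are constructed.
IMPACT = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3}


@dataclass(frozen=True)
class Vulnerability:
    """One cataloged weakness: the asset it exposes, the threat agent that
    could exploit it, and the two factors a risk assessment estimates."""
    asset: str
    threat_agent: str
    description: str
    impact: str        # damage if the attack succeeds
    likelihood: str    # chance that the attack happens

    def score(self) -> int:
        if self.impact not in IMPACT or self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown scale value on {self.asset}: "
                             f"{self.impact}/{self.likelihood}")
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]


def rank_vulnerabilities(vulns):
    """Order the catalog highest risk first; ties are broken by asset name
    and description so the report is deterministic."""
    return sorted(vulns, key=lambda v: (-v.score(), v.asset, v.description))


def mitigation_priority(score: int) -> str:
    """Map a score on the 1..9 scale to a coarse mitigation decision
    (thresholds are assumed for this example)."""
    if score >= 6:
        return "mitigate now"
    if score >= 3:
        return "schedule remediation"
    return "accept and monitor"


def catalog_report(vulns):
    """Rows of (asset, description, score, priority) in ranked order."""
    return [(v.asset, v.description, v.score(), mitigation_priority(v.score()))
            for v in rank_vulnerabilities(vulns)]


# Constructed catalog for a small organization (illustrative, not from the page).
CATALOG = [
    Vulnerability("customer database", "organized crime",
                  "SQL injection in web front end", "high", "likely"),
    Vulnerability("customer database", "insider",
                  "shared DBA credentials", "high", "possible"),
    Vulnerability("file server", "natural disaster",
                  "no offsite backups", "high", "unlikely"),
    Vulnerability("printer", "script kiddie",
                  "default admin password", "low", "likely"),
    Vulnerability("public website", "hacktivist",
                  "outdated CMS plugin", "medium", "possible"),
]

if __name__ == "__main__":
    for asset, description, score, priority in catalog_report(CATALOG):
        print(f"{score:>2}  {priority:<22} {asset:<18} {description}")
```

Run as a script it prints the ranked catalog; the point of the ranking is that two vulnerabilities with the same score (the backup gap and the printer password here) still need a deliberate tie-break so the report is reproducible between assessments.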

Assessment Techniques

Several different techniques can be used in a vulnerability assessment. One is to define a baseline, an imaginary line against which an element is measured or compared; the baseline then serves as the standard. Baseline reporting is a comparison of the present state of a system against its baseline. Because flaws in software (operating systems, application programs, and utility programs) can all be points at which an attacker can try to penetrate and launch a successful attack, software vulnerabilities should be minimized while the software is being developed, instead of being "patched" later. From a practical standpoint, minimizing such errors is difficult because of the size and complexity of software, the lack of formal specifications, and the difficulty of anticipating future attacks.

Assessment Tools

There are several different types of assessment tools used to perform vulnerability assessments, which include port scanners, protocol analyzers, vulnerability scanners, and honeypots and honeynets.  Because port numbers are 16 bits in length, they can have a decimal value from 0 to 65,535.  Table 15-4 shows common protocols and their respective port numbers. It is important to implement port security by disabling unused ports to reduce the number of threat vectors. Port scanner software can be used to search a system for port vulnerabilities.  

There are three port states: open, closed, and blocked. Banner grabbing is the process of using a program to intentionally gather information. A protocol analyzer (also called a sniffer) is hardware or software that captures packets in order to decode and analyze their contents. Table 15-6 summarizes the types of security-related information available from a protocol analyzer. A vulnerability scanner is a generic term for a range of products that look for vulnerabilities in networks or systems. A problem with vulnerability assessment tools is that no standard has been established for collecting, analyzing, and reporting vulnerabilities. A honeypot is a computer typically located in an area with limited security and loaded with software and data files that appear to be authentic, yet are actually imitations of real data files. Similarly, a honeynet is a network set up with intentional vulnerabilities, whose purpose is to invite attacks so that the attacker's methods can be studied.

Vulnerability Scanning vs. Penetration Testing

Two important vulnerability assessment procedures are vulnerability scanning and penetration testing, and both play an important role in uncovering vulnerabilities.

What Is Vulnerability Scanning?

A vulnerability scan is an automated software search (scan) through a system for any known security weaknesses (vulnerabilities) that then creates a report of those potential exposures.  The results of the scans should be compared against baseline scans so that any changes (such as new open ports or added services) will be investigated.  Table 15-7 shows intrusive and non-intrusive vulnerability scans.
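Baseline reporting (Assessment Techniques) and the comparison of scan results against a baseline scan described here are the same operation: diff the present state against the recorded one and surface what changed. The following is an added example, not code from the page or from any scanner product; the line format it parses ("port/proto state service") and the two scan listings are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanLine:
    port: int
    proto: str
    state: str
    service: str


def parse_scan(text: str):
    """Parse a simple 'port/proto state service' listing into a dict keyed by
    (port, proto). The format is constructed for this example, loosely modeled
    on the per-port lines of a port scanner report."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed scan line: {raw!r}")
        port_s, proto = fields[0].split("/", 1)
        port = int(port_s)
        if not 0 <= port <= 65535:           # port numbers are 16 bits
            raise ValueError(f"port out of range: {port}")
        entries[(port, proto)] = ScanLine(port, proto, fields[1], fields[2])
    return entries


def open_ports(scan):
    return {key for key, entry in scan.items() if entry.state == "open"}


def baseline_report(baseline_text: str, current_text: str):
    """Compare a current scan against the baseline scan and return the changes
    an analyst should investigate: newly open ports, ports that were open in the
    baseline but are not now, and ports whose advertised service changed."""
    base = parse_scan(baseline_text)
    cur = parse_scan(current_text)
    base_open, cur_open = open_ports(base), open_ports(cur)
    still_open = base_open & cur_open
    service_changed = sorted(
        key for key in still_open if base[key].service != cur[key].service
    )
    return {
        "new_open": sorted(cur_open - base_open),
        "closed_since_baseline": sorted(base_open - cur_open),
        "service_changed": service_changed,
        "unchanged": sorted(still_open - set(service_changed)),
    }


# Constructed scan listings (not real scan output).
BASELINE_SCAN = """# baseline taken at deployment
22/tcp   open    ssh
80/tcp   open    http
443/tcp  open    https
3306/tcp closed  mysql
"""

CURRENT_SCAN = """# scan taken this week
22/tcp   open    ssh
80/tcp   open    http-proxy
443/tcp  open    https
3306/tcp open    mysql
8080/tcp open    http
"""

if __name__ == "__main__":
    for category, ports in baseline_report(BASELINE_SCAN, CURRENT_SCAN).items():
        print(f"{category:<22} {ports}")
```

On the constructed input the report flags 3306/tcp and 8080/tcp as newly open and 80/tcp as having changed service, which are exactly the "new open ports or added services" the text says should be investigated; ports that match the baseline are listed separately so the analyst can confirm nothing was silently dropped from the scan.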

Penetration Testing

Unlike a vulnerability scan, penetration testing (sometimes called a pentest) is designed to actually exploit any weaknesses in systems that are vulnerable.  Instead of using automated software, penetration testing relies upon the skill, knowledge, and cunning of the tester.  The end product of a penetration test is the penetration test report.  The three main techniques that a penetration tester can use are black box testing, white box testing and gray box testing.

Third-Party Integration

The risks of third-party integration include on-boarding and off-boarding, application and social media network sharing, privacy and risk awareness, and data considerations. Interoperability agreements can be used by third parties to reach an understanding of their relationships and responsibilities. These include:

· Service Level Agreement (SLA)

· Blanket Purchase Agreement (BPA)

· Memorandum of Understanding (MOU)

· Interconnection Security Agreement (ISA)

Mitigating and Deterring Attacks

Although there are a wide variety of attacks, there are standard techniques that should be used in mitigating and deterring attacks.  

Creating a Security Posture

A security posture is an approach, philosophy, or strategy regarding security, made up of:

· Initial baseline configuration

· Continuous security monitoring

· Remediation

Selecting Appropriate Controls

Table 15-9 shows some common controls that are important to meet specific security goals.

Configuring Controls

Another key to mitigating and deterring attacks is the proper configuration of controls.  

Hardening

The purpose of hardening is to eliminate as many security risks as possible and make the system more secure.  Some of the different types of hardening techniques are:

· Protecting accounts with passwords

· Disabling any unnecessary accounts

· Disabling all unnecessary services

· Protecting management interfaces and applications
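The first three hardening items in the list (password-protected accounts, no unnecessary accounts, no unnecessary services) can be checked mechanically. The following is an added example, not code from the page or from any hardening checklist the page links to; it audits constructed passwd, shadow and enabled-unit listings rather than reading the live files, and the allow list, interactive-shell set and system-UID cutoff are assumed policy values.

```python
# Constructed /etc/passwd and /etc/shadow style content (not from a real host).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
"""

SHADOW = """root:$6$constructed$hash1:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
alice:$6$constructed$hash2:19000:0:99999:7:::
guest::19000:0:99999:7:::
toor:$6$constructed$hash3:19000:0:99999:7:::
"""

# Constructed listing in the style of `systemctl list-unit-files --state=enabled`.
ENABLED_UNITS = """ssh.service                 enabled
telnet.socket               enabled
cups.service                enabled
unattended-upgrades.service enabled
"""

ALLOWED_UNITS = {"ssh.service", "unattended-upgrades.service"}  # assumed policy
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}        # assumed
SYSTEM_UID_MAX = 999   # common Linux convention for system accounts


def parse_passwd(text):
    users = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, uid, _gid, _gecos, _home, shell = line.split(":")
        users.append({"name": name, "uid": int(uid), "shell": shell})
    return users


def parse_shadow(text):
    """Map account name to its password field. An empty field means no password
    at all; '!' or '*' means the account is locked, which is not a finding."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        hashes[fields[0]] = fields[1]
    return hashes


def audit_accounts(passwd_text, shadow_text):
    """Return (account, finding) pairs for the account hardening items:
    accounts without a password, extra UID 0 accounts, and system accounts
    that still have an interactive login shell."""
    hashes = parse_shadow(shadow_text)
    findings = []
    for u in parse_passwd(passwd_text):
        if hashes.get(u["name"], "") == "":
            findings.append((u["name"], "no password set"))
        if u["uid"] == 0 and u["name"] != "root":
            findings.append((u["name"], "additional UID 0 account"))
        if 0 < u["uid"] <= SYSTEM_UID_MAX and u["shell"] in INTERACTIVE_SHELLS:
            findings.append((u["name"], "system account with interactive shell"))
    return findings


def audit_services(units_text, allowed):
    """Enabled units that are not on the allow list are candidates to disable."""
    enabled = {line.split()[0] for line in units_text.splitlines() if line.strip()}
    return sorted(enabled - allowed)


if __name__ == "__main__":
    for account, finding in audit_accounts(PASSWD, SHADOW):
        print(f"account {account:<8} {finding}")
    for unit in audit_services(ENABLED_UNITS, ALLOWED_UNITS):
        print(f"service {unit:<28} enabled but not on allow list")
```

The shadow check distinguishes a truly empty password field from a locked account ("!" or "*"), since locking is itself a hardening step and should not be reported as a gap; on a real host the same functions would be fed the contents of the actual files, which requires root to read.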

Reporting

It is important to provide information regarding the events that occur so that action can be taken.  A well-defined incident reporting and incident management process is important.

Additional Resources

PowerPoint presentation, which summarizes and supplements Ciampa, Chapter 15.

Links

Certified Ethical Hacker: http://www.eccouncil.org/certification/certified_ethical_hacker.aspx

SANS Penetration Testing Curriculum: http://www.sans.org/security-training/curriculums/pen-tester 

Vulnerability Assessment Survey: http://www.symantec.com/connect/articles/vulnerability-assessment-survey  

Server Hardening Checklist: https://wikis.utexas.edu/display/ISO/Windows+2008R2+Server+Hardening+Checklist

Center for Internet Security: http://www.cisecurity.org/