Ch 1: Introducing Windows XP
Objectives
Define vulnerability assessment and explain why it is important
List vulnerability assessment techniques and tools
Explain the differences between vulnerability scanning and penetration testing
List techniques for mitigating and deterring attacks
Vulnerability Assessment
Systematic evaluation of asset exposure to:
Attackers
Forces of nature
Any potentially harmful entity
Aspects of vulnerability assessment
Asset identification
Threat evaluation
Vulnerability appraisal
Risk assessment
Risk mitigation
Asset identification
Process of inventorying items with economic value
Common assets
People
Physical assets
Data
Hardware
Software
Determine each item’s relative value
Asset’s criticality to organization’s goals
How much revenue asset generates
How difficult to replace asset
Impact of asset unavailability to the organization
Could rank using a number scale
Threat evaluation
List potential threats
Threat modeling
Goal: understand attackers and their methods
Often done by constructing scenarios
Attack tree
Provides visual representation of potential attacks
Inverted tree structure
Common Threat Agents
Attack Tree
Vulnerability appraisal
Determine current weaknesses
Snapshot of current organization security
Every asset should be viewed in light of each threat
Catalog each vulnerability
Risk assessment
Determine damage resulting from attack
Assess likelihood that vulnerability is a risk to organization
Vulnerability Impact Scale
Single loss expectancy (SLE)
Expected monetary loss each time a risk occurs
Calculated by multiplying the asset value by exposure factor
Exposure factor: percentage of asset value likely to be destroyed by a particular risk
Annualized loss expectancy (ALE)
Expected monetary loss over a one year period
Multiply SLE by annualized rate of occurrence
Annualized rate of occurrence: probability that a risk will occur in a particular year
Estimate probability that vulnerability will actually occur
Risk mitigation
Determine what to do about risks
Determine how much risk can be tolerated
Options for dealing with risk
Diminish
Transfer (outsourcing, insurance)
Accept
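The SLE and ALE arithmetic from the risk assessment slides, carried through to the diminish/transfer/accept choice from the risk mitigation slide. This is an added example, not material from the course; every asset value, exposure factor, rate of occurrence and control cost below is a constructed figure.

```python
# Added example: SLE/ALE calculation and a simple mitigation decision.
# All monetary values, exposure factors and ARO figures are constructed.
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    asset_value: float      # economic value of the asset ($)
    exposure_factor: float  # fraction of asset value destroyed per occurrence (0..1)
    aro: float              # annualized rate of occurrence (occurrences per year)

def sle(r: Risk) -> float:
    """Single loss expectancy: asset value x exposure factor."""
    return r.asset_value * r.exposure_factor

def ale(r: Risk) -> float:
    """Annualized loss expectancy: SLE x annualized rate of occurrence."""
    return sle(r) * r.aro

def decide(r: Risk, control_cost: float, residual_aro: float, tolerance: float) -> str:
    """Choose one of the slide's options.
    accept   : the current ALE is already within the tolerated annual loss
    diminish : a control costing `control_cost` per year removes more ALE
               than it costs (residual_aro is the ARO after the control)
    transfer : otherwise, e.g. insure or outsource the risk"""
    current = ale(r)
    if current <= tolerance:
        return "accept"
    residual = sle(r) * residual_aro
    if control_cost < current - residual:
        return "diminish"
    return "transfer"

if __name__ == "__main__":
    db = Risk("customer database", 500_000, 0.40, 0.25)  # constructed figures
    print(f"SLE=${sle(db):,.0f}  ALE=${ale(db):,.0f}")
    print("decision:", decide(db, control_cost=20_000, residual_aro=0.05, tolerance=10_000))
```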
Risk Identification Steps
Assessment Techniques
Baseline reporting
Baseline: standard for solid security
Compare present state to baseline
Note, evaluate, and possibly address differences
Application development techniques
Minimize vulnerabilities during software development
Challenges to approach
Software application size and complexity
Lack of security specifications
Future attack techniques unknown
Software development assessment techniques
Review architectural design in requirements phase
Conduct design reviews
Consider including a security consultant
Conduct code review during implementation phase
Examine attack surface (code executed by users)
Correct bugs during verification phase
Create and distribute security updates as necessary
Assessment Tools
IP addresses uniquely identify each network device
TCP/IP communication
Involves information exchange between one system’s program and another system’s corresponding program
Port number
Unique identifier for applications and services
16 bits in length
Well-known port numbers
Reserved for most universal applications
Registered port numbers
Other applications not as widely used
Dynamic and private port numbers
Available for any application to use
Knowledge of what port is being used
Can be used by attacker to target specific service
Port scanner software
Searches system for available ports
Used to determine port state
Open
Closed
Blocked
Port Scanning
Protocol analyzers
Hardware or software that captures packets:
To decode and analyze contents
Also known as sniffers
Example: Wireshark
Common uses for protocol analyzers
Used by network administrators for troubleshooting
Characterizing network traffic
Security analysis
Attacker can use protocol analyzer to display content of each transmitted packet
Vulnerability scanners
Products that look for vulnerabilities in networks or systems
Most maintain a database categorizing vulnerabilities they can detect
Examples of vulnerability scanners’ capabilities
Alert when new systems added to network
Detect when internal system begins to port scan other systems
Maintain a log of all interactive network sessions
Track all client and server application vulnerabilities
Track which systems communicate with other internal systems
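One of the capabilities listed above is detecting when an internal system begins to port scan other systems. The following is an added example (not from the course or any scanner product) of that detection logic run over a few constructed firewall log lines; the log format and all addresses are made up for the example.

```python
# Added example: flag a source that probes many distinct (host, port)
# targets within a short window. Log format and addresses are constructed.
from collections import defaultdict

# constructed firewall log: "<epoch> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
1000 10.0.0.5 10.0.0.20 22 ALLOW
1001 10.0.0.5 10.0.0.20 80 ALLOW
1002 10.0.0.5 10.0.0.20 443 ALLOW
1003 10.0.0.5 10.0.0.20 445 DENY
1004 10.0.0.5 10.0.0.20 3389 DENY
1005 10.0.0.5 10.0.0.20 8080 DENY
1006 10.0.0.5 10.0.0.21 22 ALLOW
1007 10.0.0.5 10.0.0.21 23 DENY
1008 10.0.0.5 10.0.0.21 25 DENY
1009 10.0.0.5 10.0.0.21 110 DENY
1010 10.0.0.5 10.0.0.21 135 DENY
1011 10.0.0.5 10.0.0.21 139 DENY
1200 10.0.0.9 10.0.0.20 443 ALLOW
1201 10.0.0.9 10.0.0.20 443 ALLOW
1202 10.0.0.9 10.0.0.21 443 ALLOW
"""

def detect_port_scans(log: str, window: int = 60, min_targets: int = 10) -> dict:
    """Return {src_ip: max distinct targets seen in any `window` seconds}
    for every source that reaches `min_targets` distinct (dst_ip, dst_port)
    pairs inside the window. Normal clients hit a few fixed ports; a scanner
    fans out across many ports and hosts in a short time."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, port, _action = line.split()
        events[src].append((int(ts), (dst, int(port))))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window
                start += 1
            distinct = len({target for _, target in evs[start:end + 1]})
            if distinct >= min_targets:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts

if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOG))  # only 10.0.0.5 is flagged
```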
Vulnerability Scanner
Problem with assessment tools
No standard for collecting, analyzing, reporting vulnerabilities
Open Vulnerability and Assessment Language (OVAL)
Designed to promote open and publicly available security content
Standardizes information transfer across different security tools and services
Honeypots and Honeynets
Honeypot
Computer protected by minimal security
Intentionally configured with vulnerabilities
Contains bogus data files
Goal: trick attackers into revealing their techniques
Compare with actual production systems to determine how well they would withstand the same attack
Honeynet
Network set up with one or more honeypots
Vulnerability Scanning vs. Penetration Testing
Vulnerability scan
Automated software searches a system for known security weaknesses
Creates report of potential exposures
Should be conducted on existing systems and as new technology is deployed
Usually performed from inside security perimeter
Does not interfere with normal network operations
Penetration Testing
Designed to exploit system weaknesses
Relies on tester’s skill, knowledge, cunning
Usually conducted by independent contractor
Tests usually conducted outside the security perimeter
May even disrupt network operations
End result: penetration test report
Black box test
Tester has no prior knowledge of network infrastructure
White box test
Tester has in-depth knowledge of network and systems being tested
Gray box test
Some limited information has been provided to the tester
Mitigating and Deterring Attacks
Standard techniques for mitigating and deterring attacks
Creating a security posture
Configuring controls
Hardening
Reporting
Creating a Security Posture
Security posture describes strategy regarding security
Initial baseline configuration
Standard security checklist
Systems evaluated against baseline
Starting point for security
Continuous security monitoring
Regularly observe systems and networks
Remediation
As vulnerabilities are exposed, put plan in place to address them
Configuring Controls
Properly configuring controls is key to mitigating and deterring attacks
Some controls are for detection
Security camera
Some controls are for prevention
Properly positioned security guard
Information security controls
Can be configured to detect attacks and sound alarms, or prevent attacks
Additional consideration
When normal function interrupted by failure:
Which is higher priority, security or safety?
Fail-open lock unlocks doors automatically upon failure
Fail-safe lock automatically locks
Highest security level
Firewall can be configured in fail-safe or fail-open state
Hardening
Purpose of hardening
Eliminate as many security risks as possible
Techniques to harden systems
Protecting accounts with passwords
Disabling unnecessary accounts
Disabling unnecessary services
Protecting management interfaces and applications
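The baseline reporting technique from the assessment section, the initial baseline configuration of a security posture, and the hardening checklist above all come down to the same check: compare a system's present state with a standard checklist and report the differences. This is an added example, not from the course; the baseline and the host snapshot are constructed dicts standing in for what an inventory or configuration tool would collect.

```python
# Added example: report where a host deviates from a baseline checklist.
# BASELINE and SAMPLE_HOST are constructed; the hardening items mirror the
# slide (passwords, unnecessary accounts/services, management interfaces).
BASELINE = {
    "allowed_services": {"sshd", "ntpd", "syslog"},
    "disabled_accounts": {"guest", "test"},
    "min_password_length": 12,
    "management_requires_tls": True,
}

SAMPLE_HOST = {  # constructed snapshot of one server's present state
    "services": ["sshd", "ntpd", "telnetd", "syslog"],
    "enabled_accounts": ["root", "admin", "guest"],
    "accounts_without_password": ["admin"],
    "min_password_length": 8,
    "management_tls": False,
}

def compare_to_baseline(host: dict, baseline: dict = BASELINE) -> list:
    """Return one finding string per deviation from the baseline."""
    findings = []
    for svc in sorted(set(host["services"]) - baseline["allowed_services"]):
        findings.append(f"unnecessary service enabled: {svc}")
    for acct in sorted(baseline["disabled_accounts"] & set(host["enabled_accounts"])):
        findings.append(f"account should be disabled: {acct}")
    for acct in sorted(host.get("accounts_without_password", [])):
        findings.append(f"account not protected by a password: {acct}")
    if host["min_password_length"] < baseline["min_password_length"]:
        findings.append(
            f"minimum password length {host['min_password_length']} "
            f"below baseline {baseline['min_password_length']}")
    if baseline["management_requires_tls"] and not host["management_tls"]:
        findings.append("management interface does not require TLS")
    return findings

if __name__ == "__main__":
    for finding in compare_to_baseline(SAMPLE_HOST):
        print("FINDING:", finding)
```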
Reporting
Providing information regarding events that occur
Alarms or alerts
Sound warning if specific situation is occurring
Example: alert if too many failed password attempts
Reporting can provide information on trends
Can indicate a serious impending situation
Example: multiple user accounts experiencing multiple password attempts
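The two reporting cases above, an alert on too many failed password attempts for one account and a trend indicator when several accounts each see repeated failures, as an added example (not from the course) run over constructed authentication log lines.

```python
# Added example: per-account alarm plus a cross-account trend indicator.
# Log format, user names and addresses are constructed for the example.
from collections import Counter

# constructed auth log: "<time> <RESULT> <user> <src_ip>"
SAMPLE_AUTH_LOG = """\
09:00:01 FAIL alice 203.0.113.7
09:00:03 FAIL alice 203.0.113.7
09:00:05 FAIL alice 203.0.113.7
09:00:07 FAIL alice 203.0.113.7
09:00:09 FAIL alice 203.0.113.7
09:00:12 FAIL alice 203.0.113.7
09:01:00 FAIL bob 203.0.113.7
09:01:02 FAIL bob 203.0.113.7
09:01:04 FAIL bob 203.0.113.7
09:02:00 FAIL carol 203.0.113.7
09:02:02 FAIL carol 203.0.113.7
09:02:04 FAIL carol 203.0.113.7
09:03:00 OK dave 198.51.100.4
09:03:30 FAIL erin 198.51.100.4
"""

def failed_attempts(log: str) -> Counter:
    """Count failed logon attempts per account."""
    counts = Counter()
    for line in log.splitlines():
        _ts, result, user, _src = line.split()
        if result == "FAIL":
            counts[user] += 1
    return counts

def alerts(counts: Counter, per_account_limit: int = 5) -> list:
    """Alarm: accounts whose failed attempts exceed the limit."""
    return [user for user, n in sorted(counts.items()) if n > per_account_limit]

def trend(counts: Counter, per_account: int = 3, min_accounts: int = 3) -> bool:
    """Trend indicator: at least `min_accounts` accounts each with
    `per_account` or more failures. No single account trips the alarm,
    but together they can indicate a serious impending situation."""
    return sum(1 for n in counts.values() if n >= per_account) >= min_accounts

if __name__ == "__main__":
    counts = failed_attempts(SAMPLE_AUTH_LOG)
    print("alerts:", alerts(counts))          # alice only
    print("trend flagged:", trend(counts))    # True: alice, bob, carol
```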
Last modified 1-24-12