Ch 1: Introducing Windows XP



Define vulnerability assessment and explain why it is important

List vulnerability assessment techniques and tools

Explain the differences between vulnerability scanning and penetration testing

List techniques for mitigating and deterring attacks

Vulnerability Assessment

Systematic evaluation of asset exposure


Forces of nature

Any potentially harmful entity

Aspects of vulnerability assessment

Asset identification

Threat evaluation

Vulnerability appraisal

Risk assessment

Risk mitigation

Asset identification

Process of inventorying items with economic value

Common assets


Physical assets




Determine each item’s relative value

Asset’s criticality to organization’s goals

How much revenue asset generates

How difficult to replace asset

Impact of asset unavailability to the organization

Could rank using a number scale

Threat evaluation

List potential threats

Threat modeling

Goal: understand attackers and their methods

Often done by constructing scenarios

Attack tree

Provides visual representation of potential attacks

Inverted tree structure

Common Threat Agents


Attack Tree


Vulnerability appraisal

Determine current weaknesses

Snapshot of current organization security

Every asset should be viewed in light of each threat

Catalog each vulnerability

Risk assessment

Determine damage resulting from attack

Assess likelihood that vulnerability is a risk to organization

Vulnerability Impact Scale


Single loss expectancy (SLE)

Expected monetary loss each time a risk occurs

Calculated by multiplying the asset value by the exposure factor

Exposure factor: percentage of asset value likely to be destroyed by a particular risk

Annualized loss expectancy (ALE)

Expected monetary loss over a one year period

Multiply SLE by annualized rate of occurrence

Annualized rate of occurrence: probability that a risk will occur in a particular year

Estimate probability that vulnerability will actually occur

Risk mitigation

Determine what to do about risks

Determine how much risk can be tolerated

Options for dealing with risk


Transfer (outsourcing, insurance)
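The SLE and ALE arithmetic above, carried through for several asset/threat pairs and ranked against a risk tolerance so the mitigation decision (accept, mitigate, transfer, avoid) can be made per risk. This is an added example, not part of the original slides; the Risk class, the helper names and every dollar figure, exposure factor and occurrence rate are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str              # asset name from the inventory
    threat: str             # threat agent or event
    asset_value: float      # AV: asset value in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0..1)
    aro: float              # ARO: expected occurrences per year


def single_loss_expectancy(risk):
    """SLE = asset value x exposure factor (loss per single occurrence)."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return risk.asset_value * risk.exposure_factor


def annualized_loss_expectancy(risk):
    """ALE = SLE x ARO (expected loss over a one-year period)."""
    if risk.aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(risk) * risk.aro


def rank_risks(risks, tolerance):
    """Return (risk, ALE, above_tolerance) tuples, highest ALE first.

    'tolerance' is the largest annual loss the organization is willing to
    accept for one risk; anything above it needs a mitigation decision
    (avoid, mitigate, transfer, or explicitly accept).
    """
    ranked = sorted(risks, key=annualized_loss_expectancy, reverse=True)
    return [(r, annualized_loss_expectancy(r),
             annualized_loss_expectancy(r) > tolerance) for r in ranked]


# Constructed sample inventory: all numbers are illustrative, not real data
SAMPLE_RISKS = [
    Risk("customer database", "data breach", 500_000, 0.40, 0.5),
    Risk("web server", "DDoS", 80_000, 0.25, 2.0),
    Risk("office building", "flood", 2_000_000, 0.10, 0.02),
]

if __name__ == "__main__":
    for risk, ale, flagged in rank_risks(SAMPLE_RISKS, tolerance=10_000):
        mark = "ABOVE TOLERANCE" if flagged else "accept"
        print(f"{risk.asset:18} {risk.threat:12} SLE={single_loss_expectancy(risk):>10,.0f} "
              f"ALE={ale:>10,.0f} {mark}")
```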


Risk Identification Steps

Assessment Techniques

Baseline reporting

Baseline: standard for solid security

Compare present state to baseline

Note, evaluate, and possibly address differences

Application development techniques

Minimize vulnerabilities during software development

Challenges to approach

Software application size and complexity

Lack of security specifications

Future attack techniques unknown

Software development assessment techniques

Review architectural design in requirements phase

Conduct design reviews

Consider including a security consultant

Conduct code review during implementation phase

Examine attack surface (code executed by users)

Correct bugs during verification phase

Create and distribute security updates as necessary


Assessment Tools

IP addresses uniquely identify each network device

TCP/IP communication

Involves information exchange between one system’s program and another system’s corresponding program

Port number

Unique identifier for applications and services

16 bits in length

Well-known port numbers

Reserved for most universal applications

Registered port numbers

Other applications not as widely used

Dynamic and private port numbers

Available for any application to use

Knowledge of what port is being used

Can be used by attacker to target specific service

Port scanner software

Searches system for available ports

Used to determine port state




Port Scanning

Protocol analyzers

Hardware or software that captures packets:

To decode and analyze contents

Also known as sniffers

Example: Wireshark

Common uses for protocol analyzers

Used by network administrators for troubleshooting

Characterizing network traffic

Security analysis

Attacker can use protocol analyzer to display content of each transmitted packet

Vulnerability scanners

Products that look for vulnerabilities in networks or systems

Most maintain a database categorizing vulnerabilities they can detect

Examples of vulnerability scanners’ capabilities

Alert when new systems added to network

Detect when internal system begins to port scan other systems

Maintain a log of all interactive network sessions

Track all client and server application vulnerabilities

Track which systems communicate with other internal systems
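One of the capabilities listed above, detecting when an internal system begins to port scan other systems, written out as detection logic over connection records. This is an added example, not part of the original slides or any scanner product; the log format, the hosts and the window/threshold values are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed connection log (made-up hosts): one line per TCP connection
# attempt, assumed to be in time order
SAMPLE_LOG = """\
2012-01-24T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=22
2012-01-24T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=23
2012-01-24T10:00:02 src=10.0.0.5 dst=10.0.0.20 dport=25
2012-01-24T10:00:02 src=10.0.0.9 dst=10.0.0.20 dport=443
2012-01-24T10:00:03 src=10.0.0.5 dst=10.0.0.20 dport=80
2012-01-24T10:00:03 src=10.0.0.5 dst=10.0.0.21 dport=445
2012-01-24T10:00:04 src=10.0.0.5 dst=10.0.0.21 dport=3389
2012-01-24T10:05:00 src=10.0.0.9 dst=10.0.0.20 dport=443
2012-01-24T10:09:00 src=10.0.0.9 dst=10.0.0.22 dport=80
"""


def parse_line(line):
    """Turn 'ts src=.. dst=.. dport=..' into (datetime, src, (dst, dport))."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], (kv["dst"], int(kv["dport"]))


def detect_port_scans(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src: first alert time} for sources that reach 'threshold'
    distinct (dst, port) targets inside one sliding 'window'.

    Keeping a per-source window means a slow trickle of ordinary traffic
    (10.0.0.9 above) never accumulates into an alert.
    """
    recent = defaultdict(deque)   # src -> deque of (time, target)
    alerts = {}
    for line in log_text.splitlines():
        when, src, target = parse_line(line)
        q = recent[src]
        q.append((when, target))
        while when - q[0][0] > window:   # expire events older than the window
            q.popleft()
        if len({t for _, t in q}) >= threshold and src not in alerts:
            alerts[src] = when
    return alerts


if __name__ == "__main__":
    for src, when in detect_port_scans(SAMPLE_LOG).items():
        print(f"ALERT {when}: {src} reached the distinct-target threshold")
```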

Vulnerability Scanner


Problem with assessment tools

No standard for collecting, analyzing, and reporting vulnerabilities

Open Vulnerability and Assessment Language (OVAL)

Designed to promote open and publicly available security content

Standardizes information transfer across different security tools and services

Honeypots and Honeynets


Computer protected by minimal security

Intentionally configured with vulnerabilities

Contains bogus data files

Goal: trick attackers into revealing their techniques

Compare against actual production systems to determine how well they would hold up against the same attack


Network set up with one or more honeypots

Vulnerability Scanning vs. Penetration Testing


Vulnerability scan

Automated software searches a system for known security weaknesses

Creates report of potential exposures

Should be conducted on existing systems and as new technology is deployed

Usually performed from inside security perimeter

Does not interfere with normal network operations

Penetration Testing

Designed to exploit system weaknesses

Relies on tester’s skill, knowledge, and cunning

Usually conducted by independent contractor

Tests usually conducted outside the security perimeter

May even disrupt network operations

End result: penetration test report

Black box test

Tester has no prior knowledge of network infrastructure

White box test

Tester has in-depth knowledge of network and systems being tested

Gray box test

Some limited information has been provided to the tester

Mitigating and Deterring Attacks

Standard techniques for mitigating and deterring attacks

Creating a security posture

Configuring controls



Creating a Security Posture

Security posture describes strategy regarding security

Initial baseline configuration

Standard security checklist

Systems evaluated against baseline

Starting point for security

Continuous security monitoring

Regularly observe systems and networks


As vulnerabilities are exposed, put plan in place to address them

Configuring Controls

Properly configuring controls is key to mitigating and deterring attacks

Some controls are for detection

Security camera

Some controls are for prevention

Properly positioned security guard

Information security controls

Can be configured to detect attacks and sound alarms, or prevent attacks

Additional consideration

When normal function interrupted by failure:

Which is higher priority, security or safety?

Fail-open lock unlocks doors automatically upon failure

Fail-safe lock automatically locks

Highest security level

Firewall can be configured in fail-safe or fail-open state


Purpose of hardening

Eliminate as many security risks as possible

Techniques to harden systems

Protecting accounts with passwords

Disabling unnecessary accounts

Disabling unnecessary services

Protecting management interfaces and applications


Providing information regarding events that occur

Alarms or alerts

Sound warning if specific situation is occurring

Example: alert if too many failed password attempts

Reporting can provide information on trends

Can indicate a serious impending situation

Example: multiple user accounts experiencing multiple password attempts
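The two alerting cases above, turned into checks over authentication log lines: a single account with too many failed attempts (the alarm case), and many accounts each seeing repeated failures (the trend-report case, which a per-account threshold alone would miss for bob, carol and dave). This is an added example, not part of the original slides; the log format, account names, addresses and thresholds are constructed.

```python
import re
from collections import Counter

# Constructed log: 'timestamp RESULT user=<name> src=<ip>' (made-up values)
SAMPLE_AUTH_LOG = """\
2012-01-24T09:00:01 FAILED user=alice src=10.0.0.7
2012-01-24T09:00:02 FAILED user=alice src=10.0.0.7
2012-01-24T09:00:03 FAILED user=alice src=10.0.0.7
2012-01-24T09:00:04 FAILED user=alice src=10.0.0.7
2012-01-24T09:00:05 FAILED user=alice src=10.0.0.7
2012-01-24T09:00:06 FAILED user=alice src=10.0.0.7
2012-01-24T09:00:07 OK user=alice src=10.0.0.7
2012-01-24T09:01:00 FAILED user=bob src=10.0.0.9
2012-01-24T09:01:01 FAILED user=bob src=10.0.0.9
2012-01-24T09:01:02 FAILED user=carol src=10.0.0.9
2012-01-24T09:01:03 FAILED user=carol src=10.0.0.9
2012-01-24T09:01:04 FAILED user=dave src=10.0.0.9
2012-01-24T09:01:05 FAILED user=dave src=10.0.0.9
2012-01-24T09:02:00 OK user=erin src=10.0.0.11
"""

LINE_RE = re.compile(r"^(\S+) (FAILED|OK) user=(\S+) src=(\S+)$")


def failed_attempts(log_text):
    """Count failed attempts per account, e.g. {'alice': 6, 'bob': 2, ...}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "FAILED":
            counts[m.group(3)] += 1
    return counts


def account_alerts(log_text, threshold=5):
    """Alarm case: accounts whose failure count reaches 'threshold'."""
    return sorted(u for u, n in failed_attempts(log_text).items() if n >= threshold)


def cross_account_report(log_text, min_accounts=3, min_failures=2):
    """Trend case: report all accounts with at least 'min_failures' failures,
    but only when 'min_accounts' or more of them exist at once. Accounts
    that stay under the alarm threshold individually still show up here."""
    hit = sorted(u for u, n in failed_attempts(log_text).items() if n >= min_failures)
    return hit if len(hit) >= min_accounts else []


if __name__ == "__main__":
    print("alerts:", account_alerts(SAMPLE_AUTH_LOG))
    print("trend report:", cross_account_report(SAMPLE_AUTH_LOG))
```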

Last modified 1-24-12
