Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 4
Vulnerability Assessment and Mitigating Attacks
Objectives
• Define vulnerability assessment and explain why it is
important
• List vulnerability assessment techniques and tools
• Explain the differences between vulnerability
scanning and penetration testing
• List techniques for mitigating and deterring attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition
2
Vulnerability Assessment
• Systematic evaluation of asset exposure
– Attackers
– Forces of nature
– Any potentially harmful entity
• Aspects of vulnerability assessment
– Asset identification
– Threat evaluation
– Vulnerability appraisal
– Risk assessment
– Risk mitigation
Vulnerability Assessment (cont’d.)
• Asset identification
– Process of inventorying items with economic value
• Common assets
– People
– Physical assets
– Data
– Hardware
– Software
Vulnerability Assessment (cont’d.)
• Determine each item’s relative value
– Asset’s criticality to organization’s goals
– How much revenue asset generates
– How difficult to replace asset
– Impact of asset unavailability to the organization
• Could rank using a number scale
Vulnerability Assessment (cont’d.)
• Threat evaluation
– List potential threats
• Threat modeling
– Goal: understand attackers and their methods
– Often done by constructing scenarios
• Attack tree
– Provides visual representation of potential attacks
– Inverted tree structure
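An attack tree can be evaluated, not just drawn. The following added example (not from the textbook) models AND/OR nodes in Python, finds the attacker's cheapest route to the root goal, and asks which single mitigation raises that cost the most. The tree is constructed in the spirit of Figure 4-2, and the attacker "cost" figures are arbitrary units chosen for illustration.

```python
"""Attack tree with AND/OR nodes, evaluated from the defender's side.

Added example, not from the textbook. The tree below is constructed in the
spirit of Figure 4-2 (breaking into a grading system); the attacker cost
figures are arbitrary units chosen for illustration.
"""
import math
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Node:
    label: str
    kind: str = "leaf"      # "leaf", "OR" (any child suffices) or "AND" (all children needed)
    cost: float = 0.0       # attacker effort for a leaf; ignored for OR/AND nodes
    children: List["Node"] = field(default_factory=list)


def min_cost(node: Node, mitigated: FrozenSet[str] = frozenset()) -> float:
    """Cheapest way for the attacker to achieve `node`.

    A mitigated leaf is treated as infinitely expensive, i.e. closed off.
    OR nodes take the cheapest child; AND nodes need every child, so their
    costs add up.
    """
    if node.kind == "leaf":
        return math.inf if node.label in mitigated else node.cost
    costs = [min_cost(child, mitigated) for child in node.children]
    if node.kind == "OR":
        return min(costs)
    if node.kind == "AND":
        return sum(costs)
    raise ValueError(f"unknown node kind {node.kind!r}")


def leaves(node: Node) -> List[str]:
    """All leaf labels under `node`, depth first."""
    if node.kind == "leaf":
        return [node.label]
    return [label for child in node.children for label in leaves(child)]


def cheapest_path(node: Node, mitigated: FrozenSet[str] = frozenset()) -> List[str]:
    """Leaves on the attacker's cheapest path to `node` (empty if closed off)."""
    if math.isinf(min_cost(node, mitigated)):
        return []
    if node.kind == "leaf":
        return [node.label]
    if node.kind == "OR":
        best = min(node.children, key=lambda c: min_cost(c, mitigated))
        return cheapest_path(best, mitigated)
    return [label for child in node.children for label in cheapest_path(child, mitigated)]


def best_single_mitigation(root: Node) -> Tuple[Optional[str], float]:
    """The one leaf whose mitigation raises the attacker's minimum cost the most."""
    best_leaf, best_cost = None, -math.inf
    for leaf in leaves(root):
        cost = min_cost(root, frozenset({leaf}))
        if cost > best_cost:
            best_leaf, best_cost = leaf, cost
    return best_leaf, best_cost


# Constructed tree: root goal at the top, as in an inverted tree.
GRADING_SYSTEM = Node("Alter a grade", "OR", children=[
    Node("Log in with instructor credentials", "OR", children=[
        Node("Guess a weak password", cost=20),
        Node("Trick instructor into revealing password", cost=40),
    ]),
    Node("Tamper with the server directly", "AND", children=[
        Node("Enter the server room", cost=60),
        Node("Defeat disk encryption", cost=80),
    ]),
    Node("Collude with a staff member", cost=100),
])

if __name__ == "__main__":
    print("attacker minimum cost:", min_cost(GRADING_SYSTEM))
    print("cheapest path:", cheapest_path(GRADING_SYSTEM))
    print("best single mitigation:", best_single_mitigation(GRADING_SYSTEM))
```

Running it shows that on this constructed tree the weak-password leaf is the cheapest route, and closing it alone doubles the attacker's minimum cost, which is the kind of prioritization the threat-evaluation step is meant to produce.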
Table 4-1 Common threat agents
Figure 4-1 Attack tree for stealing a car stereo
© Cengage Learning 2012
Figure 4-2 Attack tree for breaking into grading system
© Cengage Learning 2012
Vulnerability Assessment (cont’d.)
• Vulnerability appraisal
– Determine current weaknesses
• Snapshot of current organization security
– Every asset should be viewed in light of each threat
– Catalog each vulnerability
• Risk assessment
– Determine damage resulting from attack
– Assess likelihood that vulnerability is a risk to
organization
Table 4-2 Vulnerability impact scale
Vulnerability Assessment (cont’d.)
• Single loss expectancy (SLE)
– Expected monetary loss each time a risk occurs
– Calculated by multiplying the asset value by exposure
factor
– Exposure factor: percentage of asset value likely to be
destroyed by a particular risk
Vulnerability Assessment (cont’d.)
• Annualized loss expectancy (ALE)
– Expected monetary loss over a one year period
– Multiply SLE by annualized rate of occurrence
– Annualized rate of occurrence: probability that a risk
will occur in a particular year
Vulnerability Assessment (cont’d.)
• Estimate probability that vulnerability will actually
occur
• Risk mitigation
– Determine what to do about risks
– Determine how much risk can be tolerated
• Options for dealing with risk
– Diminish
– Transfer (outsourcing, insurance)
– Accept
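The SLE and ALE definitions above, and the diminish/transfer/accept options of risk mitigation, carried through in working code. This is an added example, not from the textbook; the asset values, exposure factors, annualized rates of occurrence, control costs and insurance premiums are all constructed.

```python
"""Single loss expectancy (SLE), annualized loss expectancy (ALE) and a
risk-mitigation decision, as described in the text. Added example, not from
the textbook; the asset values, exposure factors, rates of occurrence and
control costs below are constructed."""
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: monetary value of the asset
    exposure_factor: float  # EF: fraction of AV likely destroyed per occurrence (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")


def single_loss_expectancy(risk: Risk) -> float:
    """SLE = AV x EF: expected monetary loss each time the risk occurs."""
    return risk.asset_value * risk.exposure_factor


def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO: expected monetary loss over a one-year period."""
    return single_loss_expectancy(risk) * risk.aro


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Highest ALE first: the order in which to spend mitigation effort."""
    return sorted(risks, key=annualized_loss_expectancy, reverse=True)


def choose_option(risk: Risk, control_cost: float, residual_aro: float,
                  premium: float, tolerance: float) -> str:
    """Pick among the textbook's options: diminish, transfer, or accept.

    - accept   if the ALE is within what the organization tolerates
    - diminish if a control costing `control_cost` per year (and lowering the
               ARO to `residual_aro`) saves more ALE than it costs
    - transfer if insuring the risk for `premium` per year is cheaper than the ALE
    - otherwise accept, knowingly: the exposure exceeds tolerance and no
               affordable treatment exists, so it must be documented and escalated
    """
    ale = annualized_loss_expectancy(risk)
    if ale <= tolerance:
        return "accept"
    saved = ale - annualized_loss_expectancy(replace(risk, aro=residual_aro))
    if saved > control_cost:
        return "diminish"
    if premium < ale:
        return "transfer"
    return "accept"


# Constructed sample inventory.
SAMPLE_RISKS = [
    Risk("ransomware on file server", asset_value=200_000, exposure_factor=0.5, aro=0.2),
    Risk("laptop theft", asset_value=2_000, exposure_factor=1.0, aro=3.0),
    Risk("web server defacement", asset_value=50_000, exposure_factor=0.1, aro=0.5),
]

if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name:28} SLE={single_loss_expectancy(r):>10,.0f} "
              f"ALE={annualized_loss_expectancy(r):>10,.0f}")
```

Note that ranking by SLE alone would put the file server far ahead of laptop theft, while ranking by ALE keeps laptop theft second because it happens several times a year; the frequency term is what turns a per-incident figure into a budgeting figure.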
Table 4-3 Risk identification steps
Assessment Techniques
• Baseline reporting
– Baseline: standard for solid security
– Compare present state to baseline
– Note, evaluate, and possibly address differences
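Baseline reporting reduces to a comparison: a snapshot of the present configuration is checked setting by setting against the agreed baseline and each difference is noted for evaluation. The following added example (not from the textbook) does this in Python; the baseline settings, the snapshot format and the severity ratings are constructed.

```python
"""Baseline reporting: compare a host's present configuration to a security
baseline and report the differences. Added example, not from the textbook;
the baseline, the snapshot format and the severities are constructed."""
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: Any
    actual: Any        # None when the setting is absent from the snapshot
    severity: str      # "high", "medium", "low" or "unknown"


# The baseline: the agreed standard for solid security on this host class.
BASELINE: Dict[str, Any] = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "firewall.enabled": True,
    "service.telnet": "disabled",
    "password.min_length": 12,
    "audit.logging": "enabled",
}

# Numeric settings where a value stricter than the baseline is still compliant.
AT_LEAST = {"password.min_length"}

# How serious a deviation from each setting is (constructed ratings).
SEVERITY = {
    "ssh.PermitRootLogin": "high",
    "ssh.PasswordAuthentication": "high",
    "firewall.enabled": "high",
    "service.telnet": "medium",
    "password.min_length": "medium",
    "audit.logging": "low",
}


def compare_to_baseline(snapshot: Dict[str, Any], baseline: Dict[str, Any] = BASELINE) -> List[Finding]:
    """Return one Finding per baseline setting the snapshot fails to meet."""
    findings = []
    for setting, expected in baseline.items():
        if setting not in snapshot:
            # Cannot evaluate: report it so the gap is not silently ignored.
            findings.append(Finding(setting, expected, None, "unknown"))
            continue
        actual = snapshot[setting]
        compliant = actual >= expected if setting in AT_LEAST else actual == expected
        if not compliant:
            findings.append(Finding(setting, expected, actual, SEVERITY.get(setting, "medium")))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Human-readable report, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2, "unknown": 3}
    lines = [f"{len(findings)} deviation(s) from baseline"]
    for f in sorted(findings, key=lambda f: order[f.severity]):
        shown = "MISSING" if f.actual is None else repr(f.actual)
        lines.append(f"[{f.severity:>7}] {f.setting}: expected {f.expected!r}, found {shown}")
    return "\n".join(lines)


# Constructed snapshot of the present state of one host.
HOST_SNAPSHOT = {
    "ssh.PermitRootLogin": "yes",
    "ssh.PasswordAuthentication": "no",
    "firewall.enabled": True,
    "service.telnet": "enabled",
    "password.min_length": 16,   # stricter than baseline: still compliant
    # "audit.logging" is absent: the collector did not report it
}

if __name__ == "__main__":
    print(format_report(compare_to_baseline(HOST_SNAPSHOT)))
```

A setting the collector failed to report is listed as unknown rather than skipped; an absent value is a gap in the snapshot, not evidence of compliance.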
Assessment Techniques (cont’d.)
• Application development techniques
– Minimize vulnerabilities during software development
• Challenges to approach
– Software application size and complexity
– Lack of security specifications
– Future attack techniques unknown
Assessment Techniques (cont’d.)
• Software development assessment techniques
– Review architectural design in requirements phase
– Conduct design reviews
• Consider including a security consultant
– Conduct code review during implementation phase
• Examine attack surface (code executed by users)
– Correct bugs during verification phase
– Create and distribute security updates as necessary
Figure 4-3 Software development process
© Cengage Learning 2012
Assessment Tools
• IP addresses uniquely identify each network device
• TCP/IP communication
– Involves information exchange between one
system’s program and another system’s
corresponding program
• Port number
– Unique identifier for applications and services
– 16 bits in length
Assessment Tools (cont’d.)
• Well-known port numbers
– Reserved for most universal applications
• Registered port numbers
– Other applications not as widely used
• Dynamic and private port numbers
– Available for any application to use
Table 4-4 Commonly used default network ports
Assessment Tools (cont’d.)
• Knowledge of what port is being used
– Can be used by attacker to target specific service
• Port scanner software
– Searches system for available ports
– Used to determine port state
• Open
• Closed
• Blocked
Figure 4-4 Port scanner
© Cengage Learning 2012
Table 4-5 Port scanning
Assessment Tools (cont’d.)
• Protocol analyzers
– Hardware or software that captures packets:
• To decode and analyze contents
– Also known as sniffers
– Example: Wireshark
• Common uses for protocol analyzers
– Used by network administrators for troubleshooting
– Characterizing network traffic
– Security analysis
Figure 4-5 Protocol analyzer
© Cengage Learning 2012
Assessment Tools (cont’d.)
• Attacker can use protocol analyzer to display
content of each transmitted packet
• Vulnerability scanners
– Products that look for vulnerabilities in networks or
systems
– Most maintain a database categorizing
vulnerabilities they can detect
Figure 4-6 Vulnerability scanner
© Cengage Learning 2012
Assessment Tools (cont’d.)
• Examples of vulnerability scanners’ capabilities
– Alert when new systems added to network
– Detect when internal system begins to port scan
other systems
– Maintain a log of all interactive network sessions
– Track all client and server application vulnerabilities
– Track which systems communicate with other
internal systems
Assessment Tools (cont’d.)
• Problem with assessment tools
– No standard for collecting, analyzing, reporting
vulnerabilities
• Open Vulnerability and Assessment Language
(OVAL)
– Designed to promote open and publicly available
security content
– Standardizes information transfer across different
security tools and services
Figure 4-7 OVAL output
© Cengage Learning 2012
Honeypots and Honeynets
• Honeypot
– Computer protected by minimal security
– Intentionally configured with vulnerabilities
– Contains bogus data files
• Goal: trick attackers into revealing their techniques
– Compare to actual production systems to determine
security level against the attack
• Honeynet
– Network set up with one or more honeypots
Vulnerability Scanning vs.
Penetration Testing
• Vulnerability scan
– Automated software searches a system for known
security weaknesses
– Creates report of potential exposures
– Should be conducted on existing systems and as
new technology is deployed
– Usually performed from inside security perimeter
– Does not interfere with normal network operations
Penetration Testing
• Designed to exploit system weaknesses
• Relies on tester’s skill, knowledge, cunning
• Usually conducted by independent contractor
• Tests usually conducted outside the security perimeter
– May even disrupt network operations
• End result: penetration test report
Penetration Testing (cont’d.)
• Black box test
– Tester has no prior knowledge of network
infrastructure
• White box test
– Tester has in-depth knowledge of network and
systems being tested
• Gray box test
– Some limited information has been provided to the
tester
Table 4-6 Vulnerability scan and penetration testing features
Mitigating and Deterring Attacks
• Standard techniques for mitigating and deterring
attacks
– Creating a security posture
– Configuring controls
– Hardening
– Reporting
Creating a Security Posture
• Security posture describes strategy regarding
security
• Initial baseline configuration
– Standard security checklist
– Systems evaluated against baseline
– Starting point for security
• Continuous security monitoring
– Regularly observe systems and networks
Creating a Security Posture (cont’d.)
• Remediation
– As vulnerabilities are exposed, put plan in place to
address them
Configuring Controls
• Properly configuring controls is key to mitigating
and deterring attacks
• Some controls are for detection
– Security camera
• Some controls are for prevention
– Properly positioned security guard
• Information security controls
– Can be configured to detect attacks and sound
alarms, or prevent attacks
Configuring Controls (cont’d.)
• Additional consideration
– When normal function interrupted by failure:
• Which is higher priority, security or safety?
– Fail-open lock unlocks doors automatically upon
failure
– Fail-safe lock automatically locks
• Highest security level
– Firewall can be configured in fail-safe or fail-open
state
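The fail-safe versus fail-open choice shows up in software exactly as it does in door locks. The following added example (not from the textbook) models an access decision, for a lock or a firewall rule lookup, that depends on a policy backend which can become unreachable; the two wrappers are identical except for the answer they return when it does. The control names, policy entries and failure-mode assignments are constructed.

```python
"""Fail-safe versus fail-open behaviour of a control, as an added example
(not from the textbook). An access decision (door lock, firewall rule lookup)
depends on a policy backend that can fail; the two wrappers differ only in
the answer returned when it does. Names and policy entries are constructed."""
import logging
from typing import Callable, Dict, Optional, Tuple

log = logging.getLogger("controls")

PolicyDB = Optional[Dict[Tuple[str, str], bool]]


class PolicyUnavailable(Exception):
    """Raised when the policy backend (directory, policy server) is unreachable."""


def lookup_policy(subject: str, resource: str, policy_db: PolicyDB) -> bool:
    """Normal function: consult the policy database.

    A missing database (None) stands in for the backend being down."""
    if policy_db is None:
        raise PolicyUnavailable("policy backend unreachable")
    return policy_db.get((subject, resource), False)


def decide_fail_safe(subject: str, resource: str, policy_db: PolicyDB) -> bool:
    """Fail-safe (fail-closed): on failure, deny. Security is the higher priority."""
    try:
        return lookup_policy(subject, resource, policy_db)
    except PolicyUnavailable as exc:
        log.error("fail-safe deny for %s on %s: %s", subject, resource, exc)
        return False


def decide_fail_open(subject: str, resource: str, policy_db: PolicyDB) -> bool:
    """Fail-open: on failure, allow. Safety or availability is the higher
    priority, as with a fire exit that must unlock when its controller dies."""
    try:
        return lookup_policy(subject, resource, policy_db)
    except PolicyUnavailable as exc:
        log.error("fail-open allow for %s on %s: %s", subject, resource, exc)
        return True


# Which behaviour each control gets is decided at design time, per control,
# not improvised during an outage. Constructed mapping.
FAILURE_MODE: Dict[str, Callable[[str, str, PolicyDB], bool]] = {
    "server-room door": decide_fail_safe,
    "fire exit": decide_fail_open,
    "perimeter firewall": decide_fail_safe,
}


def decide(control: str, subject: str, policy_db: PolicyDB) -> bool:
    """Route the decision through the failure mode chosen for that control."""
    return FAILURE_MODE[control](subject, control, policy_db)


# Constructed policy: only alice is authorized for the server room.
POLICY: Dict[Tuple[str, str], bool] = {
    ("alice", "server-room door"): True,
    ("alice", "fire exit"): True,
}

if __name__ == "__main__":
    print("backend up,   alice, server room:", decide("server-room door", "alice", POLICY))
    print("backend down, alice, server room:", decide("server-room door", "alice", None))
    print("backend down, bob,   fire exit:  ", decide("fire exit", "bob", None))
```

Both wrappers log the failure, because a fail-open control that silently allows everything during an outage is the case that most needs to show up in the reporting described later in the chapter.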
Hardening
• Purpose of hardening
– Eliminate as many security risks as possible
• Techniques to harden systems
– Protecting accounts with passwords
– Disabling unnecessary accounts
– Disabling unnecessary services
– Protecting management interfaces and applications
Reporting
• Providing information regarding events that occur
• Alarms or alerts
– Sound warning if specific situation is occurring
– Example: alert if too many failed password attempts
• Reporting can provide information on trends
– Can indicate a serious impending situation
– Example: multiple user accounts experiencing
multiple password attempts
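Both kinds of reporting named above, the alarm on one account with too many failed password attempts and the trend of many accounts each seeing repeated attempts, can be computed from the same authentication events. The following added example (not from the textbook) does so over a constructed syslog-like sample; the line format, thresholds and time window are assumptions.

```python
"""Alarms and trend reporting over authentication events, as an added example
(not from the textbook). The log lines are constructed in a syslog-like form;
the line format, thresholds and window are assumptions."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

Event = Tuple[datetime, str, str, str]   # (timestamp, result, user, source address)

# Constructed sample log: one account hammered from one host, then three
# accounts each tried twice from a second host.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth: FAILED user=alice src=10.0.0.5
2024-03-01T09:00:20 auth: FAILED user=alice src=10.0.0.5
2024-03-01T09:00:41 auth: FAILED user=alice src=10.0.0.5
2024-03-01T09:01:02 auth: FAILED user=alice src=10.0.0.5
2024-03-01T09:01:30 auth: FAILED user=alice src=10.0.0.5
2024-03-01T09:02:00 auth: OK user=alice src=10.0.0.5
2024-03-01T09:05:00 auth: FAILED user=bob src=203.0.113.9
2024-03-01T09:05:05 auth: FAILED user=carol src=203.0.113.9
2024-03-01T09:05:10 auth: FAILED user=dave src=203.0.113.9
2024-03-01T09:06:00 auth: FAILED user=bob src=203.0.113.9
2024-03-01T09:06:05 auth: FAILED user=carol src=203.0.113.9
2024-03-01T09:06:10 auth: FAILED user=dave src=203.0.113.9
2024-03-01T09:07:00 auth: OK user=erin src=10.0.0.7
"""

FAIL_THRESHOLD = 5              # failures on one account that raise an alarm (assumption)
WINDOW = timedelta(minutes=10)  # sliding window for both checks (assumption)


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; lines that do not match the format are ignored."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def load_events(text: str) -> List[Event]:
    """All parseable events, in time order."""
    return sorted(e for e in map(parse_line, text.splitlines()) if e is not None)


def account_alarms(events: List[Event], threshold: int = FAIL_THRESHOLD,
                   window: timedelta = WINDOW) -> List[str]:
    """Alarm: too many failed password attempts on a single account inside `window`."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alarms = set()
    for ts, result, user, _src in events:
        if result != "FAILED":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            alarms.add(user)
    return sorted(alarms)


def trend_report(events: List[Event], min_failures: int = 2, min_accounts: int = 3,
                 window: timedelta = WINDOW) -> Dict[str, List[str]]:
    """Trend: one source causing repeated failures on several accounts in one window.

    No single account need cross the alarm threshold; the pattern across
    accounts is what indicates an impending situation. Returns source -> accounts.
    """
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAILED":
            per_src[src].append((ts, user))
    report: Dict[str, List[str]] = {}
    for src, items in per_src.items():
        for i, (start, _) in enumerate(items):   # try each failure as the window start
            counts = Counter(u for t, u in items[i:] if t - start <= window)
            accounts = sorted(u for u, n in counts.items() if n >= min_failures)
            if len(accounts) >= min_accounts:
                report[src] = accounts
                break
    return report


if __name__ == "__main__":
    ev = load_events(SAMPLE_LOG)
    print("account alarms:", account_alarms(ev))
    print("trend report:  ", trend_report(ev))
```

On the sample, the per-account rule fires only for alice, while the second host never trips it (two failures per account) and is caught solely by the trend rule; that gap between the two is why the text treats trend reporting as a separate source of information.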