CIST 1601 Information Security Fundamentals

1. CIST 1601 Information Security Fundamentals Chapter 11 Security and Vulnerability in the Network Collected and Compiled By JD Willard MCSE, MCSA, Network+, Microsoft IT Academy Administrator Computer Information Systems Technology Albany Technical College

2. Vulnerability Scanning Overview (6:30) Assessment Tools (6:56) Network Security Threats –Penetration Testing The CERT/CC is an organization that tracks and reports on computer and network security threats. They are part of the Software Engineering Institute (SEI) at Carnegie-Mellon University. Penetration testing (aka ethical hacking or “pen test”) involves the use of tools to simulate attacks on the network and on the computer systems. Penetration testing enables you to detect the existing vulnerabilities of the infrastructure, with prior approval and authorization from senior management. Penetration testing starts with defining management objectives for the tests, and includes configuration reviews, vulnerability assessments, and social engineering. Penetration tests are limited to the identification of the vulnerabilities in the system and the detection of the impact of the vulnerability to the security of an infrastructure. This process enables an organization to take corrective action, such as patching up the systems against vulnerabilities or bugs. A penetration test team reports the findings to the senior management after completing the documentation process. ISS, Ballista, and SATAN are some examples of penetration testing or ethical hacking tools used to identify network and system vulnerabilities.

3. Penetration Testing (10:04) Network Security Threats –Penetration Testing Penetration testing involves footprinting, scanning, and enumerating. Footprinting obtains the active blueprint of an organization’s infrastructure and security profile. It includes using the WhoIs and NsLookup tools. Scanning identifies active computers, ports, and services. Enumerating involves compiling the information from the scanning phase and identifying target systems. The IP addresses of the computers are usually discovered during a penetration test. As components of the network are discovered, the methods used will be determined. A penetration tester would need to be used outside your network. A penetration test includes the following steps: 1. Gather initial information. 2. Determine the network range. 3. Identify active devices. 4. Discover open ports and access points. 5. Identify the operating systems and their settings. 6. Discover which services are using the open ports. 7. Map the network. Penetration tests may cause some disruption to network operations as a result of the actual penetration efforts conducted. Penetration tests can also make legitimate attacks by generating false data in IDS/IPS systems.

4. Vulnerability Scanning (6:30) Network Security Threats – Vulnerability Scanning A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services and offer suggestions on how to prevent the issues. Unlike port scanners, which only test for the availability of services, vulnerability scanners may check for the particular version or patch level of a service to determine its level of vulnerability. It’s better to run one on your own network before someone outside the organization runs it against you. Two of the most well-known vulnerability scanners are Nessus (http://www.nessus.org/nessus/) and the NMAP port scanner (http://nmap.org/). Regardless of the tool, there are five major tasks necessary in using them: Passively Testing security Controls – It looks only for the openings that are there and reports them back to you. Interpreting Results – Most vulnerability scanners interpret the results of their findings and deliver a report that can be shared with management. Identifying Vulnerability – Just knowing that a port is open means little unless you can associate it with the vulnerability tied to it. Identifying Lack of Security Controls – You want to know not just what is weak, but what is missing altogether. Identifying Common Misconfigurations– Improperly configured applications and services can allow more users to access an application than should, cause the application to crash, or introduce any number of other security concerns.

5. Network Security Threats – Ethical Hacking Penetration testing, also known as ethical hacking, is the vulnerability assessment procedure performed by security professionals after receiving management approval. When security tools are used by security experts to identify system vulnerabilities for ethical purposes, it is termed as penetration testing or ethical hacking. Ethical hackers use tools to assess security flaws, but do not exploit the vulnerabilities they discover in an organization’s network infrastructure. The primary objective of penetration testing or ethical hacking is to assess the capability of the system to resist attacks and to reveal system and network vulnerabilities. ISS, Ballista, and SATAN are some examples of penetration testing or ethical hacking tools used to identify network and system vulnerabilities. The three most commonly recognized approaches taken in ethical hacking undertakings: Black Box – In black box testing, the administrator acts as if they have no prior knowledge of the network. They act as if they are an attacker from the outside with no familiarity of the system and look for an opening. This is also known as blind testing. Only a bare minimum of administrators know what is happening. This allows other administrators to act normally while the attack is under way. White Box – In white box testing, the ethical hacker begins from the premise of knowing something about the network and systems in place, just like a malicious insider. They try to find a weakness armed with information about the source code, the routing, and so on. This is also known as full disclosure testing. Gray Box – Also known as partial disclosure testing. The usual scenario trying to be created is one of an outsider working in conjunction with an insider who has given them some information. Because an insider is involved, the big question is what can an insider get to?

6. Assessment Techniques (6:35) Assessment Types and Techniques A baseline defines the minimum level of security and performance of a system in an organization. A baseline is also used as a benchmark for future changes. Any change made to the system should match the defined minimum security baseline. A security baseline is defined through the adoption of standards in an organization. You should create a System Monitor chart based on a performance log. This will ensure that performance baseline statistics are recorded for an extended period of time. The first step to creating a performance baseline is to create a security policy. Without the policy, the baseline has no guidelines to follow. Metrics for security baselines and hardening efforts rely on identification of vulnerability and risk. It is necessary to have some mechanism for measuring vulnerability to determine whether a baseline has been met, or if a new security measure has been effective.

7. Secure Network Administration Principals Rule-Based Management Rule-based management, also known as label-based management, defines conditions for access to objects. The access is granted to the object based on both the object’s sensitivity label and the user’s sensitivity label. With all rules, an action must be defined. That action is triggered when conditions are/aren’t met. Port Security Port security works at level 2 of the OSI model and allows an administrator to configure switch ports so that only certain MAC addresses can use the port. Three areas of port security to be familiar with are: MAC Limiting and Filtering – Limit access to the network to MAC addresses that are known, and filter out those that are not. MAC filtering is not foolproof, and a quick look in a search engine will turn up tools that can be used to change the MAC address and help miscreants circumvent this control. 802.1X – Discussed in the next section. Disable Unused Ports – All ports not in use should be disabled. Working with 802.1X The IEEE standard 802.1X defines port-based security for wireless network access control. As such, it offers a means of authentication and defines the Extensible Authentication Protocol over IEEE 802, and is often known as EAP over LAN (EAPOL). The biggest benefit of using 802.1X is that the access points and the switches do not need to do the authentication but instead rely on the authentication server to do the actual work.

8. Secure Network Administration Principals Flood Guards and Loop Protection A flood guard is a protection feature built into many firewalls that allow the administrator to tweak the tolerance for unanswered login attacks. By reducing this tolerance, it is possible to reduce the likelihood of a successful DoS attack. If a resource, either inbound or outbound, appears to be overused, then the flood guard kicks in. Loop protection is a similar feature that works in layer 2 switching configurations and is intended to prevent broadcast loops. When configuring it in most systems, you can choose to disable broadcast forwarding and protect against duplicate ARP requests (those having the same target protocol address). Preventing Network Bridging Network bridging occurs when a device has more than one network adapter card installed and the opportunity presents itself for a user on one of the networks to which the device is attached to jump to the other. To prevent network bridging, you can configure your network such that when bridging is detected, you shut off/disable that jack. You can also create profiles that allow for only one interface. It is not uncommon for a network bridge to appear in the Network Sharing Center. If it does appear, you will want to delete it. Windows Internet Connection is often pointed to as a cause of unintended bridging and should be disabled. Log Analysis Log analysis is crucial to identifying problems that occur related to security. As an administrator, you have the ability to turn on logging at many different locations and levels. Not only do you need to collect and analyze the logs, but you also need to store them for a time in the future when you want to compare what is happening now to then (baselining).

9. Mitigation and Deterrent Techniques Manual Bypassing of Electronic Controls When an application, system, or safeguard fails, either through a crash or someone bypassing the expected control path, there are two states it can fail in; failsafe (secure) or failopen (not secure). When using failsafe, the application stops work, reports an error, and closes out/exits. The alternative, known as failopen, is for the application to stop running and let you know that it encountered the unexpected character. You can enter what the character is supposed to be at a prompt, and the application will pick back up where it left off, continuing the process. The problem with this scenario is that when the application crashes, it stays running at the elevated privileges needed to make the changes and is susceptible to an attacker breaking out of it in order to do harm. The choice of states to fail in is relevant not only to applications you create but also to firewalls (when the control fails, is all traffic blocked or allowed?), databases, and network appliances. Monitoring System Logs There are four logs that exist on most systems. These are event logs, security logs, access logs and audit logs. You can view the event logs in Event Viewer. The options within Event Viewer allow you to perform such actions as save the log file, open saved logs, filter the log file, and see/change properties. The Security Logs are accessed beneath Windows Logs in Event Viewer, and each event is preceded by either a key (audit success) or a lock (audit failure). You should look at these logs periodically and not just when something goes wrong.

10. Security Posture (4:39) Mitigation and Deterrent Techniques Security Posture The security posture is the approach a business takes to security. This runs the entire gamut from the planning phase to implementation and everything in between: hardware, software, settings, and so on. Reporting Almost every department generates its own reports and uses what they find as a dashboard for action. When it comes to analyzing or sharing security report information with others, you want to focus on three key areas: AlarmsAlarms are indications of a problem currently going on. These are conditions that you must respond to right now. Alarm rates can indicate trends that are occurring, and after you solve the problem, you need to look for indications that the condition may not be isolated. Alerts Slightly below alarms are alerts; these are issues that you need to pay attention to but are not bringing the system to its knees at this very moment. TrendsTrends indicate where problems are occurring. By focusing on trends, you can identify weaknesses in your system and areas where you need to devote more resources to head off future problems. Detection/Prevention Controls One of the easiest ways to detect and prevent problems is to let people know that they are being monitored. In the physical world, monitoring can be done by either cameras or guards. Where possible, you can combine guards with cameras to create a potent deterrent. The cameras can send signals to a room where they are monitored by a guard capable of responding to a situation when a need arises.

11. The End