
Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 4
Vulnerability Assessment and Mitigating Attacks
Objectives
Define vulnerability assessment and explain why it is important
List vulnerability assessment techniques and tools
Explain the differences between vulnerability scanning and penetration testing
List techniques for mitigating and deterring attacks
Vulnerability Assessment
Systematic evaluation of asset exposure
Attackers
Forces of nature
Any potentially harmful entity
Aspects of vulnerability assessment
Asset identification
Threat evaluation
Vulnerability appraisal
Risk assessment
Risk mitigation
Vulnerability Assessment (contd.)
Asset identification
Process of inventorying items with economic value
Common assets
People
Physical assets
Data
Hardware
Software
Vulnerability Assessment (contd.)
Determine each item's relative value
Asset's criticality to organization's goals
How much revenue asset generates
How difficult to replace asset
Impact of asset unavailability to the organization
Could rank using a number scale
Vulnerability Assessment (contd.)
Threat evaluation
List potential threats
Threat modeling
Goal: understand attackers and their methods
Often done by constructing scenarios
Attack tree
Provides visual representation of potential attacks
Inverted tree structure
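An added example (not from the textbook or its figures) showing how an attack tree can be held as data and evaluated rather than only drawn: following the usual attack-tree convention, an OR node is satisfied by its cheapest child and an AND node needs all of its children, so the cheapest route to the root goal can be computed and re-computed after a control raises a leaf's cost. The tree, its leaf labels and the costs are constructed for illustration in the spirit of Figure 4-1; the `Node` class and the `cheapest_after_mitigation` helper are this example's own.

```python
"""Attack-tree evaluator (added example, not from the textbook).

Nodes are leaves (with an estimated attacker cost in arbitrary units) or
OR/AND nodes. OR = any one child suffices (take the cheapest); AND = every
child is required (sum them). The root is the attacker's goal and the tree
is rendered inverted, root first, as the slides describe.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # "LEAF", "OR" or "AND"
    cost: float = 0.0           # meaningful for leaves only
    children: list = field(default_factory=list)


def cheapest_path(node):
    """Return (cost, [leaf names]) for the least-cost way to satisfy node."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    results = [cheapest_path(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        total = sum(r[0] for r in results)
        leaves = [name for r in results for name in r[1]]
        return total, leaves
    raise ValueError(f"unknown node kind {node.kind!r}")


def render(node, depth=0):
    """Indented text rendering of the inverted tree (root first)."""
    label = node.name if node.kind == "LEAF" else f"{node.name} [{node.kind}]"
    cost = f" (cost {node.cost})" if node.kind == "LEAF" else ""
    lines = ["  " * depth + label + cost]
    for child in node.children:
        lines.extend(render(child, depth + 1))
    return lines


def cheapest_after_mitigation(tree, mitigated_leaf, added_cost):
    """Raise one leaf's cost (a control was applied) and recompute the cheapest path."""
    def bump(n):
        if n.kind == "LEAF" and n.name == mitigated_leaf:
            return Node(n.name, n.kind, n.cost + added_cost)
        return Node(n.name, n.kind, n.cost, [bump(c) for c in n.children])
    return cheapest_path(bump(tree))


# Constructed illustration (labels and costs invented for the example).
STEREO_TREE = Node("Steal car stereo", "OR", children=[
    Node("Break window", cost=10),
    Node("Pick door lock", cost=60),
    Node("Use owner's key", "AND", children=[
        Node("Locate key", cost=30),
        Node("Take key unnoticed", cost=50),
    ]),
])

if __name__ == "__main__":
    print("\n".join(render(STEREO_TREE)))
    print("cheapest route:", cheapest_path(STEREO_TREE))
    # Hardening the cheapest leaf shifts the attacker's best option elsewhere.
    print("after hardening the window:", cheapest_after_mitigation(STEREO_TREE, "Break window", 100))
```

The point of evaluating the tree is the last line: a control only helps by as much as it raises the cheapest remaining route, which is why the whole tree, not one branch, has to be re-scored after each mitigation.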
Table 4-1 Common threat agents
Figure 4-1 Attack tree for stealing a car stereo
Cengage Learning 2012
Figure 4-2 Attack tree for breaking into grading system
Vulnerability Assessment (contd.)
Vulnerability appraisal
Determine current weaknesses
Snapshot of current organization security
Every asset should be viewed in light of each threat
Catalog each vulnerability
Risk assessment
Determine damage resulting from attack
Assess likelihood that vulnerability is a risk to organization
Table 4-2 Vulnerability impact scale
Vulnerability Assessment (contd.)
Single loss expectancy (SLE)
Expected monetary loss each time a risk occurs
Calculated by multiplying the asset value by exposure factor
Exposure factor: percentage of asset value likely to be destroyed by a particular risk
Vulnerability Assessment (contd.)
Annualized loss expectancy (ALE)
Expected monetary loss over a one year period
Multiply SLE by annualized rate of occurrence
Annualized rate of occurrence: probability that a risk will occur in a particular year
Vulnerability Assessment (contd.)
Estimate probability that vulnerability will actually occur
Risk mitigation
Determine what to do about risks
Determine how much risk can be tolerated
Options for dealing with risk
Diminish
Transfer (outsourcing, insurance)
Accept
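An added example (not from the textbook) that carries the SLE and ALE formulas from the preceding slides through a small risk register and then applies the three risk-handling options (diminish, transfer, accept) against a tolerance figure. The asset values, exposure factors, annualized rates of occurrence, control costs and insurance premium are constructed sample data; the `choose_option` helper and its cost comparison are this example's own way of making the decision explicit.

```python
"""Risk-register calculator (added example, not from the textbook).

    SLE = asset value x exposure factor
    ALE = SLE x annualized rate of occurrence (ARO)

Risks are ranked by ALE, then each is handled by the option that leaves the
organization with the smallest annual cost once tolerance is exceeded.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # monetary value of the asset
    exposure_factor: float  # fraction of value lost per occurrence, 0.0..1.0
    aro: float              # expected occurrences per year


def sle(risk):
    """Single loss expectancy: loss each time the risk occurs."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return risk.asset_value * risk.exposure_factor


def ale(risk):
    """Annualized loss expectancy: expected loss over one year."""
    return sle(risk) * risk.aro


def rank_by_ale(risks):
    """Highest annual loss first: the order in which to spend mitigation effort."""
    return sorted(risks, key=ale, reverse=True)


def choose_option(risk, tolerance, control_cost=None, control_aro=None, premium=None):
    """Pick diminish / transfer / accept for one risk.

    tolerance   : largest annual loss the organization will live with
    control_cost: annual cost of a control, control_aro: the ARO after it
    premium     : annual cost of transferring the risk (e.g. insurance)
    Returns (option, resulting annual cost).
    """
    current = ale(risk)
    if current <= tolerance:
        return "accept", current
    candidates = []
    if control_cost is not None and control_aro is not None:
        reduced = Risk(risk.asset, risk.asset_value, risk.exposure_factor, control_aro)
        candidates.append(("diminish", control_cost + ale(reduced)))  # residual ALE still counts
    if premium is not None:
        candidates.append(("transfer", premium))
    if not candidates:
        return "accept", current   # nothing else on the table
    return min(candidates, key=lambda c: c[1])


# Constructed sample register (values invented for the example).
REGISTER = [
    Risk("customer database", 500_000, 0.40, 0.5),   # SLE 200,000  ALE 100,000
    Risk("web server",         80_000, 0.25, 2.0),   # SLE  20,000  ALE  40,000
    Risk("office laptops",     30_000, 0.10, 4.0),   # SLE   3,000  ALE  12,000
]

if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.asset:18} SLE={sle(r):>10,.0f}  ALE={ale(r):>10,.0f}")
    print(choose_option(REGISTER[0], tolerance=20_000,
                        control_cost=15_000, control_aro=0.1, premium=60_000))
```

Note that the diminish option is costed as control cost plus the residual ALE, not control cost alone: a control rarely drives the rate of occurrence to zero, and comparing it with a flat insurance premium is only fair when the loss that remains is included.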
Table 4-3 Risk identification steps
Assessment Techniques
Baseline reporting
Baseline: standard for solid security
Compare present state to baseline
Note, evaluate, and possibly address differences
Assessment Techniques (contd.)
Application development techniques
Minimize vulnerabilities during software development
Challenges to approach
Software application size and complexity
Lack of security specifications
Future attack techniques unknown
Assessment Techniques (contd.)
Software development assessment techniques
Review architectural design in requirements phase
Conduct design reviews
Consider including a security consultant
Conduct code review during implementation phase
Examine attack surface (code executed by users)
Correct bugs during verification phase
Create and distribute security updates as necessary
Figure 4-3 Software development process
Assessment Tools
IP addresses uniquely identify each network device
TCP/IP communication
Involves information exchange between one system's program and another system's corresponding program
Port number
Unique identifier for applications and services
16 bits in length
Assessment Tools (contd.)
Well-known port numbers
Reserved for most universal applications
Registered port numbers
Other applications not as widely used
Dynamic and private port numbers
Available for any application to use
Table 4-4 Commonly used default network ports
Assessment Tools (contd.)
Knowledge of what port is being used
Can be used by attacker to target specific service
Port scanner software
Searches system for available ports
Used to determine port state
Open
Closed
Blocked
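An added example (not from the textbook) that ties the port scanner states above to the baseline reporting technique from the earlier slide: it probes TCP ports on a host you administer with a plain connect attempt, labels each as open (the connection completes), closed (the host actively refuses) or blocked (no answer before the timeout, as when a firewall drops the probe), and then compares the observed open ports with a baseline of expected ones so that drift in either direction is reported. The host (127.0.0.1), the timeout, and the `audit` and `start_listener` helpers are this example's own; the baseline is constructed.

```python
"""Local port-state audit against a baseline (added example, not from the textbook)."""
import socket


def probe_port(host, port, timeout=0.5):
    """Return 'open', 'closed' or 'blocked' for one TCP port on host."""
    if not 0 <= port <= 65535:          # port numbers are 16 bits wide
        raise ValueError(f"invalid port {port}")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"             # RST came back: nothing listening
        except (socket.timeout, TimeoutError):
            return "blocked"            # no answer at all: dropped on the way
        except OSError:
            return "blocked"            # unreachable / filtered: treat as not answering


def audit(host, ports, baseline_open, timeout=0.5):
    """Compare observed port states with the baseline of expected open ports.

    Returns the per-port states plus 'unexpected_open' (listening but not in
    the baseline) and 'missing' (in the baseline but not open any more).
    """
    states = {p: probe_port(host, p, timeout) for p in ports}
    unexpected = sorted(p for p, st in states.items() if st == "open" and p not in baseline_open)
    missing = sorted(p for p in baseline_open if states.get(p) != "open")
    return {"states": states, "unexpected_open": unexpected, "missing": missing}


def start_listener(host="127.0.0.1"):
    """Open a listening socket on an ephemeral port so the audit has something to find."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_listener()
    try:
        # Constructed baseline: only the listener we just started is expected.
        report = audit("127.0.0.1", [port], baseline_open={port})
        for p, st in sorted(report["states"].items()):
            print(f"{p:5} {st}")
        print("unexpected open:", report["unexpected_open"], "missing:", report["missing"])
    finally:
        srv.close()
```

Both lists in the report matter: an unexpected open port is a service that was never in the baseline, while a missing one can mean a required service has died or a firewall rule has started blocking it.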
Figure 4-4 Port scanner
Table 4-5 Port scanning
Assessment Tools (contd.)
Protocol analyzers
Hardware or software that captures packets:
To decode and analyze contents
Also known as sniffers
Example: Wireshark
Common uses for protocol analyzers
Used by network administrators for troubleshooting
Characterizing network traffic
Security analysis

Figure 4-5 Protocol analyzer
Assessment Tools (contd.)
Attacker can use protocol analyzer to display content of each transmitted packet
Vulnerability scanners
Products that look for vulnerabilities in networks or systems
Most maintain a database categorizing vulnerabilities they can detect

Figure 4-6 Vulnerability scanner
Assessment Tools (contd.)
Examples of vulnerability scanners' capabilities
Alert when new systems added to network
Detect when internal system begins to port scan other systems
Maintain a log of all interactive network sessions
Track all client and server application vulnerabilities
Track which systems communicate with other internal systems
Assessment Tools (contd.)
Problem with assessment tools
No standard for collecting, analyzing, reporting vulnerabilities
Open Vulnerability and Assessment Language (OVAL)
Designed to promote open and publicly available security content
Standardizes information transfer across different security tools and services
Figure 4-7 OVAL output
Honeypots and Honeynets
Honeypot
Computer protected by minimal security
Intentionally configured with vulnerabilities
Contains bogus data files
Goal: trick attackers into revealing their techniques
Compare to actual production systems to determine security level against the attack
Honeynet
Network set up with one or more honeypots
Vulnerability Scanning vs. Penetration Testing
Vulnerability scan
Automated software searches a system for known security weaknesses
Creates report of potential exposures
Should be conducted on existing systems and as new technology is deployed
Usually performed from inside security perimeter
Does not interfere with normal network operations
Penetration Testing
Designed to exploit system weaknesses
Relies on tester's skill, knowledge, cunning
Usually conducted by independent contractor
Tests usually conducted outside the security perimeter
May even disrupt network operations
End result: penetration test report
Penetration Testing (contd.)
Black box test
Tester has no prior knowledge of network infrastructure
White box test
Tester has in-depth knowledge of network and systems being tested
Gray box test
Some limited information has been provided to the tester
Table 4-6 Vulnerability scan and penetration testing features
Mitigating and Deterring Attacks
Standard techniques for mitigating and deterring attacks
Creating a security posture
Configuring controls
Hardening
Reporting

Creating a Security Posture
Security posture describes strategy regarding security
Initial baseline configuration
Standard security checklist
Systems evaluated against baseline
Starting point for security
Continuous security monitoring
Regularly observe systems and networks
Creating a Security Posture (contd.)
Remediation
As vulnerabilities are exposed, put plan in place to address them
Configuring Controls
Properly configuring controls is key to mitigating and deterring attacks
Some controls are for detection
Security camera
Some controls are for prevention
Properly positioned security guard
Information security controls
Can be configured to detect attacks and sound alarms, or prevent attacks
Configuring Controls (contd.)
Additional consideration
When normal function interrupted by failure:
Which is higher priority, security or safety?
Fail-open lock unlocks doors automatically upon failure
Fail-safe lock automatically locks
Highest security level
Firewall can be configured in fail-safe or fail-open state
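An added example (not from the textbook) of the same fail-safe versus fail-open choice inside an information security control: an access decision that depends on a rule store which can become unreachable. The in-memory `RuleStore`, the `PolicyUnavailable` error and the `decide` function are this example's own stand-ins for a directory or firewall rule backend; the users and rules are constructed.

```python
"""Fail-safe vs fail-open behaviour of an access control (added example, not from the textbook)."""


class PolicyUnavailable(Exception):
    """Raised when the rule store cannot be consulted (the 'failure' in the slides)."""


class RuleStore:
    """Constructed stand-in for a policy backend that may be down."""

    def __init__(self, rules, healthy=True):
        self.rules = rules          # {(user, resource): "allow" | "deny"}
        self.healthy = healthy

    def lookup(self, user, resource):
        if not self.healthy:
            raise PolicyUnavailable("rule store unreachable")
        return self.rules.get((user, resource), "deny")   # no rule means deny


def decide(store, user, resource, mode, log):
    """Return True (allow) or False (deny) for a request.

    mode: "fail-safe" denies while the store cannot be evaluated (highest
    security); "fail-open" allows, trading security for availability.
    Every failure is appended to log so the outage is reportable either way.
    """
    if mode not in ("fail-safe", "fail-open"):
        raise ValueError(f"unknown failure mode {mode!r}")
    try:
        return store.lookup(user, resource) == "allow"
    except PolicyUnavailable as exc:
        log.append(f"{mode}: policy failure for {user}->{resource}: {exc}")
        return mode == "fail-open"


# Constructed rules for the example.
RULES = {("alice", "payroll"): "allow", ("bob", "payroll"): "deny"}


def run_scenarios():
    """Same requests against a healthy and a broken store, in both modes."""
    log = []
    healthy = RuleStore(RULES)
    broken = RuleStore(RULES, healthy=False)
    return {
        "normal_alice": decide(healthy, "alice", "payroll", "fail-safe", log),
        "normal_bob": decide(healthy, "bob", "payroll", "fail-safe", log),
        "outage_fail_safe": decide(broken, "bob", "payroll", "fail-safe", log),
        "outage_fail_open": decide(broken, "bob", "payroll", "fail-open", log),
        "log": log,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The outage rows are the ones to read: under fail-open, bob is allowed into payroll only because the store was down, which is exactly the safety-over-security trade the slide asks you to decide deliberately rather than by default.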
Hardening
Purpose of hardening
Eliminate as many security risks as possible
Techniques to harden systems
Protecting accounts with passwords
Disabling unnecessary accounts
Disabling unnecessary services
Protecting management interfaces and applications
Reporting
Providing information regarding events that occur
Alarms or alerts
Sound warning if specific situation is occurring
Example: alert if too many failed password attempts
Reporting can provide information on trends
Can indicate a serious impending situation
Example: multiple user accounts experiencing multiple password attempts
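An added example (not from the textbook) that implements the two reporting cases on this slide as detection logic run over authentication log lines: an alarm when one account accumulates too many failed password attempts inside a short window, and a trend report when several different accounts each see repeated failures in the same period. The log lines are constructed in a simplified syslog-like layout (they are not real sshd output); the thresholds, window sizes and the `failed_login_alerts` and `spray_trend` functions are this example's own.

```python
"""Alerts and trend reporting over authentication logs (added example, not from the textbook)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one account hammered, then three accounts each tried twice.
LOG_LINES = """\
2024-03-01T09:00:01 sshd[101]: Failed password for alice from 198.51.100.7
2024-03-01T09:00:05 sshd[101]: Failed password for alice from 198.51.100.7
2024-03-01T09:00:09 sshd[101]: Failed password for alice from 198.51.100.7
2024-03-01T09:00:12 sshd[101]: Failed password for alice from 198.51.100.7
2024-03-01T09:00:15 sshd[101]: Failed password for alice from 198.51.100.7
2024-03-01T09:00:30 sshd[102]: Accepted password for alice from 10.0.0.5
2024-03-01T09:10:00 sshd[103]: Failed password for bob from 203.0.113.9
2024-03-01T09:10:02 sshd[103]: Failed password for carol from 203.0.113.9
2024-03-01T09:10:04 sshd[103]: Failed password for dave from 203.0.113.9
2024-03-01T09:10:06 sshd[103]: Failed password for bob from 203.0.113.9
2024-03-01T09:10:08 sshd[103]: Failed password for carol from 203.0.113.9
2024-03-01T09:10:10 sshd[103]: Failed password for dave from 203.0.113.9
""".splitlines()

LINE_RE = re.compile(r"^(\S+) \S+: (Failed|Accepted) password for (\S+) from (\S+)$")
EPOCH = datetime(1970, 1, 1)


def parse(lines):
    """Yield (timestamp, outcome, user, source); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def failed_login_alerts(lines, threshold=5, window=timedelta(minutes=5)):
    """Alarm rule: one account reaching `threshold` failures inside a sliding window.

    Fires once, at the attempt that crosses the threshold, and reports the source.
    """
    alerts = []
    recent = defaultdict(list)
    for ts, outcome, user, src in parse(lines):
        if outcome != "Failed":
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) == threshold:
            alerts.append((user, src, ts))
    return alerts


def spray_trend(lines, min_accounts=3, min_failures=2, window=timedelta(minutes=10)):
    """Trend rule: many accounts, each with several failures, inside one fixed window.

    Each account on its own may stay below the alarm threshold; the trend is
    only visible when failures are counted across accounts per window.
    """
    buckets = defaultdict(lambda: defaultdict(int))   # window start -> user -> failures
    for ts, outcome, user, src in parse(lines):
        if outcome == "Failed":
            idx = (ts - EPOCH) // window
            buckets[EPOCH + idx * window][user] += 1
    trends = []
    for start in sorted(buckets):
        hit = sorted(u for u, n in buckets[start].items() if n >= min_failures)
        if len(hit) >= min_accounts:
            trends.append((start, hit))
    return trends


if __name__ == "__main__":
    for user, src, ts in failed_login_alerts(LOG_LINES):
        print(f"ALERT {ts.isoformat()} {user}: too many failed passwords from {src}")
    for start, users in spray_trend(LOG_LINES):
        print(f"TREND {start.isoformat()} repeated failures across accounts: {', '.join(users)}")
```

The two rules deliberately look at different things: the alarm watches one account closely, while the trend report counts accounts per window, which is how the second case on the slide (several accounts, each with a few failures) becomes visible even though no single account ever trips the alarm.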