Vulnerability Assessment. Detection. Aspects of Assessment. 1. Asset Identification. 1. Asset Identification. How Much Danger Am I In?

Transcription

1 Detection Vulnerability Assessment Week 4 Part 2 How Much Danger Am I In? Vulnerability Assessment Aspects of Assessment Vulnerability Assessment is a systematic evaluation of asset exposure to threats Such as: attackers forces of nature any potentially harmful entity 1. Asset identification 2. Threat evaluation 3. Vulnerability appraisal 4. Risk assessment 5. Risk mitigation 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Asset Identification 1. Asset Identification Asset Identification is the process of inventorying items with economic value Common assets people physical assets data hardware software Determine item's relative value how critical is the asset for the company goals how much revenue asset generates how difficult to replace asset impact of the asset if it is unavailable to the organization Could rank using a number scale 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer

2 2. Threat Evaluation Common Threat Agents Threat Evaluation is the process of listing dangers Understanding the threats (and how they work) gives insight into what is vulnerable Also, like Asset Evaluation, a ranking system is useful Category Natural disasters Theft Espionage Extortion Hardware failure Example Fire, flood, or earthquake destroys data Software is pirated, hardware stolen, or copyright infringed Spy steals production schedule Mail clerk is blackmailed into intercepting letters Firewall blocks all traffic 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Common Threat Agents 2. Threat Evaluation Category Human error Sabotage Software attacks Software error Utility failure Example Employee drops a laptop in the parking lot Employee deletes data out of spite Virus, worm, denial of service, etc Bug in application prevents database access Electrical power is lost for an hour Threat modeling goal: understand attackers and their methods often done by constructing scenarios Attack tree provides visual representation of potential attacks inverted tree structure 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Attack Tree: Car Radio Attack Tree: Grading System 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer

3 3. Vulnerability Appraisal 3. Vulnerability Appraisal Vulnerability Appraisal determine current weaknesses at a specific time Every asset should be viewed in light of each threat Catalog each vulnerability Impact No impact Small / minor Significant Major Catastrophic Description Would not have a notable affect on the company. (e.g. computer mouse is lost) Result in inconvenience that might require procedure change (lack of supplies) Results in low productivity and requires cost to alleviate (malware attack) Considerable negative impact on revenue (theft of project data) Causes the company to cease functioning or be crippled (tornado destroys all data) 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Risk Assessment 4. Risk Assessment Risk assessment determines the damage resulting from attack Assess likelihood that vulnerability is a risk to organization Exposure factor is the probability that an asset will be destroyed by a particular risk Annualized rate of occurrence is the probability that a risk will occur in a particular year 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Risk Assessment 5. Risk Mitigation Single loss expectancy (SLE) expected monetary loss each time a risk occurs calculated: asset value exposure factor Annualized loss expectancy (ALE) expected monetary loss over one year calculate: SLE annualized rate of occurrence Risk Mitigation is the process of eliminating risk to assets Common tasks what to do about risks how much risk can be tolerated 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer

4 5. Risk Mitigation Options for dealing with risk diminish transfer (outsourcing, insurance) accept Assessment Techniques How to Protect Your System 6/18/2018 CSC Cook - Sacramento State - Summer Assessment Techniques Application Development There are a number of techniques that are employed to better assess risk Baseline reporting baseline is a standard for solid security compare system to baseline note, evaluate, and possibly address differences Minimize vulnerabilities during software development Challenges to approach: software application size and complexity smaller and simpler is better (simplicity!) lack of security specifications future attack techniques unknown new designs have flaws 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Software Assessment Assess Ports 1. Review design in requirements phase 2. Conduct design reviews consider including a security consultant review code during implementation phase examine the "attack surface" (code executed by users) 3. Correct bugs during verification phase 4. Create and distribute security updates Know the ports available on each system Some can be used by attacker to target specific service Port scanner software searches system for port vulnerabilities used to determine port state: open, closed, blocked 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer

5 Assess Ports Some Common Port Numbers Well-known port numbers reserved for most universal applications e.g. HTTP, POP, SMTP Registered port numbers other applications not as widely used e.g. instant messengers, MMOs Dynamic and private port numbers available for any application to use attackers may put their software on these Port Name Notes 20 FTP Data Data for File Transfer Protocol 21 FTP Control Control commands for FTP 23 Telnet Remote control of the computer 25 SMTP Simple Mail Transfer Protocol 54 DNS Domain Name Service 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Some Common Port Numbers Protocol Analyzers Port Name Notes 69 TFTP Trivial File Transfer Protocol 80 HTTP Hypertext Transfer Protocol 989 FTPS - Data Data for Secure File Transfer Protocol 990 FTPS Control Control for Secure File Transfer Protocol Protocol analyzers is hardware or software that captures packets Another name for "sniffers" Legitimate uses: troubleshooting by network administrators characterizing network traffic security analysis what can attackers see? Example: Wireshark 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Vulnerability Scanners Products that look for vulnerabilities in networks or systems Most maintain a database categorizing vulnerabilities they can detect Example: Acunetix Web Vulnerability Scanner Acunetix Web Vulnerability Scanner 6/18/2018 CSC Cook - Sacramento State - Summer

6 Vulnerability Scanners Example Scanner Capabilities Creates report of potential exposures Should be conducted on existing systems and as new technology is deployed Usually performed from inside the security perimeter Does not interfere with normal network operations Watch for changes: alert when new systems added to network alert when a system configuration changes Track network activity detect when internal system begins to port scan other systems log interactive network sessions which systems talk to with other systems 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Problems with Assessment Tools Penetration Testing There is no standard for collecting, analyzing, reporting vulnerabilities Open Vulnerability and Assessment Language (OVAL) designed to promote open and publicly available security content standardizes information transfer across different security tools and services Designed to exploit system weaknesses Someone is hired to attack relies on tester s skill, knowledge, cunning usually conducted by independent contractor usually conducted outside security perimeter May disrupt network operations End result: penetration test report 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Types Penetration Testing Types Penetration Testing Black box test tester has no prior knowledge of network infrastructure the must hunt around like an attacker would White box test tester has in-depth knowledge of system simulates an inside job or attacker that researched target Gray box test some limited information has been provided to the tester tests average knowledge an attacker would have procured through dumpster-diving, etc allows a very in-depth analysis 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer

7 Honeypots and Honeynets Honeypots & Honeynets Laying a Tasty Little Trap When an attacker breaks into a computer it is often to destroy data or steal it They, naturally, look in some areas and for specific files This knowledge of attacker behavior can be used against them 6/18/2018 CSC Cook - Sacramento State - Summer Honeypots and Honeynets Typical Attributes A honeypot is decoy computer designed to catch the attention of attackers A honeynet is a decoy network of honeypots Protected by minimal security Intentionally configured with vulnerabilities Contains bogus data files designed to look interesting perhaps these are the files that the attacker is after e.g. source code, password file 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Goals Reveal their techniques real system can be protected better as a result perhaps show knowledge about the attacker Alert the admin Waste the attacker's time "Shields Up!" Mitigating and Deterring Attacks 6/18/2018 CSC Cook - Sacramento State - Summer

8 Mitigating and Deterring Attacks Creating a Security Posture Defense and deterring attacks is essential for any network Standard techniques: 1. creating a security posture 2. configuring controls 3. hardening 4. reporting A security posture describes strategy regarding security Initial baseline configuration standard security checklist systems evaluated against baseline starting point for security 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Creating a Security Posture Configuring Controls Continuous security monitoring regularly observe systems and networks look for any unauthorized changes Remediation vulnerabilities will be exposed, put plan in place to address them Properly configuring controls is key to mitigating and deterring attacks Information security controls can be configured to detect attacks sound alarms prevent attacks 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Configuring Controls Configuring Controls: Failure Some controls are for detection security camera motion detector Some controls are for prevention properly positioned security guard locked door When normal function interrupted by failure: which is higher priority: security or safety? Fail-open lock unlocks doors automatically upon failure e.g. train brakes pressure loss causes lock Fail-safe lock automatically locks upon failure highest security level 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer

9 Hardening Reporting Hardening is elimination as many security risks as possible Techniques to harden systems protect accounts with passwords disabling unnecessary accounts disabling unnecessary services protecting management interfaces and applications Reporting is providing information regarding events that occur Alarms or alerts sound warning if specific situation is occurring e.g. alert if too many failed password attempts 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Reporting Reporting can important provide information on trends Can indicate a serious impending situation e.g. multiple user accounts experiencing multiple password attempts Intrusion Detection Alert! Alert! Alert! 6/18/2018 CSC Cook - Sacramento State - Summer Intrusion Detection Host Intrusion Detection System Passive and active security can be used in a network Active measures provide higher level of security Intrusion detection system (IDS) is an active security measure that can detect an attack as it occurs Host intrusion detection system (HIDS) is a software-based application that can detect attack as it occurs Installed on each host needing protection Monitors: system calls and file system access recognize unauthorized Registry modification all input and output communications 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer

10 Disadvantages of Host IDS Network IDS Cannot monitor network traffic that does not reach local system All log data is stored locally Resource-intensive and can slow system Network intrusion detection system (NIDS) watches for attacks on the network NIDS sensors installed on firewalls and routers which gather information and report back to central device 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Network IDS Intrusion Prevention system Passive NIDS will simply sound an alarm Active NIDS will sound alarm and take action filtering out intruder s IP address terminate TCP session collect data on suspect Network intrusion prevention system (NIPS) is similar to active NIDS Attributes monitors network traffic to immediately block a malicious attack NIPS sensors located in line on firewall itself 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Monitoring Methodologies Monitoring Methodologies Anomaly-based monitoring compares current detected behavior with baseline any changes raise an alarm Signature-based monitoring looks for well-known attack signature evidence unknown signatures still a danger Behavior-based monitoring detects abnormal actions by processes or programs alerts admin who decides whether to allow or block Heuristic monitoring uses experience-based techniques can find attack-like behavior 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer

11 Port Scanning Detection Methodology Detect Port Scan? Comments Anomaly-based Signature-based Depends Depends Only if app had tried to scan previously and baseline was established. Only if signature of scanning by this application was created Monitoring System Logs Behavior-based Depends Only if this action is different from other applications Heuristic-based Yes IDS is triggered if any app tries to scan multiple ports Software that Helps 6/18/2018 CSC Cook - Sacramento State - Summer Monitoring System Logs Monitoring System Logs A log is a record of events Log entries contain information related to a specific event e.g. IP address, dates, services Monitoring logs is useful determine how an attack occurred whether successfully resisted Audit log can track user authentication attempts Access log can provide details about requests for specific files 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer Important Logs Benefits of Monitoring System event logs record: client requests and server responses usage information account information operational information Security application logs: anti-virus software log automated patch update service log Identify security incidents, policy violations, fraudulent activity Provide information shortly after event occurs Provide information to help resolve problems Help identify operational trends and long-term problems Provide documentation of regulatory compliance 6/18/2018 CSC Cook - Sacramento State - Summer /18/2018 CSC Cook - Sacramento State - Summer