Vulnerability Assessment and Detection: How Much Danger Am I In?


CSC 115 - Cook - Sacramento State - Summer 2017, Week 4 Part 2 (slides dated 6/18/2018)

Vulnerability Assessment

A vulnerability assessment is a systematic evaluation of asset exposure to threats, such as:
- attackers
- forces of nature
- any other potentially harmful entity

Aspects of Assessment

1. Asset identification
2. Threat evaluation
3. Vulnerability appraisal
4. Risk assessment
5. Risk mitigation

1. Asset Identification

Asset identification is the process of inventorying items with economic value. Common assets:
- people
- physical assets
- data
- hardware
- software

Determine each item's relative value:
- how critical the asset is to the company's goals
- how much revenue the asset generates
- how difficult the asset is to replace
- the impact on the organization if the asset is unavailable

The ranking can use a numeric scale.

2. Threat Evaluation

Threat evaluation is the process of listing dangers. Understanding the threats (and how they work) gives insight into what is vulnerable. As with asset identification, a ranking system is useful.

Common Threat Agents

Category            Example
Natural disasters   Fire, flood, or earthquake destroys data
Theft               Software is pirated, hardware stolen, or copyright infringed
Espionage           Spy steals the production schedule
Extortion           Mail clerk is blackmailed into intercepting letters
Hardware failure    Firewall fails and blocks all traffic
Human error         Employee drops a laptop in the parking lot
Sabotage            Employee deletes data out of spite
Software attacks    Virus, worm, denial of service, etc.
Software error      Bug in an application prevents database access
Utility failure     Electrical power is lost for an hour

Threat modeling
- goal: understand attackers and their methods
- often done by constructing scenarios
- an attack tree provides a visual representation of potential attacks: an inverted tree whose root is the attacker's goal and whose leaves are the individual steps that reach it

[Slide: Attack Tree: Car Radio]
[Slide: Attack Tree: Grading System]
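The two attack-tree slides above were images. As an added example (not from the slides or the course), here is a small Python evaluator for an attack tree of the kind they describe, with a constructed tree for the grading-system scenario. OR nodes mean any one child achieves the parent; AND nodes mean every child is needed. The leaf costs are invented attacker-effort units, and a control is modeled by raising the cost of the steps it defeats (infinity when it blocks the step outright), which shows how adding a control moves the attacker to the next-cheapest path.

```python
"""Attack-tree evaluation with AND/OR nodes (added example; hypothetical tree and costs)."""
from dataclasses import dataclass, field
from math import inf
from typing import Dict, List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    cost: float = 0.0             # attacker effort for a LEAF, in hypothetical units
    children: List["Node"] = field(default_factory=list)


def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf steps) of the least-effort way to reach `node`.

    OR nodes take the cheapest child; AND nodes sum all children.
    A cost of inf means no feasible path remains.
    """
    if node.kind == "LEAF":
        return node.cost, [node.name]
    results = [cheapest_attack(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        return sum(r[0] for r in results), [step for r in results for step in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def apply_control(node: Node, new_costs: Dict[str, float]) -> Node:
    """Return a copy of the tree with leaf costs changed by a control (inf = step blocked)."""
    if node.kind == "LEAF":
        return Node(node.name, "LEAF", new_costs.get(node.name, node.cost))
    return Node(node.name, node.kind, 0.0, [apply_control(c, new_costs) for c in node.children])


def render(node: Node, depth: int = 0) -> str:
    """Text form of the inverted tree: goal at the top, steps indented beneath it."""
    label = f"{node.name} [cost {node.cost}]" if node.kind == "LEAF" else f"{node.name} ({node.kind})"
    return "\n".join(["  " * depth + label] + [render(c, depth + 1) for c in node.children])


# Constructed tree for the slides' "grading system" scenario; names and costs are invented.
GRADING_TREE = Node("Change a grade in the grading system", "OR", children=[
    Node("Log in as the instructor", "OR", children=[
        Node("Phish the instructor's password", cost=3),
        Node("Steal the password from a sticky note", "AND", children=[
            Node("Enter the instructor's office", cost=4),
            Node("Copy the password from the note", cost=1),
        ]),
    ]),
    Node("Modify the database directly", "AND", children=[
        Node("Get onto the lab network", cost=2),
        Node("Exploit the unpatched database server", cost=6),
    ]),
    Node("Bribe a staff member", cost=10),
])

# Hypothetical control: multi-factor authentication makes a stolen password alone insufficient,
# so both password-only steps become infeasible.
MFA_CONTROL = {"Phish the instructor's password": inf, "Copy the password from the note": inf}

if __name__ == "__main__":
    print(render(GRADING_TREE))
    print("cheapest path now:      ", cheapest_attack(GRADING_TREE))
    print("cheapest path with MFA: ", cheapest_attack(apply_control(GRADING_TREE, MFA_CONTROL)))
```

The useful output is not the absolute numbers (which are made up) but the comparison: before the control the cheapest route is phishing; with MFA it becomes the direct database route, which tells you which asset to harden next.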

3. Vulnerability Appraisal

Vulnerability appraisal determines the current weaknesses at a specific point in time. Every asset should be viewed in light of each threat, and each vulnerability cataloged.

Impact           Description
No impact        Would not have a notable effect on the company (e.g. a computer mouse is lost)
Small / minor    Results in an inconvenience that might require a procedure change (e.g. lack of supplies)
Significant      Results in low productivity and requires cost to alleviate (e.g. a malware attack)
Major            Considerable negative impact on revenue (e.g. theft of project data)
Catastrophic     Causes the company to cease functioning or be crippled (e.g. a tornado destroys all data)

4. Risk Assessment

Risk assessment determines the damage that would result from an attack and assesses the likelihood that a vulnerability is a risk to the organization.
- Exposure factor (EF): the fraction (percentage) of an asset's value that would be lost if a particular risk occurred; an EF of 1.0 means the asset is destroyed outright
- Annualized rate of occurrence (ARO): the expected number of times the risk will occur in a given year (it can exceed 1 for frequent events)
- Single loss expectancy (SLE): the expected monetary loss each time the risk occurs, calculated as SLE = asset value x EF
- Annualized loss expectancy (ALE): the expected monetary loss over one year, calculated as ALE = SLE x ARO

5. Risk Mitigation

Risk mitigation is the process of reducing risk to assets (risk can rarely be eliminated outright). Common tasks:
- deciding what to do about each risk
- deciding how much risk can be tolerated
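Worked example, added here and not part of the slides, of the SLE and ALE formulas applied to a small constructed risk register, and of choosing between the mitigation options (diminish, transfer, accept) by expected annual cost against a stated risk tolerance. The assets, values, exposure factors, ARO figures, control costs and insurance premium are all invented for illustration, and the assumption that insurance makes the organization whole is a simplification.

```python
"""Risk register arithmetic: SLE, ALE, and comparing mitigation options (added example; constructed figures)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float       # dollars
    exposure_factor: float   # fraction of asset value lost per occurrence, 0.0-1.0
    aro: float               # annualized rate of occurrence (expected events per year)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and asset value cannot be negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy = asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None   # None = control does not change EF
    new_aro: Optional[float] = None               # None = control does not change ARO


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control lowers the exposure factor and/or the ARO."""
    ef = risk.exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor
    aro = risk.aro if control.new_aro is None else control.new_aro
    return Risk(risk.asset, risk.threat, risk.asset_value, ef, aro).ale


def rank_by_ale(register: List[Risk]) -> List[Risk]:
    """Highest expected annual loss first: where to spend attention."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def choose_option(risk: Risk, controls: List[Control], risk_tolerance: float,
                  insurance_premium: Optional[float] = None) -> Tuple[str, Optional[str], float]:
    """Pick the cheapest annual way to handle a risk: diminish, transfer, or accept.

    Returns (option, control name or None, expected annual cost). Accepting is only
    allowed when the ALE is within the stated risk tolerance; transfer assumes the
    policy covers the whole loss (a simplification).
    """
    candidates = [("diminish", c.name, residual_ale(risk, c) + c.annual_cost) for c in controls]
    if insurance_premium is not None:
        candidates.append(("transfer", None, insurance_premium))
    if risk.ale <= risk_tolerance:
        candidates.append(("accept", None, risk.ale))
    if not candidates:
        raise ValueError(f"no acceptable option for {risk.asset}/{risk.threat}")
    return min(candidates, key=lambda c: c[2])


# Constructed register for demonstration; none of these figures are real.
REGISTER = [
    Risk("Customer database", "Ransomware", 500_000, 0.6, 0.2),
    Risk("Public web server", "Denial of service", 80_000, 0.25, 2.0),
    Risk("Office laptops", "Theft", 30_000, 0.1, 3.0),
]
CONTROLS: Dict[str, List[Control]] = {
    "Ransomware": [Control("Offline backups and EDR", 15_000, new_exposure_factor=0.1)],
    "Denial of service": [Control("DDoS scrubbing service", 45_000, new_aro=0.2)],
    "Theft": [Control("Full-disk encryption", 8_000, new_exposure_factor=0.05)],
}
INSURANCE = {"Ransomware": 30_000}   # assumed annual premium

if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        opt = choose_option(r, CONTROLS[r.threat], risk_tolerance=25_000,
                            insurance_premium=INSURANCE.get(r.threat))
        print(f"{r.asset:18} {r.threat:18} SLE={r.sle:>10,.0f} ALE={r.ale:>9,.0f} -> {opt}")
```

Note what the comparison surfaces: for the laptops the control costs more per year than the expected loss it removes, so accepting is rational; for the web server the ALE exceeds the tolerance, so a control is chosen even though it costs more than the ALE. The tolerance figure is a management decision, not something the formulas produce.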

Options for dealing with risk:
- diminish (reduce) the risk by adding controls
- transfer the risk (outsourcing, insurance)
- accept the risk
Avoiding the risk altogether, by not doing the activity that creates it, is the fourth option usually listed alongside these.

Assessment Techniques: How to Protect Your System

There are a number of techniques that are employed to better assess risk.

Baseline reporting
- a baseline is a standard for solid security
- compare the system to the baseline
- note, evaluate, and possibly address the differences

Application Development

Minimize vulnerabilities during software development. Challenges to this approach:
- software application size and complexity: smaller and simpler is better (simplicity!)
- lack of security specifications
- future attack techniques are unknown
- new designs have flaws

Software Assessment
1. Review the design in the requirements phase
2. Conduct design reviews, and consider including a security consultant; review the code during the implementation phase and examine the "attack surface" (the code that users, and therefore attackers, can reach and execute)
3. Correct bugs during the verification phase
4. Create and distribute security updates

Assess Ports

Know the ports available on each system; some can be used by an attacker to target a specific service. Port scanner software searches a system for listening ports and is used to determine each port's state: open, closed, or blocked (usually reported as "filtered").

Port number ranges
- Well-known port numbers (0-1023): reserved for the most universal applications, e.g. HTTP, POP, SMTP
- Registered port numbers (1024-49151): other applications not as widely used, e.g. instant messengers, MMOs
- Dynamic and private port numbers (49152-65535): available for any application to use; attackers may put their software on these

Some Common Port Numbers

Port  Name          Notes
20    FTP Data      Data for File Transfer Protocol
21    FTP Control   Control commands for FTP
23    Telnet        Remote control of the computer (unencrypted)
25    SMTP          Simple Mail Transfer Protocol
53    DNS           Domain Name Service
69    TFTP          Trivial File Transfer Protocol
80    HTTP          Hypertext Transfer Protocol
989   FTPS Data     Data for FTPS (FTP over TLS/SSL)
990   FTPS Control  Control for FTPS (FTP over TLS/SSL)

Protocol Analyzers

A protocol analyzer is hardware or software that captures packets; another name for it is a "sniffer". Legitimate uses:
- troubleshooting by network administrators
- characterizing network traffic
- security analysis: what can an attacker who is sniffing see?
Example: Wireshark

Vulnerability Scanners

Products that look for vulnerabilities in networks or systems. Most maintain a database categorizing the vulnerabilities they can detect. Example: Acunetix Web Vulnerability Scanner.

[Slide: screenshot of Acunetix Web Vulnerability Scanner]
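Added example (not the course's code) of what a port scanner does at the TCP level: a connect() scan that classifies each port as open, closed or filtered from how the connection attempt ends, together with the IANA range classification from the list above. It scans a listener it starts itself on the loopback interface, so it runs offline; the hypothetical helper names and the 0.5 s timeout are assumptions. Scan only hosts you are authorized to test.

```python
"""TCP connect scan with open / closed / filtered classification (added example, not the slides' code)."""
import socket
from typing import Dict, Iterable, Optional


def port_class(port: int) -> str:
    """IANA range a port number falls in."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def classify(error: Optional[BaseException]) -> str:
    """Map the outcome of a connect() attempt to a port state.

    No error      -> open: a service completed the TCP handshake.
    Refused       -> closed: the host answered with RST, nothing is listening.
    Anything else -> filtered: timeout or unreachable; typically a firewall
                     silently dropping the probe, so the scanner cannot tell.
    """
    if error is None:
        return "open"
    if isinstance(error, ConnectionRefusedError):
        return "closed"
    return "filtered"


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Attempt one full TCP connection and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as err:          # socket.timeout and ConnectionRefusedError are both OSError
        return classify(err)


def scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Scan a set of ports on one host; only run against hosts you are authorized to test."""
    return {port: probe(host, port, timeout) for port in sorted(set(ports))}


def start_demo_listener(host: str = "127.0.0.1") -> socket.socket:
    """Open a listening socket on an ephemeral loopback port so the demo has an 'open' target."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(5)
    return listener


def free_loopback_port() -> int:
    """Reserve and release an ephemeral port so the demo has a 'closed' target (tiny race, fine for a demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    listener = start_demo_listener()
    open_port = listener.getsockname()[1]
    closed_port = free_loopback_port()
    for port, state in scan("127.0.0.1", [open_port, closed_port, 80]).items():
        print(f"{port:>5}/tcp {state:<9} ({port_class(port)})")
    listener.close()
```

A connect scan completes the handshake, so it shows up in the target's service logs; tools such as nmap default to half-open (SYN) scans for that reason, which need raw sockets and privileges. The "filtered" state is the one to read carefully: it means no answer, not "secure".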

Vulnerability Scanners (continued)
- creates a report of potential exposures
- should be run on existing systems and again as new technology is deployed
- usually performed from inside the security perimeter
- does not interfere with normal network operations

Example Scanner Capabilities

Watch for changes:
- alert when new systems are added to the network
- alert when a system's configuration changes
Track network activity:
- detect when an internal system begins to port scan other systems
- log interactive network sessions: which systems talk to which other systems

Problems with Assessment Tools

There is no single standard for collecting, analyzing, and reporting vulnerabilities. The Open Vulnerability and Assessment Language (OVAL) was designed to promote open and publicly available security content and to standardize information transfer across different security tools and services.

Penetration Testing

Designed to exploit system weaknesses: someone is hired to attack the system.
- relies on the tester's skill, knowledge, and cunning
- usually conducted by an independent contractor
- usually conducted from outside the security perimeter
- may disrupt network operations, so scope, timing and rules of engagement are agreed in writing beforehand
- end result: a penetration test report

Types of Penetration Testing
- Black box test: the tester has no prior knowledge of the network infrastructure and must hunt around as an outside attacker would
- White box test: the tester has in-depth knowledge of the system; simulates an inside job or an attacker who has thoroughly researched the target, and allows a very in-depth analysis
- Gray box test: some limited information has been provided to the tester; approximates the knowledge an average attacker would have procured through dumpster diving, etc.

Honeypots and Honeynets: Laying a Tasty Little Trap

When an attacker breaks into a computer it is often to destroy data or steal it. They naturally look in particular places and for specific files. This knowledge of attacker behavior can be used against them.

Typical attributes
- A honeypot is a decoy computer designed to catch the attention of attackers
- A honeynet is a decoy network of honeypots
- Protected by minimal security
- Intentionally configured with vulnerabilities
- Contains bogus data files designed to look interesting; perhaps these are the files the attacker is after (e.g. source code, a password file)

Goals
- Reveal the attacker's techniques, so the real systems can be protected better as a result; perhaps also learn something about the attacker
- Alert the administrator: no legitimate user has a reason to touch a honeypot, so any connection to it is suspect
- Waste the attacker's time

"Shields Up!": Mitigating and Deterring Attacks

Mitigating and Deterring Attacks

Defending against and deterring attacks is essential for any network. Standard techniques:
1. creating a security posture
2. configuring controls
3. hardening
4. reporting

Creating a Security Posture

A security posture describes the organization's strategy regarding security.
- Initial baseline configuration: a standard security checklist; systems are evaluated against the baseline; this is the starting point for security
- Continuous security monitoring: regularly observe systems and networks, looking for any unauthorized changes
- Remediation: vulnerabilities will be exposed, so put a plan in place to address them

Configuring Controls

Properly configuring controls is key to mitigating and deterring attacks. Information security controls can be configured to detect attacks, sound alarms, and prevent attacks.
- Some controls are for detection: a security camera, a motion detector
- Some controls are for prevention: a properly positioned security guard, a locked door

Configuring Controls: Failure

When normal function is interrupted by a failure, which is the higher priority: security or safety?
- Fail-open lock: unlocks the doors automatically upon failure so that people can get out; safety takes priority. Train air brakes follow the same idea: a loss of pressure applies the brakes, moving the system to its safe state.
- Fail-safe lock: locks automatically upon failure; security takes priority, giving the highest security level.
In current practice the locking behavior is more often called "fail-secure" or "fail-closed", with "fail-safe" reserved for the safety-first behavior, so check which meaning a vendor or standard intends before relying on the label.

Hardening

Hardening is eliminating as many security risks as possible. Techniques to harden systems:
- protect accounts with passwords
- disable unnecessary accounts
- disable unnecessary services
- protect management interfaces and applications

Reporting

Reporting is providing information about events that occur.
- Alarms or alerts sound a warning if a specific situation is occurring, e.g. alert if there are too many failed password attempts
- Reporting can provide important information on trends
- Trends can indicate a serious impending situation, e.g. multiple user accounts each experiencing multiple failed password attempts (a sign of password guessing spread across accounts)

Intrusion Detection: Alert! Alert! Alert!

Passive and active security measures can both be used in a network; active measures provide a higher level of security. An intrusion detection system (IDS) is an active security measure in this sense: it can detect an attack as it occurs rather than after the fact.

Host Intrusion Detection System

A host intrusion detection system (HIDS) is a software-based application that can detect an attack as it occurs. It is installed on each host needing protection and monitors:
- system calls and file system access
- unauthorized Registry modifications
- all input and output communications

Disadvantages of Host IDS
- cannot monitor network traffic that does not reach the local system
- all log data is stored locally, where an attacker who compromises the host can tamper with it
- resource-intensive and can slow the system

Network IDS

A network intrusion detection system (NIDS) watches for attacks on the network. NIDS sensors are installed on firewalls and routers; they gather information and report back to a central device.
- A passive NIDS will simply sound an alarm
- An active NIDS will sound the alarm and take action: filter out the intruder's IP address, terminate the TCP session, collect data on the suspect

Intrusion Prevention System

A network intrusion prevention system (NIPS) is similar to an active NIDS: it monitors network traffic in order to immediately block a malicious attack. NIPS sensors are located in line with the traffic (often on the firewall itself), so every packet passes through the sensor; that placement is what lets it block rather than merely alert, and it also means a failed or overloaded sensor can itself become an outage.

Monitoring Methodologies
- Anomaly-based monitoring: compares currently detected behavior with a baseline; any deviation raises an alarm
- Signature-based monitoring: looks for evidence of well-known attack signatures; attacks with unknown signatures are still a danger
- Behavior-based monitoring: detects abnormal actions by processes or programs and alerts the administrator, who decides whether to allow or block
- Heuristic monitoring: uses experience-based techniques (rules of thumb) that can find attack-like behavior

Port Scanning Detection

Methodology       Detects a port scan?  Comments
Anomaly-based     Depends               Only if a baseline of the application's normal activity was established beforehand, so that the scan registers as a deviation
Signature-based   Depends               Only if a signature of scanning by this application was created
Behavior-based    Depends               Only if this action is different from what other applications do
Heuristic-based   Yes                   The IDS is triggered if any application tries to scan multiple ports

Monitoring System Logs: Software that Helps

A log is a record of events. Log entries contain information related to a specific event, e.g. IP address, dates, services. Monitoring logs is useful for determining how an attack occurred and whether it was successfully resisted.
- An audit log can track user authentication attempts
- An access log can provide details about requests for specific files

Important Logs

System event logs record:
- client requests and server responses
- usage information
- account information
- operational information

Security application logs:
- anti-virus software log
- automated patch update service log

Benefits of Monitoring
- Identify security incidents, policy violations, fraudulent activity
- Provide information shortly after an event occurs
- Provide information to help resolve problems
- Help identify operational trends and long-term problems
- Provide documentation of regulatory compliance
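Added example, not from the slides, of the heuristic rule in the port scanning table (alert when one source touches many distinct ports on a host in a short time) and of the two alert rules described under Reporting (too many failed password attempts on one account, and failures spread across many accounts from one source), run over constructed firewall and sshd-style log lines. The log formats, IP addresses, thresholds and the 10-second window are all assumptions.

```python
"""Heuristic monitors over constructed log lines: port-scan and failed-login detection
(added example, not from the slides)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed firewall connection log: 10.0.0.7 probes six ports in two seconds,
# 10.0.0.9 makes ordinary repeated requests to the web ports.
CONN_LOG = """\
2024-03-01T10:00:00 SRC=10.0.0.7 DST=10.0.0.20 DPT=21
2024-03-01T10:00:00 SRC=10.0.0.7 DST=10.0.0.20 DPT=22
2024-03-01T10:00:01 SRC=10.0.0.7 DST=10.0.0.20 DPT=23
2024-03-01T10:00:01 SRC=10.0.0.7 DST=10.0.0.20 DPT=25
2024-03-01T10:00:02 SRC=10.0.0.7 DST=10.0.0.20 DPT=80
2024-03-01T10:00:02 SRC=10.0.0.7 DST=10.0.0.20 DPT=443
2024-03-01T10:00:00 SRC=10.0.0.9 DST=10.0.0.20 DPT=80
2024-03-01T10:00:03 SRC=10.0.0.9 DST=10.0.0.20 DPT=80
2024-03-01T10:00:07 SRC=10.0.0.9 DST=10.0.0.20 DPT=443
2024-03-01T10:00:09 SRC=10.0.0.9 DST=10.0.0.20 DPT=80
"""
CONN_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)")

# Constructed sshd-style auth log: brute force on one account, a spray across several
# accounts from a second source, and one benign mistyped password from an internal host.
AUTH_LOG = """\
Mar  1 10:05:01 web1 sshd[2311]: Failed password for alice from 203.0.113.5 port 51001 ssh2
Mar  1 10:05:02 web1 sshd[2311]: Failed password for alice from 203.0.113.5 port 51002 ssh2
Mar  1 10:05:03 web1 sshd[2311]: Failed password for alice from 203.0.113.5 port 51003 ssh2
Mar  1 10:05:04 web1 sshd[2311]: Failed password for alice from 203.0.113.5 port 51004 ssh2
Mar  1 10:05:05 web1 sshd[2311]: Failed password for alice from 203.0.113.5 port 51005 ssh2
Mar  1 10:06:00 web1 sshd[2320]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar  1 10:06:01 web1 sshd[2321]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Mar  1 10:06:02 web1 sshd[2322]: Failed password for carol from 198.51.100.9 port 40003 ssh2
Mar  1 10:06:03 web1 sshd[2323]: Failed password for invalid user admin from 198.51.100.9 port 40004 ssh2
Mar  1 10:07:00 web1 sshd[2330]: Failed password for bob from 10.0.0.5 port 52000 ssh2
Mar  1 10:07:05 web1 sshd[2330]: Accepted password for bob from 10.0.0.5 port 52000 ssh2
"""
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def detect_port_scans(lines: Iterable[str], min_ports: int = 5,
                      window: timedelta = timedelta(seconds=10)) -> List[Dict]:
    """Heuristic: one source touching >= min_ports distinct ports on one host within `window`."""
    events = defaultdict(list)                      # (src, dst) -> [(timestamp, port), ...]
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            events[(m[2], m[3])].append((datetime.fromisoformat(m[1]), int(m[4])))
    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        for i in range(len(evs)):                   # slide a time window over the sorted events
            in_window = {port for ts, port in evs[i:] if ts - evs[i][0] <= window}
            if len(in_window) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": sorted(in_window)})
                break                               # one alert per source/target pair
    return alerts


def detect_failed_logins(lines: Iterable[str], brute_threshold: int = 5,
                         spray_threshold: int = 4) -> List[Tuple]:
    """Brute force: many failures for one account from one source.
    Password spray: one source failing against many different accounts, a few times each."""
    per_src_acct = defaultdict(int)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            per_src_acct[(m[2], m[1])] += 1         # (source IP, account) -> failure count
    alerts = []
    accounts_by_src = defaultdict(set)
    for (src, acct), n in sorted(per_src_acct.items()):
        accounts_by_src[src].add(acct)
        if n >= brute_threshold:
            alerts.append(("brute_force", src, acct, n))
    for src, accts in sorted(accounts_by_src.items()):
        if len(accts) >= spray_threshold:
            alerts.append(("password_spray", src, len(accts)))
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(CONN_LOG.splitlines()):
        print("port scan:", alert)
    for alert in detect_failed_logins(AUTH_LOG.splitlines()):
        print("auth:", alert)
```

The spray rule is the one most shops miss: each account sees only one or two failures, so a per-account lockout threshold never fires, and only counting distinct accounts per source reveals it. Thresholds like these are heuristics in the slide's sense; tune them against the baseline of your own traffic or they will either miss slow scans or page you for every misconfigured monitoring probe.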