7/31/2019 network vulnerabilities
Chapter 4: Computer Network Vulnerabilities
Computer Network Security
Kizza - Computer Network Security 2
Sources of Vulnerabilities
There is no definitive list of all possible sources of these system vulnerabilities. Among the most frequently mentioned sources of security vulnerability problems in computer networks are design flaws, poor security management, incorrect implementation, Internet technology vulnerability, the nature of intruder activity, the difficulty of fixing vulnerable systems, the limits of effectiveness of reactive solutions, and social engineering.
Computer Network Vulnerabilities
System vulnerabilities are weaknesses in the software or hardware on a server or a client that can be exploited by a determined intruder to gain access to or shut down a network.
A system vulnerability is a condition, a weakness of or an absence of security procedure, or technical, physical, or other controls that could be exploited by a threat.
Design Flaws
The two major components of a computer system, hardware and software, quite often have design flaws.
Hardware systems are less susceptible to design flaws than their software counterparts owing to less complexity and the long history of hardware engineering.
But even with all these factors backing up hardware engineering, design flaws are still common.
But the biggest problems in system security vulnerability are due to software design flaws.
Three major factors contribute a great deal to software design flaws:
human factors,
software complexity,
trustworthy software sources.
Human Factors - Poor software performance can be a result of:
Memory lapses and attentional failures: For example, someone was supposed to have removed or added a line of code, tested, or verified but did not because of simple forgetfulness.
Rush to finish: The result of pressure, most often from management, to get the product on the market either to cut development costs or to meet a client deadline can cause problems.
Overconfidence and use of nonstandard or untested algorithms: Before algorithms are fully tested by peers, they are put into the product line because they seem to have worked on a few test runs.
Malice: Software developers, like any other professionals, have malicious people in their ranks. Bugs, viruses, and worms have been known to be embedded and downloaded in software, as is the case with Trojan horse software, which boots itself at a timed location.
Complacency: When either an individual or a software producer has significant experience in software development, it is easy to overlook certain testing and other error control measures in those parts of software that were tested previously in a similar or related product, forgetting that no one software product can conform to
Software Complexity - Professionals and nonprofessionals who use software know the differences between software programming and hardware engineering. It is these differences that underlie many of the causes of software failure and poor performance. Consider the following:
Complexity: Unlike hardwired programming in which it is easy to exhaust the possible outcomes on a given set of input sequences, in software programming a similar program may present billions of possible outcomes on the same input sequence.
Difficult testing: There will never be a complete set of test programs to check software exhaustively for all bugs for a given input sequence.
Ease of programming: The fact that software programming is easy to learn encourages many people with little formal training and education in the field to start developing programs, but many are not knowledgeable about good programming practices or able to check for errors.
Misunderstanding of basic design specifications: This affects the subsequent design phases including coding, documenting, and testing. It also results in improper and ambiguous specifications of major components of the software and in ill-chosen and poorly defined internal
Trustworthy Software Sources
There are thousands of software sources for the millions of software products on the market today. However, if we were required to name well known software producers, very few of us would succeed in naming more than a handful. Yet we buy software products every day without even ever minding their sources. Most important, we do not care about the quality of that software, the honesty of the anonymous programmer, and of course the reliability of it as long as it does what we want it to do.
Even if we want to trace the authorship of the software product, it is impossible because software companies are closed within months of their opening. Chances are when a software product is 2 years old, its producer is likely to be out of business. In addition to the difficulties in tracing the producers of software who go out of business as fast as they come in, there is also fear that such software may not even have been tested at all.
The growth of the Internet and the escalating costs of software production have led many small in-house software developers to use the marketplace as a giant testing laboratory through the use of beta testing, shareware and freeware. Shareware and freeware have a
Software Re-Use, Re-engineering, and Outlived Design
New developments in software engineering are spearheading new developments such as software re-use and software re-engineering. Software re-use is the integration and use of software assets from a previously developed system. It is the process in which old or updated software such as library, component, requirements and design documents, and design patterns is used along with new software.
Both software re-engineering and re-use are hailed for cutting down on the escalating development and testing costs. They have brought efficiency by reducing time spent designing or coding, popularized standardization, and led to common look-and-feel between applications. They have made debugging easier through use of thoroughly tested designs and code.
Poor Security Management
Security management is both a technical and an administrative security process that involves security policies and controls that the organization decides to put in place to provide the required level of protection. In addition, it also involves security monitoring and evaluation of the effectiveness of those policies.
The most effective way to meet those goals is to implement security risk assessment through a security policy and securing access to network resources through the use of firewalls and strong cryptography. These and others offer the security required for the different information systems in the organization in terms of integrity, confidentiality, and availability of that information.
Security management by itself is a complex process; however, if it is not well organized it can result in a security nightmare for the organization.
Poor security management is a result of little control over security implementation, administration, and monitoring. It is a failure in having solid control of the security situation of the organization when the security administrator does not know who is setting the organization's security policy, administering security compliance, and who manages system security configurations and is in charge of security event and incident handling.
Good security management is made up of a number of implementable security components that include
risk management,
information security policies and procedures,
standards,
guidelines,
information classification,
security monitoring,
security education.
These core components serve to protect the organization's resources.
A risk analysis will identify these assets, discover the threats that put them at risk, and estimate the possible damage and potential loss a company could endure if any of these threats become real. The results of the risk analysis help management construct a budget with the necessary funds to protect the recognized assets from their identified threats and develop applicable security policies that provide direction for security activities. Security education takes this information to each and every employee.
Security policies and procedures to create, implement, and enforce security issues that may include people and technology.
Information classification to manage the search, identification, and reduction of system vulnerabilities by establishing security configurations.
Security monitoring to prevent and detect intrusions, consolidate event logs for future log and trend analysis, manage security events in real-time, manage parameter security including multiple firewall reporting systems, and analyze security events enterprise-wide.
Security education to bring security awareness to every employee of the organization and teach them their individual security responsibility.
Incorrect Implementation
Incorrect implementation very often is a result of incompatible interfaces. Two product modules can be deployed and work together only if they are compatible. That means that the module must be additive, that is, the environment of the interface needs to remain intact.
An incompatible interface, on the other hand, means that the introduction of the module has changed the existing interface in such a way that existing references to the interface can fail or behave incorrectly.
Incompatibility in system interfaces may be caused by a variety of conditions usually created by things such as:
Too much detail
Not enough understanding of the underlying parameters
Poor communication during design
Selecting the software or hardware modules before understanding the receiving software
Ignoring integration issues
Error in manual entry
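The additive-versus-incompatible distinction above can be checked mechanically before a module is deployed. The following is an added example, not part of the original slides: it compares the call signatures two versions of a module export, and the module, function and parameter names are hypothetical, constructed for illustration.

```python
import inspect

EMPTY = inspect.Parameter.empty
VARIADIC = (inspect.Parameter.VAR_POSITIONAL, inspect.Parameter.VAR_KEYWORD)

def breaking_changes(old_api, new_api):
    """List the reasons new_api is not an additive extension of old_api.

    Each argument maps an exported name to a callable. An empty result means
    every call that was valid against old_api is still accepted by new_api.
    """
    problems = []
    for name, old_fn in old_api.items():
        if name not in new_api:
            problems.append(f"{name}: removed")
            continue
        old = inspect.signature(old_fn).parameters
        new = inspect.signature(new_api[name]).parameters
        order = list(new)
        # Everything an existing caller may pass must still be accepted,
        # in the same position and with a default if it had one.
        for pos, (pname, param) in enumerate(old.items()):
            if pname not in new:
                problems.append(f"{name}: parameter '{pname}' removed")
            elif order.index(pname) != pos:
                problems.append(f"{name}: parameter '{pname}' moved")
            elif param.default is not EMPTY and new[pname].default is EMPTY:
                problems.append(f"{name}: parameter '{pname}' lost its default")
        # A new parameter is additive only if existing callers can omit it.
        for pname, param in new.items():
            if pname not in old and param.default is EMPTY and param.kind not in VARIADIC:
                problems.append(f"{name}: new required parameter '{pname}'")
    return problems

# Constructed sample: three versions of a hypothetical access-control module.
V1 = {
    "check_access": lambda user, resource: True,
    "open_session": lambda user, timeout=300: "session",
}
V2_ADDITIVE = {
    "check_access": lambda user, resource, audit=False: True,
    "open_session": lambda user, timeout=300: "session",
    "close_session": lambda session_id: None,
}
V2_BREAKING = {
    # Swapped arguments: positional callers now test the wrong subject.
    "check_access": lambda resource, user: True,
    "open_session": lambda user, timeout, mfa_token: "session",
}

if __name__ == "__main__":
    print(breaking_changes(V1, V2_ADDITIVE))
    for reason in breaking_changes(V1, V2_BREAKING):
        print(reason)
```

The swapped-argument case is the one that matters most for security: existing references do not fail, they behave incorrectly, which no crash or error log will reveal.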
Internet Technology Vulnerability
The fact that computer and telecommunication technologies have developed at such an amazing and frightening speed and people have overwhelmingly embraced both of them has caused security experts to worry about the side effects of these booming technologies.
Internet technology has been and continues to be vulnerable. There have been reports of all sorts of loopholes, weaknesses, and gaping holes in both software and hardware technologies.
No one knows how many of these vulnerabilities there are both in software and hardware. The assumption is that there are thousands. As history has shown us, a few are always discovered every day by hackers.
Although the list spans both hardware and software, the problem is more prevalent with software. In fact software vulnerabilities can be put into four categories:
Operating system vulnerabilities: Operating systems are the main sources of all reported system vulnerabilities.
Port-based vulnerabilities: Besides operating systems, network service ports take second place in sourcing system vulnerabilities. For system administrators, knowing the list of most vulnerable ports can go a long way to help enhance system security by blocking those known ports at the firewall.
Application software based errors
Changing Nature of Hacker Technologies and Activities
It is ironic that as useful technology develops so does the bad technology. What we call useful technology is the development in all computer and telecommunication technologies that are driving the Internet, telecommunication, and the Web. Bad technology is the technology that system intruders are using to attack systems. Unfortunately these technologies are all developing in tandem.
In fact there are times when it looks like hacker technologies are developing faster than the rest of the technology. One thing is clear, though: hacker technology is flourishing.
Difficulty of Fixing Vulnerable Systems
It is difficult to fix known system vulnerabilities. There is concern about the ability of system administrators to cope with the number of patches issued for system vulnerabilities. As the number of vulnerabilities rises, system and network administrators face a difficult situation. They are challenged with keeping up with all the systems they have and all the patches released for those systems. Patches can be difficult to apply and might even have unexpected side effects as a result of compatibility issues [2].
Besides the problem of keeping abreast of the number of vulnerabilities and the corresponding patches there are also logistic problems between the time a vendor releases a security patch, and the time a system administrator fixes the vulnerable computer system.
There are several factors affecting the quick fixing of patches. Sometimes it is the logistics of the distribution of patches. Many vendors disseminate the patches on their Web sites; others send e-mail alerts. However, sometimes busy systems administrators do not get around to these e-mails and security alerts until sometime after. Sometimes it can be months or years before the patches are implemented on a majority of the vulnerable computers.
Limits of Effectiveness of Reactive Solutions
Because just a small percentage of all attacks is reported, this indicates a serious growing system security problem.
Urgent action is needed to find an effective solution to this monstrous problem.
The security community, including scrupulous vendors, have come up with various solutions, some good and others not. In fact, in an unexpected reversal of fortunes one of the new security problems is to find a good solution from among thousands of solutions and to find an expert security option from the many different views.
Are we reaching the limits of our efforts, as a community, to come up with a few good and effective solutions to this security problem? There are many signs to support an affirmative answer
It is clear that we are reaching the limits of effectiveness of our reactive solutions. Richard D. Pethia gives the following reasons:
The number of vulnerabilities in commercial off-the-shelf software is now at the level that it is virtually impossible for any but the best resourced organizations to keep up with the vulnerability fixes.
The Internet now connects more than 109,000,000 computers and continues to grow at a rapid pace. At any point in time, there are hundreds of thousands of connected computers that are vulnerable to one form of attack or another.
Attack technology has now advanced to the point where it is easy for attackers to take advantage of these vulnerable machines and harness them together to launch high-powered attacks.
Many attacks are now fully automated, thus reducing the turnaround time even further as they spread around cyberspace.
The attack technology has become increasingly complex and in some cases intentionally stealthy, thus reducing the turnaround time and increasing the time it takes to discover and analyze the attack mechanisms in order to produce antidotes.
Social Engineering
Social engineering is an outside hacker's use of psychological tricks on legitimate users of a computer system, in order to gain the information (usernames and passwords) one needs to gain access to the system.
Social engineering is a diversion, in the process of system attack, on people's intelligence to utilize two human weaknesses: first no one wants to be considered ignorant and second is human trust. Ironically these are two weaknesses that have made social engineering difficult to fight because no one wants to admit
Vulnerability Assessment
Vulnerability assessment is a process that works on a system to identify, track, and manage the repair of vulnerabilities on the system.
The assortment of items that are checked by this process in a system under review varies depending on the organization. It may include all desktops, servers, routers, and firewalls.
Most vulnerability assessment services will provide system administrators with:
network mapping and system fingerprinting of all known vulnerabilities
a complete vulnerability analysis and ranking of all exploitable weaknesses based on potential impact and likelihood of occurrence for all services on each host
prioritized list of misconfigurations.
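The ranking and tracking steps described above, sketched as an added example that is not part of the original slides. The comma-separated report format, the 1-5 impact and likelihood scales, and the host names are assumptions; both sample reports are constructed.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "host service weakness impact likelihood")

def parse(report):
    """Parse 'host,service,weakness,impact,likelihood' lines (assumed format)."""
    findings = []
    for line in report.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, service, weakness, impact, likelihood = [f.strip() for f in line.split(",")]
        findings.append(Finding(host, service, weakness, int(impact), int(likelihood)))
    return findings

def rank(findings):
    """Order by impact x likelihood, highest first; ties go to higher impact."""
    return sorted(findings, key=lambda f: (-f.impact * f.likelihood, -f.impact,
                                           f.host, f.service, f.weakness))

def track(previous, current):
    """Compare two assessments: what was repaired, what persists, what is new."""
    def key(f):
        return (f.host, f.service, f.weakness)
    before = {key(f) for f in previous}
    after = {key(f) for f in current}
    return {"repaired": sorted(before - after),
            "persisting": sorted(before & after),
            "new": sorted(after - before)}

# Constructed sample reports from two assessments of the same network.
SCAN_Q1 = """
# host,service,weakness,impact,likelihood
web01,http,missing vendor patch,5,4
web01,ssh,password login enabled,3,3
db01,sql,default admin password,5,5
fw01,snmp,default community string,2,4
"""
SCAN_Q2 = """
web01,ssh,password login enabled,3,3
db01,sql,default admin password,5,5
fw01,snmp,default community string,2,4
mail01,smtp,open relay,4,3
"""

if __name__ == "__main__":
    for f in rank(parse(SCAN_Q1)):
        print(f.impact * f.likelihood, f.host, f.service, f.weakness)
    print(track(parse(SCAN_Q1), parse(SCAN_Q2)))
```

A weakness that stays in the "persisting" set across reassessments while ranking near the top is the clearest sign that repair is not being managed.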
A final report is always produced detailing the findings and the best way to go about overcoming such vulnerabilities.
This report consists of:
prioritized recommendations for mitigating or eliminating weaknesses, based on an organization's operational schedule;
it also contains recommendations of further reassessments of the system within given time intervals or on a regular basis.
Vulnerability Assessment Services
Due to the massive growth of the number of companies and organizations owning their own networks, the growth of vulnerability monitoring technologies, the increase in network intrusions and attacks with viruses, and world-wide publicity of such attacks, there is a growing number of companies offering system vulnerability services.
Among the services are:
Vulnerability Scanning - to provide a comprehensive security review of the system including both the perimeter and system internals. The aim of this kind of scanning is to spot critical vulnerabilities and gaps in the system's security practices. Comprehensive system scanning usually results in a number of both false positives and negatives. It is the job of the system administrator to find ways of dealing with these false positives and negatives. The final report produced after each scan consists of strategic advice and prioritized recommendations to ensure critical
Vulnerability Assessment and Penetration Testing - a hands-on testing of a system for identified and unidentified vulnerabilities. All known hacking techniques and tools are tested during this phase to reproduce real-world attack scenarios. One of the outcomes of these real-life testings is that new and sometimes obscure vulnerabilities are found, processes and procedures of attack are identified, and sources and severity of vulnerabilities are categorized and
Assessment Services
They can, and actually always do, provide and develop signatures and updates for new vulnerabilities and automatically include them in the next scan. This eliminates the need for the system administrator to schedule periodic updates.
Probably the best advantage to an overworked and many times resource-strapped system administrator is the automated and regularly scheduled scan of all network resources. They provide, in addition, a badly needed third-party security eye, thus helping the administrator to provide an objective yet independent security evaluation of the