Life Cycles and Project Scoping Lesson 4

Life Cycles and Project Scoping Lesson 4. First Steps Find the Work Client approaches you Salesperson approaches client Request for Proposal (RFP) Competitive


Life Cycles and Project Scoping

Lesson 4


First Steps

Find the Work
• Client approaches you
• Salesperson approaches client
• Request for Proposal (RFP)

Competitive situation
• Several to many responses
• Client evaluates responses and picks a vendor
• Ask questions and get clarifications


What is the point?

• Helps your client conduct business in a safer manner
• Helps protect against fraud, loss, or theft
• Answers the “what if” questions
• Helps ensure integrity, availability, and confidentiality of client data
• Helps prevent your client from becoming the next headline


Building the Proposal

Address the Client’s Needs
• Figure out what they want
• Tell them what you are going to do
• Tell them how long it is going to take
• Tell them what they are going to get
• Tell them why they should pick you
• Tell them how much it is going to cost
• Don’t be afraid to give them options


Things to do

Planning
• Outline proposed activities
• Request information from the client

Coordination
• Let the client POC know when and where testing occurs
• Tell the client all the possible impacts before testing starts

Things to do (cont)

Involvement
• Keep the client POC in the loop during testing
• Depending on the arrangement, major findings may be discussed immediately upon discovery

Minimize Surprises
• Prepare your client for the unexpected
• Assessment teams usually find something
• Sometimes the extent of discovery is troubling

Be prepared for follow-up actions
• The report should contain next steps and recommendations


Information Security Life Cycle

A Vulnerability Assessment really should be considered part of an organization’s information security life cycle.

• The cycle starts with a risk analysis.
• A cost/benefit analysis is the next step, to determine what countermeasures might be cost-effectively employed to address the identified risks.
• Once safeguards are in place, it makes sense to periodically test them to ensure they are working correctly.

The textbook’s life cycle is similar to our operational process.

Diagram: Security Operational Process. The diagram shows the phases Evaluate, Monitor, Secure and Test together with METRICS, and lists the following services:

• Intrusion detection
• Firewalls
• Encryption
• Authentication
• Security Design Review
• Security Integration Services
• 24 Hr Monitoring Services
• Remote Firewall Monitoring
• Vulnerability Assessment Services
• Vulnerability Scanners


Goals of a Network Vulnerability Assessment (NVA)

• Test everything possible
• Test the entire domain

An intruder only needs one hole to gain access; you need to plug them all (or at least as many as possible).

Two factors will affect your NVA:
• Time – this will be time away from other jobs
• Money – may limit the tools at your disposal

Generate a report that will be read, and understood, by your management (or your client’s) so that the organization’s security posture can be improved.

• Don’t be tempted to use a tool’s default report and turn that in as your final result. Not all items may be applicable for your environment.
• What constitutes a useful report will vary.


Vulnerabilities

Documented problems or errors that can be exploited by individuals with malicious intent to gain access to your network or systems or to disrupt their operations.

There are also undocumented vulnerabilities, but those are harder to test for, since you don’t know they exist to test for them! While unknown vulnerabilities can certainly cause a problem if discovered by malicious individuals, the majority of attackers will spend their time seeing if you have properly addressed the known problems.

Vulnerability Life Cycle

Vulnerability Discovered
Somebody finds the vulnerability. This may be an accident or a deliberate attempt to discover holes. A variety of individuals may discover them too (user, “hacker”, software developer, …).

Vulnerability Announced
Numerous web sites exist where folks will post word of a new vulnerability. Chat rooms as well.

Vulnerability Popularized
Somebody takes the announced vulnerability and creates a script or exploit tool to take advantage of it. Other individuals (including “script kiddies”) download and use the tool.

Patch Released
The vendor, having learned of the vulnerability too, determines a method to fix the problem and releases a patch to do so.


Vulnerability Life Cycle -- discussion

Not all vulnerabilities follow the cycle outlined in the text.

Frequently a vulnerability may be discovered and the individual does NOT release word of it until after the vendor has been contacted and has had an opportunity to create a patch. The patch and the vulnerability may be announced at the same time.

So, in these cases the net result is a vulnerability that causes no problem – right???


Some Vulnerability Examples

Code Red Worm (2001)
• Exploited a vulnerability discovered in MS IIS web servers (a buffer overflow).
• The worm struck in July, 2001.
• MS had announced the vulnerability and released a patch in June, 2001.

Slammer Worm (2003)
• Exploited a vulnerability discovered in MS SQL servers.
• Struck in January, 2003.
• MS had released a patch to take care of this vulnerability before it was even announced – in July of 2002!

So, do we detect a common theme???

Classes of Vulnerabilities

Hard
Mistakes made by the manufacturer of the software that have created a hole that can be exploited (once discovered).
• Often referred to as “bugs” (or “features”)
• Fixed with service packs and hotfixes

With the volume of patches, this is a REAL problem! Do you always install patches???

Soft
Misconfigurations by users or administrators, not generally the fault of developers/vendors.
• Default configurations, however, sometimes include problems
• May be a result of:
• Lack of training or knowledge
• Inadequate or missing security plans/procedures/policies
• Problems with management of changes


Elements of a Good Vulnerability Assessment

Comprehensive
• Set by the scope statement: what will you include?

Experience
• Bottom line, you need to practice with the tools.

Reproducible results
• Hard to convince folks there is a problem unless you can demonstrate it.
• At least ensure you obtain screen captures of items that may be the result of a temporary problem.

Multi-Test Environment (MTE)
• Best to use multiple tools; don’t rely on just one, because if it is missing something important, so will your assessment.
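To show how the scope statement, reproducible results and the multi-tool point above fit together in practice, here is an added Python example (not from the lecture or from Peltier’s book). It merges constructed findings from two hypothetical scanners, drops hosts outside the scoped ranges, and flags findings that only one tool reported so they are demonstrated by hand before they go into the report.

```python
"""Reconcile findings from several scanners against the assessment scope.

Added example (not from the lecture or Peltier's text). Scanner names,
hosts and findings below are constructed sample data; the scope list
stands in for the hosts a scope statement would enumerate.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed scope: the network ranges the scope statement covers.
IN_SCOPE = [ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")]

# Constructed output of two different tools: (tool, host, port, issue).
FINDINGS = [
    ("scanner-a", "10.0.1.10", 80, "outdated web server"),
    ("scanner-b", "10.0.1.10", 80, "outdated web server"),
    ("scanner-a", "10.0.1.10", 1433, "weak database configuration"),
    ("scanner-b", "10.0.2.5", 23, "telnet service enabled"),
    ("scanner-a", "192.168.9.9", 22, "ssh service enabled"),  # out of scope
]


def in_scope(host):
    """True if the host falls inside one of the scoped network ranges."""
    addr = ip_address(host)
    return any(addr in net for net in IN_SCOPE)


def reconcile(findings, scope_check=in_scope):
    """Merge per-tool findings into one dict keyed by (host, port, issue).

    The value is the set of tools that reported the finding, so items seen
    by a single tool can be flagged for re-verification, and hosts outside
    the scope statement are dropped rather than reported.
    """
    merged = defaultdict(set)
    for tool, host, port, issue in findings:
        if not scope_check(host):
            continue  # never report beyond the scope statement
        merged[(host, port, issue)].add(tool)
    return dict(merged)


def needs_verification(merged):
    """Findings seen by only one tool: demonstrate them before reporting."""
    return sorted(k for k, tools in merged.items() if len(tools) == 1)


if __name__ == "__main__":
    result = reconcile(FINDINGS)
    for key, tools in sorted(result.items()):
        print(key, "reported by", sorted(tools))
    print("verify manually:", needs_verification(result))
```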


Project Scoping

Determines what the boundaries will be for the project.

• What physical limits might exist?
• What parts of the organization will be included?
• How much (if not all) of the network will be reviewed?
• How many people will be consulted?
• How many people will be working on the project?


Project Overview Statement

One page at most. Contains:

• Project definition: short description of the purpose of the project and its benefit.
• Project goal: state (in at most two sentences) what problems or weaknesses you hope to address.
• Objectives: short list of objectives that have to be met to reach the goal.
• Success factors: delineate the benefits of accomplishing the project.
• Assumptions: describe weaknesses, known omissions, problems, etc.


Work Breakdown Structure or Task List

Breaking down the work into its various components. Must keep in mind that:

• Task status must be measurable
• Each task must be a clearly defined event with a clear start and stop point
• Every task must have a deliverable


Exhibit 2

Page 21 from Peltier


Exhibit 2 (cont)

Page 21 from Peltier


Top Down Assessment Tasks

“Higher Level View” tasks. Need to know:

Type of documents available
• Business objectives, security policies, standards…

Number of staff to be interviewed
• Trying to find folks we can talk to who will give us a feel for the current security posture.
• Will want variety: managers, techies, normal users.

Number and location of offices to be visited
• Remote locations may frequently have “relaxed” standards.
• Traveling to remote locations may be necessary but will increase time to complete and costs.


Bottom-up Assessment Tasks

Concentrates on “lower level” issues – hardware, software, specific applications and implementations…
• Need to know what components will be involved in the test.
• Allows us to determine what types of tests are needed (e.g. is there a web server? Will we test it? If so, we need to find an appropriate scanner).

Information needed for scoping can be acquired using a questionnaire:


Exhibit 7

Page 25 from Peltier


Exhibit 7 (cont)

Page 26 from Peltier


Exhibit 7 (cont)

Page 27 from Peltier

Exhibit 7, some comments

A few other security devices you might want to ask about:
• IDS, special access control or authentication devices, …

• Social Engineering is mentioned, but it has many levels/forms; need to be a bit more specific.
• Physical was mentioned, but need more info if the answer is “yes”.
• War dialing is mentioned; what about war driving?

Remember, the goal of this phase is to scope the assessment; need enough info to do this (but don’t need precise details).


And another offering…

A useful exercise some may want you to conduct is to examine their public presence.

What info can you find out about the organization?
• IP addresses
• Phone numbers
• HW/SW they use
• Other useful info…

This needs to be conducted BEFORE you tell the test team the IP addresses from Exhibit 7.

If not before, at least have it done by other individuals.


Project Scope Document

Exhibit 8 from Peltier, page 28


Project Scope Change

It will happen: somebody is going to want to change the scope of the assessment.
• Need a process to approve proposed changes.
• Peltier offers a “Project Scope Change Request” document – on smaller assessments you do for your own organization this may not be needed. For larger organizations, or for contracted efforts, you need a well thought out process.

Another term you may hear is “Statement of Work” (SOW). This is often used to identify what will be accomplished in a contract.


Summary

What is the importance and significance of this material?

How does this topic fit into the subject of “Security Risk Analysis”?