Network Vulnerability Assessment Methodology Lesson 6

Page 1: Network Vulnerability Assessment Methodology Lesson 6

Network Vulnerability Assessment Methodology

Lesson 6

Page 2

Review of Some Definitions

- Risk: the probability that a threat will exploit a vulnerability to adversely affect an information asset.
- Threat: an event, the occurrence of which could have an undesired impact.
- Threat impact: a measure of the magnitude of loss or harm on the value of an asset.
- Threat probability: the chance that an event will occur or that a specific loss value may be attained should the event occur.
- Safeguard: a risk-reducing measure that acts to detect, prevent, or minimize loss associated with the occurrence of a specified threat or category of threats.
- Vulnerability: the absence or weakness of a risk-reducing safeguard.

Definitions from Peltier Text

Page 3

Philosophy of an NVA

“The NVA examines the network systems from both a policy and a practice point of view” – the top-down and bottom-up assessments mentioned in a previous lesson.
- Top-down: concentrates on the extent to which policies and procedures promote a secure computing environment. The team examines the procedural framework upon which corporate security rests.
- Bottom-up: concentrates on the hardware and software implementations of network security.

Exhibit 1, page 50 from Peltier

Page 4

NVA Methodology

Page 51 from Peltier text

Page 5

NVA Methodology

Page 52 from Peltier Text

Page 6

NVA Team Members and Skills

Major roles:
- NVA lead
- Policy examiner(s)
- Technical examiner(s)

May need experts in several OSs and programs.

Page 58 from Peltier Text

Page 7

Project Initiation

- Develop detailed project plan
  - An earlier meeting may be needed to complete the Pre-NVA checklist (before the detailed plan is completed)
  - Obtain approval of the detailed project plan by the sponsor (before the kick-off meeting)
- Assemble teams and make tentative assignments
- Hold a kick-off meeting with the sponsor (client)

Page 8

Phase I Data Collection

- Obtain documents that the client has from the list in the Pre-NVA checklist.
- Review applicable state and federal laws affecting the client.
- Review documentation and list of equipment.
- Create a list of known bugs and security vulnerabilities to test for in the client environment.

Page 9

Phase II, Interviews, Information Reviews, Hands-on Investigation

Interviews
- Determine what interviews you might want to conduct
- Provide a list of requested interviews to the POC
- Conduct interviews

Other Phase II activities
- Request additional documents that may not have been considered during Phase I
- Request facility and network clearance and passwords for team members from the POC (we will differ from this slightly)
- Take a tour of the facility and conduct tests of HW and SW as well as a physical inspection.

Page 10

Phase II, our version

What the text has is good; we will be adding to it. We need the onsite evaluation of HW/SW and the look at the physical facilities. We will want to conduct:
- Public presence analysis
- External penetration test
  - Reconnaissance
  - Focused reconnaissance
  - Vulnerability scanning
  - Web page inspection/alteration
  - Passwords
  - Social engineering

Page 11

Reconnaissance

Reconnaissance
- Port scanning: single ports
- Port scanning: multiple ports

Focused reconnaissance
- Port scans and connection programs to grab banner information from all open services, sometimes integrated into vulnerability scanners
- Basic configuration information
- Password protection
- Site content

Page 12

Vulnerability Scanning

- Automated scanning for known vulnerabilities based upon server type
- Many different scanners exist, open source as well as commercial:
  - Whisker
  - CIS
  - Netsonar
  - ISS
  - Nmap
  - Nessus

Page 13

Web Page Examination

Raw HTML examination
- Path names
- Directory listing
- Clues to directory structure
- Database commands
- Hard-coded IP addresses
- Other extraneous information

Editing HTML
- Saving a local copy, then making key edits to attempt unauthorized data access
- SQL injection

Form entry
- Overly long inputs, inputs with invalid characters
- SQL injection
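Added example, not from Peltier's text or this lesson: a small Python check that a site owner can run over their own page source before publishing, covering the raw HTML examination items above (path names and directory clues, database commands, hard-coded IP addresses, developer comments) plus the hidden form fields that a saved-and-edited local copy would tamper with. The sample page, the regular expressions, and the `/cgi-bin` and `/admin` path heuristics are constructed assumptions, not values from the lesson.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (hypothetical, not from any real site) that shows the
# kinds of extraneous information the raw HTML examination step looks for.
SAMPLE_HTML = """<html><body>
<!-- dev note: query is SELECT * FROM orders WHERE cust_id = $id -->
<a href="/cgi-bin/admin/list.cgi">Admin</a>
<img src="http://10.0.0.5:8080/images/logo.gif">
<!-- old path C:\\inetpub\\wwwroot\\include\\db.inc -->
<form action="/cgi-bin/order.cgi" method="post">
  <input type="hidden" name="price" value="9.99">
</form></body></html>"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SQL = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b\s+.*?\b(?:FROM|INTO|SET)\b", re.I)
FS_PATH = re.compile(r"(?:[A-Za-z]:\\[^\s\"'<>]+|/(?:etc|var|home|usr)/[^\s\"'<>]+)")

class LeakFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = {"comment": [], "hardcoded_ip": [], "sql": [],
                         "fs_path": [], "hidden_field": [], "path_hint": []}

    def handle_comment(self, data):        # developer comments often carry all of the above
        text = data.strip()
        self.findings["comment"].append(text)
        self._scan_text(text)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for value in (a.get("href"), a.get("src"), a.get("action")):
            if value:                       # URLs reveal directory structure and hosts
                self._scan_text(value)
                if "/cgi-bin/" in value or "/admin" in value:   # assumed heuristic
                    self.findings["path_hint"].append(value)
        if tag == "input" and a.get("type", "").lower() == "hidden":
            # hidden fields are what a saved-and-edited local copy would tamper with
            self.findings["hidden_field"].append((a.get("name"), a.get("value")))

    def _scan_text(self, text):
        self.findings["hardcoded_ip"].extend(IPV4.findall(text))
        self.findings["sql"].extend(m.group(0) for m in SQL.finditer(text))
        self.findings["fs_path"].extend(FS_PATH.findall(text))

def find_leaks(html):
    """Return {category: [findings]} for one page of HTML source."""
    p = LeakFinder()
    p.feed(html)
    p.close()
    return p.findings
```

Any hidden field reported here should be treated as untrusted input on the server side, since the client can change it freely; the other categories are information to remove before the page ships.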

Page 14

Passwords and Social Engineering

- Attempt to guess passwords
  - Default and common passwords
  - Intelligent guesses based on obtained info
  - Brute force (later we may ask for the password file to crack)
- Social engineering
  - Attempt to obtain information through SE: names of individuals, positions, phone numbers, email addresses (this generally gives the login ID)
  - Attempt to social engineer a password/userid (for a small company, may not be able to do this)
- Physical attack on facility
  - Dumpster diving
  - Shoulder surfing, piggybacking

Page 15

Phase III Analysis
- Spans most of the NVA process, as it is being conducted at multiple levels
- Ongoing analysis may shape and direct further activities.
- Need to identify threats and vulnerabilities
- Also need to take a look at possible ways to mitigate the risks; need to consider the most cost-effective mechanisms

Analysis of security policies
- Do policies explicitly state what is and is not permissible?
- Do they cover all security-related factors (network to physical)?

Page 16

Security Handbook

It has been recommended by several sources that every organization have a security handbook for all employees. This book translates the company’s policies into specific practices for the employees. Examine the handbook (if they have one) and ensure:
- Users can implement the security policy correctly
- The book provides specific examples as opposed to generalized statements.
- Consequences for failure to follow policies are clearly delineated.
- Users are provided an understanding of their responsibilities and expectations
- It covers all situations (e.g. telecommuting)
- It has a procedure to report violations of policies

Page 17

Additional Phase III items

Examination of:
- Standards and practices
- Document handling
- Incident handling
  - Do they have procedures?
  - Do they have an established IRT?
- Asset protection
- Management and awareness
- Organizational suitability (e.g. is senior management openly supportive of the security program?)
- Personnel issues (enough people to do the job? good HR and security-related policies?)
- After-hours procedures
- Auditing
- Application design and development procedures
- Technical safeguards (and their operation)

Page 18

Phase IV & V: Reports

Phase IV: draft report (sample sections covered in text).
- Provides the sponsor an opportunity to review, and for you to re-evaluate areas that might be in question (if necessary) or to clarify points.
- Provides the sponsor an opportunity to provide comments

Phase V: final report and presentation
- Can include comments from the sponsor obtained after the draft report was reviewed
- Formal presentation signals the formal conclusion of the project. Provided to senior management if possible.
- Several final reports:
  - Senior management
  - Techie summary report and techie detailed report

Page 19

Text Book Timeline - Laredo

Exhibit 4, page 58 from Peltier

[Timeline chart: lessons 10 through 28 and Final, with the activities "Interviews, analysis, tests" spread across them]

Page 20

Textbook Timeline - Austin

Exhibit 4, page 58 from Peltier

[Timeline chart: lessons 10 through 28 and Final, with the activities "Interviews, analysis, tests" spread across them]

Page 21

Summary

What is the importance and significance of this material?

How does this topic fit into the subject of “Security Risk Analysis”?