Security Risk Management and Ethics Chapter 4 PDF


University of Jordan

Mohammed Amin Almaiah


Summary

This document is a chapter on security risk management, specifically focusing on identifying and analyzing threats, vulnerabilities, and exploits. The chapter covers threat assessments, vulnerability assessments, and different types of threats in an organization's IT infrastructure.

Full Transcript


Security Risk Management and Ethics
Chapter Four: Identifying and Analyzing Threats, Vulnerabilities, and Exploits
Mohammed Amin Almaiah, Associate Professor, Dept. of Computer Science, University of Jordan

Chapter 4: Topics

This chapter covers the following topics and concepts:
- What threat assessments are
- What vulnerability assessments are
- What exploit assessments are

Chapter 4: Goals

When you complete this chapter, you will be able to:
- Describe techniques used to identify threats
- List best practices for threat assessments within the seven domains of a typical IT infrastructure
- Describe the value of reviewing documentation for a vulnerability assessment
- Describe the value of reviewing system logs, audit trails, and intrusion detection system outputs for a vulnerability assessment
- Identify tools used to perform vulnerability scans
- List best practices for vulnerability assessments within the seven domains of a typical IT infrastructure
- Identify exploits throughout the seven domains of a typical IT infrastructure

Threat Assessments

A threat assessment identifies and evaluates potential threats. The goal is to identify as many potential threats as possible. You then evaluate the threats. One important element is an estimate of a threat’s frequency.

In the previous chapter, we covered risk assessments. As a reminder, a risk assessment is performed for a specific time. Risks that exist today may not exist in a year. Similarly, a threat assessment is performed at a specific time. The threat assessment evaluates current threats in the existing environment.

Threats were presented in Chapter 1. A threat is any activity that represents a possible danger. This includes any circumstances or events with the potential to adversely cause an:

(1) Impact on confidentiality—Any unauthorized disclosure of data. You can apply access controls to ensure only specific users have access to data. Encryption techniques also help to protect confidentiality.
(2) Impact on integrity—The modification or destruction of data. Access controls protect data from malicious attackers who want to modify or destroy data. Hashing techniques verify integrity by detecting if the data has been modified.

(3) Impact on availability—The availability of any service or system. Different fault tolerance strategies ensure that systems and services continue to operate even if an outage occurs. Data is backed up to ensure it can be restored even if data is lost or becomes corrupt.

Figure 8-1 shows the different threats to an organization. They are generically categorized as either human or natural. Human threats can be internal or external. They can also be intentional or unintentional. Internal threats are by far the biggest threats to a company. Natural threats occur from weather or other non-manmade events.

External attackers can be hackers launching denial of service (DoS) attacks on your network. They can be malware writers trying to access, modify, or corrupt your organization’s data. They can even be terrorists launching attacks on buildings or entire cities.

Internal users can also cause damage. A disgruntled employee may be able to access, modify, or corrupt the organization’s data. If proper access controls aren’t used, other employees may also access, modify, or corrupt data. Although the disgruntled employee’s actions will be purposeful, regular employees’ actions are accidental.

Natural threats include weather events such as floods, earthquakes, tornados, and electrical storms. Fires can also be a natural threat.

The Top Threats Are Internal

It’s not always apparent, but the top threats are internal. Some are accidental, and some are malicious. However, if you can train employees and control their actions, you’ll reduce a significant number of threats.
Some of the common threats from internal sources are:

(1) Unintentional access—Access controls take a lot of effort to implement and maintain. This includes ensuring authentication processes are secure. It also includes enforcement of least-privilege and need-to-know policies. When users have access to data they don’t need, the data is at risk. Users can accidentally delete the data. They can also share the data with someone else who shouldn’t have access to it.

(2) Disgruntled ex-employees—When an employee is terminated, the user account should be either deleted or disabled. If not, the ex-employee may be able to access the same data or systems. The ex-employee could also pass on his or her credentials to someone else in-house to act as a proxy. The unauthorized access could result in data corruption or system sabotage.

(3) Responding to phishing attempts—Many users don’t understand the risks with computers. More sophisticated phishing attempts target specific companies and fool the users. Spear-phishing is a targeted phishing attempt that looks as if it’s coming from someone in the company.

(4) Forwarding viruses—Users can open infected e-mails and forward them to coworkers without realizing the danger. Users can bring viruses from home on universal serial bus (USB) flash drives.

(5) Lack of laptop control—Laptops are easily stolen. When users don’t exercise physical control over laptops, the computers often disappear. The organization loses the hardware and software. What’s more, data on the laptop is compromised.

Threat Assessments (continued)

The goal of a threat assessment is to identify threats. You can identify threats by reviewing historical data. You can also identify threats using threat modeling. After you’ve identified threats, you’ll try to determine the likelihood of the threat. Some threats are more likely to occur, while others are less likely.
Next, you prioritize the threats. There are times when you’ll be able to match threats with vulnerabilities to determine costs. However, other times you won’t be able to identify costs without also completing a vulnerability assessment.

The last step in a threat assessment is to provide a report. This report lists the findings. It includes the threats, the likelihood, and any identified costs.

This section on threat assessments includes:
- Techniques for identifying threats
- Best practices for threat assessments within the seven domains of a typical IT infrastructure

Techniques for Identifying Threats

There are two primary techniques you can use to identify threats. (1) You can review historical data. (2) You can also perform threat modeling. The techniques you choose depend largely on your environment and available materials. It’s possible to use both techniques. If you have historical data available, this is often the easier approach. Historical data provide specific information on past threats. However, there is no guarantee that past threats will repeat. Additionally, there is no guarantee that a new threat won’t appear. Threat modeling is more complex. It requires you to examine systems and services from a broader perspective. The process can be very time consuming.

(1) Review Historical Data

One of the best ways to determine what threats exist is to analyze past incidents. This includes past incidents at the organization, at similar organizations, and in the local area:
- Organization—A review of past incidents will reveal threats that have resulted in losses.
- Similar organizations—Incidents with organizations in the same business will reveal possible threats in your organization.
- Local area—Natural and weather events are likely to repeat in the same area.

You can gather this data by compiling records and conducting interviews.
Data can be compiled from any existing records. These can be security records. They can be insurance claims. You can also review troubleshooting records to determine outages and their causes. You can conduct interviews with management and other employees. Employees often know exactly what the problems are and where the threats exist. Management knows the particular threats that have resulted in significant losses.

Organization Historical Data. You can review an organization’s historical data to identify past incidents from threats. Past incidents can take many forms. They can result from users accidentally or maliciously causing problems. They can come from external attackers. They can come from natural events. Here are a few possible examples:

(1) Internal users—Users were granted access to data they didn’t need. They stumbled upon it and shared it with coworkers. This resulted in unauthorized disclosure of confidential data.

(2) Disgruntled employee—An employee was terminated for cause on a Monday. His account was not disabled or deleted. The employee accessed his account on Wednesday and deleted a significant amount of data. Some of the data was not backed up and was lost permanently.

(3) Equipment failure—A server crashed after a power spike. The server remained down for several hours until a power supply was replaced.

(4) Software failure—An ordering database application crashed on a database server. The server had to be rebuilt from scratch. Administrators reinstalled the operating system. They reinstalled the database application. They then restored the data from backups. This process took over 10 hours and customers could not place online orders during this time.

(5) Data loss—All users are required to store their data on a central file server. The data is backed up once a week on Sunday.
The file server crashed on a Wednesday and many users lost over two days of work.

(6) Attacks—An e-mail server became infected with a virus. This virus spread to all the e-mail users’ mailboxes. It took approximately two days to clean the system and return e-mail services to users.

Similar Organizations’ Historical Data. Many threats are common to similar organizations. By identifying the threats against similar organizations, you can identify possible threats against your organization. For example, attackers get a kick out of defacing any law enforcement Web site. Years ago, there were many instances of such Web sites being defaced. However, most law enforcement agencies recognize the threat today. They take additional steps to protect their Web sites. This is not to say they are immune to the threat. They have simply taken extra steps to protect themselves. Any organization with public-facing servers faces similar threats. Apache is a popular Web server product that can run on UNIX, Linux, and Microsoft platforms. It serves Web pages over the Internet. Any company that hosts Apache faces the same threats.

Local Area Data. Primary considerations for the local area are weather conditions and natural disasters. If a location is on the coast, and the coast has had hurricanes in the past, it will likely have hurricanes in the future. If a location is in a flood zone, it will likely flood in the future.

(2) Threat Modeling

Threat modeling is more complex than just researching historical data for threats. It is a process used to assess and document an application or system’s security risks. Ideally, you perform threat modeling before writing an application or deploying a system. This is done when security is considered throughout the full life cycle of a product or service. If security is only considered at the end of the project, it frequently falls short.
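Before moving on to threat modeling, here is the historical-data approach carried through the assessment steps described earlier (estimate frequency, determine likelihood, prioritize, identify costs, report). This is an added illustration, not code from the chapter; the incident records, loss figures, three-year window and likelihood thresholds are all constructed assumptions.

```python
"""Estimate threat frequency from historical incident records, then
prioritize and report. Added illustration; all data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Incident:
    when: date
    threat: str    # threat category the incident is attributed to
    loss: float    # estimated loss in currency units (constructed)


# Constructed incident history over a three-year observation window,
# modelled on the kinds of incidents listed in the chapter (not real data).
INCIDENTS = [
    Incident(date(2021, 3, 2), "unauthorized disclosure by internal user", 5_000.0),
    Incident(date(2021, 9, 15), "disgruntled ex-employee access", 40_000.0),
    Incident(date(2022, 1, 20), "equipment failure", 8_000.0),
    Incident(date(2022, 6, 8), "software failure", 25_000.0),
    Incident(date(2022, 11, 3), "equipment failure", 6_000.0),
    Incident(date(2023, 2, 14), "data loss (file server)", 12_000.0),
    Incident(date(2023, 7, 30), "malware infection of e-mail server", 30_000.0),
    Incident(date(2023, 10, 1), "equipment failure", 7_000.0),
]
OBSERVATION_YEARS = 3


def annual_rate(incidents, years):
    """Threat frequency: incidents per year for each threat category."""
    counts = defaultdict(int)
    for inc in incidents:
        counts[inc.threat] += 1
    return {threat: n / years for threat, n in counts.items()}


def average_loss(incidents):
    """Average loss per incident for each threat category (the identified cost)."""
    totals, counts = defaultdict(float), defaultdict(int)
    for inc in incidents:
        totals[inc.threat] += inc.loss
        counts[inc.threat] += 1
    return {t: totals[t] / counts[t] for t in totals}


def likelihood(rate):
    """Map the annual rate onto a coarse likelihood scale (thresholds assumed)."""
    if rate >= 1.0:
        return "high"
    if rate >= 0.5:
        return "medium"
    return "low"


def prioritize(incidents, years):
    """Rank threats by expected annual loss (frequency x average loss)."""
    rates, losses = annual_rate(incidents, years), average_loss(incidents)
    rows = []
    for threat in rates:
        rows.append({
            "threat": threat,
            "rate": rates[threat],
            "likelihood": likelihood(rates[threat]),
            "avg_loss": losses[threat],
            "expected_annual_loss": rates[threat] * losses[threat],
        })
    rows.sort(key=lambda r: r["expected_annual_loss"], reverse=True)
    return rows


def report(rows):
    """Render the findings: threat, likelihood and identified cost per year."""
    lines = [f"{'threat':<42}{'rate/yr':>8}{'likelihood':>12}{'exp. loss/yr':>14}"]
    for r in rows:
        lines.append(f"{r['threat']:<42}{r['rate']:>8.2f}{r['likelihood']:>12}"
                     f"{r['expected_annual_loss']:>14,.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(prioritize(INCIDENTS, OBSERVATION_YEARS)))
```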
When threat modeling is used, you first need to identify the assets you want to evaluate. Previous chapters covered the importance of asset management. Asset management helps you to identify the assets that are important to an organization, including their value. You can then take steps to identify the threats against the valuable assets. An excellent starting point when performing threat modeling is to use the seven domains of a typical IT infrastructure. As a reminder, the seven domains were covered in Chapter 1. They are presented later in this section with some best practices.

Some of the key questions you can ask yourself when performing threat modeling are:
- What system are you trying to protect?
- Is the system susceptible to attacks?
- Who are the potential adversaries?
- How might a potential adversary attack?
- Is the system susceptible to hardware or software failure?
- Who are the users?
- How might an internal user misuse the system?

Threat modeling for complex systems can become quite extensive. Depending on the system you’re evaluating, you may need to define specific objectives to limit the scope of the evaluation. When performing threat assessments, it’s important to ensure you understand the system or application you’re evaluating.
This includes what systems are involved. It also includes an understanding of how data flows in and out of systems. Without a full understanding of a system, it’s difficult to shift your perspective to an attacker. Understanding a system often requires you to interview the experts and review the documentation on the system.

Best Practices for Threat Assessments Within the Seven Domains of a Typical IT Infrastructure

One method of ensuring that you have addressed all threats is to use the seven domains of a typical IT infrastructure. As a reminder, the seven domains are the User Domain, Workstation Domain, LAN Domain, LAN-to-WAN Domain, WAN Domain, Remote Access Domain, and System/Application Domain. Figure 8-2 shows the seven domains. You can methodically go through each of these domains and evaluate the threats.

Some best practices you can use when evaluating these threats include:
- Verify that systems operate and are controlled as expected.
- Limit the scope of the assessment to a single domain at a time.
- Use documentation and flow diagrams to understand the system you’re evaluating.
- Identify all possible entry points for the domain you’re evaluating.
- Consider threats to confidentiality, integrity, and availability.
- Consider internal and external human threats.
- Consider natural threats.

Vulnerability Assessments

A vulnerability assessment (VA) is performed to identify vulnerabilities within an organization. Vulnerabilities are any weaknesses in your IT infrastructure. They can exist for a specific server. They can exist for entire networks. They can also exist with personnel. For example, a single Web server could be vulnerable to a buffer overflow attack. Imagine that a buffer overflow bug has been discovered in May.
If it’s not patched until July, it remains vulnerable between May and July.

Entire networks can be vulnerable if access controls aren’t implemented. For example, if all users are granted the same rights and permissions for a network, there is no access control. All data on the network could be vulnerable to unauthorized disclosure. However, administrative models can be used to implement access controls. The principles of least privilege and need to know ensure that users have the access they need, but no more.

Vulnerabilities exist with personnel if they don’t understand the value of security. Social engineering tactics trick people into revealing sensitive information or taking unsafe actions. If users don’t understand the value of security practices, they are less likely to take specific actions. For example, an employee may receive a phone call that goes like this:

“Hi. This is Joe in IT. We’re doing a system upgrade and discovered a problem with your user account. In order to fix it and ensure you don’t lose any data, we’ll need to log onto your account from the server. Can you give me your user name and password?”

Of course, Joe doesn’t work in the IT shop, but instead is trying to get a user to reveal a user name and password. If users frequently give out their password to administrators, this will easily succeed. If users are told to never give out their passwords, it may not succeed.

You perform vulnerability assessments to check for any of these types of vulnerabilities. You will perform some assessments more often than others. Automated vulnerability scans of systems are usually performed more frequently. You can do them with assessment tools on a weekly basis. You can perform audits on an annual basis to see if security controls are being used as expected. For example, an annual audit can detect if access controls are still being used as expected.
Additionally, you can do tests to see if personnel respond to social engineering tactics on an annual basis.

You can perform vulnerability assessment testing internally or externally:
- Internal assessments—Security professionals try to exploit the internal system to see what they can learn about vulnerabilities. Some large companies have dedicated staff that regularly perform assessments. A smaller company could assign this as an extra task for an IT administrator.
- External assessments—Personnel outside the company try to exploit the system to see what they can learn. These are consultants hired to assess the security. Outside consultants provide a fresh look at your system. They are usually very good at quickly identifying weaknesses.

This section on vulnerability assessments includes the following topics:
- Documentation review
- Review of system logs, audit trails, and intrusion detection system outputs
- Vulnerability scans and other assessment tools
- Audits and personnel interviews
- Process analysis and output analysis
- System testing
- Best practices for performing vulnerability assessments within the seven domains of a typical IT infrastructure

Documentation Review

One of the steps you can take when performing a VA is to review the available documentation. The documentation can be from multiple sources, including:

(1) Incidents—If any security incidents have occurred, you should review the documentation from the incident. Often, the cause of an incident is directly related to a vulnerability. For example, a successful buffer overflow attack on an Internet-facing server may have resulted in a malware infection. This may indicate that the system is not being updated often enough.

(2) Outage reports—You can investigate any outage that has affected the mission of the business. If the outage affected the bottom line, you can probably identify a vulnerability.
(3) Assessment reports—Past assessment reports should be reviewed. This helps identify common problems. It also helps identify problems that have not been corrected.

Review of System Logs, Audit Trails, and Intrusion Detection System Outputs

In addition to reviewing past assessment reports, there is a lot of additional information you can review to determine vulnerabilities. The three common sources of information are system logs, audit trails, and intrusion detection systems.

(1) System Logs

Any computer system has some type of system logs. These logs have different names for different operating systems, but overall have the same purpose. They log data based on what the system is doing. For example, Microsoft Windows systems have a log called System. You view this log using the Windows Event Viewer. The System log records system events such as when systems and services start or stop. The log records errors, warnings, and information events. You can determine what is happening to a system by reviewing the system logs. Some events such as warnings and errors will jump right out, indicating obvious problems. Others need a little more analysis to identify trends.

(2) Audit Trails

An audit trail is a series of events recorded in one or more logs. These logs are referred to as audit logs, but an audit trail can be recorded in many types of logs. For example, Microsoft Windows includes a Security log that records auditable events. Additionally, security applications like firewalls record auditable events. Any type of audit log attempts to log at least who, what, when, and where. If a user is logged on, the credentials are used to identify who accessed the data. For some logs such as firewall logs, the “who” may be the source’s Internet Protocol (IP) address instead of a user name.
Auditable events are any events that you want to track. For example, you may want to know if anyone accessed a folder. You could enable auditing on the folder, and each time someone accessed any files within the folder, the access would be recorded. The event would include the user name, what file was accessed, when it was accessed, and the server or computer where it was accessed. Many organizations have automated systems that can review audit trails. An automated system has the capability of examining logs from multiple sources. These are sometimes combined with intrusion detection systems that can review the events to detect intrusions.

(3) Intrusion Detection System Outputs

An intrusion detection system (IDS) is able to monitor a network or system and send an alert when an intrusion is detected. A host-based IDS is installed on a single system. A network-based IDS has several monitoring agents installed throughout the network that report to a central server. Figure 8-3 shows an example of a network-based IDS with three monitoring agents installed on the network.
Notice the location of the three monitoring agents. One is on the Internet side. One is in the demilitarized zone (DMZ). One is on the internal network. If you examine the output of the IDS, it will reveal several key points. These three agents work together to identify what type of attacks are launched against the network. They also give you insight into the success of different mitigation techniques. Events from agent 1 show how many attacks are launched against your network from the Internet. Events from agent 2 identify the attacks that are able to get through the external firewall. This shows you the effectiveness of the firewall against specific types of attacks. It also helps reveal the vulnerabilities for any public-facing servers in the DMZ. Agent 3 shows the attacks that are able to get through the second firewall of the DMZ. These attacks on your internal network can be very damaging if not addressed.

Although the focus of Figure 8-3 is on attacks from the Internet, it’s also possible to have internal attacks. The network agent on the internal network monitors for internal attacks. It’s common for a network to have several internal agents installed to monitor an internal network. Internal attacks aren’t necessarily from malicious users. Instead, internal attacks are often from malware that has infected one or more systems on the network. However, the benefit of a network-based IDS is early detection of an infection.

(4) Vulnerability Scans and Other Assessment Tools

Many tools are available to perform vulnerability scans within a network.
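The three-agent IDS layout of Figure 8-3 as a small log analysis, added here as an example that is not part of the chapter: it counts what each agent saw and derives the firewall effectiveness and the attacks that reached the internal network. The alert line format, the agent numbering and the sample alerts are constructed assumptions, not the output of any particular IDS.

```python
"""Summarize alerts from three network IDS agents (Internet side, DMZ,
internal) to measure firewall effectiveness per attack type.
Added illustration; the alert format and sample lines are constructed."""
import re
from collections import defaultdict

# Assumed line format: <timestamp> agent=<1|2|3> sig="<signature>" src=<ip> dst=<ip>
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) agent=(?P<agent>[123]) sig="(?P<sig>[^"]+)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+)$')

# Agent placement as in Figure 8-3: 1 outside, 2 in the DMZ, 3 internal.
AGENT_LOCATION = {1: "internet", 2: "dmz", 3: "internal"}

# Constructed sample alerts (documentation IP ranges, not real traffic).
SAMPLE_ALERTS = """\
2024-05-01T10:00:01 agent=1 sig="web-scanner probe" src=198.51.100.7 dst=203.0.113.10
2024-05-01T10:00:02 agent=1 sig="web-scanner probe" src=198.51.100.7 dst=203.0.113.10
2024-05-01T10:00:03 agent=2 sig="web-scanner probe" src=198.51.100.7 dst=203.0.113.10
2024-05-01T10:01:10 agent=1 sig="smtp relay attempt" src=198.51.100.9 dst=203.0.113.25
2024-05-01T10:01:11 agent=1 sig="smtp relay attempt" src=198.51.100.9 dst=203.0.113.25
2024-05-01T10:05:00 agent=1 sig="sql injection" src=198.51.100.20 dst=203.0.113.10
2024-05-01T10:05:01 agent=2 sig="sql injection" src=198.51.100.20 dst=203.0.113.10
2024-05-01T10:05:02 agent=3 sig="sql injection" src=203.0.113.10 dst=10.0.0.5
2024-05-01T11:30:00 agent=3 sig="worm propagation" src=10.0.0.42 dst=10.0.0.43
"""


def parse_alerts(text):
    """Parse alert lines; malformed lines are skipped rather than guessed at."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append({"agent": int(m["agent"]), "sig": m["sig"],
                           "src": m["src"], "dst": m["dst"]})
    return alerts


def count_by_location(alerts):
    """Alert counts per signature at each monitoring location."""
    counts = defaultdict(lambda: {"internet": 0, "dmz": 0, "internal": 0})
    for a in alerts:
        counts[a["sig"]][AGENT_LOCATION[a["agent"]]] += 1
    return dict(counts)


def firewall_effectiveness(counts):
    """Fraction of each attack type seen by agent 1 that never reached agent 2.
    Signatures never seen from the Internet (purely internal) map to None."""
    result = {}
    for sig, c in counts.items():
        if c["internet"] == 0:
            result[sig] = None
        else:
            result[sig] = 1.0 - min(c["dmz"], c["internet"]) / c["internet"]
    return result


def reached_internal(counts):
    """Signatures observed by agent 3: attacks that got through both firewalls
    or that started inside the network (e.g. malware spreading host to host)."""
    return sorted(sig for sig, c in counts.items() if c["internal"] > 0)


if __name__ == "__main__":
    counts = count_by_location(parse_alerts(SAMPLE_ALERTS))
    for sig, eff in firewall_effectiveness(counts).items():
        print(f"{sig:<22} {counts[sig]}  external firewall stopped: "
              f"{'n/a' if eff is None else f'{eff:.0%}'}")
    print("seen on internal network:", reached_internal(counts))
```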
There are several commonly used tools, such as Nmap, Nessus, SATAN, and SAINT. These tools provide several benefits. Some of the benefits include:

- Identify vulnerabilities—They provide a fast and easy method to identify vulnerabilities. You simply run the scan and then analyze the report.
- Scan systems and network—Vulnerability scanners can inspect and detect problems on the network and on individual hosts. They can detect vulnerabilities based on the operating system, applications, and services installed on the host. They can detect open ports and access points on the network.
- Provide metrics—A key part of management is measurement. If you can measure something, you can identify progress. This is also true with vulnerabilities. If you are just starting to run regular vulnerability scans, the scans will likely discover many vulnerabilities. Six months later, if you analyze the metrics, you’ll notice that the issues are significantly reduced. If not, you may have other problems. For example, if you have all of the same vulnerabilities six months after the first scan, the vulnerabilities are not getting fixed.
- Document results—The resulting documentation provides input for internal reports. It also provides documentation for compliance. You can use scanner reports to prove compliance with different laws and regulations.

(5) Audits and Personnel Interviews

An audit is performed to check compliance with rules and guidelines. A VA audit checks compliance with internal policies. In other words, an audit will check to see if an organization is following the policies that are in place. For example, an organization may have a policy in place related to employees who leave the company. The policy may state that user accounts should be disabled if an employee leaves. Six months later, the account should be deleted.
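One way to automate the audit of that account policy (enabled accounts idle for 15 days, cross-checked against the HR roster; any account idle for six months), added here as an example that is not the chapter's own. The directory export and its CSV columns, the HR roster and the audit date are constructed assumptions rather than any product's export format.

```python
"""Audit script for the leaver policy: flag enabled accounts idle 15 days
(to be checked with HR) and any account idle six months (should be deleted).
Added illustration; export, roster and audit date are constructed."""
import csv
import io
from datetime import date

# Constructed directory export (assumed columns): username,enabled,last_logon
ACCOUNT_EXPORT = """\
username,enabled,last_logon
alice,true,2024-06-28
bob,true,2024-05-10
carol,false,2023-11-02
dave,true,2023-12-15
erin,true,
frank,false,2024-06-20
"""

# Constructed HR roster of currently employed users.
HR_ACTIVE = {"alice", "erin", "frank"}

AUDIT_DATE = date(2024, 7, 1)   # constructed "today" for the audit run
IDLE_DAYS = 15                  # policy: review enabled accounts idle this long
DELETE_AFTER_DAYS = 182         # policy: delete six months after the account goes idle


def load_accounts(text):
    """Parse the export; an empty last_logon means the account never logged on."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        last = date.fromisoformat(r["last_logon"]) if r["last_logon"] else None
        rows.append({"username": r["username"],
                     "enabled": r["enabled"].strip().lower() == "true",
                     "last_logon": last})
    return rows


def days_idle(account, today):
    """Days since last logon, or None for an account that never logged on."""
    if account["last_logon"] is None:
        return None
    return (today - account["last_logon"]).days


def stale_enabled(accounts, today, idle_days=IDLE_DAYS):
    """Enabled accounts not used within idle_days; never-used counts as stale."""
    out = []
    for a in accounts:
        idle = days_idle(a, today)
        if a["enabled"] and (idle is None or idle > idle_days):
            out.append(a["username"])
    return sorted(out)


def check_against_hr(usernames, hr_active):
    """Split stale accounts: still employed (ask the owner why it is unused)
    versus departed (should already have been disabled)."""
    return {"employed": sorted(u for u in usernames if u in hr_active),
            "departed": sorted(u for u in usernames if u not in hr_active)}


def overdue_for_deletion(accounts, today, limit=DELETE_AFTER_DAYS):
    """Any account, enabled or disabled, idle longer than six months."""
    out = []
    for a in accounts:
        idle = days_idle(a, today)
        if idle is not None and idle > limit:
            out.append(a["username"])
    return sorted(out)


if __name__ == "__main__":
    accounts = load_accounts(ACCOUNT_EXPORT)
    stale = stale_enabled(accounts, AUDIT_DATE)
    print("stale enabled accounts:", check_against_hr(stale, HR_ACTIVE))
    print("overdue for deletion:", overdue_for_deletion(accounts, AUDIT_DATE))
```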
An audit determines if the policy is being followed. The audit can be quick and automated if the auditor has some scripting skills. An auditor could write a script to check for enabled accounts that haven’t been used in the past 15 days. The output is then checked with the human resources department to determine if any of these users are still employed. A similar script could be used to determine if any accounts exist that haven’t been used in the past six months.

In addition, you can conduct personnel interviews to identify the security knowledge of personnel. For example, employees could be asked when it is acceptable to give out their password. A secure organization will have a policy in place stating that users should never give out their password to anyone.

(6) Process Analysis and Output Analysis

Process analysis is performed in some systems to determine if vulnerabilities exist in the process. In other words, instead of just looking at the output, you evaluate the processes used to determine the output. Output analysis, on the other hand, is performed by examining the output to determine if a vulnerability exists. Neither analysis is superior to the other. However, there are times when one will be preferable over the other.

For example, you may be concerned about the effectiveness of a firewall. Firewalls use rules to determine if traffic is allowed. You can use either process analysis or output analysis to determine the effectiveness of the firewall. Consider Figure 8-4. The firewall is blocking and allowing traffic into and out of the network. Process analysis requires you to review all the rules to determine if the rules provide the desired security.
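Both analyses applied to a five-rule firewall like the one in Figure 8-4, added here as an example that is not from the chapter: process analysis reviews the rules against the desired policy without sending traffic, while output analysis pushes test traffic through the rules and compares the result with the policy. The rule set, the desired policy, the test traffic and the simplified first-match rule format are constructed assumptions.

```python
"""Process analysis vs output analysis of a five-rule firewall.
Added illustration; rules, policy and traffic are constructed, and the
first-match rule model is a simplification, not any vendor's syntax."""
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed rule set: evaluated top-down, first match wins. "port" None = any.
RULES = [
    {"name": "r1", "action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "port": 443},
    {"name": "r2", "action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "port": 80},
    {"name": "r3", "action": "allow", "proto": "tcp", "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "port": None},
    {"name": "r4", "action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "dst": "203.0.113.0/24", "port": 3389},
    {"name": "r5", "action": "deny", "proto": "any", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None},
]

# Desired policy: web traffic to the DMZ web server from anywhere, anything
# outbound from the internal network, everything else denied.
DESIRED_ALLOW = {("tcp", "203.0.113.10", 443), ("tcp", "203.0.113.10", 80)}

# Constructed test traffic for output analysis (documentation IP ranges).
TEST_TRAFFIC = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "port": 443},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "port": 80},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "port": 22},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.20", "port": 3389},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "198.51.100.1", "port": 443},
    {"proto": "udp", "src": "198.51.100.7", "dst": "10.0.0.5", "port": 53},
]


def is_desired(pkt):
    """The policy the firewall is supposed to implement, independent of rules."""
    if ip_address(pkt["src"]) in INTERNAL_NET:
        return True
    return (pkt["proto"], pkt["dst"], pkt["port"]) in DESIRED_ALLOW


def matches(rule, pkt):
    return ((rule["proto"] == "any" or rule["proto"] == pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(rule["src"])
            and ip_address(pkt["dst"]) in ip_network(rule["dst"])
            and (rule["port"] is None or rule["port"] == pkt["port"]))


def evaluate(rules, pkt):
    """What the firewall does with one packet: (action, deciding rule)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["name"]
    return "deny", "implicit"


def process_analysis(rules):
    """Review the rules themselves: every inbound allow rule must correspond
    exactly to one desired (proto, host, port); anything broader is a finding."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        if ip_network(rule["src"]).subnet_of(INTERNAL_NET):
            continue  # outbound from the internal network is intended
        dst = ip_network(rule["dst"])
        covered = any(rule["proto"] == proto and rule["port"] == port
                      and dst == ip_network(host + "/32")
                      for proto, host, port in DESIRED_ALLOW)
        if not covered:
            findings.append(rule["name"])
    return findings


def output_analysis(rules, traffic):
    """Send test traffic through the rules; report packets whose outcome
    differs from the policy as (dst, port, action, deciding rule)."""
    mismatches = []
    for pkt in traffic:
        action, rule_name = evaluate(rules, pkt)
        if (action == "allow") != is_desired(pkt):
            mismatches.append((pkt["dst"], pkt["port"], action, rule_name))
    return mismatches


if __name__ == "__main__":
    print("process analysis, rules outside policy:", process_analysis(RULES))
    print("output analysis, traffic outside policy:", output_analysis(RULES, TEST_TRAFFIC))
```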
Output analysis will examine the input and output of the firewall to determine if only desired traffic is allowed through the firewall. If the firewall has only five rules, process analysis would be completed rather easily.

(7) System Testing

System testing is used to test individual systems for vulnerabilities. This includes individual servers and individual end-user systems. The primary testing performed on systems is related to patches and updates. This is because the majority of vulnerabilities occur because of bugs that are resolved by patching. For example, you could have a bank of servers that are running Microsoft Windows Server 2008. Several patches and updates have been released for the servers since they’ve been installed. System testing queries the servers to determine if they are up-to-date.

For example, Microsoft includes traditional tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM). Each of these server products can query systems in the network and ensure they have all the appropriate updates.
If a system doesn’t have an update, WSUS or SCCM can push the update to the system and double-check to ensure it has been installed.

For example, Microsoft Security Bulletin MS08-067 identified a critical vulnerability in the Server service for almost any Windows system from Windows 2000 to Windows 2008. This vulnerability allows attackers to send specially crafted requests to the systems that can then run arbitrary code. The arbitrary code can install malware. You can read about this vulnerability at http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx.

(8) Functionality Testing

Functionality testing is primarily used with software development. It helps ensure that a product meets the functional requirements or specifications defined for the product. One of the problems that can occur with software development is scope creep. This occurs when additional capabilities are added that weren’t originally planned. In other words, the add-ons are outside the scope of the original product specifications. While this looks good on the surface, it adds additional security issues.

(9) Access Controls Testing

Access controls testing verifies user rights and permissions. A “right” grants the authority to perform an action on a system, such as to restart it.
A “permission” grants access to a resource, such as a file or printer. Most organizations have administrative models in place that specify what rights and permissions regular users are granted. These models ensure that users have what they need to perform their job, but no more. They help support the security principles of least privilege and need to know.

Consider Figure 8-5. A company has some resources that only sales personnel should access. It has other resources that only IT department personnel should access. Access restrictions are enforced by putting employees into the appropriate groups and assigning permissions to the group.

Any member of the IT group automatically has access to the IT resources. Members of the Sales group do not have access to IT department resources. Members of the IT group do not have access to Sales department resources. Access controls testing verifies that the users are granted the rights and permissions needed to perform their jobs, and no more. It ensures that an administrative model is used as it was designed.

(10) Penetration Testing

Penetration testing attempts to exploit vulnerabilities. In other words, you’ll often complete a VA to discover vulnerabilities. You’ll then perform a penetration test to see if a vulnerability can be exploited. A penetration test can be much more invasive than VA tests. Specifically, if a penetration test is successful, it may actually take a system down. With this in mind, you need to be cautious when performing penetration tests.

Penetration testing verifies the effectiveness of countermeasures or controls. In other words, you’ve discovered a vulnerability and implemented a control to protect against the vulnerability.
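The access controls test of Figure 8-5, as an added example that is not the chapter's code: the administrative model, the group membership and the effective permissions read from each resource's ACL are all constructed. The check derives what each user should reach from group membership alone and reports both excess access (a least-privilege violation) and missing access (the model not being applied).

```python
"""Access controls testing against an administrative model (Figure 8-5): Sales
resources for the Sales group, IT resources for the IT group, and nothing more.
Added example with constructed users, groups and ACL data; not the book's code."""

# Constructed administrative model: which group is meant to reach which resources.
MODEL = {
    "Sales": {"SalesShare", "CRM"},
    "IT":    {"ITShare", "Helpdesk", "ServerConsole"},
}
# Constructed group membership as read from the directory.
GROUPS = {"Sales": {"alice", "bob"}, "IT": {"carol"}}
# Constructed effective permissions, as read from each resource's ACL (user -> resources).
EFFECTIVE = {
    "alice": {"SalesShare", "CRM"},
    "bob":   {"SalesShare", "CRM", "ITShare"},  # a direct ACL entry outside the model
    "carol": {"ITShare", "Helpdesk"},           # ServerConsole permission was never granted
    "dave":  {"CRM"},                           # in no group, yet has access
}

def expected_access(model, groups):
    """Resources each user should reach, derived only from group membership."""
    expected = {}
    for group, members in groups.items():
        for user in members:
            expected.setdefault(user, set()).update(model[group])
    return expected

def access_control_findings(model, groups, effective):
    """Compare granted permissions with the model; report excess and missing access.
    Excess access breaks least privilege; missing access means the model is not applied."""
    expected = expected_access(model, groups)
    findings = []
    for user in sorted(set(expected) | set(effective)):
        have, want = effective.get(user, set()), expected.get(user, set())
        findings += [(user, "excess", r) for r in sorted(have - want)]
        findings += [(user, "missing", r) for r in sorted(want - have)]
    return findings

if __name__ == "__main__":
    for user, kind, resource in access_control_findings(MODEL, GROUPS, EFFECTIVE):
        print(f"{user}: {kind} permission on {resource}")
```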
You can now perform a penetration test to see if the control works. If the penetration test is successful, you know the controls aren’t adequate. You’ll need to take additional steps to protect against an attack.

Best Practices for Performing Vulnerability Assessments Within the Seven Domains of a Typical IT Infrastructure

Identify assets first—Asset management helps you identify what resources to protect. There is no need to perform VAs on all assets. You only want to take these steps on the valuable assets.

Ensure scanners are kept up to date—Vulnerability scanners need to be updated regularly. This is similar to how antivirus (AV) software needs to be updated with malware definitions. An AV program that isn’t kept up to date is only marginally better than no AV program at all. This is the same for a vulnerability scanner. A scanner that isn’t kept up to date is only marginally better than no scanner at all.

Perform internal and external checks—Attacks can come from internal and external sources. You should perform VAs from internal and external locations. Check within the firewall. Check from outside the firewall. If you have a DMZ, check for vulnerabilities from outside the network.

Document the results—Document the results of every VA. You can use this documentation in several ways. Older results can be compared against current results to track progress. Some VAs can be used to document compliance with laws and regulations.

Provide reports—Provide reports to management. These reports will summarize the important findings and provide recommendations.

End
