Conducting Security Assessments PDF
Document Details
Uploaded by Deleted User
Tags
Related
Summary
This document provides an overview of security assessments, focusing on various types of vulnerabilities such as host, software, and network vulnerabilities. It also includes guidelines for conducting assessments and examples of different activities.
Full Transcript
Conducting Security Assessments Identify Vulnerabilities Assess Vulnerabilities Implement Penetration Testing 1 Host Vulnerabilities The underlying OS/platform directly affects host vulnerabilities. How the OS/platform is configured is cruc...
Conducting Security Assessments Identify Vulnerabilities Assess Vulnerabilities Implement Penetration Testing 1 Host Vulnerabilities The underlying OS/platform directly affects host vulnerabilities. How the OS/platform is configured is crucial. OSs come with default configurations. What services are running, programs installed, security settings enabled, etc. Configurations comprise the state of the host. Leaving a host with default configurations is often insufficient. Custom configurations are necessary. If not evaluated, they can leave weaknesses in the host. Attackers will exploit these weaknesses. Example: Failing to disable Telnet can lead to man-in-the-middle attack. 2 Software Vulnerabilities Software Description Vulnerability Exploited before vulnerability is publicly known. Zero-day Effects are often magnified and longer-lasting. Improper input Software fails to anticipate unusual input. handling Can lead to unauthorized access, privilege escalation, DoS, etc. Improper error Verbose errors can provide attackers with actionable info. handling Errors not handled gracefully can cause instability. Resource Software does not restrict access to resources. exhaustion Too much resource consumption leads to crashes. Events fail to execute in order and timing intended. Race condition Software may crash. Memory leak. Buffer overflow. Memory Integer overflow. vulnerabilities Pointer dereference. DLL injection. 3 Encryption Vulnerabilities Some encryption solutions are insecure or become insecure over time. Organizations use cipher suites now considered weak. Poor implementation also reveals weaknesses. Example: Improperly configured digital certificates. Addresses don't match, certificate has expired, signer not trusted, etc. Improper key management also leads to vulnerabilities. Private keys not secure can fall into the wrong hands. Attackers can impersonate the organization and perform man-in-the-middle attack. 4 Network Architecture Vulnerabilities Network's design may reveal weaknesses. Attackers attempt to gain entry through these weaknesses. Example: Web server not isolated from offline databases. Attacker can move from the web server to the databases. Example: Wireless network range not controlled for. Signal leaks beyond premises where attacker can more easily gain access. Attackers also attempt to initiate DoS. Example: Web server traffic isn't balanced. Attackers congest network with excess traffic, leading to delays and service outages. 5 Account Vulnerabilities Weak password complexity/length requirements. Passwords that don't expire. Lack of multi-factor authentication. Accounts placed in wrong groups. Accounts granted more privileges than necessary. Unused accounts that haven't been disabled. Guest accounts that haven't been disabled. 6 Operations Vulnerabilities Untrained users. Human element is largest target. Users not equipped to spot social engineering or practice good computer security habits. Lack of planning for critical business processes. Without EOL processes, obsolete systems may be vulnerable. Lack of vendor support makes fixing issues more difficult. Embedded systems may be difficult to understand. System sprawl. Difficult for limited personnel to oversee large number of systems. Inability to manage these systems can lead to compromise. Undocumented assets are difficult to manage consistently. 7 Activity: Identifying Vulnerabilities You've been asked to assess Develetech's vulnerabilities. To begin, you'll identify common vulnerabilities that could affect the business. 8 Security Assessment Security assessment: The process of testing security controls to expose any weaknesses or gaps in your tools, technologies, services, and operations. Provides you with info needed to mitigate vulnerabilities timely and efficiently. Methods used vary widely. Influences active vs. passive assessment type. Influences other characteristics as well. Vulnerability assessment: An evaluation of a system's security based on the configuration state of the system. Determines if current configuration matches baseline. Often accomplished through automated tools. Identifies misconfigurations, lack of security controls, and other vulnerabilities. 9 Security Assessment Techniques Technique Description Baseline is a collection of configurations to use as a benchmark for other systems in the organization. Review baseline Baseline should include industry-recommended security configurations and should fulfill a function in the organization. Code reviews should be conducted for all apps in development. Review code Can be done manually or with automated tools. Attack surface is a combination of all areas that are exposed to an Determine attack attacker. surface Reducing attack surface reduces the risk of successful attacks. Review security Evaluation of security infrastructure model. architecture Determines if assets are properly secured and vulnerabilities addressed. Review security Determines if security solution fulfills organization's needs. design Done before the solution is implemented. 10 Vulnerability Assessment Tools Tool Type Implement To Vulnerability scanner Assess systems, networks, and apps for weaknesses. Port scanner Assess current state of all ports on a network. Protocol/packet analyzer Assess traffic and what it reveals about contents and protocols being used. Fingerprinting tools Identify a target's OS information and running services. Network enumerator Map logical structure of network and identify rogue systems. Password cracker Recover secret passwords from stored or transmitted data. Backup utilities Create copies of scanned data. Honeypot Redirect suspicious activity to isolated systems for safe monitoring. 11 Types of Vulnerability Scans Tools to scan weak points in wireless networks. Tools to scan for configuration compliance. Credentialed scans. Scanner authenticates with the system it's scanning. Has elevated privileges to test all of a system's configuration. More intrusive, consumes more resources. Non-credentialed scans. Scans from a normal user perspective. Allows you to focus on the most glaring flaws that anyone can exploit. Less intrusive, consumes less resources. 12 False Positives Something incorrectly identified as a vulnerability. Port 5424 is open and may be used by malware. Close? 1 2 3 13 Guidelines for Assessing Vulnerabilities Consider how host OSes are configured. Don't rely on default config. Create custom configs to reflect security needs. Consider the impact of zero-day vulnerabilities. Consider software flaws like improper input handling and memory management. Consider the impact of using outdated cipher suites. Assess digital certificates for misconfigurations. Assess encryption key management systems for weaknesses. Consider the impact of weaknesses in the network architecture. Consider the impact of misconfigured accounts. Identify users who require training. Identify critical business processes that lack a solid plan. Consider the impact of system sprawl and undocumented assets. 14 Activity: Capturing Network Data with Wireshark You want to capture a baseline of normal network traffic conditions. You can compare future traffic captures to this baseline. You'll use Wireshark to capture and analyze traffic. You'll filter on SSL/TLS packets. 15 Activity: Scanning for General Vulnerabilities You'll use MBSA to conduct a vulnerability scan of Windows Server. This will help you detect changes in vulnerability information over time. You can also keep track of any changes made to your systems. 16 Penetration Testing Using active tools and techniques to evaluate security by simulating attacks on those systems. Verifies that a threat exists, and exploits any vulnerabilities. Less common and more intrusive than vulnerability assessments. Information gleaned from pen tests is more thorough. There is a risk of systems suffering actual damage. Tight restrictions often placed on pen tests. 17 Penetration Testing Techniques Phase Technique Description Tester gathers as much info about targets as possible. 1 Reconnaissance Helps tester craft their simulated attack. Tester begins exploitation after reconnaissance. 2 Initial exploitation Gain access to network or hosts, obtain credentials, etc. Tester tries to gain greater control over systems. 3 Escalation of privilege Can do more damage with higher privileges. Tester compromises a central host. 4 Pivoting Tester can spread to other hosts and network segments. Tester maintains access to the network. 5 Persistence Evaluate ease of gaining a covert foothold in the network. 18 Box Testing Methods Full reconnaissance Some reconnaissance No reconnaissance Black Box Grey Box White Box Test Test Test 19 Penetration Testing Tools Tool Type Implement To Exploitation frameworks Create and deploy code to exploit systems. Data sanitization tools Securely erase data from a storage medium. Steganography tools Hide data within other data to avoid detection. Social engineering tools Test your users' susceptibility to social engineering tactics. Test your systems' ability to respond to increased computing Stress testers overhead and network bandwidth. 20 Guidelines for Implementing Penetration Testing Consider conducting a penetration test in addition to or instead of a vulnerability assessment. Be aware of the risks involved in conducting a pen test. Consider implementing pen test techniques as different phases in a simulated attack. Consider conducting pen tests using different types of box testing methods. Understand the different reconnaissance requirements for each box testing method. Become familiar with the different tools used in active exploitation of systems. 21 Activity: Implementing Penetration Testing You want to conduct a pen test to see how attackers can exploit your systems. You already cracked a weak password used by domain admin Jane Emerson. You'll used these credentials in a simulated attack on your Windows Server. The attack will enable remote desktop access. 22 1. What sort of vulnerability assessment tools have you used or do you plan on using to evaluate security in your organization? 2. Do you believe there's value in conducting a penetration test in your organization? Why or why not? 23