Chapter 7: Security Assessment, Analysis, and Assurance
Computer Network Security

Upload: ryder-ligon

Post on 16-Dec-2015



Page 2

Kizza - Computer Network Security

Security Assessment, Analysis, and Assurance

The rapid development in both computer and telecommunication technologies has resulted in massive interconnectivity and interoperability of systems. The bigger the networks, the bigger the security problems involving system resources on these networks. Many companies, businesses, and institutions whose systems work in coordination and collaboration with other systems, sharing each other's resources and communicating with each other, face a constant security threat to these systems, yet the collaboration must go on.

Page 3

For security assurance of networked systems, such risks must be assessed to determine the adequacy of existing security measures and safeguards and also to determine if improvement in the existing measures is needed. The security assessment process consists of a comprehensive and continuous analysis of the security threat risk to the system that involves an auditing of the system, assessing the vulnerabilities of the system, and maintaining a creditable security policy and a vigorous regime for the installation of patches and security updates. In addition, there must also be a standard process to minimize the risks associated with non-standard security implementations across shared infrastructures and end systems.

Page 4

The process to achieve all these and more consists of several tasks including:
– A security policy
– Security requirements specification
– Threat identification and analysis
– Vulnerability assessment
– Security certification
– Monitoring of vulnerabilities and auditing.

Page 5

Vulnerability Assessment lets you:
– Understand the state of vulnerability within your network.
– Better evaluate the risks from new vulnerabilities.
– Learn about new fixes and work-arounds from a single source.
– Avoid unplanned downtime and lost productivity.
– Minimize the costs that are associated with security incidents.

Page 6

Vulnerability Assessment Techniques

Active Assessments
– Any use of a network scanner to find hosts, services and vulnerabilities is a form of active assessment. Regardless of whether the scan is sending one ICMP packet or a full-fledged DoS attack, any assessment that involves placing packets on the wire to interrogate a host for unknown services or vulnerabilities is an active assessment.
– Many network scanners have controls on how aggressively they pursue their interrogation of the network and the servers they encounter. For example, Nessus (http://www.nessus.org) has a concept of 'safe checks' which causes it to be less intrusive when performing security audits of network services.
– Other commercial scanners have a similar mode which is deceptively called 'passive scanning'.

Page 7

Passive Assessments
– Sniffing network traffic to deduce a list of active systems, active services, active applications and even active vulnerabilities is referred to as a passive assessment.
– Passive assessment is a continuous effort such that the sniffer performing the analysis can see the network 24x7. An active assessment is really a picture of the network at a point in time. Passive assessments offer a more accurate listing of who is actually using the network.
– There are a lot of 'gotchas' with passive assessment. For example, how does one know if an IP address is active or not? Consider a DHCP network (Dynamic Host Configuration Protocol: a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway). Through the course of a week, many hosts will boot up and receive an IP each day. If the host gets a different IP each day, by the end of the week it will look like many hosts are active on the network.
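The DHCP 'gotcha' above is easiest to see in code. The following is an added example and is not part of the Kizza slides: it takes constructed sniffer observations (timestamp, source MAC, source IP) from a DHCP-served segment and shows that an inventory keyed on IP addresses over-counts hosts, while one keyed on the hardware address does not; it also ties the question "is this host active?" to a time window rather than to the address itself. The observation format, the addresses and the two-day idle threshold are assumptions made for the example.

```python
# Added example (not from the Kizza slides): why a passive assessment that keys
# its inventory on IP addresses over-counts hosts on a DHCP network, and how
# keying on the hardware (MAC) address instead gives a stable host list.
# All observations below are constructed sample data.
from collections import defaultdict
from datetime import datetime

# Constructed sniffer output: (timestamp, source MAC, source IP) for packets
# seen on a DHCP-served segment over five days. Two real hosts receive a
# different lease each day; the printer keeps a reserved address.
OBSERVATIONS = [
    ("2015-12-07T09:01:00", "aa:bb:cc:00:00:01", "10.0.0.21"),
    ("2015-12-07T09:02:00", "aa:bb:cc:00:00:02", "10.0.0.22"),
    ("2015-12-07T09:03:00", "aa:bb:cc:00:00:99", "10.0.0.5"),   # printer, reserved lease
    ("2015-12-08T09:01:00", "aa:bb:cc:00:00:01", "10.0.0.23"),
    ("2015-12-08T09:02:00", "aa:bb:cc:00:00:02", "10.0.0.24"),
    ("2015-12-09T09:01:00", "aa:bb:cc:00:00:01", "10.0.0.25"),
    ("2015-12-09T09:02:00", "aa:bb:cc:00:00:02", "10.0.0.26"),
    ("2015-12-09T09:03:00", "aa:bb:cc:00:00:99", "10.0.0.5"),
    ("2015-12-10T09:01:00", "aa:bb:cc:00:00:01", "10.0.0.27"),
    ("2015-12-11T09:01:00", "aa:bb:cc:00:00:02", "10.0.0.28"),
]

def hosts_by_ip(observations):
    """Naive passive inventory: each distinct IP address counts as a host."""
    return sorted({ip for _, _, ip in observations})

def hosts_by_mac(observations):
    """Inventory keyed on MAC address: each host maps to the IPs it used
    and the first/last time it was seen."""
    table = defaultdict(lambda: {"ips": set(), "first": None, "last": None})
    for ts, mac, ip in observations:
        when = datetime.fromisoformat(ts)
        entry = table[mac]
        entry["ips"].add(ip)
        if entry["first"] is None or when < entry["first"]:
            entry["first"] = when
        if entry["last"] is None or when > entry["last"]:
            entry["last"] = when
    return dict(table)

def active_hosts(observations, as_of, max_idle_days):
    """Treat a host as active only if it was seen within max_idle_days of as_of.
    This is the 'is this address still in use?' question the slide raises:
    the answer has to be tied to a time window, not to the address itself."""
    cutoff_seconds = max_idle_days * 86400
    as_of_dt = datetime.fromisoformat(as_of)
    return sorted(
        mac for mac, entry in hosts_by_mac(observations).items()
        if (as_of_dt - entry["last"]).total_seconds() <= cutoff_seconds
    )

if __name__ == "__main__":
    print("hosts counted by IP :", len(hosts_by_ip(OBSERVATIONS)))   # 9
    print("hosts counted by MAC:", len(hosts_by_mac(OBSERVATIONS)))  # 3
    print("active in last 2 days:", active_hosts(OBSERVATIONS, "2015-12-11T12:00:00", 2))
```

Nine addresses were seen but only three hosts exist; the printer, last seen on 9 December, drops out of the two-day active window even though its reserved address never changes, which is the opposite error an IP-keyed list would make.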

Page 8

Host-based audits
Host-based audits are conducted on individual computers. The advantages of host-based assessment are:
– Greatly reduced numbers of false positive and false negative reports when compared with network-based products.
– Superior scalability over network-based products.
– Increased security over agent-less assessments that require administrative privileges.

Page 9

Network-based audits
Network-based audits are conducted from central locations on the network. The advantages of network-based assessment are:
– Immediate network-wide vulnerability information
– Immediate vulnerability information about network resources that cannot install monitoring agents; for example, network routers or firewalls.
– Discovery of unknown computers and other resources on the network.
– Ability to audit the vulnerability of computers to attacks from inside or outside the network.

Page 10

Blended Assessments
– A "blended" form of security assessment utilizes a combination of active, passive and host-based techniques. Each method in the combination has several advantages and disadvantages which can be used to offset a variety of technical and political limitations imposed by large enterprise networks.

Page 11

Additional features
– Centralized reporting and management of vulnerabilities.
– A comprehensive "health check" of the network is available from a central location with a consistent, automated, repeatable, and on-demand system.
– Identifies vulnerabilities in mission critical systems and applications, not just the operating system.
– Can be scalable to provide coverage for the entire enterprise that can extend across the Internet.

Page 12

Design and Implementation of an Enterprise Security Policy

The design of a security policy must take into account the following issues:

Page 13

Physical Security Controls:
– This includes the physical infrastructure, device security and physical access. The physical infrastructure involves appropriate media and path of physical cabling. Make sure that intruders cannot eavesdrop on the lines, by using detectors such as a time domain reflectometer for coaxial cable and an optical time domain reflectometer to detect an optical splitter on fiber optics.
– Physical cabling network topology to ensure the availability of the network to all attached devices. The cabling should be well secured to prevent access to any part.

Page 14

Physical Device Security
– The location of the critical network resources is very important. All network resources (network hosts, switches, routers, firewalls, access servers) should be located in very restricted areas. Physical access restrictions and requirements are determined from the results of the risk analysis or physical security surveys.
– Environment safeguards – all the following are important:
  Fire (prevention/protection/detection)
  Water
  Electric power
  Temperature/humidity
  Natural disasters
  Magnetic fields
  Good housekeeping procedures

Page 15

Logical Security Controls
– Create boundaries between network segments:
  To control the flow of traffic between different cabled segments (subnets), use IP-address filters to deny access to specific subnets by IP addresses from non-trusted hosts.
  Permit or deny access based on subnet addresses, if possible.
  But keep in mind that IP addresses are very easy to spoof.
– The logical infrastructure of a network depends largely on how a network is logically separated and how traffic is controlled between those subnets.
– Routing (layer-3 switching) is how traffic is controlled between subnets:
  Determining the optimal routing path
  Transporting packets through the subnets.
– A security plan must include a detailed routing policy.
– Fully understand the routing protocols used in the corporate environment.

Page 16

Logical Access Control – access to equipment and network segments should be restricted to individuals who require access.
– Two types of control on access to network resources should be implemented:
  Preventive controls – uniquely identify every authorized user and deny others
  Detective controls – log and report the activities of users, and also log and report unauthorized users.
– Remember the human factor
  Any security implemented is only as good as the weakest link.

Page 17

Infrastructure and Data Integrity
– Ensure as best as you can that your traffic on the network is valid. This may involve any of the following:
  Supported services – like firewalls. Firewalls are very essential in the control of traffic. A firewall relies solely on the TCP, UDP, ICMP, and IP headers of individual packets to allow or deny the packet. It may also use TCP and UDP source and destination port numbers.
  Unspoofed traffic
  Unaltered traffic
– Most of the traffic control is based on the following characteristics of the traffic:
  Direction
  Origin
  IP address
  Port numbers
  Authentication
  Application content

Page 18

Network Services
– Choosing what type of network services and protocols the network will use is a daunting job. A few policies to choose from:
  Permit all and deny as needed. It is easy to implement: turn on all services and protocols and turn them off selectively as security holes become apparent. It is simple; however, it is prone to attacks.
  Deny all mode is generally more secure but more complex to implement.
– Security complexity can grow exponentially
– Services most commonly needed include:
  SNMP
  DNS
  NTP
  WWW
  Telnet
  FTP
  NNTP
  SMTP
– To determine which services to filter, follow published guidelines, e.g. those from CERT.
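To make the traffic characteristics on page 17 (direction, origin, IP address, port numbers) and the permit-all versus deny-all policy styles above concrete, here is an added example that is not part of the Kizza slides: a header-only packet filter evaluated under both defaults, including the subnet-based anti-spoofing rule that the warning on page 15 motivates. The rule set, the internal and DMZ prefixes (10.0.0.0/8 and the documentation prefix 192.0.2.0/24), the `Packet`/`Rule` names and the sample packets are constructed for the example; a real firewall's rule language differs.

```python
# Added example (not from the Kizza slides): a small header-only packet filter
# that models the traffic characteristics on page 17 (direction, origin subnet,
# IP address, port numbers) and the two policy styles on page 18
# (permit-all-then-deny versus deny-all-then-permit). Addresses, subnets and
# rules are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str              # "in" (arriving from outside) or "out" (leaving)
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None # None for ICMP

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    direction: str              # "in", "out" or "any"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    src_net: str                # CIDR; "0.0.0.0/0" matches everything
    dst_net: str
    dport: Optional[int]        # None matches any port

    def matches(self, pkt: Packet) -> bool:
        """Only header fields are consulted, the limitation page 17 describes."""
        return (
            self.direction in ("any", pkt.direction)
            and self.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
            and (self.dport is None or self.dport == pkt.dport)
        )

INTERNAL = "10.0.0.0/8"
DMZ = "192.0.2.0/24"        # documentation prefix, used here as a constructed DMZ
ANY = "0.0.0.0/0"

def evaluate(rules, pkt: Packet, default: str) -> str:
    """First-match evaluation; 'default' is the action when no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Deny-all style: nothing is allowed unless explicitly permitted.
DENY_ALL_RULES = [
    # Anti-spoofing (page 15 warns IP addresses are easy to spoof): an inbound
    # packet claiming an internal source address is dropped before anything else.
    Rule("deny", "in", "any", INTERNAL, ANY, None),
    Rule("permit", "in", "tcp", ANY, DMZ, 80),          # public web server in the DMZ
    Rule("permit", "in", "tcp", ANY, DMZ, 25),          # mail relay in the DMZ
    Rule("permit", "out", "udp", INTERNAL, ANY, 53),    # DNS from inside
    Rule("permit", "out", "tcp", INTERNAL, ANY, 80),    # web from inside
]

# Permit-all style: everything is allowed except what has been found to be a hole.
PERMIT_ALL_RULES = [
    Rule("deny", "in", "any", INTERNAL, ANY, None),
    Rule("deny", "in", "tcp", ANY, INTERNAL, 23),       # telnet closed after a problem
]

def decide_deny_all(pkt: Packet) -> str:
    return evaluate(DENY_ALL_RULES, pkt, default="deny")

def decide_permit_all(pkt: Packet) -> str:
    return evaluate(PERMIT_ALL_RULES, pkt, default="permit")

if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "203.0.113.7", "192.0.2.10", 80),   # web request to the DMZ
        Packet("in", "tcp", "203.0.113.7", "10.1.2.3", 445),    # SMB to an internal host
        Packet("in", "tcp", "10.1.2.3", "10.1.2.4", 22),        # spoofed internal source
        Packet("out", "udp", "10.1.2.3", "198.51.100.53", 53),  # DNS query from inside
    ]
    for p in samples:
        print(p, "deny-all:", decide_deny_all(p), "permit-all:", decide_permit_all(p))
```

Running the same packets under both policies shows the trade-off the slide describes: the SMB packet to an internal host is denied under deny-all but permitted under permit-all, because nobody has yet found that hole and added a rule for it; the packet with a spoofed internal source is dropped under both because the anti-spoofing rule is evaluated first.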

Page 19

Authenticated Data
– To ensure a reasonable amount of data integrity, you should authenticate most of the traffic traversing the network. Traffic specific to the operations of a secure network infrastructure (such as updating of routing tables) should be authenticated.
– A checksum protects against the injection of spurious packets from an intruder. Combined with sequence number techniques, a checksum can also protect against replay attacks.
– The most security is provided by complete encryption of routing tables. However, encryption has an overhead.
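As an added example, not from the Kizza slides, the following shows the checksum-plus-sequence-number scheme above applied to routing updates. It assumes a keyed checksum (HMAC-SHA256 with a key shared by the two routers) rather than an unkeyed one, since anyone can recompute an unkeyed checksum over a forged packet; the key, the JSON message layout, the `make_update`/`Receiver` names and the route entries are constructed for the example.

```python
# Added example (not from the Kizza slides): authenticating routing-table
# updates with a keyed checksum (HMAC-SHA256) and a sequence number, so that a
# receiver rejects both spurious packets (bad checksum) and replayed ones
# (sequence number not newer than the last accepted one). Key, routes and the
# message layout are constructed for the example.
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # assumption: provisioned per link

def make_update(seq: int, routes: dict, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: serialise (seq, routes) and append a keyed checksum in hex."""
    body = json.dumps({"seq": seq, "routes": routes}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag

class Receiver:
    """Receiver side: verifies the checksum first, then enforces strictly
    increasing sequence numbers so a captured valid update cannot be replayed."""
    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = -1
        self.routes = {}
        self.rejected = []   # (reason, seq) kept for the audit trail

    def accept(self, wire: bytes) -> bool:
        body, sep, tag = wire.rpartition(b"|")
        if not sep:
            self.rejected.append(("malformed", None))
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison; a spurious or altered packet fails here.
        if not hmac.compare_digest(expected, tag):
            self.rejected.append(("bad-checksum", None))
            return False
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq:
            self.rejected.append(("replay", msg["seq"]))
            return False
        self.last_seq = msg["seq"]
        self.routes.update(msg["routes"])
        return True

def demo():
    """Four messages: genuine, forged without the key, replayed, next genuine."""
    rx = Receiver()
    genuine = make_update(1, {"10.1.0.0/16": "10.0.0.1"})
    results = [rx.accept(genuine)]
    # An intruder forges an update for a later sequence number without the key.
    forged = make_update(2, {"10.1.0.0/16": "198.51.100.9"}, key=b"wrong-key")
    results.append(rx.accept(forged))
    # An intruder replays the genuine update captured earlier.
    results.append(rx.accept(genuine))
    # The real router sends its next update.
    results.append(rx.accept(make_update(2, {"10.2.0.0/16": "10.0.0.2"})))
    return results, rx.routes, rx.rejected

if __name__ == "__main__":
    print(demo())   # ([True, False, False, True], {...two routes...}, [two rejections])
```

The sequence check only works because the checksum is verified first: an intruder who could forge the checksum could also choose a fresh sequence number, which is why the slide pairs the two techniques rather than relying on sequence numbers alone.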

Page 20

Common Attack Deterrents
– In many cases attacks against a host behind a firewall can be stopped. Develop a policy to insulate internal hosts.
– Web servers, FTP servers, mail servers, even behind a firewall, are among the network service provider resources at most risk, because any host on the inside network can misbehave toward them. You are generally better off putting those exposed service providers on a demilitarized zone (DMZ) network.
– Install a honeypot.

Page 21

– The following list provides an example of some items in an infrastructure and data integrity security policy:

Infrastructure Security:
– Access to switch LAN ports and router interfaces will be disabled when not in use
– Firewall functionality will be used at all egress access points – any connection that provides access anywhere outside the Enterprise
– Only necessary network services will be supported. These services will be defined by the Network Operations Group.

Data Integrity:
– Software not related to work will not be used on any computer that is part of the network.
– All software images and operating systems should use a checksum verification scheme before installation to confirm their integrity.
– All routing updates and VLAN updates must be authenticated between sending and receiving devices.

Page 22

Data Confidentiality
– This calls for encryption. The hardest part is to decide which data to encrypt. The decision should be based on the outcome of the Risk Assessment procedure in which data is classified according to its security sensitivity. Encrypt the data that would be at the greatest risk without it.
– For example, in an enterprise:
  All data dealing with employee salary and benefits.
  All data on product development
  All data on sales, etc.
– Pay attention to the local Network Address Translation (NAT) – a system used to help network administrators with large pools of hosts avoid renumbering them when they all come on the Internet.

Page 23

Policies and Procedures for Staff
– These are guidelines to help people working on the network infrastructure.
– Secure Backup – of all network service servers, and of configurations and images of networking infrastructure equipment, is critical
  Ensure that the system creates backups for all network infrastructure equipment configurations and software images
  Ensure that backups are made of all servers that provide network services
  Ensure that offsite storage of the backups is used – selected for both security and availability
  Encrypt the backups – making sure that there will be a key to decrypt the backups when needed.

Page 24

  Periodically verify the correctness and completeness of the backups
  Keep the original and backup safe. It is important to keep the backup copies in separate and secure locations (recall the World Trade Center backups in Colorado and Utah)

The following are good guidelines:
– Key positions must be identified and potential successors should be identified
– Recruiting employees for positions in the implementation and operation of the network infrastructure requires a thorough background check
– All personnel involved in implementing and supporting the network infrastructure must attend a security seminar for awareness
– All backups will be stored in a dedicated locked area.

Page 25

– Equipment Certification
  All new equipment to be added to the infrastructure should adhere to specified security requirements. Each site of the infrastructure should decide which security features and functionalities are necessary to support the security policy.
  The following are good guidelines:
  – All infrastructure equipment must pass the acquisition certification process before purchase
  – All new images and configurations must be modeled in a test facility before deployment
  – All major scheduled network outages and interruptions of services must be announced to those to be affected well ahead of time.
– Use of Portable Tools
  Note that portable tools like laptops always pose some security risks. Develop guidelines for the kinds of data allowed to reside on hard drives of portable tools and how that data should be protected.

Page 26

– Audit Trails
  Keep logs of traffic patterns, noting any deviations from normal behavior found. Such deviations are the first clues to security problems.
  The data to be collected in the logs should include the following:
  – User name
  – Host name
  – Source and destination IP addresses
  – Source and destination port numbers
  – Timestamp
  This collected data should be kept local to the resource until an event is finished, upon which it may be taken to a secure location. Make sure that the paths (channels) from the collection points to the storage location are secure. Audit data should be among the most secured data on location and in backups.
– Legal Considerations
  Because of the content of the audit trail, a number of legal questions arise that may need attention.
  One area of concern is the privacy of the users and the data content – because it may contain personal information.
  A second area of concern is knowledge of intrusive behavior; for example, having knowledge of the intrusive behavior of others, including the organization itself.
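As an added example, not from the Kizza slides, here are audit-trail records carrying exactly the fields listed above (user name, host name, source and destination IP addresses, source and destination ports, timestamp), parsed and compared against a baseline of normal behavior so that deviations (a new destination port for a host, an unexpected user on a host, activity outside a host's usual hours) surface as the "first clues" the slide mentions. The key=value log format, the baseline tables, the host and user names and the sample lines are constructed for the example.

```python
# Added example (not from the Kizza slides): parsing audit-trail records with
# the fields the slide lists and flagging deviations from a baseline of normal
# behaviour. Log format, baseline and records are constructed sample data.
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class AuditRecord:
    timestamp: str
    user: str
    host: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

def parse_line(line: str) -> AuditRecord:
    """Constructed format: space-separated key=value pairs."""
    fields = dict(item.split("=", 1) for item in line.split())
    return AuditRecord(
        timestamp=fields["ts"], user=fields["user"], host=fields["host"],
        src_ip=fields["src"], dst_ip=fields["dst"],
        src_port=int(fields["sport"]), dst_port=int(fields["dport"]),
    )

# Baseline of what is normal for each host: expected destination ports,
# expected users and the hours it is normally active. In practice this is
# learned from earlier logs; here it is constructed.
BASELINE_PORTS = {"ws-17": {80, 443, 53}, "fileserver": {445, 53}}
BASELINE_USERS = {"ws-17": {"alice"}, "fileserver": {"svc-backup"}}
BASELINE_HOURS = {"ws-17": range(7, 20), "fileserver": range(0, 24)}

def hour_of(ts: str) -> int:
    """Hour field of an ISO-8601 timestamp such as 2015-12-14T09:12:01."""
    return int(ts[11:13])

def find_deviations(lines):
    """Return (record, reason) pairs for records that depart from the baseline."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec.user not in BASELINE_USERS.get(rec.host, set()):
            findings.append((rec, "unexpected user on host"))
        if rec.dst_port not in BASELINE_PORTS.get(rec.host, set()):
            findings.append((rec, "new destination port for host"))
        if hour_of(rec.timestamp) not in BASELINE_HOURS.get(rec.host, range(0)):
            findings.append((rec, "activity outside usual hours"))
    return findings

def summarize(findings):
    """Count findings per reason so an analyst sees the shape of a deviation."""
    return Counter(reason for _, reason in findings)

# Constructed sample log lines.
SAMPLE_LOG = [
    "ts=2015-12-14T09:12:01 user=alice host=ws-17 src=10.1.2.3 dst=10.1.0.5 sport=51234 dport=443",
    "ts=2015-12-14T09:15:44 user=alice host=ws-17 src=10.1.2.3 dst=10.1.0.2 sport=51240 dport=53",
    "ts=2015-12-14T23:41:09 user=alice host=ws-17 src=10.1.2.3 dst=10.1.0.9 sport=51300 dport=3389",
    "ts=2015-12-14T03:05:30 user=svc-backup host=fileserver src=10.1.0.9 dst=10.1.0.10 sport=40000 dport=445",
    "ts=2015-12-14T10:30:00 user=mallory host=fileserver src=10.1.0.9 dst=10.1.0.10 sport=40100 dport=445",
]

if __name__ == "__main__":
    for rec, reason in find_deviations(SAMPLE_LOG):
        print(rec.timestamp, rec.user, rec.host, "->", reason)
    print(summarize(find_deviations(SAMPLE_LOG)))
```

Three findings come out of the five constructed lines: the late-night connection from ws-17 to port 3389 trips both the port and the hours check, and the unknown user on the file server trips the user check, while the 03:05 backup job does not, because the baseline records that host as active around the clock. Keeping the baseline per host is what keeps a legitimate overnight job from drowning out a real deviation.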

Page 27: Chapter 7: Security Assessment, Analysis, and Assurance Computer Network Security

Kizza - Computer Network SecurityKizza - Computer Network Security 2727

Security Awareness Training
– Users of computers and computer networks are not usually aware of the security ramifications of certain actions. It is imperative that employees be made aware of the importance of security through security training.

– The training should be provided to all personnel.
– Training should cover the following:

Types of security
Internal control techniques
Maintenance

– Those employees with network security responsibilities must also be taught the following:

Security techniques
Methodologies for evaluating threats and vulnerabilities
Selection criteria and implementation of controls
The importance of what is at risk if security is not maintained


– Enforce the following rules before connecting a LAN to the corporate backbone:

Provide documentation on the network infrastructure layout
Provide controlled software downloads
Provide adequate user training
Provide training to the personnel in charge of issuing passwords

– Social Engineering
Train employees not to believe anyone who calls or emails them asking them to do something that might compromise security.
Before giving out any information, they must positively identify whom they are dealing with.


Incident Handling
– A security breach is an incident resulting from an external intruder, unintentional damage, an employee testing some new program and inadvertently exploiting a software vulnerability, or a disgruntled employee causing intentional damage.

– Build an Incident Response Team
This is a centralized group which is the primary focus when an incident occurs.
It is a small core group with the following responsibilities:

– Keeping up to date with the latest threats and incidents
– Being the main point of contact for incident reporting
– Notifying others of the incident
– Assessing the damage and impact of the incident
– Finding out how to avoid further exploitation of the same vulnerability
– Recovering from the incident

Core team members must be knowledgeable and well rounded, with the correct mix of technical, communication, and political skills.


– Detecting an Incident
When looking for signs of a security breach, focus on the following:

– Accounting discrepancies
– Data modification and deletion
– Users complaining of poor system performance
– Atypical traffic patterns
– Atypical times of system use
– Large numbers of failed login attempts

Detecting anomalies from normal behavior requires knowledge of "normal" system function. Use audit trails to learn the historical behavior of the system.
You must follow certain steps when handling an incident, whose goals are defined by management and legal counsel.
The most fundamental goal is to restore the affected system and to limit the impact and damage. In the worst case it is better to shut down the system.
Prioritize the actions to be taken during incident handling.
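The following is an added example, not code from the slides or from Kizza's text. It puts the audit-trail fields listed earlier (user, host, source and destination IP addresses and ports, timestamp) together with three of the incident indicators above: atypical times of system use, large numbers of failed login attempts, and unusually large traffic from a single source. The record layout, the two constructed log excerpts (a historical baseline and the period under investigation), and the thresholds (five failures within five minutes, 100 MiB per source) are all assumptions chosen for the demonstration; the "normal" login hours per user are learned from the historical trail rather than hard-coded, which is the point the slide makes about using audit trails to learn historical behavior.

```python
"""Audit-trail anomaly checks (added example, not from the slides)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed record layout, one record per line, space separated: the fields the
# slides call for plus an event name and a byte count for traffic volume.
FIELDS = ("ts", "user", "host", "src_ip", "dst_ip", "src_port", "dst_port", "event", "nbytes")

# Constructed historical records used to learn what "normal" looks like.
BASELINE_LOG = """\
2024-03-01T09:02:11 alice ws17 10.0.0.17 10.0.1.5 51322 22 login_ok 0
2024-03-01T14:30:05 alice ws17 10.0.0.17 10.0.1.5 51400 22 login_ok 0
2024-03-01T08:45:00 bob ws22 10.0.0.22 10.0.1.5 51410 22 login_ok 0
2024-03-01T17:10:22 bob ws22 10.0.0.22 10.0.1.8 51500 443 transfer 204800
2024-03-02T10:12:00 alice ws17 10.0.0.17 10.0.1.8 51600 443 transfer 102400
"""

# Constructed records for the period under investigation.
CURRENT_LOG = """\
2024-03-04T09:12:01 alice ws17 10.0.0.17 10.0.1.5 51322 22 login_ok 0
2024-03-04T02:07:10 bob ws22 10.0.0.22 10.0.1.5 40011 22 login_ok 0
2024-03-04T10:01:03 - ws99 203.0.113.9 10.0.1.5 44001 22 login_fail 0
2024-03-04T10:01:09 - ws99 203.0.113.9 10.0.1.5 44002 22 login_fail 0
2024-03-04T10:01:15 - ws99 203.0.113.9 10.0.1.5 44003 22 login_fail 0
2024-03-04T10:01:20 - ws99 203.0.113.9 10.0.1.5 44004 22 login_fail 0
2024-03-04T10:01:26 - ws99 203.0.113.9 10.0.1.5 44005 22 login_fail 0
2024-03-04T10:30:00 carol ws31 10.0.0.31 10.0.1.5 45000 22 login_fail 0
2024-03-04T03:15:00 bob ws22 10.0.0.22 198.51.100.7 52000 443 transfer 734003200
2024-03-04T11:00:00 alice ws17 10.0.0.17 10.0.1.8 51700 443 transfer 153600
"""


def parse_audit(text):
    """Turn raw log text into a list of dicts with typed timestamp, ports and bytes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
        rec["nbytes"] = int(rec["nbytes"])
        records.append(rec)
    return records


def learn_login_hours(records):
    """Baseline: the set of hours of day at which each user has logged in before."""
    hours = defaultdict(set)
    for r in records:
        if r["event"] == "login_ok":
            hours[r["user"]].add(r["ts"].hour)
    return hours


def atypical_time_logins(records, baseline):
    """Successful logins at an hour never seen for that user in the baseline.
    A user with no baseline at all is flagged too."""
    return [(r["user"], r["ts"].isoformat())
            for r in records
            if r["event"] == "login_ok"
            and r["ts"].hour not in baseline.get(r["user"], set())]


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Source addresses with at least `threshold` failed logins inside any
    sliding time window of length `window`; returns {src_ip: peak_count}."""
    per_src = defaultdict(list)
    for r in records:
        if r["event"] == "login_fail":
            per_src[r["src_ip"]].append(r["ts"])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def heavy_sources(records, threshold_bytes):
    """Sources whose total bytes sent exceed the threshold (possible exfiltration)."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src_ip"]] += r["nbytes"]
    return {src: n for src, n in totals.items() if n > threshold_bytes}


def review(baseline_text=BASELINE_LOG, current_text=CURRENT_LOG):
    """Run the three checks against the current trail and return the findings."""
    baseline = learn_login_hours(parse_audit(baseline_text))
    current = parse_audit(current_text)
    return {
        "atypical_time": atypical_time_logins(current, baseline),
        "failed_bursts": failed_login_bursts(current),
        "heavy_sources": heavy_sources(current, threshold_bytes=100 * 1024 * 1024),
    }


if __name__ == "__main__":
    for name, finding in review().items():
        print(name, finding)
```

On the constructed data the review flags bob's 02:07 login (never seen at that hour), the five failures from 203.0.113.9 inside 23 seconds (carol's single failure is not flagged), and the 700 MiB sent by 10.0.0.22 during the night. The baseline is only as good as the trail it was learned from, so it should be built from a period you have already reviewed, and the trail itself must be kept where an intruder cannot edit it, as the audit-trail slide requires.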


Priorities should correspond to the organization's security policy and should include the following:

– Protecting human life and people's safety
– Protecting sensitive and/or classified data
– Protecting data that is costly in terms of resources
– Preventing damage to systems
– Minimizing the disruption of computing resources

It is always important to assess the damage by doing some or all of the following:

– Check and analyze all traffic logs for abnormal behavior, especially on network perimeter access points such as Internet access or dial-in access.

– Verify infrastructure device checksums or operating system checksums on critical servers to see whether operating system software has been compromised.

– Verify configuration changes on infrastructure devices such as servers to ensure that no one has tampered with them.

– Check the sensitive data to see whether it has been accessed or changed.

– Check traffic logs for unusually large traffic streams from a single source or streams going to a single destination.

– Run a check on the network for any new or unknown devices.
– Check passwords on critical systems to ensure that they have not been modified.
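The checksum and configuration checks in the list above only work if a trusted reference exists from before the incident. The following is an added example, not from the slides or from Kizza's text, of how such a reference is built and used: hash every file under a directory tree, store the result off the host, and later report which files were modified, removed or added. The directory layout, file names and "intrusion" (a changed sshd_config, a deleted binary, a new cron entry) are constructed for the demonstration.

```python
"""File-integrity baseline and verification (added example, not from the slides)."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root, '/'-separated)
    to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON. Keep this copy off the host or on read-only
    media: an intruder who can alter the files can otherwise alter the baseline."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def verify(root, baseline):
    """Compare the live tree with the stored baseline and report what changed."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root, rel, data):
    """Helper for the demo: create a file (and its directories) under root."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb" if isinstance(data, bytes) else "w") as fh:
        fh.write(data)


def demo():
    """Baseline a small constructed tree, simulate an intrusion, and verify.
    File names and contents are made up for the demonstration."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "bin/ls", b"\x7fELF fake-binary-for-demo")
        baseline_path = os.path.join(vault, "baseline.json")   # stored away from root
        save_baseline(build_baseline(root), baseline_path)

        # Simulated intrusion: config weakened, binary removed, cron job planted.
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n")
        os.remove(os.path.join(root, "bin", "ls"))
        _write(root, "etc/cron.d/update", "* * * * * root /tmp/.x\n")

        return verify(root, load_baseline(baseline_path))


if __name__ == "__main__":
    print(demo())
```

Two caveats a responder should keep in mind. Hashing from inside the running system trusts that system's kernel and libraries; a kernel-level rootkit can present clean file contents to the checker, so for a suspected compromise the comparison should be run from trusted boot media against the mounted disk. Where a package manager keeps its own digests (for example `rpm -V` on Red Hat systems), those cover the vendor files but not local configuration, which is why a site-specific baseline like the one above is still needed for the configuration checks in the list.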


– Reporting and Alerting Procedures
Establish a systematic approach for reporting incidents and subsequently notifying affected areas.

Essential communication mechanisms include:
– A monitored central phone, email, pager, or other quick communication device

Establish clearly who to alert first and who should be on the list of people to alert next.

Decide how much information to give each member on the list.

Find ways to minimize negative exposure (see RFC 2196 for guidelines on the level of detail to provide), including:

– Keeping the technical level of detail low
– Working with law enforcement agents to protect evidence
– Delegating all handling of the public to in-house PR people
– Keeping speculation out of public comments


– Responding to the Incident
Control must be regained and normalcy restored.

If stopping the intruder requires shutting down the system, do so.

Keep accurate documentation so that it can be used later to analyze causes and effects.

Keep a log book of all activities during the incident.

– Recovering from an Incident
Make a post-mortem analysis of what happened, how it happened, and what steps need to be taken to prevent similar incidents in the future.

Develop a formal report with a proper chronological sequence of events to be presented to management.

Make sure not to overreact by turning your system into a fortress.


Strengths and Weaknesses of Assessment Technologies

Active Scanning – Strengths

All active scans can be independent of any network management or system administration information. This makes for a much more ‘honest’ security audit of any system or network. Active scans can provide extremely accurate information about what services are running, what hosts are active and if there are any vulnerabilities present.

– Weaknesses
Unfortunately, the information discovered by an active scan may be out of date as soon as the scan is completed. Many small changes to the network topology, such as the addition of new hosts, will go unnoticed until the next active scan. To compensate for speed and potential adverse impact:

– minimize the ports and the vulnerabilities scanned.
Active scans can also generate an excessive amount of firewall and intrusion detection logs.


Passive Scanning – Strengths

The greatest strength of a passive scan is the lack of any impact to the network and the minimal time it takes to find real results. A passive scanner operates 24x7 and when you want to know what vulnerabilities it has seen, a report can be immediately generated.Passive scanning also has an advantage of discovering client side vulnerabilities and vulnerabilities in Intranet networks we don’t have permission to scan.

– Weaknesses
Unfortunately, for a passive scan to work, a detectable host must elicit or respond to a packet. If a server never communicates on the network, the console will never see it.


Host-based Scanning – Strengths

The greatest strengths that host-based scanning has going for it are speed and accuracy. It takes a few seconds in most cases to complete an audit of all patches for a RedHat or Windows 2000 server if credentials have been provided. This audit consists of well-known APIs and patch management tools provided by the underlying operating system.

– Weaknesses
The biggest weakness of host-based scanning with many scanners, such as Nessus and NeWT, is that credentials need to be supplied. Obtaining these credentials often takes time. In many cases, an IT group may not appreciate giving a security group the ability to audit it at any time.
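The active and passive techniques compared on the preceding slides, as an added example that is not code from the slides, from Kizza's text, or from any of the scanners named. The active half is a TCP connect scan with a banner grab, run against a throwaway loopback listener that stands in for a target host (the listener and its OpenSSH-style banner are invented for the demonstration). The passive half builds a host and service inventory purely from a constructed list of packets such as a sensor on a SPAN port would see; all addresses, versions and banners in it are made up. Host-based (credentialed) scanning is not shown because it depends on the target operating system's own patch APIs.

```python
"""Active versus passive discovery (added example, not from the slides)."""
import socket
import threading
from collections import defaultdict


def serve_banner(banner=b"SSH-2.0-OpenSSH_9.6\r\n"):
    """Throwaway loopback listener standing in for a target host: it accepts
    connections and sends a made-up SSH banner. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)                 # so the accept loop can notice the stop flag
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _peer = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop.set


def active_scan(host, ports, timeout=0.5):
    """TCP connect scan: one connection attempt per port and a banner grab on
    success. Returns {open_port: banner_text_or_None}. Every probe is visible
    to the target and to any firewall or IDS on the path, which is where the
    log noise the slide mentions comes from."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:
                continue                # closed or filtered: nothing more to learn here
            try:
                found[port] = s.recv(256).decode(errors="replace").strip() or None
            except socket.timeout:
                found[port] = None      # open, but the service did not speak first
    return found


def closed_port():
    """An ephemeral loopback port that is closed right now (bind, read, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


# Constructed packets as a passive sensor would see them:
# (src_ip, src_port, dst_ip, dst_port, payload). Everything here is invented.
OBSERVED_PACKETS = [
    ("10.0.1.5", 22, "10.0.0.17", 51322, b"SSH-2.0-OpenSSH_8.4\r\n"),
    ("10.0.0.17", 51322, "10.0.1.5", 22, b"SSH-2.0-PuTTY_Release_0.76\r\n"),
    ("10.0.0.22", 52010, "198.51.100.7", 80,
     b"GET / HTTP/1.1\r\nHost: www.example\r\n"
     b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/52.0\r\n\r\n"),
    ("198.51.100.7", 80, "10.0.0.22", 52010,
     b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\nContent-Length: 0\r\n\r\n"),
]


def passive_inventory(packets):
    """Host inventory built only from traffic that was observed. Both ends of a
    packet count as alive; a banner is attributed to the low (listening) port
    side, and client software is read from what the high-port side sends, which
    is how passive scanning learns about client-side software."""
    inv = defaultdict(set)
    for src, sport, dst, dport, payload in packets:
        inv[src]                        # touching the key marks the host alive
        inv[dst]
        lines = payload.decode(errors="replace").split("\r\n")
        tag = f"{sport}/tcp" if sport < dport else "client"
        if lines[0].startswith("SSH-"):           # SSH version exchange, either side
            inv[src].add(f"{tag} {lines[0]}")
        for line in lines[1:]:                    # HTTP headers that name software
            key, _, value = line.partition(":")
            if key.lower() in ("server", "user-agent"):
                inv[src].add(f"{tag} {value.strip()}")
    return {host: sorted(obs) for host, obs in inv.items()}


if __name__ == "__main__":
    port, stop = serve_banner()
    print("active:", active_scan("127.0.0.1", [port, closed_port()]))
    stop()
    for host, obs in passive_inventory(OBSERVED_PACKETS).items():
        print("passive:", host, obs)
```

The two halves fail in opposite ways. The active scan reports exactly what answered at the moment it ran and nothing about a host added a minute later, and each probe leaves a trace on the target. The passive inventory never touches the network and picks up the workstation's browser version from its own request, something an active scan of that workstation would not reveal, but a host that neither sends nor receives a packet during the observation window (10.0.1.9 in the usage below, say) simply does not exist as far as the sensor is concerned.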