Finding Network Vulnerabilities

PowerPoint presentation transcript
Objectives
• Define vulnerabilities
• Name the common categories of vulnerabilities
• Discuss common system and network vulnerabilities
• Locate and access sources of information about emerging vulnerabilities
• Identify the names and functions of the widely available scanning and analysis tools
Firewalls & Network Security, 2nd ed. - Chapter 4 Slide 2
Introduction
• To maintain secure networks, information security professionals must be prepared to identify system vulnerabilities, whether by hiring system assessment experts or by conducting self-assessments using scanning and penetration tools
• A network security vulnerability is a defect in a product, process, or procedure that, if exploited, may result in a violation of security policy, which in turn might lead to loss of revenue, loss of information, or loss of value to the organization
Common Vulnerabilities
Common vulnerabilities fall into two broad classes:
• Defects in software or firmware
• Weaknesses in processes and procedures
Defects in Software or Firmware
• Buffer overruns (or buffer overflows) arise when the quantity of input data exceeds the size of the available data area (buffer)
• Injection attacks can occur when a programmer does not properly validate user input and allows an attacker to include input that, when passed to a database, gives rise to SQL injection vulnerabilities
• Network traffic is vulnerable to eavesdropping because a network medium is essentially an open channel
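
The injection bullet above in working code, as an added example that is not from the textbook: the defective pattern (input pasted into the query text) beside a parameterised query and an allow-list validator, run against a constructed in-memory SQLite table (`make_db`, the `users` table and the crafted input are all assumptions).

```python
import sqlite3

def make_db():
    """Constructed in-memory table for the demo; not data from the textbook."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, name):
    """The defect the slide describes: unvalidated input is pasted into the
    query text, so a quote in `name` changes the SQL the database parses."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def lookup_hardened(conn, name):
    """Parameterised query: the driver passes the value out of band, so it is
    only ever compared as data and never parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def is_valid_username(name):
    """The input validation the slide asks for: an allow-list of characters.
    Defence in depth alongside parameterisation, not a replacement for it."""
    return 1 <= len(name) <= 32 and name.isalnum()

if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"  # closes the quoted literal early, then adds a true clause
    print(lookup_vulnerable(conn, "bob"))     # one row
    print(lookup_vulnerable(conn, crafted))   # every row: the WHERE clause was rewritten
    print(lookup_hardened(conn, crafted))     # no rows: treated as a literal name
    print(is_valid_username(crafted))         # False: rejected before reaching the database
```
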
Defects in Software or Firmware (continued)
• How can security professionals remain abreast of all the vulnerabilities?
• First and perhaps foremost, they must know:
– The organization’s security policies
– The software and hardware the organization uses
• Information security professionals should regularly consult these public disclosure lists:
– Vendor announcements
– Full disclosure mailing lists
– CVE: the Common Vulnerabilities and Exposures database, http://cve.mitre.org/cve/index.html
Vendor Announcements
BugTraq
http://www.securityfocus.com/archive/1/description
Weaknesses in Processes and Procedures
• Just as hazardous as software vulnerabilities
• More difficult to detect and fix because they typically involve the human element
• Often arise when policy is violated or when the processes and procedures that implement policy are inadequate or fail
• To ensure security policy is implemented, organizations should hold regular security awareness training and regularly review policies and their implementation
Scanning and Analysis Tools
• To truly assess risk within a computing environment, technical controls must be deployed using a strategy of defense in depth
• Scanners and analysis tools can find vulnerabilities in systems, holes in security components, and unsecured aspects of the network
• Scanners, sniffers, and other such vulnerability analysis tools are invaluable because they enable administrators to see what attackers see
Scanning and Analysis Tools (continued)
• Scanning tools are typically used as part of an attack protocol
• An attack protocol is a series of steps or processes used by an attacker, in logical sequence, to launch an attack against a target system or network
• This may begin with a collection of publicly available information about a potential target, a process known as footprinting
• The attacker uses public Internet data sources to perform searches to identify the network addresses of the organization
Footprinting
• The most important information for footprinting purposes is the IP address range
• Another piece of useful information is the name, phone number, and e-mail address of the technical contact
• This research is augmented by browsing the organization’s Web pages, since Web pages usually contain information about internal systems, the individuals developing the Web pages, and other tidbits that can be used for social engineering attacks
Footprinting (continued)
• To assist in the footprint intelligence collection process, an enhanced Web scanner can be used that, among other things, can scan entire Web sites for valuable pieces of information, such as server names and e-mail addresses
• Sam Spade
– http://www.samspade.org/
Sam Spade
Fingerprinting
• The next phase of the attack protocol is a data-gathering process called fingerprinting, a systematic survey of all of the target organization’s Internet addresses that is conducted to identify the network services offered by the hosts in that range
• Fingerprinting reveals useful information about the internal structure and operational nature of the target system or network
Port Scanners
Nmap, the most popular port scanner: http://insecure.org/
• Port scanning utilities (port scanners) are tools used by both attackers and defenders to identify computers that are active on a network, as well as the ports and services active on those computers, the functions and roles the machines are fulfilling, and other useful information
• The more specific the scanner is, the better and more useful the information it provides, but a generic, broad-based scanner can help locate and identify rogue nodes on the network
Port Scanners (continued)
• A port is a network channel or connection point in a data communications system
• Within TCP/IP, TCP and UDP port numbers differentiate the multiple communication channels used to connect to the network services being offered on the same device
• In all, there are 65,536 port numbers in use for TCP and another 65,536 port numbers for UDP
• Ports greater than 1023 are typically referred to as ephemeral ports and may be randomly allocated to server and client processes
Port Scanners (continued)
• Why secure open ports?
• An open port is an open door and can be used by an attacker to send commands to a computer, potentially gain access to a server, and possibly exert control over a networking device
• The general policy statement is to remove from service or secure any port not absolutely necessary to conducting business
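
An added example, not from the textbook, that turns the port definitions and the open-port policy above into a check: each probed port is classified by the slide's 1023 split, and any open port absent from an allow-list is flagged for review. `ALLOWED_PORTS`, the loopback demo and the injectable `probe` argument are assumptions.

```python
import socket
from contextlib import closing

# Constructed allow-list standing in for the organisation's policy: any open
# port not listed here is a candidate to remove from service or secure.
ALLOWED_PORTS = {22, 443}

def port_class(port):
    """Classify a port using the slide's split: 0-1023 vs. above 1023."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return "well-known" if port <= 1023 else "ephemeral"

def tcp_connect_probe(host, port, timeout=0.5):
    """True if a TCP handshake completes, i.e. something is listening."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            return sock.connect_ex((host, port)) == 0
        except (socket.timeout, OSError):  # filtered or unreachable: treat as not open
            return False

def audit_ports(host, ports, allowed=ALLOWED_PORTS, probe=tcp_connect_probe):
    """Probe each port; return {port: (state, class, verdict)}.
    `probe` is injectable so the policy logic can run without a network."""
    report = {}
    for port in ports:
        is_open = probe(host, port)
        state = "open" if is_open else "closed"
        verdict = "REVIEW" if is_open and port not in allowed else "ok"
        report[port] = (state, port_class(port), verdict)
    return report

def unexpected_open(report):
    """Ports that violate policy, sorted so reports are stable."""
    return sorted(p for p, (_, _, verdict) in report.items() if verdict == "REVIEW")

if __name__ == "__main__":
    # Self-contained demo: listen on a free port on loopback, then audit it.
    with closing(socket.socket()) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        demo_port = listener.getsockname()[1]
        report = audit_ports("127.0.0.1", [22, 443, demo_port])
        for port, row in sorted(report.items()):
            print(port, *row)
        print("needs review:", unexpected_open(report))
```
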
Firewall Analysis Tools
• Understanding exactly where the organization’s firewall is located and what the existing rule sets do are very important steps for any security administrator
• Several tools automate remote discovery of firewall rules and assist the administrator (or attacker) in analyzing the rules to determine exactly what they allow and what they reject
– Firewalk: http://packetstormsecurity.org/UNIX/audit/firewalk/
– hping: http://www.hping.org/
Firewall Analysis Tools (continued)
• Administrators wary of using the same tools attackers use should remember:
– Regardless of the nature of the tool used to validate or analyze a firewall’s configuration, it is the intent of the user that dictates how the information gathered will be used
– To defend a computer or network, it is necessary to understand the ways it can be attacked; thus, a tool that can help close up an open or poorly configured firewall helps the network defender minimize the risk from attack
Operating System Detection Tools
• Identifying the target computer’s operating system is very valuable to an attacker
• Once the operating system is known, it is easy to determine all the vulnerabilities to which it might be susceptible
• XProbe: http://sourceforge.net/projects/xprobe
Vulnerability Scanners
• A passive vulnerability scanner listens in on the network and identifies vulnerable versions of both server and client software
– NeVO: http://windowsitpro.com/article/articleid/40422/passive-vulnerability-scanning.html
– RNA: http://blog.tenablesecurity.com/2006/07/network_world_r.html
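
What the version check inside a passive scanner looks like, as an added example that is neither the textbook's nor any listed product's code: constructed banner observations (`OBSERVED`) of the kind copied off the wire are matched against a constructed minimum-version table (`MIN_SAFE`); both are assumptions, and the floors are policy values, not claims about real vulnerabilities.

```python
import re

# Constructed observations (not real traffic) of the kind a passive scanner
# pulls from copied packets: which endpoint announced which banner.
OBSERVED = [
    "10.0.0.5:22    -> 10.0.0.9:51044  SSH-2.0-OpenSSH_7.4",
    "10.0.0.7:80    -> 10.0.0.9:51046  Server: Apache/2.4.41 (Ubuntu)",
    "10.0.0.9:51050 -> 10.0.0.7:80     User-Agent: Mozilla/5.0 ExampleClient/3.1",
    "10.0.0.8:25    -> 10.0.0.9:51052  220 mail ESMTP Postfix 3.4.13",
]

# Constructed policy floors (lowest version the defender accepts), not claims
# that lower versions carry a specific flaw; real floors come from advisories/CVE.
MIN_SAFE = {"OpenSSH": (8, 0), "Apache": (2, 4, 41), "ExampleClient": (4, 0)}

BANNER_PATTERNS = [  # (regex capturing the version, product name)
    (r"OpenSSH_([\d.]+)", "OpenSSH"),
    (r"Apache/([\d.]+)", "Apache"),
    (r"ExampleClient/([\d.]+)", "ExampleClient"),
    (r"Postfix ([\d.]+)", "Postfix"),
]

def parse_version(text):
    """'2.4.41' -> (2, 4, 41); tuples compare numerically, strings do not."""
    return tuple(int(p) for p in text.strip(".").split("."))

def identify(line):
    """Return (speaker, product, version) for a recognised banner, else None."""
    speaker = line.split()[0]  # the endpoint that sent the banner
    for pattern, product in BANNER_PATTERNS:
        match = re.search(pattern, line)
        if match:
            return speaker, product, parse_version(match.group(1))
    return None

def passive_scan(lines, min_safe=MIN_SAFE):
    """Flag each host (server or client) announcing a version below its floor.
    Products with no floor are reported 'unknown' rather than silently passed."""
    findings = []
    for line in lines:
        hit = identify(line)
        if hit is None:
            continue
        host, product, version = hit
        floor = min_safe.get(product)
        status = ("unknown" if floor is None
                  else "outdated" if version < floor else "ok")
        findings.append((host, product, ".".join(map(str, version)), status))
    return findings

if __name__ == "__main__":
    for finding in passive_scan(OBSERVED):
        print(*finding)
```
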
Vulnerability Scanners (continued)
• Active vulnerability scanners scan networks for highly detailed information by initiating network traffic in order to identify security holes
– These scanners identify exposed usernames and groups, show open network shares, and expose configuration problems and other vulnerabilities in servers
– GFI LANguard: http://www.gfi.com/lannetscan/
– SPIKE: http://www.darknet.org.uk/2006/08/spikesource-spike-php-security-audit-tool/
– SPIKE Proxy: http://www.immunitysec.com/
– Nessus: http://www.nessus.org/nessus/
Vulnerability Scanners (continued)
Vulnerability Validation
• Often, an organization requires proof that a system is actually vulnerable to certain attacks
• It may require such proof to avoid having system administrators attempt to repair systems that are not broken, or because it has not yet built a satisfactory relationship with the vulnerability assessment team
• A class of scanners exists that exploit the remote machine and allow the vulnerability analyst (penetration tester) to create accounts, modify Web pages, or view data
Packet Sniffers
http://www.wireshark.org/news/20060607.html
• A network tool that collects copies of packets from the network and analyzes them
• Sometimes called a network protocol analyzer
• Can provide the network administrator with valuable information for diagnosing and resolving networking issues
• In the wrong hands, a sniffer can be used to eavesdrop on network traffic
Wireless Security Tools
http://www.netstumbler.org/
• A wireless connection, while convenient, has many potential security holes
• The security professional must assess the risk of wireless networks
• A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network
Penetration Testing
• A penetration test involves using all the techniques and tools available to an attacker in order to attempt to compromise or penetrate an organization’s defenses
• Penetration testing can be performed by an internal group (a so-called “red team”) or outsourced to an external organization
• One variable of the penetration test, whether performed internally or outsourced, is the amount of information provided to the red team
Penetration Testing (continued)
• Three categories of testing:
– Black box: the red team is given no information whatsoever about the organization and approaches it as an external attacker would
– Gray box: the red team is given some general information about the organization, such as its general structure, network address ranges, and software and versions
– White box: the red team has full information on the organization and its structure
Chapter Summary
• To maintain secure networks, information security professionals must be prepared to systematically identify system vulnerabilities
• This is often done by performing a self-assessment using scanning and penetration testing tools
• Common vulnerabilities fall into two classes:
– Defects in software or firmware
– Weaknesses in processes and procedures
Chapter Summary (continued)
• Information security professionals should regularly consult vendor announcements, full disclosure mailing lists, and the Common Vulnerabilities and Exposures (CVE) database
• To assess risk within a computing environment, network professionals must use tools such as intrusion detection systems (IDPS), active vulnerability scanners, passive vulnerability scanners, automated log analyzers, and protocol analyzers (sniffers)
Chapter Summary (continued)
• Many organizations use a penetration test to assess their security posture on a regular basis
• The penetration test team (red team) uses all the techniques and tools available to attackers in order to attempt to compromise or penetrate an organization’s defenses