Security Assessment and Testing

CISSP: CHAPTER 6

6 SECURITY ASSESSMENT AND TESTING OBJECTIVES

Introduction to Security Assessments
Vulnerability Assessments
Penetration Testing
Remediation
Intrusion Detection
Audit Logs
Common Vulnerabilities

VULNERABILITY ASSESSMENTS AND PENETRATION TESTING

Vulnerability Assessment
Physical / Administrative / Logical
Identify weaknesses

Penetration Testing
Ethical hacking to validate discovered weaknesses
Red Teams (Attack)/Blue Teams (Defend)

NIST SP 800-42 Guideline on Security Testing

DEGREE OF KNOWLEDGE

Zero Knowledge (Black Box Testing): The team has no knowledge of the target and must start with only information that is publicly available. This simulates an external attack
Partial Knowledge: The team has limited knowledge of the organization
Full Knowledge: This simulates an internal attack. The team has full knowledge of network operations

VULNERABILITY SCANNING

Identifying:
Active hosts on network
Active and vulnerable services (ports) on hosts
Applications
Operating systems
Vulnerabilities associated with discovered OS & applications
Misconfigured settings
Testing compliance with host application usage/security policies
Establishing a foundation for penetration testing

ATTACK METHODOLOGY

Test Attacks 1 of 2
Reconnaissance
WHOIS database, company website, job search engines, social networking
Footprinting
Mapping the network (Nmap)
ICMP ping sweeps
DNS zone transfers
Fingerprinting: identifying host information
Port scanning
Vulnerability assessment
Identifying weaknesses in system configurations
Discovering unpatched software

ATTACK METHODOLOGY (CONTINUED)

Test Attacks 2 of 2
The “attack”
Penetration
Privilege escalation
RunAs, su
Root kits
Collection of tools to allow continued access. Includes
Back Door software
Can update the kernel of the operating system
Very difficult to detect
Cover tracks
Trojaned Programs: The attacker replaces default utilities with versions that masquerade as the real system utilities and provide the normal services, but are altered so that they will not reveal the backdoor software
Log Scrubbers

TESTING GUIDELINES
Why Test?
Risk analysis
Certification
Accreditation
Security architectures
Policy development
Develop a cohesive, well-planned, and operational security testing program

PENETRATION TESTING CONSIDERATIONS

Three basic requirements:
Meet with Senior management to determine the goal of the Assessment
Document Rules of Engagement
Get sign off from Senior Management
Issue: it could disrupt productivity and systems

Overall purpose is to determine subject’s ability to withstand an attack and determine effectiveness of current security measures

Tester should determine effectiveness of safeguards and identify areas of improvement. NOTE: THE TESTER SHOULD NOT BE THE ONE SUGGESTING REMEDIATION; THIS VIOLATES SEPARATION OF DUTIES.

RULES OF ENGAGEMENT

Specific IP addresses/ranges to be tested
Any restricted hosts
A list of acceptable testing techniques
Times when testing is to be conducted
Points of contact for the penetration testing team, the targeted systems, and the networks
Measures to prevent law enforcement being called with false alarms
Handling of information collected by penetration testing team

TYPES OF PENETRATION TESTS

Physical Security
Access into building or department
Wiring closets, locked file cabinets, offices, server room, sensitive areas
Remove materials from building

Administrative Security
Help desk giving out sensitive information, data on disposed disks

Logical Security
Attacks on systems, networks, communication

APPROACHES TO TESTING

Do not rely on single method of attack
Get creative
Path of least resistance
Start with users—social engineering is often the easiest way to gain access
Break the rules
Even if a company follows its own policy, standards and procedures, it does not mean that there are no vulnerabilities
Attempt things not expected

APPROACHES TO TESTING

Do not rely exclusively on high-tech tools
Dumpster diving

Stealth methods may be required

Do not damage systems or data

Do not overlook small weaknesses in the search for the big ones

Have a toolkit of techniques

NETWORK SCANNING

List of all active hosts
Network services:
ICMP
UDP & TCP
Port scanner:
Nmap
Fingerprinting
Banner Grabbing

PASSWORD CRACKING
Goal is to identify weak passwords
Passwords are generally stored and transmitted in a hashed form (a one-way transformation, often loosely described as encrypted) rather than as plaintext
Password cracking requires captured password hashes
Hashes can be intercepted
Can be retrieved from the targeted system

PASSWORD CRACKING TECHNIQUES

Dictionary attack
Brute force
Hybrid attack
LanMan password hashes
Theoretically all passwords are “crackable”
Rainbow tables

ROGUE INFRASTRUCTURES

Unauthorized DHCP Servers can be used to redirect hosts to rogue DNS servers
Rogue DNS Servers can direct traffic to spoofed hosts
DNS zone transfer information contains MUCH information about a network and its configuration
Countermeasures:
Secure physical access to the network
Require DHCP servers to be authorized
Use DHCP reservations and MAC addressing to control assignment of IPs
Allow DNS zone transfers only to specific hosts

WAR DIALING

Goal is to discover unauthorized modems
Provide a means to bypass most or all of the security measures in place

Dial large blocks of phone numbers in search of available modems
Should be conducted at least annually
Should be performed after-hours

Include all numbers that belong to an organization, except those that could be impacted negatively
If removal is not possible, block inbound calls to the modem

CORRECTIVE ACTIONS – 1 OF 2

Investigate and disconnect unauthorized hosts
Disable or remove unnecessary and vulnerable services
Modify vulnerable hosts to restrict access to vulnerable services to a limited number of required hosts (e.g., host-level firewall or TCP wrappers)
Modify enterprise firewalls to restrict outside access to known vulnerable services
Ingress filtering: no inbound traffic is allowed whose source address is an internal address (blocks spoofing)
Egress filtering: no outbound traffic is allowed whose source address is not one of the organization's own (prevents internal hosts from being used in spoofed DDoS attacks)
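The two filtering rules above, as an added example that is not part of the original slides: a minimal packet filter that applies the ingress and egress checks. The internal address ranges and the sample packets are constructed for the demonstration.

```python
# Added example (not from the slides): a minimal packet filter applying the
# ingress and egress rules above. Address space and packets are constructed.
import ipaddress

# Assumption: the organization owns only these address ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.1.0/24")]


def is_internal(addr):
    """True if addr falls inside one of the organization's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(direction, src, dst):
    """Return (verdict, reason) for one packet.

    direction is "inbound" (arriving from outside) or "outbound".
    Ingress rule: an inbound packet must not claim an internal source address.
    Egress rule: an outbound packet must carry one of our own source addresses.
    """
    if direction == "inbound":
        if is_internal(src):
            return "DROP", "ingress: internal source address from outside (spoofing)"
        return "ACCEPT", "ingress: ok"
    if direction == "outbound":
        if not is_internal(src):
            return "DROP", "egress: source address not ours (DDoS spoofing)"
        return "ACCEPT", "egress: ok"
    raise ValueError("unknown direction: " + direction)


# Constructed sample packets: (direction, source, destination)
SAMPLE_PACKETS = [
    ("inbound", "203.0.113.7", "192.168.1.10"),   # normal inbound
    ("inbound", "10.1.2.3", "192.168.1.10"),      # claims to be internal: spoofed
    ("outbound", "192.168.1.10", "203.0.113.7"),  # normal outbound
    ("outbound", "198.51.100.9", "203.0.113.7"),  # source not ours: spoofed
]


def audit(packets=SAMPLE_PACKETS):
    """Apply the filter to every packet; returns a list of (verdict, reason)."""
    return [filter_packet(*pkt) for pkt in packets]


if __name__ == "__main__":
    for pkt, (verdict, why) in zip(SAMPLE_PACKETS, audit()):
        print(verdict, pkt, "-", why)
```

The same two checks are what the enterprise firewall rules in the list above express; the host-level version shows which packet attribute (the source address, in each direction) the rule actually tests.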

CORRECTIVE ACTIONS – 2 OF 2

Upgrade or patch vulnerable systems
Deploy mitigating countermeasures
Improve configuration management program and procedures
Assign a staff member to:
Monitor vulnerability alerts/mailing lists
Examine applicability to environment
Initiate appropriate system changes
Modify the organization’s security policies and architecture
All of the above require going through proper change management procedures

WATCHING NETWORK TRAFFIC

Traffic Analysis—Side Channel Analysis
Watching traffic and its patterns to try to determine if something special is taking place. For example:
A lot of traffic between two military units may indicate that an attack is being planned
Traffic between human resources and headquarters may indicate layoffs are around the corner
Traffic Padding
Generating spurious data in traffic to make traffic analysis more difficult
Sending out decoy attacks
The amount and nature of traffic may be masked
Attempt to keep traffic constant so no information can be gained

PROTOCOL ANALYZERS (SNIFFERS) AND PRIVACY

Promiscuous mode
Bridging / Switching can affect the Packet Capture

IDS
An IDS is a tool in a layered security model. The purpose of an IDS is to:
Identify suspicious activity
Log activity
Respond (alert people)
Needs an interface in “Promiscuous” Mode
Port Mirroring/Span needs to be enabled to view traffic on a switch

IDS CATEGORIES
The IDS categories discussed below:
HIDS – Host Based Intrusion Detection System
NIDS – Network Intrusion Detection System

IDS COMPONENTS

Both types of IDS have several components that make up the product:
Sensor – Data collector
On network segments (NIDS)
Or on hosts (HIDS)
Analysis Engine – Analyzes data collected by the sensor and determines if there is suspicious activity
Signature Database – Used by the analysis engine; defines signatures of previously known attacks
User Interface and Reporting – The way the system interacts with users

IDS COMPONENTS

HIDS

Host-based Intrusion Detection Systems – Examine the operation of a SINGLE system independently to determine if anything “of note” is going on.

Some things a HIDS will look at:
Logins
System Log files / audit files
Application Log Files / audit files
File Activity / Changes to software
Configuration Files changes
Processes being launched or stopped
Use of certain programs
CPU usage
Network Traffic to/from Computer
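The “file activity / changes to software / configuration file changes” items above are what a file-integrity check inside a HIDS does. As an added example (not from the slides or any particular product), the check is implemented as a hash baseline over a directory; the fake configuration directory and the tampering in demo() are constructed.

```python
# Added example (not from the slides): a HIDS-style file-integrity baseline.
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file's contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Map each file under root (path relative to root) to its hash."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def compare(baseline, current):
    """Return sorted (event, path) pairs: added, removed or modified files."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            events.append(("added", rel))
        elif rel not in current:
            events.append(("removed", rel))
        elif baseline[rel] != current[rel]:
            events.append(("modified", rel))
    return events

def write(root, name, text):
    """Helper for the constructed scenario: create or overwrite a text file."""
    with open(os.path.join(root, name), "w") as f:
        f.write(text)

def demo():
    """Constructed scenario: baseline a fake config directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "passwd", "root:x:0:0::/root:/bin/sh\n")
        write(root, "sshd_config", "PermitRootLogin no\n")
        baseline = build_baseline(root)
        # Simulated tampering: setting weakened, new binary dropped, file removed.
        write(root, "sshd_config", "PermitRootLogin yes\n")
        write(root, "ls", "#!/bin/sh\n")
        os.remove(os.path.join(root, "passwd"))
        return compare(baseline, build_baseline(root))
```

In a real deployment the baseline itself must be stored where a compromised host cannot rewrite it, which is the “HIDS could be disabled if the machine is hacked” problem listed under the disadvantages.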

ADVANTAGES OF HIDS
Can be operating system and application specific – might understand the latest attack against a certain service on a host.
They can look at data after it’s been decrypted (network traffic is often encrypted)*

DISADVANTAGES OF HIDS

Only protect one machine (or must be loaded on every machine you want to protect)
Use local system resources (CPU/memory)
They don’t see what’s going on on other machines.
Scalability
The HIDS could be disabled if machine is hacked

NETWORK BASED IDS
A concept focused on watching an entire network and all associated machines. It focuses specifically on network traffic; in this case the “sensor” is sometimes called a “traffic collector”.

Looks at:
Source IP
Destination IP
Protocol
Port numbers
Data content

NETWORK BASED IDS

A NIDS system will often look for
DoS Attacks
Port Scans
Malicious content
Vulnerability tests
Tunneling
Brute Force Attacks

NETWORK BASED IDS

In addition to looking for attacks, a NIDS can watch the internal network for policy violations.

Example:
Detecting instant messaging or streaming video.

NIDS ADVANTAGES

A single NIDS sensor can cover a whole network. What happens if I want to cover multiple networks?
Deployment is usually easier
A NIDS can see things that are happening on multiple machines; it gets a bigger picture and may see distributed attacks that a HIDS would miss

NIDS PROBLEMS

Data must be UNENCRYPTED for a NIDS to analyze it. Since so many protocols are now encrypted, it is hard for the NIDS to see what is going on.*
Switches cause problems for NIDS—port span should be implemented on the switch port
If only on the perimeter, it can miss things on the inside.
It must be able to handle LOTS of data to be effective! (should be able to handle wire speed+)
It does not see what is going on on a server directly

IDS VS. IPS

An IDS is generally a passive device.

An IPS is an IDS that takes an active approach. Examples:
Activate firewall rules dynamically
Shut down TCP traffic

ANALYSIS ENGINES

Pattern Matching
Profile Matching

SIGNATURE BASED (PATTERN MATCHING)

Most network attacks have distinct “signatures”, that is, characteristic data that is passed between attacker and victim. A signature-based NIDS has a database of known attack signatures and compares network traffic against this database.
Concerns for signature-based systems:
Pay for a signature subscription from the vendor*
Keep signatures updated*
Does not protect against 0-day attacks!

ANOMALY/BEHAVIOR/HEURISTICS
(PROFILE MATCHING)

Anomaly-based systems look for changes in “normal” behavior.
To do this you generally let an anomaly-based system learn what normal behavior is over a few days or weeks, creating a baseline. The anomaly-based system will then look for traffic types and volumes that are outside of the normal behavior.

Anomaly/Behavior/Heuristics
Advantages
Can possibly detect 0days*
Can detect behavioral changes that might not be technical attacks (like employees preparing to commit fraud)*
Disadvantages
Lots of false positives*
Often ignored due to reason above
Requires a much more skilled analyst
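The two analysis engines described above (pattern matching and profile matching), as an added example that is not from the slides or any IDS product: both engines are run over the same constructed connection log, so the reader can see which events each one catches and which it misses. The log lines, the signature list and the byte-count profile are all constructed.

```python
# Added example (not from the slides): a signature engine and an anomaly engine
# run over the same constructed connection log ("src dst port bytes payload").
import statistics

TRAINING = [  # constructed "normal" traffic used to build the baseline
    "10.0.0.5 10.0.0.80 80 512 GET /index.html",
    "10.0.0.6 10.0.0.80 80 640 GET /about.html",
    "10.0.0.7 10.0.0.80 80 480 GET /news.html",
    "10.0.0.5 10.0.0.80 80 700 POST /login",
]
LIVE = [  # constructed traffic to inspect
    "10.0.0.5 10.0.0.80 80 530 GET /index.html",                # normal
    "203.0.113.9 10.0.0.80 80 590 GET /cgi-bin/x?cmd=/bin/sh",  # known pattern
    "203.0.113.9 10.0.0.80 80 90000 POST /upload",              # huge volume, no signature
    "10.0.0.5 10.0.0.80 6667 300 NICK bot42",                   # port never seen in baseline
]
SIGNATURES = [("shell-in-url", "/bin/sh"), ("dir-traversal", "../")]  # known-attack patterns

def parse(line):
    src, dst, port, nbytes, payload = line.split(" ", 4)
    return {"src": src, "port": int(port), "bytes": int(nbytes), "payload": payload}

def signature_alerts(lines):
    """Pattern matching: (signature name, src) for each payload containing a known pattern."""
    alerts = []
    for rec in map(parse, lines):
        for name, pattern in SIGNATURES:
            if pattern in rec["payload"]:
                alerts.append((name, rec["src"]))
    return alerts

def build_profile(lines):
    """Learn 'normal': mean and standard deviation of bytes per destination port."""
    by_port = {}
    for rec in map(parse, lines):
        by_port.setdefault(rec["port"], []).append(rec["bytes"])
    return {p: (statistics.mean(v), statistics.stdev(v)) for p, v in by_port.items()}

def anomaly_alerts(lines, profile, z_limit=3.0):
    """Profile matching: flag ports absent from the baseline and byte counts far outside it."""
    alerts = []
    for rec in map(parse, lines):
        if rec["port"] not in profile:
            alerts.append(("unseen-port", rec["src"]))
        else:
            mean, stdev = profile[rec["port"]]
            z = (rec["bytes"] - mean) / stdev if stdev else 0.0
            if abs(z) > z_limit:
                alerts.append(("volume-anomaly", rec["src"]))
    return alerts
```

Only the signature engine names the attack, and only the anomaly engine notices the oversized upload and the unfamiliar port; lowering z_limit makes the anomaly engine catch more at the cost of the false positives listed above.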

BYPASSING AN IDS

Evasion attack (“flying under the radar”): many small attacks from different directions
Insertion attack (geared toward signature-based systems): adding meaningless information (without modifying the payload) to a known attack

RULES BASED

Uses expert systems / knowledge-based systems.
These use a database of knowledge and an “inference engine” to try to mimic human knowledge. It is as if a person were watching the data in real time and had knowledge of how attacks work.

PROMISCUOUS MODE
Network interfaces generally only look at packets specifically intended for their MAC address. To accomplish sniffing, network analysis, or IDS functionality, you have to put network interfaces into promiscuous mode

HONEYPOT
Deployment:
Pseudo Flaw: Loophole purposely added to operating system or application to trap intruders
Sacrificial lamb system on the network
Administrators hope that intruders will attack this system instead of their production systems
It is enticing because many ports are open and services are running
Be careful of enticement vs. entrapment

PADDED CELL AND VULNERABILITY TOOLS
Concept used in software programming where a “safe” environment is created for applications and processes to run in
Similar to a virtual machine

Concept used in IDS where identified intruder is moved to a “safe” environment without their knowing
Simulated environment to keep the intruder happy and busy
Hopefully leave production systems alone

aka: Self Mutating Honeypot, Tarpit
