Maximum Assurance: Key Decision Points for Network Vulnerability Assessments
from the Maximum Assurance Series
Pivot Point Security
Hamilton Square, NJ

The Maximum Assurance presentations are intended to provide guidance to organizations seeking information assurance by clearly defining Security Assessment activities and their critical decision points
Terms Used to Communicate Activities
Methodology (actions/steps/rationale)
Scope (matching activity to objective)
Key Decision Points
Value Proposition (Assurance level)
Objective
Master Assurance Series Pivot Point Security - Balancing Security, Building Trust

NETWORK VULNERABILITY ASSESSMENT (NVA)
Quick Overview

What Is Network Vulnerability Assessment (NVA)
Systematic examination of network-attached devices (e.g., computer, router) to identify vulnerabilities (weaknesses) in design/configuration that can result in a negative impact
Vulnerabilities generally result from default configurations, configuration errors, security holes in applications, and missing patches
NVAs are conducted by a network scanner (a purpose-built computer) and generally include very little human involvement
NVAs provide significant value for both public and private networks/systems
NVAs are a good way to rapidly assess your security posture and the efficacy of your vulnerability management program (e.g., patch/configuration management)
NVAs can be stand-alone and/or the first step in a Penetration Test
Be cautious:
NVAs can (and do!) generate false positives
NVAs run with default settings can often miss critical vulnerabilities
NVAs can provide a staggeringly large amount of information in a moderate or larger environment

Discrete Components of an NVA
An NVA actually incorporates a number of discrete steps:
Scoping - What are our objectives? Which network segments? What is an appropriate sampling?
Discovery - What devices are out there? How will we go about discovering them?
Port Scanning - What ports will be scanned? What “ports” are “open”?
Vulnerability Detection - For each service discovered on a port, are there problems with the configuration or version that indicate a vulnerability?
Advanced Techniques - What advanced techniques (e.g., Credentialed/Content/Passive Scanning) should we leverage?
Reporting - Communicating the results of the NVA, preferably in a manner that is readily understood by management and technical resources, easily interpreted, and actionable

Key Decision Points
For NETWORK VULNERABILITY ASSESSMENT (NVA)

Key Decision Points: SCOPING
SCOPING & RIGOR … should be aligned with the assessment objectives and proportional to the risk being measured
Choose subnets and system coverage to provide desired assurance
For audit & compliance there is a significant benefit to representative sampling across system types, function, and location to reduce data overload
Leverage the information gained in the statistical sampling across the entire environment during the mitigation phase
If warranted, post mitigation run a secondary “confirmatory” scan across a different or wider sampling to confirm the efficacy of the mitigation efforts and provide a higher level of assurance
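The sampling approach on this slide, as an added example that is not part of the original presentation: hosts are grouped by system type, function, and location, one host per group is scanned first, and the confirmatory scan draws different hosts where a group has any. The inventory, host names, and seeds are constructed for illustration.

```python
import random
from collections import defaultdict

# Constructed inventory (host, system type, function, location); not from the presentation.
INVENTORY = [
    ("web01", "linux", "web", "nj"), ("web02", "linux", "web", "nj"),
    ("web03", "linux", "web", "ny"), ("db01", "linux", "database", "nj"),
    ("db02", "linux", "database", "nj"), ("dc01", "windows", "directory", "nj"),
    ("dc02", "windows", "directory", "ny"), ("ws01", "windows", "desktop", "nj"),
    ("ws02", "windows", "desktop", "nj"), ("ws03", "windows", "desktop", "nj"),
    ("ws04", "windows", "desktop", "ny"), ("rtr01", "router", "network", "nj"),
]

def strata(inventory):
    """Group hosts by (system type, function, location)."""
    groups = defaultdict(list)
    for host, *key in inventory:
        groups[tuple(key)].append(host)
    return dict(groups)

def pick_sample(inventory, per_stratum, seed, exclude=frozenset()):
    """Choose up to per_stratum hosts from every stratum.

    Hosts in `exclude` are skipped so a confirmatory scan covers different
    systems; a stratum with no other hosts is re-sampled rather than dropped,
    so every type/function/location stays represented.
    """
    rng = random.Random(seed)  # seeded so the chosen scope can be reproduced
    chosen = {}
    for key, hosts in sorted(strata(inventory).items()):
        pool = [h for h in hosts if h not in exclude] or hosts
        chosen[key] = sorted(rng.sample(pool, min(per_stratum, len(pool))))
    return chosen

def hosts_of(sample):
    """Flatten a sample into the set of host names it contains."""
    return {h for hosts in sample.values() for h in hosts}

INITIAL = pick_sample(INVENTORY, per_stratum=1, seed=2024)
CONFIRMATORY = pick_sample(INVENTORY, per_stratum=1, seed=2025,
                           exclude=hosts_of(INITIAL))

if __name__ == "__main__":
    for key in INITIAL:
        print(key, "initial:", INITIAL[key], "confirmatory:", CONFIRMATORY[key])
```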

Key Decision Points: OBJECTIVES
Vulnerability Assessments are also a good way to gauge the effectiveness of an organization’s Incident Detection and Incident Response Programs or Intrusion Prevention systems

Key Decision Points: THE DISCOVERY PHASE
Black/Grey/White Hat:
Black Hat is worthwhile if you are trying to validate the effectiveness of obfuscation efforts (or if you are looking to assess Incident Response)
Else … there are significant benefits to White Hat (full disclosure):
It is less time consuming/expensive
It results in fewer false positives

Key Decision Points: PORT SCANNING
Ports are “addresses” on which different services (applications) listen (process input)
By default, many Vulnerability Scans will only be run on the commonly used or assigned ports (0 thru 1024)
This approach saves time but will miss vulnerabilities on high numbered ports (1024 to 65535), possibly missing malware or back-doors
By default, many Vulnerability Scans will only be run on TCP ports
This approach saves time but will miss vulnerabilities for any UDP services (e.g., DNS)
If you run a high risk environment, will be scanning through a firewall, or are testing your incident response, you may want to incorporate more advanced port scanning methods (e.g., TCP FIN scans) to maximize the level of assurance that you achieve from your testing
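
One way to measure the coverage gap this slide describes, as an added example that is not part of the original presentation: compare a host's listening sockets against the port ranges a scan policy will probe. The `ss -tuln` style listing is constructed sample data, and the `proto:lo-hi` policy string is a hypothetical format, not any scanner's configuration syntax.

```python
# Constructed sample of `ss -tuln` style output from one host (not from the presentation).
SAMPLE_LISTENERS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:8443       0.0.0.0:*
tcp   LISTEN 0      5      [::]:49200         [::]:*
"""

def parse_listeners(text):
    """Return the set of (proto, port) pairs for every listening socket."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        port = fields[4].rsplit(":", 1)[1]  # works for IPv4 and [IPv6] addresses
        found.add((fields[0], int(port)))
    return found

def parse_policy(spec):
    """Parse a hypothetical policy string such as 'tcp:0-1024,udp:53'."""
    policy = {"tcp": [], "udp": []}
    for item in spec.split(","):
        proto, _, ports = item.strip().partition(":")
        lo, _, hi = ports.partition("-")
        policy[proto].append((int(lo), int(hi or lo)))
    return policy

def uncovered(listeners, policy):
    """Listening services the scan policy would never probe, sorted."""
    return sorted(
        (proto, port) for proto, port in listeners
        if not any(lo <= port <= hi for lo, hi in policy[proto])
    )

DEFAULT_POLICY = parse_policy("tcp:0-1024")            # the default described on the slide
FULL_POLICY = parse_policy("tcp:0-65535,udp:0-65535")  # all TCP and UDP ports

if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_LISTENERS)
    for proto, port in uncovered(listeners, DEFAULT_POLICY):
        print(f"not covered by default policy: {proto}/{port}")
```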

Key Decision Points: VULNERABILITY DETECTION
Operating Systems and applications/versions are inferred from the answers the host gives to the scanner
By default, most scanners attempt to optimize the scan to run as quickly as possible
The optimizations can potentially reduce assurance as the scanner may make erroneous assumptions based on the presented host data
Generally, running in a “Paranoid mode” increases time, accuracy, and assurance for an NVA
A vulnerability scanner is only as good as the library of OS, application, and vulnerability signatures it is loaded with
Use a well-regarded scanner and ensure that it is updated immediately before the scan takes place
Some vulnerability checks have a higher probability of negatively impacting systems, so defining whether these checks should be run is critical

Key Decision Points: ADVANCED TECHNIQUES
Key new capabilities introduced in ‘08 & ‘09:
Credentialed Scans
Content Scans
Passive Scans

Key Decision Points: CREDENTIALED SCANNING
Much more accurate as the application & version can be exactly determined
Much greater “depth” (patch history, system logging settings, full password settings)
Benchmark compliance against a standard (e.g., CIS, PCI, or corporate)
Greater time/cost to run generally offset by the reduction in false positives and simplified remediation
Credentialed Scans run with Administrative level privilege

Key Decision Points: CONTENT SCANNING
Credentialed scans can be extended to look at the “content” on systems
Does the machine contain Credit Card Data, Pornography, Medical Records, Social Security Numbers, Customer Records, Intellectual Property?
Benchmark compliance against relevant standards: HIPAA, PCI, Sarbanes-Oxley, Identity Theft Regulations
Greater time/cost to run generally offset by risk reduction and simplified compliance reporting

Key Decision Points: PASSIVE SCANNING
Standard NVAs are “active” in that they are based on inquiry and response
NVAs can crash services or systems
In “mission critical” environments (e.g., a power plant or bank trading floor) this risk may not be acceptable
Passive Scanning just “sniffs” already existing traffic
Provides assurance in an environment without any risk of disrupting service
Only identifies vulnerabilities for services that are actively communicating
Greater time/cost to run generally offset by gathering assurance where it was previously not feasible

Summary: Network Vulnerability Assessments
Key is ensuring that it is the right tool to meet your objectives, scoped appropriately & optimally configured
Critical Tool in the Security Assessment Arsenal
Where compliance (or risk) is critical, leverage credentialed and content scans for a higher level of assurance
Intelligent sampling and confirmatory re-scans can save significant time and money

THANK YOU FOR YOUR TIME …
For a copy of this presentation please send an email to maxassure@PivotPointSecurity.com or call us at (609) 581-4600 ext. 300