Network Vulnerability Assessment: Key Decision Points

The ins and outs of network vulnerability assessments. A veritable how-to-use this valuable tool in the information security arsenal.

Published in: Technology

  1. Maximum Assurance: Key Decision Points for Network Vulnerability Assessments
     from the Maximum Assurance Series
     Pivot Point Security
     Hamilton Square, NJ
  2. The Maximum Assurance presentations are intended to provide guidance to organizations seeking information assurance by clearly defining Security Assessment activities and their critical decision points
     Terms Used to Communicate Activities
     - Methodology (actions/steps/rationale)
     - Scope (matching activity to objective)
     - Key Decision Points
     - Value Proposition (Assurance level)
     - Objective
     Master Assurance Series
     Pivot Point Security - Balancing Security, Building Trust
  3. NETWORK VULNERABILITY ASSESSMENT (NVA)
     Quick Overview
  4. What Is Network Vulnerability Assessment (NVA)
     - Systematic examination of network attached devices (e.g., computer, router) to identify vulnerabilities (weaknesses) in design/configuration that can result in a negative impact
     - Vulnerabilities generally result from default configurations, configuration errors, security holes in applications, and missing patches
     - NVAs are conducted by a network scanner (a purpose built computer) and generally include very little human involvement
     - NVAs provide significant value for both public and private networks/systems
     - NVAs are a good way to rapidly assess your security posture and the efficacy of your vulnerability management program (e.g., patch/configuration management)
     - NVAs can be stand-alone and/or the first step in a Penetration Test
     Be cautious
     - NVAs can (Do!) generate false positives
     - NVAs run with default settings can often miss critical vulnerabilities
     - NVAs can provide a staggeringly large amount of information in a moderate or larger environment
  5. Discrete Components of an NVA
     An NVA actually incorporates a number of discrete steps:
     - Scoping - What are our objectives? Which network segments? What is an appropriate sampling?
     - Discovery - What devices are out there? How will we go about discovering them?
     - Port Scanning - What ports will be scanned? What “ports” are “open”?
     - Vulnerability Detection - For each service discovered on a port, are there problems with the configuration or version that indicate a vulnerability?
     - Advanced Techniques - What advanced techniques (e.g., Credentialed/Content/Passive Scanning) should we leverage?
     - Reporting - Communicating the results of the NVA, preferably in a manner that is readily understood by management and technical resources, easily interpreted, and actionable
  6. For NETWORK VULNERABILITY ASSESSMENT (NVA)
     Key Decision Points
  7. Key Decision Points: SCOPING
     SCOPING & RIGOR … should be aligned with the assessment objectives and proportional to the risk being measured
     - Choose subnets and system coverage to provide desired assurance
     - For audit & compliance there is a significant benefit to representative sampling across system types, function, and location to reduce data overload
     - Leverage the information gained in the statistical sampling across the entire environment during the mitigation phase
     - If warranted, post mitigation run a secondary “confirmatory” scan across a different or wider sampling to confirm the efficacy of the mitigation efforts and provide a higher level of assurance
  11. Key Decision Points: OBJECTIVES
     Vulnerability Assessments are also a good way to gauge the effectiveness of an organization’s Incident Detection and Incident Response Programs or Intrusion Prevention systems
  12. Key Decision Points: THE DISCOVERY PHASE
     Black/Grey/White Hat:
     - Black Hat is worthwhile if you are trying to validate the effectiveness of obfuscation efforts (or if you are looking to assess Incident Response)
     - Else … there are significant benefits to White Hat (full disclosure)
       - It is less time consuming/expensive
       - It results in fewer false positives
  13. Key Decision Points: PORT SCANNING
     - Ports are “addresses” that different services (applications) listen (process input) on
     - By default, many Vulnerability Scans will only be run on those ports that are commonly used or assigned ports (0 thru 1024)
       - This approach saves time but will miss vulnerabilities on high numbered ports (1024 to 65535), possibly missing malware or back-doors
     - By default, many Vulnerability Scans will only be run on TCP ports
       - This approach saves time but will miss vulnerabilities for any UDP services (e.g., DNS)
     - If you run a high risk environment, will be scanning through a firewall, or are testing your incident response, you may want to incorporate more advanced port scanning methods (e.g., TCP FIN scans) to maximize the level of assurance that you achieve from your testing
  14. Key Decision Points: VULNERABILITY DETECTION
     - Operating Systems and applications/versions are inferred by the answers the host gives to the scanner
     - By default, most scanners attempt to optimize the scan to run as quickly as possible
       - The optimizations can potentially reduce assurance as the scanner may make erroneous assumptions based on the presented host data
       - Generally, running in a “Paranoid mode” increases time, accuracy, and assurance for an NVA
     - Vulnerability scanners are only as good as the library of OS, application, and vulnerability signatures they are loaded with
       - Use a well regarded scanner and ensure that it is updated immediately before the scan takes place
     - Some vulnerability checks have a higher probability of negatively impacting systems, so defining whether these checks should be run is critical
  15. Key Decision Points: ADVANCED TECHNIQUES
     Key new capabilities introduced in ‘08 & ‘09
     - Credentialed Scans
     - Content Scans
     - Passive Scans
  16. Key Decision Points: CREDENTIALED SCANNING
     Credentialed Scans run with Administrative level privilege
     - Much more accurate as the application & version can be exactly determined
     - Much greater “depth” (patch history, system logging settings, full password settings)
     - Benchmark compliance against a standard (e.g., CIS, PCI, or corporate)
     - Greater time/cost to run generally offset by the reduction in false positives and simplified remediation
  17. Key Decision Points: CONTENT SCANNING
     - Credentialed scans can be extended to look at the “content” on systems
     - Does the machine contain:
       - Credit Card Data, Pornography, Medical Records, Social Security Numbers, Customer Records, Intellectual Property
     - Benchmark compliance against relevant standards
       - HIPAA, PCI, Sarbanes Oxley, Identity Theft Regulations
     - Greater time/cost to run generally offset by risk reduction and simplified compliance reporting
  18. Key Decision Points: Passive Scanning
     Standard NVAs are “active” in that they are based on inquiry and response
     - NVAs can crash services or systems
     - In “mission critical” environments (e.g., a power plant or bank trading floor) this risk may not be acceptable
     Passive Scanning just “sniffs” already existing traffic
     - Provides assurance in an environment without any risk of disrupting service
     - Only identifies vulnerabilities for services that are actively communicating
     - Greater time/cost to run generally offset by gathering assurance where it was previously not feasible
  22. Summary: Network Vulnerability Assessments
     Critical Tool in the Security Assessment Arsenal
     - Key is ensuring that it is the right tool to meet your objectives, scoped appropriately & optimally configured
     - Where compliance (or risk) is critical, leverage credentialed and content scans for a higher level of assurance
     - Intelligent sampling and confirmatory re-scans can save significant time and money
  23. For a copy of this presentation please send an email to maxassure@PivotPointSecurity.com or call us at (609) 581-4600 ext. 300
     THANK YOU FOR YOUR TIME …
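
The SCOPING slide recommends representative sampling across system type, function, and location, followed by a confirmatory scan over a different or wider sample. The sketch below is an added example, not part of the original presentation; the inventory, field names, and sampling fractions are assumptions constructed for illustration.

```python
import random
from collections import defaultdict

STRATA_KEYS = ("type", "function", "location")


def stratified_sample(assets, fraction, rng, exclude=frozenset()):
    """Pick about `fraction` of every stratum (never fewer than one host)."""
    strata = defaultdict(list)
    for asset in assets:
        if asset["host"] not in exclude:
            strata[tuple(asset[k] for k in STRATA_KEYS)].append(asset["host"])
    chosen = set()
    for _, hosts in sorted(strata.items()):
        hosts.sort()  # stable order so a fixed seed reproduces the plan
        count = min(len(hosts), max(1, round(len(hosts) * fraction)))
        chosen.update(rng.sample(hosts, count))
    return chosen


def build_inventory():
    """Constructed inventory: 2 types x 2 functions x 2 locations, 5 hosts each."""
    inventory = []
    for kind in ("workstation", "server"):
        for function in ("finance", "engineering"):
            for location in ("hq", "branch"):
                for i in range(5):
                    inventory.append({
                        "host": f"{kind}-{function}-{location}-{i}",
                        "type": kind, "function": function, "location": location,
                    })
    return inventory


def plan_scans(assets, initial_fraction=0.2, confirm_fraction=0.5, seed=7):
    """Return (initial, confirmatory) host sets; the second is wider and disjoint."""
    rng = random.Random(seed)
    initial = stratified_sample(assets, initial_fraction, rng)
    confirm = stratified_sample(assets, confirm_fraction, rng, exclude=initial)
    return initial, confirm


if __name__ == "__main__":
    first, second = plan_scans(build_inventory())
    print(f"initial scan: {len(first)} hosts, confirmatory scan: {len(second)} hosts")
```

Excluding the initial sample from the confirmatory draw means the re-scan tests whether mitigation reached hosts that were never scanned, not just the ones already known to be fixed.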
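
The PORT SCANNING slide warns that default settings (assigned ports only, TCP only) leave high-numbered ports and UDP services unexamined. The following added example, which is not part of the original presentation, compares a scan profile against a known-listener inventory and reports what the scan would never touch; the profile format, host addresses, and services are constructed assumptions.

```python
def parse_ports(spec):
    """Expand a spec such as "0-1024,3389" into a set of port numbers."""
    ports = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


def coverage_gaps(profile, listeners):
    """Return the known listeners that `profile` would never probe.

    profile   -- {"tcp": "0-1024", "udp": ""}; an empty spec means the
                 protocol is not scanned at all (hypothetical format).
    listeners -- (host, proto, port, service) tuples from an asset inventory.
    """
    covered = {proto: parse_ports(spec) for proto, spec in profile.items()}
    return sorted(
        entry for entry in listeners
        if entry[2] not in covered.get(entry[1], set())
    )


# Constructed inventory of listening services (hypothetical hosts).
LISTENERS = [
    ("10.0.5.10", "tcp", 22, "ssh"),
    ("10.0.5.10", "tcp", 8443, "admin console"),
    ("10.0.5.11", "udp", 53, "dns"),
    ("10.0.5.12", "tcp", 443, "https"),
    ("10.0.5.12", "tcp", 31337, "unidentified listener"),
    ("10.0.5.13", "udp", 161, "snmp"),
]

# Hypothetical profiles: the slide's default (assigned TCP ports only)
# beside a wider one that adds all TCP ports and selected UDP services.
DEFAULT_PROFILE = {"tcp": "0-1024", "udp": ""}
WIDE_PROFILE = {"tcp": "0-65535", "udp": "53,123,161"}

if __name__ == "__main__":
    for name, profile in (("default", DEFAULT_PROFILE), ("wide", WIDE_PROFILE)):
        gaps = coverage_gaps(profile, LISTENERS)
        print(f"{name}: {len(gaps)} listener(s) outside scan coverage")
        for host, proto, port, service in gaps:
            print(f"  {host} {proto}/{port} ({service})")
```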