Network Vulnerability Assessment: Key Decision Points

The ins and outs of network vulnerability assessments. A veritable how-to for using this valuable tool in the information security arsenal.

Transcript

  • 1. Maximum Assurance: Key Decision Points for Network Vulnerability Assessments
    from the Maximum Assurance Series
    Pivot Point Security
    Hamilton Square, NJ
  • 2. The Maximum Assurance presentations are intended to provide guidance to organizations seeking information assurance by clearly defining Security Assessment activities and their critical decision points
    Terms Used to Communicate Activities
    Methodology (actions/steps/rationale)
    Scope (matching activity to objective)
    Key Decision Points
    Value Proposition (Assurance level)
    Objective
    Master Assurance Series
    Pivot Point Security - Balancing Security, Building Trust
  • 3. NETWORK VULNERABILITY ASSESSMENT (NVA)
    Quick Overview
  • 4. What Is Network Vulnerability Assessment (NVA)
    Systematic examination of network attached devices (e.g., computer, router) to identify vulnerabilities (weaknesses) in design/configuration that can result in a negative impact
    Vulnerabilities generally result from default configurations, configuration errors, security holes in applications, and missing patches
    NVAs are conducted by a network scanner (a purpose built computer) and generally include very little human involvement
    NVAs provide significant value for both public and private networks/systems
    NVAs are a good way to rapidly assess your security posture and the efficacy of your vulnerability management program (e.g., patch/configuration management)
    NVAs can be stand-alone and/or the first step in a Penetration Test
    Be cautious
    NVAs can (Do!) generate false positives
    NVAs run with default settings can often miss critical vulnerabilities
    NVAs can provide a staggeringly large amount of information in a moderate or larger environment
  • 5. Discrete Components of an NVA
    An NVA actually incorporates a number of discrete steps:
    Scoping - What are our objectives? Which network segments? What is an appropriate sampling?
    Discovery - What devices are out there? How will we go about discovering them?
    Port Scanning - What ports will be scanned? What “ports” are “open”?
    Vulnerability Detection - For each service discovered on a port, are there problems with the configuration or version that indicate a vulnerability?
    Advanced Techniques - What advanced techniques (e.g., Credentialed/Content/Passive Scanning) should we leverage?
    Reporting – Communicating the results of the NVA, preferably in a manner that is readily understood by management and technical resources, easily interpreted, and actionable
  • 6. Key Decision Points for NETWORK VULNERABILITY ASSESSMENT (NVA)
  • 7. Key Decision Points: SCOPING
    SCOPING & RIGOR … should be aligned with the assessment objectives and proportional to the risk being measured
    • Choose subnets and system coverage to provide desired assurance
    • For audit & compliance there is a significant benefit to representative sampling across system types, function, and location to reduce data overload
    • Leverage the information gained in the statistical sampling across the entire environment during the mitigation phase
    • If warranted, post mitigation run a secondary “confirmatory” scan across a different or wider sampling to confirm the efficacy of the mitigation efforts and provide a higher level of assurance
  • 11. Key Decision Points: OBJECTIVES
    Vulnerability Assessments are also a good way to gauge the effectiveness of an organization’s Incident Detection and Incident Response Programs or Intrusion Prevention systems
  • 12. Key Decision Points: THE DISCOVERY PHASE
    Black/Grey/White Hat:
    Black Hat is worthwhile if you are trying to validate the effectiveness of obfuscation efforts (or if you are looking to assess Incident Response)
    Else … there are significant benefits to White Hat (full disclosure)
    It is less time consuming/expensive
    It results in fewer false positives
  • 13. Key Decision Points: PORT SCANNING
    Ports are “addresses” that different services (applications) listen (process input) on
    By default, many Vulnerability Scans will only be run on those ports that are commonly used or assigned ports (0 thru 1024)
    This approach saves time but will miss vulnerabilities on high numbered ports (1024 to 65535), possibly missing malware or back-doors
    By default, many Vulnerability Scans will only be run on TCP ports
    This approach saves time but will miss vulnerabilities for any UDP services (e.g., DNS)
    If you run a high risk environment, will be scanning through a firewall, or are testing your incident response – you may want to incorporate more advanced port scanning methods (e.g., TCP FIN scans) to maximize the level of assurance that you achieve from your testing
  • 14. Key Decision Points: VULNERABILITY DETECTION
    Operating Systems and applications/versions are inferred by the answers the host gives to the scanner
    By default, most scanners attempt to optimize the scan to run as quickly as possible
    The optimizations can potentially reduce assurance as the scanner may make erroneous assumptions based on the presented host data
    Generally, running in a “Paranoid mode” increases time, accuracy, and assurance for an NVA
    A vulnerability scanner is only as good as the library of OS, application, and vulnerability signatures it is loaded with
    Use a well regarded scanner and ensure that it is updated immediately before the scan takes place
    Some vulnerability checks have a higher probability of negatively impacting systems so defining if these checks should be run is critical
  • 15. Key Decision Points: ADVANCED TECHNIQUES
    Key new capabilities introduced in ‘08 & ‘09
    Credentialed Scans
    Content Scans
    Passive Scans
  • 16. Key Decision Points: CREDENTIALED SCANNING
    Much more accurate as the application & version can be exactly determined
    Much greater “depth” (patch history, system logging settings, full password settings)
    Benchmark compliance against a standard (e.g., CIS, PCI, or corporate)
    Greater time/cost to run generally offset by the reduction in false positives and simplified remediation
    Credentialed Scans run with Administrative level privilege
  • 17. Key Decision Points: CONTENT SCANNING
    Credentialed scans can be extended to look at the “content” on systems
    Does the machine contain?
    Credit Card Data, Pornography, Medical Records, Social Security Numbers, Customer Records, Intellectual Property
    Benchmark compliance against relevant standards
    HIPAA, PCI, Sarbanes-Oxley, Identity Theft Regulations
    Greater time/cost to run generally offset by risk reduction and simplified compliance reporting
  • 18. Key Decision Points: PASSIVE SCANNING
    Standard NVAs are “active” in that they are based on inquiry and response
    • NVAs can crash services or systems
    • In “mission critical” environments (e.g., a power plant or bank trading floor) this risk may not be acceptable
    Passive Scanning just “sniffs” already existing traffic
    • Provides assurance in an environment without any risk of disrupting service
    • Only identifies vulnerabilities for services that are actively communicating
    • Greater time/cost to run generally offset by gathering assurance where it was previously not feasible
  • 22. Summary: Network Vulnerability Assessments
    Key is ensuring that it is the right tool to meet your objectives, scoped appropriately & optimally configured
    Critical Tool in the Security Assessment Arsenal
    Where compliance (or risk) is critical, leverage credentialed and content scans for a higher level of assurance
    Intelligent sampling and confirmatory re-scans can save significant time and money
  • 23. For a copy of this presentation please send an email to maxassure@PivotPointSecurity.com or call us at (609) 581-4600 ext. 300
    THANK YOU FOR YOUR TIME …
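The PORT SCANNING slide's point about default settings, as an added example that is not part of the original presentation: given a host's own list of listening sockets, it reports which services a TCP-only, ports 0 thru 1024 scan profile would never probe. The `ss -tuln` sample output, the `ScanProfile` model and the function names are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed sample: one host's listening sockets in `ss -tuln` layout.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      50     127.0.0.1:5432     0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:8443       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
"""

# Hypothetical model of a scanner's port settings (not a real scanner's API).
ScanProfile = namedtuple("ScanProfile", "protocols low high")

# The default described on the slide: TCP only, ports 0 thru 1024.
DEFAULT = ScanProfile(frozenset({"tcp"}), 0, 1024)
FULL = ScanProfile(frozenset({"tcp", "udp"}), 0, 65535)

def parse_listeners(ss_text):
    """Return the (proto, port) pairs a network scanner could reach."""
    listeners = set()
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")
        try:
            if ipaddress.ip_address(host.strip("[]").split("%")[0]).is_loopback:
                continue  # loopback-only: invisible to a network scan
        except ValueError:
            pass  # "*" wildcard bind, reachable on every interface
        listeners.add((fields[0], int(port)))
    return listeners

def coverage_gaps(listeners, profile):
    """List the listeners the profile never probes, with the reason."""
    gaps = []
    for proto, port in sorted(listeners):
        if proto not in profile.protocols:
            gaps.append((proto, port, "protocol not scanned"))
        elif not profile.low <= port <= profile.high:
            gaps.append((proto, port, "port outside scanned range"))
    return gaps

if __name__ == "__main__":
    for gap in coverage_gaps(parse_listeners(SS_OUTPUT), DEFAULT):
        print(*gap)
```

The loopback-bound listener is left out of the network gap list because only a credentialed scan on the host itself can see it.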
