3. Where We Are
To-Date
Lab 1 and 2 Complete
Threaded Discussion Complete
Midterm Complete
Project Completed
Final Event – Project Presentations
Design Under Fire
Grades out Prior to Last Asynch
Next Week!
Wish me luck...
4. NS-680 Tenets of CND
Defense in Depth
Pull the Application Developers into the Inner Circle
Complacency Could Easily be your Most Insidious Enemy
Implement Disciplined Configuration Management
Test Your Own Defenses
It is 10-Fold Easier to Attack than to Defend
No Detail is too Small to Look at Once (Auditing)
Systems Administrators are Key to Organizational Success
Make the Entire Workforce Part Owners in the Process
Effectively Train Providers and Users
No one Individual Holds All the Keys
Automate Where Possible – But Verify!
A Risk to One, is a Risk to All
Trust but Verify (Hold Trust Close)
Implicitly Deny Unless Specifically Allowed
Balance Between Risk and Operations
Eliminate Unneeded Services
Least Privilege
Policy is the Keystone
Security is a Journey
Do the Basics Aggressively and Consistently!
Simpler May Be Better!
6. Why Vulnerability Assessment?
Threat X Vulnerability X Asset Value = Total Risk
Generally, "Threat" and "Asset Value" are constants in this equation. Therefore, in order to reduce total risk you must reduce your vulnerability by implementing countermeasures or safeguards.
[ Threat X Vulnerability X Asset Value ] X Controls Gap = Residual Risk
Theoretically, if you can drive the controls gap to zero, the Residual Risk is eliminated.
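The two risk equations on this slide, worked through in Python as an added example (this is not course material; the asset names and the threat, vulnerability, asset-value and controls-gap figures are constructed, and the 0..1 scales for threat, vulnerability and controls gap are an assumption). It keeps threat and asset value fixed per asset, so the only levers are vulnerability and the controls gap, and it ranks a small register by residual risk to show where a safeguard buys the most:

```python
import math
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    threat: float         # likelihood the threat acts, 0..1 (treated as a constant)
    vulnerability: float  # how exploitable the asset is, 0..1
    asset_value: float    # impact if compromised, arbitrary units (treated as a constant)
    controls_gap: float   # fraction of the risk the current safeguards do NOT cover, 0..1


def total_risk(a: Asset) -> float:
    """Threat X Vulnerability X Asset Value."""
    return a.threat * a.vulnerability * a.asset_value


def residual_risk(a: Asset) -> float:
    """[Threat X Vulnerability X Asset Value] X Controls Gap."""
    return total_risk(a) * a.controls_gap


def rank_by_residual(assets: List[Asset]) -> List[Asset]:
    """Highest residual risk first: where countermeasures should go next."""
    return sorted(assets, key=residual_risk, reverse=True)


def risk_reduction(a: Asset, new_gap: float) -> float:
    """Residual risk removed by closing the controls gap to new_gap (0 = fully covered)."""
    return residual_risk(a) - residual_risk(replace(a, controls_gap=new_gap))


# Constructed sample register (hypothetical assets and figures).
REGISTER = [
    Asset("public web server", threat=0.9, vulnerability=0.6, asset_value=100.0, controls_gap=0.5),
    Asset("file server", threat=0.5, vulnerability=0.8, asset_value=200.0, controls_gap=0.25),
    Asset("dev workstation", threat=0.3, vulnerability=0.9, asset_value=50.0, controls_gap=1.0),
]


if __name__ == "__main__":
    for a in rank_by_residual(REGISTER):
        print(f"{a.name:18s} total={total_risk(a):6.1f} residual={residual_risk(a):6.1f} "
              f"gain if gap->0: {risk_reduction(a, 0.0):5.1f}")
    # Driving the controls gap to zero eliminates residual risk, as the slide says.
    assert math.isclose(residual_risk(replace(REGISTER[0], controls_gap=0.0)), 0.0)
```

The ranking makes the slide's point concrete: the dev workstation has the smallest total risk, but with no controls at all (gap = 1.0) every unit of that risk is residual, while the file server's larger total risk is mostly covered.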
7. External Assessment
Conducted as an Outsider
No Prior Knowledge of Architecture or Policies
Conducted in Phases
Planning
Initial Reconnaissance
System Enumeration
Service Enumeration
Vulnerability Enumeration
Get Written Permission!
8. Planning
Purpose of Assessment
Red Team or Blue Team
Red Team – Trusted Agent
Blue Team – We’re here to help!
When to Assess
Authority for Both Red and Blue
Develop and Refine Tool Kit
Assessment Team Training
9. Initial Reconnaissance
Footprinting - Gather Publicly Available Information
Organizational Web Sites
Other Web Sites
Business Information – Non-Technical
IP Address Range
Public Service IP Addresses
DNS, Web, Mail
15. System Enumeration
Traceroute or Tracert
Networks and systems en route
Outer Router? Firewall?
Leaked Addresses
Network Scanners (following slide)
Hosts Responding
Prepares for Service Enumeration
Tools Are Many!
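Two of the things the slide says to look for in a traceroute, "Outer Router? Firewall?" and "Leaked Addresses", can be checked mechanically. The following is an added example, not part of the course: it parses the numeric (`traceroute -n` style) output format, which is an assumption, over a constructed trace that is not a capture from any real network. A hop that answers with an RFC 1918 address after the path has already reached public address space means a perimeter device is leaking internal addressing; a hop that answers with `* * *` is commonly a filtering router or firewall that drops or does not answer the probes, so it is reported as a candidate.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample, numeric traceroute format. 198.51.100.0/24 is a documentation
# range standing in for public space; 192.168/10/172.16 hops are the RFC 1918 ones.
SAMPLE_TRACEROUTE = """\
traceroute to target.example (198.51.100.40), 30 hops max, 60 byte packets
 1  192.168.1.1  0.512 ms  0.401 ms  0.388 ms
 2  10.20.0.1  3.115 ms  2.987 ms  3.042 ms
 3  198.51.100.7  9.870 ms  9.654 ms  9.701 ms
 4  * * *
 5  172.16.5.254  14.210 ms  14.002 ms  13.998 ms
 6  198.51.100.40  15.331 ms  15.102 ms  15.090 ms
"""

# RFC 1918 is checked explicitly: ipaddress.is_private also flags documentation
# ranges such as 198.51.100.0/24, which would hide the distinction we want.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


def parse_hops(text: str) -> List[Tuple[int, Optional[ipaddress.IPv4Address]]]:
    """(hop number, address) per hop; None when the hop answered with '*'."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or unparseable
        token = m.group(2)
        if token == "*":
            hops.append((int(m.group(1)), None))
            continue
        try:
            hops.append((int(m.group(1)), ipaddress.ip_address(token)))
        except ValueError:
            continue
    return hops


def silent_hops(text: str) -> List[int]:
    """Hops with no reply: candidate outer router / firewall positions."""
    return [n for n, ip in parse_hops(text) if ip is None]


def leaked_addresses(text: str) -> List[Tuple[int, str]]:
    """RFC 1918 addresses that appear after the path has reached public space.
    The assessor's own private hops before the first public hop are not leaks."""
    leaks, seen_public = [], False
    for n, ip in parse_hops(text):
        if ip is None:
            continue
        if is_rfc1918(ip):
            if seen_public:
                leaks.append((n, str(ip)))
        else:
            seen_public = True
    return leaks


if __name__ == "__main__":
    print("silent hops (filtering device?):", silent_hops(SAMPLE_TRACEROUTE))
    print("leaked internal addresses:", leaked_addresses(SAMPLE_TRACEROUTE))
```

From the defender's side the leak finding is the actionable one: a border router or firewall answering ICMP time-exceeded from an internal interface address should be configured to source such replies from its public interface, or to not send them at all.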
24. Internal Assessment
Testing From the Insider’s Perspective
Assumes Knowledge of Security Policy
Testing for Compliance – Audit
Are Rules Having Desired Effect?
Recall our Discussion of the Permit Any
Eligible Receiver 02
Effective Audit Program?
25. Preparing for Internal Assessment
Awareness of Your Policies
Develop Testing Methodology
Tools
Procedures
Frequency
Periodic and/or as needed
Test Against Policy
Test All Aspects of the Perimeter
Internet to screened subnet
Screened subnet to internet
Screened subnet to inside
Inside to screened subnet
Inside to internet
Others as appropriate
26. Verifying Policies
Use Assessment Workstation
May require separate "commercial" internet connectivity
Assess Each Policy
Explicit Permit
Explicit Deny
Implicit Deny
Both Directions!
Track Using Various Methods
Scanning Tool Results
Sniffer Traces
Router/Firewall Logs
IDS Sensors
Server Logs
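The perimeter test matrix from the previous slide and the explicit permit / explicit deny / implicit deny checks from this one, combined in one added example (not course material). The zones, the ordered policy and the "observed" verdicts are all constructed; in practice the observed map would be filled from scanning tool results or the firewall logs the slide lists. Every ordered zone pair is tested, so both directions are covered, and any case whose observed verdict differs from what the written policy says is reported with the kind of rule it violated:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ZONES = ("internet", "screened", "inside")   # from the slide-25 perimeter list
PORTS = (22, 25, 80, 443, 3306)              # constructed set of ports of interest
Case = Tuple[str, str, int]                  # (source zone, destination zone, port)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]   # None matches any port
    action: str           # "permit" or "deny"


# Constructed written policy, first match wins; anything unmatched is implicitly denied.
POLICY: List[Rule] = [
    Rule("internet", "screened", 80, "permit"),
    Rule("internet", "screened", 443, "permit"),
    Rule("internet", "screened", 25, "permit"),
    Rule("screened", "inside", 3306, "deny"),   # explicit deny: DMZ must not reach the DB
    Rule("inside", "internet", None, "permit"),
    Rule("inside", "screened", None, "permit"),
]


def expected(src: str, dst: str, port: int) -> Tuple[str, str]:
    """What the written policy says should happen, and whether that is explicit or implicit."""
    for r in POLICY:
        if r.src == src and r.dst == dst and (r.port is None or r.port == port):
            return r.action, "explicit"
    return "deny", "implicit"


def test_matrix() -> List[Case]:
    """Every ordered zone pair (both directions) crossed with the ports of interest."""
    return [(s, d, p) for s in ZONES for d in ZONES if s != d for p in PORTS]


def verify(observed: Dict[Case, str]) -> List[Tuple[Case, str, str, str]]:
    """Compare observed verdicts against policy. Returns (case, expected, observed, kind)."""
    findings = []
    for case in test_matrix():
        want, kind = expected(*case)
        got = observed.get(case, "untested")   # an untested case is itself a finding
        if got != want:
            findings.append((case, want, got, kind))
    return findings


def sample_observed() -> Dict[Case, str]:
    """Constructed scan results: policy as written, plus two deliberate misconfigurations."""
    obs = {case: expected(*case)[0] for case in test_matrix()}
    obs[("internet", "screened", 22)] = "permit"   # violates the implicit deny
    obs[("screened", "inside", 3306)] = "permit"   # violates an explicit deny
    return obs


if __name__ == "__main__":
    for case, want, got, kind in verify(sample_observed()):
        print(f"{case[0]:>8} -> {case[1]:<8} port {case[2]:<5} expected {want} ({kind} rule), observed {got}")
```

Untested cases are reported alongside mismatches on purpose: a firewall audit that only records what was probed cannot say anything about the implicit-deny space, which is where the SSH finding above lives.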
27. Suggested Looks
Blade Software
IDS Informer – Uses Simulated Attacks for Evaluation – real, but harmless attacks against IDSs.
Firewall Informer – Test current loaded policy of a firewall or boundary with live traffic to and from a single system.
33. Presentation – Session 16
For Extra Credit
Can handle 2-4 more Volunteers
Develop PowerPoint Slides
Not more than 10
Provide Slides to me NLT (no later than) Session 15
I Will Include in Session 16 Presentation
35. Course Evaluations
Please Participate in Course Evaluations
Online through Learn
This is anonymous
The results are used to improve the curriculum