EB
Uploaded byEmmanuel Udeagha B.
818 views

Network Vulnerability and Patching

This document discusses network vulnerability scanning and patching. It begins by introducing network penetration testing and vulnerability scanning as important ways to identify weaknesses before hackers can exploit them. It then covers different types of scanning like network scanning, port scanning, web application scanning and database security scanning. The document focuses on using the GFI LanGuard software to conduct network scanning and vulnerability checks on a company's network to block backdoors, close loopholes and implement patching to reduce hacking risks.

Embed presentation

Download to read offline
Technology: INFORMATION SECURITY AND ETHICAL HACKING. December 2012 Project Title To Find Out Network Vulnerabilities and To Patch Them. (Network Scanner). Submitted By Emmanuel Udeagha Guided By Mr. RAVIKANT SHRIVAS (Faculty) Submitted To:- Appin Technology Lab Ikeja, Lagos Nigeria.
2 ACKNOWLEDGEMENT Apart from the efforts of myself, the success of any project depends largely on the encouragement and guidelines of many people who in one way or another contributed to the completion of the work. I take this opportunity to express my gratitude to the people who have been instrumental in the successful completion of this project work. I would like to show my unreserved gratitude to Mr. Ravikant Shrivas who from the beginning of my class, all through the duration of this piece of work have been wonderful in terms of support and guidance. My appreciation goes to all friends, colleagues and Staff members of Appin Technology who in one way contributed to the success of this work. Emmanuel Udeagha
3 DEDICATION This piece of work is dedicated to everyone who rendered unreserved assistance all through my training period and up till the time this research work.
4 About the Company Appin Technology Appin Technologies is a global Information Security company focused on training, consulting and outsourcing services. The company was formed as a merger of two entities, XIRS Ventures Inc based in Austin Texas and XIRS Appin incubated inside IIT, Delhi India. Later the name XIRS was dropped from the company and the merged entity is known as Appin Technologies. From USA & India, the company has now expanded its operations to Europe, Africa and South East Asia as well. Appin Knowledge Solutions Appin Knowledge Solutions, education & training arm of Appin Technologies, runs over 75 training centres globally focused on imparting instructor led training in Information Security, Ethical hacking, Secured Programming, Embedded systems & related IT domains. It also sells distance learning courses in over 71 countries across 6 continents. It has trained over 83000 candidates via training products and services. The company is among top 5 Training providers in India according to the Week magazine. Visit the website: www.appinonline.com
5 TABLE OF CONTEENT Introduction…………………………………………6 Chapter one Scanning……………………………………………………………………………..7 Types of Vulnerability scanning……………………………………………7 Network scanning…………………………………………………………………8 IP Scanning…………………………………………………………………..………9 Web Application Scanning ……………………………………………….….9 Database Security Scanning………………………………………………..10 Port Scanning………………………………………………………………………11 Types of Port Scanning…………………………………………………………11 TCp vs Port Scans…………………………………………………………………12 Vulnerability Assessment……………………………………………………..13 Chapter Two Vulnerability Identification and Patch Acquisition……………………….15 Product vendor websites and mailing lists ………………………………...15 Third-party security advisory websites…………………………………………15 Security advisory websites run by CERTs ……………………………………..15 Security advisory websites / resources run by security vendors……16 Risk Assessment and Prioritisation………………………………………………..16 Threats…………………………………………………………………………………………16 Vulnerability………………………………………………………………………………….17 Criticality……………………………………………………………………………………….17 Patch Testing…………………………………………………………………………………17 Deployment and Verification…………………………………………………………18 Patch Distribution and Application Tools……………………………………….18 Cross-platform patch management systems………………………………….18 Platform specific patch management solutions……………………………..19 Patch Management Governance…………………………………………………...19 Security Considerations………………………………………………………………….20 Criteria for Choosing a Patch Management Solution……………………..21 Fewer Vulnerabilities……………………………………………………………………..22 System compatibility……………………………………………………………………….21 Vendor Responsiveness to New Vulnerabilities……………………………….21 Ease of Deployment and Maintenance……………………………………………21 Audit Trail……………………………………………………………………………………….21 Summary…………………………………………………………….……………………22 Nmap Commands…………………………………………………………………………….23 Reference ………………………………………………………………………………………27
6 Introduction As electronic commerce, online business-to-business operations, and global connectivity have become vital components of a successful business strategy, enterprises have adopted security processes and practices to protect information assets. Most companies work diligently to maintain an efficient, effective security policy, implementing the latest products and services to prevent fraud, vandalism, sabotage, and denial of service attacks. However, many enterprises overlook a key ingredient of a successful security policy: They do not test the network and security systems to ensure that they are working as expected and there are no vulnerabilities so that an attacker will not take advantage to steal confidential information. Network penetration testing—using tools and processes to scan the network environment for vulnerabilities—helps refine an enterprise’s security policy, identify vulnerabilities, and ensure that the security implementation actually provides the protection that the enterprise requires and expects. Regularly performing penetration tests or vulnerability check helps enterprises uncover network security weaknesses that can lead to data or equipment being compromised or destroyed by exploits (attacks on a network, usually by ―exploiting‖ a vulnerability of the system), Trojans (viruses), denial of service attacks, and other intrusions. Testing also exposes vulnerabilities that may be introduced by patches and updates or by misconfigurations on servers, routers, and firewalls. SecureTEST, a security scanning service of VeriSign Consulting, uses proven methodologies and tools to detect vulnerabilities in the enterprise’s network, and to then recommend repairs or corrections if necessary. SecureTEST services can be tailored to an enterprise’s specific needs and include three levels of assessment. As the industry leader in trust services, VeriSign has the expertise, experience, and technology to recognize and detect security vulnerabilities and to provide effective, enterprise-wide solutions for them. GFI LanGuard is another security scanning software that smaller enterprises use in checking for vulnerabilities and possible loop holes intruders might take advantage of to compromise company’s network, creating back doors in other to have permanent access. In this project work, GFI Languard will be solely used as a Network scanning and vulnerability checking tool to ensure that all backdoors(undocumented access to network),loop holes are blocked and a proper patching method is applied to reduce the risk of the network been exploited by attackers.
7 Chapter One: Scanning In other for a security administrator to discover vulnerability on a Network before hackers exploit such loop holes to compromise the network and steal confidential information, there are key steps or must do to ensure Network vulnerabilities and backdoors are constantly put on check, and those steps are discussed Messer: Scanning is the process of examining carefully. In this context, a process where Security administrators examine carefully a Computer Network with a focus on finding vulnerabilities with the aid of tools and softwares such as Nmap,GFI LanGuard, firewall and anti virus etc. Whereas, Network is a collection of computers, software, and hardwares that are all connected to help their users work together. A Network connects computers by means of cabling systems, specialized software, and devices that manage data traffic. A Network enables users to share files and resources, such as printers, as well as send messages electronically (e-mail) to each other. Types of Vulnerability Scanning Below are types of vulnerability scanning, but a few of them listed below will be discussed in this piece. ď‚· Network scanning ď‚· Port Scanning ď‚· Web application security scanning ď‚· Database security scanning ď‚· ERP security scanning ď‚· Computer worm We need to understand that Network scanning is a procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment. Scanning procedures, such as ping sweeps and port scans, return information about which IP addresses map to live hosts that are active on the Internet and what services they offer. Another scanning method, inverse mapping, returns information about what IP addresses do not map to live hosts; this enables an attacker to make assumptions about viable addresses. Scanning is one of three components of intelligence gathering for an attacker. In the foot printing phase, the attacker creates a profile of the target organization, with information such as its domain name system (DNS) and e-mail servers, and its IP address range. Most of this information is available online. In the scanning phase, the attacker finds information about the specific IP addresses that can be accessed over the Internet,
8 their operating systems, the system architecture, and the services running on each computer. Network Scanning In the enumeration phase, the attacker gathers information such as network user and group names, routing tables, and Simple Network Management Protocol (SNMP) data. It is however imperative to understand that Network exploitation is 90% information gathering and 10% attack. This means that an attacker spends most his time gathering information about a target Network and understanding more of its strength and weaknesses.
9 IP Scanning IP scanning is a type of scan on your local area Network to determine the identity of all active machine and internet devices on the LAN. During the period of IP scanning with the aid of Softwares, one can customize his results once a device is identified. IP Scanning Web Application scanning A web application security scanner is program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performs a black- box test. Unlike source code scanners, web application scanners don't have access to the source code and therefore detect vulnerabilities by actually performing attacks.
10 Web Vulnerability Scanning Web applications have been highly popular since 2000 because they allow users to have an interactive experience on the Internet. Rather than just view static web pages, users are able to create personal accounts, add content, query databases and complete transactions. In the process of providing an interactive experience web applications frequently collect, store and use sensitive personal data to deliver their service. Customers benefit from the convenience of these applications, while tacitly taking on risk that private information stored in web applications will be compromised through hacker attacks, insider leaks etc. Database Security Scanning Database scanning is process of scanning Database for vulnerabilities, configuration issues, weak passwords, missing patches, access control concerns and other issues that can lead to user privilege escalation with the aid of softwares. Testing systems for the occurrence of these flaws and generating a report of the findings will help a Security administrator protect an enterprise’s Database from been exploited by attackers.
11 Checking Risk Level Port scanning When live systems are discovered, an attacker will usually attempt to discover which services are available for exploitation. This is accomplished by a technique commonly known as Port Scanning. However, every application has a specific port number associated with that identifies that application. Through the use of port numbers, intruders can gain access to information on which applications and network services are available to be exploited. Nmap was the first general purpose port scanning tool available. The intruder may follow these steps to gain unauthorized access to a web server. a. DNS query to figure out which web servers are available b. Ping sweep to see which servers are alive and accessible c. Port scan to see which services are available for exploitation. Considering the possible steps a hacker would follow to gain information from a web server about a target, A Network engineer must ensure the safety of his organization’s Network is periodically checked to ascertain if it stands at risk of been compromised by intruders. However, understanding the types of Port scanning will help the IT department know when a Hacker is carrying out a Scan (Remote or Local) on its Network territory.
12 Types of Port Scans: ď‚· Vanilla: the scanner attempts to connect to all 65,535 ports ď‚· Strobe: a more focused scan looking only for known services to exploit ď‚· Fragmented packets: the scanner sends packet fragments that get through simple packet filters in a firewall ď‚· UDP: the scanner looks for open UDP ports ď‚· Sweep: the scanner connects to the same port on more than one machine ď‚· FTP bounce: the scanner goes through an FTP server in order to disguise the source of the scan ď‚· Stealth scan: the scanner blocks the scanned computer from recording the port scan activities. Port scanning is not a crime. There is no way to stop someone from port scanning your computer while you are on the Internet because accessing an Internet server opens a port, which opens a door to your computer. There are, however, software products that can stop a port scanner from doing any damage to your system. Port Scanning. TCP vs. Port-Scanning TCP Receiver acks packets. Timeouts are error conditions Sequence numbers are used Port-Scanning Packets my not produce answers. Timeouts are not error-conditions No sequence numbers
13 Vulnerability Assessment Proper methodology is essential to the success of the penetration test. It involves gathering information and then testing the target environment. The testing process begins with gathering as much information as possible about the network architecture, topology, hardware, and software in order to find all security vulnerabilities. Researching public information such as Whois records, SEC filings, business news articles, patents, and trademarks not only provides security administrators with background information, but also gives insight into what information hackers can use to find vulnerabilities. Tools such as ping, traceroute, and nslookup can be used to retrieve information from the target environment and help determine network topology, Internet provider, and architecture. Tools such as port scanners, NMAP, SNMPC, and NAT help determine hardware, operating systems, patch levels, and services running on each target device.Also, Open-source or shareware assessment tools are available online and can be used to supplement commercial scanners. The Increasing rate of daily vulnerability assessment is alarming; this means that Security administrators must be on guard because Over 50,000 vulnerability assessments are carried out across your network, including your virtual environments. GFI LanGuard checks your operating system, virtual environments and installed applications using vulnerability check databases such as OVAL and SANS Top 20. It allows you to analyze the state of your network security, what the risks are, how exposed your network is and how to take action before it is compromised. Vulnerability assessment using GFI LanGuard is represented below with fig 1.2 and fig 1.3 respectively.
14 Fig1.3 Scanning complete, Vulnerability discovered. After scanning your network and vulnerabilities discovered as represented in figures above, one thing is left, to ensure an effective and secured Network. Patching the discovered loop holes from disaster is a Security administrator’s last resort.
15 Chapter Two Vulnerability Identification and Patch Acquisition There are a number of information resources available to system administrators in order to monitor vulnerabilities and patches that may be applicable to their installed hardware and software systems. As each type of resource has its own specialised area, system administrators need to be able to refer to more than one source for accurate and timely information on new vulnerabilities and patch releases. Some common resources are: 1. Product vendor websites and mailing lists Product vendor websites are probably the most direct and reliable resources for system administrators on vulnerability and patch related information for specific products. Many large vendors also maintain support mailing lists that enable them to broadcast notifications of vulnerabilities, patches and updates to subscribers via email. However, it should be noted that vendors sometimes do not report new vulnerabilities straight away, as they may not wish to report a specific vulnerability until a patch is available. It is therefore necessary to track other IT security resources for timely vulnerability and patch information. 2. Third-party security advisory websites A third-party security advisory website is one that is not affiliated with any one vendor, and may sometimes provide more detailed information about vulnerabilities that have been discovered. These websites may cover a large number of products and report new vulnerabilities ahead of the product vendors because, as mentioned, some vendors may choose to hold a vulnerability notification until a patch is available. These third-party vulnerability advisory websites can be divided into two categories: websites run by Computer Emergency Response Teams (CERTs) and websites run by security vendors. a) Security advisory websites run by CERTs One of the most popular vulnerability advisory websites is the US CERT/CC site. It
16 provides technical information about any newly uncovered vulnerability that can assist system administrators and security professionals in assessing the threat from the vulnerability. These advisories are updated as soon as new information is available from the product vendors. b) Security advisory websites / resources run by security vendors A number of third party mailing lists, such as NTBugTraq 4 maintained by CyberTrust, and BugTraq 5 maintained by SecurityFocus, are popular with IT professionals. However, system administrators should verify the information released in these websites with product vendors to confirm the accuracy of any newly discovered vulnerabilities. These websites may also offer newsgroups that system administrators can use to communicate with other users in the same field. System administrators should be careful not to release sensitive information through joining and using these mailing lists and newsgroups. To assist in the task of keeping up to date with patch releases and vulnerability reports, a number of vulnerability alert services have been developed that allow system administrators to receive automated and customised notification on any vulnerabilities in and across the specific systems they are responsible for. Some services are free to use, while others require a subscription fee. The Talisker website maintains a list of currently available vulnerability alert services6 . An RSS feed is also available that system administrators can subscribe to and keep abreast of newly discovered vulnerabilities. A patch is usually developed and distributed as a replacement for or an insertion in compiled code (that is, in a binary file or object module). In larger operating systems, a special program is provided to manage and keep track of the installation of patches. Risk Assessment and Prioritisation Timely response is critical to effective patch management. With limited resources, system administrators may need to prioritise the deployment of new patches, performing a risk assessment to determine which systems should be patched first. In general, this prioritisation should be based on the following criteria: 1. Threat – A threat is any potential direct danger to information systems. Examples of systems facing high threat levels are web servers, email servers and servers containing sensitive information.
17 2. Vulnerability – A vulnerability signifies the absence of, or a weakness in, a safeguard which could be exploited by an attacker. It could be a flawed software service running on a server, or unrestricted modem dial-in access, and so on. 3. Criticality – This is a measure of how important or valuable a system is to business operations. Systems that are frequently considered as mission critical include mail servers, database servers and network infrastructure. In general, systems facing more threats, or that are more vulnerable, or are mission critical should be accorded a higher priority in the patch management process. System administrators should identify the associated risks and actions that need to be taken once a security vulnerability has been confirmed (for example, scheduling system down time for reboot after installing a patch), and assess any impact associated with installing a security patch once that patch becomes available. Before applying a patch, system administrators need to ensure that the new patch is not going to affect the overall functionality of the system and its applications (see next section). Patch Testing Patch testing is vital to ascertain whether or not a new patch will affect the normal operation of any existing software. It is important that this testing is performed on a mirror system that has an identical or very similar configuration to the target production system. This is to ensure that the patch installation does not lead to any unintended consequences on the production system. In addition to identifying any unintended problems, patches themselves should be tested to ensure that they have fully patched the vulnerability in question or corrected the performance issue as intended. This can be accomplished by: 1. Checking that the files or configuration settings that the patch is intended to correct have been changed as outlined in the vendor’s documentation. 2. Scanning the host system with a vulnerability scanner that is capable of detecting known vulnerabilities. This technique however may not always be effective because vulnerability scanners may not check for the actual presence of the vulnerability in question. Many vulnerability scanners only check software version numbers or patch levels to determine whether vulnerabilities exist or not.
18 If it is not feasible to install the patch because, for example, testing results show that the patch will crash or seriously disrupt the production system, alternate security controls should be implemented. Patch Deployment and Verification Patching vulnerabilities in a system may be as simple as modifying a configuration setting, or it may require the installation of a completely new version of the software. No single patch method can apply across all software applications and operating systems. Product or application vendors may provide specific instructions for applying security patches and updating their products, and it is recommended that system administrators read all the relevant documentation provided by vendors before proceeding with patch installation. In addition, security patches should be deployed through an established change control process. Before applying a new patch, administrators may want to conduct a full backup of the system to be patched. This enables a quick and easy restoration of the system to a previous state if the patch has an unintended or unexpected impact on the system. After the patch is deployed, system administrators and users should verify that all systems and applications are functioning normally, and that they comply with laid down security policies and guidelines. Patch Distribution and Application Tools Organisations may want to consider using automated patch management tools to speed up the distribution and installation of patches. There are a number of patch management systems in the market that can help automate the entire patch management process. There is also a website run by patchmanagement.org that maintains a list of patch management vendors who offer solutions performing both patch assessment and remediation. They also maintain a page linking to patch management product comparisons previously published in industry magazines. Patch management systems can be broadly categorised into two areas: 1. Cross-platform patch management systems
19 This category of products can handle patches from more than one operating system, or products from different vendors. 2. Platform specific patch management solutions This category of products will only support patches from a specific vendor or platform. A well-known example is the patch management tools provided by Microsoft. Microsoft Windows Server Update Services (WSUS) is a free tool from Microsoft designed to help system administrators deploy the latest Microsoft product updates and patches to computers running the Windows operating system. Patch Management Governance All organisations need to protect information systems from known vulnerabilities and security risks by applying the latest patches recommended by product vendors, or implement other compensatory security measures. Patch management should be based on an assessment that balances the security and down time risk of a security breach with the cost, disruption and availability risks associated with frequent and rapid deployment of software patches. Before security patches are applied, proper risk evaluation and testing should be conducted to minimise any undesirable effects to the normal running of information systems. A clear operational process that enables rapid testing and deployment should be established. Depending on the nature of information systems in question, risk levels may be different. For example, an information system that is only used internally faces fewer threats than an information system that directly interfaces with the Internet, serving customers or the general public. Depending on the risk level, organisations should determine the appropriate patch management strategy for each of their systems, including patch checking and patching frequency. In short, high-risk information systems should be addressed first. When evaluating whether to apply a security patch or not, the risks associated with installing the patch should be assessed. Compare the risk posed by the vulnerability with the risk of installing the patch. If an administrator decides not to apply a patch, or if no patch is available, there should be other compensating controls. These may include: 1. turning off services or capabilities related to the vulnerability
20 2. adapting or adding access controls 3. Increased monitoring of systems to detect and prevent actual attacks. Security Considerations When deploying a patch management solution, the following security issues should be considered: 1. The patch management system itself is a software application, and it might have its own set of security vulnerabilities. Patches to the patch management system and its components should be applied as soon as possible. 2. The servers that are running a patch management solution should be properly protected because this will be a central distribution point, sending updates to virtually all machines in the organisation. It could prove disastrous if the files in the patch management servers were to become infected with a virus. Any anti-virus software running on the server should have auto-protection enabled with the latest virus signatures and malicious code definitions installed in order to protect against any virus outbreak. 3. Access control to the patch management system should be secured, both physically, by limiting physical access to the central console to authorised personnel only, and logically, by restricting access to the central console to pre-registered IP addresses only. 4. Communication channels into the patch management system should be properly secured and protected. An attacker may be able to sniff network communications for sensitive information such as authentication credentials or patching statuses to determine which patches have been installed on particular systems, and hence locate vulnerable attack targets. Security measures such as data encryption should therefore be put in Place to protect sensitive information passing through the management system from leakage. 5. Regular IT security risk assessments and audits should be conducted on the patch management system.
21 Criteria For Choosing A Patch Management Solution Besides matching the specific user and business requirements, including product functionality and budget constraints, organisations should also take the following factors into consideration when considering a robust and secure patch management solution: 1. Fewer Vulnerabilities: Some patch management products have more vulnerabilities than the others. Organisations should choose an appropriate solution that looks less likely to be vulnerable itself, which in turn will reduce the need to patch the software regularly. Research should be conducted first to independently verify the product concerned. A complex product may mean more code and services that in turn might introduce more vulnerabilities. It may be wise to select a less complicated and more mature product; 2. System Compatibility: Some patch management solutions are agent-based and some are agent-less. Organisations should evaluate any impact to their systems (such as performance, stability and compatibility), if agents are to be deployed across a large number of machines; 3. Vendor Responsiveness to New Vulnerabilities: Organisations should also take note of the speed with which the solution vendor responds to new vulnerabilities with patches and updates; 4. Ease of Deployment and Maintenance: The easier the patch management solution is to deploy and maintain, the lower the implementation and ongoing maintenance costs to the organisation; 5. Audit Trail: A good patch management solution should provide comprehensive logging facilities that help system administrators easily keep track of the status of software fixes and patches on individual systems.
22 Summary In order to combat the constantly increasing number of threats, organizations must become proactive to identify risks in their network security. Regular vulnerability scanning is a critical component to all security architectures. Vulnerability scanning uses a variety of techniques to examine your external network over the Internet. Your external network likely consists of perimeter devices, such as routers and firewalls, as well as Internet accessible servers, like your email and web servers. When vulnerabilities are detected, the results are categorized in several ways, allowing customers to target the data they find most useful. Results and corrective recommendations are risk ranked based on priority and provided in executive summary and technically detailed formats, appropriate for business executives and technical administrators. This constant and early identification of security flaws allows your company the ability to react quickly and appropriately to close security holes and help prevent attacks and data compromises.
23 Nmap commands -sS (TCP SYN scan) SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. -sT (TCP connect scan) TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. -sU (UDP scans) While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports. UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run. -sY (SCTP INIT scan) SCTP is a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP, and also adding new features like multi- homing and multi-streaming. It is mostly being used for SS7/SIGTRAN related services but has the potential to be used for other applications as well. SCTP INIT scan is the SCTP equivalent of a TCP SYN scan. It can be performed quickly,
24 scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. Like SYN scan, INIT scan is relatively unobtrusive and stealthy, since it never completes SCTP associations. It also allows clear, reliable differentiation between the open, closed, and filtered states. -sN; -sF; -sX (TCP NULL, FIN, and Xmas scans) These three scan types (even more are possible with the --scanflags option described in the next section) exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports. Page 65 of RFC 793 says that ―if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response.‖ Then the next page discusses packets sent to open ports without the SYN, RST, or ACK bits set, stating that: ―you are unlikely to get here, but if you do, drop the segment, and return.‖ When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) are OK. Nmap exploits this with three scan types: Null scan (-sN) Does not set any bits (TCP flag header is 0) FIN scan (-sF) Sets just the TCP FIN bit. Xmas scan (-sX) -sA (TCP ACK scan) This scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
25 -sW (TCP Window scan) Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when a RST is returned. It does this by examining the TCP Window field of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while closed ones have a zero window. So instead of always listing a port as unfiltered when it receives a RST back, Window scan lists the port as open or closed if the TCP Window value in that reset is positive or zero, respectively. -sM (TCP Maimon scan) The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. This technique is exactly the same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open. --scanflags (Custom TCP scan) Truly advanced Nmap users need not limit themselves to the canned scan types offered. The --scan flags option allows you to design your own scan by specifying arbitrary. -sZ (SCTP COOKIE ECHO scan) SCTP COOKIE ECHO scan is a more advanced SCTP scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed. The advantage of this scan type is that it is not as obvious a port scan than an INIT scan. -sI <zombie host>[:<probeport>] (idle scan)
26 This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). Full details of this fascinating scan type are in the section called ―TCP Idle Scan (-sI)‖. -sO (IP protocol scan) IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers. b <FTP relay host> (FTP bounce scan) An interesting feature of the FTP protocol (RFC 959) is support for so-called proxy FTP connections. This allows a user to connect to one FTP server, then ask that files be sent to a third-party server.
27 Reference www.nmap.org www.lynjonic .com www.wikipedia.org www.whatsmyip.org/port-scanner/ www.gfi.com www.searchsecurity.techtarget.com www.networkworld.com www.dslreports.com www.technlator.com www.esecurityplanet.com www.windowsecurity.com www.ocio.usda.gov www.features.techworld.com www.tenable.com www.autonomio-software.com

More Related Content

PDF
Intrusion Detection and Prevention System in an Enterprise Network
byOkehie Collins
 
PPSX
Intrusion detection system
bygaurav koriya
 
PPTX
Seminar Presentation | Network Intrusion Detection using Supervised Machine L...
byJowin John Chemban
 
PDF
call for papers, research paper publishing, where to publish research paper, ...
byInternational Journal of Engineering Inventions www.ijeijournal.com
 
PDF
NSA and PT
byRahmat Suhatman
 
PDF
Seminar Report | Network Intrusion Detection using Supervised Machine Learnin...
byJowin John Chemban
 
PPTX
Advanced persistent threat (apt)
bymmubashirkhan
 
PPTX
Intrusion Detection with Neural Networks
byantoniomorancardenas
 
Intrusion Detection and Prevention System in an Enterprise Network
byOkehie Collins
 
Intrusion detection system
bygaurav koriya
 
Seminar Presentation | Network Intrusion Detection using Supervised Machine L...
byJowin John Chemban
 
call for papers, research paper publishing, where to publish research paper, ...
byInternational Journal of Engineering Inventions www.ijeijournal.com
 
NSA and PT
byRahmat Suhatman
 
Seminar Report | Network Intrusion Detection using Supervised Machine Learnin...
byJowin John Chemban
 
Advanced persistent threat (apt)
bymmubashirkhan
 
Intrusion Detection with Neural Networks
byantoniomorancardenas
 

What's hot

PDF
Deep Learning based Threat / Intrusion detection system
byAffine Analytics
 
PDF
A hybrid intrusion detection system for cloud computing environments
byMohamed Jelidi
 
PPSX
Practical real-time intrusion detection using machine learning approaches
byFull Stack Developer at Electro Mizan Andisheh
 
PPTX
Advanced Persistent Threat: come muoversi tra il marketing e la realtĂ ?
byfestival ICT 2016
 
PDF
Introduction to the advanced persistent threat and hactivism
byGlobal Micro Solutions
 
PPTX
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
byLuigi Delgrosso
 
PDF
Optimized Intrusion Detection System using Deep Learning Algorithm
byijtsrd
 
PPTX
Intrusion detection system
byNikhil Singh
 
PDF
Combating Advanced Persistent Threats with Flow-based Security Monitoring
byLancope, Inc.
 
PPTX
Common Techniques To Identify Advanced Persistent Threat (APT)
byYuval Sinay, CISSP, C|CISO
 
PPTX
Understanding advanced persistent threats (APT)
byDan Morrill
 
PPT
Ch04 Network Vulnerabilities and Attacks
byInformation Technology
 
PPTX
Security Attack Analysis for Finding and Stopping Network Attacks
bySavvius, Inc
 
PPTX
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
byOllie Whitehouse
 
PDF
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
byijp2p
 
DOCX
Network and web security
byNitesh Saitwal
 
PDF
IRJET - IDS for Wifi Security
byIRJET Journal
 
PDF
RSA Anatomy of an Attack
byintegritysolutions
 
PPTX
Network Security Risk
byDedi Dwianto
 
PDF
An Approach to for Improving the Efficiency of IDS System Using Honeypot
byEditor Jacotech
 
Deep Learning based Threat / Intrusion detection system
byAffine Analytics
 
A hybrid intrusion detection system for cloud computing environments
byMohamed Jelidi
 
Practical real-time intrusion detection using machine learning approaches
byFull Stack Developer at Electro Mizan Andisheh
 
Advanced Persistent Threat: come muoversi tra il marketing e la realtĂ ?
byfestival ICT 2016
 
Introduction to the advanced persistent threat and hactivism
byGlobal Micro Solutions
 
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
byLuigi Delgrosso
 
Optimized Intrusion Detection System using Deep Learning Algorithm
byijtsrd
 
Intrusion detection system
byNikhil Singh
 
Combating Advanced Persistent Threats with Flow-based Security Monitoring
byLancope, Inc.
 
Common Techniques To Identify Advanced Persistent Threat (APT)
byYuval Sinay, CISSP, C|CISO
 
Understanding advanced persistent threats (APT)
byDan Morrill
 
Ch04 Network Vulnerabilities and Attacks
byInformation Technology
 
Security Attack Analysis for Finding and Stopping Network Attacks
bySavvius, Inc
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
byOllie Whitehouse
 
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
byijp2p
 
Network and web security
byNitesh Saitwal
 
IRJET - IDS for Wifi Security
byIRJET Journal
 
RSA Anatomy of an Attack
byintegritysolutions
 
Network Security Risk
byDedi Dwianto
 
An Approach to for Improving the Efficiency of IDS System Using Honeypot
byEditor Jacotech
 

Similar to Network Vulnerability and Patching

PPTX
Assessing network security
byAbhinit Kumar Sharma
 
PPTX
What is a Port Scan in data visualization
byKomal Khanna
 
PPTX
Network scan
bypenetration Tester
 
PPTX
Introduction to cyber security
byGeevarghese Titus
 
PDF
5 howtomitigate
byricharddxd
 
PPTX
Penetration Testing vs. Vulnerability Scanning
bySecurityMetrics
 
PDF
The Security Of Information Security
byRachel Phillips
 
PPTX
NETWORK PENETRATION TESTING
byEr Vivek Rana
 
PPTX
Cyber Security Penetration Testing Tools
byAvinashAvuthu2
 
PPTX
Cyber Security Hacking and Attack Tree Analysis
byAvinashAvuthu2
 
PPTX
Webinar On Ethical Hacking & Cybersecurity - Day2
byMohammed Adam
 
PPTX
An Toan Thong Tin.pptx
byVuongPhm
 
PPSX
Security measures for networking
byShyam Kumar Singh
 
PDF
Response time optimization for vulnerability management system by combining ...
byIJECEIAES
 
PDF
Nt2580 Unit 7 Chapter 12
byLaura Arrigo
 
PDF
Infrastructure & Network Vulnerability Assessment and Penetration Testing
byElanusTechnologies
 
PPTX
Web hacking 1.0
byQ Fadlan
 
PPTX
scanning and analysis tools Fuzz testing
bymaryjanebataluna19
 
PPT
Chapter 2
byshahhardik27
 
PDF
Computer security
byMohamed Abdo
 
Assessing network security
byAbhinit Kumar Sharma
 
What is a Port Scan in data visualization
byKomal Khanna
 
Network scan
bypenetration Tester
 
Introduction to cyber security
byGeevarghese Titus
 
5 howtomitigate
byricharddxd
 
Penetration Testing vs. Vulnerability Scanning
bySecurityMetrics
 
The Security Of Information Security
byRachel Phillips
 
NETWORK PENETRATION TESTING
byEr Vivek Rana
 
Cyber Security Penetration Testing Tools
byAvinashAvuthu2
 
Cyber Security Hacking and Attack Tree Analysis
byAvinashAvuthu2
 
Webinar On Ethical Hacking & Cybersecurity - Day2
byMohammed Adam
 
An Toan Thong Tin.pptx
byVuongPhm
 
Security measures for networking
byShyam Kumar Singh
 
Response time optimization for vulnerability management system by combining ...
byIJECEIAES
 
Nt2580 Unit 7 Chapter 12
byLaura Arrigo
 
Infrastructure & Network Vulnerability Assessment and Penetration Testing
byElanusTechnologies
 
Web hacking 1.0
byQ Fadlan
 
scanning and analysis tools Fuzz testing
bymaryjanebataluna19
 
Chapter 2
byshahhardik27
 
Computer security
byMohamed Abdo
 

Network Vulnerability and Patching

  • 1.
    Technology: INFORMATION SECURITYAND ETHICAL HACKING. December 2012 Project Title To Find Out Network Vulnerabilities and To Patch Them. (Network Scanner). Submitted By Emmanuel Udeagha Guided By Mr. RAVIKANT SHRIVAS (Faculty) Submitted To:- Appin Technology Lab Ikeja, Lagos Nigeria.
  • 2.
    2 ACKNOWLEDGEMENT Apart from theefforts of myself, the success of any project depends largely on the encouragement and guidelines of many people who in one way or another contributed to the completion of the work. I take this opportunity to express my gratitude to the people who have been instrumental in the successful completion of this project work. I would like to show my unreserved gratitude to Mr. Ravikant Shrivas who from the beginning of my class, all through the duration of this piece of work have been wonderful in terms of support and guidance. My appreciation goes to all friends, colleagues and Staff members of Appin Technology who in one way contributed to the success of this work. Emmanuel Udeagha
  • 3.
    3 DEDICATION This piece ofwork is dedicated to everyone who rendered unreserved assistance all through my training period and up till the time this research work.
  • 4.
    4 About the Company AppinTechnology Appin Technologies is a global Information Security company focused on training, consulting and outsourcing services. The company was formed as a merger of two entities, XIRS Ventures Inc based in Austin Texas and XIRS Appin incubated inside IIT, Delhi India. Later the name XIRS was dropped from the company and the merged entity is known as Appin Technologies. From USA & India, the company has now expanded its operations to Europe, Africa and South East Asia as well. Appin Knowledge Solutions Appin Knowledge Solutions, education & training arm of Appin Technologies, runs over 75 training centres globally focused on imparting instructor led training in Information Security, Ethical hacking, Secured Programming, Embedded systems & related IT domains. It also sells distance learning courses in over 71 countries across 6 continents. It has trained over 83000 candidates via training products and services. The company is among top 5 Training providers in India according to the Week magazine. Visit the website: www.appinonline.com
  • 5.
    5 TABLE OF CONTEENT Introduction…………………………………………6 Chapterone Scanning……………………………………………………………………………..7 Types of Vulnerability scanning……………………………………………7 Network scanning…………………………………………………………………8 IP Scanning…………………………………………………………………..………9 Web Application Scanning ……………………………………………….….9 Database Security Scanning………………………………………………..10 Port Scanning………………………………………………………………………11 Types of Port Scanning…………………………………………………………11 TCp vs Port Scans…………………………………………………………………12 Vulnerability Assessment……………………………………………………..13 Chapter Two Vulnerability Identification and Patch Acquisition……………………….15 Product vendor websites and mailing lists ………………………………...15 Third-party security advisory websites…………………………………………15 Security advisory websites run by CERTs ……………………………………..15 Security advisory websites / resources run by security vendors……16 Risk Assessment and Prioritisation………………………………………………..16 Threats…………………………………………………………………………………………16 Vulnerability………………………………………………………………………………….17 Criticality……………………………………………………………………………………….17 Patch Testing…………………………………………………………………………………17 Deployment and Verification…………………………………………………………18 Patch Distribution and Application Tools……………………………………….18 Cross-platform patch management systems………………………………….18 Platform specific patch management solutions……………………………..19 Patch Management Governance…………………………………………………...19 Security Considerations………………………………………………………………….20 Criteria for Choosing a Patch Management Solution……………………..21 Fewer Vulnerabilities……………………………………………………………………..22 System compatibility……………………………………………………………………….21 Vendor Responsiveness to New Vulnerabilities……………………………….21 Ease of Deployment and Maintenance……………………………………………21 Audit Trail……………………………………………………………………………………….21 Summary…………………………………………………………….……………………22 Nmap Commands…………………………………………………………………………….23 Reference ………………………………………………………………………………………27
  • 6.
    6 Introduction As electronic commerce,online business-to-business operations, and global connectivity have become vital components of a successful business strategy, enterprises have adopted security processes and practices to protect information assets. Most companies work diligently to maintain an efficient, effective security policy, implementing the latest products and services to prevent fraud, vandalism, sabotage, and denial of service attacks. However, many enterprises overlook a key ingredient of a successful security policy: They do not test the network and security systems to ensure that they are working as expected and there are no vulnerabilities so that an attacker will not take advantage to steal confidential information. Network penetration testing—using tools and processes to scan the network environment for vulnerabilities—helps refine an enterprise’s security policy, identify vulnerabilities, and ensure that the security implementation actually provides the protection that the enterprise requires and expects. Regularly performing penetration tests or vulnerability check helps enterprises uncover network security weaknesses that can lead to data or equipment being compromised or destroyed by exploits (attacks on a network, usually by ―exploiting‖ a vulnerability of the system), Trojans (viruses), denial of service attacks, and other intrusions. Testing also exposes vulnerabilities that may be introduced by patches and updates or by misconfigurations on servers, routers, and firewalls. SecureTEST, a security scanning service of VeriSign Consulting, uses proven methodologies and tools to detect vulnerabilities in the enterprise’s network, and to then recommend repairs or corrections if necessary. SecureTEST services can be tailored to an enterprise’s specific needs and include three levels of assessment. As the industry leader in trust services, VeriSign has the expertise, experience, and technology to recognize and detect security vulnerabilities and to provide effective, enterprise-wide solutions for them. GFI LanGuard is another security scanning software that smaller enterprises use in checking for vulnerabilities and possible loop holes intruders might take advantage of to compromise company’s network, creating back doors in other to have permanent access. In this project work, GFI Languard will be solely used as a Network scanning and vulnerability checking tool to ensure that all backdoors(undocumented access to network),loop holes are blocked and a proper patching method is applied to reduce the risk of the network been exploited by attackers.
  • 7.
    7 Chapter One: Scanning Inother for a security administrator to discover vulnerability on a Network before hackers exploit such loop holes to compromise the network and steal confidential information, there are key steps or must do to ensure Network vulnerabilities and backdoors are constantly put on check, and those steps are discussed Messer: Scanning is the process of examining carefully. In this context, a process where Security administrators examine carefully a Computer Network with a focus on finding vulnerabilities with the aid of tools and softwares such as Nmap,GFI LanGuard, firewall and anti virus etc. Whereas, Network is a collection of computers, software, and hardwares that are all connected to help their users work together. A Network connects computers by means of cabling systems, specialized software, and devices that manage data traffic. A Network enables users to share files and resources, such as printers, as well as send messages electronically (e-mail) to each other. Types of Vulnerability Scanning Below are types of vulnerability scanning, but a few of them listed below will be discussed in this piece. ď‚· Network scanning ď‚· Port Scanning ď‚· Web application security scanning ď‚· Database security scanning ď‚· ERP security scanning ď‚· Computer worm We need to understand that Network scanning is a procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment. Scanning procedures, such as ping sweeps and port scans, return information about which IP addresses map to live hosts that are active on the Internet and what services they offer. Another scanning method, inverse mapping, returns information about what IP addresses do not map to live hosts; this enables an attacker to make assumptions about viable addresses. Scanning is one of three components of intelligence gathering for an attacker. In the foot printing phase, the attacker creates a profile of the target organization, with information such as its domain name system (DNS) and e-mail servers, and its IP address range. Most of this information is available online. In the scanning phase, the attacker finds information about the specific IP addresses that can be accessed over the Internet,
  • 8.
    8 their operating systems,the system architecture, and the services running on each computer. Network Scanning In the enumeration phase, the attacker gathers information such as network user and group names, routing tables, and Simple Network Management Protocol (SNMP) data. It is however imperative to understand that Network exploitation is 90% information gathering and 10% attack. This means that an attacker spends most his time gathering information about a target Network and understanding more of its strength and weaknesses.
  • 9.
    9 IP Scanning IP scanningis a type of scan on your local area Network to determine the identity of all active machine and internet devices on the LAN. During the period of IP scanning with the aid of Softwares, one can customize his results once a device is identified. IP Scanning Web Application scanning A web application security scanner is program which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performs a black- box test. Unlike source code scanners, web application scanners don't have access to the source code and therefore detect vulnerabilities by actually performing attacks.
  • 10.
    10 Web Vulnerability Scanning Webapplications have been highly popular since 2000 because they allow users to have an interactive experience on the Internet. Rather than just view static web pages, users are able to create personal accounts, add content, query databases and complete transactions. In the process of providing an interactive experience web applications frequently collect, store and use sensitive personal data to deliver their service. Customers benefit from the convenience of these applications, while tacitly taking on risk that private information stored in web applications will be compromised through hacker attacks, insider leaks etc. Database Security Scanning Database scanning is process of scanning Database for vulnerabilities, configuration issues, weak passwords, missing patches, access control concerns and other issues that can lead to user privilege escalation with the aid of softwares. Testing systems for the occurrence of these flaws and generating a report of the findings will help a Security administrator protect an enterprise’s Database from been exploited by attackers.
  • 11.
    11 Checking Risk Level Portscanning When live systems are discovered, an attacker will usually attempt to discover which services are available for exploitation. This is accomplished by a technique commonly known as Port Scanning. However, every application has a specific port number associated with that identifies that application. Through the use of port numbers, intruders can gain access to information on which applications and network services are available to be exploited. Nmap was the first general purpose port scanning tool available. The intruder may follow these steps to gain unauthorized access to a web server. a. DNS query to figure out which web servers are available b. Ping sweep to see which servers are alive and accessible c. Port scan to see which services are available for exploitation. Considering the possible steps a hacker would follow to gain information from a web server about a target, A Network engineer must ensure the safety of his organization’s Network is periodically checked to ascertain if it stands at risk of been compromised by intruders. However, understanding the types of Port scanning will help the IT department know when a Hacker is carrying out a Scan (Remote or Local) on its Network territory.
  • 12.
    12 Types of PortScans: ď‚· Vanilla: the scanner attempts to connect to all 65,535 ports ď‚· Strobe: a more focused scan looking only for known services to exploit ď‚· Fragmented packets: the scanner sends packet fragments that get through simple packet filters in a firewall ď‚· UDP: the scanner looks for open UDP ports ď‚· Sweep: the scanner connects to the same port on more than one machine ď‚· FTP bounce: the scanner goes through an FTP server in order to disguise the source of the scan ď‚· Stealth scan: the scanner blocks the scanned computer from recording the port scan activities. Port scanning is not a crime. There is no way to stop someone from port scanning your computer while you are on the Internet because accessing an Internet server opens a port, which opens a door to your computer. There are, however, software products that can stop a port scanner from doing any damage to your system. Port Scanning. TCP vs. Port-Scanning TCP Receiver acks packets. Timeouts are error conditions Sequence numbers are used Port-Scanning Packets my not produce answers. Timeouts are not error-conditions No sequence numbers
  • 13.
    13 Vulnerability Assessment Proper methodologyis essential to the success of the penetration test. It involves gathering information and then testing the target environment. The testing process begins with gathering as much information as possible about the network architecture, topology, hardware, and software in order to find all security vulnerabilities. Researching public information such as Whois records, SEC filings, business news articles, patents, and trademarks not only provides security administrators with background information, but also gives insight into what information hackers can use to find vulnerabilities. Tools such as ping, traceroute, and nslookup can be used to retrieve information from the target environment and help determine network topology, Internet provider, and architecture. Tools such as port scanners, NMAP, SNMPC, and NAT help determine hardware, operating systems, patch levels, and services running on each target device.Also, Open-source or shareware assessment tools are available online and can be used to supplement commercial scanners. The Increasing rate of daily vulnerability assessment is alarming; this means that Security administrators must be on guard because Over 50,000 vulnerability assessments are carried out across your network, including your virtual environments. GFI LanGuard checks your operating system, virtual environments and installed applications using vulnerability check databases such as OVAL and SANS Top 20. It allows you to analyze the state of your network security, what the risks are, how exposed your network is and how to take action before it is compromised. Vulnerability assessment using GFI LanGuard is represented below with fig 1.2 and fig 1.3 respectively.
  • 14.
    14 Fig1.3 Scanning complete,Vulnerability discovered. After scanning your network and vulnerabilities discovered as represented in figures above, one thing is left, to ensure an effective and secured Network. Patching the discovered loop holes from disaster is a Security administrator’s last resort.
  • 15.
    15 Chapter Two Vulnerability Identificationand Patch Acquisition There are a number of information resources available to system administrators in order to monitor vulnerabilities and patches that may be applicable to their installed hardware and software systems. As each type of resource has its own specialised area, system administrators need to be able to refer to more than one source for accurate and timely information on new vulnerabilities and patch releases. Some common resources are: 1. Product vendor websites and mailing lists Product vendor websites are probably the most direct and reliable resources for system administrators on vulnerability and patch related information for specific products. Many large vendors also maintain support mailing lists that enable them to broadcast notifications of vulnerabilities, patches and updates to subscribers via email. However, it should be noted that vendors sometimes do not report new vulnerabilities straight away, as they may not wish to report a specific vulnerability until a patch is available. It is therefore necessary to track other IT security resources for timely vulnerability and patch information. 2. Third-party security advisory websites A third-party security advisory website is one that is not affiliated with any one vendor, and may sometimes provide more detailed information about vulnerabilities that have been discovered. These websites may cover a large number of products and report new vulnerabilities ahead of the product vendors because, as mentioned, some vendors may choose to hold a vulnerability notification until a patch is available. These third-party vulnerability advisory websites can be divided into two categories: websites run by Computer Emergency Response Teams (CERTs) and websites run by security vendors. a) Security advisory websites run by CERTs One of the most popular vulnerability advisory websites is the US CERT/CC site. It
  • 16.
    16 provides technical informationabout any newly uncovered vulnerability that can assist system administrators and security professionals in assessing the threat from the vulnerability. These advisories are updated as soon as new information is available from the product vendors. b) Security advisory websites / resources run by security vendors A number of third party mailing lists, such as NTBugTraq 4 maintained by CyberTrust, and BugTraq 5 maintained by SecurityFocus, are popular with IT professionals. However, system administrators should verify the information released in these websites with product vendors to confirm the accuracy of any newly discovered vulnerabilities. These websites may also offer newsgroups that system administrators can use to communicate with other users in the same field. System administrators should be careful not to release sensitive information through joining and using these mailing lists and newsgroups. To assist in the task of keeping up to date with patch releases and vulnerability reports, a number of vulnerability alert services have been developed that allow system administrators to receive automated and customised notification on any vulnerabilities in and across the specific systems they are responsible for. Some services are free to use, while others require a subscription fee. The Talisker website maintains a list of currently available vulnerability alert services6 . An RSS feed is also available that system administrators can subscribe to and keep abreast of newly discovered vulnerabilities. A patch is usually developed and distributed as a replacement for or an insertion in compiled code (that is, in a binary file or object module). In larger operating systems, a special program is provided to manage and keep track of the installation of patches. Risk Assessment and Prioritisation Timely response is critical to effective patch management. With limited resources, system administrators may need to prioritise the deployment of new patches, performing a risk assessment to determine which systems should be patched first. In general, this prioritisation should be based on the following criteria: 1. Threat – A threat is any potential direct danger to information systems. Examples of systems facing high threat levels are web servers, email servers and servers containing sensitive information.
  • 17.
    17 2. Vulnerability –A vulnerability signifies the absence of, or a weakness in, a safeguard which could be exploited by an attacker. It could be a flawed software service running on a server, or unrestricted modem dial-in access, and so on. 3. Criticality – This is a measure of how important or valuable a system is to business operations. Systems that are frequently considered as mission critical include mail servers, database servers and network infrastructure. In general, systems facing more threats, or that are more vulnerable, or are mission critical should be accorded a higher priority in the patch management process. System administrators should identify the associated risks and actions that need to be taken once a security vulnerability has been confirmed (for example, scheduling system down time for reboot after installing a patch), and assess any impact associated with installing a security patch once that patch becomes available. Before applying a patch, system administrators need to ensure that the new patch is not going to affect the overall functionality of the system and its applications (see next section). Patch Testing Patch testing is vital to ascertain whether or not a new patch will affect the normal operation of any existing software. It is important that this testing is performed on a mirror system that has an identical or very similar configuration to the target production system. This is to ensure that the patch installation does not lead to any unintended consequences on the production system. In addition to identifying any unintended problems, patches themselves should be tested to ensure that they have fully patched the vulnerability in question or corrected the performance issue as intended. This can be accomplished by: 1. Checking that the files or configuration settings that the patch is intended to correct have been changed as outlined in the vendor’s documentation. 2. Scanning the host system with a vulnerability scanner that is capable of detecting known vulnerabilities. This technique however may not always be effective because vulnerability scanners may not check for the actual presence of the vulnerability in question. Many vulnerability scanners only check software version numbers or patch levels to determine whether vulnerabilities exist or not.
  • 18.
    18 If it isnot feasible to install the patch because, for example, testing results show that the patch will crash or seriously disrupt the production system, alternate security controls should be implemented. Patch Deployment and Verification Patching vulnerabilities in a system may be as simple as modifying a configuration setting, or it may require the installation of a completely new version of the software. No single patch method can apply across all software applications and operating systems. Product or application vendors may provide specific instructions for applying security patches and updating their products, and it is recommended that system administrators read all the relevant documentation provided by vendors before proceeding with patch installation. In addition, security patches should be deployed through an established change control process. Before applying a new patch, administrators may want to conduct a full backup of the system to be patched. This enables a quick and easy restoration of the system to a previous state if the patch has an unintended or unexpected impact on the system. After the patch is deployed, system administrators and users should verify that all systems and applications are functioning normally, and that they comply with laid down security policies and guidelines. Patch Distribution and Application Tools Organisations may want to consider using automated patch management tools to speed up the distribution and installation of patches. There are a number of patch management systems in the market that can help automate the entire patch management process. There is also a website run by patchmanagement.org that maintains a list of patch management vendors who offer solutions performing both patch assessment and remediation. They also maintain a page linking to patch management product comparisons previously published in industry magazines. Patch management systems can be broadly categorised into two areas: 1. Cross-platform patch management systems
  • 19.
    19 This category ofproducts can handle patches from more than one operating system, or products from different vendors. 2. Platform specific patch management solutions This category of products will only support patches from a specific vendor or platform. A well-known example is the patch management tools provided by Microsoft. Microsoft Windows Server Update Services (WSUS) is a free tool from Microsoft designed to help system administrators deploy the latest Microsoft product updates and patches to computers running the Windows operating system. Patch Management Governance All organisations need to protect information systems from known vulnerabilities and security risks by applying the latest patches recommended by product vendors, or implement other compensatory security measures. Patch management should be based on an assessment that balances the security and down time risk of a security breach with the cost, disruption and availability risks associated with frequent and rapid deployment of software patches. Before security patches are applied, proper risk evaluation and testing should be conducted to minimise any undesirable effects to the normal running of information systems. A clear operational process that enables rapid testing and deployment should be established. Depending on the nature of information systems in question, risk levels may be different. For example, an information system that is only used internally faces fewer threats than an information system that directly interfaces with the Internet, serving customers or the general public. Depending on the risk level, organisations should determine the appropriate patch management strategy for each of their systems, including patch checking and patching frequency. In short, high-risk information systems should be addressed first. When evaluating whether to apply a security patch or not, the risks associated with installing the patch should be assessed. Compare the risk posed by the vulnerability with the risk of installing the patch. If an administrator decides not to apply a patch, or if no patch is available, there should be other compensating controls. These may include: 1. turning off services or capabilities related to the vulnerability
  • 20.
    20 2. adapting oradding access controls 3. Increased monitoring of systems to detect and prevent actual attacks. Security Considerations When deploying a patch management solution, the following security issues should be considered: 1. The patch management system itself is a software application, and it might have its own set of security vulnerabilities. Patches to the patch management system and its components should be applied as soon as possible. 2. The servers that are running a patch management solution should be properly protected because this will be a central distribution point, sending updates to virtually all machines in the organisation. It could prove disastrous if the files in the patch management servers were to become infected with a virus. Any anti-virus software running on the server should have auto-protection enabled with the latest virus signatures and malicious code definitions installed in order to protect against any virus outbreak. 3. Access control to the patch management system should be secured, both physically, by limiting physical access to the central console to authorised personnel only, and logically, by restricting access to the central console to pre-registered IP addresses only. 4. Communication channels into the patch management system should be properly secured and protected. An attacker may be able to sniff network communications for sensitive information such as authentication credentials or patching statuses to determine which patches have been installed on particular systems, and hence locate vulnerable attack targets. Security measures such as data encryption should therefore be put in Place to protect sensitive information passing through the management system from leakage. 5. Regular IT security risk assessments and audits should be conducted on the patch management system.
  • 21.
    21 Criteria For ChoosingA Patch Management Solution Besides matching the specific user and business requirements, including product functionality and budget constraints, organisations should also take the following factors into consideration when considering a robust and secure patch management solution: 1. Fewer Vulnerabilities: Some patch management products have more vulnerabilities than the others. Organisations should choose an appropriate solution that looks less likely to be vulnerable itself, which in turn will reduce the need to patch the software regularly. Research should be conducted first to independently verify the product concerned. A complex product may mean more code and services that in turn might introduce more vulnerabilities. It may be wise to select a less complicated and more mature product; 2. System Compatibility: Some patch management solutions are agent-based and some are agent-less. Organisations should evaluate any impact to their systems (such as performance, stability and compatibility), if agents are to be deployed across a large number of machines; 3. Vendor Responsiveness to New Vulnerabilities: Organisations should also take note of the speed with which the solution vendor responds to new vulnerabilities with patches and updates; 4. Ease of Deployment and Maintenance: The easier the patch management solution is to deploy and maintain, the lower the implementation and ongoing maintenance costs to the organisation; 5. Audit Trail: A good patch management solution should provide comprehensive logging facilities that help system administrators easily keep track of the status of software fixes and patches on individual systems.
  • 22.
    22 Summary In order tocombat the constantly increasing number of threats, organizations must become proactive to identify risks in their network security. Regular vulnerability scanning is a critical component to all security architectures. Vulnerability scanning uses a variety of techniques to examine your external network over the Internet. Your external network likely consists of perimeter devices, such as routers and firewalls, as well as Internet accessible servers, like your email and web servers. When vulnerabilities are detected, the results are categorized in several ways, allowing customers to target the data they find most useful. Results and corrective recommendations are risk ranked based on priority and provided in executive summary and technically detailed formats, appropriate for business executives and technical administrators. This constant and early identification of security flaws allows your company the ability to react quickly and appropriately to close security holes and help prevent attacks and data compromises.
  • 23.
    23 Nmap commands -sS (TCPSYN scan) SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. -sT (TCP connect scan) TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. -sU (UDP scans) While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports. UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run. -sY (SCTP INIT scan) SCTP is a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP, and also adding new features like multi- homing and multi-streaming. It is mostly being used for SS7/SIGTRAN related services but has the potential to be used for other applications as well. SCTP INIT scan is the SCTP equivalent of a TCP SYN scan. It can be performed quickly,
  • 24.
    24 scanning thousands ofports per second on a fast network not hampered by restrictive firewalls. Like SYN scan, INIT scan is relatively unobtrusive and stealthy, since it never completes SCTP associations. It also allows clear, reliable differentiation between the open, closed, and filtered states. -sN; -sF; -sX (TCP NULL, FIN, and Xmas scans) These three scan types (even more are possible with the --scanflags option described in the next section) exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports. Page 65 of RFC 793 says that ―if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response.‖ Then the next page discusses packets sent to open ports without the SYN, RST, or ACK bits set, stating that: ―you are unlikely to get here, but if you do, drop the segment, and return.‖ When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) are OK. Nmap exploits this with three scan types: Null scan (-sN) Does not set any bits (TCP flag header is 0) FIN scan (-sF) Sets just the TCP FIN bit. Xmas scan (-sX) -sA (TCP ACK scan) This scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
  • 25.
    25 -sW (TCP Windowscan) Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when a RST is returned. It does this by examining the TCP Window field of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while closed ones have a zero window. So instead of always listing a port as unfiltered when it receives a RST back, Window scan lists the port as open or closed if the TCP Window value in that reset is positive or zero, respectively. -sM (TCP Maimon scan) The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. This technique is exactly the same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open. --scanflags (Custom TCP scan) Truly advanced Nmap users need not limit themselves to the canned scan types offered. The --scan flags option allows you to design your own scan by specifying arbitrary. -sZ (SCTP COOKIE ECHO scan) SCTP COOKIE ECHO scan is a more advanced SCTP scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed. The advantage of this scan type is that it is not as obvious a port scan than an INIT scan. -sI <zombie host>[:<probeport>] (idle scan)
  • 26.
    26 This advanced scanmethod allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). Full details of this fascinating scan type are in the section called ―TCP Idle Scan (-sI)‖. -sO (IP protocol scan) IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers. b <FTP relay host> (FTP bounce scan) An interesting feature of the FTP protocol (RFC 959) is support for so-called proxy FTP connections. This allows a user to connect to one FTP server, then ask that files be sent to a third-party server.
  • 27.