UNIT-II

Information Security Audit Tasks Reports an Post Auditing Actions:

A security analyst may contribute to activities during the audit process which includes the
following task.

6.1 Pre-audit tasks

During this phase, the auditors determine the main area/s of focus for the audit and any areas that
are explicitly out-of-scope, based normally on an initial risk-based assessment plus discussion
with those who commissioned the audit. Information sources include general research on the
industry and the organization, previous and perhaps other audit reports, and documents such as
the Statement of Applicability, Risk Treatment Plan and Security Policy.

The auditors should ensure that the scope makes sense in relation to the organization. The audit
scope should normally match the scope of the ISMS being certified. For example, large
organizations with multiple divisions or business units may have separate ISMSs, an all-
encompassing enterprise-wide ISMS, or some combination of local and centralized ISMS. If the
ISMS certification is for the entire organization, the auditors may need to review the
ISMSinoperation at all or at least a representative sample of business locations, such
astheheadquarters and a selection of discrete business units chosen by the auditors.

The auditors should pay particular attention to information security risks and controls associated
with information conduits to other entities (organizations, business units etc.) that fall outside the
scope of the ISMS, for example checking the adequacy of information security-related clauses in
Service Level Agree- ments or contracts with IT service suppliers. This process should be easier
where the out- of-scope entities have been certified compliant with ISO/IEC 27001. During the
pre-audit survey, the ISMS auditors identify and ideally make contact with the main stakeholders
in the ISMS such as the ISM manager/s, security architects, ISMS develop- ers,ISMS
implementers and other influential figures such as the CIO and CEO, taking the opportunity to
request pertinent document- tation etc. that will be reviewed during the audit. The organization
normally nominates one or more audit escorts, individuals who are responsible for ensuring
that the auditors can move freely about the organization and rapidly find the people, information
etc. necessary to conduct their work, and act as management liaison points.

The primary output of this phase is an agreed ISMS audit scope, charter, engagement letter or
similar. Contact lists and other preliminary documents are also obtained and the audit files are
opened to contain documentation (audit working papers, evidence, reports etc.) arising from the
audit. The pre-audit questionnaire is used to assist the audit manager in gathering pertinent in-
formation prior to the on-site visit. Information gathered from the pre-audit questionnaire is used
to formulate additional questions to be answered during the on-site visit and to assist in
determining policy compliance. Additionally, the pre-audit questionnaire is used as a tool
by audit managers to prepare information sheets for local auditors, outlining/summariz- ing the
CSAs audit program and procedures.

6.2 Information Gathering

a. What Is Information Gathering?

Information gathering is essentially using the Internet to find all the information you can about
the target (company and/or person) using both technical (DNS/WHOIS) and non- technical
(search engines, news groups, mail- ing lists etc.) methods.

Information gathering does not require that the assessor establishes contact with the tar-get
system. Information is collected (mainly) from public sources on the Internet and organizations
that hold public information (e.g. tax agencies, libraries, etc.) Information gathering section of
the penetration test is important for the penetration tester. Assessments are gener-ally limited in
time and resources. Therefore, it is critical to identify points that will be most likely vulnerable,
and to focus on them. Even the best tools are useless if not used appropriately and in the right
place and time. Thats the reason why experienced tes- ters invest an important amount of time in
in- formation gathering.

Information Gathering is a necessary step of a penetration test. This task can be carried out in
many different ways. By using public tools (search engines), scanners, sending simple HTTP
requests, or specially crafted requests, it is possible to force the application to leak information,
e.g., disclosing error messages or revealing the versions and technologies used. And it includes
the following steps:

1 Spiders, Robots and Crawlers:

This phase of the Information Gathering process consists of browsing and capturing
resources related to the application being tested.

2 Search Engine Discovery/Reconnaissance:

Search engines, such as Google, can be used to discover issues related to the web
application structure or error pages produced by the application that have been publicly
exposed.

3 Identify application entry points:

Enumerating the application and its attack surface is a key precursor before any attack
should commence. This section will help you identify and map out every area within the
application that should be investigated once your enumeration and mapping phase has
been completed.
 4 Testing Web Application Fingerprint:

Application fingerprint is the first step of the Information Gathering process; knowing
the version and type of a running web server allows testers to determine known
vulnerabilities and the appropriate exploits to use during testing.

5 Application Discovery:

Application discovery is an activity oriented to the identification of the web applications

hosted on a web server/application server. This analysis is important because often there
is not a direct link connecting the main application backend. Discovery analysis can be
useful to reveal details such as web applications used for administrative purposes. In
addition, it can reveal old versions of files or artifacts such as undeleted, obsolete scripts,
crafted during the test/development phase or as the result of maintenance.

6 Analysis of Error Codes:

During a penetration test, web applications may divulge information that is not intended
to be seen by an end user. Information such as error codes can inform the tester about
technologies and products being used by the application. In many cases, error codes can
be easily invoked without the need for specialist skills or tools, due to bad exception
handling design and cod- ing. Clearly, focusing only on the web application will not be
an exhaustive test. It cannot be as comprehensive as the information possibly gathered by
performing

a broader infrastructure analysis

b. Information Gathering Methodology

Phase One Network survey: A network survey is like an in-troduction to the system that is
tested. By do- ing that, you will have a network map, using which you will find the number of
reachable systems to be tested without exceeding the legal limits of what you may test. But
usually

more hosts are detected during the testing, so they should be properly added to the net- work
map. The results that the tester might get using network surveying are: - Domain Names -
Server Names - IP Addresses - Network Maps / ASP information - System and Service Owners
Network surveying can be done using TTL modulation(traceroute), and record route (e.g. ping
-R), although classical sniffing is sometimes as effective method
Phase Two

OS Identification (sometimes referred as TCP/ IP stack fingerprinting): The determination of a

remote OS type by comparison of variations in OS TCP/IP stack implementation behavior. In
other words, it is active probing of a system for responses that can distinguish its operating
system and version level. The results are: - OS Type - System Type - Internal system network
addressing.

Phase Three

Port scanning: Port scanning is the invasive probing of system ports on the transport and
network level. Included here is also the vali- dation of system reception to tunnelled, en-
capsulated, or routing protocols. Testing for different protocols will depend on the system type
and services it offers. However, it is not always necessary to test every port for every system.
This is left to the discretion of the test team. Port numbers that are important for testing
according to the service are listed with the task. Additional port numbers for scanning should be
taken from the Consensus Intrusion Database Project Site. The results that the tes- ter might get
using Port scanning are: - List of all Open, closed or filtered ports - IP addresses of live systems -
Internal system network ad- dressing - List of discovered tunnelled and encapsulated protocols -
List of discovered routing protocols supported. Methods include SYN and FIN scanning, and
variations thereof

e.g. fragmentation scanning

Phase Four

Services identification: This is the active examination of the application listening behind the
service. In certain cases more than one application exists behind a service where one application
is the listener and the others are considered components of the listening application. The results
of service identification are: - Service Types - Service Application Type and

Patch Level - Network Map

The methods in service identification are same as in Port scanning. There are two ways using
which one can perform information gathering:

1. 1st method of information gathering is to perform information gathering tech- niques with a
one to one or one to many model; i.e. a tester performs tech- niques in a linear way against
either one target host or a logical grouping of target hosts (e.g. a subnet). This method is used to
achieve immediacy of the result and is often optimized for speed, and often executed in parallel

2. Another method is to perform information gathering using a many to one or many to many
model. The tester utilizes multiple hosts to execute information gathering techniques in a
random, rate-limited, and in non-linear way. This method is used to achieve stealth. (Distributed
information gathering)

c. Information Gathering Steps

1. Crawl the website and mirror the pages on your PC

2. Crawl the FTP website and mirror the pages on your PC

3. Lookup registered information in WHOIS database

4. List the products sold by the company

5. List the contact information, email ad-dresses, and telephone numbers

6. List the companys distributors

7. List the companys partners

8. Search the internet, newsgroups, bulletin boards and negative websites for infor- mation about
the company

9. Search for trade association directories

10. Search for link popularity of the company website

11. Compare price of product or service with competition

12. Find the geographical location

13. Search the internet archive pages about the company

14. Search similar or parallel domain name listings

15. Search job postings sites about the com- pany

16. Browse social network websites

17. Write down key employees

18. Investigate key personnel searching in Google, look up their resumes and cross reference
information

19. List employee company and personal email address

20. Search for web pages posting patterns and revision numbers

21. Email the employee disguised as cus-tomer asking for quotation

22. Visit the company as inquirer and extract privileged information

23. Visit the company locality

24. Use web investigation tools to extract sensitive data targeting the company

25. Conduct background check on key company personnel

26. Search on Ebay for company presence

27. Use the Domain Research Tool to investigate the companys domain

28. Use various public Database to research company information

29. Use Google/Yahoo! Finance to search for press releases issued by the company

30. Search company business reports and profiles at various databases

31. Search for telephone numbers using di-rectories and other services

32. Retrieve the DNS record of the organisa-tion from publicly available servers

6.3 External Security Audit

External Intrusion Audit and Analysis An External Intrusion Audit and Analysis identi- fies
strengths and weaknesses of a client sys- tem and network as they appear from the outside the
clients security perimeter, usually from the internet.

Why Is It Done? This is done to demonstrate the existence of known vulnerabilities in the client
system and network that could be exploited by an external hacker.

Client Benefits :

The client benefits by anticipating external attacks, that might cause security breaches and to
proactively reduce risks to information, system and networks. It also improves the security of the
clients networked resources. This provides improved e-commerce and e-business operations
with increased confidence in their ability to protect data, information and resources.

External Security Auditing How is it done?

Gather externally accessible configuration information

Scan client external network gateways to identify services and topology

Scan client Internet servers for ports and ser- vices vulnerable to attack
 Attempt intrusion of vulnerable internal sys-tems

Steps for Conducting External Security Auditing

Inventory the companys external infra-structure and create a topological map of the network

Identify the IP address of the targets

Locate the traffic route that goes to the web servers

Locate TCP and UDP traffic path to the destination

Identify the physical location of the target servers

Examine the use IPV6 at the remote location

Lookup domain registry for IP information, find IP block information about the target

Locate the ISP servicing the client

List open and closed ports

List suspicious ports that are half open/close

Port scan every port on the targets network

Use SYN scan and connect scan on the tar- get and see the response

Use XMAS scan, FIN scan and NULL scan on the target and see the response

Firewalk on the routers gateway and guess the access-list

Examine TCP sequence number prediction

Examine the use standard and non-stan-dard protocols

Examine IPID sequence number prediction

Examine the system uptime of target

Examine the operating system used for dif- ferent targets

Examine the applied patch to the operat- ing system

Locate DNS record of the domain and attempt DNS hijacking

Download applications from the companys website and reverse engineer the bi-nary code
 List programming languages used and application software to create various programs from the
target server

Look for error and custom web pages

Guess different sub domain names and analyse different responses

Examine the session variables

Examine cookies generated by the server

Examine the access controls used in the web applications

Brute force URL injections and session tokensCheck for directory consistency and page

naming syntax of the web pages

Look for sensitive information in web page source code

Attempt URL encodings on the web pages

Try buffer overflow attempts at input fields

Try Cross Site Scripting (XSS) techniques

Record and replay the traffic to the target web server and note the response

Try various SQL injection techniques

Examine hidden fields

Examine e-commerce and payment gateways handled by the web server

Examine welcome messages, error messages, and debug messages

Probe the service by SMTP mail bouncing

Grab the banner of HTTP servers, SMTP servers, POP3 servers, FTP Servers

Identify the web extensions used at the server

Try to use an HTTPS tunnel to encapsulate traffic

OS fingerprint target servers

Check for ICMP responses (type 3, port un- reachable), (type 8, echo request), (type 13,
timestamp request), (type 15, informa-tion request), (type 17, subnet address mask request)

Check for ICMP responses from broadcast address

 Port scan DNS servers (TCP/UDP 53)

Port scan TFTP servers (Port 69)

Test for NTP ports (Port 123)

Test for SNMP ports (Port 161)

Test for Telnet ports (Port 23)

Test for LDAP ports ( Port 389)

Test for NetBIOS ports ( Ports 135-139, 445)

Test for SQL server ports (Port 1433, 1434)

Test for Citrix ports (Port 1495)

Test for Oracle ports (Port 1521)

Test for NFS ports (Port 2049)

Test for Compaq, HP Inside Manager ports (Port 2301, 2381)

Test for Remote Desktop ports (Port 3389)

Test for Sybase ports (Port 5000)

Test for SIP ports (Port 5060)

Test for VNC ports (Port 5900/5800)

Test for X11 ports (Port 6000)

Test for Jet Direct ports (Port 9100)

Port scan FTP data (Port 20)

Port scan web servers (Port 80)

Port scan SSL servers (Port 443)

Port scan Kerberos-Active directory (Port TCP/UDP 88)

Port scan SSH servers (Port 22)

6.4 Internal Network Security Auditing

Internal testing involves testing computers and devices within the company. It is more like white-
box testing. What if an employee of the company penetrates the network with the amount of IT
knowledge he knows? What if a hacker breaks-in to the internal network that houses employees
PC and databases and steals sensitive information?

What if a casual guest visitor walks by the company and steals data from one of the isolated
machines? Internal network penetration test process will test and validate the level of internal
security on the client network. Based on statistics maintained by the Federal Bureau

of Investigations (FBI), fifty percent of companies reporting break-ins to their networks and/ or
business applications state they were com- promised by internal attacks. Internal network

security is, more often than not, underestimated by administrators. Very often, such security does
not even exist, allowing one user to easily access another users machine us- ing well-known
exploits, trust relationships and default settings. Most of these attacks require little or no skill,
putting the integrity of a network at stake.

Most employees do not need and should not have access to each others machines, administrative
functions, network devices and soon. However, because of the amount of flexibility needed for
normal operation, internal networks cannot afford maximum security.

On the other hand, with no security at all, internal users can be a major threat to many corporate
internal networks. A user within the company already has access to many inter- nal resources and
does not need to bypass firewalls or other security mechanisms which prevent non-trusted
sources, such as Internet users, to access the internal network. Poor network security also means
that, should an ex- ternal hacker break into a computer on your network, he/she can then access
the rest of the internal network more easily. This would enable a sophisticated attacker to read
and possibly leak confidential emails and documents; trash computers, leading to loss of
information; and more. Not to mention that they could then use your network and net- work
resources to start attacking other sites, that when discovered will lead back to you and your
company, not the hacker. Most attacks, against known exploits, could be easily fixed and,
therefore, stopped by administrators if they knew about the vulnerability in the first place.
During an Internal Network Security Assessment, security experts scan the entire internal local-
area and wide-area net- works for known vulnerabilities. These scans include all servers,
workstations, and network devices.

Steps for Internal Network Security Auditing Internal Network Review includes:

Examining the internal configuration and setup of the organizations computing resources.

Users accounts & password policies and practices

Access privileges and levels

 File, directory, event log and registry permissions

Audit logs

Software Patch management

Physical network cabling

Backup methodology & disaster recovery plans Internal testing involves testing computers

and devices within the company. The internal penetration testing involves:

Performing port scanning on individual machines and establishing null sessions. Attempting
replay attacks, ARP poisoning,

MAC flooding.

Conducting man-in-the-middle attack and trying to login to a console machine.

Attempting to plant key logger, Trojan, and Root kit on target machine.

Attempting to send virus using target machine.

Hiding sensitive data and hacking tools in target machine.

Escalating user privileges. Internal testing which is a critical part of this

includes the following steps:

Map the internal network

Scan the network for live hosts

Port scan individual machines

Try to gain access using known vulnerabilities

Attempt to establish null sessions

Enumerate users/identify domains on the network

Sniff the network using Wireshark

Sniff POP3/FTP/Telnet passwords

Sniff email messages

 Attempt replay attacks

Attempt ARP poisoning

Attempt MAC flooding

Conduct a man-in-the middle attack

Attempt DNS poisoning

Try a login to a console machine

Boot the PC using alternate OS and steal the SAM file

Attempt to plant a software key logger to steal passwords

Attempt to plant a hardware key logger to steal passwords

Attempt a plant a spyware on the target machine

Attempt to plant a Trojan on the target machine

Attempt to create a backdoor account on the target machine

Attempt to bypass anti-virus software installed on the target machine

Attempt to send virus using the target machine

Attempt to plant root kits on the target machine

Hide sensitive data on target machines

Hide hacking tools and other data on target machines

Use various Steganography techniques to hide files on target machine

Escalate user privileges

Capture POP3/SMTP/IMAP email traffic

Capture the communications between the FTP client and FTP server

Capture HTTP/HTTPS/RDP/VoIP traffic

Run Wireshark with the filter -ip.src == ip_address

Run Wireshark with this filter - ip.dst == ip_address

Run Wireshark with this filter - tcp.dstport =port_no

 Run Wireshark with this filter - ip.addr == ip_ address

Spoof the MAC address

Poison the victims IE proxy server

Attempt session hijacking on Telnet/FTP/ HTTP traffic

Continue to compromise every machine in the network and perform the previous steps.

Make sure you can undo your actions based on the pen-test process you had conducted.

Internal Security Auditing Tools

a. Automated penetration tools

Core Impact

Metasploit

Canvas

b. Scanning tools

Internet Scanner (www.iss.net)

Net Recon (www.symantec.com)

CyberCop (www.nai.com)

Nesses (www.nessus.org)

Cisco Secure Scanner (www.cisco.com)

Retina (www.eeye.com)

6.5 Firewall Security Auditing:

A firewall is a set of related programs, located at a network gateway server that protects the
resources of a private network from users from other networks. A firewall sits at the junction
point or gateway between the two networks, usually a private network and a public net- work,
such as the Internet. Firewalls protect against hackers and malicious intruders. It is a combination
of hardware and software that separates a LAN into two or more parts for security purposes
Firewalls are top on the list of critical security devices that businesses use to protect their assets.
Firewalls come in all shapes and sizes, they operate on the same basic principle that you should
limit the exposure of computer systems to only those protocols and ports necessary to provide
services, thus reducing the size of the attack surface of the system. The auditing of a firewall
primarily revolves around inspecting the firewall rules to make sure that they are accurately
enforcing security policy, and providing as high a degree of protection as feasible.

A firewall examines all traffic routed between the two networks to see if it meets certain criteria.
It routes packets between the networks. It filters both inbound and outbound traffic. It manages
public access to private networked resources such as host applications. It logs all attempts to
enter the private network andtriggers alarms when hostile or unauthorized entry is attempted.
Firewalls block unauthorized traffic, but if an organization wants to follow good practices, then it
needs to layer on other security countermeasures to defend against attacks that firewalls are not
designed to prevent.

Address filtering:

Firewalls can filter packets based on their source and destination addresses and port numbers.

Network filtering:

Firewalls can also filter specific types of network traffic. The decision to forward or reject
traffic is dependent upon the protocol used, for example HTTP, FTP, or Telnet.

Firewalls can also filter traffic by packet attribute or state.

If you have an attack against an authorized port and service, and your server is compromised, it
isnt the firewall that failed but the lack of defense in depth. Of course the concept of what a
firewall is just isnt as clear as it used to be in the days of single purpose firewalls. We live in a
unified threat management world, and todays firewalls perform a great many security tasks. IPS
and VPN has been integrated into the firewall line. Unified Threat Management (UTM) devices
operate as a combined threat management device, but the foundational elements of the firewall
are central to how the device operates. A firewall may allow all traffic through unless it meets
certain criteria, or it may deny all traffic unless it meets certain criteria. The type of criteria used
to determine whether traffic should be allowed through varies from one type of firewall to
another. Firewalls may be concerned with the type of traffic, or with source or destination
addresses and ports. They may also use complex rule bases that analyze the application data to
determine if the traffic should be allowed through.

Types of firewall

Firewalls fall into four broad categories:

Packet filters

Circuit level gateways

Application level gateways

 Stateful multilayer inspection firewalls Packet filtering firewalls work at the network

level of the OSI model (or the IP layer of TCP/ IP).

They are usually part of a router. In a packet filtering firewall, each packet is compared to

a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can:

Drop the packet.

Forward it or send a message to the originator.

Rules can include source and destination IP address, source and destination port number and
protocol used. The advantage of packet filtering firewalls is their low cost and low impact on
network performance. Most routers support packet filtering. Circuit level gateways work at the
session layer of the OSI model, or the TCP layer of TCP/ IP. They monitor TCP handshaking
between packets to determine whether a requested session is legitimate. Information passed to re-
mote computer through a circuit level gateway appears to have originated from the gateway.
Circuit level gateways are relatively inexpensive. They have the advantage of hiding information
about the private network they protect. Circuit level gateways do not fil- ter individual packet

Application level gateways are also called proxies. They can filter packets at the appli- cation
layer of the OSI model. Incoming or outgoing packets cannot access services for which there is
no proxy. In plain terms, an application level gateway that is configured to be a web proxy will
not allow any FTP, gopher,Telnet or other traffic through. Because they examine packets at
application layer, they can filter application specific commands such as http:post and get.
Stateful multilayer inspection firewalls com- bine the aspects of the other three types of
firewalls. They filter packets at the network layer, determine whether session packets are
legitimate and evaluate contents of packets at the application layer. They are expensive and
require competent personal to administer the device.

Review Firewall Design

Assessing firewall design requires that the auditor understand the various ways in which a
firewall can be deployed. There are many factors that cause an organization to choose one design
over another, and technical requirements sometimes are shaped by politics and budget as well.
The firewall is a policy enforcement tool that should be placed at key network zone boundaries.
It is ultimately up to the business to determine its tolerance for risk and deploy the
countermeasures that make sense. The following examples illustrate common firewall designs
that an auditor might find.

Simple Firewall

The simple firewall design is common for small or branch networks and involves a firewall or
router (configured as a firewall) between theInternet and the internal network. NAT is typically
used, and providing Internet access is the primary function of the firewall. There might be port
forwarding configured to internal servers for e-mail delivery or limited web hosting.

These designs typically suffer from minimal layered security, but are by far the least expen- sive
deployment method to connect a very small remote office or mobile worker situation.

Screening Router and Firewall

A screening router provides frontline defense at the network edge. Not only does this router act
as a basic firewall, but can also performservices such as routing, Netflow collection, quality of
service, and anti-spoofing. The point of a screening router is to provide defense in depth and
another place where access rules can be applied.

Firewall with DMZ

A better design for an organization that hosts its own websites, e-mail, or other Internet fac- ing
services is the firewall with DMZ design. This design provides segmentation of Internet- facing
services to their own dedicated subnet where policies and access control can be better enforced.
Typically the firewall provides NAT services to the web applications, and also conducts
application layer inspection to en- force RFC compliance and application use policies. Layering
in an IPS via an SSM module inside the firewall or through a dedicated appliance can give full
IPS protection for all traffic passing through the device. Firewall with DMZ and Services
Network As the criticality of web services increases, a single DMZ can sometimes become
crowded with applications and services.

The more applications, the more complicated the access rules can become, and before
long policies become difficult to implement on a single DMZ. Creating service networks on
separate firewall interfaces addresses this, by group- ing like services together to simplify policy
en- forcement. Web servers can go into the DMZ, and internal servers can go into the services
network. The amount of configuration starts to increase as the number of interfaces in- creases,
but the capability to be able to create more effective policies is vastly improved.

High Availability Firewall

High availability firewall designs are common in organizations that rely on the Internet as both a
source of revenue and an important mechanism for reaching customers. For these types of
organizations, downtime can create significant monetary loss, so the expense ofa redundant
architecture is well worth it. An- other high availability option is active/active where both
firewalls enforce policy and pass traffic at the same time, and in the event of a failure of one
device all traffic flows through the single remaining firewall. The benefits of active/active over
active/standby are that both firewalls are being utilized and can sup- port higher data rates than a
single firewall.
The downside to active/active is that both firewalls must be able to support their own traffic
loads in addition to the other firewall if one fails or the organization must be able to accept

Firewall testing

The steps involved in firewall penetration testing include:

Locate the firewall and traceroute to iden- tify the network range

Port scan the router

Grab the banner

Create custom packets and look for firewall responses

Test access control enumeration

Test to identify firewall architecture

Test the firewall policy

Test firewall using firewalking tool

Test for port redirection

Testing the firewall from both sides

Overt firewall test from outside

Test covert channels

Covert firewall test from outside

Test HTTP tunnelling

Test firewall specific vulnerabilities After the testing the following is documented:

Firewall logs.

Tools output

The analysis

Recommendations (if any).

Firewall Security Auditing Tools

6.6 IDS Security Auditing

IDS is a software/hardware that detects and logs inappropriate, incorrect, or anomalous activity.
IDSes are typically characterized based on the source of the data they monitor.

There are 2 types of IDS:

Host-based: A host-based IDS uses system log files and other electronic audit data to identify
suspicious activity.

Network-based: A network-based IDS uses a sensor to monitor packets on the network to which
it is attached. A network intrusion detection system (NIDS) is a system that tries to detect
malicious activity such as denial of service attacks, port-scans or even attempts to crack into
computers by monitoring network traffic. A host-based IDS monitors individual hosts on the
network for malicious activity; for example, Cisco Security Agent. Host systems are more
accurate than network-based IDS because they analyse the servers log files and not just network
traffic patterns. The host monitors the system and reports its activities to a central- ized server.
They are expensive and resource intensive.

An application-based IDS is like a host-based IDS designed to monitor a specific applica- tion
(similar to antivirus software designed specifically to monitor your mail server). An application-
based IDS is extremely accurate in detecting malicious activity for the applica- tions it protects.
Multi-Layer Intrusion Detection Systems mIDS integrates many layers of IDS tech- nologies into
a single monitoring and analysis engine. It aggregates integrity monitoring software logs, system
logs, IDS logs, and fire- wall logs into a single monitoring and analysis source.

Benefits:

Improves detection time

Increases situational awareness

Incident handling and analysis

Shortens response time

Decreases detection and reaction time

Decreases consumed employee time and

increases in systems uptime

Provides a clear picture of what happened during an incident

Wireless Intrusion Detection Systems

WIDS monitor and evaluate user and system activities, identify known attacks, determine
abnormal network activity, and detect policy
violations for WLANs.

Check for potential weakness that damage

the WLAN security.

Rough wireless APs.

Man-in-the-middle attacks.

A WIDS detects the following:

DoS attacks.

MAC spoofing.

RF interference.

Isolates an attackers physical location

Identifies non-encrypted traffic.

IDS Security Auditing Steps

Test for resource exhaustion/ IDS by sending ARP flood

Test the IDS by MAC spoofing/ IP spoofing

Test by sending a packet to the broadcast address/ inconsistent packets

Test IP packet fragmentation/duplicate fragments

Test for overlapping fragments/ping of death

Test for odd sized packets/ TTL evasion

Test by sending a packet to port 0/UDP checksum

Test for TCP retransmissions/ TCP flag manipulation

Test TCP flags

Test the IDS by sending SYN floods/sequence number prediction

Test for backscatter

Test the IDS with ICMP packets/IDS using covert channels

Test using TCP replay

 Test using TCP opera

Test using method matching

Test the IDS using URL encoding

Test the IDS using double slashes

Test the IDS for reverse traversal

Test for self-reference directories

Test for premature request ending

Test for IDS parameter hiding

Test for HTTP-mis-formatting

Test for long URLs

Test for DOS/Win directory syntax

Test for null method processing

Test for case sensitivity

Test session splicing

IDS Security Auditing Tools:

IDS Informer

Firewall informer

Traffic IQ professional

OSSEC HIDS

Evasion tools:

EVADE IDS

Evasion Gateway

6.7 Social Engineering Audit

What is Social Engineering?

The term social engineering is used to describe the various tricks usedto fool people (employ-
ees, business partners, or customers) intovol- untarily giving away information that would not
normally be knownto the general public.

Examples:

Names and contact information for key personnel

System user IDs and passwords

Proprietary operating procedures

Customer profiles

Steps in conducting Social Engineering

Attempt social engineering techniques using phone, wishing, telephone, email, traditional mail,
in person, dumpster diving, insider accomplice, shoulder surfing, desk- top information,
extortion and blackmail, websites, theft and phishing attacks, satellite imagery and building blue
prints, details of an employee from social networks sites, telephone monitoring device to capture
conversation, video recording tools to capture images, vehicle/asset tracking system to monitor
motor vehicles, identified disgruntled employees and engage in conversation to extract
sensitive information

Document everything including approach, response, information sought and retrieved

Web Application Security Auditing

Web application vulnerabilities generally stem from improper handling of client requests and/ or
a lack of input validation checking on the part of the developer.A web application is an
application, generally comprising a collection of scripts that resides on a web server and interacts
with databases or other sources of dynamic content.

Steps for Web Application Testing

Fingerprinting the web application environment

Investigate the output From HEAD and OPTIONS HTTP requests

Investigate the format and wording of 404/ other error pages

Test for recognized file types/extensions/directories

Examine source of available pages

Manipulate inputs in order to elicit a scripting error

 Test inner working of a web application

Test database connectivity

Test the application code

Testing the use of GET and POST in web application

Test for parameter-tampering attacks onwebsite

Test for URL manipulation

Test for cross site scripting

Test for hidden fields

Test cookie attacks

Test for buffer overflows

Test for bad data

Test client-side scripting

Test for known vulnerabilities

Test for race conditions

Test with user protection via browser settings

Test for command execution vulnerability

Test for SQL injection attacks

Test for blind SQL injection

Test for session fixation attack

Test for session hijacking

Test for XPath injection attack

Test for server side include injection attack

Test for logic flaws

Test for binary attacks y

Test for XML structural

Test for XML content-level

Test for WS HTTP GET parameters/REST attacks

Test for naughty SOAP attachments

Test for WS replay

Web Application Testing Tools

At Stake Web Proxy

SPIKE Proxy
WebserverFP
KSES
Mieliekoek.pl
Sleuth
Webgoat
AppScan

UNIT_III
Information Assets and Threats

The foundation for security is assets that need to be protected. Assets in the area of information
security are often labelled as information assets, and enclose not only the information itself but
also resources that are in use to facilitate the management of information. Security concerning IT
and information is normally categorised in three categories

1. confidentiality
2. integrity
3. availability

The concepts can be seen as the objectives with security regarding IT and information and are
often referred to as the CIA triad (Harris, 2002).

Confidentiality: Prevention of unauthorized disclosure or use of information assets

Integrity: Prevention of unauthorized modification of information assets

Availability: Ensuring of authorized access of information assets when enquired, for the du-
ration required

Threats to information assets

Risk is the potential harm that may arise from some current process or from some future event.
From the IT security perspective, risk management is the process of understanding and re-
spending to factors that may lead to a failure in the confidentiality, integrity or availability of an
information system. IT security risk is the harm to a process or the related information resulting
from some purposeful or accidental event that negatively impacts the process or the related
information.

Risk is a function of the likelihood of a given threat-sources exercising a particular potential

vulnerability, and the resulting impact of that adverse event on the organization.

The key concerns therefore in Information As-sets Security are:

Theft
Fraud/forgery
Unauthorized information access
Interception or modification of data and data management systems

The above concerns are materialized in the event of a breach caused by exploitation of
a vulnerability.

Vulnerabilities
Vulnerability is a flaw or weakness in a process, design, implementation, control, system, or
organization that could be triggered or intentionally exploited, resulting in a security incident or
breach. In other words, a vulnerability is a weakness in an information system, system security
procedures, internal controls, or implementation that could be exploited or triggered by a threat
source These vulnerabilities are susceptible to threats auctioned by threat agents. A threat is a
natural, human, or environmental source with the intent or opportunity to trigger the exploitation
of a vulnerability

Threat Agent or Actor refers to the intent and method targeted at the intentional exploitation of a
vulnerability or a situation and method that may accidentally trigger a vul-nerability.

A Threat Vector is a path or a tool that a Threat Actor uses to attack the target. Threat targets are
anything of value to the Threat Actor. It can be a PC, laptop, PDA, Tablet, Mo-bile phone, online
bank account or identity. If vulnerabilities are the entry points, then at-tack vectors are the ways
attackers can launch their assaults or try to infiltrate the sys-tem.

Broadly, the purpose of the attack vectors is to implant a piece of code that exploits a
vulnerability. This code is called the payload, and attack vectors vary in how a payload is
implanted.

Threat classification

Microsoft has proposed a threat classification called STRIDE, from the initials of threat
categories:
 Spoofing of user identity
Tampering
Repudiation
Information disclosure (privacy breach or Data leak)
Denial of Service (D.o.S.)
Elevation of privilege

Threat agents (individuals and groups) can be classified as follows:

Non-Target Specific: Non-Target Specific Threat Agents are computer viruses, worms, Trojans
and logic bombs.
Employees: Staff, contractors, operational/maintenance personnel, or security guards
who are annoyed with the company.
Organized Crime and Criminals: Criminals target information that is of value to them, such as
bank accounts, credit cards or intellectual property that can be converted into money. Criminals
will often make use of insiders to help them.
Corporations: Corporations are engaged in offensive information warfare or competitive
intelligence. Partners and competitors come under this category.
Human, Unintentional: Accidents, carelessness.
Human, Intentional: Insider, outsider.
Natural: Flood, fire, lightning, meteor, earth-quakes
Other security threats

Malware:- malicious software. This general term is often used to refer viruses, spyware, adware,
worms, Trojans, ransom ware etc. Malware is designed to cause damage to a targeted computer
or cause a certain degree of operational disruption. Malware often exploits security
vulnerabilities in both operating systems and applications.

Rootkit

malicious software designed to hide certain processes or programs from detec-

tion. Root kit usually acquires and maintains privileged system access, while hiding its presence
in the same time. The privileged access can allow root kit to provide the attacker with a backdoor
to a system; it can as well conceal malicious payload bundled with the root kit - like viruses or
Trojans.

Spyware
- software that monitors and collects information about particular user, his computer or his
organization without his knowledge. Very often spyware applications are bundled with free
packages of freeware or shareware and downloaded without any cost by users from internet.
Spy-ware is usually installed unwillingly. Spyware can be generally classified into following
types: system monitors, Trojans (keyloggers, banker Trojans, inforstealers), adware, tracking
cookies.

Tracking Cookies
- are a specific type of cookie that is distributed, shared, and read across two or more unrelated
Web sites for the purpose of gathering information or po-tentially to present customized data to
you. Tracking cookies are not harmful like mal-ware, worms, or viruses, but they can be a
privacy concern.

Risk ware
- term used to describe a potentially dangerous software whose installation
may pose a risk to the computer. Risk ware is not necessarily a spyware or malware pro-gram, it
may be as well a legitimate pro-gram containing loopholes or vulnerabilities that can be
exploited by malicious code.
Adware
- in general term adware is a soft-ware generating or displaying certain advertisements to the
user. The advertisements may be displayed either directly in the user interface while the software
is being used or during the installation process. This kind of adware is very common for freeware
and shareware software and is on itself more annoying than malicious - in such scenario it is
merely a mean for the software producer to gain some revenue while releasing applications that
are free of change or at a re-
duced price. Adware may be as well used to analyze end user internet habits and then tailor the
advertisements directly to users interests. Term adware is on occasions used interchangeably with
malware to describe the pop-up or display of unwanted advertisements.

Scareware
- class of malware that includes both Ransom ware (Trojan. Ransom) and Fake software .
Scareware is known as well under the names Rogue Security Soft-ware or Misleading
Software. This kind of software tricks user into belief that the computer has been infected and
offers paid solutions to clean the fake infection. Scareware can advertise as well system or
software security updates luring users into fraudalent transactions by buying for ex-ample fake
Antivirus Software that is either non-functional or malware itself.

Spam
- the term is used to describe unsolicited or unwanted electronic messages - especially
advertisements. The most widely recognized form of spam is email Spam, but there are many
different forms of it in al-most any available communication media - Instant messaging (called
SPIM), over VOIP (called SPIT), internet forums, newsgroups,
blogs, online gaming, etc. Spam may be a medium for phishing or social engineering
attacks. It is estimated that between 70% and 80% of total email traffic worldwide is
spam.

Creepware
- term used to describe ac-tivities like spying others through webcams (very often combined with
capturing pic-tures), tracking online activities of others and listening conversation over the com-
puters microphone, stealing passwords and other data. The information, data, pic-tures gained
with use of creepware may be later on used to extort money or blackmail the victims of this
threat. Creepware is other term to RAT (Remote Access Trojan) de-scribed before.

Blended threat
- defines an exploit that com-bines elements of multiple types of malware components. Usage of
multiple attack vec-tors and payload types targets to increase the severity of the damage causes
and as well the speed of spreading. Blended threat usually attempts to exploit multiple vulner-
abilities at the same time

Network attack is usually defined as an intru-sion on the network infrastructure that will first
analyse the environment and collect informa-tion in order to exploit the existing open ports or
vulnerabilities - this may include as well un-authorized access to organization resources. Cases
where the purpose of attack is only to learn and get some information from the sys-tem but the
system resources are not altered
or disabled in any way, are known as passive attacks. Active attack occurs where the per-petrator
accesses and either alters, disables or destroys resources or data. Attack can be performed either
from outside of the organization by unauthorized entity (Outside Attack) or from within the
company by an insider that already has certain access to the net-work (Inside Attack). Very
often the network attack itself is combined with an introduction of a malware components to the
targeted systems.

Some of the attacks described in this article will be attacks targeting the end-users (like
Phishing or Social Engineering) - those are usually not directly referenced as network attacks but
are included here for complete-ness purposes and because those kind of at-tacks are widely
widespread. Depending on the procedures used during the attack or the type of vulnerabilities
exploited the network attacks can be classified in following way (the provided list isnt by any
means complete - it introduces and describes only the most known and widespread attack types
that you should be aware of)

What types of attack are there?

Social Engineering
- refers to a psychological manipulation of people (here employ-ees of the company) to perform
actions that potentially lead to leak of companys proprietary or confidential information or
otherwise can cause damage to company resources, personnel or company image.
Social engineers use various strategies to trick users into disclosing confidential information,
data or both. One of the very common technique used by social engineers is to pretend to be
someone else - IT professional, member of the management team, co-worker, insurance
investigator or even member of governmental authorities. The mere fact that the addressed party
is some-one from the mentioned should convince the victim that the person has right to know of
any confidential or in any other way se- cure information. The purpose of social engineering
remains the same as purpose of hacking - unauthorized access gain to confidential information,
data theft, industrial espionage or environment/service disruption

Phishing attack
- this type of attack use so-cial engineering techniques to steal confidential information - the
most common purpose of such attack targets victims banking account details and credentials.
Phishing attacks tend to use schemes involving spoofed emails send to users that lead them to
malware infected websites designed to appear as real on-line banking websites. Emails received
by users in most cases will look authentic sent from sources known to the user (very often with
appropriate company logo and localised information) - those emails will contain a direct request
to verify some account information, credentials or credit card numbers by fol-lowing the
provided link and confirming the information on-line. The request will be ac-companied by a
threat that the account may become disabled or suspended if the mentioned details are not being
verified by the user.

Social Phishing
- in the recent years Phishing techniques evolved much to include as well social media like Face
book or Tweeter - this type of Phishing is often called Social Phishing. The purpose remains the
same - to obtain confidential information and gain access to personal files. The means of the
attack are bit different though and include special links or posts posted on the social media sites
that attract the user with their content and convince him to click on them. The link redirects then
to malicious website or similar harmful content. The websites can mirror the legitimate Face
book pages so that unsuspecting user does not notice the difference. The website will require
user to login with his real information - at this point the attacker collects the credentials gaining
access to compromised account and all data on it. Other scenario includes fake apps - users are
encouraged to download the apps and install them - apps that contain malware used to steal the
confidential information.

Face book Phishing attacks are often much more labored - consider the following scenario - link
posted by an attacker can include some pictures or phrase that will attract the user to click on it.
The user does the click upon which he is redirected to mirror website that ask him to like the post
first before even viewing it - user not suspecting any harm in this clicks on like button but
doesnt realise that the like button has been spoofed and in reality is accept button for the
fake app to access users personal information. At this point data is collected and account be-
comes compromised.

Spear Phishing Attack

this is a type of Phishing attack targeted at specific individuals, groups of individuals or
companies. Spear Phishing attacks are performed mostly with primary purpose of industrial
espionage and theft of sensitive information while ordinary Phishing attacks are directed against
wide public with intent of financial fraud. It has been estimated that in last couple of years
targeted Spear Phishing attacks are more widespread than ever before.

The recommendations to protect your com-pany against Phishing and Spear Phishing include:

1.Never open or download a file from an unsolicited email, even from someone
you know (you can call or email the per-son to double check that it really came
from them)
2.Keep your operating system updated
3.Use a reputable anti-virus program
4.Enable two factor authentication when-
ever available
5.Confirm the authenticity of a website prior to entering login credentials by looking for
a reputable security trust mark
6.Look for HTTPS in the address bar when you enter any sensitive personal information on a
website to make sure your data will be encrypted

Watering Hole Attack

- is a more complex type of a Phishing attack. Instead of the usual way of sending spoofed
emails to end users in order to trick them into reveal-ing confidential information, attackers use
multiple-staged approach to gain access to the targeted information. In first steps attacker is
profiling the potential victim, collecting information about his or hers internet habits, history of
visited websites etc.

In next step attacker uses that knowledge to inspect the specific legitimate public websites for
vulnerabilities. If any are vulner-abilities or loopholes are found the attacker compromises the
website with its own mali-cious code. The compromised website then awaits for the targeted
victim to come back and then infects them with exploits (often zero-day vulnerabilities) or
malware. This is an analogy to a lion waiting at the watering hole for his prey.

Whaling
- type of Phishing attack specifically targeted at senior executives or other
high profile targets within a company.

Vishing (Voice Phishing or VoIP Phishing)

-
use of social engineering techniques over telephone system to gain access to con-
fidential information from users. This Phish-ing attack is often combined with caller ID
spoofing that masks the real source phone number and instead of it displays the number familiar
to the Phishing victim or number known to be of a real banking institution.
General practices of Vishing includes pre-recorded automated instructions for users requesting
them to provide bank account or credit card information for verification over the phone.

Port scanning
- an attack type where the attacker sends several requests to a range of ports to a targeted host in
order to find out what ports are active and open - which
allows him them to exploit known service vulnerabilities related to specific ports. Port
scanning can be used by the malicious at-tackers to compromise the security as well by the IT
Professionals to verify the network security.

Spoofing
- technique used to masquerade a person, program or an address as another
by falsifying the data with purpose of un-authorized access. A few of the common
spoofing types include:

1. IP Address spoofing

- process of creating IP packets with forged source IP address to impersonate legitimate system.
This kind of spoofing is often used in DoS at-tacks (Smurf Attack).
2. ARP spoofing (ARP Poisoning)
- process of sending faked ARP messages in the net-work. The purpose of this spoofing is to
associate the MAC address with the IP address of another legitimate host causing traffic
redirection to the attacker host. This kind of spoofing is often used in man-in-the-middle attacks.

DNS spoofing (DNS Cache Poisoning)

- at-tack where the wrong data is inserted into DNS Server cache, causing the DNS server to
divert the traffic by returning wrong IP addresses as results for client queries.

4. Email spoofing
- process of faking the emails sender From field in order to hide real origin of the email. This
type of spoofing is often used in spam mail or dur-ing Phishing attack.

5. Search engine poisoning

- attackers take here advantage of high profile news items or popular events that may be of
specific interest for certain group of peo-ple to spread malware and viruses. This is performed by
various methods that have in purpose achieving highest possible
search ranking on known search portals by the malicious sites and links introduced
by the hackers. Search engine poisoning techniques are often used to distribute
rogue security products (scareware) to users searching for legitimate security so-lutions for
download.

Types of Controls (Counter measures)

Central to information security is the con-cept of controls, which may be categorized by their
functionality (preventive, detective, corrective, deterrent, recovery, and compensating, in this
order) and plane of application (physical, administrative, or technical). Physical controls include
doors, secure facilities, fire extinguishers, flood protection, and air conditioning. Administrative
controls are the organizations policies, procedures, and guidelines intended to facilitate
information security. Technical controls are the various technical measures, such as firewalls,
authentication systems, intrusion detection systems, and file encryption, among others.

Preventive Controls
Preventive controls are the first controls met by the adversary. Preventive controls try to prevent
security violations and enforce ac-cess control. Like other controls, preventive
controls may be physical, administrative, or technical: doors, security procedures, and
authentication requirements are examples of physical, administrative, and technical preventive
controls, respectively.
Detective Controls
Detective controls are in place to detect security violations and alert the defenders. They come
into play when preventive controls have failed or have been circumvented and are no less crucial
than detective controls. Detective controls include cryptographic checksums, file integrity
checkers, audit trails and logs, and similar mechanisms.

Corrective Controls
Corrective controls try to correct the situation after a security violation has occurred.
Although a violation occurred, not all is lost, so it makes sense to try and fix the situation.
Corrective controls vary widely, depending on the area being targeted, and they may be technical
or administrative in nature.

Deterrent Controls

Deterrent controls are intended to discourage potential attackers and send the message that it is
better not to attack, but even if you decide to attack we are able to defend our-selves. Examples
of deterrent controls include notices of monitoring and logging as well as the visible practice of
sound information secu-rity management.

Recovery Controls

Recovery controls are somewhat like correc-tive controls, but they are applied in more serious
situations to recover from security vio-lations and restore information and informa-tion
processing resources. Recovery controls may include disaster recovery and business continuity
mechanisms, backup systems and data, emergency key management arrange-ments, and similar
controls.

Compensating Controls
Compensating controls are intended to be alternative arrangements for other controls when the
original controls have failed or cannot be used. When a second set of con-trols addresses the
same threats that are ad-dressed by another set of controls, the second set of controls are
compensating controls.

Access Control Models

Logical access control models are the abstract foundations upon which actual access control
mechanisms and systems are built. Access control is among the most important concepts in
computer security. Access control models define how computers enforce access of subjects (such
as users, other computers, applications, and so on) to objects (such as computers, files,
directories, applications, servers, and devices). Three main access control models exist: the
discretionary access control model, the mandatory access control model, and the role-based
access control model.
Discretionary Access Control (DAC)

The discretionary access control model is the most widely used of the three models.
In the DAC model, the owner (creator) of information (file or directory) has the discretion to
decide about and set access control restrictions on the object in questionwhich may, for
example, be a file or a directory. The advantage of DAC is its flexibility: users may decide who
can access information and what they can do with itread, write, delete,rename, execute, and so
on. At the same time, this flexibility is also a disadvantage of DAC because users may make
wrong decisions regarding access control restrictions or maliciously set insecure or inappropriate
permissions. Nevertheless, the DAC model re-mains the model of choice for the absolute
majority of operating systems today, includ-ing Solaris.

Mandatory Access Control (MAC)

Mandatory access control, as its name suggests, takes a stricter approach to access control. In
systems utilizing MAC, users have little or no dis-cretion as to what access permissions they can
set on their information. Instead, mandatory ac-cess controls specified in a system-wide security
policy are enforced by the operating system
and applied to all operations on that system.

MAC-based systems use data classification levels (such as public, confidential, secret, and top
secret) and security clearance labels corre-sponding to data classification levels to decide, in
accordance with the security policy set by the system administrator, what access control
restrictions to enforce. Additionally, per-group and/or per-domain access control restrictions may
be imposedthat is, in addition to having the required security clearance level, subjects (users
or applications) must also belong to the appropriate group or domain. For example, a file with a
confidential label belonging only to
the research group may not be accessed by a user from the marketing group, even if that user has
a security clearance level higher than confidential (for example, secret or top secret). This
concept is known as compartmentalization or need to know.

Although MAC-based systems, when used appropriately, are thought to be more secure
than DAC-based systems, they are also much more difficult to use and administer because of the
additional restrictions and limitations im-posed by the operating system. MAC-based systems are
typically used in government, mili-tary, and financial environments, where higher than usual
security is required and where the added complexity and costs are tolerated.MAC is implemented
in Trusted Solaris, a version of the Solaris operating environment in-tended for high-security
environments.

Role-Based Access Control (RBAC)

In the role-based access control model, rights and permissions are assigned to roles instead of
individual users. This added layer of abstrac-tion permits easier and more flexible administration
and enforcement of access controls. For example, access to marketing files may be restricted to
the marketing manager role only, and users Ann, David, and Joe may be as-signed the role of
marketing manager. Later, when David moves from the marketing de-partment elsewhere, it is
enough to revoke his
role of marketing manager; no other changes would be necessary. When you apply this approach
to an organization with thousands of employees and hundreds of roles, you can see the added
security and convenience of using RBAC. Solaris has supported RBAC since release 8.

Centralized vs. Decentralized Access Control

Further distinction should be made between centralized and decentralized (distributed) access
control models. In environments with centralized access control, a single, central entity makes
access control decisions and manages the access control system; whereas in distributed access
control environments, these decisions are made and enforced in a decentralized manner. Both
approaches have their pros and cons, and it is generally inappropriate to say that one is better
than the other. The selection of a particular access control approach should be made only after
careful consideration of an organizations re-quirements and associated risks.
Security Vulnerability Management

Security vulnerability management is the cur-rent evolutionary step of vulnerability assessment

systems that began in the early 1990s with the advent of the network security scanner
S.A.T.A.N. (Security Administrators Tool for Analyzing Networks) followed by the 1st
commercial vulnerability scanner from ISS. While early tools mainly found vulnerabilities and
produced lengthy reports, todays best in class solutions deliver comprehensive discovery and
support the entire security vulnerability management lifecycle.

A vulnerability can occur anywhere in the IT environment, and can be the result of many
different root causes. Security vulnerability management solutions gather comprehensive
endpoint and network intelligence and apply advanced analytics to identify and prioritize the
vulnerabilities that pose the most risk to critical systems. The result is actionable data that
enables IT security teams to focus on the tasks that will most quickly and effectively reduce
overall network risk with the few-est possible resources.

Security vulnerability management is a closed-loop workflow that generally includes identifying

networked systems and associated applications, auditing (scanning) the systems and applications
for vulnerabilities, and reme-
diating the vulnerabilities. Any IT infrastructure components may present existing or new
security concerns and weaknesses i.e. vulner-abilities. It may be product/component faults or it
may be inadequate configuration. Ma-
licious code or unauthorized individuals may exploit those vulnerabilities to cause dam-age, such
as disclosure of credit card data.

Vulnerability management is the process of identifying those vulnerabilities and reacting

appropriately to mitigate the risk.

Vulnerability assessment and management is an essential piece for managing overall IT

risk, because:

Persistent Threats
Attacks exploiting security vulnerabilities for financial gain and criminal agendas continue to
dominate headlines.

Regulation
Many government and industry regulations, mandate rigorous vulnerability management
practices

Risk Management

Mature organizations treat it as a key risk man-agement component. Organizations that follow
mature IT security principles understand the importance of risk management.
Properly planned and implemented threat and vulnerability management programs represent a
key element in an organizations information security program, providing an approach to risk and
threat mitigation that is proactive and business-aligned, not just reac-tive and technology-
focused.

Vulnerability Assessment

Includes assessment the environment for known vulnerabilities, and to assess IT compo-nents
using the security configuration policies (by device role) that have been defined for the
environment. This is accomplished through scheduled vulnerability and configuration
assessments of the environment.

Network-based vulnerability assessment (VA) has been the primary method employed to baseline
networks, servers and hosts. The primary strength of VA is breadth of coverage. Thorough and
accurate vulnerability assessments can be accomplished for managed systems via credentialed
access. Unman-aged systems can be discovered and a basic assessment can be completed. The
ability to evaluate databases and Web applications for security weaknesses is crucial, con-
sidering the rise of attacks that target these components.

Database scanners check database configuration and properties to verify whether they comply
with database security best practices. Web application scanners test an applications logic for
abuse cases that can break or exploit the application. Additional tools
can be leveraged to perform more in-depth testing and analysis. All three scanning technologies
(network, application and database) assess a different class of security weaknesses, and most
organizations need to implement all three
Risk Assessment
Larger issues should be expressed in the language of risk (e.g., ISO 27005), specifically ex-
pressing impact in terms of business impact. The business case for any remedial action should
incorporate considerations relating to the reduction of risk and compliance with pol-icy. This
incorporates the basis of the action to be agreed on between the relevant line of business and the
security team

Risk Analysis

Fixing the issue may involve acceptance of the risk, shifting of the risk to another party or
reducing the risk by applying remedial action, which could be anything from a configuration
change to implementing a new infrastructure (e.g., data loss prevention, firewalls, host intrusion
prevention software).

Elimination of the root cause of security weak-nesses may require changes to user administration
and system provisioning processes. Many processes and often several teams may come into play
(e.g., configuration manage-ment, change management, patch management). Monitoring and
incident management processes are also required to maintain the environment.
For more details on threat and risk assessment best-practices see the blogs: Risk-Aware Security
Architecture as well as Risk Assessment and Roadmap.
Remediation Planning
Prioritization
Vulnerability and security configuration assessments typically generate very long reme-diation
work lists, and this remediation work needs to be prioritized. When organizations initially
implement vulnerability assessment and security configuration baselines, they typically discover
that a large number of systems contain multiple vulnerabilities and security configuration errors.
There is typically more mitigation work to do than the resources avail-able to accomplish it.

Root Cause Analysis

It is important to analyze security and vulnerability assessments in order to determine the root
cause. In many cases, the root cause of a set of vulnerabilities lies within the provisioning,
administration and maintenance processes of IT operations or within their development or the
procurement processes of applications.

Elimination of the root cause of security weak-nesses may require changes to user administration
and system provisioning processes. What makes a good root-cause analysis? An RCA is an
analysis of a failure to determine the first (or root) failure that cause the ultimate condition in
which the system finds itself, for example: In an application crash one should be thinking, why
did it crash this way?
A security analysts job in performing an RCA is to keep asking the inquisitive Why? until one
runs out of room for questions, and then they are faced with the problem at the root of the
situation.

Example: an application that had its data-base pilfered by hackers, where the ultimate failure the
analyst may be investigating is the exfiltration of consumer private data, but SQL Injection isnt
what caused the failure. Why did the SQL Injection happen? Was the root of the problem that the
developer responsible simply didnt follow the corporate policy for building SQL queries? Or
was the issue a fail-ure to implement something like the OWASP ESAPI (ESAPI - The OWASP
Enterprise Security API is a free, open source, web application security control library that
makes it easier for programmers to write lower-risk applications.) in the appropriate manner? Or
maybe the cause was a vulnerable open-source piece of code that was incorporated into the
corpo-rate application without passing it through the full source code lifecycle process?
Your job when youre performing an RCA is to figure this out. Root cause analysis is super-crit-
ical in the software security world. A number of automated solutions are also available for
various types of RCA. For example, HPs web application security testing technology which can
link XSS issues to a single line of code in the application input handler.