A security analyst may contribute to the following activities during the audit process, beginning with the pre-audit survey.
During this phase, the auditors determine the main area/s of focus for the audit and any areas that
are explicitly out-of-scope, based normally on an initial risk-based assessment plus discussion
with those who commissioned the audit. Information sources include general research on the
industry and the organization, previous and perhaps other audit reports, and documents such as
the Statement of Applicability, Risk Treatment Plan and Security Policy.
The auditors should ensure that the scope makes sense in relation to the organization. The audit scope should normally match the scope of the ISMS being certified. For example, large organizations with multiple divisions or business units may have separate ISMSs, an all-encompassing enterprise-wide ISMS, or some combination of local and centralized ISMSs. If the ISMS certification is for the entire organization, the auditors may need to review the ISMS in operation at all, or at least a representative sample of, business locations, such as the headquarters and a selection of discrete business units chosen by the auditors.
The auditors should pay particular attention to information security risks and controls associated with information conduits to other entities (organizations, business units etc.) that fall outside the scope of the ISMS, for example checking the adequacy of information security-related clauses in Service Level Agreements or contracts with IT service suppliers. This process should be easier where the out-of-scope entities have been certified compliant with ISO/IEC 27001. During the pre-audit survey, the ISMS auditors identify and ideally make contact with the main stakeholders in the ISMS, such as the ISM manager/s, security architects, ISMS developers, ISMS implementers and other influential figures such as the CIO and CEO, taking the opportunity to request pertinent documentation etc. that will be reviewed during the audit. The organization normally nominates one or more audit escorts: individuals who are responsible for ensuring that the auditors can move freely about the organization and rapidly find the people, information etc. necessary to conduct their work, and who act as management liaison points.
The primary output of this phase is an agreed ISMS audit scope, charter, engagement letter or similar. Contact lists and other preliminary documents are also obtained, and the audit files are opened to contain documentation (audit working papers, evidence, reports etc.) arising from the audit. The pre-audit questionnaire is used to assist the audit manager in gathering pertinent information prior to the on-site visit. Information gathered from the pre-audit questionnaire is used to formulate additional questions to be answered during the on-site visit and to assist in determining policy compliance. Additionally, the pre-audit questionnaire is used as a tool by audit managers to prepare information sheets for local auditors, outlining/summarizing the CSA's audit program and procedures.
Information gathering is essentially using the Internet to find all the information you can about the target (company and/or person) using both technical (DNS/WHOIS) and non-technical (search engines, news groups, mailing lists etc.) methods.
Information gathering does not require that the assessor establishes contact with the target system. Information is collected (mainly) from public sources on the Internet and from organizations that hold public information (e.g. tax agencies, libraries, etc.). The information gathering section of the penetration test is important for the penetration tester. Assessments are generally limited in time and resources. Therefore, it is critical to identify the points that are most likely to be vulnerable, and to focus on them. Even the best tools are useless if not used appropriately and in the right place and time. That is the reason why experienced testers invest a significant amount of time in information gathering.
Information gathering is a necessary step of a penetration test. This task can be carried out in many different ways. By using public tools (search engines), scanners, sending simple HTTP requests, or specially crafted requests, it is possible to force the application to leak information, e.g., disclosing error messages or revealing the versions and technologies used. It includes the following steps:
This phase of the Information Gathering process consists of browsing and capturing
resources related to the application being tested.
Search engines, such as Google, can be used to discover issues related to the web
application structure or error pages produced by the application that have been publicly
exposed.
Enumerating the application and its attack surface is a key precursor before any attack
should commence. This section will help you identify and map out every area within the
application that should be investigated once your enumeration and mapping phase has
been completed.
4 Testing Web Application Fingerprint:
Application fingerprint is the first step of the Information Gathering process; knowing
the version and type of a running web server allows testers to determine known
vulnerabilities and the appropriate exploits to use during testing.
5 Application Discovery:
During a penetration test, web applications may divulge information that is not intended
to be seen by an end user. Information such as error codes can inform the tester about
technologies and products being used by the application. In many cases, error codes can
be easily invoked without the need for specialist skills or tools, due to bad exception
handling design and coding. Clearly, focusing only on the web application will not be
an exhaustive test. It cannot be as comprehensive as the information possibly gathered by
performing
Phase One
Network survey: A network survey is like an introduction to the system being tested. By doing it, you obtain a network map, from which you can find the number of reachable systems to be tested without exceeding the legal limits of what you may test. Usually more hosts are detected during the testing, so they should be properly added to the network map. The results that the tester might get from network surveying are:
- Domain Names
- Server Names
- IP Addresses
- Network Maps / ASP information
- System and Service Owners
Network surveying can be done using TTL modulation (traceroute) and record route (e.g. ping -R), although classical sniffing is sometimes an equally effective method.
Phase Two
Phase Three
Port scanning: Port scanning is the invasive probing of system ports on the transport and network level. Included here is also the validation of system reception to tunnelled, encapsulated, or routing protocols. Testing for different protocols will depend on the system type and services it offers. However, it is not always necessary to test every port for every system. This is left to the discretion of the test team. Port numbers that are important for testing according to the service are listed with the task. Additional port numbers for scanning should be taken from the Consensus Intrusion Database Project Site. The results that the tester might get using port scanning are:
- List of all open, closed or filtered ports
- IP addresses of live systems
- Internal system network addressing
- List of discovered tunnelled and encapsulated protocols
- List of discovered routing protocols supported
Methods include SYN and FIN scanning, and variations thereof.
Phase Four
Services identification: This is the active examination of the application listening behind the service. In certain cases more than one application exists behind a service, where one application is the listener and the others are considered components of the listening application. The results of service identification are:
- Service Types
- Service Application Type and
The methods in service identification are the same as in port scanning. There are two models for performing information gathering:
1. The first method is to perform information gathering techniques with a one-to-one or one-to-many model; i.e. a tester performs techniques in a linear way against either one target host or a logical grouping of target hosts (e.g. a subnet). This method is used to achieve immediacy of the result and is often optimized for speed, and often executed in parallel.
2. The second method is to perform information gathering using a many-to-one or many-to-many model. The tester utilizes multiple hosts to execute information gathering techniques in a random, rate-limited and non-linear way. This method is used to achieve stealth (distributed information gathering).
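The defender's view of the SYN/FIN scanning methods and of the two gathering models above, as an added example that is not part of the original text: a small Python detector that flags a source as a SYN or FIN scanner when it probes many distinct ports within a time window, and shows how the rate-limited (stealth) model slips under a short window until the window is widened. The log format, addresses and thresholds are constructed assumptions, not the output of any real sensor.

```python
"""Detect SYN and FIN port scans in constructed connection-log lines.

Each line is assumed to be one TCP packet seen by a perimeter sensor, in the
(assumed) format: "<ISO-8601 time> <src_ip> <src_port> <dst_ip> <dst_port> <flags>".
Flags use the usual letters: S=SYN, A=ACK, P=PSH, F=FIN.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _packets(src, dst, ports, flags, start, step_s):
    """Build constructed log lines: one packet per port, step_s seconds apart."""
    t = datetime.fromisoformat(start)
    return [
        f"{(t + timedelta(seconds=i * step_s)).isoformat()} {src} {40000 + i} {dst} {port} {flags}"
        for i, port in enumerate(ports)
    ]


COMMON_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]

SAMPLE_LOG = "\n".join(
    # Fast SYN scan: 12 ports in 12 seconds, bare SYNs and no handshake.
    _packets("203.0.113.7", "192.0.2.10", COMMON_PORTS, "S", "2024-01-10T09:00:00", 1)
    # FIN scan: bare FIN probes to 10 ports in 10 seconds.
    + _packets("198.51.100.5", "192.0.2.10", COMMON_PORTS[:10], "F", "2024-01-10T09:05:00", 1)
    # Slow (rate-limited) SYN scan: one probe every 30 s, 10 ports over 4.5 minutes.
    + _packets("198.51.100.77", "192.0.2.10", COMMON_PORTS[:10], "S", "2024-01-10T10:00:00", 30)
    # Legitimate client: completes handshakes and exchanges data on two ports only.
    + [
        "2024-01-10T09:00:03 192.0.2.50 51000 192.0.2.10 443 S",
        "2024-01-10T09:00:03 192.0.2.50 51000 192.0.2.10 443 A",
        "2024-01-10T09:00:04 192.0.2.50 51000 192.0.2.10 443 PA",
        "2024-01-10T09:00:09 192.0.2.50 51000 192.0.2.10 443 FA",
        "2024-01-10T09:00:10 192.0.2.50 51001 192.0.2.10 80 S",
        "2024-01-10T09:00:10 192.0.2.50 51001 192.0.2.10 80 A",
    ]
)


def _classify(pkts):
    """Label a flagged source by its dominant flag pattern. Bare SYNs with no
    ACKs are the SYN-scan signature; bare FINs are the FIN-scan signature."""
    flags = Counter(p[3] for p in pkts)
    total = sum(flags.values())
    if flags["S"] / total >= 0.8:
        return "SYN scan"
    if flags["F"] / total >= 0.8:
        return "FIN scan"
    return "unclassified port sweep"


def detect_scans(log_text, window_s=60, port_threshold=10):
    """Return {src_ip: (scan_type, peak_distinct_ports)} for every source that
    touches at least port_threshold distinct (dst, port) pairs within window_s."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport, flags = line.split()
        by_src[src].append((datetime.fromisoformat(ts), dst, int(dport), flags))

    alerts = {}
    for src, pkts in by_src.items():
        pkts.sort()
        in_window = Counter()  # (dst, dport) -> packets inside the sliding window
        left, peak = 0, 0
        for right, (ts, dst, dport, _flags) in enumerate(pkts):
            in_window[(dst, dport)] += 1
            # Advance the left edge until the window is at most window_s wide.
            while (ts - pkts[left][0]).total_seconds() > window_s:
                old = (pkts[left][1], pkts[left][2])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= port_threshold:
            alerts[src] = (_classify(pkts), peak)
    return alerts


if __name__ == "__main__":
    # The slow scanner is invisible at a 60 s window and visible at 600 s:
    # the detection window is the knob the rate-limited model is tuned against.
    print(detect_scans(SAMPLE_LOG))
    print(detect_scans(SAMPLE_LOG, window_s=600))
```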
8. Search the internet, newsgroups, bulletin boards and negative websites for information about the company
18. Investigate key personnel by searching in Google, look up their resumes and cross-reference information
20. Search for web pages posting patterns and revision numbers
24. Use web investigation tools to extract sensitive data targeting the company
27. Use the Domain Research Tool to investigate the company's domain
29. Use Google/Yahoo! Finance to search for press releases issued by the company
31. Search for telephone numbers using directories and other services
32. Retrieve the DNS record of the organisation from publicly available servers
External Intrusion Audit and Analysis
An External Intrusion Audit and Analysis identifies strengths and weaknesses of a client system and network as they appear from outside the client's security perimeter, usually from the Internet.
Why Is It Done? This is done to demonstrate the existence of known vulnerabilities in the client system and network that could be exploited by an external hacker.
Client Benefits:
The client benefits by anticipating external attacks that might cause security breaches and by proactively reducing risks to information, systems and networks. It also improves the security of the client's networked resources. This provides improved e-commerce and e-business operations with increased confidence in their ability to protect data, information and resources.
Scan client Internet servers for ports and services vulnerable to attack
Attempt intrusion of vulnerable internal systems
Inventory the company's external infrastructure and create a topological map of the network
Look up the domain registry for IP information, find IP block information about the target
Use SYN scan and connect scan on the target and see the response
Use XMAS scan, FIN scan and NULL scan on the target and see the response
Download applications from the company's website and reverse engineer the binary code
List programming languages used and application software to create various programs from the target server
Brute force URL injections and session tokens
Check for directory consistency and page
Record and replay the traffic to the target web server and note the response
Grab the banner of HTTP servers, SMTP servers, POP3 servers, FTP servers
Check for ICMP responses (type 3, port unreachable), (type 8, echo request), (type 13, timestamp request), (type 15, information request), (type 17, subnet address mask request)
What if a casual guest visitor walks by the company and steals data from one of the isolated machines? The internal network penetration test process will test and validate the level of internal security on the client network. Based on statistics maintained by the Federal Bureau of Investigation (FBI), fifty percent of companies reporting break-ins to their networks and/or business applications state they were compromised by internal attacks. Internal network security is, more often than not, underestimated by administrators. Very often, such security does not even exist, allowing one user to easily access another user's machine using well-known exploits, trust relationships and default settings. Most of these attacks require little or no skill, putting the integrity of a network at stake.
Most employees do not need and should not have access to each other's machines, administrative functions, network devices and so on. However, because of the amount of flexibility needed for normal operation, internal networks cannot afford maximum security.
On the other hand, with no security at all, internal users can be a major threat to many corporate internal networks. A user within the company already has access to many internal resources and does not need to bypass firewalls or other security mechanisms that prevent non-trusted sources, such as Internet users, from accessing the internal network. Poor network security also means that, should an external hacker break into a computer on your network, he/she can then access the rest of the internal network more easily. This would enable a sophisticated attacker to read and possibly leak confidential emails and documents, trash computers, leading to loss of information, and more. Not to mention that they could then use your network and network resources to start attacking other sites, which when discovered will lead back to you and your company, not the hacker. Most attacks against known exploits could be easily fixed and, therefore, stopped by administrators if they knew about the vulnerability in the first place.
During an Internal Network Security Assessment, security experts scan the entire internal local-area and wide-area networks for known vulnerabilities. These scans include all servers, workstations, and network devices.
Steps for Internal Network Security Auditing
Internal Network Review includes:
Examining the internal configuration and setup of the organization's computing resources.
Audit logs
Backup methodology & disaster recovery plans
Internal testing involves testing computers and devices within the company. The internal penetration testing involves:
Performing port scanning on individual machines and establishing null sessions.
Attempting replay attacks, ARP poisoning, MAC flooding.
Attempting to plant keylogger, Trojan, and rootkit on target machine.
Capture the communications between the FTP client and FTP server
Continue to compromise every machine in the network and perform the previous steps.
Make sure you can undo your actions based on the pen-test process you had conducted.
Core Impact
Metasploit
Canvas
b. Scanning tools
CyberCop (www.nai.com)
Nessus (www.nessus.org)
Retina (www.eeye.com)
A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks. A firewall sits at the junction point or gateway between two networks, usually a private network and a public network such as the Internet. Firewalls protect against hackers and malicious intruders. A firewall is a combination of hardware and software that separates a LAN into two or more parts for security purposes.
Firewalls are top on the list of critical security devices that businesses use to protect their assets. Firewalls come in all shapes and sizes, but they all operate on the same basic principle: limit the exposure of computer systems to only those protocols and ports necessary to provide services, thus reducing the attack surface of the system. The auditing of a firewall primarily revolves around inspecting the firewall rules to make sure that they are accurately enforcing security policy and providing as high a degree of protection as feasible.
A firewall examines all traffic routed between the two networks to see if it meets certain criteria. It routes packets between the networks. It filters both inbound and outbound traffic. It manages public access to private networked resources such as host applications. It logs all attempts to enter the private network and triggers alarms when hostile or unauthorized entry is attempted. Firewalls block unauthorized traffic, but if an organization wants to follow good practices, then it needs to layer on other security countermeasures to defend against attacks that firewalls are not designed to prevent.
Address filtering:
Firewalls can filter packets based on their source and destination addresses and port numbers.
Network filtering:
Firewalls can also filter specific types of network traffic. The decision to forward or reject
traffic is dependent upon the protocol used, for example HTTP, FTP, or Telnet.
If you have an attack against an authorized port and service, and your server is compromised, it isn't the firewall that failed but the lack of defense in depth. Of course, the concept of what a firewall is just isn't as clear as it used to be in the days of single-purpose firewalls. We live in a unified threat management world, and today's firewalls perform a great many security tasks. IPS and VPN have been integrated into the firewall line. Unified Threat Management (UTM) devices operate as a combined threat management device, but the foundational elements of the firewall are central to how the device operates. A firewall may allow all traffic through unless it meets certain criteria, or it may deny all traffic unless it meets certain criteria. The type of criteria used to determine whether traffic should be allowed through varies from one type of firewall to another. Firewalls may be concerned with the type of traffic, or with source or destination addresses and ports. They may also use complex rule bases that analyze the application data to determine if the traffic should be allowed through.
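A worked illustration of the rule-inspection part of a firewall audit described above, added here and not from the original text: a first-match packet-filter evaluator plus an audit pass that flags permit-any/any rules, rules shadowed by an earlier rule, and decisions that disagree with the written security policy. The rule syntax, addresses and policy cases are constructed; the "weak" rule set contains a deliberate catch-all permit and the hardened set removes it.

```python
"""Audit a packet-filter rule set against the written security policy.

Rules are evaluated first-match, as a packet filter does. Everything here
(rule syntax, addresses, the policy cases) is constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    proto: str     # "tcp", "udp", "icmp" or "any"
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    dport: object  # destination port (int) or "any"


def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == ANY else cidr)


def _matches(rule, proto, src_ip, dst_ip, dport):
    return (rule.proto in (ANY, proto)
            and ipaddress.ip_address(src_ip) in _net(rule.src)
            and ipaddress.ip_address(dst_ip) in _net(rule.dst)
            and rule.dport in (ANY, dport))


def evaluate(rules, proto, src_ip, dst_ip, dport, default="deny"):
    """Decision for one packet: the first matching rule wins, else the default."""
    for rule in rules:
        if _matches(rule, proto, src_ip, dst_ip, dport):
            return rule.action
    return default


def _covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (outer.proto in (ANY, inner.proto)
            and _net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.dport in (ANY, inner.dport))


def audit(rules, policy_cases):
    """Findings: permit-any/any rules, rules shadowed by an earlier rule (so
    never reached), and packets whose decision disagrees with the stated policy."""
    findings = []
    for i, rule in enumerate(rules, 1):
        if rule.action == "permit" and (rule.src, rule.dst, rule.dport) == (ANY, ANY, ANY):
            findings.append(f"rule {i}: permit any/any exposes every service")
        for j, earlier in enumerate(rules[:i - 1], 1):
            if _covers(earlier, rule):
                findings.append(f"rule {i}: shadowed by rule {j}, never evaluated")
                break
    for proto, src, dst, dport, expected in policy_cases:
        actual = evaluate(rules, proto, src, dst, dport)
        if actual != expected:
            findings.append(f"policy: {proto} {src}->{dst}:{dport} is {actual}, expected {expected}")
    return findings


# Constructed network: DMZ web server 192.0.2.10 in 192.0.2.0/24, admins in 10.0.0.0/8.
WEAK_RULES = [
    Rule("permit", "tcp", ANY, "192.0.2.0/24", 443),           # 1: public HTTPS
    Rule("permit", "tcp", "10.0.0.0/8", "192.0.2.10/32", 22),  # 2: admin SSH from inside
    Rule("permit", "any", ANY, ANY, ANY),                      # 3: "temporary" catch-all permit
    Rule("deny", "tcp", ANY, "192.0.2.10/32", 23),             # 4: block telnet
    Rule("deny", "any", ANY, ANY, ANY),                        # 5: explicit default deny
]
HARDENED_RULES = [r for r in WEAK_RULES if r != WEAK_RULES[2]]

# The security policy written as test cases: (proto, src, dst, dport, expected).
POLICY = [
    ("tcp", "198.51.100.9", "192.0.2.10", 443, "permit"),  # web is open to the Internet
    ("tcp", "10.1.2.3", "192.0.2.10", 22, "permit"),       # SSH only from inside
    ("tcp", "198.51.100.9", "192.0.2.10", 22, "deny"),     # no SSH from the Internet
    ("tcp", "198.51.100.9", "192.0.2.10", 23, "deny"),     # telnet never
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules, POLICY) or ["no findings"])
```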
Types of firewall
Packet filters
They are usually part of a router. In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can:
Rules can include source and destination IP address, source and destination port number and protocol used. The advantage of packet filtering firewalls is their low cost and low impact on network performance. Most routers support packet filtering.
Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They monitor TCP handshaking between packets to determine whether a requested session is legitimate. Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway. Circuit level gateways are relatively inexpensive. They have the advantage of hiding information about the private network they protect. Circuit level gateways do not filter individual packets.
Application level gateways are also called proxies. They can filter packets at the application layer of the OSI model. Incoming or outgoing packets cannot access services for which there is no proxy. In plain terms, an application level gateway that is configured to be a web proxy will not allow any FTP, gopher, Telnet or other traffic through. Because they examine packets at the application layer, they can filter application-specific commands such as HTTP POST and GET.
Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls. They filter packets at the network layer, determine whether session packets are legitimate and evaluate the contents of packets at the application layer. They are expensive and require competent personnel to administer the device.
Assessing firewall design requires that the auditor understand the various ways in which a
firewall can be deployed. There are many factors that cause an organization to choose one design
over another, and technical requirements sometimes are shaped by politics and budget as well.
The firewall is a policy enforcement tool that should be placed at key network zone boundaries.
It is ultimately up to the business to determine its tolerance for risk and deploy the
countermeasures that make sense. The following examples illustrate common firewall designs
that an auditor might find.
Simple Firewall
The simple firewall design is common for small or branch networks and involves a firewall or router (configured as a firewall) between the Internet and the internal network. NAT is typically used, and providing Internet access is the primary function of the firewall. There might be port forwarding configured to internal servers for e-mail delivery or limited web hosting.
These designs typically suffer from minimal layered security, but are by far the least expensive deployment method to connect a very small remote office or mobile worker situation.
A screening router provides frontline defense at the network edge. Not only does this router act as a basic firewall, but it can also perform services such as routing, NetFlow collection, quality of service, and anti-spoofing. The point of a screening router is to provide defense in depth and another place where access rules can be applied.
A better design for an organization that hosts its own websites, e-mail, or other Internet-facing services is the firewall with DMZ design. This design provides segmentation of Internet-facing services to their own dedicated subnet where policies and access control can be better enforced. Typically the firewall provides NAT services to the web applications, and also conducts application layer inspection to enforce RFC compliance and application use policies. Layering in an IPS via an SSM module inside the firewall or through a dedicated appliance can give full IPS protection for all traffic passing through the device.
Firewall with DMZ and Services Network
As the criticality of web services increases, a single DMZ can sometimes become crowded with applications and services.
The more applications there are, the more complicated the access rules can become, and before long policies become difficult to implement on a single DMZ. Creating service networks on separate firewall interfaces addresses this by grouping like services together to simplify policy enforcement. Web servers can go into the DMZ, and internal servers can go into the services network. The amount of configuration starts to increase as the number of interfaces increases, but the ability to create more effective policies is vastly improved.
High availability firewall designs are common in organizations that rely on the Internet as both a source of revenue and an important mechanism for reaching customers. For these types of organizations, downtime can create significant monetary loss, so the expense of a redundant architecture is well worth it. Another high availability option is active/active, where both firewalls enforce policy and pass traffic at the same time, and in the event of a failure of one device all traffic flows through the single remaining firewall. The benefits of active/active over active/standby are that both firewalls are being utilized and can support higher data rates than a single firewall.
The downside to active/active is that both firewalls must be able to support their own traffic
loads in addition to the other firewall if one fails or the organization must be able to accept
Firewall testing
Locate the firewall and traceroute to identify the network range
Test firewall specific vulnerabilities
After the testing the following is documented:
Firewall logs.
Tools output
The analysis
Host-based: A host-based IDS uses system log files and other electronic audit data to identify suspicious activity.
Network-based: A network-based IDS uses a sensor to monitor packets on the network to which it is attached. A network intrusion detection system (NIDS) is a system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic. A host-based IDS monitors individual hosts on the network for malicious activity; for example, Cisco Security Agent. Host systems are more accurate than network-based IDS because they analyse the server's log files and not just network traffic patterns. The host monitors the system and reports its activities to a centralized server. They are expensive and resource intensive.
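How a host-based IDS turns system log files into an alert, as an added example that is not from the original text: Python that parses constructed sshd-style authentication lines, raises a medium alert on a burst of failed logins from one source, and escalates to high when a successful login from that same source follows the burst. The log format, hostnames, addresses and thresholds are constructed assumptions.

```python
"""Host-based IDS rule: failed-login burst, escalated when a success follows.

Input is assumed to be syslog-style sshd lines (constructed for this example):
  "Mon DD HH:MM:SS host sshd[pid]: Failed password for [invalid user ]USER from IP port N ssh2"
  "Mon DD HH:MM:SS host sshd[pid]: Accepted password|publickey for USER from IP port N ssh2"
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
LOG_YEAR = 2024  # syslog lines carry no year; assumed here for parsing

# Constructed sample: a password-guessing burst that ends in a successful login,
# followed by a normal user who mistypes once, plus a line the rule ignores.
SAMPLE_AUTH_LOG = """\
Jan 10 09:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50210 ssh2
Jan 10 09:00:03 web01 sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 50211 ssh2
Jan 10 09:00:05 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 50212 ssh2
Jan 10 09:00:08 web01 sshd[2107]: Failed password for deploy from 203.0.113.7 port 50213 ssh2
Jan 10 09:00:11 web01 sshd[2109]: Failed password for deploy from 203.0.113.7 port 50214 ssh2
Jan 10 09:00:14 web01 sshd[2111]: Failed password for deploy from 203.0.113.7 port 50215 ssh2
Jan 10 09:00:20 web01 sshd[2113]: Accepted password for deploy from 203.0.113.7 port 50216 ssh2
Jan 10 09:02:00 web01 sshd[2120]: Failed password for alice from 10.0.0.5 port 41000 ssh2
Jan 10 09:02:06 web01 sshd[2122]: Accepted publickey for alice from 10.0.0.5 port 41001 ssh2
Jan 10 09:03:00 web01 sshd[2130]: pam_unix(sshd:session): session opened for user alice
"""


def _parse(log_text):
    """Yield (timestamp, src_ip, user, success) for lines the rule understands."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log lines are skipped, not treated as errors
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    events.sort()
    return events


def analyse(log_text, threshold=5, window_s=300):
    """Return {src_ip: [(severity, message), ...]}.

    medium: at least `threshold` failures from one source within `window_s`.
    high:   a successful login from that source while the failure window is
            still full, i.e. the pattern of a guessed password.
    """
    alerts = defaultdict(list)
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    reported = set()               # sources already given a medium alert
    for ts, src, user, ok in _parse(log_text):
        recent = failures[src]
        while recent and (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()  # drop failures that fell out of the window
        if not ok:
            recent.append(ts)
            if len(recent) >= threshold and src not in reported:
                reported.add(src)
                alerts[src].append(("medium", f"{len(recent)} failed logins within {window_s}s"))
        elif len(recent) >= threshold:
            alerts[src].append(("high", f"successful login as {user} after {len(recent)} failures"))
            recent.clear()
    return dict(alerts)


if __name__ == "__main__":
    for src, items in analyse(SAMPLE_AUTH_LOG).items():
        for severity, message in items:
            print(f"{severity.upper():6} {src}: {message}")
```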
An application-based IDS is like a host-based IDS designed to monitor a specific application (similar to antivirus software designed specifically to monitor your mail server). An application-based IDS is extremely accurate in detecting malicious activity for the applications it protects.
Multi-Layer Intrusion Detection Systems (mIDS) integrate many layers of IDS technologies into a single monitoring and analysis engine. They aggregate integrity monitoring software logs, system logs, IDS logs, and firewall logs into a single monitoring and analysis source.
Benefits:
WIDS monitor and evaluate user and system activities, identify known attacks, determine abnormal network activity, and detect policy violations for WLANs.
Man-in-the-middle attacks.
DoS attacks.
MAC spoofing.
RF interference.
IDS Informer
Firewall informer
Traffic IQ professional
OSSEC HIDS
Evasion tools:
EVADE IDS
Evasion Gateway
Examples:
Customer profiles
Attempt social engineering techniques using phone, vishing, telephone, email, traditional mail, in person, dumpster diving, insider accomplice, shoulder surfing, desktop information, extortion and blackmail, websites, theft and phishing attacks, satellite imagery and building blueprints, details of an employee from social network sites, telephone monitoring devices to capture conversation, video recording tools to capture images, vehicle/asset tracking systems to monitor motor vehicles, identifying disgruntled employees and engaging in conversation to extract sensitive information
Web application vulnerabilities generally stem from improper handling of client requests and/or a lack of input validation checking on the part of the developer. A web application is an application, generally comprising a collection of scripts, that resides on a web server and interacts with databases or other sources of dynamic content.
UNIT_III
Information Assets and Threats
The foundation for security is the assets that need to be protected. Assets in the area of information security are often labelled information assets, and encompass not only the information itself but also the resources that are used to facilitate the management of information. Security concerning IT and information is normally divided into three categories:
1. confidentiality
2. integrity
3. availability
These concepts can be seen as the objectives of IT and information security and are often referred to as the CIA triad (Harris, 2002).
Availability: Ensuring authorized access to information assets when requested, for the duration required.
The above concerns are materialized in the event of a breach caused by exploitation of
a vulnerability.
Vulnerabilities
A vulnerability is a flaw or weakness in a process, design, implementation, control, system, or organization that could be triggered or intentionally exploited, resulting in a security incident or breach. In other words, a vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. These vulnerabilities are susceptible to threats actioned by threat agents. A threat is a natural, human, or environmental source with the intent or opportunity to trigger the exploitation of a vulnerability.
Threat Agent or Actor refers to the intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability.
A Threat Vector is a path or a tool that a Threat Actor uses to attack the target. Threat targets are anything of value to the Threat Actor. It can be a PC, laptop, PDA, tablet, mobile phone, online bank account or identity. If vulnerabilities are the entry points, then attack vectors are the ways attackers can launch their assaults or try to infiltrate the system.
Broadly, the purpose of the attack vectors is to implant a piece of code that exploits a
vulnerability. This code is called the payload, and attack vectors vary in how a payload is
implanted.
Threat classification
Microsoft has proposed a threat classification called STRIDE, from the initials of threat
categories:
Spoofing of user identity
Tampering
Repudiation
Information disclosure (privacy breach or Data leak)
Denial of Service (D.o.S.)
Elevation of privilege
Non-Target Specific: Non-Target Specific Threat Agents are computer viruses, worms, Trojans
and logic bombs.
Employees: Staff, contractors, operational/maintenance personnel, or security guards
who are annoyed with the company.
Organized Crime and Criminals: Criminals target information that is of value to them, such as
bank accounts, credit cards or intellectual property that can be converted into money. Criminals
will often make use of insiders to help them.
Corporations: Corporations are engaged in offensive information warfare or competitive
intelligence. Partners and competitors come under this category.
Human, Unintentional: Accidents, carelessness.
Human, Intentional: Insider, outsider.
Natural: Flood, fire, lightning, meteor, earthquakes
Other security threats
Malware
- malicious software. This general term is often used to refer to viruses, spyware, adware, worms, Trojans, ransomware etc. Malware is designed to cause damage to a targeted computer or cause a certain degree of operational disruption. Malware often exploits security vulnerabilities in both operating systems and applications.
Rootkit
Spyware
- software that monitors and collects information about a particular user, his computer or his organization without his knowledge. Very often spyware applications are bundled with free packages of freeware or shareware and downloaded without any cost by users from the internet. Spyware is usually installed without the user's consent. Spyware can be generally classified into the following types: system monitors, Trojans (keyloggers, banker Trojans, infostealers), adware, tracking cookies.
Tracking Cookies
- are a specific type of cookie that is distributed, shared, and read across two or more unrelated Web sites for the purpose of gathering information or potentially to present customized data to you. Tracking cookies are not harmful like malware, worms, or viruses, but they can be a privacy concern.
Riskware
- term used to describe potentially dangerous software whose installation may pose a risk to the computer. Riskware is not necessarily a spyware or malware program; it may as well be a legitimate program containing loopholes or vulnerabilities that can be exploited by malicious code.
Adware
- in general terms, adware is software generating or displaying certain advertisements to the user. The advertisements may be displayed either directly in the user interface while the software is being used or during the installation process. This kind of adware is very common for freeware and shareware software and is in itself more annoying than malicious: in such a scenario it is merely a means for the software producer to gain some revenue while releasing applications that are free of charge or at a reduced price. Adware may also be used to analyze end users' internet habits and then tailor the advertisements directly to users' interests. The term adware is on occasion used interchangeably with malware to describe the pop-up or display of unwanted advertisements.
Scareware
- class of malware that includes both ransomware (Trojan.Ransom) and fake software. Scareware is known as well under the names Rogue Security Software or Misleading Software. This kind of software tricks the user into believing that the computer has been infected and offers paid solutions to clean the fake infection. Scareware can also advertise system or software security updates, luring users into fraudulent transactions by buying, for example, fake antivirus software that is either non-functional or malware itself.
Spam
- the term is used to describe unsolicited or unwanted electronic messages, especially
advertisements. The most widely recognized form of spam is email spam, but there are many other
forms of it in almost any available communication medium: instant messaging (called SPIM), VoIP
(called SPIT), internet forums, newsgroups, blogs, online gaming, etc. Spam may be a medium for
phishing or social engineering attacks. It is estimated that between 70% and 80% of total email
traffic worldwide is spam.
Creepware
- term used to describe activities like spying on others through webcams (very often combined
with capturing pictures), tracking the online activities of others, listening to conversations
over the computer's microphone, and stealing passwords and other data. The information, data and
pictures gained with the use of creepware may later be used to extort money from or blackmail the
victims of this threat. Creepware is another term for RAT (Remote Access Trojan), described
before.
Blended threat
- an exploit that combines elements of multiple types of malware components. The use of multiple
attack vectors and payload types aims to increase both the severity of the damage caused and the
speed of spreading. A blended threat usually attempts to exploit multiple vulnerabilities at the
same time.
A network attack is usually defined as an intrusion on the network infrastructure that first
analyses the environment and collects information in order to exploit existing open ports or
vulnerabilities; this may also include unauthorized access to organization resources. Cases
where the purpose of the attack is only to learn and obtain some information from the system,
while the system resources are not altered or disabled in any way, are known as passive attacks.
An active attack occurs where the perpetrator accesses and either alters, disables or destroys
resources or data. An attack can be performed either from outside the organization by an
unauthorized entity (outside attack) or from within the company by an insider who already has
certain access to the network (inside attack). Very often the network attack itself is combined
with the introduction of malware components to the targeted systems.
Some of the attacks described in this article target end users (like Phishing or social
engineering); these are usually not directly referred to as network attacks but are included here
for completeness and because such attacks are widespread. Depending on the procedures used during
the attack or the type of vulnerabilities exploited, network attacks can be classified in the
following way (the list provided is not complete by any means; it introduces and describes only
the best known and most widespread attack types that you should be aware of):
Phishing attack
- this type of attack uses social engineering techniques to steal confidential information; the
most common purpose of such an attack is to obtain the victim's banking account details and
credentials. Phishing attacks tend to use schemes involving spoofed emails sent to users that lead
them to malware-infected websites designed to look like real online banking websites. In most cases
the emails received by users will look authentic, as if sent from sources known to the user (very
often with the appropriate company logo and localised information); these emails will contain a
direct request to verify some account information, credentials or credit card numbers by following
the provided link and confirming the information online. The request will be accompanied by a
threat that the account may be disabled or suspended if the mentioned details are not verified by
the user.
Social Phishing
- in recent years Phishing techniques have evolved to include social media such as Facebook or
Twitter; this type of Phishing is often called Social Phishing. The purpose remains the same: to
obtain confidential information and gain access to personal files. The means of attack are a bit
different, though, and include special links or posts on social media sites that attract the user
with their content and convince them to click. The link then redirects to a malicious website or
similar harmful content. The websites can mirror legitimate Facebook pages so that an unsuspecting
user does not notice the difference. The website will require the user to log in with their real
information; at this point the attacker collects the credentials, gaining access to the
compromised account and all data on it. Another scenario involves fake apps: users are encouraged
to download and install apps that contain malware used to steal confidential information.
Facebook Phishing attacks are often much more elaborate. Consider the following scenario: a link
posted by an attacker can include pictures or a phrase that will attract the user to click on it.
The user clicks and is redirected to a mirror website that asks them to like the post before even
viewing it. The user, not suspecting any harm in this, clicks on the like button but does not
realise that the like button has been spoofed and in reality is the accept button granting the
fake app access to the user's personal information. At this point data is collected and the
account becomes compromised.
The recommendations to protect your company against Phishing and Spear Phishing include:
1. Never open or download a file from an unsolicited email, even from someone you know (you can
call or email the person to double-check that it really came from them).
2. Keep your operating system updated.
3. Use a reputable anti-virus program.
4. Enable two-factor authentication whenever available.
5. Confirm the authenticity of a website prior to entering login credentials by looking for a
reputable security trust mark.
6. Look for HTTPS in the address bar when you enter any sensitive personal information on a
website to make sure your data will be encrypted.
Watering hole attack
In the next step the attacker uses that knowledge to inspect the specific legitimate public
websites for vulnerabilities. If any vulnerabilities or loopholes are found, the attacker
compromises the website with their own malicious code. The compromised website then waits for the
targeted victim to come back and infects them with exploits (often for zero-day vulnerabilities)
or malware. This is analogous to a lion waiting at the watering hole for its prey.
Whaling
- type of Phishing attack specifically targeted at senior executives or other high-profile
targets within a company.
Port scanning
- an attack type where the attacker sends requests to a range of ports on a targeted host in order
to find out which ports are active and open, which allows them to exploit known service
vulnerabilities related to specific ports. Port scanning can be used by malicious attackers to
compromise security as well as by IT professionals to verify network security.
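From the defender's side, a port scan leaves a recognisable trace in firewall logs: one source touching many distinct ports on one host in a short time. The following is an added example (not part of the original text) that flags that pattern; the log format and the addresses are constructed, and the threshold and window are assumptions to tune per network.

```python
from collections import defaultdict

THRESHOLD = 10  # distinct destination ports within one window before a source is flagged
WINDOW = 60     # seconds

# Constructed firewall log: "<epoch> <src_ip> <dst_ip> <dst_port> <action>".
# 198.51.100.7 sweeps a dozen ports on 10.0.0.5 within a few seconds (denied probes count too,
# since closed ports are exactly what a scan reveals); 10.0.0.20 is an ordinary client.
SAMPLE_LOG = """\
1700000000 198.51.100.7 10.0.0.5 21 DENY
1700000001 198.51.100.7 10.0.0.5 22 ALLOW
1700000002 198.51.100.7 10.0.0.5 23 DENY
1700000003 198.51.100.7 10.0.0.5 25 DENY
1700000004 198.51.100.7 10.0.0.5 53 DENY
1700000005 10.0.0.20 10.0.0.5 443 ALLOW
1700000005 198.51.100.7 10.0.0.5 80 ALLOW
1700000006 198.51.100.7 10.0.0.5 110 DENY
1700000007 198.51.100.7 10.0.0.5 135 DENY
1700000008 198.51.100.7 10.0.0.5 139 DENY
1700000009 198.51.100.7 10.0.0.5 443 ALLOW
1700000010 198.51.100.7 10.0.0.5 445 DENY
1700000011 198.51.100.7 10.0.0.5 3389 DENY
1700000030 10.0.0.20 10.0.0.5 443 ALLOW
1700000050 10.0.0.20 10.0.0.5 80 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action


def detect_scans(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {(src, dst): sorted ports touched} for every pair where one source hit more than
    `threshold` distinct ports on one host inside any `window`-second interval."""
    hits = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for line in lines:
        if line.strip():
            ts, src, dst, port, _action = parse_line(line)
            hits[(src, dst)].append((ts, port))

    flagged = {}
    for pair, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the interval fits inside `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {port for _, port in events[start:end + 1]}
            if len(distinct) > threshold:
                flagged[pair] = sorted({port for _, port in events})
                break
    return flagged


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan from {src} against {dst}: ports {ports}")
```

An authorised scan by the IT team produces the same signature, so the alert should be correlated with the change calendar rather than treated as proof of hostile intent.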
Spoofing
- technique used to masquerade a person, program or address as another by falsifying data with
the purpose of gaining unauthorized access. A few of the common spoofing types include:
1. IP address spoofing
- process of creating IP packets with a forged source IP address to impersonate a legitimate
system. This kind of spoofing is often used in DoS attacks (Smurf attack).
2. ARP spoofing (ARP poisoning)
- process of sending faked ARP messages on the network. The purpose of this spoofing is to
associate the attacker's MAC address with the IP address of another, legitimate host, causing
traffic to be redirected to the attacker's host. This kind of spoofing is often used in
man-in-the-middle attacks.
3. Email spoofing
- process of faking the email's sender (From) field in order to hide the real origin of the email.
This type of spoofing is often used in spam mail or during a Phishing attack.
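ARP poisoning is detectable precisely because of what the entry above describes: the IP-to-MAC binding of a legitimate host suddenly flips to the attacker's adapter. The following is an added example (not part of the original text) of the passive check a tool in the arpwatch family performs; the ARP replies, addresses and MACs are all constructed.

```python
# Constructed ARP replies as (timestamp, sender_ip, sender_mac), the view a passive sniffer gets.
# 10.0.0.1 is the gateway, legitimately at ...:01. From t=30 a host at ...:99 (which also
# answers for its own address 10.0.0.66) starts claiming the gateway's IP.
ARP_REPLIES = [
    (0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (5, "10.0.0.66", "aa:bb:cc:00:00:99"),
    (10, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (30, "10.0.0.1", "aa:bb:cc:00:00:99"),  # poisoned reply
    (31, "10.0.0.1", "aa:bb:cc:00:00:99"),
    (35, "10.0.0.66", "aa:bb:cc:00:00:99"),
]


def detect_arp_poisoning(replies):
    """Return (alerts, multi_ip_macs).

    alerts: one record per reply whose sender MAC differs from the MAC first learned for that IP
            (the binding flip an ARP poisoning attack produces).
    multi_ip_macs: MACs that have claimed more than one IP, which is how the attacker's own
            adapter looks when it answers for both itself and the victim's address.
    """
    learned = {}      # ip -> first MAC seen for it
    ips_by_mac = {}   # mac -> set of IPs it has claimed
    alerts = []
    for ts, ip, mac in replies:
        ips_by_mac.setdefault(mac, set()).add(ip)
        if ip not in learned:
            learned[ip] = mac
        elif learned[ip] != mac:
            alerts.append({"time": ts, "ip": ip, "expected_mac": learned[ip], "seen_mac": mac})
    multi_ip_macs = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return alerts, multi_ip_macs


if __name__ == "__main__":
    alerts, suspects = detect_arp_poisoning(ARP_REPLIES)
    for a in alerts:
        print(f"t={a['time']}: {a['ip']} moved from {a['expected_mac']} to {a['seen_mac']}")
    print("MACs claiming several IPs:", suspects)
```

A legitimate DHCP reassignment also flips a binding, so in practice the first-seen table is refreshed from the DHCP lease database rather than trusted forever.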
Preventive Controls
Preventive controls are the first controls met by the adversary. Preventive controls try to prevent
security violations and enforce access control. Like other controls, preventive controls may be
physical, administrative or technical: doors, security procedures and authentication requirements
are examples of physical, administrative and technical preventive controls, respectively.
Detective Controls
Detective controls are in place to detect security violations and alert the defenders. They come
into play when preventive controls have failed or have been circumvented and are no less crucial
than preventive controls. Detective controls include cryptographic checksums, file integrity
checkers, audit trails and logs, and similar mechanisms.
Corrective Controls
Corrective controls try to correct the situation after a security violation has occurred.
Although a violation occurred, not all is lost, so it makes sense to try and fix the situation.
Corrective controls vary widely, depending on the area being targeted, and they may be technical
or administrative in nature.
Deterrent Controls
Deterrent controls are intended to discourage potential attackers and send the message that it is
better not to attack, but even if you decide to attack we are able to defend ourselves. Examples
of deterrent controls include notices of monitoring and logging as well as the visible practice of
sound information security management.
Recovery Controls
Recovery controls are somewhat like corrective controls, but they are applied in more serious
situations to recover from security violations and restore information and information processing
resources. Recovery controls may include disaster recovery and business continuity mechanisms,
backup systems and data, emergency key management arrangements, and similar controls.
Compensating Controls
Compensating controls are intended to be alternative arrangements for other controls when the
original controls have failed or cannot be used. When a second set of controls addresses the same
threats that are addressed by another set of controls, the second set of controls are compensating
controls.
The discretionary access control (DAC) model is the most widely used of the three models. In the
DAC model, the owner (creator) of information has the discretion to decide about and set access
control restrictions on the object in question, which may, for example, be a file or a directory.
The advantage of DAC is its flexibility: users may decide who can access information and what they
can do with it (read, write, delete, rename, execute, and so on). At the same time, this
flexibility is also a disadvantage of DAC, because users may make wrong decisions regarding
access control restrictions or maliciously set insecure or inappropriate permissions.
Nevertheless, the DAC model remains the model of choice for the absolute majority of operating
systems today, including Solaris.
MAC-based systems use data classification levels (such as public, confidential, secret and top
secret) and security clearance labels corresponding to data classification levels to decide, in
accordance with the security policy set by the system administrator, what access control
restrictions to enforce. Additionally, per-group and/or per-domain access control restrictions may
be imposed; that is, in addition to having the required security clearance level, subjects (users
or applications) must also belong to the appropriate group or domain. For example, a file with a
confidential label belonging only to the research group may not be accessed by a user from the
marketing group, even if that user has a security clearance level higher than confidential (for
example, secret or top secret). This concept is known as compartmentalization or need to know.
Although MAC-based systems, when used appropriately, are thought to be more secure than DAC-based
systems, they are also much more difficult to use and administer because of the additional
restrictions and limitations imposed by the operating system. MAC-based systems are typically used
in government, military and financial environments, where higher than usual security is required
and where the added complexity and costs are tolerated. MAC is implemented in Trusted Solaris, a
version of the Solaris operating environment intended for high-security environments.
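The difference between the two models is easiest to see as two decision functions: under DAC the owner's ACL is the whole rule, under MAC the system applies the clearance and compartment checks whatever the users want. The following is an added toy model (not part of the original text, and not how any real operating system implements labels); the users, groups and labels are constructed, with the marketing user from the text's own example.

```python
from dataclasses import dataclass, field

# Classification / clearance ordering used by the MAC check.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str
    groups: set = field(default_factory=set)


@dataclass
class DacObject:
    """DAC: the owner decides. The ACL holds exactly the permissions the owner chose to grant."""
    owner: str
    acl: dict = field(default_factory=dict)  # user name -> set of permissions

    def allowed(self, subject, perm):
        return subject.name == self.owner or perm in self.acl.get(subject.name, set())


@dataclass
class MacObject:
    """MAC: the system decides. Clearance must dominate the label AND the subject must belong
    to the object's compartment (need to know); no user can relax either rule."""
    classification: str
    compartment: str

    def allowed(self, subject):
        dominates = LEVELS[subject.clearance] >= LEVELS[self.classification]
        need_to_know = self.compartment in subject.groups
        return dominates and need_to_know


def demo():
    """Constructed users and objects; returns every decision so they can be inspected or tested."""
    alice = Subject("alice", "confidential", {"research"})
    bob = Subject("bob", "top secret", {"marketing"})
    carol = Subject("carol", "public", {"research"})

    # DAC: alice owns a file and grants bob read only. Nothing stops her granting too much.
    notes = DacObject(owner="alice", acl={"bob": {"read"}})
    # MAC: a confidential file in the research compartment, as in the text's example.
    report = MacObject(classification="confidential", compartment="research")

    return {
        "dac_alice_write": notes.allowed(alice, "write"),  # owner: True
        "dac_bob_read": notes.allowed(bob, "read"),        # granted by owner: True
        "dac_bob_write": notes.allowed(bob, "write"),      # never granted: False
        "mac_alice": report.allowed(alice),  # clearance sufficient, right compartment: True
        "mac_bob": report.allowed(bob),      # top secret but marketing: False (need to know)
        "mac_carol": report.allowed(carol),  # research but only public clearance: False
    }
```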
A further distinction should be made between centralized and decentralized (distributed) access
control models. In environments with centralized access control, a single, central entity makes
access control decisions and manages the access control system, whereas in distributed access
control environments these decisions are made and enforced in a decentralized manner. Both
approaches have their pros and cons, and it is generally inappropriate to say that one is better
than the other. The selection of a particular access control approach should be made only after
careful consideration of an organization's requirements and associated risks.
Security Vulnerability Management
A vulnerability can occur anywhere in the IT environment and can be the result of many different
root causes. Security vulnerability management solutions gather comprehensive endpoint and network
intelligence and apply advanced analytics to identify and prioritize the vulnerabilities that pose
the most risk to critical systems. The result is actionable data that enables IT security teams to
focus on the tasks that will most quickly and effectively reduce overall network risk with the
fewest possible resources.
Persistent Threats
Attacks exploiting security vulnerabilities for financial gain and criminal agendas continue to
dominate headlines.
Regulation
Many government and industry regulations mandate rigorous vulnerability management practices.
Risk Management
Mature organizations treat vulnerability management as a key risk management component.
Organizations that follow mature IT security principles understand the importance of risk
management. Properly planned and implemented threat and vulnerability management programs
represent a key element in an organization's information security program, providing an approach
to risk and threat mitigation that is proactive and business-aligned, not just reactive and
technology-focused.
Vulnerability Assessment
Includes assessing the environment for known vulnerabilities and assessing IT components against
the security configuration policies (by device role) that have been defined for the environment.
This is accomplished through scheduled vulnerability and configuration assessments of the
environment.
Network-based vulnerability assessment (VA) has been the primary method employed to baseline
networks, servers and hosts. The primary strength of VA is breadth of coverage. Thorough and
accurate vulnerability assessments can be accomplished for managed systems via credentialed
access. Unmanaged systems can be discovered and a basic assessment can be completed. The ability to
evaluate databases and web applications for security weaknesses is crucial, considering the rise
of attacks that target these components.
Database scanners check database configuration and properties to verify whether they comply with
database security best practices. Web application scanners test an application's logic for abuse
cases that can break or exploit the application. Additional tools can be leveraged to perform more
in-depth testing and analysis. All three scanning technologies (network, application and database)
assess a different class of security weaknesses, and most organizations need to implement all
three.
Risk Assessment
Larger issues should be expressed in the language of risk (e.g., ISO 27005), specifically
expressing impact in terms of business impact. The business case for any remedial action should
incorporate considerations relating to the reduction of risk and compliance with policy. This
forms the basis of the action to be agreed on between the relevant line of business and the
security team.
Risk Analysis
Fixing the issue may involve acceptance of the risk, shifting the risk to another party or reducing
the risk by applying remedial action, which could be anything from a configuration change to
implementing new infrastructure (e.g., data loss prevention, firewalls, host intrusion prevention
software).
Elimination of the root cause of security weaknesses may require changes to user administration
and system provisioning processes. Many processes and often several teams may come into play
(e.g., configuration management, change management, patch management). Monitoring and incident
management processes are also required to maintain the environment.
For more details on threat and risk assessment best practices see the blogs Risk-Aware Security
Architecture and Risk Assessment and Roadmap.
Remediation Planning
Prioritization
Vulnerability and security configuration assessments typically generate very long remediation work
lists, and this remediation work needs to be prioritized. When organizations initially implement
vulnerability assessment and security configuration baselines, they typically discover that a
large number of systems contain multiple vulnerabilities and security configuration errors. There
is typically more mitigation work to do than the resources available to accomplish it.
It is important to analyze security and vulnerability assessments in order to determine the root
cause. In many cases, the root cause of a set of vulnerabilities lies within the provisioning,
administration and maintenance processes of IT operations or within the development or procurement
processes of applications.
Elimination of the root cause of security weaknesses may require changes to user administration
and system provisioning processes. What makes a good root-cause analysis? An RCA is an analysis of
a failure to determine the first (or root) failure that caused the ultimate condition in which the
system finds itself; for example, in an application crash one should be thinking, why did it crash
this way?
A security analyst's job in performing an RCA is to keep asking the inquisitive "Why?" until they
run out of room for questions, and then they are faced with the problem at the root of the
situation.
Example: an application that had its database pilfered by hackers, where the ultimate failure the
analyst may be investigating is the exfiltration of consumer private data, but SQL injection isn't
what caused the failure. Why did the SQL injection happen? Was the root of the problem that the
developer responsible simply didn't follow the corporate policy for building SQL queries? Or was
the issue a failure to implement something like the OWASP ESAPI (the OWASP Enterprise Security API
is a free, open source web application security control library that makes it easier for
programmers to write lower-risk applications) in the appropriate manner? Or maybe the cause was a
vulnerable piece of open-source code that was incorporated into the corporate application without
passing through the full source code lifecycle process?
Your job when you're performing an RCA is to figure this out. Root cause analysis is super-critical
in the software security world. A number of automated solutions are also available for various
types of RCA, for example HP's web application security testing technology, which can link XSS
issues to a single line of code in the application input handler.
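The RCA example above turns on one concrete defect: a SQL query assembled from user input instead of the parameterized form that a query-building policy or a library such as ESAPI would require. The following is an added example (not part of the original text) showing the two side by side against an in-memory SQLite table with constructed rows, so the analyst can see why the first leaks every record and the second does not.

```python
import sqlite3


def make_db():
    """In-memory database with constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "a@example.com", "000-00-0001"),  # constructed data
        (2, "b@example.com", "000-00-0002"),
    ])
    return conn


def lookup_vulnerable(conn, email):
    """Defect the RCA is looking for: the input is spliced into the SQL text, so a value that
    contains a quote character changes the meaning of the query instead of being compared."""
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Fix: the driver binds the value as data; it is never parsed as SQL, whatever it contains."""
    return conn.execute("SELECT id, email FROM customers WHERE email = ?", (email,)).fetchall()


# Constructed input containing a quote, the kind of value the vulnerable query mis-parses.
CRAFTED = "x' OR '1'='1"


def demo():
    """Run both lookups against the same data and return the row counts each one yields."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, CRAFTED)),        # every customer: 2
        "parameterized_rows": len(lookup_parameterized(conn, CRAFTED)),  # no such email: 0
        "normal_rows": len(lookup_parameterized(conn, "a@example.com")),  # the one match: 1
    }


if __name__ == "__main__":
    print(demo())
```

In the RCA the interesting question is not the one function but why the first form reached production: a missing policy, an unused library, or a code path that skipped review.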