A presentation by: BK Mondal, Director, STQC IT Services, Kolkata

Information Security - Product & System Assurance

Date: 26-27 August 2008
Venue: Hotel Katriya, Hyderabad

• At the core of Information Security is the protection of information assets through the mitigation of vulnerabilities.
• Vulnerabilities can be found in people (e.g. social engineering), process (e.g. lack of change management) and technology (e.g. buffer overflows).
• Technical Vulnerability Management tends to focus on technology.
STQC IT Services, ERTL(E), Block-DN, Sector-V, Salt Lake, Kolkata-700091 2
A.12.6 Technical Vulnerability Management

Objective:
To reduce risks resulting from exploitation of published technical vulnerabilities.

A.12.6.1 Control of technical vulnerabilities

Control:
Timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.



• Security Efficiency
  • Minimise the time and costs to deploy secure builds
  • Minimise the effort spent on patching vulnerabilities
• Security Effectiveness
  • Reduce the likelihood of downtime caused by vulnerabilities
  • Demonstrate control by reducing the number of vulnerabilities
• Business Enablement
  • Allow business to continue during malicious code outbreaks
  • Provide auditors, clients and partners with confidence



[Diagram (labels only): CERT / Vendor Advisories, Hardening, Vulnerability Database, Secured Patching System, System/IDS Logs, Security Testing, Incident Reports]



• Penetration Testing is just one part of Vulnerability Management and provides assurance of immunity to potential attacks. It can be internal or external.
• Vulnerability Analysis is done to unearth vulnerabilities, weaknesses and configuration mistakes of the OS, network and applications.
• Application Security Testing is done to discover security bugs in the applications by using software testing techniques.



• Network Scanning
• Vulnerability Scanning
• Password Cracking
• War Dialing
• War Driving



• Network scanning involves using a port scanner to identify all hosts potentially connected to an organization's network, the network services operating on those hosts, such as the file transfer protocol (FTP), and the specific application running the identified service, such as WU-FTPD.
• Network scanning helps to:
  • Check for unauthorized hosts connected to the organization's network,
  • Identify vulnerable services,
  • Identify deviations from the allowed services defined in the organization's security policy,
  • Prepare for penetration testing.
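The last two uses of a scan result (unauthorized hosts, deviations from the allowed-services policy) as a worked example. This is added illustration, not code from the presentation; the scan entries and the policy are constructed sample values standing in for a port scanner's report and the organization's own service policy.

```python
"""Compare a network-scan result against the allowed-services policy.

Added example, not from the presentation. The scan data and policy are
constructed sample values; real input would come from a port scanner's
output (e.g. Nmap's grepable or XML format) and from the security policy."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    host: str
    port: int
    service: str   # e.g. "ftp"
    banner: str    # e.g. "WU-FTPD 2.6.0"


# Constructed scan result, as a port scanner might report it.
SCAN = [
    ScanEntry("10.0.0.5", 22, "ssh", "OpenSSH 4.3"),
    ScanEntry("10.0.0.5", 21, "ftp", "WU-FTPD 2.6.0"),
    ScanEntry("10.0.0.7", 80, "http", "Apache 2.2"),
    ScanEntry("10.0.0.9", 23, "telnet", "Linux telnetd"),
]

# Constructed policy: known hosts and the services each may expose.
POLICY = {
    "10.0.0.5": {"ssh"},
    "10.0.0.7": {"http", "https"},
}


def find_deviations(scan, policy):
    """Return (unauthorized_hosts, disallowed_services) found in the scan.

    unauthorized_hosts: hosts seen on the network but absent from the policy.
    disallowed_services: (host, port, service, banner) tuples for services
    on known hosts that the policy does not permit."""
    unauthorized_hosts = sorted({e.host for e in scan if e.host not in policy})
    disallowed = [
        (e.host, e.port, e.service, e.banner)
        for e in scan
        if e.host in policy and e.service not in policy[e.host]
    ]
    return unauthorized_hosts, disallowed


if __name__ == "__main__":
    hosts, services = find_deviations(SCAN, POLICY)
    for h in hosts:
        print(f"unauthorized host: {h}")
    for h, p, s, b in services:
        print(f"{h}:{p} runs {s} ({b}) but policy does not allow it")
```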



• Vulnerability scanners take the concept of a port scanner to the next level. Like a port scanner, a vulnerability scanner identifies hosts and open ports, but it also provides information on the associated vulnerabilities (as opposed to relying on human interpretation of the results). Most vulnerability scanners also attempt to provide information on mitigating discovered vulnerabilities.
• Vulnerability scanners provide the following capabilities:
  • Identifying active hosts on the network
  • Identifying active and vulnerable services (ports) on hosts
  • Identifying applications with versions and banner grabbing
  • Identifying operating systems with versions
  • Identifying missing patches, hot-fixes, service packs
  • Identifying configuration weaknesses and mistakes
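The "missing patches" capability, and the exposure evaluation that control A.12.6.1 asks for, as a worked example added here (not the presentation's or any scanner's code). The advisory feed and the scanner findings are constructed sample values, and the advisory identifiers are placeholders; a real run would take them from a vulnerability database such as NVD and from the scanner report.

```python
"""Evaluate exposure to published advisories from scanner version data.

Added example, not from the presentation. Both the advisories and the
scanner findings below are constructed sample values; a real run would
take them from a vulnerability database feed (e.g. NVD) and from the
scanner's report."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder id, constructed for the example
    product: str
    fixed_in: tuple       # first version that carries the fix
    severity: str


def parse_version(text):
    """Turn '2.2.3' into (2, 2, 3) so versions compare numerically."""
    return tuple(int(p) for p in text.split("."))


# Constructed advisory feed.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "openssh", parse_version("4.7"), "high"),
    Advisory("ADV-EXAMPLE-2", "apache", parse_version("2.2.9"), "medium"),
    Advisory("ADV-EXAMPLE-3", "wu-ftpd", parse_version("2.6.2"), "critical"),
]

# Constructed scanner findings: (host, product, version string).
FINDINGS = [
    ("10.0.0.5", "openssh", "4.3"),
    ("10.0.0.5", "wu-ftpd", "2.6.0"),
    ("10.0.0.7", "apache", "2.2.9"),
    ("10.0.0.7", "openssh", "5.1"),
]


def missing_patches(findings, advisories):
    """Return [(host, product, version, advisory_id, severity)] for every
    installed version older than the fixed version in an advisory."""
    exposed = []
    for host, product, version in findings:
        v = parse_version(version)
        for adv in advisories:
            if adv.product == product and v < adv.fixed_in:
                exposed.append((host, product, version, adv.advisory_id, adv.severity))
    return exposed


if __name__ == "__main__":
    for host, product, version, adv_id, sev in missing_patches(FINDINGS, ADVISORIES):
        print(f"{host}: {product} {version} missing fix {adv_id} [{sev}]")
```

The list this returns is the organization's exposure; ordering it by severity gives the patching plan its priorities.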



• Password cracking programs can be used to identify weak passwords. Password cracking verifies that users are employing sufficiently strong passwords.
• It helps to:
  • Identify weak passwords
  • Demonstrate password strength or weakness
  • Discover weak password policies
  • Detect lack of user awareness



• War dialing is a process of dialing large blocks of phone numbers to find modems connected to the phone lines.
• In a well-configured network, unauthorized modems are often an overlooked vulnerability.
• These unauthorized modems provide a means to bypass most or all of the security measures in place.
• It is an effective way to identify unauthorized modems.

• Wireless LANs, which may provide attackers the means to bypass firewalls and IDS, are rapidly replacing unauthorized modems as the most popular back door into networks.
• Attackers and other malicious parties now regularly drive around office parks and neighbourhoods with laptops equipped with wireless network cards attempting to connect to open access points. This practice is called war driving.
• War driving is an effective way to identify unauthorized wireless access points.
• As a general guideline, organizations with high risks and threats should test for unauthorized and/or misconfigured wireless LANs regularly.



• Keep your systems up to date against the latest threats through the implementation of a patching plan and a systematic process that includes testing, change control, automated deployment and post-implementation review.
• Rely on compensatory controls such as network- or host-based intrusion detection systems to help mitigate zero-day attacks and provide protection until patches can be tested and rolled out on your own schedule.

• Prevention is better than cure, so reduce your exposed surface area by undertaking the appropriate level of system hardening:
  • e.g. removing unnecessary software, file shares and accounts
  • e.g. disabling unnecessary features of required software
  • e.g. renaming required accounts and establishing strong passwords
  • e.g. installing endpoint security (intrusion detection/prevention)
  • e.g. implementing appropriate access controls
  • e.g. configuring auditing and enabling remote logging



• Receive Computer Emergency Response Team (CERT) and vendor (e.g. Microsoft, Cisco, IBM, Sun, HP) advisories.
• Analyze system logs and IDS alerts and provide feedback to the TVM process.
• The Incident Management Process should record and analyze security incidents and must provide feedback into the TVM process.
• Feed identified weaknesses back to vendors and, when appropriate, into your own application development process.



Area      Vulnerabilities
Network   • Weak architecture, e.g. unsegregated network.
          • Weak policy, e.g. password usage, use of weak protocols like telnet, ftp.
          • Mis-configuration, e.g. mistake in firewall access rules.
          • Remote access without proper authentication, e.g. only password-based single-factor authentication.
          • Uncontrolled use of modems.
          • Unauthorized or mis-configured wireless LAN.
          • Lack of traffic monitoring, e.g. no log analysis, absence of IDS.
OS        • Little or no OS hardening, e.g. default installation.
          • Weak policy, e.g. allowing blank passwords.
          • Mis-configuration.
          • Missing patches.
          • Unnecessary services, unauthorized software.



Area         Vulnerabilities
Application  • Unvalidated parameters
             • Broken access control
             • Broken account and session management
             • Cross-site scripting (XSS) flaws
             • Buffer overflows
             • Command injection flaws
             • Improper error handling
             • Remote administration flaws
             • Web and application server misconfiguration



Security Testing                     Common Tools
Network Scanning                     Nmap, SuperScan, Solarwinds Tools, Dumpsec, LANguard Scanner, Firewalk, hping, Angry IP Scanner
Vulnerability Scanning               Nessus, Retina, ISS, MBSA
Password Cracking                    L0phtCrack (LC), John The Ripper, Cain and Abel
War Dialing                          THC, ToneLoc, PhoneSweep, TeleSweep
Wireless LAN Testing                 Kismet, NetStumbler, AirSnort, WEPCrack
Network Sniffing                     Wireshark (Ethereal), Ettercap, Tcpdump, Dsniff, Snort
Penetration Testing (Exploitation)   Metasploit, Core Impact, Canvas
Application Security Testing         Appscan, N-Stalker, Cenzic Hailstorm, Paros, WebInspect, Acunetix, WebScarab, Nikto

Vulnerability Databases
• CVE - Common Vulnerabilities and Exposures: http://cve.mitre.org/
• Open Source - Open Source Vulnerability Database (OSVDB): http://osvdb.org/
• US National Institute of Standards and Technology (NIST) - National Vulnerability Database (NVD): http://nvd.nist.gov/
• SecurityFocus - Vulnerabilities: http://www.securityfocus.com/vulnerabilities
• SecurityFocus - BugTraq: http://www.securityfocus.com/archive/1

Hardening Standards
• Centre for Internet Security (CIS) - Benchmark Standards: http://www.cisecurity.org/
• US National Security Agency (NSA) - Security Configuration Guidelines (SNAC): http://www.nsa.gov/SNAC/
• Microsoft - Security and Compliance Solution Accelerators: https://partner.microsoft.com/40011132
• SANS - Cisco Router Hardening: http://www.sans.org/reading_room/whitepapers/firewalls/794.php

Computer Emergency Response Teams
• Carnegie Mellon University (CERT): http://www.cert.org/
• United States Emergency Readiness Team (US-CERT): http://www.us-cert.gov/
• United Kingdom Computer Emergency Response Team (UKCERT): http://www.ukcert.org.uk/
• Australian Computer Emergency Response Team (AUSCERT): http://www.auscert.org.au/
• Indian Computer Emergency Response Team (CERT-In): http://cert-in.org.in/
• Forum for Incident Response and Security Teams (FIRST): http://www.first.org

Thank You

