
Chapter 7: Security Assessment, Analysis, and Assurance

Guide to Computer Network Security

Security Assessment, Analysis, and Assurance

The rapid development in both computer and telecommunication technologies has resulted in massive interconnectivity and interoperability of systems.
The bigger the networks, the bigger the security problems involving system resources on these networks. Many companies, businesses, and institutions whose systems work in coordination and collaboration with other systems, sharing each other's resources and communicating with each other, face a constant security threat to these systems, yet the collaboration must go on.

Kizza - Guide to Computer Network Security

For security assurance of networked systems, such risks must be assessed to determine the adequacy of existing security measures and safeguards and also to determine whether improvement in the existing measures is needed.
The security assessment process consists of a comprehensive and continuous analysis of the security threat risk to the system. It involves auditing the system, assessing the vulnerabilities of the system, and maintaining a credible security policy and a vigorous regime for the installation of patches and security updates.
In addition, there must also be a standard process to minimize the risks associated with non-standard security implementations across shared infrastructures and end systems.


The process to achieve all these and more consists of several tasks, including:
A security policy
Security requirements specification
Threat identification and analysis
Vulnerability assessment
Security certification
Monitoring of vulnerabilities and auditing


Vulnerability Assessment lets you:
Understand the state of vulnerability within your network.
Better evaluate the risks from new vulnerabilities.
Learn about new fixes and work-arounds from a single source.
Avoid unplanned downtime and lost productivity.
Minimize the costs that are associated with security incidents.

Vulnerability Assessment Techniques

Active Assessments
Any use of a network scanner to find hosts, services and vulnerabilities is a form of active assessment. Whether the scan sends one ICMP packet or a full-fledged DoS attack, any assessment that involves placing packets on the wire to interrogate a host for unknown services or vulnerabilities is an active assessment.
Many network scanners have controls on how aggressively they pursue their interrogation of the network and the servers they encounter. For example, Nessus (http://www.nessus.org) has a concept of "safe checks" which causes it to be less intrusive when performing security audits of network services.
Other commercial scanners have a similar mode which is deceptively called passive scanning.

Passive Assessments
Sniffing network traffic to deduce a list of active systems, active services, active applications and even active vulnerabilities is referred to as a passive assessment.
Passive assessment is a continuous effort: the sniffer performing the analysis can see the network 24x7. An active assessment, by contrast, is really a picture of the network at a point in time. Passive assessments offer a more accurate listing of who is actually using the network.
There are a lot of gotchas with passive assessment. For example, how does one know whether an IP address is active or not? Consider a DHCP network (Dynamic Host Configuration Protocol, a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway). Through the course of a week, many hosts will boot up and receive an IP each day. If a host gets a different IP each day, by the end of the week it will look like many hosts are active on the network.
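The DHCP gotcha worked through in code. This is an added example, not from the book: it takes a set of constructed sniffer sightings (timestamp, MAC, IP, port) and shows how counting by IP address inflates the host count while counting by MAC does not, and how a purely passive sensor can only infer "inactive" from silence longer than a lease period.

```python
"""Passive-assessment host counting under DHCP churn (added example).

Counting distinct IP addresses seen over a week overstates the number of
hosts when leases change daily; counting by MAC address does not.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sightings as a passive sniffer might record them:
# (timestamp, source MAC, source IP, destination port).
OBSERVED = [
    ("2024-03-04 09:01", "aa:bb:cc:00:00:01", "10.0.0.21", 443),
    ("2024-03-04 09:02", "aa:bb:cc:00:00:02", "10.0.0.22", 443),
    ("2024-03-05 08:55", "aa:bb:cc:00:00:01", "10.0.0.23", 443),  # new lease
    ("2024-03-05 09:10", "aa:bb:cc:00:00:02", "10.0.0.21", 22),   # IP reused
    ("2024-03-06 09:00", "aa:bb:cc:00:00:01", "10.0.0.24", 443),
    ("2024-03-07 09:05", "aa:bb:cc:00:00:03", "10.0.0.25", 80),
    ("2024-03-08 09:00", "aa:bb:cc:00:00:03", "10.0.0.22", 80),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def count_by_ip(observations):
    """Naive count: every distinct IP address looks like a separate host."""
    return len({ip for _, _, ip, _ in observations})


def count_by_mac(observations):
    """Count hosts by MAC address, which survives DHCP lease changes."""
    return len({mac for _, mac, _, _ in observations})


def ip_history(observations):
    """Ordered list of IPs each MAC held; makes the lease churn visible."""
    history = defaultdict(list)
    for _, mac, ip, _ in sorted(observations, key=lambda o: parse_ts(o[0])):
        if not history[mac] or history[mac][-1] != ip:
            history[mac].append(ip)
    return dict(history)


def currently_active(observations, now, max_idle_hours=24):
    """IPs whose last sighting is within max_idle_hours of `now`.

    An address silent for longer than a lease period is assumed released;
    silence is the only evidence a purely passive sensor has for 'inactive'.
    """
    last_seen = {}
    for ts, _, ip, _ in observations:
        t = parse_ts(ts)
        last_seen[ip] = max(last_seen.get(ip, t), t)
    cutoff = now - timedelta(hours=max_idle_hours)
    return sorted(ip for ip, t in last_seen.items() if t >= cutoff)


if __name__ == "__main__":
    print("hosts by IP :", count_by_ip(OBSERVED))    # inflated by DHCP
    print("hosts by MAC:", count_by_mac(OBSERVED))
    print(ip_history(OBSERVED))
    print(currently_active(OBSERVED, parse_ts("2024-03-08 12:00")))
```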

Host-based audits
Host-based audits are conducted on individual computers. The advantages of host-based assessment are:
Greatly reduced numbers of false positive and false negative reports when compared with network-based products.
Superior scalability over network-based products.
Increased security over agent-less assessments that require administrative privileges.

Network-based audits
Network-based audits are conducted from central locations on the network. The advantages of network-based assessment are:
Immediate network-wide vulnerability information.
Immediate vulnerability information about network resources that cannot install monitoring agents; for example, network routers or firewalls.
Discovery of unknown computers and other resources on the network.
Ability to audit the vulnerability of computers to attacks from inside or outside the network.


Blended Assessments
A blended form of security assessment utilizes a combination of active, passive and host-based techniques. Each method in the combination has several advantages and disadvantages which can be used to offset a variety of technical and political limitations imposed by large enterprise networks.


Additional features
Centralized reporting and management of vulnerabilities.
Comprehensive "health check" of the network is available from a central location with a consistent, automated, repeatable, and on-demand system.
Identifies vulnerabilities in mission critical systems and applications, not just the operating system.
Can be scalable to provide coverage for the entire enterprise that can extend across the Internet.

Design and Implementation of an Enterprise Security Policy
The design of a security policy must take into account the following issues:


Physical Security Controls:
This includes the physical infrastructure, device security and physical access. The physical infrastructure involves appropriate media and the path of physical cabling. Make sure that intruders cannot eavesdrop on the lines; taps can be detected with instruments like a time domain reflectometer for coaxial cable and, for fiber optics, an optical time domain reflectometer that reveals an inserted optical splitter.
The physical cabling topology should ensure the availability of the network to all attached devices. The cabling should be well secured to prevent access to any part of it.

Physical Device Security
The location of the critical network resources is very important. All network resources (network hosts, switches, routers, firewalls, access servers) should be located in very restricted areas. Physical access restrictions and requirements are determined from the results of the risk analysis or physical security surveys.
Environmental safeguards: all of the following are important:
Fire (prevention/protection/detection)
Water
Electric power
Temperature/humidity
Natural disasters
Magnetic fields
Good housekeeping procedures

Logical Security Controls
Create boundaries between network segments:
Control the flow of traffic between different cabled segments (subnets) by using IP-address filters to deny access to specific subnets from non-trusted hosts, based on their IP addresses.
Permit or deny access based on subnet addresses if possible.
But keep in mind that IP addresses are very easy to spoof.
The logical infrastructure of a network depends largely on how a network is logically separated and how traffic is controlled between those subnets.
Routing (layer-3 switching) is how traffic is controlled between subnets:
Determining the optimal routing path
Transporting packets through the subnets
A security plan must include a detailed routing policy. Fully understand the routing protocols used in the corporate environment.

Logical Access Control
Access to equipment and network segments should be restricted to individuals who require access.
Two types of control on access to network resources should be implemented:
Preventive controls uniquely identify every authorized user and deny all others.
Detective controls log and report the activities of users, and also log and report unauthorized users.
Remember the human factor: any security implemented is only as good as its weakest link.


Infrastructure and Data Integrity
Ensure as best as you can that the traffic on your network is valid. Valid traffic may be any of the following:
Supported services, such as those passed by firewalls. Firewalls are essential in the control of traffic. A firewall relies solely on the TCP, UDP, ICMP, and IP headers of individual packets to allow or deny each packet. It may also use TCP and UDP source and destination port numbers.
Unspoofed traffic
Unaltered traffic
Most of the traffic control is based on the following characteristics of the traffic:
Direction
Origin
IP address
Port numbers
Authentication
Application content

Network Services
Choosing what type of network services and protocols the network will use is a daunting job. A few policies to choose from:
Permit all and deny as needed. It is easy to implement: turn on all services and protocols and turn them off selectively as security holes become apparent. It is simple; however, it is prone to attacks.
Deny all mode is generally more secure but more complex to implement.

Security complexity can grow exponentially.

Services most commonly needed include:
SNMP
DNS
NTP
WWW
Telnet
FTP
NNTP
SMTP

To determine which services to filter, follow published guidelines, e.g. from CERT.
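The two service policies side by side, as an added example that is not from the book. It models the header-only packet filter described above (direction, IP protocol, source/destination address, destination port) and evaluates the same packets under a permit-all rule set and a deny-all rule set; the host addresses and rules are constructed for illustration.

```python
"""Header-only packet filter under permit-all versus deny-all policies
(added example). Rules match only what a packet filter sees: direction,
IP protocol, addresses and destination port. Hosts and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str                # "in" (from the Internet) or "out"
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # ICMP has no port


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt):
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules, default, pkt):
    """First matching rule wins; the default policy decides everything else."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


INTERNAL = "10.0.0.0/8"

# Permit-all mode: everything is open except the holes closed so far (telnet).
PERMIT_ALL_RULES = [
    Rule("deny", direction="in", proto="tcp", dst=INTERNAL, dport=23),
]

# Deny-all mode: only the services the Network Operations Group has defined.
DENY_ALL_RULES = [
    Rule("permit", direction="in", proto="tcp", dst="10.0.1.10/32", dport=80),  # WWW
    Rule("permit", direction="in", proto="tcp", dst="10.0.1.20/32", dport=25),  # SMTP
    Rule("permit", direction="in", proto="udp", dst="10.0.1.30/32", dport=53),  # DNS
    Rule("permit", direction="out", src=INTERNAL),
]


def decide(pkt):
    """Verdict for the same packet under (permit-all, deny-all)."""
    return (evaluate(PERMIT_ALL_RULES, "permit", pkt),
            evaluate(DENY_ALL_RULES, "deny", pkt))


if __name__ == "__main__":
    # An SNMP probe from outside passes permit-all until someone notices the
    # hole; deny-all blocks it because nobody ever opened udp/161.
    print(decide(Packet("in", "udp", "198.51.100.9", "10.0.1.30", 161)))
```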

Authenticated Data
To ensure a reasonable amount of data integrity, you should authenticate most of the traffic traversing the network. Traffic specific to the operations of a secure network infrastructure (such as updating of routing tables) should be authenticated.
A checksum protects against the injection of spurious packets from an intruder. Combined with sequence number techniques, a checksum can also protect against replay attacks.
The most security is provided by complete encryption of routing tables. However, encryption has an overhead.
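The checksum-plus-sequence-number idea applied to routing updates, as an added example that is not from the book. A keyed checksum (HMAC-SHA256 under a pre-shared key, a constructed value here) rejects injected or altered updates, and a monotonically increasing sequence number rejects replays of a genuine earlier update; the router names and routes are constructed.

```python
"""Keyed checksum plus sequence numbers for routing-table updates (added
example). The HMAC rejects spurious or altered updates; the sequence number
rejects replays. Key and routes are constructed."""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-pre-shared-key-between-router-A-and-B"


def make_update(seq, routes, key=SHARED_KEY):
    """Sender side: serialize {seq, routes} and attach an HMAC-SHA256 tag."""
    body = json.dumps({"seq": seq, "routes": routes}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Router:
    """Receiver side: verify the tag first, then enforce the sequence window."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = 0
        self.table = {}

    def accept(self, msg):
        expected = hmac.new(self.key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad checksum"      # injected or altered packet
        update = json.loads(msg["body"])
        if update["seq"] <= self.last_seq:
            return "rejected: replay"            # genuine but stale update
        self.last_seq = update["seq"]
        self.table.update(update["routes"])
        return "accepted"


def scenario():
    """A genuine update, an injection, a tamper, a replay, then the next update."""
    r = Router()
    first = make_update(1, {"10.1.0.0/16": "10.0.0.1"})
    results = [r.accept(first)]
    # Spurious packet from a sender that does not hold the shared key.
    forged = make_update(2, {"10.1.0.0/16": "198.51.100.1"}, key=b"wrong-key")
    results.append(r.accept(forged))
    # Genuine packet altered in transit: body changed, original tag kept.
    altered = dict(first)
    altered["body"] = first["body"].replace(b"10.0.0.1", b"10.9.9.9")
    results.append(r.accept(altered))
    # Exact copy of the first update replayed later.
    results.append(r.accept(first))
    second = make_update(2, {"10.2.0.0/16": "10.0.0.2"})
    results.append(r.accept(second))
    return results, r.table


if __name__ == "__main__":
    for line in scenario()[0]:
        print(line)
```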


Common Attack Deterrents
In many cases attacks against a host behind a firewall can be stopped. Develop a policy to insulate internal hosts.
Web servers, FTP servers, and mail servers, even behind a firewall, are among the network service provider resources at most risk, because any host on the inside network can misbehave toward them. You are generally better off putting those exposed service providers on a demilitarized zone (DMZ) network.
Install a honeypot.


The following list provides an example of some items in an infrastructure and data integrity security policy:
Infrastructure Security:
Access to switch LAN ports and router interfaces will be disabled when not in use.
Firewall functionality will be used at all egress access points, i.e. any connection that provides access anywhere outside the Enterprise.
Only necessary network services will be supported. These services will be defined by the Network Operations Group.

Data Integrity:
Software not related to work will not be used on any computer that is part of the network.
All software images and operating systems should use a checksum verification scheme before installation to confirm their integrity.
All routing updates and VLAN updates must be authenticated between sending and receiving devices.

Data Confidentiality
This calls for encryption. The hardest part is to decide which data to encrypt. The decision should be based on the outcome of the Risk Assessment procedure, in which data is classified according to its security sensitivity. Encrypt the data that would be at the greatest risk without encryption. For example, in an enterprise:
All data dealing with employee salary and benefits
All data on product development
All data on sales, etc.
Pay attention to the local Network Address Translation (NAT), a system used to spare network administrators with large pools of hosts from renumbering them when they all come on the Internet.


Policies and Procedures for Staff
These are guidelines to help people working on the network infrastructure.
Secure backup of all network service servers, and of the configurations and images of networking infrastructure equipment, is critical:
Ensure that the system creates backups of all network infrastructure equipment configurations and software images.
Ensure that backups are made of all servers that provide network services.
Ensure that offsite storage of the backups is used, selected for both security and availability.
Encrypt the backups, making sure that there will be a key to decrypt the backups when needed.


Periodically verify the correctness and completeness of the backups.
Keep the original and backup safe. It is important to keep the backup copies in separate and secure locations (recall the World Trade Center backups in Colorado and Utah).
The following are good guidelines:
Key positions must be identified and potential successors should be identified.
Recruiting employees for positions in the implementation and operation of the network infrastructure requires a thorough background check.
All personnel involved in the implementation and support of the network infrastructure must attend a security awareness seminar.
All backups will be stored in a dedicated locked area.

Equipment Certification
All new equipment to be added to the infrastructure should adhere to specified security requirements. Each site of the infrastructure should decide which security features and functionalities are necessary to support the security policy.
The following are good guidelines:
All infrastructure equipment must pass the acquisition certification process before purchase.
All new images and configurations must be modeled in a test facility before deployment.
All major scheduled network outages and interruptions of services must be announced to those to be affected well ahead of time.

Use of Portable Tools
Note that portable tools like laptops always pose some security risks. Develop guidelines for the kinds of data allowed to reside on hard drives of portable tools and how that data should be protected.

Audit Trails
Keep logs of traffic patterns and note any deviations from normal behavior. Such deviations are the first clues to security problems.
The data to be collected in the logs should include the following:
User name
Host name
Source and destination IP addresses
Source and destination port numbers
Timestamp
This collected data should be kept local to the resource until an event is finished, upon which it may be taken to a secure location. Make sure that the paths (channels) from the collection points to the storage location are secure.
Audit data should be among the most secured data, both on location and in backups.
Legal Considerations
Because of the content of the audit trail, a number of legal questions arise that may need attention.
One area of concern is the privacy of the users and of the data content, because it may contain personal information.
A second area of concern is knowledge of intrusive behavior; for example, having knowledge of the intrusive behavior of others, including the organization itself.


Security Awareness Training
Users of computers and computer networks are not usually aware of the security ramifications of certain actions. It is imperative for employees to be made aware of the importance of security through security training.
The training should be provided to all personnel. Training should contain the following:
Types of security
Internal control techniques
Maintenance
Employees with network security responsibilities must also be taught the following:
Security techniques
Methodologies for evaluating threats and vulnerabilities
Selection criteria and implementation of controls
The importance of what is at risk if security is not maintained


Ensure that the following rules are followed before connecting a LAN to the corporate backbone:
Provide documentation on the network infrastructure layout
Provide controlled software downloads
Provide adequate user training
Provide training to personnel in charge of issuing passwords
Social Engineering
Train employees not to believe anyone who calls or emails them asking them to do something that might compromise security. Before giving out any information, they must positively identify whom they are dealing with.


Incident Handling
A security breach is an incident resulting from an external intruder, unintentional damage, an employee testing some new program and inadvertently exploiting a software vulnerability, or a disgruntled employee causing intentional damage.
Build an Incident Response Team
This is a centralized group which is the primary focus when an incident occurs. It is a small core group with the following responsibilities:
Keeping up-to-date with the latest threats and incidents
Being the main point of contact for incident reporting
Notifying others of the incident
Assessing the damage and impact of the incident
Finding out how to avoid further exploitation of the same vulnerability
Recovering from the incident
Core team members must be knowledgeable and well rounded, with the correct mix of technical, communication, and political skills.


Detecting an Incident
When looking for signs of a security breach, focus on the following:
Accounting discrepancies
Data modification and deletion
Users complaining of poor system performance
Atypical traffic patterns
Atypical time of system use
Large numbers of failed login attempts
Detecting anomalies from normal behavior requires having knowledge of normal system functions. Use audit trails to learn the historical behavior of the system.
You must follow certain steps when handling an incident; the goals of those steps are defined by management and legal counsel. But the most fundamental goal is to restore the affected system and to limit the impact and damage. In the worst-case scenario it is better to shut down the system.
It is better to prioritize the actions to be taken during incident handling.


Priorities should correspond to the organization's security policy and they should include the following:
Protecting human life and people's safety
Protecting sensitive and/or classified data
Protecting data that is costly in terms of resources
Preventing damage to systems
Minimizing the disruption of computing resources
It is always important to assess the damage by doing some or all of the following:
Check and analyze all traffic logs for abnormal behavior, especially on network perimeter access points like Internet access or dial-in access.
Verify infrastructure device checksums or operating system checksums on critical servers to see whether operating system software has been compromised.
Verify configuration changes on infrastructure devices and servers to ensure that no one has tampered with them.
Check the sensitive data to see whether it has been accessed or changed.
Check traffic logs for unusually large traffic streams from a single source or streams going to a single destination.
Run a check on the network for any new or unknown devices.
Check passwords on critical systems to ensure that they have not been modified.
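Reviewing an audit trail for three of the incident signs listed above (large numbers of failed logins, atypical time of use, and unusually large traffic streams from a single source), as an added example that is not from the book. The log lines are constructed; their fields follow the audit-trail list from the Audit Trails slide (user, host, source/destination IP and port, timestamp) plus a result and a byte count that the chapter's checks need.

```python
"""Audit-trail review for failed logins, off-hours use and heavy streams
(added example). Every log line below is constructed."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

AUDIT_LOG = """timestamp,user,host,src_ip,src_port,dst_ip,dst_port,result,bytes
2024-03-04 09:00:12,alice,ws-alice,10.0.2.15,51022,10.0.1.10,443,ok,1800
2024-03-04 09:05:40,bob,ws-bob,10.0.2.16,51100,10.0.1.20,25,ok,4200
2024-03-04 02:13:05,-,unknown,198.51.100.7,40001,10.0.1.30,22,fail,300
2024-03-04 02:13:09,-,unknown,198.51.100.7,40002,10.0.1.30,22,fail,300
2024-03-04 02:13:14,-,unknown,198.51.100.7,40003,10.0.1.30,22,fail,300
2024-03-04 02:13:20,-,unknown,198.51.100.7,40004,10.0.1.30,22,fail,300
2024-03-04 02:13:27,-,unknown,198.51.100.7,40005,10.0.1.30,22,fail,300
2024-03-04 10:22:01,carol,ws-carol,10.0.2.40,52001,10.0.1.10,443,ok,2100
2024-03-04 23:40:10,carol,ws-carol,10.0.2.40,52344,203.0.113.9,443,ok,650000
2024-03-04 23:52:48,carol,ws-carol,10.0.2.40,52345,203.0.113.9,443,ok,410000
2024-03-04 14:10:33,bob,ws-bob,10.0.2.16,51210,10.0.1.10,443,fail,300
"""


def parse_log(text):
    """Parse the CSV audit trail into records with typed fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        for k in ("src_port", "dst_port", "bytes"):
            row[k] = int(row[k])
        records.append(row)
    return records


def failed_login_sources(records, threshold=3):
    """Sources with at least `threshold` failed attempts (password guessing)."""
    fails = Counter(r["src_ip"] for r in records if r["result"] == "fail")
    return {ip: n for ip, n in fails.items() if n >= threshold}


def off_hours_activity(records, start_hour=7, end_hour=19):
    """Records outside the business day: atypical time of system use."""
    return [r for r in records
            if not start_hour <= r["timestamp"].hour < end_hour]


def heavy_streams(records, byte_threshold=500_000):
    """Per-source byte totals above the threshold: a single source sending a lot."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src_ip"]] += r["bytes"]
    return {ip: n for ip, n in totals.items() if n >= byte_threshold}


def review(text):
    """One pass over the trail returning the three findings for the IR team."""
    recs = parse_log(text)
    return {"failed_logins": failed_login_sources(recs),
            "off_hours": [(r["timestamp"].isoformat(), r["user"], r["src_ip"])
                          for r in off_hours_activity(recs)],
            "heavy_streams": heavy_streams(recs)}


if __name__ == "__main__":
    for key, finding in review(AUDIT_LOG).items():
        print(key, finding)
```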


Reporting and Alerting Procedures
Establish a systematic approach for reporting incidents and subsequently notifying affected areas.
Essential communication mechanisms include:
A monitored central phone, email, pager, or other quick communication device
Establish clearly who to alert first and who should be on the list of people to alert next.
Decide on how much information to give each member on the list.
Find ways to minimize negative exposure (read RFC 2196 for guidelines on the level of detail to provide), including:
Keeping the technical level of detail low
Working with law enforcement agents to protect evidence
Delegating all handling of the public to in-house PR people
Keeping speculation out of public comments


Responding to the Incident
Control and normalcy must be restored.
If it requires shutting down the system to stop the intruder, do so.
Keep accurate documentation so that it can be used later to analyze causes and effects.
Keep a log book of all activities during the incident.

Recovering from an Incident
Make a post-mortem analysis of what happened, how it happened, and what steps need to be taken to prevent similar incidents in the future.
Develop a formal report with a proper chronological sequence of events to be presented to management.
Make sure not to over-react by turning your system into a fortress.

Strengths and Weaknesses of Assessment Technologies

Active Scanning
Strengths
All active scans can be independent of any network management or system administration information. This makes for a much more honest security audit of any system or network.
Active scans can provide extremely accurate information about what services are running, what hosts are active and whether there are any vulnerabilities present.
Weaknesses
Unfortunately, the information discovered by an active scan may be out of date as soon as the scan is completed.
Many small changes to the network topology, such as the addition of new hosts, will go unnoticed until the next active scan.
To compensate for speed and potential adverse impact, minimize the ports and the vulnerabilities scanned.
Active scans can also generate an excessive amount of firewall and intrusion detection logs.


Passive Scanning
Strengths
The greatest strength of a passive scan is the lack of any impact on the network and the minimal time it takes to find real results.
A passive scanner operates 24x7, and when you want to know what vulnerabilities it has seen, a report can be generated immediately.
Passive scanning also has the advantage of discovering client-side vulnerabilities and vulnerabilities in intranet networks we don't have permission to scan.
Weaknesses
Unfortunately, for a passive scan to work, a detectable host must elicit or respond to a packet. If a server never communicates on the network, the console will never see it.


Host-based Scanning
Strengths
The greatest strengths that host-based scanning has going for it are speed and accuracy. It takes a few seconds in most cases to complete an audit of all patches for a RedHat or Windows 2000 server if credentials have been provided. This audit uses well-known APIs and patch management tools provided by the underlying operating system.
Weaknesses
The biggest weakness of host-based scanning with many scanners like Nessus and NeWT is that credentials need to be supplied. Often, obtaining these credentials takes time. In many cases, an IT group may not appreciate giving a security group the ability to audit it at any time.
