9-Performing Vulnerability Assessments Dr. John P. Abraham Professor UTPA

What is most valuable in a computer system? Hardware? Software? Data?

Risk Likelihood of losing the data, hardware or software Likelihood of altered data (falsified data) Risk cannot be entirely eliminated. If you are not tolerant to risk you would not be driving the car (probably won’t get out of the bed). Risk Management is a systematic and structured approach to managing the potential for loss. –Asset identification, threat identification, vulnerability appraisal, risk assessment, and risk mitigation.

Asset Identification Data, Hardware, Personnel, Physical assets, Software, etc. Keep record of all. See example on table 9-1. p 305, next slide.

Security+ Guide to Network Security Fundamentals, Third Edition5

Threat Identification A threat agent is any person with the power to carry out a threat against an asset. See common threats on next slide. Threat modeling constructs scenarios of types of threats. Create an attack tree

Security+ Guide to Network Security Fundamentals, Third Edition7

Steps in Risk Management (continued) 8

Vulnerability appraisal Each threat will reveal a vulnerability. But anticipate it. A team composed of diverse members should be responsible for vlunerability appraisal. Vulnerability scanners and penetration testers are tools that are downloadble.

Security+ Guide to Network Security Fundamentals, Third Edition10

Risk Assessment Determining damage that would result from an attack. Assesment from a global perspective of the entire organization down to local. Impact can range from none to catastrophic.

Risk Mitigation Diminish risk –Take proactive steps to reduce risk Transfer risk – make someone else responsible, outside agency, insurance. Accept risk

Security+ Guide to Network Security Fundamentals, Third Edition Steps in Risk Management (continued) 13

Identifying Vulnerabilities Vulnerability scanning –Port scanners – to search the state of a port: open, closed, blocked. TCP connect scanning, SYN scanning, FIN scanning and stealth scans. Network Mappers –Uses ICMP Ping Protocol Analyzers –Sniff each packet to decode and anlyze its contents. Good for network troubleshooting, traffic characterization, and security analysis. General purpose Vulnerability scanners

Security+ Guide to Network Security Fundamentals, Third Edition15 Port Scanners (continued)

Security+ Guide to Network Security Fundamentals, Third Edition16

Security+ Guide to Network Security Fundamentals, Third Edition17

Security+ Guide to Network Security Fundamentals, Third Edition18

Security+ Guide to Network Security Fundamentals, Third Edition19

Vulnerability scanners Range of products that look for vulnerabilities in networks or systems: –Alert when new systems are added to the network –Detect when an application is compromised or subverted –Detect when an internal system begins to port scan other systems –Identify which applications and servers host or transmit sensitive data –Maintain a log of all interactive network sessions –Track all client and server application vulnerabilities –Track with system communicate with other internal systems

Open vulnerability and Assessment Language (OVAL) Designed promote open and publicly available security content. Standardizes the transfer information across different security tools and services. A common language for exchange of information regarding security. XML based.

Password crackers Available free for download Gets a copy of the hashed password file and crack it offline. You can use it to check the strength of your passoword.

Penetration testing