Conducting regular security assessments of the organizational network and computer systems has become a vital part of protecting information-computing assets. Security assessments are a proactive and offensive posture towards information security, as compared to the traditional reactive and defensive stance normally implemented with Access Control Lists (ACLs) and firewalls.
To effectively conduct a security assessment so that it is beneficial to an organization, a proven methodology must be followed so the assessors and assessees are on the same page.
This presentation will evaluate the benefits of credentialed scanning, scanning in a virtual environment, distributed scanning, and vulnerability management.
2. Agenda
About Me
Topic Introduction
The Process
The Best Practices/Challenges
Conclusion
www.SecurityOrb.com
3. About Me
Kellep Charles but you can call me K.C.
Government contractor in the DC area
Served as an adjunct professor
Doctoral Student
Research area:
Human Computer Interaction-Security HCI-Sec
Honeypot & Artificial Neural Networks
Operate SecurityOrb.com
4. Introduction
Security vulnerability assessments have become an imperative part of any organization's computer and network security posture.
Many organizations consist of:
Heterogeneous computing environments
Windows, Mac OS X, Linux/Unix
Multiple applications
Distributed computing
Internet-enabled information access systems
The need to understand the state of an organization's overall information system is more important now than ever.
5. Introduction
Best practices in information security acknowledge that a defense-only approach to securing an enterprise does not suffice and is at times considered inadequate.
Defensive security devices such as firewalls and intrusion detection systems (IDS) are frequently:
Not configured properly
Not capable of locating all the vulnerabilities and threats on the network, especially at the node level
6. Introduction
Performing regular security vulnerability assessments helps bridge that gap.
It allows an organization to take a proactive stance towards protecting its information computing environment.
The bottom-line objective is to safeguard the core intellectual and electronic assets of the organization and to ensure compliance with appropriate regulations.
7. Why Is It So Vital?
Most systems are unpatched
Lazy, overworked or misinformed system administrators
Most compromises are of unpatched systems for which patches or workarounds were available
Some systems cannot be patched (allow for alternate defenses)
Proactive and offensive posture towards security
Compliance
8. Assessment Levels
Basic Security Assessment - The objective of this assessment is to give the responsible party a basic understanding of the security of the business as a whole in three key areas: Administrative, Physical and Technical Safeguards. It is meant to point out possible areas of weakness with a walkthrough of the facility and a Q&A session. It is not an in-depth study, rather a basic first step in protecting information.
In-depth Security Assessment - This is a comprehensive study of the security of your business. We will analyze all policies and procedures, router access lists, firewall configurations and policies, PC and server configurations, and perform a complete website review and a complete mail server review. We will then present the client with a written report of our findings. This type of assessment will give you a thorough understanding of how your company measures up to "Industry Best Practices".
9. Assessment Levels
External Vulnerability Testing - We will test your network from the outside, from a "hacker's point-of-view". We will use the same tools criminals use to try and compromise your network and servers.
Internal Vulnerability Testing - These are the same tools used in the external test. This type of assessment is essential in understanding how and why hackers, viruses and worms spread so quickly through an organization.
10. Assessment Process
To effectively conduct a security assessment so that it is beneficial to an organization, a proven methodology must be followed so the assessors and assessees are on the same page.
Using a proven security assessment methodology supplies a blueprint of events from start to finish that can be examined, tracked and replicated.
Reports constructed from the security assessments provide a snapshot view of information system deficiencies for short-term analysis as well as trending data for long-term evaluation, allowing the organization to understand its vulnerabilities so it can better protect itself from current and future threats.
11. Security Assessment Process
The process includes the following 6 phases:
Pre-Security Assessment Process
Security Assessment In-Brief
Security Assessment Field Work
Security Assessment Report Analysis & Preparation
Security Assessment Out-Brief
Post-Security Assessment Process
12. Security Assessment Process
Pre-Security Assessment Process
The pre-security assessment process entails one of the most important aspects of conducting a security assessment.
Obtaining an engagement letter grants the assessment team the authority to commence with the formal processes of creating documentation to support the security assessment, permission for the onsite visit, and the overall authority to conduct the security assessment.
13. Security Assessment Process
Security Assessment In-Brief
Once the team has arrived at the assessment location, a security assessment in-brief is required. In the in-brief, both the security assessment team and the organizational staff members will introduce themselves and the roles they will have during the security assessment process.
14. Security Assessment Process
Security Assessment Field Work (Scanning, Interviews, Walkthrough and Document Review)
Once the in-brief has been reviewed, discussed, completed and agreed upon, the security assessment fieldwork can commence. The security assessment fieldwork process consists of conducting vulnerability scans, a facility walkthrough, manual system checks, staff interviews and various document reviews.
15. Security Assessment Process
Security Assessment Report Analysis & Preparation
Towards the end of the security assessment, once all of the fieldwork has been completed, the security assessment team will review and process the information in preparation for the final report. During this phase, the team will address any false positives and document any variances and findings that will be included in the final report.
18. Security Assessment Process
Security Assessment Out-Brief
The security assessment team will provide recommendations as well.
Contact information will be on the out-brief.
This process should be interactive, with questions taken throughout the security assessment out-brief.
At the end of the out-brief, both parties will sign the pages of the out-brief and discuss what will occur in the post-security assessment process.
20. Security Assessment Process
Post-Security Assessment Process
The post-security assessment process is where the security assessment team securely files all documentation and electronic data pertaining to the organization on which the security assessment was conducted.
In addition, a meeting of all members of the assessment team should be held to review lessons learned and to feed any improvements or noted deficiencies back into the process.
21. Vulnerability Assessment, Penetration Test & Security Audit
A vulnerability assessment is a practice used to identify all potential vulnerabilities that could be exploited in an environment.
The assessment can be used to evaluate physical security, personnel (testing through social engineering and the like), or system and network security.
While a vulnerability assessment's goal is to identify all vulnerabilities in an environment, a penetration test has the goal of "breaking into the network" and only needs to exploit one or two vulnerabilities to actually penetrate the environment.
Penetration testing is also referred to as ethical hacking.
A security audit is basically someone going around with a criteria checklist of things that should be done or in place to ensure that the company is in compliance with its security policy, regulations and legal responsibilities.
22. Credentialed Scans vs. Uncredentialed Scans
Credentialed scanning allows for a much more accurate and thorough picture of the system.
Mechanic and doctor example
Part of vulnerability scanning is to identify missing patches that leave a machine open to compromise.
Test of a Windows 7 system
The results speak for themselves: first scan without credentials, then with credentials. What do you think you will see?
23. Credentialed Scans vs. Uncredentialed Scans
Test of a Windows 7 system
The results speak for themselves: without credentials, the scan identified highs=0; meds=0; lows=1. With credentials: highs=7; meds=8; lows=5.
Guess which one is more accurate.
26. System Hardening
Center for Internet Security (CIS) Benchmarks
Provide standards and metrics that dramatically raise the level of security to ensure the integrity of the public and private Internet-based functions on which society increasingly depends.
Federal Desktop Core Configuration (FDCC)
A list of security settings recommended by the National Institute of Standards and Technology for general-purpose microcomputers that are connected directly to the network of a United States government agency.
Security Technical Implementation Guide (STIG)
DISA's methodology for standardized secure installation and maintenance of computer software and hardware.
Security Content Automation Protocol (SCAP)
A method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.
Some hardened settings may have to be changed to allow credentialed scans.
27. Vulnerability Management
The repeated practice of identifying, classifying, prioritizing, remediating, and mitigating vulnerabilities
Prioritize
Mitigate Vulnerabilities - Ultimately, the root causes of vulnerabilities must be addressed. This is often done via patching vulnerable services, changing vulnerable configurations or making application updates to remove vulnerable code.
Maintain and Monitor - Organizations' computing environments are dynamic and evolve over time, so vulnerability management is an ongoing process rather than a point-in-time event.
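As an added illustration (not the presenter's tooling), the Python below models the cycle on this slide together with two earlier points: the report-analysis phase where analysts strike false positives, and the credentialed vs. uncredentialed Windows 7 comparison. It summarizes findings by severity, drops confirmed false positives, prioritizes what remains, and trends two recurring scans of the same host. Every host, check name and finding is constructed sample data.

```python
"""Toy vulnerability-management tracker (constructed example, not the
presenter's tooling): summarize scan output, weed out confirmed false
positives, prioritize, and trend findings across recurring scans."""
from dataclasses import dataclass

SEVERITY_ORDER = {"high": 3, "medium": 2, "low": 1}

@dataclass(frozen=True)
class Finding:
    host: str
    check: str             # scanner check name (constructed)
    severity: str          # "high" | "medium" | "low"
    patch_available: bool  # a fix or workaround exists

def summarize(findings):
    """Per-severity counts, the highs/meds/lows figure on the slide."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

def prioritize(findings, false_positives, asset_weight):
    """Drop analyst-confirmed false positives, given as (host, check) pairs,
    then rank by severity, asset criticality and whether a patch exists."""
    live = [f for f in findings if (f.host, f.check) not in false_positives]
    return sorted(live, key=lambda f: (-SEVERITY_ORDER[f.severity],
                                       -asset_weight.get(f.host, 1),
                                       not f.patch_available, f.host, f.check))

def trend(previous, current):
    """Compare two recurring scans of the same scope: what was remediated,
    what is new, and what keeps persisting (the long-term trending data)."""
    prev = {(f.host, f.check) for f in previous}
    cur = {(f.host, f.check) for f in current}
    return {"remediated": sorted(prev - cur), "new": sorted(cur - prev),
            "persisting": sorted(prev & cur)}

# Constructed sample data mirroring the Windows 7 test on the slide:
# the uncredentialed scan sees one low; the credentialed scan sees 7/8/5.
UNCRED = [Finding("WIN7-01", "smb-signing-not-required", "low", False)]
CRED = ([Finding("WIN7-01", f"missing-patch-H{i}", "high", True) for i in range(7)]
        + [Finding("WIN7-01", f"weak-config-M{i}", "medium", False) for i in range(8)]
        + [Finding("WIN7-01", f"info-leak-L{i}", "low", True) for i in range(5)])
# Next recurring scan after the patch cycle: highs fixed, one new medium appeared.
NEXT = [f for f in CRED if f.severity != "high"] + [
    Finding("WIN7-01", "new-browser-flaw", "medium", True)]

if __name__ == "__main__":
    print(summarize(UNCRED), summarize(CRED))
    print({k: len(v) for k, v in trend(CRED, NEXT).items()})
```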
29. Other Things to Consider
Virtualization
Cloud Computing
Politics
Recurring Scans
Distributed Scanning
Patch Management
Penetration Testing
30. What Vulnerability Scanning Can’t Do
Find zero-days and malware
Eliminates only the most obvious and known security threats
Can't patch
Determine the difference between false positives and false negatives
31. Conclusion
The art of defending an organizational network takes many approaches to be done successfully.
No one control can assure that the network is safe.
Firewalls are great for prevention, IDS offer the ability for detection, security awareness briefings provide user knowledge, and security assessments assist with a proactive posture towards security.
It also helps prove you've done "due diligence" in performing basic system patches and fixing the well-known problems in case a security breach causes financial, legal or regulatory problems.