Performing a Security Assessment for the Entire IT Infrastructure and Individual Domains

Various tools are used to perform a security assessment. The assessment may target the entire IT infrastructure, a single domain of the IT infrastructure, or anything in between. All assessments should follow a plan and be performed with a disciplined approach. There are different approaches to identify security weaknesses within an organization. Some of the approaches include the following:

  • Network scan—This provides an automated method for discovering host systems on a network. Although a network scan doesn’t necessarily discover all vulnerabilities, it does determine which systems are active on the network and what services they offer or what ports are available. A network scan provides valuable information pertaining to the environment. A network scan can also provide an adversary with a footprint from which he or she can later conduct a more targeted attack. For this reason, network scans are an important part of defining the assessment process and understanding what an attacker might discover and target.

  • Vulnerability scan—This provides the fundamental process for managing vulnerabilities. A vulnerability scan is an automated method for testing a system’s services and applications for known security holes. Most vulnerability scans also provide reports on the identified holes along with additional information for improving security. Unlike a network scan, which looks more broadly for available systems, a vulnerability scan is targeted to specific systems. Vulnerability scans can be conducted across the entire infrastructure or specific components within the individual domains, such as the following:

    • Operating systems

    • Web servers

    • Mail servers

    • Databases

    • File Transfer Protocol (FTP) servers

    • Firewalls

    • Load-balancing servers

    • Switches and hubs

    • Wireless access points

  • Penetration test—A penetration test is most often associated with a security assessment. A penetration test, also known as a pen test, is an active, hands-on assessment that uses methods similar to what a real-world attacker might use. A penetration test goes beyond simply looking for vulnerabilities. When vulnerabilities are identified, a penetration test attempts to actually exploit the vulnerability. The test helps determine how practical or viable specific attacks might be. This includes understanding what the impact might be of a successful attack.

The technical skill set required to conduct a security assessment depends on the scope of the assessment and the types of tools or techniques used. Knowledge of basic security principles and technical fundamentals, such as understanding Transmission Control Protocol/Internet Protocol (TCP/IP), is helpful. TCP/IP is the basic protocol, or language, of modern networks and the Internet.

All three of the preceding methods may be used independently or may be used together as part of the overall plan. It is common, for example, for a network scan to precede a penetration test. Both network scans and vulnerability scans are more easily automated on a regular basis than a penetration test. Penetration tests require more planning and coordination.

There are several popular frameworks for conducting comprehensive security assessments. Three examples are as follows:

  • Open Source Security Testing Methodology Manual (OSSTMM)—A method that takes a scientific approach to security testing, the Open Source Security Testing Methodology Manual (OSSTMM) is made up of five sections called channels, and each channel includes various modules.

  • Information Systems Security Assessment Framework (ISSAF)—A method for evaluating networks, systems, and applications, the Information Systems Security Assessment Framework (ISSAF) is divided into a three-phase approach, which includes a nine-step assessment process.

  • NIST 800-115—A guide to the basic technical testing and examination functions of conducting an information security assessment, NIST 800-115 is composed of seven major sections and several appendixes.

Regardless of the method chosen, each uses similar techniques for conducting a security assessment. The remainder of this section uses the NIST methodology as a guide. NIST breaks the assessment down across three different types of primary techniques:

  • Review techniques

  • Target identification and analysis techniques

  • Target vulnerability validation techniques

Review techniques involve examining the components across the domains of IT infrastructure. Reviewing is a passive process, using noninvasive techniques, and has minimal impact on the systems. Table 6-1 provides examples of specific review techniques, along with the capabilities of the technique and the specific skill set required to use the technique.

TABLE 6-1 Summary of major capabilities of review techniques.

| Technique | Capabilities | Skill Set |
|---|---|---|
| Document review | Examines policies and procedures for accuracy and completeness | General knowledge of information security and information policies |
| Log review | Provides data on system use, changes, and configuration; might reveal potential problems and deviations from policies and standards | Knowledge of log events and ability to interpret log data; ability to use automated logging and log correlation tools |
| Ruleset review | Exposes holes in security controls based on rulesets | Knowledge of ruleset formats; ability to correlate and analyze rulesets from different devices and different vendors |
| Network sniffing | Monitors network traffic to capture information such as active systems, operating systems, communication protocols, and services; exposes unencrypted communications | Knowledge of TCP/IP and networking; ability to interpret and analyze network traffic; ability to deploy and use network-sniffing tools |
| File integrity checking | Identifies changes to important files and can identify unwanted files that might be malicious | General file system knowledge; ability to use file integrity checking tools and interpret the results |
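As an added illustration of the file integrity checking technique listed in Table 6-1 (example code written for this section, not from the text or from any particular tool), the script below hashes every file under a directory into a baseline and then reports which files were modified, added, or removed relative to that baseline. The directory contents it checks are constructed sample data.

```python
import hashlib
import os
import tempfile

def hash_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Map every file under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def compare(baseline, current):
    """Return (modified, added, removed) sets of relative paths.
    Added files matter as much as edits: an unexpected file is the
    'unwanted file that might be malicious' Table 6-1 refers to."""
    modified = {p for p in baseline if p in current and baseline[p] != current[p]}
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    return modified, added, removed

def demo():
    """Run the check on a constructed temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")   # constructed sample content
        with open(os.path.join(etc, "motd"), "w") as f:
            f.write("welcome\n")
        baseline = build_baseline(root)       # snapshot taken at a known-good time
        # Simulate drift: one file edited, one removed, one unexpected file added
        with open(os.path.join(etc, "hosts"), "a") as f:
            f.write("# edited after baseline\n")
        os.remove(os.path.join(etc, "motd"))
        with open(os.path.join(etc, "extra.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", sorted(modified), "added:", sorted(added), "removed:", sorted(removed))
```

In practice the baseline would be stored off-host (or signed), since a baseline that an intruder can rewrite detects nothing.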

After performing a document review, the next step involves the use of target identification and analysis techniques. The goal is to identify active devices along with their available ports and services and look for possible vulnerabilities. The information collected sets the stage for the next step of trying to exploit and validate the vulnerabilities. Table 6-2 provides examples of the techniques involved, along with the capabilities of the technique and the specific skill set required to use the technique.

TABLE 6-2 Summary of major capabilities of target identification and analysis techniques.

| Technique | Capabilities | Skill Set |
|---|---|---|
| Network discovery | Discovers active devices on the network; identifies communication paths and facilitates determination of network architectures | General TCP/IP and networking knowledge; ability to use both passive and active network discovery tools |
| Network port and service identification | Discovers active devices on the network; discovers open ports and associated services/applications | General TCP/IP and networking knowledge; knowledge of ports and protocols; ability to use port-scanning tools; ability to interpret results from tools |
| Vulnerability scanning | Identifies hosts and open ports; identifies known vulnerabilities; provides advice on mitigating discovered vulnerabilities | General TCP/IP and networking knowledge; knowledge of ports, protocols, services, and vulnerabilities; ability to use automated vulnerability-scanning tools and interpret the results |
| Wireless scanning | Identifies unauthorized wireless devices on the network; discovers wireless signals outside an organization; detects potential backdoors and other security violations | General knowledge of computing and wireless transmissions, protocols, services, and architecture; ability to use automated wireless scanning and sniffing tools |

Finally, using the information from the previous phase, potential vulnerabilities are probed further. The techniques shown in Table 6-3 are used to validate each vulnerability by attempting to exploit it.

TABLE 6-3 Summary of major capabilities of target vulnerability validation techniques.

| Technique | Capabilities | Skill Set |
|---|---|---|
| Password cracking | Identifies weak passwords and password settings | Knowledge of secure password composition and how operating systems maintain passwords; ability to use automated cracking tools |
| Penetration testing | Tests security using the same methods and tools that attackers use; verifies vulnerabilities; demonstrates how vulnerabilities can be exploited iteratively to gain access to internal systems | Extensive knowledge of TCP/IP, networking, and operating systems; advanced knowledge of network and system vulnerabilities and exploits; knowledge of techniques to evade security detection |
| Social engineering | Allows testing of user awareness and whether proper procedures are followed | Ability to influence and persuade people; ability to remain calm under pressure |

An organization may use all of the preceding techniques, or only selected ones, as part of an overall security assessment. Additionally, the techniques can be applied across the entire IT infrastructure or focused on specific domains. The choice depends on the objectives of the assessment, which must take into account the available time and resources.
