Chapter 10. Vulnerability and Risk Assessment

This chapter covers the following subjects:

Conducting Risk Assessments: This section covers risk management and assessment. It discusses the differences between qualitative and quantitative risk and describes the methodologies of an important part of risk management—vulnerability management. Also covered are various ways to assess vulnerabilities and how to perform penetration tests.

Assessing Vulnerability with Security Tools: In this section, you learn how to use common network security tools to measure the vulnerability of your computer systems and network devices. These tools include network mappers, vulnerability scanners, protocol analyzers, packet sniffers, and password crackers.

This chapter covers the CompTIA Security+ SY0-201 objectives 4.1, 4.2, and 4.3.

Let’s take it to the next level and talk some serious security. As people, we’re all vulnerable to something. They say that you need to “manage your own healthcare”—our computers are no different. The potential health of your computers and network is based on vulnerabilities. One of the most important tasks of a network security administrator is to find vulnerabilities and either remove them or secure them as much as possible—within acceptable parameters. Vulnerabilities are weaknesses in your computer network design and individual host configuration. Vulnerabilities, such as open ports, unnecessary services, weak passwords, systems that aren’t updated, lack of policy, and so on, are invitations to threats such as malicious attacks. Of course, your computer network can be vulnerable to other types of threats as well, such as environmental or natural threats, but these are covered in more depth in Chapter 14, “Redundancy and Disaster Recovery,” and Chapter 15, “Policies, Procedures, and People.”

Vulnerability assessment is just part of overall risk management. Risk includes computer vulnerabilities, potential dangers, possible hardware and software failure, man hours wasted, and of course, monetary loss. Having a computer network is inherently a risky business, so we need to conduct risk assessments to define what an organization’s risks are and how to reduce those risks.

Foundation Topics: Conducting Risk Assessments

When dealing with computer security, a risk is the possibility of a malicious attack or other threat causing damage or downtime to a computer system. Generally, this is done by exploiting vulnerabilities in a computer system or network. The more vulnerability—the more risk. Smart organizations are extremely interested in managing vulnerabilities, and thereby managing risk. Risk management can be defined as the identification, assessment, and prioritization of risks, and the mitigating and monitoring of those risks. Organizations usually employ one of the four following general strategies when managing a particular risk:

• Transfer the risk to another organization or third party.

• Avoid the risk.

• Reduce the risk.

• Accept some or all of the consequences of a risk.

The ultimate goal of risk management is to reduce all risk to a level acceptable to the organization. It is impossible to remove all risk, but it should be mitigated as much as possible within reason. Usually, budgeting and IT resources will dictate how much risk can be reduced. For example, installing antivirus/firewall software on every client computer is common; most companies will do this. However, installing a high-end, hardware-based firewall at every computer is not common. Although it would probably make for a secure network, the amount of money and administration needed to implement that solution would make it unacceptable. Most organizations are willing to accept the risk of threats exploiting vulnerabilities that would otherwise be mitigated by the use of that type of equipment. IT budgeting is always on the mind of a network security administrator. This concept would be an example of residual risk, which is the risk left over after a security and disaster recovery plan have been implemented. There is always risk, as a company cannot possibly foresee every future event, nor can it secure against every single threat. Senior management as a collective whole is ultimately responsible for deciding how much residual risk there will be in a company’s network. Quite often, no one person will be in charge of this, but it will be decided on as a group.

There are many different types of risks to computers and computer networks. Of course, before you can decide what to do about a particular risk, you need to assess what those risks are.

Risk assessment is the attempt to determine the number of threats or hazards that could occur against your computers and networks in a given period of time. The risks you assess are often already-recognized threats, but a risk assessment can also take into account new types of threats that might emerge. Once risk has been assessed, it can be mitigated up to the point at which the organization accepts any remaining risk. Generally, risk assessments follow a particular order, for example:

Step 1. Identify the organization’s assets.

Step 2. Identify vulnerabilities.

Step 3. Identify threats and threat likelihood.

Step 4. Identify potential monetary impact.

The fourth step is also known as impact assessment. This is when you determine the potential monetary costs related to a threat. See the section “Vulnerability Management” later in this chapter for more information on Steps 2 and 3, including how to mitigate potential threats.

The two most common risk assessment methods are qualitative and quantitative. Let’s discuss these now.

Qualitative Risk Assessment

Qualitative risk assessment assigns relative numeric ratings to the probability of a risk and to the impact it would have on the system or network. Unlike its counterpart, it does not assign monetary values to assets or possible losses. It is the easier, quicker, and cheaper way to assess risk, but it cannot assign asset value or give a total for possible monetary loss.

With this method, ranges can be assigned, for example 1 to 10 or 1 to 100. The higher the number, the higher the probability of risk, or the greater the impact on the system. As a basic example, a computer without antivirus software that is connected to the Internet will most likely have a high probability of risk; it will also most likely have a great impact on the system. We could assign the number 99 as the probability of risk. We are not sure exactly when it will happen but are 99% sure that it will happen at some point. Next, we could assign the number 90 as the impact of the risk. 90 out of 100 implies a heavy impact; probably either the system has crashed or has been rendered unusable at some point. There is a 10% chance that the system will remain usable, but it is unlikely. Finally, we multiply the two numbers together to find out the qualitative risk: 99 × 90 = 8,910. That’s 8,910 out of a possible 10,000, which is a high level of risk. Risk mitigation is when a risk is reduced or eliminated altogether. The way to mitigate risk in this example would be to install antivirus software and verify that it is configured to auto-update. By assigning these types of qualitative values to various risks, we can make comparisons from one risk to another and get a better idea of what needs to be mitigated and what doesn’t.

The main issue with this type of risk assessment is that it is difficult to place an exact value on many types of risks. The type of qualitative system will vary from organization to organization, even from person to person; it is a common source of debate as well. This makes qualitative risk assessments more descriptive than truly measurable. However, by relying on group surveys, company history, and personal experience, you can get a basic idea of the risk involved.

Quantitative Risk Assessment

Quantitative risk assessment measures risk by using exact monetary values. It attempts to give an expected yearly loss in dollars for any given risk. It also defines asset values to servers, routers, and other network equipment.

Three values are used when making quantitative risk calculations:

Single loss expectancy (SLE)—The loss of value in dollars based on a single incident.

Annualized rate of occurrence (ARO)—The number of times per year that the specific incident occurs (or is expected to occur).

Annualized loss expectancy (ALE)—The total loss in dollars per year due to a specific incident. The incident might happen once, or more than once; either way, this number is the total loss in dollars for that particular type of incident. It is computed with the following calculation:

SLE × ARO = ALE

So, for example, suppose you wanted to find out how much an e-commerce web server’s downtime would cost the company per year. We would need some additional information, such as the average web server downtime in minutes and the number of times this occurs per year. We also would need to know the average sale amount in dollars and how many sales are made per minute on this e-commerce web server. This information can be deduced from accounting reports and from further security analysis of the web server, which we discuss later. For now, let’s just say that over the past year our web server failed 7 times. The average downtime for each failure was 45 minutes. That equals a total of 315 minutes of downtime per year, roughly 99.94% uptime. (The more years we can measure, the better our estimate will be.) Now let’s say that this web server processes an average of 10 orders per minute with an average revenue of $35. That means that $350 of revenue comes in per minute. As we mentioned, a single downtime averages 45 minutes, corresponding to a $15,750 loss per occurrence. So, the SLE is $15,750. Ouch! Some salespeople are going to be quite unhappy with your 99.9% uptime! But we’re not done. We want to know the annualized loss expectancy (ALE). This can be calculated by multiplying the SLE ($15,750) by the annualized rate of occurrence (ARO). We said that the web server failed 7 times last year, so the ARO is 7, and SLE × ARO is $15,750 × 7, which equals $110,250 (the ALE). This is shown in Table 10-1.

Table 10-1. Example of Quantitative Risk Assessment


Whoa! Apparently, we need to increase the uptime of our e-commerce web server! Many organizations will demand 99.99% or even 99.999% uptime; 99.999% uptime means that the server can only have about 5 minutes of downtime over the entire course of the year. Of course, to accomplish this we first need to scrutinize our server to see precisely why it fails so often. What exactly are the vulnerabilities of the web server? Which ones were exploited? Which threats exploited those vulnerabilities? By exploring the server’s logs, configurations, and policies, and by using security tools, we can discern exactly why this happens so often. However, this analysis should be done carefully because the server does so much business for the company. We continue this example and show the specific tools you can use in the section “Assessing Vulnerability with Security Tools.”

A technology with no failure history yet cannot be assigned a meaningful ARO, and therefore no specific ALE, so new technologies should be monitored carefully and every failure documented thoroughly. For example, a spreadsheet could be maintained that lists the various technologies your organization uses, their failure history, their SLE, ARO, and ALE, the mitigation techniques you have employed, and when those techniques were implemented.

Table 10-2. Summary of Risk Assessment Types

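The qualitative scoring above (probability × impact on a 1–100 scale) and the quantitative SLE/ARO/ALE calculation of the web server example are small enough to put in one script. The following is an added example, not code from the book; it reproduces the chapter’s numbers (7 failures of 45 minutes, 10 orders per minute at $35) and adds an uptime calculation and a control cost-benefit check. The failover control costing $30,000 per year and cutting failures to one per year is an assumption introduced for illustration.

```python
"""Risk-assessment arithmetic: qualitative ranking and SLE/ARO/ALE (added example)."""
from dataclasses import dataclass

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600; leap years ignored


@dataclass
class QualitativeRisk:
    """A risk rated on the chapter's 1-100 probability and impact scales."""
    name: str
    probability: int
    impact: int

    @property
    def score(self) -> int:
        # Same multiplication the chapter uses: 99 x 90 = 8,910
        return self.probability * self.impact


def rank_qualitative(risks):
    """Order risks so that the one most in need of mitigation comes first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def single_loss_expectancy(avg_downtime_min, orders_per_min, avg_order_usd):
    """SLE: revenue lost during one outage of average length."""
    return avg_downtime_min * orders_per_min * avg_order_usd


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO, where ARO is the number of occurrences per year."""
    return sle * aro


def uptime_percent(failures_per_year, avg_downtime_min):
    """Availability implied by the observed failure history."""
    downtime = failures_per_year * avg_downtime_min
    return 100.0 * (1 - downtime / MINUTES_PER_YEAR)


def allowed_downtime_minutes(uptime_target_pct):
    """Minutes per year an uptime target (e.g. 99.999) leaves for outages."""
    return MINUTES_PER_YEAR * (1 - uptime_target_pct / 100)


def control_value(ale_before, ale_after, annual_control_cost):
    """Net yearly benefit of a control: ALE reduction minus the control's cost.
    A negative result means the control costs more than the risk it removes,
    which is the situation in which an organization accepts the residual risk."""
    return (ale_before - ale_after) - annual_control_cost


if __name__ == "__main__":
    # The chapter's numbers: 7 failures of 45 minutes, 10 orders/minute at $35.
    sle = single_loss_expectancy(45, 10, 35)       # 15,750
    ale = annualized_loss_expectancy(sle, 7)       # 110,250
    print(f"SLE ${sle:,.0f}  ALE ${ale:,.0f}  uptime {uptime_percent(7, 45):.2f}%")
    print(f"99.999% uptime allows {allowed_downtime_minutes(99.999):.2f} min/year")

    # Hypothetical control (assumption, not from the chapter): failover that costs
    # $30,000/year and is expected to cut the failure rate to once per year.
    ale_after = annualized_loss_expectancy(sle, 1)
    print(f"net value of failover: ${control_value(ale, ale_after, 30_000):,.0f}")

    # Qualitative ranking of three constructed risks on the chapter's 1-100 scales.
    for r in rank_qualitative([
        QualitativeRisk("Internet-connected PC without antivirus", 99, 90),
        QualitativeRisk("Guessable password on test VM", 60, 30),
        QualitativeRisk("Unpatched e-commerce web server", 80, 95),
    ]):
        print(f"{r.score:>5}  {r.name}")
```

The control_value function is the bridge between the ALE and the budgeting discussion earlier in the chapter: a control is worth buying when the ALE it removes exceeds what it costs per year, and residual risk is whatever remains after the controls that pass that test are in place.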

Security Analysis Methodologies

To assess risk properly, we must analyze the security of our computers, servers, and network devices. But before making an analysis, the computer, server, or other device should be backed up accordingly. This might require a backup of files, a complete image backup, or a backup of firmware. It all depends on the device in question. When this is done, an analysis can be made. Hosts should be analyzed to discern whether a firewall is in place, what type of configuration is used (or worse, whether the device is using a default configuration), what antimalware software is installed, if any, and what updates have been applied. A list of vulnerabilities should be developed, and a security person should watch for threats that could exploit these vulnerabilities; they might occur naturally, be perpetrated by malicious persons, or be due to user error.

Security analysis can be done in one of two ways: actively or passively.

Active security analysis is when actual hands-on tests are run on the system in question. These tests might require a device to be taken off the network for a short time, or it might cause a loss in productivity. Active scanning is used to find out if ports are open on a specific device, or to find out what IP addresses are in use on the network. A backup of the systems to be analyzed should be accomplished before the scan takes place. Active scanning can be detrimental to systems or the entire network, especially if you are dealing with a mission-critical network that requires close to 100% uptime. In some cases, you can pull systems off the network or run your test on off hours. But in other cases you must rely on passive security analysis.

Passive security analysis is when servers, devices, and networks are not affected by your analyses, scans, and other tests. It could be as simple as using documentation only to test the security of a system. For example, if an organization’s network documentation shows computers, switches, servers, and routers, but no firewall, you have found a vulnerability to the network (a rather large one). Passive security analysis might be required in real-time, mission-critical networks or if you are conducting computer forensics analysis; but even if you are performing a passive security analysis, a backup of the system is normal procedure.

One example of the difference between active and passive is fingerprinting, which is when a security person (or hacker) examines a host’s open ports and protocol behavior to identify the operating system it runs. It is also known as OS fingerprinting or TCP/IP fingerprinting. Active fingerprinting sends probes directly to the target (typically starting with ICMP requests, followed by crafted TCP and UDP packets) and compares the responses against a database of known operating system behaviors. The extra traffic can cause the system to respond slowly to requests from legitimate computers. Passive fingerprinting sends nothing; the scanning host simply sniffs traffic the target already generates and classifies the host from details such as the initial TTL, TCP window size, and TCP option ordering, whenever that traffic happens to pass by. This method is less common in port scanners but puts no additional load on the system being analyzed.

Vulnerability Management

Vulnerability management is the practice of finding and mitigating vulnerabilities in computers and networks, whether they lie in software, in configurations, or in the network design. It consists of analyzing network documentation, testing computers and networks with a variety of security tools, mitigating vulnerabilities, and periodically monitoring for effects and changes. Vulnerability management can be broken down into five steps:


Step 1. Define the desired state of security—An organization might have written policies defining the desired state of security, or you as the network security administrator might have to create those policies. These policies include access control rules, device configurations, network configurations, network documentation, and so on.

Step 2. Create baselines—After the desired state of security is defined, baselines should be taken to assess the current security state of computers, servers, network devices, and the network in general. These baselines are known as vulnerability assessments. The baselines should find as many vulnerabilities as possible. These baselines will be known as premitigation baselines and should be saved for later comparison.

Step 3. Prioritize vulnerabilities—Which vulnerabilities should take precedence? For example, the e-commerce web server we talked about earlier should definitely have a higher priority than a single client computer that does not have antivirus software installed. Prioritize all the vulnerabilities; this creates a list of items that need to be mitigated in order.

Step 4. Mitigate vulnerabilities—Go through the prioritized list and mitigate as many of the vulnerabilities as possible. This depends on the level of acceptable risk your organization will allow.

Step 5. Monitor the environment—When you finish mitigation, monitor the environment and compare the results to the original baseline. Use the new results as the post-mitigation baseline to be compared against future analyses. Because new vulnerabilities are always being discovered, and because company policies may change over time, you should periodically monitor the environment and compare your results to the post-mitigation baseline. Do this any time policies change or the environment changes.
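Steps 2, 3, and 5 are mechanical enough to script once the scan results are in a consistent form. The following is an added example, not the book’s code: the two scan results, the host names, and the asset-criticality and service-severity ratings are all constructed for illustration. It ranks a premitigation baseline (Step 3) and then diffs it against the post-mitigation baseline (Step 5), which is how you notice both what was fixed and what crept in since the last scan.

```python
"""Vulnerability-management steps 2, 3 and 5 (added example): prioritize a
premitigation baseline, then diff it against a post-mitigation baseline."""

# Constructed sample scan results (not real hosts): host -> {(port, service)}.
PREMITIGATION = {
    "web01": {(80, "http"), (443, "https"), (23, "telnet"), (21, "ftp")},
    "dc01": {(88, "kerberos"), (53, "dns"), (389, "ldap"), (445, "smb")},
    "pc17": {(445, "smb"), (135, "msrpc")},
}
POSTMITIGATION = {
    "web01": {(80, "http"), (443, "https")},
    "dc01": {(88, "kerberos"), (389, "ldap"), (445, "smb"), (3389, "rdp")},
    "pc17": {(445, "smb"), (135, "msrpc")},
}

# Assumed 1-10 ratings: how critical each asset is, and how severe exposing each
# unwanted service is. Services absent from SERVICE_SEVERITY are treated as expected.
ASSET_CRITICALITY = {"web01": 10, "dc01": 9, "pc17": 2}
SERVICE_SEVERITY = {"telnet": 9, "ftp": 7, "rdp": 8, "dns": 4}


def prioritize(scan, criticality=ASSET_CRITICALITY, severity=SERVICE_SEVERITY):
    """Step 3: rank findings by asset criticality x service severity, highest first.
    Returns a list of (priority, host, port, service)."""
    ranked = []
    for host, findings in scan.items():
        for port, service in findings:
            sev = severity.get(service, 0)
            if sev:
                ranked.append((criticality.get(host, 1) * sev, host, port, service))
    return sorted(ranked, reverse=True)


def compare_baselines(before, after):
    """Step 5: diff two baselines.
    Returns (mitigated, new); each maps host -> set of (port, service) findings."""
    mitigated, new = {}, {}
    for host in set(before) | set(after):
        b, a = before.get(host, set()), after.get(host, set())
        if b - a:
            mitigated[host] = b - a
        if a - b:
            new[host] = a - b
    return mitigated, new


if __name__ == "__main__":
    print("Premitigation priorities:")
    for pri, host, port, svc in prioritize(PREMITIGATION):
        print(f"  {pri:>3}  {host}:{port}/{svc}")
    fixed, introduced = compare_baselines(PREMITIGATION, POSTMITIGATION)
    print("Mitigated:", fixed)
    print("New since baseline:", introduced)   # RDP appearing on dc01 needs a look
```

The diff is the important part: the post-mitigation baseline is only useful if you compare it, because a service that appears between scans (here RDP on the domain controller) is exactly the kind of change Step 5 exists to catch.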

This five-step process has helped me when managing vulnerabilities for customers. It should be noted again that some organizations already have a defined policy for their desired security level. You might come into a company as an employee or consultant who needs to work within their pre-existing mindset. In other cases, an organization won’t have a policy defined; it might not even know what type of security it needs. Just don’t jump the gun assuming that you need to complete Step 1 from scratch.

The most important parts of vulnerability management are the finding and mitigating of vulnerabilities. Actual tools used to conduct vulnerability assessments include network mappers, port scanners, and other vulnerability scanners, ping scanners, protocol analyzers (also called network sniffers), and password crackers. Vulnerability assessments might discover confidential data or sensitive data that is not properly protected, open ports, weak passwords, default configurations, prior attacks, system failures, and so on. Vulnerability assessments or vulnerability scanning can be taken to the next level by administering a penetration test.

Penetration Testing

Penetration testing is a method of evaluating the security of a system by simulating one or more attacks on that system. One of the differences between regular vulnerability scanning and penetration testing is that vulnerability scanning may be passive or active, whereas penetration testing will be active. Penetration tests can be done blind, as in black box testing, where testers have no knowledge of the computer, infrastructure, or environment that they are testing. This simulates an attack from a person who is unfamiliar with the system. White box testing is the converse, where the tester is provided with complete knowledge of the computer, infrastructure, or environment to be tested. Generally, penetration testing is performed on servers or network devices that will face the Internet publicly. This would be an example of external security testing, in which a test is conducted from outside the organization’s security perimeter. Following are a couple of methodologies for accomplishing penetration testing:

The Open Source Security Testing Methodology Manual (OSSTMM)—This manual and corresponding methodology define the proper way to conduct security testing. It adheres to the scientific method. The manual is freely obtained from ISECOM (link at the end of the chapter).

NIST penetration testing—This is discussed in the document SP 800-115 (link at the end of the chapter). This document and methodology is less thorough than the OSSTMM; however, many organizations find it satisfactory because it comes from an agency of the U.S. government. At times, it refers to the OSSTMM instead of going into more detail.

OVAL

The Open Vulnerability and Assessment Language (OVAL) is a standard, XML-based language for describing how to check the configuration and software state of a system for vulnerabilities, missing patches, and policy compliance, so that a check written once can be evaluated by any OVAL-compatible tool. It is an international standard but is funded by the U.S. Department of Homeland Security. There is a worldwide OVAL community that contributes to the standard, storing OVAL content in several locations, such as the MITRE Corporation (http://oval.mitre.org/). OVAL can be defined in two parts: the OVAL Language and the OVAL Interpreter.

OVAL Language—Three XML schemas act as the framework of OVAL:

1. System testing information (the Definitions schema, which describes what to check for)

2. System state analysis (the System Characteristics schema, which records what was actually found on a system)

3. Assessment results reporting (the Results schema, which reports the outcome of evaluating the definitions against the collected characteristics)

OVAL is not a language like C++ but is an XML schema that defines and describes the XML documents to be created for use with OVAL.

OVAL Interpreter—A free reference implementation that reads OVAL definitions, collects the relevant system characteristics from the host it runs on, and produces OVAL results. Because it validates content against the OVAL schemas, security people can also use it to check that the definitions they write are syntactically correct. There are several downloads associated with the OVAL Interpreter, along with help files and forums.

OVAL has several uses, for example as a way to standardize the distribution of security advisories. Software vendors can publish their vulnerabilities in a standard, machine-readable format, so that OVAL-compatible scanners can immediately test systems for them. By providing an authoring tool, a definitions repository, and a definition evaluator, OVAL lets users produce and consume advisories in that format. Other uses for OVAL include vulnerability assessment, patch management, auditing, threat indicators, and so on.

Some of the entities that use OVAL include Hewlett-Packard, Red Hat Inc., CA Inc., and the U.S. Army CERDEC (Communications-Electronics Research, Development and Engineering Center).

Assessing Vulnerability with Security Tools

Up until now, we have talked about processes, methodologies, and concepts. But without actual security tools, testing, analyzing, and assessing cannot be accomplished. This section delves into the tools you might use in the field today.

Computers and networks are naturally vulnerable. Whether it is an operating system or an appliance installed out of the box, they are inherently insecure. Vulnerabilities could come in the form of backdoors or open ports. They could also be introduced after installation through poor configuration.

To understand what can be affected, network security administrators should possess thorough computer and network documentation, and if they don’t already, they should develop it themselves. Tools such as LAN Surveyor, Network Magic, and Microsoft Visio can help to create proper network documentation. Then, tools such as vulnerability scanners, protocol analyzers, and password crackers should be used to assess the level of vulnerability on a computer network. When vulnerabilities are found, they should be eliminated or reduced as much as possible. Finally, scanning tools should be used again to prove that the vulnerabilities to the computer network have been removed.

You will find that most of the tools described in this section will be used by network security administrators and hackers alike. One uses the tools to find vulnerabilities and mitigate risk. The other uses the tools to exploit those vulnerabilities. However, remember that not all hackers are malevolent. Some are just curious, but they can cause just as much damage and down time as any other hacker.

Network Mapping

Network documentation is an important part of defining the desired state of security. To develop adequate detailed network documentation, network mapping software should be used with network diagramming software. Network mapping is the study of physical and logical connectivity of networks. One example of network mapping software is LAN Surveyor by Solarwinds. This product can map elements on Layers 1–3 of the OSI model, giving you a thorough representation of what is on the network. This type of network scan is not for the “weak of bandwidth.” It should be attempted only during off hours (if there is such a thing nowadays) or, failing that, when the network is at its lowest point of usage. Figure 10-1 shows an example of a test network mapped with LAN Surveyor. It was configured to map the 10.254.254.0 network but can be arranged to analyze a larger network space. You will notice that a computer named Server2003 is listed twice. This could be a possible security issue, or it could mean that the computer is multihomed or has two IP addresses bound to the same network adapter. Either way, it should be verified and possibly fixed during the mitigation phase of vulnerability assessment. This program shows routers, Layer 3 switches, client computers, servers, and virtual machines. It can also export the mapped contents directly to Microsoft Visio, a handy time-saver.

Figure 10-1. LAN Surveyor Network Map


Another example of a network mapping tool is Network Magic, available as a free trial from the Cisco Pure Networks Solutions website. This tool also comes as a full or lite version with various models of routers. You just might have the software in your possession if you have a Linksys or D-Link router. This tool is easy to use and works well in small networks. An example of another test network mapped with Network Magic is shown in Figure 10-2. There are plenty of other free and pay versions of network mapping software. A quick Google search will display a list. Try out different programs, get to know them, and decide what works best for your infrastructure.

Figure 10-2. Network Magic Network Map


Wireless networks can be surveyed in a similar fashion. Applications such as AirMagnet can map out the wireless clients on your network and output the information as you want to aid in your network documentation efforts.

When you are working on your network documentation, certain areas of the network probably will need to be filled in manually. Some devices will be tough to scan, and you will have to rely on your eyes and other network administrators’ knowledge to get a clear picture of the network. Network documentation can be written out or developed with a network diagramming program, such as Microsoft Visio. (A free trial is available at Microsoft’s Office website.) Visio can make all kinds of diagrams and flowcharts that can be a real time-saver and planning tool for network administrators and security people. An example of a network diagram is shown in Figure 10-3. This network diagram was created by mapping a now-defunct network with LAN Surveyor, exporting those results to Visio, and then making some tweaks to the diagram manually. Names and IP addresses (among other things) were changed to protect the innocent. This documentation helped to discover a few weaknesses such as the lack of firewalling and other DMZ issues such as the lack of CIDR notation on the DMZ IP network. Just the act of documenting revealed some other issues with some of the servers on the DMZ, making it much easier to mitigate risk. When the risks were mitigated, the resulting final network documentation acted as a foundation for later security analysis and comparison to future baselines.

Figure 10-3. Network Diagram Created with Microsoft Visio


At times, you might be tempted to put passwords into a network diagram. Don’t do it! If there are too many passwords to memorize, and you need to keep passwords stored somewhere, write them on a piece of paper and lock that paper in a fireproof, nonremovable safe, perhaps offsite. Limit the number of admins who know the combination to the safe. Never keep passwords in plain text on any computer, and never in the network documentation itself; if they must be stored electronically at all, use an encrypted password vault whose access is restricted and logged.

You might also want to keep a list of IP addresses, computer names, and so on. This can be done on paper, within Excel or Access, or can be developed within your network mapping program and exported as you want. I find that Excel works great because you can sort different categories by the column header.

To summarize, network mapping can help in several of the vulnerability assessment phases. Be sure to use network mapping programs and document your network thoroughly. It can aid you when baselining and analyzing your networks and systems.

Vulnerability Scanning

When you are ready to assess the level of vulnerability on the network, it is wise to use a general vulnerability scanner and a port scanner (or two). By scanning all the systems on the network, you can gain much insight as to the risks that you need to mitigate, and malicious activity that might already be going on underneath your nose.

One such vulnerability scanner is called Nessus. Originally developed for UNIX, it is now available for Linux and Windows as well. As of the writing of this book, Nessus 4 is the current version. It is available for home study use for free, but if you use it in the business world, there is a subscription fee. Vulnerability scanners like this one are usually active and can discover vulnerabilities within your network and beyond. Because it is a powerful, active-scanning, high-speed software tool, it should be used cautiously and most likely when there is a lull in network usage or perhaps off-hours.

The tool has a server and a client side. The server side is used to manage users and settings. The client side runs within a browser and is where you do your actual scans. To scan a host or network, you must first create a policy defining what you want to scan for. Then scan according to the policy you created. Again, these types of active scans are resource-intensive, so they take some time to complete. An example of a vulnerability scan with Nessus is shown in Figure 10-4. It shows some open ports on the host 10.254.254.1 and their corresponding services, which may or may not be vulnerabilities. The tool can also check for backdoors, susceptibility to denial-of-service attacks, and many other families of threats. If you suspect that a particular computer is the victim of a malicious attack, this is an excellent tool to use to make that determination. Even if you are not sure, scanning important hosts on the network can help to put your mind at ease or...uncover risks that you must mitigate.

Figure 10-4. Network Vulnerability Scan with Nessus


Other formidable vulnerability scanners include GFI LANguard, ISS Internet Scanner, X-scan, and Sara. Sometimes, these tools are referred to as network scanners if they are used to find open ports within multiple computers on the network or the entire network.

Sometimes, a full-blown vulnerability scanner isn’t necessary. There will be times when you simply want to scan ports or run other basic tests. An example of a good port scanner is Nmap. Although this tool has other functionality in addition to port scanning, it is probably best known for its port scanning capability. Figure 10-5 shows an example of a port scan with Nmap. This shows a scan (using the -sS parameter, a TCP SYN scan) of a computer that runs Kerberos (port 88), DNS (port 53), and web services (port 80), among other things. By using a port scanner like this one, you are effectively taking a fingerprint of the operating system. The port scanner tells you what inbound ports are open on the remote computer and what services are running. From this, you can infer much more, for example what operating system the computer is running, what applications, and so on. In the example in Figure 10-5, you can gather that the scanned computer is a Microsoft domain controller running additional services. So this is an example of OS fingerprinting. (Nmap can also fingerprint the operating system directly, by probing the TCP/IP stack, with its -O option.)

Figure 10-5. Port Scan with Nmap


Open ports should be examined. You should be fully aware of the services or processes that use those ports. If services are unnecessary, they should be stopped and disabled. For example, if this computer was indeed a domain controller but wasn’t supposed to be a DNS server, the DNS service (port 53) should be stopped. Otherwise, the DNS port could act as a vulnerability of the server. Afterward, the computer should be rescanned to ensure that the risk has been mitigated.

Nonessential services are often not configured, monitored, or secured by the network administrator. It is imperative that network administrators scan for nonessential services and close any corresponding ports. Even though services may be nonessential, that doesn’t necessarily mean that they are not in use, maliciously or otherwise.

Another tool that can be used to list the ports in use is the netstat command; for example, netstat, netstat -a, netstat -n, and netstat -an. However, netstat reports only on the local computer. Other port scanners include SuperScan and Angry IP Scanner, among others. Some of these tools can also be used as ping scanners, sending out ICMP echo requests to find the IP addresses in use within a particular network segment.

Network Sniffing

For all intents and purposes, the terms protocol analyzer, packet sniffer, and network sniffer all mean the same thing. Sniffing the network is when you use a tool to find and investigate other computers on the network; the term is often used when capturing packets for later analysis. Protocol analyzers can tell you much more about the traffic that is coming and going to and from a host than a vulnerability scanner or port scanner might. In reality, the program captures Ethernet frames of information directly from the network adapter and displays the packets inside of those frames within a capture window. Each packet is encapsulated inside a frame.

One common example of a protocol analyzer is Wireshark, previously known as Ethereal, which is a free download that can run on a variety of platforms. By default, it captures packets on the local computer that it was installed on. Figure 10-6 shows an example of a packet capture. This capture is centered on frame number 10, which encapsulates an ICMP packet. This particular packet is a ping request sent from the local computer (10.254.254.205) to the remote host (10.254.254.1). Although my local computer can definitely send out pings, it is unknown whether 10.254.254.1 should be replying to those pings. Perhaps there is a desired policy that states that this device (which is actually a router) should not reply to pings. As we learned in Chapter 5, “Network Design Elements and Network Threats,” an ICMP reply can be a vulnerability. Now, if we look at Frame 11 we see it shows an echo reply from 10.254.254.1—not what we want. So, to mitigate this risk and remove the vulnerability, we would turn off ICMP echo replies on the router.

Figure 10-6. Packet Capture with Wireshark


This is just one example of many that we could show with this program. I’ve used this program to find unauthorized FTP, gaming, and P2P traffic among other things! You’d be surprised how often network admins and even regular old users set up these types of servers. It uses up valuable bandwidth and resources, so you can imagine that an organization would want these removed. Not only that, but they can be vulnerabilities as well. By running these services, a person opens up the computer system to a whole new set of threats. By removing these unauthorized servers, we are reducing risk. I know—I’m such a buzzkill. But really now, work is work, and play is play; that’s how companies are going to look at it.
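The frame-inside-packet layering described above, and the echo-reply check from Figure 10-6, as an added example that is not code from the book: a Python script that builds two Ethernet frames (an ICMP echo request from 10.254.254.205 and the router’s echo reply), decodes them layer by layer the way a protocol analyzer does, and flags any echo reply whose source is a device that policy says should not answer pings. The frames are constructed in code, not a real capture, and the MAC addresses and the “router must not reply” policy set are assumptions for the example.

```python
"""Decode ICMP echo traffic from raw Ethernet frames and flag hosts that
answer pings when policy says they should not.

Added example for this chapter, not code from the book. The two frames are
constructed in code (not a real capture) to mirror frames 10 and 11 of
Figure 10-6: an echo request from 10.254.254.205 and the router's reply.
"""
import socket
import struct
from typing import Dict, Iterable, List, Optional, Set, Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP headers.
    Over a header that already carries a correct checksum, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_frame(src_ip: str, dst_ip: str, icmp_type: int,
                     ident: int = 1, seq: int = 1, payload: bytes = b"abcdefgh") -> bytes:
    """Constructed test data: Ethernet II header + IPv4 header + ICMP echo message.
    The MAC addresses are placeholders (locally administered range)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64,
                     IPPROTO_ICMP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = (bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + icmp


def parse_frame(frame: bytes) -> Optional[Dict[str, object]]:
    """Peel the layers the way a protocol analyzer does: the Ethernet frame
    carries an IPv4 packet, which carries the ICMP message."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes (normally 20)
    pkt: Dict[str, object] = {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "proto": ip[9],
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
    }
    if ip[9] == IPPROTO_ICMP:
        pkt["icmp_type"], pkt["icmp_code"] = struct.unpack("!BB", ip[ihl:ihl + 2])
    return pkt


def find_echo_reply_violations(frames: Iterable[bytes],
                               must_not_reply: Set[str]) -> List[Tuple[int, str]]:
    """Return (frame number, source IP) for every echo reply sent by a device
    that policy says should stay silent to pings."""
    violations = []
    for number, frame in enumerate(frames, start=1):
        pkt = parse_frame(frame)
        if pkt and pkt.get("icmp_type") == ICMP_ECHO_REPLY and pkt["src"] in must_not_reply:
            violations.append((number, str(pkt["src"])))
    return violations


# Constructed two-frame "capture": request from the workstation, reply from the router.
CAPTURE = [
    build_icmp_frame("10.254.254.205", "10.254.254.1", ICMP_ECHO_REQUEST),
    build_icmp_frame("10.254.254.1", "10.254.254.205", ICMP_ECHO_REPLY),
]
ROUTERS_THAT_MUST_NOT_REPLY = {"10.254.254.1"}   # the policy assumed in the text

if __name__ == "__main__":
    for number, frame in enumerate(CAPTURE, start=1):
        print(number, parse_frame(frame))
    print("violations:", find_echo_reply_violations(CAPTURE, ROUTERS_THAT_MUST_NOT_REPLY))
```

The second frame is reported as a violation, which is exactly the finding from Figure 10-6; after echo replies are disabled on the router, the same check over a fresh capture should come back empty.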

On the other side of things, malicious users will utilize a protocol analyzer to capture passwords and other confidential information. We discuss software-based protocol analyzers more in Chapter 11, “Monitoring and Auditing.”

Also, hardware-based devices can analyze your networks and hosts; for example, Fluke Networks devices such as the NetTool Inline Network Tester. Handheld computers often have a text-based menu system that can be used to monitor ports, troubleshoot authentication issues, identify network resources and IP addresses, and lots more. The name Fluke is used by some techs even if they use a handheld device by a different vendor; the brand is that well-known.

Password Analysis

Well, we’ve mapped the network, documented it, scanned for vulnerabilities, scanned ports, and analyzed packets. But wait, let’s not forget about passwords. We’ve mentioned more than once in this book that weak passwords are the bane of today’s networks. This could be because no policy for passwords was defined, and people naturally gravitate toward weaker, easier-to-remember passwords. Or it could be that a policy was defined but is not complex enough, or is out of date. Whatever the reason, it would be wise to scan computers and other devices for weak passwords with a password cracker, which uses comparative analysis to break passwords and systematically guesses until it cracks the password. And of course, a variety of password cracking programs can help with this. For Windows computers, there is the well-documented Cain & Abel password recovery tool. This program has a bit of a learning curve but is quite powerful. It can be used to crack all kinds of different passwords on the local system or on remote devices and computers. It sniffs out other hosts on the network the way a protocol analyzer would. This is an excellent tool to find out whether weak passwords are on the network, or to help if users forgot their passwords. Figure 10-7 shows an example of Cain & Abel. You can see hashed passwords (encrypted) that the program has discovered for various accounts on a test computer. From these hashes, the program can attempt to crack the password and deliver the original plaintext version of the password.

Figure 10-7. Password Cracking with Cain & Abel


We talk more about hashes and hashing algorithms in Chapter 12, “Encryption and Hashing Concepts.”

Cain & Abel is a free download, and many other tools are available for various platforms; some free, some not, including John the Ripper, L0phtcrack, THC Hydra, Aircrack (and the older AirSnort), SolarWinds, and RainbowCrack. Some of these tools have additional functionality but are known best as password cracking tools, otherwise referred to as password recovery programs.

The following list shows the various password cracking methods. Password recovery (or cracking) can be done in several different ways:


Guessing—Weak passwords can be guessed by a smart person, especially if the person has knowledge of the user he is trying to exploit. Blank passwords are all too common. And then there are common passwords such as password, admin, secret, love, and many more. If a guessing attacker knew the person and some of the person’s details, he might attempt the person’s username as the password, or someone the person knows, date of birth, and so on. Reversing letters or adding a 1 on to the end of a password are other common methods. Although guessing is not as much of a technical method as the following three options, it reveals many passwords every day all over the world.

Dictionary attack—Uses a pre-arranged list of likely words, trying each of them one at a time. It can be used for cracking passwords, passphrases, and keys. It works best with weak passwords and when targeting multiple systems. The power of the dictionary attack depends on the strength of the dictionary used by the password cracking program.

Brute force attack—When every possible password instance is attempted. This is often a last resort due to the amount of CPU resources it might require. It works best on shorter passwords but can theoretically break any password given enough time and CPU power. For example, a 4-character, lowercase password with no numbers or symbols could be cracked fairly quickly. But a 10-character, complex password will take much longer; some computers will fail to complete the process. Also, you have to consider whether the attack is online or offline. Online means that a connection has been made to the host, giving the password cracking program only a short window to break the password. Offline means that there is no connection and that the password cracking computer knows the target host’s password hash and hashing algorithm, giving the cracking computer more (or unlimited) time to make the attempt.

Cryptanalysis attack—Uses a considerable set of precalculated encrypted passwords located in a lookup table. These tables are known as Rainbow Tables, and the type of password attack is also known as precomputation, where all words in the dictionary (or a specific set of possible passwords) are hashed and stored. This is done in an attempt to recover passwords quicker. It is often used with the RainbowCrack application. This attack can be defeated by implementing salting, which adds a random value to each password before it is hashed, so that a table computed ahead of time no longer matches the stored hashes.
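The precomputation idea and the salting defense from the list above, as an added example that is not code from the book. The script hashes a constructed seven-word list into a lookup table (the precomputation step), shows that an unsalted hash of a weak password is reversed with a single dictionary lookup, and then shows that the same password stored with a random salt and PBKDF2 is not in the table at all, while the defender can still verify it. SHA-256 stands in for whichever password hash a cracking tool targets, and PBKDF2-HMAC-SHA256 is the salted scheme chosen for the defending side; both choices are assumptions for the example.

```python
"""Why salting defeats precomputed (rainbow-table style) lookups.

Added example for this chapter, not code from the book. The word list is a
constructed stand-in for a cracking dictionary, SHA-256 stands in for
whichever password hash is being attacked, and PBKDF2-HMAC-SHA256 is the
salted scheme used on the defending side.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

ITERATIONS = 200_000

# Constructed dictionary: the kind of weak passwords the text lists.
WORDLIST = ["password", "admin", "secret", "love", "test", "test1", "tset"]


def precompute_table(words: Iterable[str], algorithm: str = "sha256") -> Dict[str, str]:
    """The precomputation step: hash every candidate once and store digest -> word,
    so a captured unsalted hash can be reversed with one dictionary lookup."""
    return {hashlib.new(algorithm, w.encode()).hexdigest(): w for w in words}


def hash_unsalted(password: str) -> str:
    """An unsalted hash: the same password always yields the same digest,
    which is exactly what makes a precomputed table useful."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salt and stretch: a random per-user salt is mixed into the hash, so two
    users with the same password get different stored values and no table built
    ahead of time can contain them. Stored format: "<salt hex>$<derived key hex>"."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo(password: str = "test") -> Tuple[Optional[str], Optional[str], bool, bool]:
    """Returns (table lookup of the unsalted hash, table lookup of the salted hash,
    verification with the right password, verification with a wrong password)."""
    table = precompute_table(WORDLIST)
    unsalted_hit = table.get(hash_unsalted(password))        # found: "test"
    stored = hash_salted(password)
    salted_hit = table.get(stored.split("$", 1)[1])          # not found: None
    return (unsalted_hit, salted_hit,
            verify_salted(password, stored), verify_salted(password.upper(), stored))


if __name__ == "__main__":
    print(demo())
```

Salting does not make a weak password strong (a dictionary attack against one salted hash still works); what it removes is the ability to build the table once and reuse it against every captured hash, and the iteration count makes each individual guess more expensive.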

Passwords can also be obtained through viruses and Trojans, wiretapping, keystroke logging, phishing, shoulder surfing, social engineering, and dumpster diving. Yikes! It should go without mentioning that protecting passwords is just as important as creating complex passwords and complex password policies that are periodically monitored and updated. Remember that password policies created on a Windows server will not have jurisdiction where other vendors’ devices are concerned, such as Cisco routers and firewalls or Check Point security devices. These need to be checked individually or by scanning particular network segments.

We could talk about password cracking for days because there are so many types of hashes, hashing algorithms, and password cracking tools and ways to crack the passwords. But for the Security+ exam, a basic understanding of password cracking is enough.

Table 10-3. Summary of Chapter 10 Security Tools


Exam Preparation Tasks: Review Key Topics

Review the most important topics in the chapter, noted with the Key Topics icon in the outer margin of the page. Table 10-4 lists a reference of these key topics and the page numbers on which each is found.


Table 10-4. Key Topics for Chapter 10


Complete Tables and Lists from Memory

Print a copy of Appendix A, “Memory Tables,” (found on the DVD), or at least the section for this chapter, and complete the tables and lists from memory. Appendix B, “Memory Tables Answer Key,” also on the DVD, includes completed tables and lists to check your work.

Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

vulnerability,

risk,

risk management,

residual risk,

risk assessment,

qualitative risk assessment,

quantitative risk assessment,

risk mitigation,

vulnerability management,

vulnerability assessment,

penetration testing,

Open Vulnerability and Assessment Language (OVAL),

network mapping,

vulnerability scanning,

port scanner,

protocol analyzer,

password cracker,

dictionary attack,

brute force attack,

cryptanalysis attack,

Rainbow Tables,

salting

Hands-On Labs

Complete the following written step-by-step scenarios. After you finish (or if you do not have adequate equipment to complete the scenario), watch the corresponding video solutions on the DVD.

If you have additional questions, feel free to post them at my website: www.davidlprowse.com in the Ask Dave forum. (Free registration is required to post on the website.)

Equipment Needed

A Windows client computer to run tests with the following security software:

• LAN Surveyor: Trial download: www.solarwinds.com/products/lansurveyor/

• Nessus: Free download: www.nessus.org/nessus/

• Cain and Abel: Free download: www.oxid.it/cain.html

• A Windows Server (2003 or 2008 preferred) that runs at least one network service such as DNS, DHCP, and so on.

• Several other computer and network devices on the same network segment. Exactly what these are isn’t important. These will be used for default mapping and scanning purposes.

Lab 10-1: Mapping and Scanning the Network

In this lab, you map your network with LAN Surveyor and then scan devices on the network with Nessus. The steps are as follows:

Step 1. Download, install, and run LAN Surveyor.

Step 2. Click File and select New. LAN Surveyor should automatically detect your network segment.

Step 3. Click OK to scan for hosts on the network. This takes a few minutes to locate and map all the computers and other devices on the network.

Step 4. Examine the hosts on your network. Define which host you want to analyze with Nessus. In the video, we use a 4-port SOHO router as the device to scan.

Step 5. Download, install, and run Nessus. You need to run the server side first and add users by clicking the Manage Users button. Then run the client (which runs in a browser) and log in.

Step 6. Click Policies and create a new scanning policy. Make sure that TCP Scan and Ping Host are selected. Click Next and complete creating the scan.

Step 7. Create a new scan:

A. Click Scans.

B. Click Add.

C. Name the scan.

D. Add the IP address of the host you want to scan into the Scan Targets field.

E. Click Launch.

Let the scan complete; it takes a few minutes.

Step 8. Double-click the scan name, and then double-click the IP address of the host scanned. Examine the open ports and associated vulnerabilities.

Step 9. In the video, we shut down DHCP on the SOHO 4-port router. If there are other threats that you find, disable or shut them down now.

Step 10. Rescan the original host and verify that the vulnerabilities have been mitigated.

Watch the solution video in the “Hands-On Scenarios” section of the DVD.

Lab 10-2: Password Cracking and Defense

In this lab, you crack a basic password on a Windows computer and then run through a couple of the precautions that can be taken to reduce the risk of passwords being cracked on your computers and network. For this lab, we use Windows Vista as the example target computer.

Be sure to run this lab on a test computer!

The steps are as follows:

Pre-lab procedure:

Step 1. Change the password policy so that you can have a noncomplex, 4-character password. See Lab 9-1 in Chapter 9 for details on how to configure the password policy.

Step 2. Change the Administrator password to a blank password.

Step 3. Select another account and change the password to test.

Continue with the lab:

Step 1. Download, install, and run Cain and Abel.

Step 2. Click the Cracker tab.

Step 3. Select LM & NTLM Hashes.

Step 4. Click the + sign on the toolbar.

Step 5. In the Add NT Hashes from dialog box, leave the default values, and click Next.

This should display the accounts on the system. Note that the Administrator account displays *empty* in both the LM Password and NT Password columns. This is because you changed it to blank previously.

Step 6. Examine the account that you set up with the test password. We will attempt to crack this password.

Step 7. Right-click the account, and select Brute-Force Attack > NTLM Hashes.

Step 8. Modify the Max password length to 4.

Step 9. Click Start. This should deduce the password test in a few seconds or less.

Step 10. To mitigate this, do the following:

A. Assign a tougher policy in Windows. Make sure that complexity requirements are turned on and that the minimum password length is set to 8 characters or more.

B. Assign a complex password to the account using the test password.

C. Assign a complex password to the Administrator account.

D. Consider giving the Guest account a complex password also.

Watch the solution video in the “Hands-On Scenarios” section of the DVD.

View Recommended Resources

• ISO 31000: “Risk Management—Principles and Guidelines”: www.iso.org/iso/catalogue_detail.htm?csnumber=43170

• OSSTMM download: www.isecom.org/osstmm/

• NIST Special Publication 800-115: “Technical Guide to Information Security Testing and Assessment”: http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

• Link to all NIST Special Publication 800 Series documents (SP800): http://csrc.nist.gov/publications/PubsSPs.html

• Open Vulnerability and Assessment Language repository website: http://oval.mitre.org/

• OVAL download: http://oval.mitre.org/language/version5.7/

• LAN Surveyor trial download: www.solarwinds.com/products/lansurveyor/

• Cisco—Network Magic trial: www.purenetworks.com/download/

• Microsoft Visio trial: http://office.microsoft.com/en-us/visio/

• Nessus Network Vulnerability Scanner: www.nessus.org/nessus/

• Nmap: http://nmap.org/download.html

• Superscan: www.foundstone.com/us/resources/proddesc/superscan.htm

• Angry IP Scanner: www.angryip.org/w/Home

• Wireshark Protocol Analyzer: www.wireshark.org/download.html

• NetTool Inline Network Tester: www.flukenetworks.com/fnet/en-us/products/NetTool/Overview.htm

• Cain & Abel password recovery tool: www.oxid.it/cain.html

• John the Ripper password recovery tool: www.openwall.com/john/

Answer Review Questions

Answer the following review questions. You can find the answers at the end of this chapter.

1. Which type of vulnerability assessment software can check for weak passwords on the network?

A. Wireshark

B. Antivirus software

C. Performance Monitor

D. A password cracker

2. You are contracted to conduct a forensic analysis of a computer. What should you do first?

A. Back up the system.

B. Analyze the files.

C. Scan for viruses.

D. Make changes to the operating system.

3. Which of the following has schemas written in XML?

A. OVAL

B. 3DES

C. WPA

D. PAP

4. Russ is using only documentation to test the security of a system. What type of testing methodology is this known as?

A. Active security analysis

B. Passive security analysis

C. Hybrid security analysis

D. Hands-on security analysis

5. Of the following, which is the best way for a person to find out what security holes exist on the network?

A. Run a port scan.

B. Use a network sniffer.

C. Perform a vulnerability assessment.

D. Use an IDS solution.

6. After using NMAP to do a port scan of your server, you find that several ports are open. Which of the following should you do next?

A. Leave the ports open and monitor them for malicious attacks.

B. Run the port scan again.

C. Close all ports.

D. Examine the services and/or processes that use those ports.

7. Which of the following is a vulnerability assessment tool?

A. John the Ripper

B. AirSnort

C. Nessus

D. Cain & Abel

8. You are a consultant for an IT company. Your boss asks you to determine the topology of the network. What is the best device to use in this circumstance?

A. Network mapper

B. Protocol analyzer

C. Port scanner

D. A vulnerability scanner

9. Which of the following can enable you to find all the open ports on an entire network?

A. Protocol analyzer

B. Network scanner

C. Firewall

D. Performance monitor

10. What can hackers accomplish using malicious port scanning?

A. “Fingerprint” of the operating system

B. Topology of the network

C. All the computer names on the network

D. All the usernames and passwords

11. Many companies send passwords via clear text. Which of the following can view these passwords?

A. Rainbow table

B. Port scanner

C. John the Ripper

D. Protocol analyzer

12. Which of the following persons is ultimately in charge of deciding how much residual risk there will be?

A. Chief security officer

B. Security administrator

C. Senior management

D. Disaster Recovery Plan coordinator

13. To show risk from a monetary standpoint, which of the following should risk assessments be based upon?

A. Survey of loss, potential threats, and asset value

B. Quantitative measurement of risk, impact, and asset value

C. Complete measurement of all threats

D. Qualitative measurement of risk and impact

14. The main objective of risk management in an organization is to reduce risk to a level _____________. (Fill in the blank.)

A. The organization will mitigate

B. Where the ARO equals the SLE

C. The organization will accept

D. Where the ALE is lower than the SLE

15. Why would a security administrator use a vulnerability scanner? (Select the best answer.)

A. To identify remote access policies

B. To analyze protocols

C. To map the network

D. To find open ports on a server

16. An example of a program that does comparative analysis is what?

A. Protocol analyzer

B. Password cracker

C. Port scanner

D. Event Viewer

17. Why do hackers often target nonessential services? (Select the two best answers.)

A. Quite often, they are not configured correctly.

B. They are not monitored as often.

C. They are not used.

D. They are not monitored by an IDS.

18. Which of the following tools uses ICMP as its main underlying protocol?

A. Ping scanner

B. Port scanner

C. Image scanner

D. Barcode scanner

19. Which command would display the following output?


A. Ping

B. Ipconfig

C. Nbtstat

D. Netstat

Answers and Explanations

1. D. A password cracker can check for weak passwords on the network. Antivirus software can scan for viruses on a computer. Performance Monitor enables you to create baselines to check the performance of a computer. Wireshark is a protocol analyzer.

2. A. Back up the system before you do anything else. This way, you have a backup copy in the case that anything goes wrong when you analyze or make changes to the system.

3. A. OVAL (Open Vulnerability and Assessment Language) uses XML as a framework for the language. It is a community standard dealing with the standardization of information transfer. 3DES is an encryption algorithm. WPA is a wireless encryption standard, and the deprecated PAP is the Password Authentication Protocol, used for identifying users to a server.

4. B. Passive security analysis or passive security testing would be one that possibly does not include a hands-on test. It is less tangible and often includes the use of documentation only. To better protect a system or network, a person should also use active security analysis.

5. C. The best way to find all the security holes that exist on a network is to perform a vulnerability assessment. This may include utilizing a port scanner and using a network sniffer and perhaps using some sort of IDS.

6. D. If you find ports open that you don’t expect, be sure to examine the services and/or processes that use those ports. You may have to close some or all of those ports. When you finish with your examination, and after you have taken action, run the port scan again to verify that those ports are closed.

7. C. Nessus is a vulnerability assessment tool. AirSnort is used to crack wireless encryption codes. John the Ripper and Cain & Abel are password cracking programs.

8. A. A network mapper is the best tool to use to determine the topology of the network and to find out what devices and computers reside on that network. An example of this would be LAN Surveyor.

9. B. A network scanner is a port scanner used to find open ports on multiple computers on the network. A protocol analyzer is used to delve into packets. A firewall protects a network, and a performance monitor is used to create baselines for and monitor a computer.

10. A. Port scanning can be used in a malicious way to find out all the openings to a computer’s operating system; this is known as the “fingerprint” of the operating system. Port scanning cannot find out the topology of the network, computer names, usernames, or passwords.

11. D. A protocol analyzer can delve into the packets sent across the network that contain the clear text passwords. Rainbow tables and John the Ripper deal with cracking passwords that were previously encrypted; they aren’t necessary if the password were sent via clear text. Port scanners scan computers for any open ports.

12. C. Residual risk is the risk left over after a security and disaster recovery plan have been implemented. There is always risk, because a company cannot possibly foresee every future event, nor can it secure against every single threat. Senior management as a collective whole is ultimately responsible for deciding how much residual risk there will be in a company’s network. No one person should be in charge of this, but it should be decided on as a group. If the group decides that residual risk is too high, the group might decide to get insurance in addition to its security plan. The security administrator is in charge of finding and removing risks to the network and systems and should mitigate risks if possible. The disaster recovery plan (DRP) coordinator usually assesses risks and documents them, along with creating strategies to defend against any disastrous problems that might occur from that risk, but that person does not decide on the amount of acceptable residual risk to a company.

13. B. When dealing with dollars, risk assessments should be based upon a quantitative measurement of risk, impact, and asset value.

14. C. The main objective of risk management is to reduce risk to a level that the organization or company will accept. Mitigation is the act of reducing threats in general.

15. D. The best answer for why a security administrator would use a vulnerability scanner is to find open ports on a particular computer. Although a vulnerability scanner can do more than scan for open ports, it is the best answer listed.

16. B. A password cracker is considered to be a program that does comparative analysis. It systematically guesses the password and compares all previous guesses before making new ones until it cracks the password.

17. A and B. Nonessential services are often not configured and secured by the network administrator; this goes hand-in-hand with the fact that they are not monitored as often as essential services. It is imperative that network administrators scan for nonessential services and close any corresponding ports. Even though services may be nonessential, that doesn’t necessarily mean that they are not used. An IDS, if installed properly, should monitor everything on a given system.

18. A. A ping scanner uses the Internet Control Message Protocol (ICMP) to conduct its scans. Ping uses ICMP as its underlying protocol, along with IP and ARP. Image scanners are found in printers and as standalone items that scan images, photos, and text into a computer. Barcode scanners are used to scan barcodes, for example at the supermarket.

19. D. Netstat shows sessions including the local computer and remote computer. It shows these connections by computer name (or IP) and port name (or number).
