286 Managing Network Vulnerability Assessment
network operating systems, 175–177
nontechnical management, 170–171
systems, 177
technical management and network practices, 171–175
body of NVA report, 160–161
analysis, 160
conclusions, 160–161
final comments, 161
glossary, 161
key safeguards for providing information security, 160
methodology overview, 160
security profile, 160
summary table of risk, vulnerabilities, and recommendations, 161
executive summary, 159
final comments, 182
glossary, 184
key safeguards, 178–180
access control, 179
auditing, 179
authentication, 178
firewalls, 180
nonrepudiation, 178
secure messaging, 179
methodology overview, 164–165
introduction, 164
methodology, 164–165
recommendations to mitigate risks, 181
sample executive summary, 162–163
introduction, 162
methodology, 162
recommendations, 163
results and conclusions, 162–163
security profile, 166–170
background information, 166
computer operations and telecommunications areas, 169
hands-on investigation reports, 168
interview reports, 167–168
list of company documentation, 166
network access and practices, 168–169
system and network configurations, 169–170
summary table of risk, vulnerabilities, and recommendations, 183
table of contents, 159
NetWorld Scanner, 139, 140
NFS, see Network file systems
NI, see Network Inspector
Nimda, 37, 93
NIST
special publications, 267–269
Web site, 84
Nmap
for Linux, 127, 129
for NT, 128, 129
for Windows, 128
Node authentication, 54, 85
Noncompliance, 83
Nondisclosure agreements, 166
Nonrepudiation, 178
Novell NetWare, 175, 248
NT systems, access control on, 179
Null sessions, 248
NVA, see Network vulnerability assessment
NVA report, sample, 223–265, see also Network vulnerability assessment sample report
exceptions to vulnerability assessment test protocol, 254
executive summary, 226–227
finding rating levels, 230
findings, 231–250
access control methodologies, 236–238
applications and systems security, 244–250
physical and operational security, 239–241
security architecture, 234–236
security management, 231–234
telecommunications and network security, 241–244
general opinion, 227–230
critical vulnerabilities, 228
identification and authentication, 228–229
intrusion detection, 229
personnel, 227–228
policies and procedures, 228
reference model, 257–265
CLIENT trust model, 258
figures and diagrams, 262–263
glossary, 271–279
list of tests performed, 258–261
standard information protection model, 257
summary information, 261–262
supplementary information, 263–265
standards applied, 254–257
common criteria, 254
common methodology, 254–256
functional areas of vulnerability, 256
ISO 17799, 256–257
table of contents, 224–226
version history information, 224
vulnerability assessment report, 223
vulnerability assessment team members, 224
vulnerability assessment test protocol, 251–253
address space scan, 251
analysis and reporting, 252–253
document examination, 252
network scan/attack simulation from within target network segment, 252
platform configuration assessment, 252
point scan, 251
verification, 252
zero-information-based footprint analysis, 251
your company, 223
NVAT, see Network vulnerability assessment team
O
Office
location list, 24
PCs, virus problems in, 66
One-stop shopping, assessment of, 133
One-time passwords, 238
Online auction site, 39
Online bug tracking information, 76
Operating system (OS), 126
bug, 66
fingerprint tools, 108
number of lines of code in popular, 8
Operations security procedures, violations of, 239
Opportunity cost, 74
OS, see Operating system
P
Pandora, 145, 146
Password(s)
applications, single sign-on, 178
attacks, vendor default, 41
checking, 163
Cleartext, 176
compromised, 62, 237
cracking, 25, 27
brute-force, 125, 140
tools, 144
default, 167
dial-in, 177
management, 71
one-time, 238
policy, 166, 231
sending of across network, 238
shared, 71
strength, 237
transmission of, 176
unencrypted, 237
user accounts without, 176
PayPal, 38
Pelttech Web site, 100
People skills, 58
Personal privacy
loss of, 74
threats to, 42
Personnel, threat analysis and, 63
PestPatrol, 106
PhoneTag, 153, 154
Physical security, 35
after-hours review of, 69
procedures, violations of, 240
tests, 261
Ping
function, 124
response, 120
Pinger, 126
Pirated software, 36
Platform configuration assessment, 252
POC, see Point of Contact
Point-and-click tool, 95–96
Point of Contact (POC), 59, 164
Point scan, 251
PoisonBox, 38
Policy(ies)
Asset Classification, 84
development, 181
examiners, 52, 58
global, 82
system-specific, 82
topic-specific, 82, 85–86
writing skills, 11
Policy review (top-down) methodology, 81–87
contents, 83–84
definitions, 81–82
general program policy, 82
policy, 81
system- or application-specific policy, 82
topic-specific policy, 82
policy content, 82–83
review elements, 84–87
Pornography, downloading of, 36
Port Scanner, 130, 132
Port scanners, 108, 128
PowerPoint, 78
Prefix scanning, 41
Pre-NVA checklist, 59, 81, 215–221
applications, 219
documentation, 219–221
host, 218
infrastructure support contacts, 216–217
network, 217–218
NVA team members, 215
Pre-vulnerability assessment questionnaire, 90
Privacy
loss of, 74
threats to, 42
Probability, definition of, 42
Product development administrator, 168
Programmer, disgruntled, 40
Program policy, components of, 83
Project(s)
definition, 14, 17
Definition Statement, 28
failed, 31
initiation, 59
management, 11, 58
Overview Statement, 13, 16, 20–21, 29
Scope Change Request, 30
Scope Document, 13, 16, 27, 28, 30
Project scoping, 13–31
developing project overview statement, 16–19
developing project scope, 19–27
scope of bottom-up assessment tasks, 24–27
scope of top-down assessment tasks, 22–24
task list, 19–22
general scoping practices, 14–16
project overview statement, 14–15
work breakdown structure or task list, 15–16
project scope change, 29–30
project scope document, 27–29
Proof of concept script, 7
Proprietary software copying, control of, 257
Proxying, 105, 243
Public-domain software, 64
Public key encryption, 178
Public telecommunications networks, 44
Q
Queso, 130
Questionnaire
bottom-up scope, 25–27
pre-vulnerability assessment, 90
R
RBL database check, 119
Red Hat Linux, 10
Registry settings, 250
Remote access phone dialing tests, 260
Remote network access policy, 231
Remote user log-ins, 250
Retina, 138
Review elements, 84
Risk(s)
analysis, 2, 62, 233
aversion, 73
definition of, 48, 184
equation, 62
prioritizing, 42
Routers, 71, 91
S
Safeguard, definition of, 48
Sales administrator, 168
Sam Spade, 113
advanced options screen, 115
default fields, 115
Dig, 118
failed zone transfer, 117
options screen, 114
raw Web site, 121
Whois, 116
workspace, default, 114
SANCTUM AppScan, 146, 148
Scanner(s)
overreliance on, 5
probes using, 155
tools, 108, 135
Scope
change, 14
documents, review of, 28
Script kiddies, 7
SEC.gov Web site, 111
Secure Shell, 238
Security
architecture, 234, 235
audits, 70
cabling, 53
configuration(s)
high-level, 206
settings, 205
device, hacked, 8
efforts, company funding of, 67
e-mail, 54
errors, 68
firewall, 72
incidents, reporting of, 56
Linux, 99
management, 231
oversight, 163, 170
physical, after-hours review of, 69
policy, 63
design, 60
lack of, 9
procedures, employee productivity and, 67
profile, 75
settings, optional, 206
tools, Web, 138
training, 70
vulnerabilities, 138
weaknesses, reporting of, 56
Web sites, 101–104
SecurityAnalyst, 149
SecurityFocus, 96
SecurityFocus Web site, 97–98
Sensitive data, definition of, 184
Server(s)
application, 71
DNS, 118
file, 71
mail, 246
Web
development, 247
tools, 142
vulnerabilities in, 143
Simple Network Management Protocol (SNMP), 124, 241
brute-force password crack, 125
vulnerabilities inside, 93
Site survey, 90
SMTP relay check, 118, 119
Sniffer Pro, 152
Sniffing, 41
SNMP, see Simple Network Management Protocol
SNScan, 125
Social engineering, 156, 261
Soft vulnerabilities, 7, 8
Software
authorization, 179
downloading of pirated, 36
malfunctions, reporting of, 56
proprietary, 257
public-domain, 64
Solaris, enterprise-scale vulnerability assessment product for, 149
SolarWinds, 241
IP network browser, 124
tools, 155
Spam
relay, 110
sender’s list, 119
Span port, 91
Specialty tools, 108
Splicing attacks, 41
Spoofing, 41
Spying, industrial, 40
Standards and practices
security issues, 64
threat analysis and, 63
Stealth scanning, 127
Strobe, 133
SunRPC scanning, 127
Super Scan, 131
Switch-versus-hub debate, 91
Symantec
Enterprise Security Manager, 149
NetProwler, 150, 151
NetRecon, 135
System(s)
acceptance, 53, 85
access policy, 231
administrator
operations manual, 166
responsibilities, 34
auditing, 250
configurations, 62
design, 60
installation, 60
probing, 41
-specific policy, 82
support, 35
use, monitoring of, 56
utilities, use of, 57
T
Tailgating, 169
Task
list, 13, 19, 22
status, measurable, 15
TCP communication, OS response to, 127
TCP/IP, 122, 127
Technical (bottom-up) methodology, 89–158
analysis, 156–157
conducting of assessment, 153–156
documentation, 157
site survey, 90–93
test plan development, 93–107
building of plan, 106–107
Internet sources, 94–100
protection from Internet sources, 100–106
toolkit building, 107–153
application discovery tools, 128–133
application tools, 146–148
host testing tools, 148–150
miscellaneous tools, 150–151
NetBIOS tools, 139–142
network enumeration tools, 122–126
network sniffers, 152–153
operating system fingerprint tools, 126–128
password cracking tools, 144–146
specialty tools, 138–139
vulnerability scanning tools, 133–138
war dialing, 153
Web server tools, 142–143
wireless tools, 151–152
zero-information-based tools, 109–122
Technical examiner skills, 58
Technical safeguards, threat analysis and, 63
Telecommunications, 35, 241
Telesweep, 153
Telnet
outside availability of, 242
security of, 178
session, nonpassword-protected, 5
Terminal log-on procedures, 55
Test plan development, 93
ThePike, 38
Threat(s), 79
analysis, 63
computer system, 35, 37
definition of, 48, 184
financial losses and, 43
identification of possible, 40
impact, definition of, 48
information losses and, 43
known, 76
personal privacy, 42
prioritizing, 42
probability, definition of, 48
Time of Change versus Time of Use (TOCTOU), 229
TOCTOU, see Time of Change versus Time of Use
Token Ring, 91
Tokens, 238
Top-down methodology, see Policy review methodology
Topic-specific policy, 82, 85–86
Training
security, 70
threat analysis and, 63
Trojan applications, toll checking for, 150
Trojan code, 57
Trojan detecting tools, 108, 139
Trojan horses, 42
Trust model, company culture and, 227
U
Ultra Scan, 130, 132
Underground Systems Security Research, 95
UNIX
command-line tools, 113
controls, 76
critique of, 33
systems, access control on, 179
U.S. Department of Defense, TCSEC guidelines developed by, 106
User
IDs, 227, 231
log-ins, remote, 250
password, compromise of, 237
Usernames, sending of across network, 238
USSR Back Web Site, 96
V
Vendor default password attacks, 41
Virtual local area network (VLAN), 91
Virtual private networks (VPNs), 92, 107, 179
Virus(es)
detection, 36, 231
problems, office PC, 66
Visio document, 121
Visual Basic scripting, 249
VLAD the Scanner, 143
VLAN, see Virtual local area network
VPNs, see Virtual private networks
Vulnerability(ies)
assessment
elements of good, 9–10
goals of, 4
model, 108, 154
application discovery layer, 129
application scanning layer, 146
host testing layer, 148
network enumeration layer, 123
OS fingerprint layer, 127
specialty tool layer, 139
vulnerability scanning layer, 133
zero information layers, 109
classes of, 7–9
definition of, 2, 4–6, 48, 184
patch released, 7
vulnerability announced, 7
vulnerability discovered, 6–7
functional areas of, 256
hard, 7
life cycle, 6
scanning tools, 133
soft, 7, 8
W
WAN, see Wide area network
War dialing, 25, 27, 109, 139, 153
Web