176 Managing Network Vulnerability Assessment
Exhibit 4. Analysis (Continued)
The lack of security-oriented default user profiles on Novell servers means
that critical data can be accessed from a noncritical system.
Recommendation. A firewall or segment configuration policy is needed
that defines the users who are allowed to access particular segments of
the network (ISO 17799, 9.2). Access to subnets can be achieved with
screened subnet architecture, proxy services, or interior routers.
User Accounts without Passwords
Risk = high. We discovered several accounts with no assigned passwords.
The lack of a password assigned to an account means that no authentication
of the actual person using the account exists. If the account is
misused, that misuse cannot be traced to a specific person. An account
without a password is highly vulnerable to hackers.
Recommendation. Run a NULL password checker on the network and
remove all NULL password accounts or assign passwords. For maximal
security, delete guest accounts. Use a password generator to generate
one-time random passwords for users when issuing a new password.
Force users to change that password immediately (ISO 17799, 9.2.3).
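The NULL password checker and one-time password issuance the recommendation describes, as an added example that is not part of the sample report. It runs over a constructed /etc/shadow-style file (account names and hash values are placeholders); the Unix shadow layout is assumed purely for illustration, since the report's Novell and NT systems keep credentials elsewhere.

```python
import secrets
import string

# Constructed sample in /etc/shadow layout; hash fields are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$placeholderhash:19000:0:99999:7:::
jsmith::19000:0:99999:7:::
guest::19000:0:99999:7:::
svc_backup:!:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
mjones:$6$placeholderhash2:19000:0:99999:7:::
"""

def audit_shadow(shadow_text: str) -> dict:
    """Classify accounts: 'null' (empty password field), 'locked' ('!' or '*'
    prefix, which is not the same as no password), and 'guest' (well-known name)."""
    report = {"null": [], "locked": [], "guest": []}
    for raw in shadow_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed entry; a real audit would report it
        name, pw = fields[0], fields[1]
        if pw == "":
            report["null"].append(name)
        elif pw[0] in "!*":
            report["locked"].append(name)
        if name.lower() == "guest":
            report["guest"].append(name)
    return report

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

def one_time_password(length: int = 14) -> str:
    """Random one-time password from the OS CSPRNG; the user must change it at first log-in."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def remediation_plan(shadow_text: str) -> dict:
    """Map each NULL-password account to a fresh one-time password, or to
    'delete' for guest accounts, following the recommendation above."""
    report = audit_shadow(shadow_text)
    return {name: "delete" if name in report["guest"] else one_time_password()
            for name in report["null"]}
```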
Passwords in Cleartext
Risk = high. Passwords are mechanisms used to identify individual network
users. If the password can be found, observed, or otherwise noted, the
user account can be used by an unauthorized person.
Passwords may exist in batch files for automated log-in and for resetting
multiple passwords within a list of user IDs. These passwords are stored
on the system unencrypted and can be easily discovered. Passwords
may be found in .bat files that execute log-in processes. They may also
be found in profiles (MAC) for RUMBA connections to the mainframe
or other systems.
Passwords were also found at user workstations. Users sometimes post
their account and application passwords within their immediate work
environment.
Recommendation. Employees need to be trained in good security practices
(ISO 17799, 10.3). A program should be implemented to ensure
employee adherence to good security practices. Passwords should never
be stored or transmitted in cleartext. Bogus Corporation needs to encrypt
stored passwords whenever user programs supersede the access control
mechanisms provided by the network. Also, Bogus Corporation needs
to protect stored passwords by access controls provided by the network.
These controls protect the password database from unauthorized modification
and disclosure.
TCP/IP
Risk = medium. A security vulnerability called the “Land Attack” has been
posted to a security mailing list. This attack can “freeze” operating
systems, networks, and network devices. An attacker can send a SYN
packet, which is normally used to open a connection, to the host under
attack. The packet is spoofed to appear to the machine that it is coming
from itself, from the same port. When the system or device tries to
respond to it multiple times, it crashes.
Recommendation. Packet filters that protect against IP address spoofing
(ISO 17799, 8.5) will be effective in preventing Internet-based “Land
Attacks.” Cisco has released information on how to configure its hardware
to provide system security against this attack.
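An added example, not from the sample report, showing the two checks a packet filter needs for this finding: the Land Attack signature (a SYN whose source address and port equal its destination address and port) and the ingress anti-spoofing rule the recommendation calls for. The internal address range and the packet-building helper are constructed for the example.

```python
import struct
import ipaddress

SYN = 0x02
# Constructed internal address range for the anti-spoofing check (assumption, not from the report).
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")

def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, sport, dport, tcp_flags) from a raw IPv4/TCP packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(pkt) < ihl + 14:
        raise ValueError("not IPv4/TCP, or TCP header truncated")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13] & 0x3F          # low six TCP flag bits; CWR/ECE ignored
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            sport, dport, flags)

def classify(pkt: bytes, from_external: bool) -> str:
    """Return '' if the packet may pass, otherwise a short reason to drop it."""
    src, dst, sport, dport, flags = parse_ipv4_tcp(pkt)
    # Land attack signature: a SYN whose source address and port equal its
    # destination address and port, so the host would be answering itself.
    if flags & SYN and src == dst and sport == dport:
        return "land-attack"
    # Ingress anti-spoofing: a packet arriving from outside must not claim an
    # inside source address.
    if from_external and ipaddress.ip_address(src) in INTERNAL_NET:
        return "spoofed-internal-source"
    return ""

def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal IPv4+TCP packet for testing (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    land = build_packet("10.1.2.3", "10.1.2.3", 139, 139, SYN)
    print(classify(land, from_external=False))   # land-attack
```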
Remote Network Access
Risk = high. These practices are risky. Because the 800 number is well
known, unauthorized users can attack the system and attempt to gain
access by guessing dial-in passwords. Because the passwords are passed
in the clear over the telephone line, anyone seeking dial-in passwords
can “sniff” the wire. These passwords could then be used in a replay
attack.
Members of the sales force routinely dial in to the Bogus Corporation
network, using a well-known 800-access number. Dial-in users have an
additional dial-in password that allows them to connect to the system,
and then they can access the network with their system ID and password
information.
Recommendation. Secure the dial-in process with either token card or smart
card access (ISO 17799, 9.8). These provide an additional layer of
security, and both methods avoid sending passwords over the telephone
line in cleartext.
Systems — Client/Server, Mainframes
MVS
Risk = medium. RACF has the ability to log and record actions that are taken
when creating accounts and changing access to specific files and applications.
This logging facility is not being used in the administration of
mainframe-based account management. If a security incident did occur,
Bogus Corporation would be unable to recreate the sequence of activities.
Recommendation. RACF should be configured to take advantage of its audit
and logging abilities (ISO 17799, 9.2).
Miscellaneous
Applications: UNIX
Telnet is not secured. This means that all information, including user name and
password, is sent and received across the wire in cleartext (ISO 17799, 8.2.7).
Secure Paper and Physical Media Disposal
In all of the offices we visited, few employees knew how or where to dispose
of critical or sensitive information. No shredders were available, and no
guidelines on the secure disposal of information have been provided to staff
(ISO 17799, 5.2.2).
Exhibit 5. Key Safeguards
Authentication
Authentication is the principle of identifying the user to the network. Once
users understand their responsibilities to follow Bogus security policies, they
should then be given user names and passwords. Some applications require
additional passwords for user access. Password management, under these
circumstances, becomes problematic. Different applications impose different
password criteria.
Passwords need to be established and maintained in a manner that provides
the greatest security, without causing undue burden and loss of productivity
for users. Single sign-on password applications offer the ability to sign on to
the network and a variety of applications with one password entry.
Recommendation. The NVA recommends deployment of Single SignOn
clients. This will provide strong authentication to Bogus’ multiple environments
with effective and secure password management. Bogus system developers can
also use Bart’s Security Software Development Kit (SDK) to customize Bogus
applications to support Kerberos or public key authentication and encryption.
Nonrepudiation
Nonrepudiation allows the digital signing of electronic documents and
authorizations. Neither sender nor receiver can repudiate such documents.
Recommendation. We recommend deployment of the Homer Security
Server and Single SignOn clients for secure network log-ons. Kerberos and
public key encryption can be utilized for ensuring data confidentiality and
integrity between the client and the network service. Bogus applications can
be further secured using Marge’s Security SDK.
Secure Messaging
It is important that all messages containing confidential information be sent
by a secure means within the network environment. This is true even for
information that is being kept within the corporate network. Because the
major threat to your data comes from within the network, it is important that
your data be protected from internal threats. Protection for data that is passed
across the network can be made available through the use of file encryption
software or “link encryption,” where the path the data takes is protected.
Recommendation. Protection for network data can be provided through
the use of file encryption software or “link encryption,” where the path the
data takes is protected. Virtual private networks (VPNs) are an additional
means of protecting data at the network layer.
Access Control (Authorization)
Access control is the process of determining what actions a properly authenticated
individual user can take on the network. “Read, write, and execute” are access
control rights. We found little formal evidence that Bogus has any explicit access
control policies. What access control is there is mostly anecdotal. “Everybody
knows that manufacturing personnel cannot access the finance database.” Everyone
who is responsible for providing access to internal network data is expected
to “do the right thing.” Access control is the method used to control access at a
very granular level and can be managed by a number of products.
Recommendation. Bogus should deploy Authorization Software to enhance
access control on Bogus’ UNIX and NT systems.
Auditing
Auditing allows an organization to determine what actions have been taken
in the network environment. With this information, it is possible to determine
what happened, when it happened, and who did it. This information is
essential for investigations into breaches of data security. Gathering evidence
and establishing events leading up to a security incident require that network,
file, and application data is available. All significant events should be monitored
by detective controls.
Recommendation. The Homer Security Server logs all relevant authentication
events according to system default settings for security logging in a
distributed environment. Even without strict audit implementation, network
management should consider using a variety of auditing software to better
monitor network activities. Logging of significant events in the network needs
to be identified and recorded. The NVA recommends additional deployment
of Intrusion Detection’s KANE products (Monitor and Analyst) or ISS’s SAFEsuite
products (System Security Scanner and RealSecure) for system monitoring
and analysis.
Firewalls
Firewalls are designed to restrict the ability of network users to pass and to
access data between nodes or within certain spheres of data on a network.
They are also used to restrict access to data for persons or systems not within
the Bogus environment. Basically, firewalls use a variety of methods for
performing their functions. Some deal with “listening” on specific port
addresses, while others are designed to pass only data that meets an address
requirement. The current “firewall” mechanism at Bogus is intended to restrict
access to systems via network address recognition and authorization. With
this configuration, IP address filtering can be spoofed; it is not a secure method
for isolation or protecting data. Bogus systems are exposed to attacks from
the Internet.
Recommendation. We believe that there are other means available and
other design considerations for restricting access to the network and from
external networks. Each environment within Bogus must be considered an
entity, and restrictive subnetworks should be established to prevent access to
the most critical data or processes. This is similar to a set of concentric fences
that serve as increasingly secure barriers as a network user approaches critical
or sensitive data. CheckPoint’s Firewall-1 product can control and restrict
access within the network and from the outside.
A firewall alone cannot protect network resources from attack by an internal
user of the private network. The firewall is a gateway that simply intercepts
the traffic between a private network and the Internet. An intra-company
firewall can intercept traffic among different parts of an organization, but an
insider might steal critical information or damage resources without any
awareness by the firewall. This threat can be addressed by implementing
appropriate authentication and access control mechanisms. The Homer product
is designed to authenticate all users to a network, thereby restricting access
to unauthorized applications.
Although additional products can be installed that more properly restrict
access, the policy basis for firewalls constitutes the greatest initial step because
it determines how the restrictions will be established in the router or firewall
mechanism. Finally, this recommendation suggests that an overall network
architecture be explored and implemented.