Post on 28-Mar-2015
Gulf Computers Presentation
Vulnerability Assessment: Steps to a More Secure Network
Securing Your Network
Fethi Amara – Email: famara@gulfcomputers.com
© Gulf Computers L.L.C.
www.gulfcomputers.com
Gulf Computers Professional Services
Provider of multivendor data network consulting services
Reference list in the region includes:
Standard Chartered Bank (Dubai)
Emirates Airlines / DNATA Group of Companies (Dubai)
Sharjah Municipality (Sharjah)
Town Planning Department (Abu Dhabi)
Civil Defense (Abu Dhabi)
GEC Marconi (Abu Dhabi)
Ericsson (Oman)
Sultan Qaboos University (Oman)
Oman Refinery Company (Oman)
Occidental (Dubai and Qatar)
QAFCO (Qatar)
Abdul Latif Jameel (Saudi Arabia)
etc.
The Twenty Most Critical Internet Security Vulnerabilities
The SANS Institute (SysAdmin, Audit, Network, Security) – www.sans.org
The NIPC (National Infrastructure Protection Center) – www.nipc.gov
The FBI – www.fbi.gov
Top 10 Vulnerabilities to Windows Systems
Internet Information Services (IIS)
Microsoft Data Access Components (MDAC) – Remote Data Services
Microsoft SQL Server
NETBIOS – Unprotected Windows Networking Shares
Anonymous Logon – Null Sessions
LAN Manager Authentication – Weak LM Hashing
General Windows Authentication – Accounts with No Passwords or Weak Passwords
Internet Explorer
Remote Registry Access
Windows Scripting Host
Top 10 Vulnerabilities to Unix Systems
Remote Procedure Calls (RPC)
Apache Web Server
Secure Shell (SSH)
Simple Network Management Protocol (SNMP)
File Transfer Protocol (FTP)
R-Services – Trust Relationships
Line Printer Daemon (LPD)
Sendmail
BIND/DNS
General Unix Authentication – Accounts with No Passwords or Weak Passwords
The 7 Top Management Errors that Lead to Computer Security Vulnerabilities
Number Seven: Pretend the problem will go away if they ignore it.
Number Six: Authorize reactive, short-term fixes so problems re-emerge rapidly.
Number Five: Fail to realize how much money their information and organizational reputations are worth.
Number Four: Rely primarily on a firewall.
Number Three: Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.
Number Two: Fail to understand the relationship of information security to the business problem – they understand physical security but do not see the consequences of poor information security.
Number One: Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
Number of Vulnerabilities and Incidents Reported (according to www.cert.org)

Incidents reported in 2000-2003
Year        2000    2001    2002    1Q-2Q 2003
Incidents   21,756  52,658  82,094  76,404

Vulnerabilities reported in 2000-2003
Year             2000   2001   2002   1Q-2Q 2003
Vulnerabilities  1,090  2,437  4,129  1,993
The Virus Problem: Major Catastrophes
45 million e-mail users worldwide affected by LoveBug (Computer Economics, May 2000)
LoveBug cost companies an estimated US$10 billion
Dell stopped production for five days due to FunLove
32,000 copies of Melissa hit one company in 45 minutes
No one is safe: Microsoft, FBI, Houses of Parliament, Barclays, BT
Lost productivity, but also loss of reputation
The LoveBug world spread – first 24 hours
Vulnerability Scanning Definition
Testing for areas that allow unauthorized access to networks, systems, and applications
– From outside the enterprise
– From internal sources
Frequency and Damage of Security Threats/Attacks
Vulnerability Sources
Networks
– Firewalls
– Devices, e.g., routers, switches
Systems
– Servers
– Operating system services
Applications
– Configuration problems
– Design flaws
Why Conduct Vulnerability Scans?
Obvious
– Find vulnerabilities
Not so obvious
– Test intrusion detection
– Test incident response
– Test managed security provider
IDS is no substitute
– Speed of attack problem, HoneyNet Project
– Limited scope
Vulnerability Targets
Permissible systems
All access points, including
– Wireless
– Dial-up
– VPNs
Vulnerability Scan Steps
Multiple scanners for different targets
– Firewalls
– Web servers
– Wireless network
– Lotus Notes
– Novell Netware
– Many more
Attack signature database
– Must be updatable
Identifies potential vulnerabilities
– False positives expected
Scanner Characteristics
Specialization - specific target
Number of tests - multiple targets
Reporting
Fix information
False positives
Other features, e.g., client/server
Open Source vs. Commercial Scanners
             Open Source                 Commercial
Pros         Free                        Easy to install/operate
             Frequent updates            Enhanced report generation
             More vulnerabilities        Fully supported
             Can be customized
Cons         Limited support             Cost can be high
             Lots of false positives     Cost of support
             Linux expertise needed
Examples     Nessus, SARA                CyberCop, ISS
How Long Does it Take?
It depends on
– Number of subnets
– Number of hosts
– Blocks in place
  – UDP
  – Firewalls in "play dead" mode
– Thoroughness
Conducting the Scan
Arrange time for scan
– Delay start to avoid scapegoating
Special scan for potential trouble systems
Be available 24x7
Data Analysis
Challenges
– Lots of false positives
– Meaningful data not always easy to identify
Know your audience
– Severity classification
– Department focus
Reporting results
– Common Vulnerabilities and Exposures (CVE)
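As an added illustration of the data analysis step above (example code written for this page, not Gulf Computers' code or any scanner's own output), the Python below takes constructed raw scanner findings and does the triage an analyst would: it collapses duplicate findings for the same host and CVE (two plugins, two ports), suppresses analyst-confirmed false positives, drops findings below a severity threshold, and counts what remains per owning department. The hosts, subnets, owner names and CVE ids (CVE-0000-000x) are all constructed placeholders, and the severity scale is an assumption.

```python
"""Triage of raw vulnerability-scan findings. Added example; all data below is constructed."""
from collections import defaultdict

# Assumed severity scale, used for ordering and for the threshold.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample findings. CVE ids are placeholders, not real identifiers.
RAW_FINDINGS = [
    {"host": "10.0.1.10", "port": 80,  "cve": "CVE-0000-0001", "severity": "high",     "title": "web server overflow (placeholder)"},
    {"host": "10.0.1.10", "port": 80,  "cve": "CVE-0000-0001", "severity": "high",     "title": "web server overflow (placeholder)"},  # second plugin, same issue
    {"host": "10.0.1.10", "port": 443, "cve": "CVE-0000-0001", "severity": "high",     "title": "web server overflow (placeholder)"},  # same issue, second port
    {"host": "10.0.2.20", "port": 25,  "cve": "CVE-0000-0002", "severity": "critical", "title": "mail relay remote code execution (placeholder)"},
    {"host": "10.0.2.20", "port": 161, "cve": None,            "severity": "medium",   "title": "SNMP default community string"},
    {"host": "10.0.3.30", "port": 22,  "cve": "CVE-0000-0003", "severity": "medium",   "title": "SSH banner in vulnerable range (placeholder)"},
    {"host": "10.0.3.30", "port": 22,  "cve": None,            "severity": "info",     "title": "SSH service detected"},
]

# Assumed owner lookup by /24 prefix: the "department focus" of the report.
SUBNET_OWNER = {"10.0.1": "Web team", "10.0.2": "Messaging", "10.0.3": "Unix admin"}

# Analyst-confirmed false positives keyed by (host, cve), e.g. the vendor backported the fix
# so the version banner still matches the signature although the host is patched.
CONFIRMED_FALSE_POSITIVES = {("10.0.3.30", "CVE-0000-0003")}


def owner_of(host):
    """Map a host to its owning department (constructed lookup)."""
    return SUBNET_OWNER.get(host.rsplit(".", 1)[0], "Unassigned")


def triage(findings, false_positives=frozenset(), min_severity="low"):
    """Collapse duplicates, suppress confirmed false positives, drop noise below min_severity.

    Returns unique issues keyed by (host, CVE or title), highest severity first, each
    carrying the set of ports on which it was seen.
    """
    threshold = SEVERITY_RANK[min_severity]
    merged = {}
    for f in findings:
        if (f["host"], f["cve"]) in false_positives:
            continue
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue
        key = (f["host"], f["cve"] or f["title"])
        entry = merged.setdefault(key, {
            "host": f["host"], "cve": f["cve"], "title": f["title"],
            "severity": f["severity"], "owner": owner_of(f["host"]), "ports": set(),
        })
        entry["ports"].add(f["port"])
        # Keep the highest severity any plugin assigned to the same issue.
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
    return sorted(merged.values(), key=lambda e: (-SEVERITY_RANK[e["severity"]], e["host"]))


def summarize_by_owner(issues):
    """Count open issues per owning department and severity for the per-department report."""
    summary = defaultdict(lambda: defaultdict(int))
    for issue in issues:
        summary[issue["owner"]][issue["severity"]] += 1
    return {owner: dict(counts) for owner, counts in summary.items()}


if __name__ == "__main__":
    issues = triage(RAW_FINDINGS, CONFIRMED_FALSE_POSITIVES)
    for i in issues:
        print(f"{i['severity']:8} {i['host']:12} {i['cve'] or '-':14} "
              f"ports={sorted(i['ports'])} owner={i['owner']}")
    print(summarize_by_owner(issues))
```

Seven raw findings reduce to three issues here: the duplicate web-server finding becomes one issue seen on ports 80 and 443, the confirmed false positive disappears, and the informational banner is dropped below the threshold. Raising or lowering min_severity is how the same data is cut differently for management and for the administrators who will fix it.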
Report Styles
Hidden Benefits
Study how security is implemented
Find unknown hosts
Learn about change control process
Good basis for a security policy if one doesn't exist
Policy enforcement
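Three of the hidden benefits above (finding unknown hosts, learning how change control really works, and policy enforcement) come from comparing the scanner's host and service inventory against other records. The Python below is an added example for this page, not Gulf Computers' code: it reconciles a constructed current scan against a constructed asset register, the previous scan and a small exposure policy. The addresses, ports, change tickets and prohibited-service list are all constructed assumptions.

```python
"""Reconcile a scan's host/service inventory against the asset register, the previous scan
and the exposure policy. Added example; all data below is constructed."""

# Constructed: hosts and open TCP ports as a scanner's discovery phase would list them.
BASELINE_SCAN = {
    "10.0.1.10": {80, 443},
    "10.0.2.20": {25, 161},
    "10.0.3.30": {22},
}
CURRENT_SCAN = {
    "10.0.1.10": {80, 443, 8080},  # a new service since the baseline
    "10.0.2.20": {25, 161},
    "10.0.3.30": {22, 23},         # telnet appeared since the baseline
    "10.0.4.40": {139, 445},       # host absent from the asset register
}
# Constructed asset register: what the organisation believes it owns.
ASSET_REGISTER = {"10.0.1.10", "10.0.2.20", "10.0.3.30", "10.0.5.50"}
# Assumed change-control record: ports whose opening was approved since the baseline.
APPROVED_CHANGES = {"10.0.1.10": {8080}}
# Assumed policy: clear-text remote-access services that must not be exposed anywhere.
PROHIBITED_PORTS = {23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}


def unknown_hosts(scan, register):
    """Hosts the scanner found that nobody registered: the 'unknown hosts' the slide mentions."""
    return sorted(set(scan) - register)


def unscanned_assets(scan, register):
    """Registered assets the scan never saw: decommissioned, offline, or hidden by a block."""
    return sorted(register - set(scan))


def unapproved_changes(baseline, current, approved):
    """Ports newly open since the baseline with no matching change ticket.

    A host missing from the baseline counts as entirely new, so all its ports are listed.
    """
    out = {}
    for host, ports in current.items():
        new_ports = ports - baseline.get(host, set())
        unapproved = new_ports - approved.get(host, set())
        if unapproved:
            out[host] = sorted(unapproved)
    return out


def policy_violations(current, prohibited):
    """(host, port, service) triples where an exposed service is prohibited by policy."""
    return sorted(
        (host, port, prohibited[port])
        for host, ports in current.items()
        for port in ports
        if port in prohibited
    )


if __name__ == "__main__":
    print("Unknown hosts:", unknown_hosts(CURRENT_SCAN, ASSET_REGISTER))
    print("Registered but not seen:", unscanned_assets(CURRENT_SCAN, ASSET_REGISTER))
    print("Unapproved changes:", unapproved_changes(BASELINE_SCAN, CURRENT_SCAN, APPROVED_CHANGES))
    print("Policy violations:", policy_violations(CURRENT_SCAN, PROHIBITED_PORTS))
```

Each of the four lists is a conversation starter rather than a finding in itself: an unknown host may be a forgotten test box or a rogue device, a registered asset the scan never saw may be a firewall block of the kind the "How Long Does it Take?" slide warns about, and a port opened without a ticket shows where the change control process is bypassed in practice.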
The Bottom Line
Scan for vulnerabilities in networks, systems & applications
Choose the right target and matching scanner(s)
Conduct scan in defined timeframe
Sift data for relevancy
Gulf Computers Professional Security Services
Evaluation
– Penetration testing, assessment, audit, vulnerability analysis
Strategic
– Incident response, programs, policies, training
Technical
– PKI, VPNs, Firewalls, IDS, AAA integration, PDIO
Question and Answer