
Network Vulnerability Assessment Methodology Lesson 6.


1 Network Vulnerability Assessment Methodology Lesson 6

2 Review of Some Definitions
- Risk: the probability that a threat will exploit a vulnerability to adversely affect an information asset.
- Threat: an event, the occurrence of which could have an undesired impact.
- Threat impact: a measure of the magnitude of loss or harm on the value of an asset.
- Threat probability: the chance that an event will occur, or that a specific loss value may be attained should the event occur.
- Safeguard: a risk-reducing measure that acts to detect, prevent, or minimize loss associated with the occurrence of a specified threat or category of threats.
- Vulnerability: the absence or weakness of a risk-reducing safeguard.
Definitions from Peltier text.

3 Philosophy of an NVA
“The NVA examines the network systems from both a policy and a practice point of view” – the top-down and bottom-up assessments mentioned in a previous lesson.
- Top-down concentrates on the extent to which policies and procedures promote a secure computing environment. The team examines the procedural framework upon which corporate security rests.
- Bottom-up concentrates on the hardware and software implementations of network security.
Exhibit 1, page 50 from Peltier.

4 NVA Methodology Page 51 from Peltier text

5 NVA Methodology Page 52 from Peltier Text

6 NVA Team Members and Skills
Major roles:
- NVA lead
- Policy examiner(s)
- Technical examiner(s); may need experts in several OSs and programs
Page 58 from Peltier text.

7 Project Initiation
- Develop a detailed project plan
- Assemble teams and make tentative assignments
- Hold a kick-off meeting with the sponsor (client)
  - An earlier meeting may be needed to complete the Pre-NVA checklist (before the detailed plan is completed)
- Obtain approval of the detailed project plan by the sponsor (before the kick-off meeting)

8 Phase I: Data Collection
- Obtain the documents the client has from the list in the Pre-NVA checklist.
- Review applicable state and federal laws affecting the client.
- Review documentation and the list of equipment.
- Create a list of known bugs and security vulnerabilities to test for in the client environment.

9 Phase II: Interviews, Information Reviews, Hands-on Investigation
Interviews:
- Determine what interviews you might want to conduct
- Provide the list of requested interviews to the POC
- Conduct interviews
- Request additional documents that may not have been considered during Phase I
- Request facility and network clearance and passwords for team members from the POC
We will differ from this slightly: take a tour of the facility and conduct tests of HW and SW as well as a physical inspection.

10 Phase II, Our Version
What the text has is good; we will be adding to it. We need the onsite evaluation of HW/SW and the look at the physical facilities. We will want to conduct:
- Public presence analysis
- External penetration test
  - Reconnaissance
  - Focused reconnaissance
  - Vulnerability scanning
  - Web page inspection/alteration
  - Passwords
  - Social engineering

11 Reconnaissance
- Port scanning: single ports
- Port scanning: multiple ports
Focused reconnaissance:
- Port scans and connection programs to grab banner information from all open services, sometimes integrated into vulnerability scanners
- Basic configuration information
- Password protection
- Site content

12 Vulnerability Scanning
- Automated scanning for known vulnerabilities based upon server type
- Many different scanners exist, open source as well as commercial: Whisker, CIS, Netsonar, ISS, Nmap, Nessus

13 Web Page Examination
Raw HTML examination:
- Path names
- Directory listing: clues to directory structure
- Database commands
- Hard-coded IP addresses
- Other extraneous information
Editing HTML:
- Saving a local copy, then making key edits to attempt unauthorized data access
- SQL injection
Form entry:
- Overly long inputs, inputs with invalid characters
- SQL injection
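The form-entry and SQL injection items on this slide, as an added example that is not code from the lesson or the Peltier text: a login lookup built by string concatenation beside the parameterized form, with the length and allowed-character checks an examiner would expect on the server side. The user table, the 64-character limit, the allowed-character set and the plaintext password column are all constructed for this example; a real application stores salted password hashes.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory user table standing in for the
    client's web application database (not from the lesson)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "Correct-Horse-9", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so form input is parsed as SQL.
    A password field of  ' OR '1'='1  turns the WHERE clause into a tautology
    and every row comes back."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


# Assumed form-entry policy for this example: cap length, restrict characters.
MAX_LEN = 64
ALLOWED = re.compile(r"^[A-Za-z0-9_.@-]+$")


def validate_form_field(value):
    """Server-side form-entry checks: reject overly long inputs and inputs
    containing characters outside the expected set."""
    if len(value) > MAX_LEN:
        raise ValueError("input too long")
    if not ALLOWED.match(value):
        raise ValueError("input contains invalid characters")
    return value


def login_hardened(conn, username, password):
    """Parameterized query: the driver passes the values separately from the
    SQL text, so they are never parsed as SQL. The username gets the full
    character check; the password keeps its character set but is length-capped."""
    validate_form_field(username)
    if len(password) > MAX_LEN:
        raise ValueError("input too long")
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def demo():
    """Same crafted password field against both versions."""
    conn = make_db()
    injected = "' OR '1'='1"
    vuln = login_vulnerable(conn, "alice", injected)   # all rows returned
    hard = login_hardened(conn, "alice", injected)     # no rows returned
    return {"vulnerable_rows": len(vuln), "hardened_rows": len(hard)}


if __name__ == "__main__":
    print(demo())
```

The hardened version fixes two separate findings from the slide: the parameterized query removes the injection, and the validation rejects the overly long and invalid-character inputs before they reach the database at all.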

14 Passwords and Social Engineering
Attempt to guess passwords:
- Default and common passwords
- Intelligent guesses based on obtained info
- Brute force (later we may ask for the password file to crack)
Social engineering:
- Attempt to obtain information through SE: names of individuals, positions, phone numbers, email addresses (this generally gives the login ID)
- Attempt to social engineer a password/userid (for a small company, may not be able to do this)
- Physical attack on facility: dumpster diving; shoulder surfing, piggybacking
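The password items on this slide from the policy side, as an added example that is not code from the lesson or the Peltier text: a check that a proposed password is neither a default/common password nor an "intelligent guess" derived from the information an outsider could obtain (login ID, names, company, phone, email). The common-password list, the sample profile and the 12-character minimum are constructed assumptions for this example; a real review would use the vendor's default lists and a large common-password list.

```python
import re

# Constructed stand-in for a default/common password list.
COMMON_PASSWORDS = {"password", "123456", "admin", "welcome", "letmein", "qwerty", "changeme"}

# Undo the usual letter/digit substitutions so "P@ssw0rd" compares as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(s):
    """Lower-case, undo substitutions, then keep only letters."""
    return re.sub(r"[^a-z]", "", s.lower().translate(LEET))


# Only alphabetic common passwords take part in the normalized comparison;
# short leftovers like the digits of "123456" would otherwise match noise.
NORMALIZED_COMMON = {normalize(p) for p in COMMON_PASSWORDS if len(normalize(p)) >= 5}


def derived_terms(profile):
    """Word tokens an outsider could obtain: login ID, names, company, email parts."""
    terms = set()
    for value in profile.values():
        for token in re.split(r"[\s@._-]+", (value or "").lower()):
            if len(token) >= 3 and token.isalpha():
                terms.add(token)
    return terms


MIN_LEN = 12  # assumed policy minimum for this example


def check_password(candidate, profile):
    """Return the sorted list of reasons the candidate would be easy to guess;
    an empty list means it passed every check."""
    reasons = []
    norm = normalize(candidate)
    if candidate.lower() in COMMON_PASSWORDS or any(c in norm for c in NORMALIZED_COMMON):
        reasons.append("default or common password")
    for term in derived_terms(profile):
        t = normalize(term)
        if len(t) >= 3 and (t in norm or t[::-1] in norm):
            reasons.append(f"derived from obtainable info: {term!r}")
    # Digit runs of four or more taken from a phone number or similar.
    candidate_runs = re.findall(r"\d{4,}", candidate)
    for value in profile.values():
        digits = re.sub(r"\D", "", value or "")
        if len(digits) >= 4 and any(run in digits for run in candidate_runs):
            reasons.append("contains digits from obtainable info")
            break
    if len(candidate) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    return sorted(set(reasons))


# Constructed profile: the kind of information a social-engineering call yields.
SAMPLE_PROFILE = {
    "username": "jsmith",
    "name": "John Smith",
    "company": "Acme Widgets",
    "phone": "512-555-0147",
    "email": "john.smith@acme-widgets.example",
}

if __name__ == "__main__":
    for pw in ("Acme2024!", "P@ssw0rd2024", "Summer0147!!", "troubador-violet-harbor"):
        print(pw, "->", check_password(pw, SAMPLE_PROFILE) or "ok")
```

The normalization step is what makes the "intelligent guess" check useful: an examiner who finds the company name in the HTML or on the phone does not need the exact spelling, so the check has to flag the substituted and reversed forms too.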

15 Phase III: Analysis
- Spans most of the NVA process, as it is being conducted at multiple levels
- Ongoing analysis may shape and direct further activities
- Need to identify threats and vulnerabilities
- Also need to take a look at possible ways to mitigate the risks; need to consider the most cost-effective mechanisms
Analysis of security policies:
- Do policies explicitly state what is and is not permissible?
- Do they cover all security-related factors (network to physical)?

16 Security Handbook
It has been recommended by several sources that every organization have a security handbook for all employees. This book translates the company’s policies into specific practices for the employees. Examine the handbook (if they have one) and ensure:
- Users can implement the security policy correctly
- The book provides specific examples as opposed to generalized statements
- Consequences for failure to follow policies are clearly delineated
- Users are provided an understanding of their responsibilities and expectations
- It covers all situations (e.g. telecommuting)
- It has a procedure to report violations of policies

17 Additional Phase III Items
Examination of standards and practices:
- Document handling
- Incident handling: do they have procedures? Do they have an established IRT?
- Asset protection
- Management and awareness
  - Organizational suitability, e.g. is senior management openly supportive of the security program?
  - Personnel issues (enough people to do the job? good HR and security-related policies?)
- After-hours procedures
- Auditing
- Application design and development procedures
- Technical safeguards (and their operation)

18 Phase IV & V: Reports
Phase IV: draft report (sample sections covered in text).
- Provides the sponsor an opportunity to review, and you an opportunity to re-evaluate areas that might be in question (if necessary) or to clarify points
- Provides the sponsor an opportunity to provide comments
Phase V: final report and presentation.
- Can include comments from the sponsor obtained after the draft report was reviewed
- Formal presentation signals the formal conclusion of the project; provided to senior management if possible
- Several final reports: a senior management summary report and a techie detailed report

19 Textbook Timeline - Laredo
Exhibit 4, page 58 from Peltier. (Timeline figure: lessons 10 through 28 and final; interviews, analysis, tests.)

20 Textbook Timeline - Austin
Exhibit 4, page 58 from Peltier. (Timeline figure: lessons 10 through 28 and final; interviews, analysis, tests.)

21 Summary What is the importance and significance of this material? How does this topic fit into the subject of “Security Risk Analysis”?
