Chapter 11 Cliff Notes: Security and Vulnerability in the Network

rabidwestvirginia, Networking and Communications

Oct 26, 2013



CIST 1601 Information Security Fundamentals

Chapter 11 Security and Vulnerability in the Network

Compiled by JD Willard, MCSE, MCSA, Network+

Attention: accessing videos in this document.

Videos with blue links are linked to Professor Messer on YouTube and require nothing but a browser.

Videos with red links require that you be logged in to the Virtual Technical College web site when you click on them to run.

To access and log in to the Virtual Technical College web site:

To access the site, type the site address in the URL window.

Log in using the username: ATCStudent1

Enter the password: student (case sensitive)

If you click on a demo link and get an Access Denied error, it is because you have not logged in to the site, or you need to log out and log back in.



Network Security Threats


CERT is an organization that tracks and reports on computer and network security threats. It is part of the Software Engineering Institute (SEI) at Carnegie Mellon University.

When you suspect a hoax, check the CERT site.

Penetration Testing


Penetration testing is the attempt by an organization to circumvent security controls to identify vulnerabilities in its information systems by trying to get access to your system from an attacker's perspective. It simulates an actual attack on the network and is conducted from outside the organization's security perimeter. Penetration testing helps assure the effectiveness of an organization's security policy, security mechanism implementations, and deployed countermeasures. In general, the following steps are included in the penetration testing process:

Verifying that a threat exists

Bypassing security controls

Actively testing security controls

Exploiting vulnerabilities

Before starting a penetration test (also called a pen test) it is important to define the Rules of Engagement (ROE), or the boundaries of the test. Important actions to take include:

Obtain a written and signed authorization from the highest possible senior management.

Delegate personnel who are experts in the areas being tested.

Gain approval from the Internet provider to perform the penetration test.

Make sure that all tools or programs used in the testing are legal and ethical.

Establish the scope and timeline.

Identify systems that will not be included in the test.

Include in the authorization a statement which limits the tester's liability.

Recognize that even if this process is approved by management, some aspects may be illegal.

Review test findings with administrative personnel.

A penetration tester would need to be used outside your network. You can only penetrate a network from outside of it. A penetration test includes the following steps:

1. Gather initial information.

2. Determine the network range.

3. Identify active devices.

4. Discover open ports and access points.

5. Identify the operating systems and their settings.

6. Discover which services are using the open ports.

7. Map the network.

Vulnerability tests may be complemented by directed efforts to exploit vulnerabilities in an attempt to gain access to networked resources. Penetration testing includes all of the processes in vulnerability testing plus an important extra step, which is to exploit the vulnerabilities found in the discovery phase.


Types of penetration testing include physical, operations, and electronic penetration tests.

In a physical penetration test, the tester attempts to:

Enter a building without authorization.

Access servers or workstations without authorization.

Access wiring closets.

Shut down power or other services.


In an operations penetration test, the tester attempts to gain as much information as possible using the following methods:

In dumpster diving, the attacker looks through discarded papers or media for sensitive information.

In over the shoulder reconnaissance (shoulder surfing), attackers eavesdrop or obtain sensitive information from items that are not properly stored.

In social engineering, attackers act as an imposter with the intent to gain access or information.


In an electronic penetration test, the tester attempts to gain access and information about computer systems and the data on those systems. Definitions of the types of electronic penetration testing are as follows.

System scanning is using discovery protocols such as ICMP and SNMP to get as much information as possible from a system.

Port scanning is scanning various ports on remote hosts looking for well-known services.

Network monitoring is using specialized tools to watch and log network activities.

is the duplication of captured packets without altering or interfering with the flow of traffic on that medium.

Fingerprinting (also called footprinting) is scanning the system to identify the operating system, the patch level, and the applications and services available on it. Footprinting obtains the active blueprint of an organization's infrastructure and security profile. It includes using the whois and nslookup tools. For example, you can identify the operating system used by examining the format of the response to specific probes or messages.

One distinction in penetration testing is the knowledge that the attacker and system personnel have prior to the attack.

In a zero knowledge test (also called a black box test), the tester has no prior knowledge of the target system.

In a full knowledge test (also called a white box test), the tester has detailed information prior to starting the test.

In a partial knowledge test (also called a gray box test), the tester has the same amount of information that would be available to a typical insider in the organization.

A single blind test is one in which one side has advance knowledge. For example, either the attacker has prior knowledge about the target system, or the defender has knowledge about the impending attack.

A double blind test is one in which the penetration tester does not have prior information about the system and the network administrator has no knowledge that the test is being performed. The double blind test provides more accurate information about the security of the system.

The Open Source Security Testing Methodology Manual (OSSTMM) is a manual of a peer-reviewed methodology for performing security tests and metrics which analyze an organization's security in five areas:

Personnel security

Fraud and social engineering

Computer and telecommunications networks

Wireless and mobile devices

Physical security

Vulnerability Scanning

Vulnerability assessment is the process of identifying the vulnerabilities in a system or network. A security vulnerability assessment is proof in and of itself of a corporation's commitment to protecting both data and customers. An attacker attempts to take advantage of vulnerabilities to gain access to information or to a network to which he is not authorized. An administrator checks a network for vulnerabilities to plug security holes and provide a more secure network.

Tools that can be used to monitor the vulnerability of systems include:

A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. Unlike port scanners, which only test for the availability of services, vulnerability scanners may check for the particular version or patch level of a service to determine its level of vulnerability.

A vulnerability scanner checks for vulnerabilities such as:

Open ports

Active IP addresses

Running applications or services

Missing critical patches

Default user accounts that have not been disabled

Default or blank passwords


Missing security controls

Vulnerability scanners:

Should be updated regularly to include the latest known vulnerabilities.

Are the least intrusive method to check the environment for known software flaws. Port scanners and penetration testers are potentially more intrusive. Protocol analyzers cannot check for known software flaws.

Can be used to scan again after a security hole has been patched to verify that the vulnerability has been removed and the system is secure.

Security tools that can be used for vulnerability scanning include:


is a comprehensive vulnerability assessment tool

one of the better
known vulnerability scanners

Microsoft Baseline Security Analyzer (MBSA) is used to evaluate security vulnerabilities in Microsoft products.

Retina Vulnerability Assessment Scanner is used to remotely scan an organization's network for vulnerabilities.

Ping scanner

A ping scanner is a tool that sends ICMP echo request packets to one or multiple IP addresses. Use a ping scanner to quickly identify systems on the network that respond to ICMP packets. To protect against attacks that use ICMP, use a ping scanner to identify systems that allow ICMP, then configure those systems to block ICMP messages. A vulnerability scanner often includes a ping scanner.

Port scanner

A port scanner is a tool that probes systems for open ports. A TCP SYN scan is the most common type of port scan performed by a port scanning tool. It performs only the first part of the three-way handshake, also called a half-open scan, which does not complete the TCP three-way handshake process (the TCP session is not established). Devices that respond indicate devices with ports that are in a listening state.

The port scan output is a combination of IP address and port number separated by a colon (the number after the colon is the port number) for both the source of the port scan and the destination of the port scan.

A vulnerability scanner often includes a port scanner.

Nmap is a common port scanner.
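To show what a half-open scan looks like from the defender's side, here is an added Python example (not from the original notes) that runs detection logic over a constructed set of TCP packet records: a source that sends SYNs to many ports on one host and never completes a handshake is flagged, and the ports that answered SYN/ACK are the ones it learned were listening.

```python
from collections import defaultdict

# Constructed packet records (not a real capture): (src_ip, dst_ip, dst_port, flags).
# A SYN scan sends a SYN, reads the reply (SYN/ACK = listening, RST/ACK = closed)
# and answers a SYN/ACK with RST instead of the final ACK, so no session is ever
# established. A normal client (10.0.0.9 below) finishes the handshake with an ACK.
PACKETS = [
    ("10.0.0.7", "10.0.0.20", 22, "S"),   ("10.0.0.20", "10.0.0.7", 22, "SA"),   ("10.0.0.7", "10.0.0.20", 22, "R"),
    ("10.0.0.7", "10.0.0.20", 80, "S"),   ("10.0.0.20", "10.0.0.7", 80, "SA"),   ("10.0.0.7", "10.0.0.20", 80, "R"),
    ("10.0.0.7", "10.0.0.20", 443, "S"),  ("10.0.0.20", "10.0.0.7", 443, "RA"),
    ("10.0.0.7", "10.0.0.20", 3389, "S"), ("10.0.0.20", "10.0.0.7", 3389, "RA"),
    ("10.0.0.7", "10.0.0.20", 8080, "S"), ("10.0.0.20", "10.0.0.7", 8080, "RA"),
    ("10.0.0.9", "10.0.0.20", 80, "S"),   ("10.0.0.20", "10.0.0.9", 80, "SA"),   ("10.0.0.9", "10.0.0.20", 80, "A"),
]


def detect_half_open_scans(packets, min_ports=4):
    """Return {(scanner, target): {"probed": [...], "open": [...]}} for every source
    that left at least `min_ports` SYN probes to one host without completing the
    three-way handshake (a SYN/ACK was never answered with an ACK)."""
    probed = defaultdict(set)       # (client, server) -> ports that received a SYN
    listening = defaultdict(set)    # (client, server) -> ports that replied SYN/ACK
    completed = defaultdict(set)    # (client, server) -> ports where the client sent the final ACK
    for src, dst, port, flags in packets:
        if flags == "S":
            probed[(src, dst)].add(port)
        elif flags == "SA":
            listening[(dst, src)].add(port)   # reply: dst is the client, src the server
        elif flags == "A" and port in listening[(src, dst)]:
            completed[(src, dst)].add(port)
    findings = {}
    for (client, server), ports in probed.items():
        half_open = ports - completed[(client, server)]
        if len(half_open) >= min_ports:
            findings[(client, server)] = {
                "probed": sorted(half_open),
                "open": sorted(listening[(client, server)] & half_open),
            }
    return findings


if __name__ == "__main__":
    for (scanner, target), info in detect_half_open_scans(PACKETS).items():
        print(f"half-open scan of {target} from {scanner}: probed {info['probed']}, listening {info['open']}")
```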

Ethical Hacking

Penetration testing, also known as ethical hacking, is the vulnerability assessment procedure performed by security professionals after receiving management approval. The primary objective of penetration testing or ethical hacking is to assess the capability of the system to resist attacks and to reveal system and network vulnerabilities. ISS, Ballista, and SATAN are some examples of penetration testing or ethical hacking tools used to identify network and system vulnerabilities.

The three most commonly recognized approaches taken in ethical hacking undertakings are:

Black Box

In black box testing, the administrator acts as if they have no prior knowledge of the network. They act as if they are an attacker from the outside with no familiarity with the system and look for an opening. This is also known as nondisclosure testing. Only a bare minimum of administrators know what is happening. This allows other administrators to act normally while the attack is underway.

White Box

In white box testing, the ethical hacker begins from the premise of knowing something about the network and systems in place, just like a malicious insider. They try to find a weakness armed with information about the source code, the routing, and so on. This is also known as full disclosure testing.

Gray Box

Also known as partial disclosure testing. The usual scenario being created is one of an outsider working in conjunction with an insider who has given them some information. Because an insider is involved, the big question is what can an insider get to?


Assessment Types and Techniques

A security baseline defines the level of security and performance of a system in an organization. A baseline is also used as a benchmark for future changes. Any change made to the system should match the defined minimum security baseline. A security baseline is defined through the adoption of standards in an organization.

You should create a System Monitor chart based on a performance log. This will ensure that performance baseline statistics are recorded for an extended period of time. The first step to creating a performance baseline is to create a security policy. Without the policy, the baseline has no guidelines to follow.

Metrics for security baselines and hardening efforts rely on identification of vulnerability and risk. It is necessary to have some mechanism for measuring vulnerability to determine whether a baseline has been met, or if a new security measure has been effective.

Baseline reporting checks to make sure that things are operating status quo and that change detection is used to alert when modifications are made.
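Baseline reporting and change detection, as an added Python example that is not part of the original notes: a baseline of hashed configuration files is recorded, a later snapshot is compared against it, and a performance counter is checked against the band recorded in the performance log. The file names, contents and counter values are constructed.

```python
import hashlib
from statistics import mean, pstdev


def record_baseline(files):
    """Baseline = SHA-256 of each file's content at a known-good point in time."""
    return {name: hashlib.sha256(content.encode()).hexdigest()
            for name, content in files.items()}


def detect_changes(baseline, current):
    """Compare a new snapshot against the baseline; anything listed here should
    raise an alert, because nothing should change without an approved request."""
    now = record_baseline(current)
    return {"changed": sorted(n for n in baseline if n in now and now[n] != baseline[n]),
            "added": sorted(set(now) - set(baseline)),
            "removed": sorted(set(baseline) - set(now))}


def outside_baseline(samples, value, sigmas=3.0):
    """True when a performance counter leaves its baseline band (mean +/- N sigmas),
    which is how a baseline chart shows that something is no longer status quo."""
    m, sd = mean(samples), pstdev(samples)
    return abs(value - m) > sigmas * sd


# Constructed known-good configuration snapshot.
BASELINE_FILES = {
    "sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "sudoers": "%wheel ALL=(ALL) ALL\n",
    "hosts.allow": "sshd: 10.0.0.0/24\n",
}
# Constructed later snapshot: root login re-enabled, one file added, one removed.
CURRENT_FILES = {
    "sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
    "sudoers": "%wheel ALL=(ALL) ALL\n",
    "rc.local": "/usr/local/bin/listener &\n",   # hypothetical path, constructed
}
# Constructed CPU utilisation samples (percent) from the performance log.
CPU_BASELINE = [12, 15, 11, 14, 13, 16, 12, 15]


if __name__ == "__main__":
    print(detect_changes(record_baseline(BASELINE_FILES), CURRENT_FILES))
    print("cpu 14% outside baseline:", outside_baseline(CPU_BASELINE, 14))
    print("cpu 48% outside baseline:", outside_baseline(CPU_BASELINE, 48))
```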

During a code review, you look at all custom written applications for holes that may exist (in the form of the finished application, configuration files, libraries, and the like). Simply reading the code is known as manual assessment, while using tools to scan the code is known as automated assessment.

The attack surface of an application is the area of that application that is available to users, those who are authenticated and, more importantly, those who are not. As such, it can include the services, protocols, interfaces, and code. The goal of attack surface reduction (ASR) is to minimize the possibility of exploitation by reducing the amount of code and limiting potential damage.

Secure Network Administration Principles

Rule-Based Management

Rule-based management, also known as label-based management, defines conditions for access to objects. The access is granted to the object based on both the object's sensitivity label and the user's sensitivity label. With all rules, an action must be defined. That action is triggered when conditions are or aren't met.

Port Security

Port security works at layer 2 of the OSI model and allows an administrator to configure switch ports so that only certain MAC addresses can use the port. When port security is enabled on a switch port, the devices that can connect to a switch through the port are restricted.

Port security uses the MAC address to identify allowed and denied devices.

You can specify only a single MAC address that is allowed, or allow multiple addresses per port.

With automatic configuration, the next device to connect to the port is allowed, while additional devices are denied.

On the switch, MAC addresses are stored in RAM in a table, and are associated with the port.

A port violation occurs when an unauthorized device tries to connect. When a violation occurs, you can drop all frames from the unauthorized device or shut down the port, disabling all communications through that port.

MAC filtering uses the MAC address of a device to drop or forward frames through the switch. Port authentication requires that the user or device authenticates before frames are forwarded through the switch.

In general, all switch ports are enabled by default. To increase the security of the switch and network, you should disable individual ports which are not in use.

Note: If you don't know a workstation's MAC address, use ipconfig /all to find it in the Windows-based world and use ifconfig in Unix/Linux.
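As an added illustration (not part of these notes) of the port-security behaviour described above, the following Python model tracks one switch port's table of allowed MAC addresses, learns the first device automatically when no static address is configured, and applies the two violation actions the notes mention: dropping the offending device's frames or shutting the port down. The class, port names and MAC addresses are made up for the example.

```python
class SecuredPort:
    """Toy model of one switch port with port security enabled (constructed example)."""

    def __init__(self, name, max_addresses=1, static_macs=None, violation="shutdown"):
        self.name = name
        self.max_addresses = max_addresses
        # Statically configured MACs (MAC filtering). If none are given, the port
        # learns automatically: the first device(s) to connect become the allowed set.
        self.allowed = set(static_macs or [])
        self.learning = not static_macs
        self.violation = violation          # "shutdown" disables the port, "drop" discards frames
        self.enabled = True                 # an unused port should be created disabled
        self.violations = 0
        self.forwarded = []                 # frames that made it through the port

    def receive(self, src_mac, payload):
        """Handle a frame arriving on this port; return True if it was forwarded."""
        if not self.enabled:
            return False
        if src_mac not in self.allowed:
            if self.learning and len(self.allowed) < self.max_addresses:
                self.allowed.add(src_mac)   # the next device to connect is allowed
            else:
                self.violations += 1        # port violation: unauthorized device
                if self.violation == "shutdown":
                    self.enabled = False    # all communication through the port stops
                return False
        self.forwarded.append((src_mac, payload))
        return True


def demo_shutdown():
    """Automatic learning, one address, violation action shutdown."""
    port = SecuredPort("Fa0/1")
    outcomes = [port.receive("00:11:22:33:44:55", "hello"),
                port.receive("00:11:22:33:44:55", "again"),
                port.receive("de:ad:be:ef:00:01", "rogue"),    # violation: port shut down
                port.receive("00:11:22:33:44:55", "blocked")]  # even the allowed device is cut off
    return outcomes, port.enabled, port.violations


def demo_drop():
    """Static MAC filter, violation action drop: only the rogue device loses frames."""
    port = SecuredPort("Fa0/2", static_macs=["00:11:22:33:44:55"], violation="drop")
    outcomes = [port.receive("00:11:22:33:44:55", "hello"),
                port.receive("de:ad:be:ef:00:01", "rogue"),
                port.receive("00:11:22:33:44:55", "still works")]
    return outcomes, port.enabled, port.violations


if __name__ == "__main__":
    print("shutdown:", demo_shutdown())
    print("drop:", demo_drop())
```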

Working with 802.1X

The IEEE standard 802.1X is often referred to as EAP over LAN. It defines port-based security for wireless network access control.

Port authentication is provided by the 802.1X protocol, and allows only authenticated devices to connect to the LAN through the switch. Authentication uses usernames and passwords, smart cards, or other authentication methods.

When a device first connects, the port is set to an unauthorized state. Ports in unauthorized states can only be used for 802.1X authentication traffic.

The process begins by the switch sending an authentication request to the device.

The device responds with authentication credentials, which are forwarded by the switch to the authentication device (such as a RADIUS server).

After the server authenticates the device or the user, the switch port is placed in an authorized state, and access to other LAN devices is allowed.

When a device disconnects, the switch places the port in the unauthorized state.
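The 802.1X sequence just listed, as an added Python walkthrough that is not part of the original notes: the port starts unauthorized and passes only 802.1X (EAPOL) traffic, the switch relays the device's credentials to a stub authentication server standing in for RADIUS, and the port is authorized only on an accept and returns to unauthorized on disconnect. The class names and the credential set are made up for the example.

```python
class StubAuthServer:
    """Stand-in for the RADIUS server; checks a constructed user table."""

    def __init__(self, users):
        self.users = users                  # username -> password

    def access_request(self, username, password):
        ok = self.users.get(username) == password
        return "Access-Accept" if ok else "Access-Reject"


class Dot1xPort:
    """One switch port acting as the 802.1X authenticator."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.state = "unauthorized"
        self.log = []

    def device_connected(self):
        # A newly connected device lands in the unauthorized state and the
        # switch opens the exchange by asking it to authenticate.
        self.state = "unauthorized"
        self.log.append("switch -> device: EAP-Request/Identity")

    def receive(self, kind, credentials=None):
        """Handle a frame from the device: 'EAPOL' carries credentials; anything
        else is ordinary LAN traffic that is forwarded only once authorized."""
        if kind == "EAPOL":
            username, password = credentials
            verdict = self.auth_server.access_request(username, password)
            self.log.append(f"switch -> auth server: credentials for {username}: {verdict}")
            self.state = "authorized" if verdict == "Access-Accept" else "unauthorized"
            return verdict
        if self.state != "authorized":
            self.log.append(f"{kind} frame dropped: port unauthorized")
            return "dropped"
        return "forwarded"

    def device_disconnected(self):
        self.state = "unauthorized"


def walkthrough():
    """Return the outcome of each step in the exchange described in the notes."""
    port = Dot1xPort(StubAuthServer({"alice": "correct horse"}))
    port.device_connected()
    steps = [port.receive("IPv4"),                              # dropped: not yet authorized
             port.receive("EAPOL", ("alice", "wrong guess")),   # Access-Reject
             port.receive("IPv4"),                              # still dropped
             port.receive("EAPOL", ("alice", "correct horse")), # Access-Accept
             port.receive("IPv4")]                              # forwarded
    port.device_disconnected()
    steps.append(port.receive("IPv4"))                          # dropped again
    return steps, port.state


if __name__ == "__main__":
    print(walkthrough())
```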


Flood Guards

A flood guard is a protection feature built into many firewalls that allows the administrator to tweak the tolerance for unanswered login attacks. By reducing this tolerance, it is possible to reduce the likelihood of a successful DoS attack.

Loop Protection

To provide for fault tolerance, many networks implement redundant paths between devices using multiple switches. However, providing redundant paths between segments causes packets to be passed between the redundant paths endlessly. This condition is known as a switching loop. Switching loops lead to incorrect entries in a MAC address table, making a device appear to be connected to the wrong port, and causing unicast traffic to be circulated in a loop between switches. The spanning tree protocol runs on switches to prevent switching loops by making only a single path between switches active at a single time. The spanning tree protocol also provides the following benefits:

Provides redundant paths between devices

Recovers automatically from a topology change or device failure

Identifies the optimal path between any two network devices

Calculates the best loop-free path through a network by assigning a role to each bridge or switch and by assigning roles to the ports of each bridge or switch.
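To make the last point concrete, here is an added Python example (not from the original notes) that runs a simplified spanning tree calculation over a constructed four-switch topology with redundant links: the lowest bridge ID becomes root, every other switch takes its cheapest path to the root as its root port, each link gets one designated end, and the remaining ends are blocked, leaving one active path between any two switches. The switch names, bridge IDs and link costs are made up.

```python
import heapq

# Constructed topology: bridge IDs (lower wins) and links as (a, b, path cost).
BRIDGES = {"S1": 1, "S2": 2, "S3": 3, "S4": 4}
LINKS = [("S1", "S2", 4), ("S1", "S3", 4), ("S2", "S3", 4),
         ("S2", "S4", 19), ("S3", "S4", 19)]


def spanning_tree(bridges, links):
    """Return (root, roles) where roles maps (bridge, neighbour) to 'root',
    'designated' or 'blocked'. Simplified 802.1D: lowest bridge ID is root;
    equal root path costs are broken by the lower upstream bridge ID; on each
    link the end whose bridge has the lower (cost, ID) is designated."""
    root = min(bridges, key=bridges.get)
    adj = {b: [] for b in bridges}
    for a, b, c in links:
        adj[a].append((b, c))
        adj[b].append((a, c))
    cost = {b: float("inf") for b in bridges}
    cost[root] = 0
    upstream = {}                                    # bridge -> neighbour on its root port
    heap = [(0, bridges[root], root)]
    while heap:                                      # Dijkstra from the root (costs > 0)
        c, _, u = heapq.heappop(heap)
        if c > cost[u]:
            continue
        for v, w in adj[u]:
            nc = c + w
            better = nc < cost[v] or (nc == cost[v] and bridges[u] < bridges[upstream[v]])
            if better:
                cost[v], upstream[v] = nc, u
                heapq.heappush(heap, (nc, bridges[v], v))
    roles = {}
    for a, b, _ in links:
        key = lambda x: (cost[x], bridges[x])
        desig, other = (a, b) if key(a) < key(b) else (b, a)
        roles[(desig, other)] = "designated"
        roles[(other, desig)] = "root" if upstream.get(other) == desig else "blocked"
    return root, roles


def active_links(roles):
    """Links that carry traffic after convergence (neither end blocked)."""
    return sorted({tuple(sorted(p)) for p, r in roles.items()
                   if r != "blocked" and roles[(p[1], p[0])] != "blocked"})


if __name__ == "__main__":
    root, roles = spanning_tree(BRIDGES, LINKS)
    print("root bridge:", root)
    for (a, b), role in sorted(roles.items()):
        print(f"{a} port to {b}: {role}")
    print("active links:", active_links(roles))
```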

Preventing Network Bridging

Network bridging occurs when a device has more than one network adapter card installed and the opportunity presents itself for a user on one of the networks to which the device is attached to jump to the other.

To prevent network bridging, you can configure your network such that when bridging is detected, you shut off/disable that jack. You can also create profiles that allow for only one interface.

It is not uncommon for a network bridge to appear in the Network Sharing Center. If it does appear, you will want to delete it. Windows Internet Connection Sharing (ICS) is often pointed to as a cause of unintended bridging and should be disabled.



Log analysis is crucial to identifying problems that occur related to security. As an administrator, you have the ability to turn on logging at many different locations and levels. Not only do you need to collect and analyze the logs, but you also need to store them for a time in the future when you want to compare what is happening now to then (baselining).

Mitigation and Deterrent Techniques

Manual Bypassing of Electronic Controls

When an application, system, or safeguard fails, either through a crash or someone bypassing the expected control path, there are two states it can fail in: failsafe (secure) or failopen (not secure). When using failsafe, the application stops work, reports an error, and closes out/exits. The alternative, known as failopen, is for the application to stop running and let you know that it encountered the unexpected character. You can enter what the character is supposed to be at a prompt, and the application will pick back up where it left off, continuing the process. The problem with this scenario is that when the application crashes, it stays running at the elevated privileges needed to make the changes and is susceptible to an attacker breaking out of it in order to do harm.

The choice of states to fail in is relevant not only to applications you create but also to firewalls (when the control fails, is all traffic blocked or allowed?), databases, and network appliances.
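The firewall question in the last sentence, as an added Python example that is not part of the original notes: the same packet filter written fail-open (an error in the control lets all traffic through) and fail-safe (the error is reported and the traffic is blocked). The rule table and addresses are constructed.

```python
class RuleStoreUnavailable(Exception):
    """The filter's rule table could not be consulted (crash, bypassed control path)."""


def lookup_rule(rules, src, dst):
    """Return True when an explicit allow rule exists; raise if the store is gone."""
    if rules is None:
        raise RuleStoreUnavailable("rule store unreachable")
    return rules.get((src, dst), False)


def filter_fail_open(rules, src, dst):
    """Fail-open (not secure): when the control fails, everything is allowed."""
    try:
        return lookup_rule(rules, src, dst)
    except RuleStoreUnavailable:
        return True


ERRORS = []   # stands in for the firewall's error log


def filter_fail_safe(rules, src, dst):
    """Fail-safe (secure): when the control fails, report it and block all traffic."""
    try:
        return lookup_rule(rules, src, dst)
    except RuleStoreUnavailable as exc:
        ERRORS.append(f"blocking {src}->{dst}: {exc}")
        return False


# Constructed rule table: only the web client may reach the web server.
RULES = {("10.0.0.5", "10.0.0.80"): True}


def compare(rules):
    """Decisions for an allowed flow and an unknown flow under both designs."""
    flows = [("10.0.0.5", "10.0.0.80"), ("10.0.0.66", "10.0.0.80")]
    return {"fail_open": [filter_fail_open(rules, s, d) for s, d in flows],
            "fail_safe": [filter_fail_safe(rules, s, d) for s, d in flows]}


if __name__ == "__main__":
    print("store healthy:", compare(RULES))   # both designs agree
    print("store down:   ", compare(None))    # fail-open lets the unknown flow through
    print("\n".join(ERRORS))
```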

Monitoring System Logs

There are four logs that exist on most systems. These are event logs, security logs, access logs, and audit logs. You can view the event logs in Event Viewer. The options within Event Viewer allow you to perform such actions as save the log file, open saved logs, filter the log file, and see/change properties.

Security logs are accessed beneath Windows Logs in Event Viewer, and each event is preceded by either a key (audit success) or a lock (audit failure). The Security log in Windows shows successful and unsuccessful login attempts. You should look at these logs periodically and not just when something goes wrong.
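An added Python example (not from the original notes) of the periodic review just recommended: it walks a constructed set of Windows Security log records, pairs audit failures with audit successes per account and source, and reports accounts where a run of failed logons was followed by a success, the pattern a password-guessing attempt that eventually worked leaves behind. Event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows IDs; the records themselves are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Security log records (not a real export): time, event ID, account, source.
# 4625 = audit failure (lock icon), 4624 = audit success (key icon).
EVENTS = [
    ("2013-10-26 08:01:10", 4624, "jdoe", "10.0.0.15"),
    ("2013-10-26 08:02:03", 4625, "admin", "10.0.0.99"),
    ("2013-10-26 08:02:05", 4625, "admin", "10.0.0.99"),
    ("2013-10-26 08:02:07", 4625, "admin", "10.0.0.99"),
    ("2013-10-26 08:02:09", 4625, "admin", "10.0.0.99"),
    ("2013-10-26 08:02:12", 4624, "admin", "10.0.0.99"),
    ("2013-10-26 09:15:40", 4625, "jdoe", "10.0.0.15"),
    ("2013-10-26 09:15:55", 4624, "jdoe", "10.0.0.15"),
]


def review_logons(events, max_failures=3, window_seconds=300):
    """Return per-account totals plus a list of suspicious accounts: those with
    more than `max_failures` failed logons inside `window_seconds` that were
    followed by a successful logon from the same source."""
    totals = defaultdict(lambda: {"success": 0, "failure": 0})
    recent_failures = defaultdict(list)      # (account, source) -> failure timestamps
    suspicious = []
    for stamp, event_id, account, source in sorted(events):
        t = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        key = (account, source)
        # keep only the failures that fall inside the sliding window
        recent_failures[key] = [f for f in recent_failures[key]
                                if (t - f).total_seconds() <= window_seconds]
        if event_id == 4625:
            totals[account]["failure"] += 1
            recent_failures[key].append(t)
        elif event_id == 4624:
            totals[account]["success"] += 1
            if len(recent_failures[key]) > max_failures:
                suspicious.append({"account": account, "source": source,
                                   "failures_before_success": len(recent_failures[key]),
                                   "success_at": stamp})
            recent_failures[key] = []
    return dict(totals), suspicious


if __name__ == "__main__":
    totals, suspicious = review_logons(EVENTS)
    for account, counts in totals.items():
        print(f"{account}: {counts['success']} successful, {counts['failure']} failed")
    for hit in suspicious:
        print("review:", hit)
```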

Security Posture

A security posture is the approach a business takes to security. This runs the entire gamut from the planning phase to implementation and everything in between: hardware, software, settings, and so on.

Almost every department generates its own reports and uses what they find as a dashboard for action. When it comes to analyzing or sharing security report information with others, you want to focus on three key areas:

Alarms are indications of a problem currently going on. These are conditions that you must respond to right now. Alarm rates can indicate trends that are occurring, and after you solve the problem, you need to look for indications that the condition may not be

Directly below alarms are alerts; these are issues that you need to pay attention to but are not bringing the system to its knees at this very moment.

Trends indicate where problems are occurring. By focusing on trends, you can identify weaknesses in your system and areas where you need to devote more resources to head off future problems. Trend reporting is most useful in predicting the possibility of an event occurring for security planning purposes.

Detection/Prevention Controls

One of the easiest ways to detect and prevent problems is to let people know that they are being monitored. In the physical world, monitoring can be done by either cameras or guards. Where possible, you can combine guards with cameras to create a potent deterrent. The cameras can send signals to a room where they are monitored by a guard capable of responding to a situation when a need arises.