Chapter 7: Security Assessment,
Analysis, and Assurance
Guide to Computer Network Security
Security Assessment, Analysis,
and Assurance
The rapid development in both computer and
telecommunication technologies has resulted in
massive interconnectivity and interoperability of
systems
The bigger the networks, the bigger the security
problems involving system resources on these
networks. Many companies, businesses, and
institutions whose systems work in coordination and
collaboration with other systems as they share each
others’ resources and communicate with each other,
face a constant security threat to these systems,
yet the collaboration must go on.
Kizza - Guide to Computer Network
Security
2
For security assurance of networked systems,
such risks must be assessed to determine the
adequacy of existing security measures and
safeguards and also to determine if
improvement in the existing measures is needed.
The security assessment process consists of a
comprehensive and continuous analysis of the
security threat risk to the system that involves
an auditing of the system, assessing the
vulnerabilities of the system, and maintaining a
creditable security policy and a vigorous regime
for the installation of patches and security
updates.
In addition, there must also be a standard
process to minimize the risks associated with
non-standard security implementations across
shared infrastructures and end systems
Kizza - Guide to Computer Network
Security
3
The process to achieve all these and
more consists of several tasks
including:
– A security policy
– Security requirements specification
– Identification of and threat analysis
– Vulnerability assessment,
– Security certification,
– Monitoring of vulnerabilities and
auditing.
Kizza - Guide to Computer Network
Security
4
Vulnerability Assessment lets
you:
– Understand the state of vulnerability
within your network.
– Better evaluate the risks from new
vulnerabilities.
– Learn about new fixes and workarounds from a single source.
– Avoid unplanned downtime and lost
productivity.
– Minimize the costs that are associated
with security incidents.
Kizza - Guide to Computer Network
Security
5
Vulnerability Assessment
Techniques
Active Assessments
– Any use of a network scanner to find hosts, services and
vulnerabilities
– is a form of active assessment. Regardless if the scan is
sending one ICMP packet, or a full fledged DOS attack,
any assessment invoking placing packets on the wire to
interrogate a host for unknown services or vulnerabilities
is an active assessment.
– Many network scanners have controls on how aggressive
they pursue their interrogation of the network and the
servers they encounter. For example, Nessus
(http://www.nessus.org), has a concept of ‘safe checks’
which causes it to be less intrusive when performing
security audits of network services.
– Other commercial scanners have a similar mode which is
deceptively called ‘passive scanning’.
Kizza - Guide to Computer Network
Security
6
Passive Assessments
– Sniffing network traffic to deduce a list of active
systems, active services, active applications and even
active vulnerabilities is referred to as a passive
assessment.
– Passive assessment is a continuous effort such that the
sniffer performing the analysis can see the network
24x7. An active assessment is really a picture of the
network at a point in time. Passive assessments offer a
more accurate listing of who is actually using the
network.
– There are a lot of ‘gotchas’ with passive assessment. For
example, how does one know if an IP address is active
or not? Consider a DHCP network (Dynamic Host
Configuration Protocol - a client/server protocol that
automatically provides an Internet Protocol (IP) host
with its IP address and other related configuration
information such as the subnet mask and default
gateway.) . Through the course of a week, many hosts
will boot up and receive an IP each day. If the host gets
a different IP each day, by the end of the week, it will
7
Kizza - Guide to Computer Network
look like many hosts
areSecurity
active on the network.
Host-based audits
Host-based audits are conducted on
individual computers. The
advantages of host-based
assessment are:
– Greatly reduced numbers of false
positive and false negative reports when
compared with network-based products.
– Superior scalability over network-based
products.
– Increased security over agent-less
assessments that require administrative
privileges.
Kizza - Guide to Computer Network
Security
8
Network-based audits
Network-based audits are conducted from
central locations on the network The
advantages of network-based assessment
are:
– Immediate network-wide vulnerability
information
– Immediate vulnerability information about
network resources that cannot install
monitoring agents; for example, network
routers or firewalls.
– Discovery of unknown computers and other
resources on the network.
– Ability to audit the vulnerability of computers
to attacks from
inside or outside the network.
Kizza - Guide to Computer Network
Security
9
Blended Assessments
– A “blended” form of security assessment
utilizes a combination of active, passive
and host-based techniques. Each
method in the combo has several
advantages and disadvantages which
can be used to offset a variety of
technical and political limitations
imposed by large enterprise networks.
Kizza - Guide to Computer Network
Security
10
Additional features
– Centralized reporting and management
of vulnerabilities.
– Comprehensive "health check" of the
network is available from a central
location with a consistent, automated,
repeatable, and on-demand system.
– Identifies vulnerabilities in mission
critical systems and applications, not
just the operating system.
– Can be scalable to provide coverage
for the entire enterprise that can extend
across the Internet.
Kizza - Guide to Computer Network
Security
11
Design and Implementation of an
Enterprise Security Policy
The design of a security policy must
take into account the following
issues:
Kizza - Guide to Computer Network
Security
12
Physical Security Controls:
– This includes the physical infrastructure, device
security and physical access. The physical
infrastructure involves appropriate media and
path of physical cabling. Make sure that
intruders cannot eavesdrop between lines by
using detectors like time domain reflectometer
for coaxial cable and optical splitter using an
optical time domain reflectometer for fiber
optics.
– Physical cabling network topology to ensure
the availability of the network to all attached
devices. The cabling should be well secured to
prevent access to any part
Kizza - Guide to Computer Network
Security
13
Physical Device Security
– The location of the critical network resources is
very important. All network resources (
network hosts, switches, routers, firewalls,
access servers) should be located in very
restricted areas. Physical access restrictions
and requirements are determined from the
results of the risk analysis or physical security
surveys.
– Environment safeguards – all the following are
important:
Fire (prevention/protection/detection)
Water
Electric power
Temperature/humidity
Natural disasters
Magnetic fields
Good housekeeping procedures
Kizza - Guide to Computer Network
Security
14
Logical Security Controls
– Create boundaries between network segments:
To control the flow of traffic between different cabled
segments – subnets by using IP-address filters to
deny access of specific subnets by IP addresses from
non-trusted hosts.
Permit or deny access based on subnet addresses – if
possible.
But keep in mind that IP addresses are very easy to
spoof.
– The logical infrastructure of a network depends largely
on how a network is logically separated and how traffic
is controlled between those subnets.
– Routing (layer-3 switching) is how traffic is controlled
between subnets.
Determining optional routing path
Transporting packets through the subnets.
– A security plan must include a detailed routing policy.
– Fully understand the routing protocols used in the
corporate environment.
Kizza - Guide to Computer Network
Security
15
Logical Access Control – access to equipment and
network segments should be restricted to
individuals who require access.
– Two types of control on access to network
resources should be implemented:
Preventive controls – uniquely identifies
every authorized user and denies others
Detective controls – logs and reports
activities of users – also logs and reports un
authorized users.
– Remember the human factor
Any security implemented is as good as the
weakest link.
Kizza - Guide to Computer Network
Security
16
Infrastructure and Data Integrity
– Ensure as best as you can that your traffic on the
network is valid. It may be any of the following
Supported services – like firewalls. Firewalls are very
essential in the control of traffic. It relies solely on
the TCP, UDP, ICMP, and IP headers of individual
packets to allow or deny the packet. It may also use
TCP and UDP source and destination port numbers.
Unspoofed traffic
Unaltered traffic
– Most of the traffic control is based on the following
characteristics of the traffic:
Direction
Origin
IP address
Port numbers
Authentication
Application content
Kizza - Guide to Computer Network
Security
17
Network Services
– Choosing what type of network services and protocols
the network will use is a daunting job. A few policies to
choose from
Permit all and deny as needed. It is easy to implement.
Turn on all services and protocols and turn them off
selectively as security holes become apparent. It is simple
however, it is prone to attacks.
Deny all mode is generally more secure but more complex
to implement.
– Security complexity can grow exponentially
– Services most commonly needed include:
SNMP
DNS
NTP
WWW
Telnet
FTP
NNTP
SMTP
Kizza -services
Guide to Computer
– To determine which
toNetwork
filter follow guidelines
Security
i.e. CERT
18
Authenticated Data
– To ensure a reasonable amount of data
integrity, you should authenticate most of the
traffic traversing the network. Traffic specific
to the operations of a secure network
infrastructure ( such as updating of routing
tables) should be authenticated.
– Checksum protects against the injection of
spurious packets from an intruder. Combined
with sequence number techniques, checksum
can also protect against replay attacks.
– Most security is always provided by complete
encryption routing tables. However encryption
has an overhead.
Kizza - Guide to Computer Network
Security
19
Common Attack Deterrents
– In many cases attacks against a host behind a
firewall can be stopped. Develop a policy to
insulate internal hosts.
– Web servers, FTP servers, mail servers, even
behind a firewall, are among the network
service provider resources at most risk
because any host, in the inside network can
play bad to it. You are generally better of
putting those exposed service providers on a
demilitarized zone (DMZ) network.
– Install a honeypot.
Kizza - Guide to Computer Network
Security
20
– The following list provides an example of
some items in an infrastructure and data
integrity security policy:
Infrastructure Security:
– Access to switch LAN ports and router interfaces will be
disabled when not in use
– Firewall functionality will be used at all engress access
points – any connection that provides access anywhere
outside the Enterprise
– Only necessary network services will be supported.
These services will be defined by the Network
Operations Group.
Data Integrity:
– Software not related to work will not be used on any
computer that is part of the network.
– All software images and operating systems should use
checksum verification scheme before installation to
confirm their integrity.
– All routing updates
and VLAN updates must be21
Kizza - Guide to Computer Network
Security
authenticated between
sending and receiving
Data Confidentiality
– This calls for encryption. The hardest part is to decide
which data to encrypt. The decision should be based on
the outcome of the Risk Assessment procedure in which
data is classified according to its security sensitivity.
Encrypt the data that will take the greatest risk without.
– For example in an enterprise:
All data dealing with employee salary and benefits.
All data on product development
All data on sales, etc..
– Pay attention to the local Network Address Translation
(NAT) – a system used to help Network administrators
with large pools of hosts from renumbering them when
they all come on the Internet.
Kizza - Guide to Computer Network
Security
22
Policies and Procedures for Staff
– These are guidelines to help people working on the
network infrastructure.
– Secure Backup – of all network service servers, and that
of configurations and images of networking
infrastructure equipment is critical
Ensure that the system creates backups for all
network infrastructure equipment configurations and
software images
Ensure that backups of all servers that provide
network services
Ensure that an offsite storage of the backups is used
– selected for both security and availability
Encrypt the backups – making sure that the will be a
key to decrypt the backups when needed.
Kizza - Guide to Computer Network
Security
23
Periodically verify the correctness and completeness
of the backups
Keep the original and backup safe. It is important to
keep the backup copies in separate and secure
locations ( Recall World Trade Center backups in
Colorado and Utah)
The following are good guidelines:
– Key positions must be identified and potential
successors should be identified
– Recruiting employees for positions in the
implementation and operation of the network
infrastructure requires a thorough background
check
– All personnel involved in the implementation and
supporting the network infrastructure must attend
a security seminar for awareness
– All backups will be stored in a dedicated locked
area.
Kizza - Guide to Computer Network
Security
24
– Equipment Certification
All new equipment to be added to the infrastructure
should adhere to specified security requirements.
Each site of the infrastructure should decide which
security features and functionalities are necessary to
support the security policy.
The following are good guidelines:
– All infrastructure equipment must pass the acquisition
certification process before purchase
– All new images and configurations must be modeled in
a test facility before deployment
– All major scheduled network outages and interruptions
of services must announced to those to be affected
well ahead of time.
– Use of Portable Tools
Note that portable tools like laptops always pose
some security risks.
Develop guidelines for the kinds of data allowed to
reside on hard drives of portable tools and how that
data should be protected.
Kizza - Guide to Computer Network
Security
25
– Audit Trails
Keep logs of traffic patterns and noting any deviations from
normal behavior found. Such deviations are the first clues to
security problems.
The data to be collected in the logs should include the following:
– User name
– Host name
– Source and destination IP addresses
– Source and destination port numbers
– Timestamp
This collected data should be kept local to the resource until an
event is finished upon which it may be taken to a secure location.
Make sure that the paths (Channels) from the collection points to
the storage location are secure.
Audit data should be one of the most secured data on location and
in back ups.
– Legal Considerations
Because of the content of the audit trail, a number of legal
questions arise that may need attention.
One area of concern is the privacy issue of the users and data
content – because it may contain personal information.
Second area of concern is the knowledge of an intrusive behavior.
For example having knowledge of the intrusive behavior of others
including organization.
Kizza - Guide to Computer Network
Security
26
Security Awareness Training
– Users of computers and computer networks are not usually
aware of the security ramifications caused by certain actions .
It is imperative for employees to be aware of the importance
of security through security training
– The training should provided to all personnel
– Training should contain the following:
Types of security
Internal control techniques
Maintenance
– For those employees with network security responsibilities,
they must be taught the following:
Security techniques
Methodologies for evaluating threats and vulnerabilities
Selection criteria and implementation of controls
The importance of what is at risk if security is not
maintained
Kizza - Guide to Computer Network
Security
27
– Make the following rules abided to before connecting a
LAN to the corporate backbone:
Provide documentation on network infrastructure
layout
Provide controlled software downloads
Provide adequate user training
Provide training to personnel in charge of issuing
passwords.
– Social Engineering
Train employees not to believe anyone who
calls/emails them to do something that might
compromise security.
Before giving any information they must positively
identify they are dealing with
Kizza - Guide to Computer Network
Security
28
Incident Handling
– A security bleach is an incident resulting from an external intruder,
unintentional damage, an employee testing some new program and
inadvertently exploiting a software vulnerability, or a disgruntled
employee causing intentional damage.
– Build an Incident Response Team
This is centralized group which is the primary focus when an
incident occurs
It is a small core group with the following responsibilities:
– Keeping up-to-date with the latest threats and incidents
– Being the main point of contact for incident reporting
– Notifying others of the incident
– Assessing the damage and impact of the incident
– Finding out how to avoid further exploitation of the same
vulnerability
– Recovering from the incident
Core team members must be knowledgeable, all rounded with a
correct mix of technical, communication, and political skills.
Kizza - Guide to Computer Network
Security
29
– Detecting an Incident –
when looking for signs of a security bleach focus on the following:
– Accounting discrepancies
– Data modification and deletion
– Users complaining of poor system performance
– Atypical traffic patterns
– Atypical time of system use
– Large numbers of failed login attempts
Detecting anomalies of normal behavior requires having
knowledge of “normal” systems functions. Use audit trails to learn
historical behavior of the system.
You must follow certain steps when handling an incident whose
goals are defined by management and legal counsel.
But the most fundament goal is to restore the affected system and
to limit the impact and damage. In the worst-case scenario it is
better to shut down the system.
It is better to prioritize actions to be taken during an incident
handling
Kizza - Guide to Computer Network
Security
30
Priorities should correspond to the organizations security policy
and they should include the following:
– Protecting human life and peoples’ safety
– Protecting sensitive and/or classified data
– Protecting data that is costly in terms of resources
– Preventing damage to systems
– Minimizing the disruption of computing resources
It is always important to assess the damage by doing some or all
of the following:
– Check and analyze all traffic logs for abnormal behavior ,
especially on network perimeter access points like internet
access or dial-in access
– Verify infrastructure device checksum or operating systems
checksum on critical servers to see whether operating system
software has been compromised.
– Verify configuration changes on infrastructure devices like
servers to ensure that no one has tempered with them
– Check the sensitive data to see whether it is assessed or
changed
– Check traffic logs for unusually large traffic streams from a
single source or streams going to a single destination
– Run a check on the network on any new or unknown devices
– Check passwords on critical systems to ensure that they have
not been modified
Kizza - Guide to Computer Network
Security
31
– Reporting and Alerting Procedures
Establish a systematic approach for reporting incidents and
subsequently notifying affected areas
Essential communication mechanisms include:
– A monitored central phone, email, pager , or other quick
communication device
Establish clearly who to alert first and who should be on the list of
people to alert next.
Decide on how much information to give each member on the list
Find ways to minimize negative exposure ( Read RFC 2196 on
guidelines for level of details to provide) including:
– Keeping technical level of details low
– Working with law enforcement agents to protect evidence
– Delegating all handling of the public to in-house PR people
– keeping speculation out of public comments
Kizza - Guide to Computer Network
Security
32
– Responding to the Incident
Control must be restored and normalcy must be
restored
If it requires shutting down the system to stop the
intruder, do so.
Keep accurate documentation so that it can be used
later to analyze any causes and effects
Keep a log book of all activities during the incident.
– Recovering from an Incident
Make a post-mortem analysis of what happened, how
it happened, and what steps need to be taken to
prevent similar incidents in the future.
Develop a formal report with proper chronological
sequence of events to be presented to management.
Make sure not to over react by turning your system
into a fortress.
Kizza - Guide to Computer Network
Security
33
Strengths and Weaknesses of
Assessment Technologies
Active Scanning
– Strengths
All active scans can be independent of any network management
or system administration information. This makes for a much more
‘honest’ security audit of any system or network.
Active scans can provide extremely accurate information about
what services are running, what hosts are active and if there are
any vulnerabilities present.
– Weaknesses
Unfortunately, the information discovered by an active scan may
be out of date as soon as the scan is completed.
Many small changes to the network topology such as the addition
of new hosts will go unnoticed until the next active scan.
To compensate for speed and potential adverse impact:
– minimize the ports and the vulnerabilities scanned
Active scans can also generate an excessive amount of firewall and
intrusion detection logs.
Kizza - Guide to Computer Network
Security
34
Passive Scanning
– Strengths
The greatest strength of a passive scan is the lack of
any impact to the network and the minimal time it
takes to find real results.
A passive scanner operates 24x7 and when you want
to know what vulnerabilities it has seen, a report can
be immediately generated.
Passive scanning also has an advantage of
discovering client side vulnerabilities and
vulnerabilities in Intranet networks we don’t have
permission to scan.
– Weaknesses
Unfortunately, for a passive scan to work, a
detectable host must elicit or respond to a packet. If
a server never communicates on the network, the
console will never see it.
Kizza - Guide to Computer Network
Security
35
Host-based Scanning
– Strengths
The greatest strengths that host-based scanning has
going for it are speed and accuracy. It takes a few
seconds in most cases to complete an audit of all
patches for a RedHat or Windows 2000 server if
credentials have been provided. This audit consists of
well-known APIs and patch management tools
provided by the underlying operating system.
– Weaknesses
The biggest weakness for host-based scanning with
many scanners like Nessus and NeWT is that
credentials need to be supplied. Often, obtaining
these credentials is takes time. In many cases, an
IT group may not appreciate giving a security group
the ability to audit it at any time.
Kizza - Guide to Computer Network
Security
36