• Define vulnerability assessment and explain why it is important
• List vulnerability assessment techniques and tools
• Explain the differences between vulnerability scanning and penetration testing
• List techniques for mitigating and deterring attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition 2

• Systematic evaluation of asset exposure
– Attackers
– Forces of nature
– Any potentially harmful entity
• Aspects of vulnerability assessment
– Asset identification
– Threat evaluation
– Vulnerability appraisal
– Risk assessment
– Risk mitigation
Security+ Guide to Network Security Fundamentals, Fourth Edition 3

• Asset identification
– Process of inventorying items with economic value
• Common assets
– People
– Physical assets
– Data
– Hardware
– Software
Security+ Guide to Network Security Fundamentals, Fourth Edition 4

• Determine each item’s relative value
– Asset’s criticality to organization’s goals
– How much revenue asset generates
– How difficult to replace asset
– Impact of asset unavailability to the organization
• Could rank using a number scale
Security+ Guide to Network Security Fundamentals, Fourth Edition 5

• Threat evaluation
– List potential threats
• Threat modeling
– Goal: understand attackers and their methods
– Often done by constructing scenarios
• Attack tree
– Provides visual representation of potential attacks
– Inverted tree structure
Security+ Guide to Network Security Fundamentals, Fourth Edition 6

Table 4-1 Common threat agents
Security+ Guide to Network Security Fundamentals, Fourth Edition 7

Figure 4-1 Attack tree for stealing a car stereo
© Cengage Learning 2012
Security+ Guide to Network Security Fundamentals, Fourth Edition 8

Figure 4-2 Attack tree for breaking into grading system
© Cengage Learning 2012
Security+ Guide to Network Security Fundamentals, Fourth Edition 9

• Vulnerability appraisal
– Determine current weaknesses
• Snapshot of current organization security
– Every asset should be viewed in light of each threat
– Catalog each vulnerability
• Risk assessment
– Determine damage resulting from attack
– Assess likelihood that vulnerability is a risk to organization
Security+ Guide to Network Security Fundamentals, Fourth Edition 10

Table 4-2 Vulnerability impact scale
Security+ Guide to Network Security Fundamentals, Fourth Edition 11

• Single loss expectancy (SLE)
– Expected monetary loss each time a risk occurs
– Calculated by multiplying the asset value by exposure factor
– Exposure factor: percentage of asset value likely to be destroyed by a particular risk
Security+ Guide to Network Security Fundamentals, Fourth Edition 12

• Annualized loss expectancy (ALE)
– Expected monetary loss over a one year period
– Multiply SLE by annualized rate of occurrence
– Annualized rate of occurrence: probability that a risk will occur in a particular year
Security+ Guide to Network Security Fundamentals, Fourth Edition 13

• Estimate probability that vulnerability will actually occur
• Risk mitigation
– Determine what to do about risks
– Determine how much risk can be tolerated
• Options for dealing with risk
– Diminish
– Transfer (outsourcing, insurance)
– Accept
Security+ Guide to Network Security Fundamentals, Fourth Edition 14

Table 4-3 Risk identification steps
Security+ Guide to Network Security Fundamentals, Fourth Edition 15

• Baseline reporting
– Baseline: standard for solid security
– Compare present state to baseline
– Note, evaluate, and possibly address differences
Security+ Guide to Network Security Fundamentals, Fourth Edition 16

• Application development techniques
– Minimize vulnerabilities during software development
• Challenges to approach
– Software application size and complexity
– Lack of security specifications
– Future attack techniques unknown
Security+ Guide to Network Security Fundamentals, Fourth Edition 17

• Software development assessment techniques
– Review architectural design in requirements phase
– Conduct design reviews
• Consider including a security consultant
– Conduct code review during implementation phase
• Examine attack surface (code executed by users)
– Correct bugs during verification phase
– Create and distribute security updates as necessary
Security+ Guide to Network Security Fundamentals, Fourth Edition 18

Figure 4-3 Software development process
© Cengage Learning 2012
Security+ Guide to Network Security Fundamentals, Fourth Edition 19

• IP addresses uniquely identify each network device
• TCP/IP communication
– Involves information exchange between one system’s program and another system’s corresponding program
• Port number
– Unique identifier for applications and services
– 16 bits in length
Security+ Guide to Network Security Fundamentals, Fourth Edition 20

• Well-known port numbers
– Reserved for most universal applications
• Registered port numbers
– Other applications not as widely used
• Dynamic and private port numbers
– Available for any application to use
Security+ Guide to Network Security Fundamentals, Fourth Edition 21

Table 4-4 Commonly used default network ports
Security+ Guide to Network Security Fundamentals, Fourth Edition 22

• Knowledge of what port is being used
– Can be used by attacker to target specific service
• Port scanner software
– Searches system for port vulnerabilities
– Used to determine port state
• Open
• Closed
• Blocked
Security+ Guide to Network Security Fundamentals, Fourth Edition 23

Figure 4-4 Port scanner
© Cengage Learning 2012
Security+ Guide to Network Security Fundamentals, Fourth Edition 24

Table 4-5 Port scanning
Security+ Guide to Network Security Fundamentals, Fourth Edition 25

• Protocol analyzers
– Hardware or software that captures packets:
• To decode and analyze contents
– Also known as sniffers
• Common uses for protocol analyzers
– Used by network administrators for troubleshooting
– Characterizing network traffic
– Security analysis
Security+ Guide to Network Security Fundamentals, Fourth Edition 26

Figure 4-5 Protocol analyzer
© Cengage Learning 2012
Security+ Guide to Network Security Fundamentals, Fourth Edition 27

• Attacker can use protocol analyzer to display content of each transmitted packet
• Vulnerability scanners
– Products that look for vulnerabilities in networks or systems
– Most maintain a database categorizing vulnerabilities they can detect
Security+ Guide to Network Security Fundamentals, Fourth Edition 28

Figure 4-6 Vulnerability scanner
© Cengage Learning 2012
Security+ Guide to Network Security Fundamentals, Fourth Edition 29

• Examples of vulnerability scanners’ capabilities
– Alert when new systems added to network
– Detect when internal system begins to port scan other systems
– Maintain a log of all interactive network sessions
– Track all client and server application vulnerabilities
– Track which systems communicate with other internal systems
Security+ Guide to Network Security Fundamentals, Fourth Edition 30

• Problem with assessment tools
– No standard for collecting, analyzing, reporting vulnerabilities
• Open Vulnerability and Assessment Language
(OVAL)
– Designed to promote open and publicly available security content
– Standardizes information transfer across different security tools and services
Security+ Guide to Network Security Fundamentals, Fourth Edition 31

Figure 4-7 OVAL output
© Cengage Learning 2012
Security+ Guide to Network Security Fundamentals, Fourth Edition 32

• Honeypot
– Computer protected by minimal security
– Intentionally configured with vulnerabilities
– Contains bogus data files
• Goal: trick attackers into revealing their techniques
– Compare to actual production systems to determine security level against the attack
• Honeynet
– Network set up with one or more honeypots
Security+ Guide to Network Security Fundamentals, Fourth Edition 33

• Vulnerability scan
– Automated software searches a system for known security weaknesses
– Creates report of potential exposures
– Should be conducted on existing systems and as new technology is deployed
– Usually performed from inside security perimeter
– Does not interfere with normal network operations
Security+ Guide to Network Security Fundamentals, Fourth Edition 34

• Designed to exploit system weaknesses
• Relies on tester’s skill, knowledge, cunning
• Usually conducted by independent contractor
• Tests usually conducted outside the security perimeter
– May even disrupt network operations
• End result: penetration test report
Security+ Guide to Network Security Fundamentals, Fourth Edition 35

• Black box test
– Tester has no prior knowledge of network infrastructure
• White box test
– Tester has in-depth knowledge of network and systems being tested
• Gray box test
– Some limited information has been provided to the tester
Security+ Guide to Network Security Fundamentals, Fourth Edition 36

Table 4-6 Vulnerability scan and penetration testing features
Security+ Guide to Network Security Fundamentals, Fourth Edition 37

• Standard techniques for mitigating and deterring attacks
– Creating a security posture
– Configuring controls
– Hardening
– Reporting
Security+ Guide to Network Security Fundamentals, Fourth Edition 38

• Security posture describes strategy regarding security
• Initial baseline configuration
– Standard security checklist
– Systems evaluated against baseline
– Starting point for security
• Continuous security monitoring
– Regularly observe systems and networks
Security+ Guide to Network Security Fundamentals, Fourth Edition 39

• Remediation
– As vulnerabilities are exposed, put plan in place to address them
Security+ Guide to Network Security Fundamentals, Fourth Edition 40

• Properly configuring controls is key to mitigating and deterring attacks
• Some controls are for detection
– Security camera
• Some controls are for prevention
– Properly positioned security guard
• Information security controls
– Can be configured to detect attacks and sound alarms, or prevent attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition 41

• Additional consideration
– When normal function interrupted by failure:
• Which is higher priority, security or safety?
– Fail-open lock unlocks doors automatically upon failure
– Fail-safe lock automatically locks
• Highest security level
– Firewall can be configured in fail-safe or fail-open state
Security+ Guide to Network Security Fundamentals, Fourth Edition 42

• Purpose of hardening
– Eliminate as many security risks as possible
• Techniques to harden systems
– Protecting accounts with passwords
– Disabling unnecessary accounts
– Disabling unnecessary services
– Protecting management interfaces and applications
Security+ Guide to Network Security Fundamentals, Fourth Edition 43

• Providing information regarding events that occur
• Alarms or alerts
– Sound warning if specific situation is occurring
– Example: alert if too many failed password attempts
• Reporting can provide information on trends
– Can indicate a serious impending situation
– Example: multiple user accounts experiencing multiple password attempts
Security+ Guide to Network Security Fundamentals, Fourth Edition 44

• Vulnerability assessment
– Methodical evaluation of exposure of assets to risk
– Five steps in an assessment
• Risk describes likelihood that threat agent will exploit a vulnerability
• Several techniques can be used in a vulnerability assessment
• Port scanners, protocol analyzers, honeypots are used as assessment tools
Security+ Guide to Network Security Fundamentals, Fourth Edition 45

• Vulnerability scan searches system for known security weakness and reports findings
• Penetration testing designed to exploit any discovered system weaknesses
– Tester may have various levels of system knowledge
• Standard techniques used to mitigate and deter attacks
– Healthy security posture
– Proper configuration of controls
– Hardening and reporting
Security+ Guide to Network Security Fundamentals, Fourth Edition 46