Chapter 7: Security Assessment, Analysis, and Assurance
Guide to Computer Network Security

Security Assessment, Analysis, and Assurance

The rapid development in both computer and telecommunication technologies has resulted in massive interconnectivity and interoperability of systems. The bigger the networks, the bigger the security problems involving system resources on these networks. Many companies, businesses, and institutions whose systems work in coordination and collaboration with other systems, sharing each other's resources and communicating with each other, face a constant security threat to these systems, yet the collaboration must go on.

Kizza - Guide to Computer Network Security 2

For security assurance of networked systems, such risks must be assessed to determine the adequacy of existing security measures and safeguards and also to determine whether improvement in the existing measures is needed. The security assessment process consists of a comprehensive and continuous analysis of the security threat risk to the system that involves auditing the system, assessing the vulnerabilities of the system, and maintaining a credible security policy and a vigorous regime for the installation of patches and security updates. In addition, there must also be a standard process to minimize the risks associated with non-standard security implementations across shared infrastructures and end systems.

The process to achieve all these and more consists of several tasks including:
– A security policy
– Security requirements specification
– Threat identification and analysis
– Vulnerability assessment
– Security certification
– Monitoring of vulnerabilities and auditing

Vulnerability Assessment lets you:
– Understand the state of vulnerability within your network.
– Better evaluate the risks from new vulnerabilities.
– Learn about new fixes and workarounds from a single source.
– Avoid unplanned downtime and lost productivity.
– Minimize the costs that are associated with security incidents.

Vulnerability Assessment Techniques

Active Assessments
– Any use of a network scanner to find hosts, services and vulnerabilities is a form of active assessment. Regardless of whether the scan sends one ICMP packet or a full-fledged DoS attack, any assessment that involves placing packets on the wire to interrogate a host for unknown services or vulnerabilities is an active assessment.
– Many network scanners have controls on how aggressively they pursue their interrogation of the network and the servers they encounter. For example, Nessus (http://www.nessus.org) has a concept of ‘safe checks’ which causes it to be less intrusive when performing security audits of network services.
– Other commercial scanners have a similar mode which is deceptively called ‘passive scanning’.

Passive Assessments
– Sniffing network traffic to deduce a list of active systems, active services, active applications and even active vulnerabilities is referred to as a passive assessment.
– Passive assessment is a continuous effort, such that the sniffer performing the analysis can see the network 24x7. An active assessment is really a picture of the network at a point in time. Passive assessments offer a more accurate listing of who is actually using the network.
– There are a lot of ‘gotchas’ with passive assessment. For example, how does one know if an IP address is active or not? Consider a DHCP network (Dynamic Host Configuration Protocol: a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway). Through the course of a week, many hosts will boot up and receive an IP each day.
If the host gets a different IP each day, by the end of the week it will look like many hosts are active on the network.

Host-based audits
Host-based audits are conducted on individual computers. The advantages of host-based assessment are:
– Greatly reduced numbers of false positive and false negative reports when compared with network-based products.
– Superior scalability over network-based products.
– Increased security over agent-less assessments that require administrative privileges.

Network-based audits
Network-based audits are conducted from central locations on the network. The advantages of network-based assessment are:
– Immediate network-wide vulnerability information.
– Immediate vulnerability information about network resources that cannot install monitoring agents; for example, network routers or firewalls.
– Discovery of unknown computers and other resources on the network.
– Ability to audit the vulnerability of computers to attacks from inside or outside the network.

Blended Assessments
– A “blended” form of security assessment utilizes a combination of active, passive and host-based techniques. Each method in the combination has several advantages and disadvantages which can be used to offset a variety of technical and political limitations imposed by large enterprise networks.

Additional features
– Centralized reporting and management of vulnerabilities.
– A comprehensive "health check" of the network is available from a central location with a consistent, automated, repeatable, and on-demand system.
– Identifies vulnerabilities in mission critical systems and applications, not just the operating system.
– Can be scaled to provide coverage for the entire enterprise, extending across the Internet.
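The DHCP ‘gotcha’ from the passive-assessment discussion above, worked through as an added example (my code, not from the slides): counting distinct IPs over a week over-counts hosts, while keying on the client hardware address gives a stable count. The observation tuples, MAC addresses and IP addresses are constructed sample data, not sniffer output.

```python
# Added example (not from the Kizza slides): why an IP-only passive inventory
# over-counts hosts on a DHCP network, and how keying on the hardware (MAC)
# address instead gives a stable host count. All observations are constructed.
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed passive observations: (day, client MAC, leased IP).
# Two laptops receive a different address each day; one server keeps its address.
OBSERVATIONS: List[Tuple[int, str, str]] = [
    (1, "00:11:22:33:44:01", "10.0.0.20"),
    (1, "00:11:22:33:44:02", "10.0.0.21"),
    (1, "00:11:22:33:44:10", "10.0.0.5"),   # static server
    (2, "00:11:22:33:44:01", "10.0.0.22"),
    (2, "00:11:22:33:44:02", "10.0.0.23"),
    (2, "00:11:22:33:44:10", "10.0.0.5"),
    (3, "00:11:22:33:44:01", "10.0.0.24"),
    (3, "00:11:22:33:44:02", "10.0.0.20"),  # address reused by a different host
    (3, "00:11:22:33:44:10", "10.0.0.5"),
]


def naive_ip_count(obs: Iterable[Tuple[int, str, str]]) -> int:
    """The 'gotcha' from the slides: counting distinct IPs seen during the week."""
    return len({ip for _, _, ip in obs})


def hosts_by_mac(obs: Iterable[Tuple[int, str, str]]) -> Dict[str, Set[str]]:
    """Every address each hardware address was seen with; the MAC is the host key."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _, mac, ip in obs:
        seen[mac].add(ip)
    return dict(seen)


def active_hosts(obs: Iterable[Tuple[int, str, str]], day: int) -> Set[str]:
    """Hosts active on one day: the point-in-time view an active scan would give."""
    return {mac for d, mac, _ in obs if d == day}


def stale_ips(obs: List[Tuple[int, str, str]], today: int) -> Set[str]:
    """Addresses observed earlier in the week that no host holds today."""
    today_ips = {ip for d, _, ip in obs if d == today}
    return {ip for d, _, ip in obs if d < today} - today_ips


if __name__ == "__main__":
    print("distinct IPs seen:", naive_ip_count(OBSERVATIONS))        # looks like 6 hosts
    print("distinct hosts (by MAC):", len(hosts_by_mac(OBSERVATIONS)))  # really 3
    print("stale addresses on day 3:", sorted(stale_ips(OBSERVATIONS, 3)))
```

Keying on the MAC only works when the sniffer sits in the same broadcast domain as the clients; across a router every frame carries the router's MAC, and clients that randomize their hardware address reintroduce the same over-count.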
Design and Implementation of an Enterprise Security Policy
The design of a security policy must take into account the following issues:

Physical Security Controls
– This includes the physical infrastructure, device security and physical access. The physical infrastructure involves appropriate media and path of physical cabling. Make sure that intruders cannot eavesdrop on lines, using detectors such as a time domain reflectometer for coaxial cable and an optical time domain reflectometer for fiber optics (which reveals an inserted optical splitter).
– Physical cabling network topology to ensure the availability of the network to all attached devices. The cabling should be well secured to prevent access to any part.

Physical Device Security
– The location of the critical network resources is very important. All network resources (network hosts, switches, routers, firewalls, access servers) should be located in very restricted areas. Physical access restrictions and requirements are determined from the results of the risk analysis or physical security surveys.
– Environment safeguards: all the following are important:
  – Fire (prevention/protection/detection)
  – Water
  – Electric power
  – Temperature/humidity
  – Natural disasters
  – Magnetic fields
  – Good housekeeping procedures

Logical Security Controls
– Create boundaries between network segments: control the flow of traffic between different cabled segments (subnets) by using IP-address filters to deny access to specific subnets from non-trusted hosts. Permit or deny access based on subnet addresses, if possible. But keep in mind that IP addresses are very easy to spoof.
– The logical infrastructure of a network depends largely on how a network is logically separated and how traffic is controlled between those subnets.
– Routing (layer-3 switching) is how traffic is controlled between subnets:
  – Determining the optimal routing path
  – Transporting packets through the subnets
– A security plan must include a detailed routing policy.
– Fully understand the routing protocols used in the corporate environment.

Logical Access Control
– Access to equipment and network segments should be restricted to individuals who require access.
– Two types of control on access to network resources should be implemented:
  – Preventive controls: uniquely identify every authorized user and deny others.
  – Detective controls: log and report the activities of users; also log and report unauthorized users.
– Remember the human factor: any security implemented is only as good as the weakest link.

Infrastructure and Data Integrity
– Ensure as best you can that the traffic on your network is valid. It may be any of the following:
  – Supported services, e.g. firewalls. Firewalls are essential in the control of traffic. A firewall relies solely on the TCP, UDP, ICMP, and IP headers of individual packets to allow or deny the packet. It may also use TCP and UDP source and destination port numbers.
  – Unspoofed traffic
  – Unaltered traffic
– Most traffic control is based on the following characteristics of the traffic:
  – Direction
  – Origin IP address
  – Port numbers
  – Authentication
  – Application content

Network Services
– Choosing what types of network services and protocols the network will use is a daunting job. A few policies to choose from:
  – Permit all and deny as needed. It is easy to implement: turn on all services and protocols and turn them off selectively as security holes become apparent. It is simple; however, it is prone to attacks.
  – Deny all mode is generally more secure but more complex to implement.
– Security complexity can grow exponentially.
– Services most commonly needed include:
  – SNMP
  – DNS
  – NTP
  – WWW
  – Telnet
  – FTP
  – NNTP
  – SMTP
– To determine which services to filter, follow published guidelines, e.g. from CERT.

Authenticated Data
– To ensure a reasonable amount of data integrity, you should authenticate most of the traffic traversing the network. Traffic specific to the operations of a secure network infrastructure (such as updating of routing tables) should be authenticated.
– A checksum protects against the injection of spurious packets by an intruder. Combined with sequence number techniques, a checksum can also protect against replay attacks.
– The most security is always provided by complete encryption of routing tables. However, encryption has an overhead.

Common Attack Deterrents
– In many cases attacks against a host behind a firewall can be stopped. Develop a policy to insulate internal hosts.
– Web servers, FTP servers and mail servers, even behind a firewall, are among the network service provider resources at most risk, because any host in the inside network can misbehave toward them. You are generally better off putting those exposed service providers on a demilitarized zone (DMZ) network.
– Install a honeypot.

– The following list provides an example of some items in an infrastructure and data integrity security policy:
Infrastructure Security:
– Access to switch LAN ports and router interfaces will be disabled when not in use.
– Firewall functionality will be used at all egress access points (any connection that provides access anywhere outside the Enterprise).
– Only necessary network services will be supported. These services will be defined by the Network Operations Group.
Data Integrity:
– Software not related to work will not be used on any computer that is part of the network.
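The Authenticated Data slide above says a checksum stops injected packets and, combined with sequence numbers, stops replays. The following is an added example (my code, not from the slides) using a keyed HMAC as the checksum on a routing update; the message format, the shared key and the route contents are constructed, and real routing protocols define their own authentication fields.

```python
# Added example (not from the Kizza slides): a keyed checksum (HMAC-SHA256) plus a
# monotonically increasing sequence number on a routing update. The update
# format, key and routes are constructed for illustration only.
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed shared key, provisioned out of band on both routers.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def make_update(seq: int, routes: Dict[str, str], key: bytes = SHARED_KEY) -> bytes:
    """Sender side: serialise seq + routes deterministically, then append the tag."""
    body = json.dumps({"seq": seq, "routes": routes}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"|" + tag.hex().encode()


class Receiver:
    """Receiver side: accept an update only if the tag verifies and seq moves forward."""

    def __init__(self, key: bytes = SHARED_KEY) -> None:
        self.key = key
        self.last_seq = -1
        self.routes: Dict[str, str] = {}

    def accept(self, msg: bytes) -> Tuple[bool, str]:
        body, sep, tag_hex = msg.rpartition(b"|")
        if not sep:
            return False, "malformed"
        try:
            tag = bytes.fromhex(tag_hex.decode())
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time compare: a forged or altered body fails here (injection).
        if not hmac.compare_digest(expected, tag):
            return False, "bad checksum"
        update = json.loads(body)
        # A replayed (or out-of-order) genuine update fails here.
        if update["seq"] <= self.last_seq:
            return False, "replay"
        self.last_seq = update["seq"]
        self.routes.update(update["routes"])
        return True, "ok"


def demo() -> Dict[str, str]:
    """Walk through accept, an altered update and a replayed one; return the reasons."""
    rx = Receiver()
    good = make_update(1, {"10.1.0.0/16": "10.0.0.1"})
    results = {"first": rx.accept(good)[1]}
    # Altered in flight: the next hop changes but the tag does not.
    tampered = good.replace(b"10.0.0.1", b"10.0.0.9")
    results["tampered"] = rx.accept(tampered)[1]
    # Same genuine message delivered a second time.
    results["replayed"] = rx.accept(good)[1]
    results["next"] = rx.accept(make_update(2, {"10.2.0.0/16": "10.0.0.1"}))[1]
    return results


if __name__ == "__main__":
    print(demo())
```

The sequence check only works if the receiver's last_seq survives restarts (or is re-established at session start); otherwise an old captured update becomes valid again after a reboot.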
– All software images and operating systems should use a checksum verification scheme before installation to confirm their integrity.
– All routing updates and VLAN updates must be authenticated between sending and receiving.

Data Confidentiality
– This calls for encryption. The hardest part is to decide which data to encrypt. The decision should be based on the outcome of the Risk Assessment procedure, in which data is classified according to its security sensitivity. Encrypt the data that would be at the greatest risk without it.
– For example, in an enterprise:
  – All data dealing with employee salary and benefits
  – All data on product development
  – All data on sales, etc.
– Pay attention to the local Network Address Translation (NAT), a system used to help network administrators with large pools of hosts avoid renumbering them when they all come on the Internet.

Policies and Procedures for Staff
– These are guidelines to help people working on the network infrastructure.
– Secure Backup of all network service servers, and of the configurations and images of networking infrastructure equipment, is critical:
  – Ensure that the system creates backups for all network infrastructure equipment configurations and software images
  – Ensure that backups are made of all servers that provide network services
  – Ensure that offsite storage of the backups is used, selected for both security and availability
  – Encrypt the backups, making sure that there will be a key to decrypt the backups when needed
  – Periodically verify the correctness and completeness of the backups
  – Keep the original and backup safe.
It is important to keep the backup copies in separate and secure locations (recall the World Trade Center backups in Colorado and Utah). The following are good guidelines:
– Key positions must be identified and potential successors should be identified
– Recruiting employees for positions in the implementation and operation of the network infrastructure requires a thorough background check
– All personnel involved in the implementation and support of the network infrastructure must attend a security seminar for awareness
– All backups will be stored in a dedicated locked area.

– Equipment Certification
All new equipment to be added to the infrastructure should adhere to specified security requirements. Each site of the infrastructure should decide which security features and functionalities are necessary to support the security policy. The following are good guidelines:
  – All infrastructure equipment must pass the acquisition certification process before purchase
  – All new images and configurations must be modeled in a test facility before deployment
  – All major scheduled network outages and interruptions of services must be announced to those to be affected well ahead of time.
– Use of Portable Tools
Note that portable tools like laptops always pose some security risks. Develop guidelines for the kinds of data allowed to reside on the hard drives of portable tools and how that data should be protected.

– Audit Trails
Keep logs of traffic patterns and note any deviations from normal behavior found. Such deviations are the first clues to security problems. The data to be collected in the logs should include the following:
  – User name
  – Host name
  – Source and destination IP addresses
  – Source and destination port numbers
  – Timestamp
This collected data should be kept local to the resource until an event is finished, upon which it may be taken to a secure location.
Make sure that the paths (channels) from the collection points to the storage location are secure. Audit data should be among the most secured data, on site and in backups.
– Legal Considerations
Because of the content of the audit trail, a number of legal questions arise that may need attention. One area of concern is the privacy of the users and of the data content, because it may contain personal information. A second area of concern is knowledge of intrusive behavior, for example having knowledge of the intrusive behavior of others, including the organization itself.

Security Awareness Training
– Users of computers and computer networks are not usually aware of the security ramifications caused by certain actions. It is imperative for employees to be made aware of the importance of security through security training.
– The training should be provided to all personnel.
– Training should contain the following:
  – Types of security
  – Internal control techniques
  – Maintenance
– Employees with network security responsibilities must be taught the following:
  – Security techniques
  – Methodologies for evaluating threats and vulnerabilities
  – Selection criteria and implementation of controls
  – The importance of what is at risk if security is not maintained
– Make sure the following rules are abided by before connecting a LAN to the corporate backbone:
  – Provide documentation on network infrastructure layout
  – Provide controlled software downloads
  – Provide adequate user training
  – Provide training to personnel in charge of issuing passwords.
– Social Engineering
Train employees not to believe anyone who calls/emails them to do something that might compromise security.
Before giving any information they must positively identify whom they are dealing with.

Incident Handling
– A security breach is an incident resulting from an external intruder, unintentional damage, an employee testing some new program and inadvertently exploiting a software vulnerability, or a disgruntled employee causing intentional damage.
– Build an Incident Response Team
This is a centralized group which is the primary focus when an incident occurs. It is a small core group with the following responsibilities:
  – Keeping up-to-date with the latest threats and incidents
  – Being the main point of contact for incident reporting
  – Notifying others of the incident
  – Assessing the damage and impact of the incident
  – Finding out how to avoid further exploitation of the same vulnerability
  – Recovering from the incident
Core team members must be knowledgeable and well rounded, with the right mix of technical, communication, and political skills.
– Detecting an Incident
When looking for signs of a security breach, focus on the following:
  – Accounting discrepancies
  – Data modification and deletion
  – Users complaining of poor system performance
  – Atypical traffic patterns
  – Atypical time of system use
  – Large numbers of failed login attempts
Detecting anomalies in normal behavior requires having knowledge of “normal” system functions. Use audit trails to learn the historical behavior of the system. You must follow certain steps when handling an incident, whose goals are defined by management and legal counsel. But the most fundamental goal is to restore the affected system and to limit the impact and damage. In the worst-case scenario it is better to shut down the system.
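Two of the incident signs listed above (large numbers of failed login attempts, atypical time of system use) checked over audit-trail records that carry the fields the Audit Trails slide prescribes. This is an added example, not code from the slides; the record format, the ‘|’ separator, the five-failures-in-five-minutes threshold and the baseline working hours are constructed assumptions.

```python
# Added example (not from the Kizza slides): scanning audit-trail records that
# carry the fields the slides prescribe (user, host, source/destination IP and
# port, timestamp) for two of the incident signs listed above: bursts of failed
# logins and logins at atypical hours. Every record below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed records: timestamp|user|host|src_ip|src_port|dst_ip|dst_port|result
AUDIT_LOG = """\
2024-03-04T09:02:11|alice|fs01|10.0.1.15|51022|10.0.0.10|22|success
2024-03-04T09:40:03|bob|fs01|10.0.1.22|51100|10.0.0.10|22|success
2024-03-04T10:15:44|alice|fs01|10.0.1.15|51302|10.0.0.10|22|success
2024-03-05T23:58:01|alice|fs01|198.51.100.7|40001|10.0.0.10|22|failure
2024-03-05T23:58:04|alice|fs01|198.51.100.7|40002|10.0.0.10|22|failure
2024-03-05T23:58:06|root|fs01|198.51.100.7|40003|10.0.0.10|22|failure
2024-03-05T23:58:09|admin|fs01|198.51.100.7|40004|10.0.0.10|22|failure
2024-03-05T23:58:12|alice|fs01|198.51.100.7|40005|10.0.0.10|22|failure
2024-03-06T03:12:30|bob|fs01|10.0.1.22|52210|10.0.0.10|22|success
"""
FIELDS = ["ts", "user", "host", "src_ip", "src_port", "dst_ip", "dst_port", "result"]
# Constructed baseline learned from earlier audit trails: hours each user normally works.
BASELINE: Dict[str, Set[int]] = {"alice": set(range(8, 19)), "bob": set(range(8, 19))}


def parse(log: str) -> List[Dict[str, str]]:
    """Split each record into the audit fields; malformed lines are skipped."""
    records = []
    for line in log.splitlines():
        values = line.split("|")
        if len(values) == len(FIELDS):
            records.append(dict(zip(FIELDS, values)))
    return records


def failed_login_bursts(records: List[Dict[str, str]], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Source IPs with >= threshold failures inside a sliding window (sign: many failed logins)."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for r in records:
        if r["result"] == "failure":
            by_src[r["src_ip"]].append(datetime.fromisoformat(r["ts"]))
    hits: Dict[str, int] = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                hits[src] = max(hits.get(src, 0), end - start + 1)
    return hits


def atypical_hour_logins(records: List[Dict[str, str]],
                         baseline: Dict[str, Set[int]]) -> List[Tuple[str, str]]:
    """Successful logins at an hour outside the user's historical 'normal' hours."""
    flagged = []
    for r in records:
        hour = datetime.fromisoformat(r["ts"]).hour
        if r["result"] == "success" and hour not in baseline.get(r["user"], set()):
            flagged.append((r["user"], r["ts"]))
    return flagged


if __name__ == "__main__":
    recs = parse(AUDIT_LOG)
    print("failed-login bursts:", failed_login_bursts(recs))
    print("atypical-hour logins:", atypical_hour_logins(recs, BASELINE))
```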
It is better to prioritize the actions to be taken during incident handling. Priorities should correspond to the organization's security policy and they should include the following:
– Protecting human life and people's safety
– Protecting sensitive and/or classified data
– Protecting data that is costly in terms of resources
– Preventing damage to systems
– Minimizing the disruption of computing resources
It is always important to assess the damage by doing some or all of the following:
– Check and analyze all traffic logs for abnormal behavior, especially on network perimeter access points like Internet access or dial-in access
– Verify infrastructure device checksums or operating system checksums on critical servers to see whether operating system software has been compromised
– Verify configuration changes on infrastructure devices like servers to ensure that no one has tampered with them
– Check the sensitive data to see whether it has been accessed or changed
– Check traffic logs for unusually large traffic streams from a single source or streams going to a single destination
– Run a check on the network for any new or unknown devices
– Check passwords on critical systems to ensure that they have not been modified

– Reporting and Alerting Procedures
Establish a systematic approach for reporting incidents and subsequently notifying affected areas. Essential communication mechanisms include:
  – A monitored central phone, email, pager, or other quick communication device
Establish clearly who to alert first and who should be on the list of people to alert next.
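The two checksum practices the slides call for, the pre-install image check from the Data Integrity policy and the checksum and configuration verification in the damage-assessment list above, as an added example (my code, not from the slides). The config files, the ‘image’ bytes and the tampering are constructed in a temporary directory, and SHA-256 is my choice of algorithm.

```python
# Added example (not from the Kizza slides) of the two checksum practices the
# slides call for: verifying a software image against its published digest
# before installation, and re-checking a baseline of device config files during
# damage assessment. Files and digests are constructed in a temp directory;
# SHA-256 is my choice of algorithm.
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """Stream the file so a large OS image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def image_ok(path: str, published_digest: str) -> bool:
    """Pre-install check against the vendor's digest obtained out of band."""
    return hmac.compare_digest(sha256_file(path), published_digest.lower())


def baseline(root: str) -> Dict[str, str]:
    """Relative path -> digest for every file under root, taken at a known-good time."""
    result: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def compare_to_baseline(root: str, base: Dict[str, str]) -> Dict[str, List[str]]:
    """Damage-assessment check: what changed, appeared or vanished since the baseline."""
    now = baseline(root)
    return {
        "modified": sorted(p for p in base if p in now and now[p] != base[p]),
        "added": sorted(p for p in now if p not in base),
        "missing": sorted(p for p in base if p not in now),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed config tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "router.cfg"), "w") as f:
            f.write("hostname edge1\nip route 0.0.0.0/0 10.0.0.1\n")
        with open(os.path.join(root, "etc", "acl.cfg"), "w") as f:
            f.write("deny 198.51.100.0/24\n")
        base = baseline(root)
        # Simulated tampering: a route appended, a file dropped in, another removed.
        with open(os.path.join(root, "etc", "router.cfg"), "a") as f:
            f.write("ip route 10.9.0.0/16 203.0.113.5\n")
        with open(os.path.join(root, "etc", "extra.cfg"), "w") as f:
            f.write("ntp server 203.0.113.9\n")
        os.remove(os.path.join(root, "etc", "acl.cfg"))
        return compare_to_baseline(root, base)


def image_check_demo() -> Tuple[bool, bool]:
    """Verify a constructed 'image' (the bytes b'abc') against a right and a wrong digest."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "image.bin")
        with open(path, "wb") as f:
            f.write(b"abc")
        good = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
        return image_ok(path, good), image_ok(path, "00" * 32)


if __name__ == "__main__":
    print(demo(), image_check_demo())
```

The baseline itself must be stored off the device being checked (and ideally in the offsite backup set the slides describe), since an intruder who can alter configs can also alter a baseline kept beside them.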
Decide on how much information to give each member on the list. Find ways to minimize negative exposure (read RFC 2196 for guidelines on the level of detail to provide), including:
– Keeping the technical level of detail low
– Working with law enforcement agents to protect evidence
– Delegating all handling of the public to in-house PR people
– Keeping speculation out of public comments
– Responding to the Incident
Control must be restored and normalcy must be restored. If it requires shutting down the system to stop the intruder, do so. Keep accurate documentation so that it can be used later to analyze any causes and effects. Keep a log book of all activities during the incident.
– Recovering from an Incident
Make a post-mortem analysis of what happened, how it happened, and what steps need to be taken to prevent similar incidents in the future. Develop a formal report with a proper chronological sequence of events to be presented to management. Make sure not to overreact by turning your system into a fortress.

Strengths and Weaknesses of Assessment Technologies

Active Scanning
– Strengths
All active scans can be independent of any network management or system administration information. This makes for a much more ‘honest’ security audit of any system or network. Active scans can provide extremely accurate information about what services are running, what hosts are active and whether there are any vulnerabilities present.
– Weaknesses
Unfortunately, the information discovered by an active scan may be out of date as soon as the scan is completed. Many small changes to the network topology, such as the addition of new hosts, will go unnoticed until the next active scan. To compensate for speed and potential adverse impact:
  – Minimize the ports and the vulnerabilities scanned
Active scans can also generate an excessive amount of firewall and intrusion detection logs.
Passive Scanning
– Strengths
The greatest strength of a passive scan is the lack of any impact on the network and the minimal time it takes to find real results. A passive scanner operates 24x7, and when you want to know what vulnerabilities it has seen, a report can be generated immediately. Passive scanning also has the advantage of discovering client-side vulnerabilities and vulnerabilities in intranet networks we don’t have permission to scan.
– Weaknesses
Unfortunately, for a passive scan to work, a detectable host must elicit or respond to a packet. If a server never communicates on the network, the console will never see it.

Host-based Scanning
– Strengths
The greatest strengths that host-based scanning has going for it are speed and accuracy. In most cases it takes a few seconds to complete an audit of all patches for a RedHat or Windows 2000 server if credentials have been provided. This audit relies on well-known APIs and patch management tools provided by the underlying operating system.
– Weaknesses
The biggest weakness of host-based scanning with many scanners like Nessus and NeWT is that credentials need to be supplied. Often, obtaining these credentials takes time. In many cases, an IT group may not appreciate giving a security group the ability to audit it at any time.