Security Testing and Assessment Tools


To verify that the organization's security controls are functioning as intended, both the IT organization and the IS auditor should use the same techniques that attackers use when attempting to bypass access controls.

A vulnerability assessment is used to identify weaknesses in the organization's systems and data and the risk they pose. Penetration testing goes a step further: it tests whether the controls implemented as countermeasures to those vulnerabilities actually hold up against an attack. Penetration tests performed by or for the organization are sometimes called intrusion tests or ethical hacking. The penetration test team first uses public sources to gather information on the organization's network, systems, and data. This phase, known as discovery, includes scanning techniques (port scans and service banner grabbing) to identify the operating systems and applications on perimeter systems that are listening for network connections, and it may also include reviewing public websites, partner websites, and newsgroups for information on applications and network connectivity. Newsgroups are a good example: system administrators often post questions on the Internet to solve problems they are having with applications or network devices, and an intruder who searches newsgroups for the organization's domain name can learn which products and versions are in use, and therefore which vulnerabilities to try.

When the discovery process is complete, the penetration test team should develop a list of potential vulnerabilities on the network. The team should then systematically attempt to bypass the access controls: guessing passwords (using automated password-cracking tools and dictionaries), searching for back doors into the system, or exploiting known vulnerabilities in the types of servers and applications the organization runs. Penetration testing is intended to use the same techniques and tools that intruders use. It can be performed against both internal targets (such as applications) and external targets (such as firewalls). It should be performed only by qualified and authorized individuals, working from a written penetration test plan with an agreed scope, and with caution on production systems, where a test that crashes a service or locks out accounts causes a real outage. The penetration test plan should specify how vulnerabilities will be identified, documented, and communicated at the conclusion of the penetration testing period.
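The password-guessing step above, as an added example that is not part of the original text: an offline dictionary attack against a constructed store of salted SHA-256 hashes, with the simple mangling rules (case variants plus common suffixes) that automated crackers apply to each dictionary word. The wordlist, the account names and passwords, and the hash format are all constructed for this example; real wordlists run to millions of entries and real rule sets to hundreds of rules.

```python
import hashlib

# Constructed mini wordlist standing in for a real dictionary file.
WORDLIST = ["password", "welcome", "summer", "admin", "letmein", "dragon"]

# Suffixes applied by the mangling rules below; real crackers ship hundreds of such rules.
SUFFIXES = ["", "1", "123", "!", "2005", "1!"]


def candidates(word):
    """Expand one dictionary word with simple mangling rules (case variants plus common suffixes)."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def hash_password(password, salt):
    """Salted SHA-256, standing in for whatever the target system stores.
    A fast hash like this is exactly what makes offline guessing cheap."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack(stored, wordlist=WORDLIST):
    """Offline dictionary attack.

    stored maps username -> (salt, hex digest). Returns the passwords recovered
    within the wordlist and mangling rules; accounts whose passwords are not
    derivable from the wordlist are simply absent from the result.
    """
    recovered = {}
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            hit = next((c for c in candidates(word) if hash_password(c, salt) == digest), None)
            if hit is not None:
                recovered[user] = hit
                break
    return recovered


def build_sample_store():
    """Constructed account store: two weak passwords and one that no rule in this example derives."""
    accounts = {"alice": "Summer2005", "bob": "letmein!", "carol": "xQ9#vL2!pR7w"}
    store = {}
    for user, password in accounts.items():
        salt = hashlib.sha256(user.encode()).digest()[:8]  # deterministic per-user salt for reproducibility
        store[user] = (salt, hash_password(password, salt))
    return store


if __name__ == "__main__":
    found = crack(build_sample_store())
    for user, password in sorted(found.items()):
        print(f"{user}: {password}")
    print(f"{len(found)} of 3 accounts cracked")
```

Two things the example makes visible: the salt defeats precomputed tables but does nothing against per-account guessing, and a fast unsalted or salted SHA-256 lets a cracker try every candidate in microseconds. The corresponding controls are a deliberately slow password hash (bcrypt, scrypt or Argon2 with a tuned work factor) for the offline case and account lockout or throttling for online guessing against a live service.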


Authorized penetration testing is often performed using the same network scanning and diagnostic tools that hackers commonly use.


The IT organization should implement regular vulnerability scanning in addition to penetration testing. Much like virus-protection programs with their signature updates, vulnerability scanners, combined with firewall and IDS logs, help ensure that the IT infrastructure stays protected against both new and existing vulnerabilities. Vulnerability scanning is performed with automated tools that periodically scan network devices for known vulnerabilities. These tools maintain a vulnerability database (a set of checks, or plugins) that is updated as new vulnerabilities are discovered, so a scan is only as current as its last update. The scans produce reports that generally sort vulnerabilities into three risk categories (high, medium, low). The more sophisticated tools list the vulnerabilities found by device or application together with the remediation for each. One of the more popular vulnerability scanners is Nessus (www.nessus.org); at the time of writing it was an open-source scanner whose vulnerability database could be updated via the Internet (later versions are commercial). An example of a Nessus vulnerability report follows (this example does not include the entire report):

Scan Details

  Hosts that were alive and responding during test:  9
  Number of security holes found:                    54
  Number of security warnings found:                 113

Host List

  Host(s)          Possible Issue
  10.163.156.10    Security hole(s) found

Security Issues and Fixes: 10.163.156.10

  Type:          Warning
  Port:          echo (7/tcp)
  Issue and Fix: The echo port is open. This port is not of any use nowadays and could be a source of problems because it can be used along with other ports to perform a denial of service. You should really disable this service.
                 Risk factor: Low
                 Solution: Comment out 'echo' in /etc/inetd.conf
                 CVE: CVE-1999-0103
                 Nessus ID: 10061

  Type:          Informational
  Port:          echo (7/tcp)
  Issue and Fix: An echo server is running on this port.
                 Nessus ID: 10330

  Type:          Vulnerability
  Port:          telnet (23/tcp)
  Issue and Fix: The Telnet server does not return an expected number of replies when it receives a long sequence of "Are You There" commands. This probably means that it overflows one of its internal buffers and crashes. It is likely that an attacker could abuse this bug to gain control over the remote host's superuser. For more information, see www.team-teso.net/advisories/teso-advisory-011.tar.gz.
                 Solution: Comment out the telnet line in /etc/inetd.conf.
                 Risk factor: High
                 CVE: CVE-2001-0554
                 BID: 3064
                 Nessus ID: 10709

  Type:          Vulnerability
  Port:          ssh (22/tcp)
  Issue and Fix: You are running a version of OpenSSH that is older than 3.0.2. Versions older than 3.0.2 are vulnerable to an environment variable's export, which can allow a local user to execute a command with root privileges. This problem affects only versions earlier than 3.0.2 and only when the UseLogin feature is enabled (usually disabled by default).
                 Solution: Upgrade to OpenSSH 3.0.2 or apply the patch for older versions. (Available at ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH.)
                 Risk factor: High (if UseLogin is enabled, and locally)
                 CVE: CVE-2001-0872
                 BID: 3614
                 Nessus ID: 10823


The Nessus report shows the host address, the affected port and service, a text description of the vulnerability, the solution, a risk factor, and cross-references: the Common Vulnerabilities and Exposures (CVE) identifier, the Bugtraq ID (BID), and the Nessus plugin ID. As vulnerabilities become public, they are recorded in databases that provide standard names and documentation. One such free public database is maintained by the MITRE Corporation (http://cve.mitre.org); it can be used to look up known vulnerabilities and their remediation. Note that the report itself qualifies the OpenSSH finding: the risk is High only if UseLogin is enabled, which the scanner cannot see from the version banner it matched. Findings of this kind should be verified against the actual configuration and patch level before remediation is prioritized, since version-based checks produce false positives on patched or differently configured systems.
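The scanner behaviour described above (a vulnerability database of checks, banner-based version matching, findings sorted into risk categories and reported per host with the remediation) and the report format just discussed, as one added example that is not Nessus code and not part of the original text. The vulnerability database is constructed from the two findings in the report that a banner can actually establish (the open echo service and the OpenSSH version); the Telnet "Are You There" overflow is deliberately left out because confirming it needs an active probe. The stub services, port-to-service map, and the report layout are assumptions of this example.

```python
import re
import socket
import threading

# Constructed vulnerability database. The entries reproduce the echo and OpenSSH findings from the
# Nessus report above (risk factors, CVE IDs and fixes are taken from that report); a real scanner
# ships thousands of such checks and updates them continuously. The Telnet "Are You There" overflow
# from the report is deliberately absent: it can only be confirmed by an active probe, not from a banner.
VULN_DB = {
    "echo": {
        "risk": "Low", "cve": "CVE-1999-0103",
        "issue": "echo service enabled; can be combined with other ports for a denial of service",
        "fix": "Comment out 'echo' in /etc/inetd.conf",
    },
    "ssh": {
        "risk": "High", "cve": "CVE-2001-0872", "fixed_in": (3, 0, 2),
        "issue": "OpenSSH older than 3.0.2: local root via environment export when UseLogin is enabled",
        "fix": "Upgrade to OpenSSH 3.0.2 or apply the vendor patch",
    },
}
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def parse_openssh_version(banner):
    """Extract (major, minor, patch) from an SSH identification string such as 'SSH-1.99-OpenSSH_2.9p2'."""
    m = re.search(r"OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def assess(service, banner):
    """Turn one (service, banner) observation into a list of findings, most severe first."""
    findings = [{"service": service, "risk": "Informational", "cve": None,
                 "issue": f"{service} server is running", "fix": "none required"}]
    entry = VULN_DB.get(service)
    if entry is not None:
        vulnerable = True
        if service == "ssh":
            version = parse_openssh_version(banner)
            # Unknown product or unparseable version: report nothing rather than guess.
            vulnerable = version is not None and version < entry["fixed_in"]
        if vulnerable:
            findings.append({"service": service,
                             **{k: entry[k] for k in ("risk", "cve", "issue", "fix")}})
    return sorted(findings, key=lambda f: RISK_ORDER[f["risk"]])


def grab_banner(host, port, timeout=2.0):
    """Connect and read whatever the service volunteers; many services (echo, telnet) send nothing."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""


def scan_host(host, targets):
    """targets maps port -> service name (as /etc/services or inetd would label it)."""
    findings = []
    for port, service in targets.items():
        try:
            banner = grab_banner(host, port)
        except OSError:
            continue  # port closed or filtered: nothing listening, nothing to assess
        for f in assess(service, banner):
            findings.append({"host": host, "port": port, **f})
    return sorted(findings, key=lambda f: (RISK_ORDER[f["risk"]], f["port"]))


def format_report(findings):
    lines = []
    for f in findings:
        ref = f" ({f['cve']})" if f["cve"] else ""
        lines.append(f"{f['risk']:<13} {f['host']}:{f['port']} ({f['service']}) {f['issue']}{ref}")
        if f["cve"]:
            lines.append(f"{'':<13} Solution: {f['fix']}")
    return "\n".join(lines)


def _stub_service(banner):
    """Local stand-in for a listening service, used only so the demo runs offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    targets = {
        _stub_service(b"SSH-1.99-OpenSSH_2.9p2\r\n"): "ssh",   # vulnerable version
        _stub_service(b""): "echo",                             # echo says nothing until spoken to
    }
    print(format_report(scan_host("127.0.0.1", targets)))
```

The version check is where the false-positive caveat bites: the example, like the report it mirrors, flags OpenSSH 2.9p2 as High purely from the banner, and it has no way to see whether UseLogin is on or whether a vendor backported the fix without changing the version string. That is why the report's "Risk factor: High (if UseLogin is enabled, and locally)" wording exists, and why findings should be confirmed on the host before they drive remediation priorities.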

In addition to vulnerability testing, the organization can deploy tools designed to entice and trap intruders. Honey pots are computer systems set up expressly to attract, and hold the attention of, individuals attempting to break into the organization's systems. They are generally placed in a publicly accessible part of the network and are configured with known vulnerabilities as bait. The goal is to learn from the intruder's actions by monitoring the methods and techniques used in the attempt to gain access. Because a honey pot is meant to be compromised, it must be isolated from production systems and hold no real data, so that an attacker who takes it over cannot use it as a stepping stone into the rest of the network.


Honey pots are often used as a detection and deterrent control against Internet attacks.
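A minimal low-interaction honey pot of the kind described above, as an added example that is not from the original text or from any honey pot product: it listens on a TCP port, answers with a fake SMTP banner, records the source address and everything the connecting party sends, and never interprets or executes any of it. The banner text, the intruder stand-in, and the event record layout are assumptions of this example; the "intruder" is a constructed local client so the demo runs offline.

```python
import socket
import threading
import time
from datetime import datetime, timezone


class Honeypot:
    """Low-interaction TCP honey pot: answers with a fake service banner, records who
    connected and what they sent, and never interprets or executes anything received."""

    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 mail.example.test ESMTP ready\r\n"):
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.5)   # lets the accept loop notice stop()
        self.banner = banner
        self.events = []            # one dict per connection; a real deployment ships these to a log server or SIEM
        self._lock = threading.Lock()
        self._stop = threading.Event()

    @property
    def port(self):
        return self.sock.getsockname()[1]

    def _handle(self, conn, addr):
        with conn:
            conn.settimeout(2.0)
            conn.sendall(self.banner)
            data = b""
            try:
                while len(data) < 4096:           # cap what we keep per connection
                    chunk = conn.recv(1024)
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                pass                              # intruder went quiet; keep what we have
        event = {"time": datetime.now(timezone.utc).isoformat(),
                 "src": addr[0], "sport": addr[1], "data": data}
        with self._lock:
            self.events.append(event)

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break                             # socket closed by stop()
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def start(self):
        threading.Thread(target=self._serve, daemon=True).start()

    def stop(self):
        self._stop.set()
        self.sock.close()


def simulate_intruder(port, payload, host="127.0.0.1"):
    """Constructed stand-in for an attacker: read the banner, then send a probe."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner


def run_demo(payload=b"EHLO attacker\r\nAUTH LOGIN\r\n"):
    """Start a honey pot, let the constructed intruder connect once, return (banner seen, events logged)."""
    hp = Honeypot()
    hp.start()
    try:
        banner = simulate_intruder(hp.port, payload)
        deadline = time.time() + 3.0
        while not hp.events and time.time() < deadline:
            time.sleep(0.05)
        return banner, list(hp.events)
    finally:
        hp.stop()


if __name__ == "__main__":
    banner, events = run_demo()
    print("intruder saw banner:", banner)
    for e in events:
        print(f"{e['time']} {e['src']}:{e['sport']} sent {e['data']!r}")
```

Everything the honey pot learns is in the event records: who connected, when, and what they tried. Because nothing legitimate should ever connect to it, a single event is a high-confidence detection signal, which is what makes a honey pot useful as a detection control. The per-connection byte cap and the refusal to parse the input are the design choices that keep the trap from becoming a liability; in a real deployment the host would additionally be isolated with no outbound access, so a compromised honey pot cannot reach production systems.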


The most significant vulnerability in any organization is the user. The use of appropriate access controls can sometimes be inconvenient or cumbersome for the user population. To ensure that the organization's security controls are effective, a comprehensive security program should be implemented. The security program should include these components:

  • Continuous user awareness training

  • Continuous monitoring and auditing of IT processes and management

  • Enforcement of acceptable use policies and information security controls



Source: CISA Exam Cram 2 (2005), ISBN: B001EEFNHG, 146 pages.
