Various tools are used to perform a security assessment. The assessment may target the entire IT infrastructure, a single domain of the IT infrastructure, or anything in between. All assessments should follow a plan and be performed with a disciplined approach. There are different approaches to identifying security weaknesses within an organization. Some of the approaches include the following:
Network scan—This provides an automated method for discovering host systems on a network. Although a network scan doesn’t necessarily discover all vulnerabilities, it does determine which systems are active on the network and what services they offer or what ports are available. A network scan provides valuable information pertaining to the environment. A network scan can also provide an adversary with a footprint from which he or she can later conduct a more targeted attack. For this reason, network scans are an important part of defining the assessment process and understanding what an attacker might discover and target.
Vulnerability scan—This provides the fundamental process for managing vulnerabilities. A vulnerability scan is an automated method for testing a system’s services and applications for known security holes. Most vulnerability scans also provide reports on the identified holes along with additional information for improving security. Unlike a network scan, which looks more broadly for available systems, a vulnerability scan is targeted to specific systems. Vulnerability scans can be conducted across the entire infrastructure or specific components within the individual domains, such as the following:
Operating systems
Web servers
Mail servers
Databases
File Transfer Protocol (FTP) servers
Firewalls
Load-balancing servers
Switches and hubs
Wireless access points
Penetration test—A penetration test is most often associated with a security assessment. A penetration test, also known as a pen test, is an active, hands-on assessment that uses methods similar to what a real-world attacker might use. A penetration test goes beyond simply looking for vulnerabilities. When vulnerabilities are identified, a penetration test attempts to actually exploit the vulnerability. The test helps determine how practical or viable specific attacks might be. This includes understanding what the impact might be of a successful attack.
The technical skill set required to conduct a security assessment depends on the scope of the assessment and the types of tools or techniques used. Knowledge of basic security principles and technical fundamentals, such as understanding Transmission Control Protocol/Internet Protocol (TCP/IP), is helpful. TCP/IP is the basic protocol, or language, of modern networks and the Internet.
All three of the preceding methods may be used independently or may be used together as part of the overall plan. It is common, for example, for a network scan to precede a penetration test. Both network scans and vulnerability scans are more easily automated on a regular basis than a penetration test. Penetration tests require more planning and coordination.
There are several popular frameworks for conducting comprehensive security assessments. Three examples are as follows:
Open Source Security Testing Methodology Manual (OSSTMM)—A method that takes a scientific approach to security testing, the Open Source Security Testing Methodology Manual (OSSTMM) is made up of five sections called channels, and each channel includes various modules.
Information Systems Security Assessment Framework (ISSAF)—A method for evaluating networks, systems, and applications, the Information Systems Security Assessment Framework (ISSAF) is divided into a three-phase approach, which includes a nine-step assessment process.
NIST 800-115—A guide to the basic technical testing and examination functions of conducting an information security assessment, NIST 800-115 is composed of seven major sections and several appendixes.
Regardless of the method chosen, each uses similar techniques for conducting a security assessment. The remainder of this section uses the NIST methodology as a guide. NIST breaks the assessment down across three different types of primary techniques:
Review techniques
Target identification and analysis techniques
Target vulnerability validation techniques
Review techniques involve examining the components across the domains of IT infrastructure. Reviewing is a passive process, using noninvasive techniques, and has minimal impact on the systems. Table 6-1 provides examples of specific review techniques, along with the capabilities of the technique and the specific skill set required to use the technique.
TABLE 6-1 Summary of major capabilities of review techniques.
Technique | Capabilities | Skill Set |
---|---|---|
Document review | Examines policies and procedures for accuracy and completeness | General knowledge of information security and information policies |
Log review | Provides data on system use, changes, and configuration; might reveal potential problems and deviations from policies and standards | Knowledge of log events and ability to interpret log data; ability to use automated logging and log correlation tools |
Ruleset review | Exposes holes in security controls based on rulesets | Knowledge of ruleset formats; ability to correlate and analyze rulesets from different devices and different vendors |
Network sniffing | Monitors network traffic to capture information such as active systems, operating systems, communication protocols, and services; exposes unencrypted communications | Knowledge of TCP/IP and networking; ability to interpret and analyze network traffic; ability to deploy and use network-sniffing tools |
File integrity checking | Identifies changes to important files and can identify unwanted files that might be malicious | General file system knowledge; ability to use file integrity checking tools and interpret the results |
After performing a document review, the next step involves the use of target identification and analysis techniques. The goal is to identify active devices along with their available ports and services and look for possible vulnerabilities. The information collected sets the stage for the next step of trying to exploit and validate the vulnerabilities. Table 6-2 provides examples of the techniques involved, along with the capabilities of the technique and the specific skill set required to use the technique.
TABLE 6-2 Summary of major capabilities of target identification and analysis techniques.
Technique | Capabilities | Skill Set |
---|---|---|
Network discovery | Discovers active devices on the network; identifies communication paths and facilitates determination of network architectures | General TCP/IP and networking knowledge; ability to use both passive and active network discovery tools |
Network port and service identification | Discovers active devices on the network; discovers open ports and associated services/applications | General TCP/IP and networking knowledge; knowledge of ports and protocols; ability to use port-scanning tools; ability to interpret results from tools |
Vulnerability scanning | Identifies hosts and open ports; identifies known vulnerabilities; provides advice on mitigating discovered vulnerabilities | General TCP/IP and networking knowledge; knowledge of ports, protocols, services, and vulnerabilities; ability to use automated vulnerability-scanning tools and interpret the results |
Wireless scanning | Identifies unauthorized wireless devices on the network; discovers wireless signals outside an organization; detects potential backdoors and other security violations | General knowledge of computing and wireless transmissions, protocols, services, and architecture; ability to use automated wireless scanning and sniffing tools |
Finally, with the information from the previous phase, potential vulnerabilities are probed further. The techniques shown in Table 6-3 are used to validate the identified vulnerabilities by attempting to exploit them.
TABLE 6-3 Summary of major capabilities of target vulnerability validation techniques.
Technique | Capabilities | Skill Set |
---|---|---|
Password cracking | Identifies weak passwords and password settings | Knowledge of secure password composition and how operating systems maintain passwords; ability to use automated cracking tools |
Penetration testing | Tests security using the same methods and tools that attackers use; verifies vulnerabilities; demonstrates how vulnerabilities can be exploited iteratively to gain access to internal systems | Extensive knowledge of TCP/IP, networking, and operating systems; advanced knowledge of network and system vulnerabilities and exploits; knowledge of techniques to evade security detection |
Social engineering | Tests user awareness and whether proper procedures are followed | Ability to influence and persuade people; ability to remain calm under pressure |
An organization may use all the preceding techniques as part of an overall security assessment or selected parts. Additionally, the techniques can be used across the IT infrastructure, or they may focus on only specific domains. This depends on the objectives of the assessment, which must consider available time and resources.