CSS300 – Vulnerability Assessment and ManagementVulnerabilit

1.  
2.  
3.  
4.  
5.  
6.  
7.  
8.  
9.  
10. CSS300 – Vulnerability Assessment and Management
11. Vulnerability Assessment Project
12. Christopher Sanders
13. 8/14/19
14.  
15.  
16.  
17.  
18.  
19.  
20.  
21.  
22.  
23.  
24.  
25.  
26.  
27.  
28.  
29.  
30. Contents
31. Intrusion Tools and Techniques  3
32. Intrusion Detection 3
33. Auditing    4
34. Audit Data Review   4
35. Common Vulnerabilities and Exposures (TBD)  6
36. Definition of CVE   6
37. Calculation of CVSS 6
38. The use of NVD  6
39. Attack Methods (TBD)    8
40. Various Attack Methods  8
41. Authenticated and Unauthenticated   8
42. Active and passive  8
43. Intrusion Detection System Policies (TBD)   10
44. Policies    10
45. Protective Measures (TBD)   12
46. Vulnerability Assessment    12
47.  
48.  
49.  
50.  
51.  
52.  
53.  
54.  
55.  
56.  
57.  
58.  
59.  
60. Intrusion Tools and Techniques
61. Intrusion Detection
62. Intrusion Detection is a pivotal part to any information system, and it is necessary when trying to mitigate risk to your network while ensuring the safety of the data on your network. You can address an issue like this with either a hardware appliance or some type of software suite integrated into your system to detect malicious activity on your network. This can be accomplished 1 of 2 ways: either with an IDS or Intrusion Detection System or an IPS or Intrusion Prevention System. These two appliances offer the same benefits but one has an added benefit. The IPS has the ability to actually stop and report any malicious sources on your network. With the IDS it does not have the ability to stop the attack but it can report that something is afoot on the network. Both are very useful and can benefit any IT structure they are implemented on.
63. Auditing
64.     Auditing is the process of reviewing the documentation of an organization and finding and addressing any discrepancies in the company. This is essentially the same thing we are doing when auditing the systems on a given network. This information that is collected is used by the IA or information assurance team to track all happenings on the network and mitigate risk. This data allows the Security admins to see attempted log-ins, what systems are on the network, and even what data the user or machine has interacted with on the network. These logs can also be used to diagnosis any issue you might find on the network, like hardware failures or recent changes to the networks configurations that could have caused some unforeseen problem. Most auditing is conducted from a dedicated security server. This keeps the integrity of the data secure and keeps the average user from attempting alter or accidently deleting the logs. The data is usually collected from all connected devices i.e. user machines and network devices and servers.
65. Audit Data Review
66.     The auditing process is a great tool to use when trying to gain more depth about your systems and network. Audit reviews help you figure out where all the data on your network is and raise awareness to collection and use of data on the network. These audits highlight the any inadequacies in data procurement and protection which also speaks to risk management. Ideally you would audit your organizations logs based on how critical and crucial the system is to the network. You also ensure that users are aware of being monitored on the network and have them sign AUP’s or acceptable use policies. This also gives you some leverage when worried about user or malicious sources augmenting the logs. Just because the data is collected and reviewed does not mean it is secure and accurate. If the wrong people were to penetrate your network and find these logs they could in turn mask their presences by changing around the data to hide themselves.
67.  
68.  
69.  
70.  
71.  
72. Common Vulnerabilities and Exposures
73. Definition of CVE
74.     To begin we have to first understand what CVE is in terms of information security on your system. CVE stands for Common Vulnerabilities and Exposures, and these are common names for publicly known information on security vulnerabilities. This is compiled and maintained by the Department of Homeland Security. They are also all listed in the National Vulnerability Database. This helps security researchers prepare by already having a database to look at to ensure they are properly prepared for any attack on the organization they are supporting. This way researchers won’t have to feel in the dark as to what may affect their systems, they also don’t have to spend countless hours scouring the internet to find methods they may be vulnerable to.
75. Calculation of CVSS
76. CVSS or Common Vulnerability Scoring System is a free open standard for assessing the severity of vulnerabilities found on computer systems. The CVSS tries to calculate the severity of all the vulnerabilities which in turn allows the analyst to prioritize what they should do and what resources they need. The formula is calculated via different metrics that tell the ease of using an exploit and the impact said exploit will have on the system. The set of metrics that tend to be used when calculating a CVSS, they are Base metrics and temporal metrics. Base metrics have a score of ten being the highest threat of a vulnerability, it is three different values each having a score value assigned to them. They are the access vector, the attack complexity and the authentication. AV shows how vulnerability may be exploited, AC describes how easy or difficult is to exploit the discovered vulnerability. Au tells us how many times an attacker has to authenticate to target an exploit. With temporal metrics the values are a little different, these values change over the lifetime of a vulnerability.  It consist of the Exploitability, the remediation level, the Report Confidence and then these metrics are used in conjunction with the base score to get the temporal score. E metric tells the current state of the exploitation, RL of a vulnerability allow for the score to decrease as the vulnerabilities are fixed or mitigated. And finally report confidence measure the level of confidence in the existence of a vulnerability and the credibility of the publisher.
77. The use of NVD
78.     Firstly, NVD stands for the National Vulnerability Database, which is a government owned repository of standard vulnerability information. Organizations such as Homeland security and the NSA use this resources to harden and secure their systems from known exploits. To show what this means exactly there are three vulnerabilities that my organization has that can be found on the NVD.Nist website. One is the Ghostscript applications exploit or CVE-2018-19134, which is a fault of the developers with this particular software version in which a dummy ghostscript file could be loaded to execute arbitrary code on the system affected. Another is CVE-2018-17195 or an API exploit in which when the endpoint client user can be tricked into divulging their PC info to an unknown user by way of ARP spoofing and a man in the middle attack. And the last exploit that can affect my organizations systems is CVE-2018-0048. This is a networking exploit taking advantage of RPD using a Juniper toolkit, which allows the attacker unauthenticated attacker to cause memory failure in said system. These are just a few exploits that can affect a system severely.
79.  
80. Attack Methods
81.     There are various ways to attack a system in information security, and in this section I will discuss these ways and what exactly you must know to avoid them. Below I discuss the various attack methods and what to do to mitigate these threats. Two major attack types are passive and active attacks. Usually used in conjunction with either an authenticated method or an unauthenticated method. In a passive attack an authenticated method would be tapping someone’s phone and stealing log in credentials unbeknownst to the user. In an active attack an unauthenticated attack would be phishing, in which the attacker tricks the user into divulging sensitive information that they can use to infiltrate the system.
82. Various Attack Methods
83. Authenticated and Unauthenticated
84.     Authenticated attacks target the authentication of a website, it exploits the site that users use to verify their identity when accessing an application. These attacks are usually carried out by someone who is trusted to the organization, for instance a disgruntled employee seeking to hurt the company as much as possible before their exit. They usually gain access to some login credential of a single user, then once in the system they begin their attack. Authenticated attacks tend to make use of the username and password as to help prove "their identity". A good example of an authenticated attack is brute force hacking. This is an instance where the attacker barrages a login terminal with different passwords (pulled from dictionary) till one gets the attacker in the system. You can even request a password change for the user you are trying to steal from and change their info so that the account is essentially yours now. These attacks are possible when there is no security measures to stop unauthorized access to sensitive resources.
85.  
86. With unauthenticated attacks, the attacker explores the network looking for various vulnerabilities without having actually authenticated to the network. The attackers want to gain access to sensitive information without actually having supplied login credentials to the network. These attackers from here usually pretend to be normal users on the network as to not set off any red flags on the system. Because ultimately they are on the network thanks to a flaw in security or a vulnerability and would not want a security admin to notice the hole they've made. An example of an unauthenticated attack would be a reconnaissance attack, in which the attacker sends some kind of invite or message to the victim and then waits for a reply to gain SIP info from them. Another example would be a phishing attack, in which a user poses as a trusted institution and seeks personal info from the user to steal for personal gain.
87.  
88. Active and passive
89.     In information security active and passive attacks are incidents that result in damage to systems, data, infrastructure or the facilities. These things could cripple the business continuity of your company and cause major setbacks in production. First let’s start with what a passive attack is, these attacks are incidents in which the attacker do not alter the system but instead gather data or execute malicious transfers of files. While an active attack is an incident that does result in changes to the system, data, or infrastructure. Some examples of passive attacks that can affect both windows systems and linux systems are, tapping, scanning, and traffic analysis. With tapping the attacker monitors all unencrypted communications like email or the telephone calls made from the organization. With the scanning attack, the attacker scans a device that is connected to the internet for vulnerabilities such as open ports or an unpatched OS version. Meaning they have found vulnerabilities in the operating system that could be tragic to the network. And finally there is traffic analysis, which involves monitoring internet traffic on systems to build a data profile. This entails who is visiting the site and what they are doing. Some examples of active attacks are viruses, DOS (Denial of Service), and password cracking software. These attacks can harm both Windows and Linux systems. With viruses the attacker insert malicious code into the system that runs and replicates itself across the system. With denial of service the attacker hopes to make certain resources on your network unavailable. This is done by flooding the target system with requests to overload it or stop legitimate request from getting through. And finally with passwords crackers the attacker attempts to gain access to unauthorized systems by guessing what a user’s password is till they get in. They check the guess passwords against a cryptographic hash to see if they have the right one.
90.  
91.  
92.  
93.  
94.  
95.  
96.  
97.  
98.  
99.  
100.  
101.  
102.  
103.  
104.  
105.  
106.  
107.  
108.  
109.  
110.  
111.  
112.  
113.  
114.  
115.  
116.  
117.  
118.  
119. Intrusion Detection System Policies (TBD)
120. Policies
121.  
122.  
123.  
124.  
125.  
126.  
127.  
128.  
129.  
130.  
131.  
132.  
133.  
134.  
135.  
136.  
137.  
138.  
139.  
140.  
141.  
142.  
143.  
144.  
145.  
146.  
147.  
148.  
149.  
150. Protective Measures (TBD)
151. Vulnerability Assessment
152. 0