Sometimes a vulnerability rated as low severity can wreak havoc on a computer or an entire network. Vulnerability assessment is the one discipline that is crucial to keeping computers and networks running around the world. This article familiarizes readers with the importance that ethical hackers place on vulnerability assessment.
A vulnerability rated as low risk this morning could turn into your worst nightmare tonight. To keep pace with the ever-increasing speed at which exploits are written and propagated, the traditional vulnerability assessment has grown into a more full-scale exercise in many organizations.
Ensuring maximum protection against the latest security threats is a growing concern within most organizations. In addition to deploying various network protection solutions, it is important to audit the corporate network continuously: to discover vulnerabilities, to verify compliance, and to prioritize remediation according to the risk each finding poses to business operations.
Vulnerability Assessment in Organizations
Organizations have a tremendous opportunity to use information technology to increase their productivity. Securing information and communication systems is a necessary condition for taking advantage of all this increased connectivity, speed and information. However, no security measure can guarantee a risk-free environment in which to operate. In fact, many organizations will need to give users easier access to portions of their information systems, which increases their potential exposure.
Administrative error, for example, is a primary cause of vulnerabilities that even a novice attacker, whether an outsider or an insider, can exploit. Routine use of vulnerability assessment tools, together with prompt response to the problems they identify, reduces this risk. It follows that routine vulnerability assessment should be a standard element of every organization's security policy.
Why Vulnerability Assessment?
The instant access that attackers have to the latest tools and techniques demands that companies defend their networks more aggressively. A network vulnerability assessment, in effect a self-inflicted attack, identifies the network components and the faults in policies and procedures that expose a company to damage from malicious intruders.
Managing a network vulnerability assessment as a formal process provides a framework for finding and eliminating network security threats so that no vulnerabilities are overlooked. Managing an assessment successfully involves developing a scope statement, understanding and properly applying the assessment methodology, assembling an expert assessment team, and producing a useful response report.
By following these procedures, a company can pinpoint which parts of its network need to be hardened and avoid expensive and unnecessary purchases.
Vulnerability assessment also lets assets be assigned values, whether in cash terms or as business criticality. Findings can then be correlated with their potential effect on the business, giving management a more accurate picture of the company's overall security posture. A critical vulnerability on a core, Internet-facing system that generates revenue should be treated differently from a critical vulnerability on a system inside a test network that is isolated from the rest of the company.
Ethical Hacker and Vulnerability Testing
An ethical hacker attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. To test a system, ethical hackers use the same methods as their less principled counterparts, but report problems instead of taking advantage of them. The job of an ethical hacker also includes penetration testing and intrusion testing.
Functionalities and Advantages
A network vulnerability assessment identifies network vulnerabilities using the same techniques an attacker would. Mimicking a malicious intruder, the assessment team gathers network information, runs automated scanning tools, and supplements them with extensive manual testing to find the vulnerabilities that scanners alone miss.
Delivered as a service, vulnerability assessment also lets organizations take control of their network security without the burden or cost of deploying and maintaining complex software and hardware, and gives them a best-practice approach to managing vulnerabilities and tracking remediation.
This helps secure all of the network's entry points, enforce the organization's security policy, and meet industry security standards.
Assessment Strategies
In an ideal world, the assessment strategy begins before a network becomes operational: the individual computers are assessed first, so that no flawed hosts are introduced into the network; the network is then probed for security vulnerabilities; and finally the external network defense, the firewall, is verified before any connection to a public network is allowed.
In reality there are usually existing networks and external Internet connections, which introduce a significant number of known vulnerabilities. The tendency is to squander scarce resources on the most prominent vulnerabilities rather than investing the effort in the vulnerabilities that pose the greatest risk to the enterprise.
Various Questionnaires on Vulnerability Assessment
To assess vulnerabilities across the broad spectrum of an organization, one should prepare a set of questionnaires and answer them systematically. Given below are some of the questionnaires we have prepared with respect to security.
Recovery and Incident Handling
- Are there procedures to identify and respond to security events?
- Are there procedures for the identification, notification, and response to suspected attacks?
- Are there procedures for the containment of security concerns?
- Are there procedures for the eradication of specific security concerns?
- Is there virus protection on the system?
- How is the antivirus software configured?
- What version and update level is in use?
- Are there procedures in place for vulnerability identification and correction?
- Does the system maintain logs or audit files?
- Are there methods in place to ensure the preservation of logs?
- Are there procedures in place to effect the recovery of the system?
- Are there methods for file recovery on the system?
- Are there any network intrusion detectors (NIDs) on the system?
- How is the NID used?
- What does the NID do in terms of protection?
- What are the NID detection rules?
Software
- What applications are on the system? What are their functions?
- Are the applications in their default configuration? With default accounts and security posture?
- Is there any contract maintenance? If so, by whom, for what, and how?
- Is there any remote administration of the system? If so, by whom, for what, and how?
- What access control is on the system? (Network/Applications/OS/email logins)
- How are the permissions configured? (Applications) Can users access more than they need?
- What application-specific ports are open or in use? Are any ports blocked?
- Can the general user install programs?
- Are backup copies of software maintained?
- Are software modifications controlled or monitored? (Patch or upgrade)
- Are licenses audited?
- Can users exit the applications to gain access to the operating system?
- Are applications and software protected by passwords?
- Do help desk personnel have access to anything on the system? If so, who are they, what do they have access to, and how?
- Does the system have maintenance accounts?
- Are there group accounts on the system?
- Does the system have any default accounts?
- Does the system have any unused accounts?
- Does the system have remote administration capability?
- Does the system have diagnostic ports?
- What tools are available to users on the system (e.g., in bin and sbin)?
- Are administrator tools available on the system (admin tools, on-site tools, the directories in root's path such as bin and sys)?
- How available are they? Can ordinary users access them?
Integrity
- Are there methods in place to ensure and check hardware integrity?
- Are there methods in place to ensure and check software integrity?
- Are there methods in place to ensure and check the integrity of system files and stored information?
- Are there methods in place to ensure the confidentiality of the information on the system?
Security Awareness Training
- Is security awareness training in place?
- Is the training scheduled regularly? With what frequency?
- Does the training require mandatory attendance?
- What items are covered in the training?
- Have the staff personnel been fully briefed on how to mitigate system security risk?
Computer Security
- Does anything on the system use identification and authentication in the clear across the network or Internet?
- Does the system have operations guidelines (hours, location, and type of work)? Are user access and login privileges restricted to duty hours?
- Is there an inactivity timeout on the system? Logout/Screensaver?
- Does the system require passwords to gain access?
- What are the password rules or guidance?
- Where is the password file kept?
- Are there any backdoor circuits on the system (connections to anything other than the system's own network)?
- If there is SBU (sensitive but unclassified) information on the system, are the passwords randomly generated?
- Is the password file protected? How?
- Does the system run a time synchronization process to keep the workstations in sync with the server?
- Does the system permit NetBIOS access from the Internet?
- Does the system use Dynamic Host Configuration Protocol (DHCP)?
- Does the system follow the DISA Information Assurance Vulnerability Alert (IAVA) process?
Wide Area Connectivity
- Can the system be remotely accessed?
- Does remote access require user id and password?
- Does the system use warning banners?
- What information do login banners offer (normal login, telnet and ftp logins)?
- How is the router accessed? By whom and why?
- Does the system employ access control lists? How are they configured?
- Is router change management in place? By whom and how?
- Does the system have its own domain name service?
- Are there procedures for network address management?
- Does the system employ Network Address Translation (NAT) at the firewall to hide internal IP addresses?
- Are there any virtual private networks (VPNs) on the system? (Get a description.)
- Are there any virtual local area networks (VLANs) on the system? (Get a description.)
- Are any routers leased and maintained under a maintenance contract?
- Are any routers' running configurations stored on a TFTP server? If so, can the router configuration be read and written?
- Are there any dual-homed servers or workstations (i.e., computers with two NICs, with access to two subnets at once)? If so, is IP forwarding enabled?
- Are any servers acting as mail servers (e.g., Exchange)?
Account Policies and User Rights
- Is the system currently set to audit? To what extent?
- Does the system have audit log requirements for workstations?
- How, if at all, are the logs protected?
- Are system administrator actions logged?
- Does the system support the Windows Remote Shell service (RSH)? Is it running? Why and how?
- Do the applications on the system have any security features?
- Is the system running Microsoft Systems Management Server (SMS)?
UNIX
- Does the system employ user account controls? How?
- Are there any inactive accounts on the system?
- How do users access their account?
- What password controls are on the system?
- What password guidelines are adhered to?
- Is there any special privilege access on the system?
- Who has access to the root account or other high-level accounts on the system?
- How is the root account accessed? Remotely? Is the connection encrypted?
- Are group accounts used on the system?
- Are resources controlled on the system? How? (kernel, drives, printers)
- How are the permissions set? (minimal rights?)
- Do users have home directories?
- Can users exit the application and access a shell?
Trust Relationships
- Is the system using Network Information Service (NIS)?
- Is the system using Network Information Service Plus (NIS+)?
- Is the system using Network File System (NFS)?
- Are any UNIX security tools being used on the system?
  - Vulnerability assessment tools:
    - Enterprise Security Manager (ESM)
    - Computer Oracle and Password System (COPS)
    - Security Profile Inspector (SPI-NET)
    - Crack
    - Tripwire
    - Intruder Alert (ITA)
    - ifstatus and cpm
  - Wrapper programs:
    - Sendmail wrapper program
    - TCP Wrappers
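Several of the questions above (default, unused and UID 0 accounts in the Software and UNIX sections; password controls; IP forwarding on dual-homed hosts under Wide Area Connectivity; NFS under Trust Relationships) can be answered from a handful of files on the host. The script below is an added example of that kind of routine check; it is not from the article and not any of the tools listed. It runs against constructed stand-ins for /etc/passwd, /etc/shadow, /etc/exports and `sysctl net.ipv4.ip_forward` output rather than a live host, the list of "default" account names is an assumption to be extended per site, and password age is used here only as a stand-in for inactivity because lastlog is binary and system-specific.

```python
import re
from datetime import date

# Constructed sample data for a hypothetical host; nothing here was captured
# from a real system. Note the second UID 0 account, the empty hash for
# "oracle", the stale password for "svc_old" and the world-exported /home.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second superuser:/root:/bin/sh
oracle:x:1001:1001:Oracle:/home/oracle:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/bash
alice:x:1003:1003:Alice:/home/alice:/bin/bash
svc_old:x:1004:1004:Old service:/home/svc_old:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor:$6$salt$hash:19000:0:99999:7:::
oracle::19000:0:99999:7:::
guest:$6$salt$hash:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
svc_old:$6$salt$hash:18000:0:99999:7:::
"""
SAMPLE_EXPORTS = """\
/srv/share  192.168.10.0/24(rw,sync)
/home       *(rw,no_root_squash)
# /opt/ro is read-only for one host
/opt/ro     10.0.0.5(ro)
"""
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 1\n"
SAMPLE_TODAY = date(2022, 4, 18)

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Assumed list of vendor/default account names worth a second look; extend per site.
DEFAULT_ACCOUNT_NAMES = {"guest", "toor", "oracle", "test", "admin"}


def _records(text):
    """Yield the colon-separated fields of each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield line.split(":")


def extra_uid0_accounts(passwd):
    """Accounts other than root with UID 0: a classic backdoor."""
    return [f[0] for f in _records(passwd) if f[2] == "0" and f[0] != "root"]


def default_accounts_with_shell(passwd, names=DEFAULT_ACCOUNT_NAMES):
    """Default/vendor accounts that still have an interactive login shell."""
    return [f[0] for f in _records(passwd)
            if f[0] in names and f[6] not in NOLOGIN_SHELLS]


def empty_password_accounts(shadow):
    """Accounts whose hash field is empty: login with no password at all."""
    return [f[0] for f in _records(shadow) if f[1] == ""]


def stale_password_accounts(shadow, today, max_age_days=365):
    """Enabled accounts whose password is older than max_age_days.
    Field 3 of shadow is the last change in days since the epoch; locked
    accounts ('*' or '!' hashes) and passwordless ones are skipped."""
    today_days = (today - date(1970, 1, 1)).days
    stale = []
    for f in _records(shadow):
        if f[1] in ("", "*") or f[1].startswith("!") or not f[2].isdigit():
            continue
        if today_days - int(f[2]) > max_age_days:
            stale.append(f[0])
    return stale


def risky_exports(exports):
    """NFS exports open to every host ('*') or with root squashing disabled."""
    risky = []
    for line in exports.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            host, _, opts = client.partition("(")
            if host == "*" or "no_root_squash" in opts.rstrip(")").split(","):
                risky.append((path, client))
    return risky


def ip_forwarding_enabled(sysctl_output):
    """True when the kernel will route between interfaces (dual-homed host)."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_output)
    return bool(m) and m.group(1) == "1"


if __name__ == "__main__":
    print("extra UID 0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    print("default accounts with a shell:", default_accounts_with_shell(SAMPLE_PASSWD))
    print("accounts with no password:", empty_password_accounts(SAMPLE_SHADOW))
    print("stale passwords:", stale_password_accounts(SAMPLE_SHADOW, SAMPLE_TODAY))
    print("risky NFS exports:", risky_exports(SAMPLE_EXPORTS))
    print("IP forwarding enabled:", ip_forwarding_enabled(SAMPLE_SYSCTL))
```

On a real host the same functions would be fed the contents of the real files (reading /etc/shadow needs root), and the output should go into the assessment report alongside the questionnaire answers rather than be acted on blindly: a maintenance account with an old password may be legitimate, but each hit is a question the administrator has to answer.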
A Brief Conclusion
The complexity of modern enterprises, their reliance on technology, and the heightened interconnectivity among organizations are rapidly evolving developments that create widespread opportunities for theft, fraud, and other forms of exploitation by offenders both outside and inside an organization. Internal and external perpetrators can exploit well-known vulnerabilities in seconds.
As this article has argued, using vulnerability assessment tools on a regular basis, along with prompt response to the problems they identify, will reduce these risks. Routine vulnerability assessment, therefore, should be a standard element of every organization's security policy.
By R. Manoj. The author is an Assistant Editor at Fanatic Media, Bangalore.