DOCSLIB.ORG

Guideline on Network Security Testing

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Guideline on Network Security Testing NIST Special Publication 800-42 DRAFT Guideline on Network Security Testing Recommendations of the National Institute of Standards and Technology John Wack, Miles Tracey C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 U.S. Department of Commerce Donald L. Evans, Secretary Technology Administration Phillip J. Bond, Under Secretary for Technology National Institute of Standards and Technology Arden L. Bement, Jr., Director ii DRAFT GUIDE TO NETWORK SELF-TEST Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-42 Natl. Inst. Stand. Technol. Spec. Publ. 800-42, XX pages (Feb. 2002) CODEN: XXXXX Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or con cept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Stan- dards and Technology, nor is it intended to imply th at the entities, materials, or equipment are necessarily the best available for the purpose. U.S. GOVERNMENT PRINTING OFFICE WASHINGTON: 2001 For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov — Phone: (202) 512-1800 — Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 ii DRAFT GUIDE TO NETWORK SELF-TEST Acknowledgements The authors, John Wack of NIST and Miles Tracy of Booz, Allen, and Hamilton (BAH), wish to acknowledge staff at NIST and BAH who reviewed drafts of this publication and made substantial improvements to its quality, including Murugiah Souppaya, Timothy Grance, and Peter Mell. iii DRAFT GUIDE TO NETWORK SELF-TEST iv DRAFT GUIDE TO NETWORK SELF-TEST Table Of Contents 1. Introduction........................................................................................................................... 3 1.1. Purpose and Scope..........................................................................................................3 1.2. Definitions....................................................................................................................... 4 1.3. Audience ......................................................................................................................... 5 1.4. Document Organization ................................................................................................. 5 2. Security Testing and the System Development Life Cycle............................................. 7 2.1. Why Test? ....................................................................................................................... 7 2.2. Life cycle......................................................................................................................... 7 2.3. Documentation................................................................................................................ 9 2.4. Security Management Staff............................................................................................ 9 3. Security Testing Techniques............................................................................................. 11 3.1. Network Mapping......................................................................................................... 11 3.2. Vulnerability Scanning................................................................................................. 13 3.3. Penetration Testing....................................................................................................... 16 3.4. Security Test and Evaluation ....................................................................................... 21 3.5. Password Cracking....................................................................................................... 22 3.6. Log Reviews ................................................................................................................. 23 3.7. File Integrity Checkers ................................................................................................. 24 3.8. Virus Detectors ............................................................................................................. 25 3.9. War Dialing................................................................................................................... 26 3.10. Summary Comparisons of Network testing Techniques.......................................... 27 4. Prioritizing Security Testing............................................................................................. 31 A. Terminology................................................................................................................... 35 B. References ......................................................................................................................37 C. Common Testing Tools ................................................................................................ 39 C.1. File Integrity Checkers................................................................................................. 39 C.2. Network Sniffers.......................................................................................................... 39 C.3. Password Crackers....................................................................................................... 40 C.4. Privilege Escalation and Back Door Tools................................................................. 40 C.5. Scanning and Enumeration Tools ............................................................................... 41 C.6. Vulnerability Scanning Tools...................................................................................... 42 v DRAFT GUIDE TO NETWORK SELF-TEST C.7. War Dialing Tools ....................................................................................................... 43 D. Example Usage Of Common Testing Tools .............................................................. 44 D.1. Using Nmap Port Scanner........................................................................................... 44 D.2. Using L0pht Crack ...................................................................................................... 50 D.3. Using LANguard File Integrity Checker.................................................................... 51 D.4. Using Tripwire.............................................................................................................53 D.5. Snort ............................................................................................................................. 57 List Of Tables Table 3.1- Comparison of Testing Procedures........................................................................ 29 Table 3.2 - Summarized Evaluation Factors ........................................................................... 30 List Of Figures Figure 2.1 - Security Testing and the System Development Life Cycle.................................. 8 Figure 3.1 - Four-Stage Penetration Testing Methodology.................................................... 18 Figure 3.2 - Attack Phase Steps with Loopback to Discovery Phase .................................... 19 vi DRAFT GUIDE TO NETWORK SELF-TEST Executive Summary Network security testing should be integrated into an organization’s security program to evaluate system security mechanisms and validate that systems are operating according to the organization’s security policies and system security requirements. To maximize their usefulness and ensure that they are affordable, organizations should prioritize network test- ing activities according to system criticality, testing costs, and the benefits that testing will provide. Organizations can use a prioritization process, described in this document, to de- termine minimum required sets of tests and appropriate frequencies for these tests Routine testing of networks can greatly reduce the chances of a network compromise by helping to ensure that critical systems, e.g., firewalls, routers, servers, are configured, main- tained, and operated according to the organization's security policy. Exploitation of a sys- tem could have a costly impact on an organization’s operations. Network testing can be a valuable and cost effective measure of protecting a network and preventing costly compro- mise. 1 DRAFT GUIDE TO NETWORK SELF-TEST 2 DRAFT GUIDE TO NETWORK SELF-TEST 1. Introduction The Internet has interconnected the world and produced many benefits. It is now possible to share ideas and resources instantaneously
Load more

Recommended publications
  • Servicenow Vulnerability Response
    ServiceNow Vulnerability Response Connect security and IT The vulnerability challenge Coordinate response across teams for smoother task Critical vulnerabilities often hide under the radar of security challenges today. When exploited, lack of effective vulnerability response carries major impact to handoffs between groups and business reputation and data security. A study conducted by ServiceNow and quicker resolution. Get the Ponemon Institute found that over a third of organizations who suffered a accountability across the breach already knew they were vulnerable. In many cases, there was an existing organization and know work is patch for the vulnerability which was not applied due to reliance on manual getting done with remediation processes, siloed information, and lack of visibility.1 targets. Additionally, breaches are becoming more severe. Methods to exploit Drive faster, more efficient vulnerabilities are growing more sophisticated, with cybercriminals increasingly leveraging machine learning and artificial intelligence to thwart traditional security response vulnerability response mechanisms. Having a solution which interlocks all components —security, risk, and IT— is crucial to organizations staying ahead of Reduce the amount of time these tactics and taking a holistic approach to vulnerability response. spent on basic tasks with orchestration tools. Automatically prioritize and The ServiceNow solution respond to vulnerabilities with workflows and automation. ServiceNow® Vulnerability Response helps organizations respond faster and more efficiently to vulnerabilities, connect security and IT teams, and provide real-time Know your security posture visibility. It connects the workflow and automation capabilities of the Now Platform® with vulnerability scan data from leading vendors to give your teams a View your current vulnerability single platform for response that can be shared between security and IT.
    [Show full text]
  • Designing Vulnerability Testing Tools for Web Services: Approach, Components, and Tools
    Int. J. Inf. Secur. DOI 10.1007/s10207-016-0334-0 REGULAR CONTRIBUTION Designing vulnerability testing tools for web services: approach, components, and tools Nuno Antunes1 · Marco Vieira1 © Springer-Verlag Berlin Heidelberg 2016 Abstract This paper proposes a generic approach for infrastructure, which typically includes an application server, designing vulnerability testing tools for web services, which the operating system, and a set of external systems (e.g. other includes the definition of the testing procedure and the tool services, databases, and payment gateways). Web services components. Based on the proposed approach, we present are one of the cornerstones of service-oriented architecture the design of three innovative testing tools that implement (SOA), making them the lingua franca for systems integra- three complementary techniques (improved penetration test- tion. ing, attack signatures and interface monitoring, and runtime The security of web applications is, in general, quite anomaly detection) for detecting injection vulnerabilities, poor [2,3]. Web services are no exception, and research thus offering an extensive support for different scenarios. A and practice show that web services are often deployed case study has been designed to demonstrate the tools for the with software bugs (i.e. vulnerabilities) that can be mali- particular case of SQL Injection vulnerabilities. The experi- ciously exploited [4]. Injection vulnerabilities, consisting of mental evaluation demonstrates that the tools can effectively improper code that allows the attacker to inject and execute be used in different scenarios and that they outperform commands, enabling, for instance, access to critical data, are well-known commercial tools by achieving higher detection particularly frequent [2].
    [Show full text]
  • Implementing Cisco Cyber Security Operations
    2019 CLUS Implementing Cisco Cyber Security Operations Paul Ostrowski / Patrick Lao / James Risler Cisco Security Content Development Engineers LTRCRT-2222 2019 CLUS Cisco Webex Teams Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Live Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space Webex Teams will be moderated cs.co/ciscolivebot#LTRCRT-2222 by the speaker until June 16, 2019. 2019 CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Agenda • Goals and Objectives • Prerequisite Knowledge & Skills (PKS) • Introduction to Security Onion • SECOPS Labs and Topologies • Access SECFND / SECOPS eLearning Lab Training Environment • Lab Evaluation • Cisco Cybersecurity Certification and Education Offerings 2019 CLUS LTRCRT-2222 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Goals and Objectives: • Today's organizations are challenged with rapidly detecting cybersecurity breaches in order to effectively respond to security incidents. Cybersecurity provides the critical foundation organizations require to protect themselves, enable trust, move faster, add greater value and grow. • Teams of cybersecurity analysts within Security Operations Centers (SOC) keep a vigilant eye on network security monitoring systems designed to protect their organizations by detecting and responding to cybersecurity threats. • The goal of Cisco’s CCNA Cyber OPS (SECFND / SECOPS) courses is to teach the fundamental skills required to begin a career working as an associate/entry-level cybersecurity analyst within a threat centric security operations center. • This session will provide the student with an understanding of Security Onion as an open source network security monitoring tool (NSM).
    [Show full text]
  • Opentext Product Security Assurance Program
    The Information Company ™ Product Security Assurance Program Contents Objective 03 Scope 03 Sources 03 Introduction 03 Concept and design 04 Development 05 Testing and quality assurance 07 Maintain and support 09 Partnership and responsibility 10 Privavy and Security Policy 11 Product Security Assurance Program 2/11 Objective The goals of the OpenText Product Security Assurance Program (PSAP) are to help ensure that all products, solutions, and services are designed, developed, and maintained with security in mind, and to provide OpenText customers with the assurance that their important assets and information are protected at all times. This document provides a general, public overview of the key aspects and components of the PSAP program. Scope The scope of the PSAP includes all software solutions designed and developed by OpenText and its subsidiaries. All OpenText employees are responsible to uphold and participate in this program. Sources The source of this overview document is the PSAP Standard Operating Procedure (SOP). This SOP is highly confidential in nature, for internal OpenText consumption only. This overview document represents the aspects that are able to be shared with OpenText customers and partners. Introduction OpenText is committed to the confidentiality, integrity, and availability of its customer information. OpenText believes that the foundation of a highly secure system is that the security is built in to the software from the initial stages of its concept, design, development, deployment, and beyond. In this respect,
    [Show full text]
  • Tenable and Ahnlab Leveraging Network Intelligence to Stop Malware Cold
    Tenable and AhnLab Leveraging Network Intelligence to Stop Malware Cold Key Challenges The breaching of organizations large and small occurs all too frequently, damaging the confidentiality, availability and integrity of the critical data assets that organizations rely on. Also at risk is hard-earned reputation. Most organizations focus on the perimeter of their networks, and neglect the intranet – ignoring threats that circumvent the based defenses and inject themselves directly into the core of the infrastructure. Additionally, most organizations are unprepared to deal with advanced malware threats that go undetected by traditional anti-malware technologies. Finally, the complex nature of today’s software results in vulnerabilities that appear at an alarming rate, increasing the threat surface that attackers can leverage. A solution is required that: • Addresses the network universally rather than just at the edge • Can deal with advanced malware threats using non-traditional analysis methods • Can detect and help to manage vulnerabilities that exist within the entire infrastructure on Solution Components all device types Tenable Network Security has teamed up with AhnLab to deliver just such a solution. • Tenable SecurityCenter Continuous View • Tenable Nessus Vulnerability Scanner Solution Overview The solution combines Tenable’s SecurityCenter Continuous View (SCCV) solution with AhnLab • Tenable Passive Vulnerability Scanner Malware Defense System (MDS) to provide a system that actively blocks malware bearing • Tenable Log Correlation Engine content, malicious traffic, and outbound C&C traffic. This is done within the AhnLab MDS at the network edge, using a hybrid behavior and signature based approach. • AhnLab Malware Defense System Within the intranet, Tenable’s Passive Vulnerability Scanner (PVS) monitors network segments to Key Benefits detect vulnerabilities, C&C traffic, policy violations, and signs of malicious activities.
    [Show full text]
  • IBM Qradar Vulnerability Manager Version 7.3.2
    IBM QRadar Vulnerability Manager Version 7.3.2 User Guide IBM Note Before you use this information and the product that it supports, read the information in “Notices” on page 127. Product information This document applies to IBM® QRadar® Security Intelligence Platform V7.3.2 and subsequent releases unless superseded by an updated version of this document. © Copyright International Business Machines Corporation 2012, 2019. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Introduction........................................................................................................ vii Chapter 1. What's new for users in QRadar Vulnerability Manager V7.3.2................1 Chapter 2. Installations and deployments.............................................................. 3 Vulnerability processor and scanner appliance activation keys.................................................................4 Vulnerability backup and recovery.............................................................................................................. 4 Ports used for communication between QRadar and QRadar Vulnerability Manager managed hosts.....5 Options for moving the vulnerability processor in your QRadar Vulnerability Manager deployment....... 5 Deploying a dedicated QRadar Vulnerability Manager processor appliance........................................6 Moving your vulnerability processor to a managed host or console.....................................................7
    [Show full text]
  • TV Superscan 2 Enhanced Users Guide
    TV Superscan 2 Enhanced Users Guide To Reset the TV SuperScan Unit: 1. Unplug Power from Unit 2. Press & Hold “Select” and “Zoom” buttons at the same time. 3. While holding buttons, plug in power. When red lights on, release the two buttons. 4. If you get some output on the screen press the “Zoom” button once more to complete the reset procedure. © 1998 ADS Technologies. All Rights Reserved First Edition: Revision 1.0 April, 1998 Microsoft, MS-DOS, Windows, and Windows 95 and Windows 98 are registered trademarks of Microsoft Corporation. IBM is a registered trade- mark of International Business Machines, Inc. ADS is a registered trademark of ADS Technologies Inc. ADS Technologies (ADS) makes no warranty of any kind with regard to this material, including but not limited to, the implied warranties of mer- chantability and fitness for a particular purpose. The information furnished within this written document is for information purposes only and is sub- ject to change without notice. ADS Technologies assumes no responsi- bility or liability for any errors or inaccuracies that may appear herein. ADS makes no commitment to update or to keep current information contained within this document. Table of Contents A Letter from the President of ADS . 6 Introduction . 7 System Requirements . 7 Package Contents . 8 Chapter 1 Installation Guide . 9 Installing the Hardware . 11 Connecting to a Desktop Computer . 11 Connecting to a Laptop Computer . 14 Connection Diagrams. 16 Desktop Connection Diagram . 16 Laptop Connection Diagram . 16 Chapter 2 TV Superscan 2 Enhanced . 17 Overview . 19 Menu/Enter Button . 19 Select .
    [Show full text]
  • A Comparative Evaluation of Automated Vulnerability Scans Versus Manual
    CYBER 2018 : The Third International Conference on Cyber-Technologies and Cyber-Systems A Comparative Evaluation of Automated Vulnerability Scans versus Manual Penetration Tests on False-negative Errors Saed Alavi, Niklas Bessler, Michael Massoth Department of Computer Science Hochschule Darmstadt (h da) — University of Applied Sciences Darmstadt, and Center for Research in Security and Privacy (CRISP), Darmstadt, Germany E-mail: fsaed.alavi,[email protected], [email protected] Abstract—Security analysis can be done through different types knowledge. Then, we use two popular vulnerability scanners to of methods, which include manual penetration testing and au- generate automated vulnerability reports. We make use of the tomated vulnerability scans. These two different approaches proprietary software Nessus and the free software framework are often confused and believed to result in the same value. OpenVAS. In a final step, we validate both manually and To evaluate this, we have build a lab with several prepared automatically generated reports and determine error rates, vulnerabilities to simulate a typical small and medium-sized where we finally consider the knowledge, of building a self- enterprise. Then, we performed a real penetration test on the lab, and a vulnerability scan as well, and then compared the results. made lab environment, which has been totally absent up to Our conclusion shows, that the results obtained through both this point. types of security analysis are highly distinct. They differ in time This paper is organized as follows: Section II gives an expenditure and false-positive rate. Most importantly, we have overview of the relevant terminology. Section III summarize seen a remarkable higher false-negative rate in the vulnerability the research achievement of previous scientific publications on scan, which suggests that automated methods cannot replace this topic.
    [Show full text]
  • Secure by Design, Secure by Default: Requirements and Guidance
    Biometrics and Surveillance Camera Commissioner Secure by Design, Secure by Default Video Surveillance Products Introduction This guidance is for any organisation manufacturing Video Surveillance Systems (VSS), or manufacturing or assembling components intended to be utilised as part of a VSS. It is intended to layout the Biometrics and Surveillance Camera Commissioners (BSCC) minimum requirements to ensure such systems are designed and manufactured in a manner that assures they are Secure by Design. It also contains certain component requirements that will ensure a configuration that is Secure by Default when the component is shipped, thereby making it more likely that the system will be installed and left in a secure state. This guidance forms part of a wider suite of documentation being developed as part of the SCC Strategy, in support of the SCC Code of Practice. Background and Context The nature of the Internet means that connected devices can be subjected to a cyber attack from anywhere in the world. Widespread attacks on connected products is a current and real threat, and a number of highly publicised attacks have already occurred. The Mirai malware targeted devices such as internet-enabled cameras (IP cameras). Mirai was successful because it exploited the use of common default credentials (such as a username and password being set by the manufacturer as ‘admin’) and poor security configuration of devices. Ultimately, this facilitated attacks on a range of commercial and social media services and included an outage of streaming services such as Netflix. An evolution of Mirai, called Reaper, has also been discovered. Reaper used publicly and easily available exploits that remained unfixed (patched) and highlighted the problem around non patching of known security vulnerabilities, allowing attackers to utilise them to cause harm.
    [Show full text]
  • Linux Networking Cookbook.Pdf
    Linux Networking Cookbook ™ Carla Schroder Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo Linux Networking Cookbook™ by Carla Schroder Copyright © 2008 O’Reilly Media, Inc. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected]. Editor: Mike Loukides Indexer: John Bickelhaupt Production Editor: Sumita Mukherji Cover Designer: Karen Montgomery Copyeditor: Derek Di Matteo Interior Designer: David Futato Proofreader: Sumita Mukherji Illustrator: Jessamyn Read Printing History: November 2007: First Edition. Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. The Cookbook series designations, Linux Networking Cookbook, the image of a female blacksmith, and related trade dress are trademarks of O’Reilly Media, Inc. Java™ is a trademark of Sun Microsystems, Inc. .NET is a registered trademark of Microsoft Corporation. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
    [Show full text]
  • Wireshark & Ethereal Network Protocol Analyzer
    377_Eth2e_FM.qxd 11/14/06 1:23 PM Page i Visit us at www.syngress.com Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our cus- tomers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site. SOLUTIONS WEB SITE To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s). ULTIMATE CDs Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of exper- tise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few. DOWNLOADABLE E-BOOKS For readers who can’t wait for hard copy, we offer most of our titles in download- able Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably. SYNGRESS OUTLET Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings. SITE LICENSING Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations.
    [Show full text]
  • Know Your Network
    Know Your Network Network Security Assessment Chris McNab CHAPTERChapter 4 4 IP Network Scanning This chapter focuses on the technical execution of IP network scanning. After under- taking initial reconnaissance to identify IP address spaces of interest, network scan- ning builds a clearer picture of accessible hosts and their network services. Network scanning and reconnaissance is the real data gathering exercise of an Internet-based security assessment. The rationale behind IP network scanning is to gain insight into the following elements of a given network: • ICMP message types that generate responses from target hosts • Accessible TCP and UDP network services running on the target hosts • Operating platforms of target hosts and their configuration • Areas of vulnerability within target host IP stack implementations (including sequence number predictability for TCP spoofing and session hijacking) • Configuration of filtering and security systems (including firewalls, border rout- ers, switches, and IDS sensors) Performing both network scanning and reconnaissance tasks paints a clear picture of the network topology and its security mechanisms. Before penetrating the target net- work, further assessment steps involve gathering specific information about the TCP and UDP network services that are running, including their versions and enabled options. ICMP Probing The Internet Control Message Protocol (ICMP) identifies potentially weak and poorly protected networks. ICMP is a short messaging protocol that’s used by sys- tems administrators and end users for continuity testing of networks (e.g., using the ping or traceroute commands). From a network scanning and probing perspective, the following types of ICMP messages are useful: 36 This is the Title of the Book, eMatter Edition Copyright © 2004 O’Reilly & Associates, Inc.
    [Show full text]