Network Security Assessment: From Vulnerability to Patch

Book Description

This book will take readers from the discovery of vulnerabilities and the creation of the corresponding exploits, through a complete security assessment, all the way through deploying patches against these vulnerabilities to protect their networks. This book is unique in that it details both the management and technical skills and tools required to develop an effective vulnerability management system. Business case studies and real-world vulnerabilities are used throughout the book.

This book starts by introducing the reader to the concepts of a vulnerability management system. Readers will be provided detailed timelines of exploit development, vendors' time to patch, and corporate patch installations. Next, the differences between security assessments and penetration tests will be clearly explained along with best practices for conducting both.

Next, several case studies from different industries will illustrate the effectiveness of varying vulnerability assessment methodologies. The next several chapters will define the steps of a vulnerability assessment including: defining objectives, identifying and classifying assets, defining rules of engagement, scanning hosts, and identifying operating systems and applications.

The next several chapters provide detailed instructions and examples for differentiating vulnerabilities from configuration problems and validating vulnerabilities through penetration testing. The last section of the book provides best practices for vulnerability management and remediation.

Table of Contents

  1. Copyright
  2. Visit us at: www.syngress.com
  3. Acknowledgments
  4. Lead Author and Technical Editor
  5. Coauthor and Technical Editor
  6. Contributing Authors
  7. Foreword
    1. Notes
  8. 1. Windows of Vulnerability
    1. Introduction
    2. What Are Vulnerabilities?
    3. Understanding the Risks Posed by Vulnerabilities
    4. Summary
    5. Solutions Fast Track
      1. What Are Vulnerabilities?
      2. Understanding the Risks Posed by Vulnerabilities
    6. Frequently Asked Questions
  9. 2. Vulnerability Assessment 101
    1. Introduction
    2. What Is a Vulnerability Assessment?
      1. Step 1: Information Gathering/Discovery
      2. Step 2: Enumeration
      3. Step 3: Detection
    3. Seeking Out Vulnerabilities
    4. Detecting Vulnerabilities via Security Technologies
      1. Deciphering VA Data Gathered by Security Technologies
      2. Accessing Vulnerabilities via Remediation (Patch) Technologies
      3. Extracting VA Data from Remediation Repositories
      4. Leveraging Configuration Tools to Assess Vulnerabilities
    5. The Importance of Seeking Out Vulnerabilities
      1. Looking Closer at the Numbers
    6. Summary
    7. Solutions Fast Track
      1. What Is a Vulnerability Assessment?
      2. Seeking Out Vulnerabilities
      3. Importance of Seeking Out Vulnerabilities
    8. Frequently Asked Questions
  10. 3. Vulnerability Assessment Tools
    1. Introduction
    2. Features of a Good Vulnerability Assessment Tool
    3. Using a Vulnerability Assessment Tool
      1. Step 1: Identify the Hosts on Your Network
      2. Step 2: Classify the Hosts into Asset Groups
      3. Step 3: Create an Audit Policy
      4. Step 4: Launch the Scan
      5. Step 5: Analyze the Reports
      6. Step 6: Remediate Where Necessary
    4. Summary
    5. Solutions Fast Track
      1. Features of a Good Vulnerability Assessment Tool
    6. Frequently Asked Questions
  11. 4. Vulnerability Assessment: Step One
    1. Introduction
    2. Know Your Network
    3. Classifying Your Assets
    4. I Thought This Was a Vulnerability Assessment Chapter
    5. Summary
    6. Solutions Fast Track
      1. Know Your Network
      2. Classifying Your Assets
    7. Frequently Asked Questions
  12. 5. Vulnerability Assessment: Step Two
    1. Introduction
    2. An Effective Scanning Program
    3. Scanning Your Network
    4. When to Scan
    5. Summary
    6. Solutions Fast Track
      1. An Effective Scanning Program
      2. Scanning Your Network
      3. When to Scan
    7. Frequently Asked Questions
  13. 6. Going Further
    1. Introduction
    2. Types of Penetration Tests
    3. Scenario: An Internal Network Attack
      1. Client Network
      2. Step 1: Information Gathering
        1. Operating System Detection
        2. Discovering Open Ports and Enumerating
      3. Step 2: Determine Vulnerabilities
        1. Setting Up the VA
        2. Interpreting the VA Results
    4. Penetration Testing
      1. Step 3: Attack and Penetrate
        1. Uploading Our Data
        2. Attack and Penetrate
        3. Searching the Web Server for Information
        4. Discovering Web Services
    5. Vulnerability Assessment versus a Penetration Test
      1. Tips for Deciding between Conducting a VA or a Penetration Test
    6. Internal versus External
    7. Summary
    8. Solutions Fast Track
      1. Types of Penetration Tests
      2. Who Conducts a Pen Test?
      3. Penetration Testing Involves
      4. Value of VA vs Pen Test
    9. Frequently Asked Questions
  14. 7. Vulnerability Management
    1. Introduction
    2. The Vulnerability Management Plan
    3. The Six Stages of Vulnerability Management
      1. Stage One: Identify
      2. Stage Two: Assess
      3. Stage Three: Remediate
      4. Stage Four: Report
      5. Stage Five: Improve
      6. Stage Six: Monitor
    4. Governance (What the Auditors Want to Know)
    5. Measuring the Performance of a Vulnerability Management Program
      1. Instructions
    6. Common Problems with Vulnerability Management
    7. Summary
    8. Solutions Fast Track
      1. The Vulnerability Management Plan
      2. What is Vulnerability Management Comprised of?
      3. Governance (What the Auditors want to know)
      4. Measurement
      5. Common Problems with Vulnerability Management
    9. Frequently Asked Questions
  15. 8. Vulnerability Management Tools
    1. Introduction
    2. The Perfect Tool in a Perfect World
    3. Evaluating Vulnerability Management Tools
    4. Commercial Vulnerability Management Tools
      1. eEye Digital Security
      2. Symantec (BindView)
      3. Attachmate (NetIQ)
      4. StillSecure
      5. McAfee
    5. Open Source and Free Vulnerability Management Tools
      1. Asset Management, Workflow, and Knowledgebase
      2. Host Discovery
      3. Vulnerability Scanning and Configuration Scanning
      4. Configuration and Patch Scanning
      5. Vulnerability Notification
      6. Security Information Management
    6. Managed Vulnerability Services
    7. Summary
    8. Solutions Fast Track
      1. The Perfect Tool in a Perfect World
      2. Evaluating Vulnerability Management Tools
      3. Commercial Vulnerability Management Tools
      4. Open Source and Free Vulnerability Management Tools
      5. Managed Vulnerability Services
    9. Frequently Asked Questions
  16. 9. Vulnerability and Configuration Management
    1. Introduction
    2. Patch Management
      1. System Inventories
      2. System Classification
      3. System Baselines
        1. Creating a Baseline
        2. Baseline Example
        3. The Common Vulnerability Scoring System
    3. Building a Patch Test Lab
      1. Establish a Patch Test Lab with “Sacrificial Systems”
        1. Virtualization
        2. Environmental Simulation
    4. Patch Distribution and Deployment
      1. Logging and Reporting
    5. Configuration Management
      1. Change Control
    6. Summary
    7. Solutions Fast Track
      1. Patch Management
      2. Keys To Patch & Configuration Management
      3. Change Management Process
    8. Frequently Asked Questions
  17. 10. Regulatory Compliance
    1. Introduction
    2. Regulating Assessments and Pen Tests
      1. The Payment Card Industry (PCI) Standard
      2. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
      3. The Sarbanes-Oxley Act of 2002 (SOX)
      4. Compliance Recap
    3. Drafting an Information Security Program
    4. Summary
    5. Solutions Fast Track
      1. Regulating Assessments and Pen Tests
      2. Drafting an Information Security Program
    6. Frequently Asked Questions
  18. 11. Tying It All Together
    1. Introduction
    2. A Vulnerability Management Methodology
    3. Step One: Know Your Assets
      1. What You Need to Do
      2. Why You Need to Do It
      3. How to Do It
      4. What Tools Exist to Help You Do It
    4. Step Two: Categorize Your Assets
      1. What You Need to Do
      2. Why You Need to Do It
      3. How to Do It
      4. What Tools Exist to Help You Do It
    5. Step Three: Create a Baseline Scan of Assets
      1. What You Need to Do
      2. Why You Need to Do It
      3. How to Do It
      4. What Tools Exist to Help You Do It
    6. Step Four: Perform a Penetration Test on Certain Assets
      1. What You Need to Do
      2. Why You Need to Do It
      3. How to Do It
      4. What Tools Exist to Help You Do It
    7. Step Five: Remediate Vulnerabilities and Risk
      1. What You Need to Do
      2. Why You Need to Do It
      3. How to Do It
      4. What Tools Exist to Help You Do It
    8. Step Six: Create a Vulnerability Assessment Schedule
      1. What You Need to Do
      2. Why You Need to Do It
      3. How to Do It
    9. Step Seven: Create a Patch and Change Management Process
      1. What You Need to Do
      2. Why You Need to Do It
      3. How to Do It
      4. What Tools Exist to Help You Do It
    10. Step Eight: Monitor for New Risks to Assets
      1. What You Need to Do
      2. Why You Need to Do It
      3. How to Do It
      4. What Tools Exist to Help You Do It
    11. Summary
  19. A. Legal Principles for Information Security Evaluations[1]
    1. Introduction
    2. Uncle Sam Wants You: How Your Company’s Information Security Can Affect U.S. National Security (and Vice Versa)
    3. Legal Standards Relevant to Information Security
      1. Selected Federal Laws
        1. Gramm-Leach-Bliley Act
        2. Health Insurance Portability and Accountability Act
        3. Sarbanes-Oxley
        4. Federal Information Security and Management Act
        5. FERPA and the TEACH Act
        6. Electronic Communications Privacy Act and Computer Fraud and Abuse Act
      2. State Laws
        1. Unauthorized Access
        2. Deceptive Trade Practices
      3. Enforcement Actions
      4. Three Fatal Fallacies
        1. The “Single Law” Fallacy
        2. The Private Entity Fallacy
        3. The “Pen Test Only” Fallacy
    4. Do It Right or Bet the Company: Tools to Mitigate Legal Liability
      1. We Did our Best; What’s the Problem?
        1. The Basis for Liability
        2. Negligence and the “Standard of Care”
      2. What Can Be Done?
        1. Understand your Legal Environment
        2. Comprehensive and Ongoing Security Assessments, Evaluations, and Implementation
        3. Use Contracts to Define Rights and Protect Information
        4. Use Qualified Third-party Professionals
        5. Making Sure Your Standards-of-Care Assessments Keep Up with Evolving Law
        6. Plan for the Worst
        7. Insurance
    5. What to Cover in Security Evaluation Contracts[64]
      1. What, Who, When, Where, How, and How Much
        1. What
          1. Description of the Security Evaluation and Business Model
          2. Definitions Used in the Contract
          3. Description of the Project
          4. Assumptions, Representations, and Warranties
          5. Boundaries and Limitations
          6. Identification of Deliverables
        2. Who
          1. Statement of Parties to the Contractual Agreement
          2. Authority of Signatories to the Contractual Agreement
          3. Roles and Responsibilities of Each Party to the Contractual Agreement
          4. Non-disclosure and Secrecy Agreements
          5. Assessment Personnel
          6. Crisis Management and Public Communications
          7. Indemnification, Hold Harmless, and Duty to Defend
          8. Ownership and Control of Information
          9. Intellectual Property Concerns
          10. Licenses
        3. When
          1. Actions or Events that Affect Schedule
        4. Where
        5. How
        6. How Much
          1. Fees and Cost
          2. Billing Methodology
          3. Payment Expectations and Schedule
          4. Rights and Procedures to Collect Payment
          5. Insurance for Potential Damage During Evaluation
        7. Murphy’s Law (When Something Goes Wrong)
          1. Governing Law
          2. Acts of God, Terror Attacks, and other Unforeseeable Events
          3. When Agreement is Breached and Remedies
          4. Liquidated Damages
          5. Limitations on Liability
          6. Survival of Obligations
          7. Waiver and Severability
          8. Amendments to the Contract
      2. Where the Rubber Meets the Road: The LOA as Liability Protection
        1. Beyond You and Your Customer
          1. Software License Agreements
          2. Your Customer’s Customer
    6. The First Thing We Do...? Why You Want Your Lawyers Involved From Start to Finish
      1. Attorney-Client Privilege
      2. Advice of Counsel Defense
      3. Establishment and Enforcement of Rigorous Assessment, Interview, and Report-Writing Standards
      4. Creating a Good Record for Future Litigation
      5. Maximizing Ability to Defend Litigation
      6. Dealing with Regulators, Law Enforcement, Intelligence, and Homeland Security Officials
      7. The Ethics of Information Security Evaluation[92]
    7. Solutions Fast Track
      1. Uncle Sam Wants You: How Your Company’s Information Security Can Affect U.S. National Security (and Vice Versa)
      2. Legal Standards Relevant to Information Security
      3. Selected Laws
      4. Do It Right or Bet the Company: Tools to Mitigate Legal Liability
      5. What to Cover in IEM Contracts[94]
      6. The First Thing We Do...? Why You Want Your Lawyers Involved From Start to Finish
    8. Frequently Asked Questions
    9. References
  20. B. Examples of INFOSEC Tools by Baseline Activity
    1. Port Scanning
    2. SNMP Scanning
    3. Enumeration and Banner Grabbing
    4. Wireless Enumeration
    5. Vulnerability Scanning
    6. Host Evaluation
    7. Network Device Analysis
    8. Password-Compliance Testing
    9. Application-Specific Scanning
    10. Network Protocol Analysis