NIST Publication Review
Guideline on Network Security Testing NIST 800-42
After reviewing the NIST publication we were asked to answer some questions regarding network security and testing. The publication in reference can be found here:
NIST 800-42
1. What is the purpose of Network Security?
Due to the complex nature of current computer systems, exploitable flaws will always be present or surface over time. Security testing actively addresses these issues and allows the development and operation of these systems to continue. Security testing is important for understanding, calibrating, and documenting the current state of security for an organization. Testing allows an organization to be proactive in avoiding costly incidents brought on by computer attacks and to plan for future growth.
2. Describe basic capabilities and limitations of vulnerability testing.
Vulnerability testing uses tools and processes to scan the network for vulnerabilities. It is only as good as the tools used to perform the tests, so not all vulnerabilities will be discovered. Penetration testing should be used in addition to vulnerability testing to help discover hidden vulnerabilities. The knowledge of the testers and security personnel involved is a large part of how effective the testing is. Organizations may still remain at risk despite all precautions and results.
3. Why are security testing results valuable?
Testing results can be used to improve the security policy of an organization.
4. What does a comprehensive network scan produce?
Network scanning involves using a port scanner to identify all hosts potentially connected to an organization's network, the network services operating on those hosts, and the specific applications running the identified services. The result of the scan is a comprehensive list of all active hosts and services, printers, switches, and routers operating in the address space scanned by the port-scanning tool.
5. What does network scanning enable an organization to do?
Organizations should conduct network scanning to:
- Check for unauthorized hosts connected to the organization’s network
- Identify vulnerable services
- Identify deviations from the allowed services defined in the organization’s security policy
- Prepare for penetration testing
- Assist in the configuration of the intrusion detection system (IDS)
- Collect forensics evidence
6. Describe the types of corrective actions that may be necessary as a result of network scanning.
Network scanning results should be documented and identified deficiencies corrected. The following corrective actions may be necessary as a result of network scanning:
- Investigate and disconnect unauthorized hosts
- Disable or remove unnecessary and vulnerable services
- Modify vulnerable hosts to restrict access to vulnerable services to a limited number of required hosts (e.g., host level firewall or TCP wrappers)
- Modify enterprise firewalls to restrict outside access to known vulnerable services
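Questions 5 and 6 above describe what network scanning enables and the corrective actions that follow from it. As an added example that is not part of the original review or of NIST 800-42, the following Python script parses a constructed sample of nmap grepable (-oG) output, compares it against a hypothetical inventory of authorized hosts and the ports each may expose, and maps every discrepancy to one of the corrective actions listed above. The sample output, the addresses and the policy are all assumptions made for the example.

```python
import re

# Constructed sample of nmap grepable (-oG) output; not output from a real scan.
SCAN_OUTPUT = """\
# Nmap scan (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//nginx/, 8080/open/tcp//http-proxy//\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tPorts: 23/open/tcp//telnet//, 445/open/tcp//microsoft-ds//, 139/filtered/tcp//netbios-ssn//
Host: 192.0.2.12 ()\tPorts: 443/open/tcp//https//Apache/
"""

# Hypothetical policy: the authorized hosts and the ports each may expose.
AUTHORIZED = {"192.0.2.10": {22, 80}, "192.0.2.11": {445}}
# Services the hypothetical policy forbids anywhere on the network.
PROHIBITED_SERVICES = {"telnet", "ftp", "rsh"}

# One -oG port entry looks like port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//")

def parse_grepable(text):
    """Return {host: {(port, service), ...}} for ports nmap reported open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # -oG fields are tab separated: "Host: ...", "Ports: ...", "Ignored State: ..."
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        hosts.setdefault(host, set())
        for port, state, _proto, service in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":  # filtered/closed ports are not exposed services
                hosts[host].add((int(port), service))
    return hosts

def evaluate(hosts, authorized, prohibited):
    """Return (host, port, service, category, corrective action) tuples.

    port is 0 when the finding concerns the whole host rather than one service.
    """
    findings = []
    for host, services in sorted(hosts.items()):
        if host not in authorized:
            findings.append((host, 0, "", "unauthorized host", "investigate and disconnect"))
            continue
        for port, service in sorted(services):
            if service in prohibited:
                findings.append((host, port, service, "vulnerable service", "disable or remove"))
            elif port not in authorized[host]:
                findings.append((host, port, service, "policy deviation", "restrict access or remove"))
    return findings
```

A real run would feed the script the file produced by `nmap -oG` against the organization's own address space and an inventory exported from the security policy; the findings list then becomes the documented deficiency record that question 6 calls for.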
7. Compare and contrast port and vulnerability scanners.
Vulnerability scanners go beyond what a port scanner can do. Like a port scanner, a vulnerability scanner identifies hosts and open ports, but it also provides information on the associated vulnerabilities. Port scanners mostly rely on human interpretation of the results. Most vulnerability scanners also attempt to provide information on mitigating discovered vulnerabilities.
8. Describe a vulnerability scanner and include capabilities
Vulnerability scanners provide system and network administrators with proactive tools that can be used to identify vulnerabilities before an attacker can find them. A vulnerability scanner is a fast and easy way to quantify an organization's exposure to surface vulnerabilities.
Vulnerability scanners provide the following capabilities:
- Identifying active hosts on the network
- Identifying active and vulnerable services (ports) on hosts
- Identifying applications and banner grabbing
- Identifying operating systems
- Identifying vulnerabilities associated with discovered operating systems and applications
- Identifying misconfigured settings
- Testing compliance with host application usage/security policies
- Establishing a foundation for penetration testing
9. Describe the types of corrective actions that may be necessary as a result of vulnerability scanning.
Vulnerability scanners can automatically make corrections and fix certain discovered vulnerabilities. Also the following corrective actions may be necessary as a result of vulnerability scanning:
- Upgrade or patch vulnerable systems to mitigate identified vulnerabilities as appropriate.
- Deploy mitigating measures (technical or procedural) if the system cannot be immediately patched (e.g., operating system upgrade will make the application running on top of the operating system inoperable), in order to minimize the probability of this system being compromised.
- Improve configuration management program and procedures to ensure that systems are upgraded routinely.
- Assign a staff member to monitor vulnerability alerts and mailing lists, examine their applicability to the organization's environment and initiate appropriate system changes.
- Modify the organization's security policies, architecture, or other documentation to ensure that security practices include timely system updates and upgrades.
10. What is the purpose of penetration testing?
While vulnerability scanners only check that a vulnerability may exist, the attack phase of a penetration test exploits the vulnerability, confirming its existence. Penetration testing is security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation. The purpose of penetration testing is to identify methods of gaining access to a system by using common tools and techniques used by attackers.
11. Compare and contrast blue teaming and red teaming
Penetration testing can be overt or covert. These two types of penetration testing are commonly referred to as Blue Teaming and Red Teaming. Blue Teaming involves performing a penetration test with the knowledge and consent of the organization's IT staff. Red Teaming involves performing a penetration test without the knowledge of the organization's IT staff but with full knowledge and permission of the upper management.
12. Select a few of the General Information Security Principles. Present them and elaborate on their importance.
Open Design—System security should not depend on the secrecy of the implementation or its components. “Security through obscurity” does not work.
The process of sharing the design of a system helps open source platforms become more secure than closed source systems. Because of the additional sources of error checking and testing, open source platforms succeed in identifying and fixing vulnerabilities and flaws quickly and with greater regularity than a system that does not make its code public. Open source systems rely on good organizational policies and properly trained personnel to securely lock down their systems.
Separation of Privilege—Functions, to the degree possible, should be separate and provide as much granularity as possible. The concept can apply to both systems and operators/users. In the case of system operators and users, roles should be as separate as possible. For example if resources allow, the role of system administrator should be separate from that of the security administrator.
A key requirement of Sarbanes-Oxley (SOX) compliance is separation of duties in the change management process. In a packaged application environment, separation of duties means that the same individual cannot make a change to the development database AND then move that change to the production database. This requirement is designed to eliminate fraudulent changes to the systems affecting your financial reporting.
Following this principle forces organizations to start thinking in terms of role-based security assignments.
Psychological Acceptability—Users should understand the necessity of security. This can be provided through training and education. In addition, the security mechanisms in place should present users with sensible options that will give them the usability they require on a daily basis. If users find the security mechanisms too cumbersome, they find ways to work around or compromise them. An example of this is using random passwords that are very strong but difficult to remember; users may write them down or look for methods to circumvent the policy.
This may be the most important principle. Unless users understand why the controls are in place, they will not be motivated to do their part in keeping the system secure. An attacker who opts to go the social engineering route will have great success in such a case.