[ISN] ITL Bulletin for November 2003

From: InfoSec News (isn@private)
Date: Thu Nov 20 2003 - 23:12:36 PST


    Forwarded from: Elizabeth Lennon <elizabeth.lennon@private>
    
    NETWORK SECURITY TESTING
    Shirley M. Radack, Editor
    Computer Security Division
    Information Technology Laboratory
    National Institute of Standards and Technology
    Technology Administration
    U.S. Department of Commerce
    
    Securing and operating today's complex systems is challenging and
    demanding. Mission and operational requirements to deliver services
    and applications swiftly and securely have never been greater.
    Organizations, having invested precious resources and scarce skills in
    various necessary security efforts such as risk analysis,
    certification, accreditation, security architectures, policy
    development, and other security efforts, can be tempted to neglect or
    insufficiently develop a comprehensive and systematic operational
    security testing program.
    
    This guide stresses the need for an effective security testing program
    within federal agencies. Testing serves several purposes. One, no
    matter how well a given system may have been developed, the nature of
    today's complex systems with large volumes of code, complex internal
    interactions, interoperability with external components, unknown
    interdependencies coupled with vendor cost and schedule pressures,
    means that exploitable flaws will always be present and will surface
    over time. Accordingly, security testing must fill the gap between the
    state of system development as it is and actual operation of these
    systems. Two, security testing is important for understanding,
    calibrating, and documenting the operational security posture of an
    organization. Aside from development of these systems, the operational
    and security demands must be met in a fast-changing threat and
    vulnerability environment. Attempting to learn and repair the state of
    your security during a major attack, for example, may be too late as
    the damage in cost and reputation could be extremely high. Three,
    security testing is an essential component of improving the security
    posture of your organization overall. Organizations that have a
    systematic, comprehensive, ongoing, and priority-driven security
    testing regimen are in a much better position to make prudent
    investments to enhance the security posture of their systems.
    
    NIST Guideline on Network Security Testing
    
    NIST recently issued Special Publication (SP) 800-42, Guideline on
    Network Security Testing, to assist organizations in testing their
    Internet-connected and operational systems. The guide provides an
    approach to adopting effective procedures that can help organizations
    uncover unknown vulnerabilities, institute security controls, and
    prevent incidents and attacks. Written by John Wack, Miles Tracy, and
    Murugiah Souppaya, NIST SP 800-42 introduces three aspects of network
    security testing:
    
    * How network security testing fits into the system
      development life cycle and the organizational roles and 
      responsibilities related to security testing,
    
    * Available testing techniques, their strengths and 
      weaknesses, and the recommended frequencies for testing, and
    
    * Strategies for deploying network security testing, 
      including how to prioritize testing activities when 
      resources are limited and how to avoid duplication of 
      effort in adopting techniques that are appropriate to the 
      organization's mission and security objectives.
    
    In addition to the basic information about establishing programs to
    implement network security testing, the guideline provides references,
    explanations of the terminology used, descriptions of available
    testing tools, and recommendations on how to use selected tools.
    
    This ITL bulletin summarizes the publication, which is available at
    http://csrc.nist.gov/publications/nistpubs/index.html.
    
    Security Testing and the System Development Life Cycle
    
    Organizations should evaluate their systems' security at different
    stages of system development. Security evaluation activities include,
    but are not limited to, risk assessment, certification and
    accreditation (C&A), system audits, and security testing at
    appropriate periods during a system's life cycle. These activities are
    directed toward ensuring that the system is being developed and
    operated in accordance with the organization's security policy.
    
    The Security Test and Evaluation (ST&E) process is an examination or
    analysis of the protective measures that are placed on an information
    system once it is fully integrated and operational. The process will
    help to uncover design, implementation, and operational flaws,
    determine the adequacy of security mechanisms, and assess whether the
    system is implemented as documented. ST&E addresses computer security,
    communications security, emanations security, physical security,
    personnel security, administrative security, and operations security.
    
    Network security testing is conducted after the system has been
    developed, installed, and integrated during its Implementation and
    Operational stages. The results of testing can help to identify
    vulnerabilities, demonstrate progress in meeting security
    requirements, and indicate needs for system improvement. Therefore,
    security testing provides information for other system development
    life cycle activities such as risk analysis and contingency planning.
    Security testing results should be made available for staff members
    involved in other information technology and security-related areas.
    
    Tools for Network Security Testing
    
    Network security testing should be conducted on a regular basis while
    systems are running in their operational environments to provide
    information about the integrity of an organization's networks and
    associated systems. Some testing techniques are predominantly manual,
    requiring an individual to initiate and conduct the test. Other tests
    are highly automated and require less human involvement.  The staff
    members who set up and conduct the security testing activities must
    have solid security and networking knowledge.
    
    Testing techniques are available for network mapping, vulnerability
    scanning, password cracking, penetration testing, war dialing, war
    driving, file integrity checking, and virus scanning. Often, several
    of these testing techniques are used together to gain a more
    comprehensive assessment of the overall status of network security.
    For example, penetration testing usually includes network scanning and
    vulnerability scanning to identify vulnerable hosts and services that
    may be targeted for later penetration. Some vulnerability scanners
    incorporate password cracking. None of the tests by themselves will
    provide a complete picture of the network or its security posture.
    After tests are completed, all test results should be documented, and
    system owners should be informed of the results to ensure that
    vulnerabilities are patched or mitigated.
    
    Several techniques for network testing are introduced in SP 800-42.
    The following table summarizes the types of testing and the strengths
    and weaknesses of each test technique.
    
    Type of Test
    
    Network Scanning
    Strengths
    
    * Fast (as compared to vulnerability scanners or
      penetration testing)
    
    * Efficiently scans hosts, depending on number of hosts in
      network
    
    * Many excellent freeware tools available
    
    * Highly automated (for scanning component)
    
    * Low cost
    
    Weaknesses
    
    * Does not directly identify known vulnerabilities
      (although it will identify commonly used Trojan ports
      [e.g., 31337, 12345, etc.])
    
    * Generally used as a prelude to penetration testing not as
      final test
    
    * Requires significant expertise to interpret results
    
    Vulnerability Scanning
    Strengths
    
    * Can be fairly fast depending on number of hosts scanned
    
    * Some freeware tools available
    
    * Highly automated (for scanning)
    
    * Identifies known vulnerabilities
    
    * Often provides advice on mitigating discovered vulnerabilities
    
    * High cost (commercial scanners) to low (freeware scanners)
    
    * Easy to run on a regular basis
    
    Weaknesses
    
    * Has high false positive rate
    
    * Generates large amount of traffic aimed at a specific 
      host (which can cause the host to crash or lead to a 
      temporary denial of service)
    
    * Not stealthy (e.g., easily detected by IDS, firewall and
      even end-users [although this may be useful in testing
      the response of staff and alerting mechanisms])
    
    * Can be dangerous in the hands of a novice (particularly
      DoS attacks)
    
    * Often misses latest vulnerabilities
    
    * Identifies only surface vulnerabilities
    
    Penetration Testing
    Strengths
    
    * Tests network using the methodologies and tools that 
      attackers employ
    
    * Verifies vulnerabilities
    
    * Goes beyond surface vulnerabilities and demonstrates how 
      these vulnerabilities can be exploited iteratively to 
      gain greater access
    
    * Demonstrates that vulnerabilities are not purely theoretical
    
    * Can provide the realism and evidence needed to address 
      security issues
    
    * Social engineering allows for testing of procedures and
      the human element of network security
    
    Weaknesses
    
    * Requires great expertise
    
    * Very labor intensive
    
    * Slow, target hosts may take hours/days to "crack"
    
    * Due to time required not all hosts on medium or large
      sized networks will be tested individually
    
    * Dangerous when conducted by inexperienced testers
    
    * Certain tools and techniques may be banned or controlled 
      by agency regulations (e.g., network sniffers, password 
      crackers, etc.)
    
    * Expensive
    
    * Can be organizationally disruptive
    
    Password Cracking
    Strengths
    
    * Quickly identifies weak passwords
    
    * Provides clear demonstration of password strength or weakness
    
    * Easily implemented
    
    * Low cost
    
    Weaknesses
    
    * Potential for abuse
    
    * Certain organizations restrict use
    
    Log Reviews
    Strengths
    
    * Provides excellent information
    
    * Only data source that provides historical information
    
    Weaknesses
    
    * Cumbersome to manually review
    
    * May filter out important information
    
    File Integrity Checkers
    Strengths
    
    * Reliable method of determining whether a host has been 
      compromised
    
    * Highly automated
    
    * Low cost
    
    Weaknesses
    
    * Does not detect any compromise prior to installation
    
    * Checksums need to be updated when system is updated
    
    * Checksums need to be protected (e.g., read only CD-ROM)
      because they provide no protection if they can be modified
      by an attacker
    
    Virus Detectors
    Strengths
    
    * Excellent at preventing and removing viruses
    
    * Low/Medium cost
    
    Weaknesses
    
    * Require constant updates to be effective
    
    * Some false positive issues
    
    * Ability to react to new, fast-replicating viruses is 
      often limited
    
    War Dialing
    Strength
    
    * Effective way to identify unauthorized modems
    
    Weaknesses
    
    * Legal and regulatory issues especially if using public 
      switched network
    
    * Slow
    
    War Driving
    Strength
    
    * Effective way to identify unauthorized wireless access points
    
    Weaknesses
    
    * Possible legal issues if other organization's signals are 
      intercepted
    
    * Requires some expertise in computing, wireless networking
      and radio engineering
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    The following table summarizes the baseline frequencies for 
    running the tests:
    (See the definitions for Category 1 and Category 2 systems at the end
    of the table.)
    
    Test Type
    
    Network Scanning
    Category 1 Frequency
             Continuously to Quarterly
    Category 2 Frequency
             Semi-Annually
    Benefits
    
    * Enumerates the network structure and determines the set
      of active hosts, and associated software
    
    * Identifies unauthorized hosts connected to a network
    
    * Identifies open ports
    
    * Identifies unauthorized services
    
    Vulnerability Scanning
    Category 1 Frequency
             Quarterly or bi-monthly (more often for certain
             high risk systems), when the vulnerability database
             is updated
    Category 2 Frequency
             Semi-Annually
    
    Benefits
    
    * Enumerates the network structure and determines the set
      of active hosts, and associated software
    
    * Identifies a target set of computers to focus 
      vulnerability analysis
    
    * Identifies potential vulnerabilities on the target set
    
    * Validates that operating systems and major applications
      are up to date with security patches and software versions
    
    Penetration Testing
    Category 1 Frequency
             Annually
    Category 2 Frequency
             Annually
    Benefits
    
    * Determines how vulnerable an organization's network is to 
      penetration and the level of damage that can be incurred
    
    * Tests IT staff's response to perceived security incidents 
      and their knowledge of and implementation of the organization's 
      security policy and system's security requirements
    
    Password Cracking
    Category 1 Frequency
             Continuously to same frequency as expiration policy
    Category 2 Frequency
             Same frequency as expiration policy
    Benefits
    
    * Verifies that the policy is effective in producing 
      passwords that are more or less difficult to break
    
    * Verifies that users select passwords that are compliant 
      with the organization's security policy
    
    Log Reviews
    Category 1 Frequency
             Daily for critical systems, e.g., firewalls
    Category 2 Frequency
             Weekly
    Benefit
    
    * Validates that the system is operating according to policies
    
    Integrity Checkers
    Category 1 Frequency
             Monthly and in case of suspected incident
    Category 2 Frequency
             Monthly
    Benefit
    
    * Detects unauthorized file modifications
    
    Virus Detectors
    Category 1 Frequency
             Weekly or as required
    Category 2 Frequency
             Weekly or as required
    
    Benefit
    * Detects and deletes viruses before successful 
      installation on the system
    
    War Dialing
    Category 1 Frequency
             Annually
    Category 2 Frequency
             Annually
    Benefit
    
    * Detects unauthorized modems and prevents unauthorized
      access to a protected network
    
    War Driving
    Category 1 Frequency
             Continuously to weekly
    Category 2 Frequency
             Semi-annually
    Benefit
    
    * Detects unauthorized wireless access points and prevents 
      unauthorized access to a protected network
    
    Category 1 systems are generally those systems whose
    operation is critical to the organizational mission.
    Category 1 systems include:
    
    * Firewalls, both internal and external,
    
    * Routers and switches,
    
    * Related network-perimeter security systems such as 
      intrusion detection systems,
    
    * Web servers, e-mail servers, and other application servers,
    
    * Other servers such as for Domain Name Service (DNS) or 
      directory servers or file servers, and
    
    * Other selected high-priority applications and systems.
    
    Category 2 systems include general staff and related systems, e.g.,
    desktop, standalone and mobile client systems. While the security of
    these systems is important, Category 1 systems should generally be
    tested more frequently than Category 2 systems.
    
    Deployment Strategies
    
    The goal of security testing is to maximize the benefit to the
    organization as a whole. The guideline recommends that organizations
    adopt consistent approaches to network security testing, using levels
    of security testing that are appropriate to organizational missions
    and security objectives.
    
    The types and frequency of testing during the operational and
    maintenance phase (both for minimum and comprehensive testing) should
    be ranked according to a priority order, based on the security
    category, cost of conducting the tests, and the expected overall
    benefits to the organization's systems. The decision about what to
    test for during the implementation phase normally involves a single
    system. The same decision during the operational and maintenance phase
    becomes more complicated because of internal and external connections.
    To maximize the value of testing, the prioritization process should
    consider the interconnectivity of systems. Senior managers should be
    involved in the prioritization process to ensure that the
    organizational perspective is considered.
    
    The basic steps that organizations should take in developing a
    priority ranking for their network testing activities include:
    
    * Determine the security category for the organization's information
    systems. Federal Information Processing Standards (FIPS) 199,
    Standards for Security Categorization of Federal Information and
    Information Systems, covers this important step. It defines three
    levels of potential impact on organizations (or on individuals) should
    certain adverse events occur. These are events that could jeopardize
    the information systems needed by the organization to accomplish its
    assigned mission, protect its assets, fulfill its legal
    responsibilities, maintain its day-to-day functions, and protect
    individuals.  Security categories are to be used in conjunction with
    vulnerability and threat information to assess the risk that an
    organization incurs when operating an information system. FIPS 199 is
    available as a pre-publication final document at
    http://csrc.nist.gov/publications.
    
    * Determine the cost of performing each test for each system. Costs
    vary depending upon the size and complexity of the system to be
    tested, the level of human interaction required for each test, the
    feasibility of selecting a sample for the tests, and the size of the
    sample.
    
    * Identify the benefits of each test type per system to assure that
    the cost of testing does not exceed its value to the organization.
    These benefits can include knowledge gained about systems and
    networks, and reduced chances for intrusion or business disruption.
    
    * Prioritize systems for testing, based on security category, cost of
    testing, and benefits. The prioritized list should include the
    resources required for conducting each type of test for each system
    under consideration. The starting point for determining minimum
    required resources should be minimum testing for those systems with
    the highest level of impact. If resources are not available for
    minimum testing for the highest impact systems, additional resources
    should be requested.
    
    Summary of NIST Recommendations
    
    * Make network security testing a routine and integral part of the
    system and network operations and administration.  Organizations
    should conduct routine tests of systems and verify that systems have
    been configured correctly with the appropriate security mechanisms and
    policy. Routine testing prevents many types of incidents from
    occurring in the first place. The additional costs for performing this
    testing will likely be offset by the reduced costs in incident
    response.
    
    * Test the most important systems first. In general, systems that
    should be tested first include those systems that are publicly
    accessible, that is, routers, firewalls, web servers, e-mail servers,
    and certain other systems that are open to the public, are not
    protected behind firewalls, or are mission-critical systems.
    Organizations can then use various metrics to determine the importance
    or criticality of other systems in the organization and then test
    those systems as well.
    
    * Use caution when testing. Certain types of testing, including
    network scanning, vulnerability testing, and penetration testing, can
    mimic the signs of attack. Testing should be done in a coordinated
    manner, with the knowledge and consent of appropriate officials.
    
    * Ensure that security policy accurately reflects the organization's
    needs. The policy must be used as a baseline for comparison with
    testing results. Without an appropriate policy, the usefulness of
    testing is drastically limited.  For example, discovering that a
    firewall permits the flow of certain types of traffic may be
    irrelevant if there is no policy that states what type of traffic or
    what type of network activity is permitted. When there is a policy,
    testing results can be used to improve the policy.
    
    * Integrate security testing into the risk management process. Testing
    can uncover unknown vulnerabilities and misconfigurations. As a
    result, testing frequencies may need to be adjusted to meet the
    prevailing circumstances, such as when new controls are added to
    vulnerable systems or other configuration changes are made because of
    a new threat environment. Security testing reveals crucial information
    about an organization's security posture and its ability to surmount
    external attacks or to avoid significant financial costs or damage to
    its reputation as a result of internal malfeasance.  In some cases,
    the results of the testing may indicate that the policy and the
    security architecture should be updated.
    
    * Ensure that system and network administrators are trained and
    capable. The staff members recruited for network system testing may
    already be involved in system administration. While system
    administration is an increasingly complex task, the number of trained
    system administrators generally has not kept pace with the increase in
    computing systems. Competent system administration may be the most
    important security measure an organization can employ, and
    organizations should ensure they have sufficient staff members with
    the required skill level to perform system administration and security
    testing correctly.
    
    * Ensure that systems are kept up-to-date with patches. As a result of
    security testing, it may become necessary to patch many systems.
    Applying patches in a timely manner can sharply reduce the
    organization's exposure to vulnerabilities.
    
    * Look at the big picture. The results of routine testing may indicate
    that the organization should readdress its systems security
    architecture. Some organizations may need to step back and undergo a
    formal process of identifying the security requirements for many of
    their systems, and then begin to redesign or adapt their security
    architecture accordingly. This process will result in improved
    efficiency of operations and fewer costs related to incident response
    operations.
    
    * Understand the capabilities and limitations of vulnerability
    testing. Vulnerability testing may result in many false positive
    scores, or it may not detect certain types of problems that are beyond
    the detection capabilities of the tools. Penetration testing is an
    effective complement to vulnerability testing, aimed at uncovering
    hidden vulnerabilities. However, it is resource intensive, requires
    much expertise, and can be expensive. Organizations should assume
    that they are vulnerable to attack regardless of what their testing
    scores indicate.
    
    Useful References
    
    The following NIST Special Publications (SPs) and
    Federal Information Processing Standard Publication (FIPS) provide
    useful information about planning, implementing, and maintaining
    secure information systems. These publications are available on NIST's
    web pages: http://csrc.nist.gov/publications/
    
    NIST SP 800-12, An Introduction to Computer Security: The NIST
    Handbook, October 1995, provides guidance on general security
    procedures.
    
    NIST SP 800-14, Generally Accepted Principles and Practices for
    Securing Information Technology Systems, September 1996, describes
    common practices for the security of information systems.
    
    NIST SP 800-18, Guide for Developing Security Plans for Information
    Technology Systems, December 1998, provides details on developing and
    updating security plans.
    
    NIST SP 800-26, Security Self-Assessment Guide for IT Systems,
    November 2001, provides details on self-assessment.
    
    NIST SP 800-27, Engineering Principles for Information Technology
    Security (A Baseline for Achieving Security), June 2001, presents
    system-level security principles to be considered in the design,
    development, and operation of information systems.
    
    NIST SP 800-30, Risk Management Guide for Information Technology
    Systems, January 2002, discusses the process of identifying risk,
    assessing risk, and taking steps to reduce risk to an acceptable
    level.
    
    NIST SP 800-31, Intrusion Detection Systems (IDS), November 2001,
    discusses hardware and software systems that monitor events occurring
    in a computer system or network.
    
    NIST SP 800-34, Contingency Planning Guide for Information Technology
    (IT) Systems, June 2002, gives information on developing and
    implementing IT contingency plans.
    
    NIST SP 800-40, Procedures for Handling Security Patches, September
    2002, provides guidance on developing and implementing an
    organizational patch and vulnerability approach.
    
    NIST SP 800-41, Guideline on Firewalls and Firewall Policy, January
    2002, presents information about the use of firewalls and development
    of firewall policies.
    
    NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth, and
    Handheld Devices, November 2002, provides guidance on improving the
    security of wireless systems and mobile devices.
    
    NIST, SP 800-61 (Draft), Computer Security Incident Handling Guide,
    September 2003, discusses forming incident response teams,
    establishing incident response policies and procedures, and handling
    incidents.
    
    NIST SP 800-64, Security Considerations in the Information System
    Development Life Cycle, October 2003, presents a framework for
    incorporating security into all phases of the system development life
    cycle.
    
    FIPS 199 (Pre-publication Final), Standards for Security
    Categorization of Federal Information and Information Systems,
    December 2003.  
    http://csrc.nist.gov/publications/drafts/draft-fips-pub-199.pdf
    
    Disclaimer
    
    Any mention of commercial products or reference to
    commercial organizations is for information only; it does not imply
    recommendation or endorsement by NIST nor does it imply that the
    products mentioned are necessarily the best available for the purpose.
    
    
    
    


