MODULE 24 - CERTIFICATION CYBER OPS ASSOCIATE Flashcards
(144 cards)
1
Q
Syslog and NTP
Various protocols that commonly appear on networks have features that make them of special interest in security monitoring.
A
For example, syslog and Network Time Protocol (NTP) are essential to the work of the cybersecurity analyst.
2
Q
Syslog and NTP The syslog standard is used for
A
logging event messages from network devices and endpoints, as shown in the figure
https://snipboard.io/cuZAPX.jpg.
The standard allows for a system-neutral means of transmitting, storing, and analyzing messages.
Many types of devices from many different vendors can use syslog to send log entries to central servers that run a syslog daemon.
This centralization of log collection helps to make security monitoring practical. Servers that run syslog typically listen on UDP port 514.
3
Q
Syslog and NTP Because syslog is so important to security monitoring, syslog servers may be a target for threat actors.
A
Some exploits,
such as those involving data exfiltration, can take a long time to complete due to the
very slow ways in which data is secretly stolen from the network.
4
Q
Syslog and NTP Some attackers may try to hide the fact that exfiltration is occurring.
A
They attack syslog servers that contain the information that could lead to detection of the exploit.
Hackers may attempt to block the transfer of data from syslog clients to servers, tamper with or destroy log data, or tamper with the software that creates and transmits log messages.
The next generation (ng) syslog implementation, known as syslog-ng, offers enhancements that can help prevent some of the exploits that target syslog.
5
Q
NTP - Network Time Protocol Syslog messages are usually timestamped.
A
This allows messages from different sources to be organized by time to provide a view of network communication processes.
Because the messages can come from many devices, it is important that the devices share a consistent timeclock. One way that this can be achieved is for the devices to use Network Time Protocol (NTP).
NTP uses a hierarchy of authoritative time sources to share time information between devices on the network, as shown in the figure.
In this way, device messages that share consistent time information can be submitted to the syslog server. NTP operates on UDP port 123.
6
Q
NTP - Network Time Protocol
Because events that are connected to an exploit can leave traces across every network device on their path to the target system, timestamps are essential for detection.
A
Threat actors may attempt to attack the NTP infrastructure in order to corrupt time information used to correlate logged network events.
This can serve to obfuscate traces of ongoing exploits.
In addition, threat actors have been known to use NTP systems to direct DDoS attacks through vulnerabilities in client or server software.
While these attacks do not necessarily result in corrupted security monitoring data, they can disrupt network availability.
7
Q
NTP - Network Time Protocol
https://snipboard.io/RklCav.jpg
A
https://snipboard.io/RklCav.jpg
8
Q
DNS - DOMAIN NAME SERVICE
Domain Name Service (DNS) is used by millions of people daily.
A
Because of this, many organizations have less stringent policies in place to protect against DNS-based threats than they have to protect against other types of exploits.
Attackers have recognized this and commonly encapsulate different network protocols within DNS to evade security devices.
9
Q
DNS - DOMAIN NAME SERVICE
DNS is now used by many types of malware.
A
Some varieties of malware use DNS to communicate with command-and-control (CnC) servers and to exfiltrate data in traffic disguised as normal DNS queries.
Various types of encoding, such as Base64, 8-bit binary, and Hex can be used to camouflage the data and evade basic data loss prevention (DLP) measures.
10
Q
DNS - DOMAIN NAME SERVICE
For example, malware could encode stolen data as the subdomain portion of a DNS lookup for a domain where the nameserver is under control of an attacker.
A
A DNS lookup for ‘long-string-of-exfiltrated-data.example.com’ would be forwarded to the nameserver of example.com, which would record ‘long-string-of-exfiltrated-data’ and reply back to the malware with a coded response.
This use of the DNS subdomain is shown in the figure.
The exfiltrated data is the encoded text shown in the box.
The threat actor collects this encoded data, decodes and combines it, and now has access to an entire data file, such as a username/password database.
11
Q
DNS - DOMAIN NAME SERVICE
It is likely that the subdomain part of such requests would be much longer than usual requests.
Cyber analysts can use the distribution of the lengths of subdomains within DNS requests to construct a mathematical model that describes normality.
A
They can then use this to compare their observations and identify an abuse of the DNS query process.
For example, it would not be normal to see a host on your network sending a query to
aW4gcGxhY2UgdG8gcHJvdGVjdC.example.com.
12
Q
DNS - DOMAIN NAME SERVICE
DNS queries for randomly generated domain names, or extremely long random-appearing subdomains, should be considered suspicious, especially if their occurrence spikes dramatically on the network.
A
DNS proxy logs can be analyzed to detect these conditions.
Alternatively, services such as the Cisco Umbrella passive DNS service can be used to block requests to suspected CnC and exploit domains.
13
Q
DNS - DOMAIN NAME SERVICE DNS Exfiltration
A
DNS Exfiltration:
https://snipboard.io/QJ0L2I.jpg
14
Q
HTTP and HTTPS Hypertext Transfer Protocol (HTTP)
is the backbone protocol of the World Wide Web.
A
However, all information carried in HTTP is transmitted in plaintext from the source computer to the destination on the internet.
HTTP does not protect data from alteration or interception by malicious parties, which is a serious threat to privacy, identity, and information security.
All browsing activity should be considered to be at risk.
15
Q
HTTP and HTTPS A common exploit of HTTP is called iFrame (inline frame) injection.
A
Most web-based threats consist of malware scripts that have been planted on webservers.
These webservers then direct browsers to infected servers by loading iframes.
In iFrame injection, a threat actor compromises a webserver and plants malicious code which creates an invisible iFrame on a commonly visited webpage.
When the iFrame loads, malware is downloaded, frequently from a different URL than the webpage that contains the iFrame code.
Network security services, such as Cisco Web Reputation filtering, can detect when a website attempts to send content from an untrusted website to the host, even when sent from an iFrame, as shown in the figure.
16
Q
HTTP and HTTPS HTTP iFrame Injection Exploit
A
HTTP iFrame Injection Exploit
https://snipboard.io/l0YQPu.jpg
To address the alteration or interception of confidential data, many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services.
17
Q
HTTP and HTTPS HTTPS adds a layer of encryption to the HTTP protocol by using secure socket layer (SSL), as shown in the figure :
https://snipboard.io/U2LS0n.jpg
A
This makes the HTTP data unreadable as it leaves the source computer until it reaches the server.
Note that HTTPS is not a mechanism for web server security.
It only secures HTTP protocol traffic while it is in transit.
HTTPS Protocol Diagram
https://snipboard.io/U2LS0n.jpg
18
Q
HTTP and HTTPS
Unfortunately, the encrypted HTTPS traffic complicates network security monitoring.
A
Some security devices include SSL decryption and inspection; however, this can present processing and privacy issues.
In addition, HTTPS adds complexity to packet captures due to the additional messaging involved in establishing the encrypted connection.
This process is summarized in the figure and represents additional overhead on top of HTTP.
HTTPS Transactions
https://snipboard.io/aNlyJY.jpg
19
Q
Email Protocols
Email protocols such as SMTP, POP3, and IMAP can be used
A
Email protocols such as SMTP, POP3, and IMAP can be used by threat actors to spread malware, exfiltrate data, or provide channels to malware CnC servers, as shown in the figure.
https://snipboard.io/m82QnS.jpg
20
Q
Email Protocols SMTP sends data from a host to a mail server and between mail servers.
A
Like DNS and HTTP, it is a common protocol to see leaving the network.
Because there is so much SMTP traffic, it is not always monitored. However, SMTP has been used in the past by malware to exfiltrate data from the network.
In the 2014 hack of Sony Pictures, one of the exploits used SMTP to exfiltrate user details from compromised hosts to CnC servers.
This information may have been used to help develop exploits of secured resources within the Sony Pictures network.
Security monitoring could reveal this type of traffic based on features of the email message.
21
Q
Email Protocols IMAP and POP3 are used to download email messages from a mail server to the host computer.
For this reason, they are the application protocols that are responsible for bringing malware to the host.
A
Security monitoring can identify when a malware attachment entered the network and which host it first infected.
Retrospective analysis can then track the behavior of the malware from that point forward.
In this way, the malware behavior can better be understood and the threat identified.
Security monitoring tools may also allow recovery of infected file attachments for submission to malware sandboxes for analysis.
22
Q
Email Protocols Email Protocol Threats
A
https://snipboard.io/lH1uE4.jpg
23
Q
ICMP ICMP has many legitimate uses,
A
however ICMP functionality has also been used to craft a number of types of exploits.
ICMP can be used to identify hosts on a network, the structure of a network, and determine the operating systems at use on the network.
It can also be used as a vehicle for various types of DoS attacks.
24
Q
ICMP ICMP can also be used for data exfiltration.
A
Because of the concern that ICMP can be used to surveil or deny service from outside of the network, ICMP traffic from inside the network is sometimes overlooked.
However, some varieties of malware use crafted ICMP packets to transfer files from infected hosts to threat actors using this method, which is known as ICMP tunneling.
25
Security Technologies ACLs
-- Access Control Lists (ACLs) Many technologies and protocols can have impacts on security monitoring.
Access Control Lists (ACLs) are among these technologies. ACLs can give a false sense of security if they are overly relied upon.
ACLs, and packet filtering in general, are technologies that contribute to an evolving set of network security protections.
26
ACLs -- Access Control Lists (ACLs)
The figure illustrates the use of ACLs to permit only specific types of Internet Control Message Protocol (ICMP) traffic:
https://snipboard.io/t0HGos.jpg
The server at 192.168.1.10 is part of the inside network and is allowed to send ping requests to the outside host at 209.165.201.3.
The outside host’s return ICMP traffic is allowed if it is an ICMP reply, source quench (tells the source to reduce the pace of traffic), or any ICMP unreachable message.
All other ICMP traffic types are denied. For example, the outside host cannot initiate a ping request to the inside host.
The outbound ACL is allowing ICMP messages that report various problems. This will allow ICMP tunneling and data exfiltration.
27
ACLs -- Access Control Lists (ACLs)
Attackers can determine which IP addresses, protocols, and ports are allowed by ACLs.
This can be done either by port scanning, penetration testing, or through other forms of reconnaissance.
Attackers can craft packets that use spoofed source IP addresses.
Applications can establish connections on arbitrary ports.
Other features of protocol traffic can also be manipulated, such as the established flag in TCP segments.
Rules cannot be anticipated and configured for all emerging packet manipulation techniques.
28
ACLs -- Access Control Lists (ACLs)
In order to detect and react to packet manipulation, more sophisticated behavior and context-based measures need to be taken.
Cisco Next Generation firewalls, Advanced Malware Protection (AMP), and email and web content appliances are able to address the shortcomings of rule-based security measures.
Mitigating ICMP Abuse:
https://snipboard.io/t0HGos.jpg
29
NAT and PAT Network Address Translation (NAT) and Port Address Translation (PAT)
NAT and PAT Network Address Translation (NAT) and Port Address Translation (PAT) can complicate security monitoring.
Multiple IP addresses are mapped to one or more public addresses that are visible on the internet, hiding the individual IP addresses that are inside the network (inside addresses).
30
NAT and PAT Network Address Translation (NAT) and Port Address Translation (PAT) The figure illustrates the relationship between internal and external addresses that are used as source addresses (SA) and destination addresses (DA):
https://snipboard.io/jYDF6V.jpg
These internal and external addresses are in a network that is using NAT to communicate with a destination on the internet.
If PAT is in effect, and all IP addresses leaving the network use the 209.165.200.226 inside global address for traffic to the internet, it could be difficult to log the specific inside device that is requesting and receiving the traffic when it enters the network.
This problem can be especially relevant with NetFlow data.
NetFlow flows are unidirectional and are defined by the addresses and ports that they share. NAT will essentially break a flow that passes a NAT gateway, making flow information beyond that point unavailable.
Cisco offers security products that will “stitch” flows together even if the IP addresses have been replaced by NAT.
31
NAT and PAT Network Address Translation (NAT) and Port Address Translation (PAT) Network Address Translation
Network Address Translation:
https://snipboard.io/jYDF6V.jpg
32
Encryption, Encapsulation, and Tunneling
As mentioned with HTTPS, encryption can present challenges to security monitoring by making packet details unreadable.
Encryption is part of VPN technologies.
In VPNs, a commonplace protocol like IP, is used to carry encrypted traffic.
The encrypted traffic essentially establishes a virtual point-to-point connection between networks over public facilities.
Encryption makes the traffic unreadable to any other devices but the VPN endpoints.
33
Encryption, Encapsulation, and Tunneling Encryption is part of VPN technologies.
In VPNs, a commonplace protocol like IP, is used to carry encrypted traffic.
The encrypted traffic essentially establishes a virtual point-to-point connection between networks over public facilities.
Encryption makes the traffic unreadable to any other devices but the VPN endpoints.
A similar technology can be used to create a virtual point-to-point connection between an internal host and threat actor devices.
Malware can establish an encrypted tunnel that rides on a common and trusted protocol, and use it to exfiltrate data from the network.
A similar method of data exfiltration was discussed previously for DNS.
34
Peer-to-Peer Networking and Tor In peer-to-peer (P2P) networking, shown in the figure
https://snipboard.io/jYDF6V.jpg,
hosts can operate in both client and server roles.
Three types of P2P applications exist: file sharing, processor sharing, and instant messaging.
In file sharing P2P, files on a participating machine are shared with members of the P2P network.
Examples of this are the once popular Napster and Gnutella.
Bitcoin is a P2P operation that involves the sharing of a distributed database, or ledger, that records Bitcoin balances and transactions.
BitTorrent is a P2P file sharing network.
35
Peer-to-Peer Networking and Tor In file sharing P2P, files on a participating machine are shared with members of the P2P network.
Examples of this are the once popular Napster and Gnutella.
Bitcoin is a P2P operation that involves the sharing of a distributed database, or ledger, that records Bitcoin balances and transactions.
BitTorrent is a P2P file sharing network.
Any time that unknown users are provided access to network resources, security is a concern. File-sharing P2P applications should not be allowed on corporate networks.
P2P network activity can circumvent firewall protections and is a common vector for the spread of malware.
P2P is inherently dynamic. It can operate by connecting to numerous destination IP addresses, and it can also use dynamic port numbering.
Shared files are often infected with malware, and threat actors can position their malware on P2P clients for distribution to other users.
36
Peer-to-Peer Networking and Tor Any time that unknown users are provided access to network resources, security is a concern.
File-sharing P2P applications should not be allowed on corporate networks.
P2P network activity can circumvent firewall protections and is a common vector for the spread of malware. P2P is inherently dynamic.
It can operate by connecting to numerous destination IP addresses, and it can also use dynamic port numbering.
Shared files are often infected with malware, and threat actors can position their malware on P2P clients for distribution to other users.
Processor sharing P2P networks donate processor cycles to distributed computational tasks.
Cancer research, searching for extraterrestrials, and scientific research use donated processor cycles to distribute computational tasks.
37
Peer-to-Peer Networking and Tor Processor sharing P2P networks donate processor cycles to distributed computational tasks.
Cancer research, searching for extraterrestrials, and scientific research use donated processor cycles to distribute computational tasks.
Instant messaging (IM) is also considered to be a P2P application.
IM has legitimate value within organizations that have geographically distributed project teams.
In this case, specialized IM applications are available, such as the Webex Teams platform, which are more secure than IM that uses public servers.
38
P2P - Peer-to-Peer Networking and Tor Instant messaging (IM) is also considered to be a P2P application.
IM has legitimate value within organizations that have geographically distributed project teams.
In this case, specialized IM applications are available, such as the Webex Teams platform, which are more secure than IM that uses public servers.
https://snipboard.io/WUPXYF.jpg
39
P2P - Peer-to-Peer Networking and Tor Tor is a software platform and network of P2P hosts that function as internet routers on the Tor network.
The Tor network allows users to browse the internet anonymously.
Users access the Tor network by using a special browser.
When a browsing session is begun, the browser constructs a layered end-to-end path across the Tor server network that is encrypted, as shown in the figure.
Each encrypted layer is “peeled away” like the layers of an onion (hence “onion routing”) as the traffic traverses a Tor relay.
40
P2P - Peer-to-Peer Networking and Tor Users access the Tor network by using a special browser.
When a browsing session is begun, the browser constructs a layered end-to-end path across the Tor server network that is encrypted, as shown in the figure.
Each encrypted layer is “peeled away” like the layers of an onion (hence “onion routing”) as the traffic traverses a Tor relay.
The layers contain encrypted next-hop information that can only be read by the router that needs to read the information.
In this way, no single device knows the entire path to the destination, and routing information is readable only by the device that requires it.
Finally, at the end of the Tor path, the traffic reaches its internet destination.
When traffic is returned to the source, an encrypted layered path is again constructed.
41
P2P - Peer-to-Peer Networking and Tor
The layers contain encrypted next-hop information that can only be read by the router that needs to read the information.
In this way, no single device knows the entire path to the destination, and routing information is readable only by the device that requires it.
Finally, at the end of the Tor path, the traffic reaches its internet destination.
When traffic is returned to the source, an encrypted layered path is again constructed.
Tor presents a number of challenges to cybersecurity analysts. First, Tor is widely used by criminal organizations on the “dark net.” In addition, Tor has been used as a communications channel for malware CnC.
Because the destination IP address of Tor traffic is obfuscated by encryption, with only the next-hop Tor node known, Tor traffic avoids blacklists that have been configured on security devices.
42
P2P - Peer-to-Peer Networking and Tor Tor Operation
Tor Operation
https://snipboard.io/ZnAvNC.jpg
43
Load Balancing Load balancing involves the distribution of traffic between devices or network paths to prevent overwhelming network resources with too much traffic.
If redundant resources exist, a load balancing algorithm or device will work to distribute traffic between those resources, as shown in the figure.
Load balancing involves the distribution of traffic between devices or network paths to prevent overwhelming network resources with too much traffic.
If redundant resources exist, a load balancing algorithm or device will work to distribute traffic between those resources, as shown in the figure.
https://snipboard.io/ynObzW.jpg
44
Load Balancing One way this is done on the internet is through various techniques that use DNS to send traffic to resources that have the same domain name but multiple IP addresses.
In some cases, the distribution may be to servers that are distributed geographically.
This can result in a single internet transaction being represented by multiple IP addresses on the incoming packets.
This may cause suspicious features to appear in packet captures. In addition, some load balancing manager (LBM) devices use probes to test for the performance of different paths and the health of different devices.
For example, an LBM may send probes to the different servers that it is load balancing traffic to in order to detect that the servers are operating.
This is done to avoid sending traffic to a resource that is not available.
These probes can appear to be suspicious traffic if the cybersecurity analyst is not aware that this traffic is part of the operation of the LBM.
45
Load Balancing Load Balancing with DNS Delegation
Load Balancing with DNS Delegation
https://snipboard.io/ynObzW.jpg
46
Network and Server Profiling Network Profiling In order to detect serious security incidents, it is important to understand, characterize, and analyze information about normal network functioning.
Networks, servers, and hosts all exhibit typical behavior for a given point in time.
Network and device profiling can provide a statistical baseline that serves as a reference point.
Unexplained deviations from the baseline may indicate a compromise.
47
Network and Server Profiling Network Profiling Network and device profiling can provide a statistical baseline that serves as a reference point.
Unexplained deviations from the baseline may indicate a compromise.
Care must be taken when capturing baseline data so that all normal network operations are included in the baseline. In addition, it is important that the baseline is current.
It should not include network performance data that is no longer part of normal functioning.
For example, rises in network utilization during periodic server backup operations is part of normal network functioning and should be part of the baseline data.
However, measurement of traffic that corresponds to outside access to an internal server that has been moved to the cloud would not be.
A means of capturing just the right period for baseline measurement is known as sliding window anomaly detection. It defines a window that is most representative of network operation and deletes data that is out of date.
This process continues with repeated baseline measurements to ensure that baseline measurement statistics depict network operation with maximum accuracy.
48
Network and Server Profiling Network Profiling Increased utilization of WAN links at unusual times can indicate a network breach and exfiltration of data.
Hosts that begin to access obscure internet servers, resolve domains that are obtained through dynamic DNS, or use protocols or services that are not needed by the system user can also indicate compromise.
Deviations in network behavior are difficult to detect if normal behavior is not known.
49
Network and Server Profiling Network Profiling Tools like NetFlow and Wireshark can be used to characterize normal network traffic characteristics.
Because organizations can make different demands on their networks depending on the time of day or day of the year, network baselining should be carried out over an extended period.
The figure displays some questions to ask when establishing a network baseline.
50
Network and Server Profiling Network Profiling Elements of a Network Profile
Elements of a Network Profile
https://snipboard.io/FKCZeE.jpg
51
Network and Server Profiling Network Profiling
The table lists important elements of the network profile.
The table lists important elements of the network profile.
https://snipboard.io/kTY1jA.jpg
52
Network and Server Profiling Network Profiling In addition, a profile of the types of traffic that typically enter and leave the network is an important tool in understanding network behavior.
Malware can use unusual ports that may not be typically seen during normal network operation.
Host-to-host traffic is another important metric.
Most network clients communicate directly with servers, so an increase of traffic between clients can indicate that malware is spreading laterally through the network.
Finally, changes in user behavior, as revealed by AAA, server logs, or a user profiling system like Cisco Identity Services Engine (ISE) is another valuable indicator.
Knowing how individual users typically use the network leads to detection of potential compromise of user accounts.
A user who suddenly begins logging in to the network at strange times from a remote location should raise alarms if this behavior is a deviation from a known norm.
53
Server Profiling Server profiling is used to establish the accepted operating state of servers.
A server profile is a security baseline for a given server.
It establishes the network, user, and application parameters that are accepted for a specific server.
54
Server Profiling A server profile is a security baseline for a given server.
It establishes the network, user, and application parameters that are accepted for a specific server.
In order to establish a server profile, it is important to understand the function that a server is intended to perform in a network.
From there, various operating and usage parameters can be defined and documented.
The table lists elements of a server profile.
https://snipboard.io/m3VYIa.jpg
55
Server Profiling Network Anomaly Detection Network behavior is described by a large amount of diverse data such as the features of packet flow, features of the packets themselves, and telemetry from multiple sources.
One approach to detection of network attacks is the analysis of this diverse, unstructured data using Big Data analytics techniques.
This is known as network behavior analysis (NBA).
This entails the use of sophisticated statistical and machine learning techniques to compare normal performance baselines with network performance at a given time.
Significant deviations can be indicators of compromise.
In addition, network behavior can be analyzed for known network behaviors that indicate compromise.
56
Server Profiling Network Anomaly Detection Anomaly detection can recognize network traffic caused by worm activity that exhibits scanning behavior.
Anomaly detection also can identify infected hosts on the network that are scanning for other vulnerable hosts.
The figure illustrates a simplified version of an algorithm designed to detect an unusual condition at the border routers of an enterprise.
https://snipboard.io/ZIMS0T.jpg
57
Server Profiling Network Anomaly Detection
For example, the cybersecurity analyst could provide the following values:
X = 5 Y = 100 Z = 30 N = 500 Now, the algorithm can be interpreted as: Every 5th minute, get a sampling of 1/100th of the flows during second 30.
If the number of flows is greater than 500, generate an alarm. If the number of flows is less than 500, do nothing.
This is a simple example of using a traffic profile to identify the potential for data loss.
In addition to statistical and behavioral approaches to anomaly detection is rule-based anomaly detection.
Rule-based detection analyzes decoded packets for attacks based on pre-defined patterns.
58
Network Vulnerability Testing:
Most organizations connect to public networks in some way due to the need to access the internet.
These organizations must also provide internet facing services of various types to the public.
Because of the vast number of potential vulnerabilities, and the fact that new vulnerabilities can be created within an organization network and its internet facing services, periodic security testing is essential.
59
Network Vulnerability Testing:
The table lists various types of tests that can be performed.:
-- Risk Analysis
-- Vulnerability Assessment
-- Penetration Testing
Network Vulnerability Testing:
The table lists various types of tests that can be performed.:
-- Risk Analysis
-- Vulnerability Assessment
-- Penetration Testing
60
Network Vulnerability Testing:
The table lists various types of tests that can be performed.:
-- Risk Analysis
-- Vulnerability Assessment
-- Penetration Testing
-- Risk Analysis
This is a discipline in which analysts evaluate the risk posed by vulnerabilities to a specific organization.
A risk analysis includes assessment of the likelihood of attacks, identifies types of likely threat actors, and evaluates the impact of successful exploits on the organization.
61
Network Vulnerability Testing:
The table lists various types of tests that can be performed.:
-- Risk Analysis
-- Vulnerability Assessment
-- Penetration Testing
-- Vulnerability Assessment
This test employs software to scan internet facing servers and internal networks for various types of vulnerabilities.
These vulnerabilities include unknown infections, weaknesses in web-facing database services, missing software patches, unnecessary listening ports, etc.
Tools for vulnerability assessment include the
open source OpenVAS platform,
Microsoft Baseline Security Analyzer,
Nessus, Qualys, and FireEye Mandiant services.
Vulnerability assessment includes,
but goes beyond, port scanning.
62
Network Vulnerability Testing:
The table lists various types of tests that can be performed.:
-- Risk Analysis
-- Vulnerability Assessment
-- Penetration Testing
-- Penetration Testing
This type of test uses authorized simulated attacks to test the strength of network security. Internal personnel with hacker experience, or professional ethical hackers, identify assets that could be targeted by threat actors.
A series of exploits is used to test security of those assets. Simulated exploit software tools are frequently used.
Penetration testing does not only verify that vulnerabilities exist, it actually exploits those vulnerabilities to determine the potential impact of a successful exploit.
An individual penetration test is often known as a pen test. Metasploit is a tool used in penetration testing.
CORE Impact offers penetration testing software and services.
63
Network Vulnerability Testing:
The table lists examples of activities and tools that are used in vulnerability testing.
Activity : Risk Analysis : Tools :
Individuals conduct comprehensive analysis of impacts of attacks on core company assets and functioning
Internal or external consultants, risk management framework.
Activity : Vulnerability : Tools :
Patch management, host scans, port scanning, other vulnerability scans and services.
OpenVas, Microsoft BaseLine Analyzer, Nessus, Qualys, Nmap.
The table lists examples of activities and tools that are used in vulnerability testing:
https://snipboard.io/myeaOu.jpg
Activity : Penetration Testing : Tools :
Use of hacking techniques, and tools to penetrate network defenses and identify depth of potential penetration.
Metasploit, CORE Impact, ethical hackers.
64
Common Vulnerability Scoring System (CVSS) CVSS Overview
The Common Vulnerability Scoring System (CVSS) is a risk assessment tool that is designed to convey the common attributes and severity of vulnerabilities in computer hardware and software systems.
The third revision, CVSS 3.0, is a vendor-neutral, industry standard, open framework for weighting the risks of a vulnerability using a variety of metrics.
These weights combine to provide a score of the risk inherent in a vulnerability. The numeric score can be used to determine the urgency of the vulnerability, and the priority of addressing it.
The benefits of the CVSS can be summarized as follows:
It provides **standardized vulnerability scores that should be meaningful across organizations.**
It provides **an open framework with the meaning of each metric openly available to all users.**
It helps **prioritize risk in a way that is meaningful to individual organizations.**
65
Common Vulnerability Scoring System (CVSS) CVSS Overview
The Forum of Incident Response and Security Teams (FIRST) has been designated as the custodian of the CVSS to promote its adoption globally.
The Version 3 standard was developed with contributions by Cisco and other industry partners.
Version 3.1 was released in June of 2019.
The figure displays the specification page for the CVSS at the FIRST website.
https://snipboard.io/xepQIr.jpg
66
CVSS Metric Groups Before performing a CVSS assessment, it is important to know key terms that are used in the assessment instrument.
Many of the metrics address the role of what the CVSS calls an authority.
An authority is a computer entity, such as a database, operating system, or virtual sandbox, that grants and manages access and privileges to users.
https://snipboard.io/8ar9GF.jpg
67
CVSS Metric Groups As shown in the figure, the CVSS uses three groups of metrics to assess vulnerability:
https://snipboard.io/8ar9GF.jpg
- BASE METRIC GROUP
- TEMPORTAL METRIC GROUP
- ENVIRONMENTAL GROUP
68
CVSS Metric Groups As shown in the figure, the CVSS uses three groups of metrics to assess vulnerability:
https://snipboard.io/8ar9GF.jpg :
BASE METRIC GROUP
This represents the characteristics of a vulnerability that are constant over time and across contexts.
It has two classes of metrics:
Exploitability - These are features of the exploit such as the vector, complexity, and user interaction required by the exploit.
Impact metrics - The impacts of the exploit are rooted in the CIA triad of confidentiality, integrity, and availability.
69
CVSS Metric Groups As shown in the figure, the CVSS uses three groups of metrics to assess vulnerability:
https://snipboard.io/8ar9GF.jpg :
TEMPORTAL METRIC GROUP
This measures the characteristics of a vulnerability that may change over time, but not across user environments.
Over time, the severity of a vulnerability will change as it is detected and measures to counter it are developed.
The severity of a new vulnerability may be high, but will decrease as patches, signatures, and other countermeasures are developed.
70
CVSS Metric Groups As shown in the figure, the CVSS uses three groups of metrics to assess vulnerability:
https://snipboard.io/8ar9GF.jpg :
ENVIRONMENTAL GROUP
This measures the aspects of a vulnerability that are rooted in a specific organization’s environment.
These metrics help to rate consequences within an organization and allow adjustment of metrics that are less relevant to what an organization does.
71
CVSS Base Metric Group
The figure highlights the Base Metric Group.
The figure highlights the Base Metric Group:
https://snipboard.io/Stb9IK.jpg
72
CVSS Base Metric Group
The table lists the criteria for the Base Metric Group Exploitability metrics.
https://snipboard.io/DKaF6l.jpg
-- Attack Vector
This is a metric that reflects the proximity of the threat actor to the vulnerable component. The more remote the threat actor is to the component, the higher the severity. Threat actors close to your network or inside your network are easier to detect and mitigate.
-- Attack Complexity
This is a metric that expresses the number of components, software, hardware, or networks that are beyond the attacker's control and that must be present for a vulnerability to be successfully exploited.
Attack vector Attack complexity Privileges required User interaction Scope
https://snipboard.io/DKaF6l.jpg
-- Privileges Required
This is a metric that captures the level of access that is required for a successful exploit of the vulnerability.
-- User Interaction
This metric expresses the presence or absence of the equipment for the user interaction for an exploit to be successful.
-- Scope
This metric expresses whether mutliple authorities must be invlolved in an exploit. This is expressed as whether the initial authority changes to a second authority during the exploit.
73
CVSS Base Metric Group The table lists the criteria for the Base Metric Group Exploitability metrics.
Attack vector
https://snipboard.io/DKaF6l.jpg
This is a metric that reflects the proximity of the threat actor to the vulnerable component.
The more remote the threat actor is to the component, the higher the severity.
Threat actors close to your network or inside your network are easier to detect and mitigate.
https://snipboard.io/DKaF6l.jpg
74
CVSS Base Metric Group
The table lists the criteria for the Base Metric Group Exploitability metrics.
Attack complexity
https://snipboard.io/DKaF6l.jpg
This is a metric that expresses the number of components, software, hardware, or networks, that are beyond the attacker’s control and that must be present for a vulnerability to be successfully exploited.
75
CVSS Base Metric Group
The table lists the criteria for the Base Metric Group Exploitability metrics.
Privileges required
https://snipboard.io/DKaF6l.jpg
This is a metric that captures the level of access that is required for a successful exploit of the vulnerability.
76
CVSS Base Metric Group
The table lists the criteria for the Base Metric Group Exploitability metrics.
User interaction
https://snipboard.io/DKaF6l.jpg
This metric expresses the presence or absence of the requirement for user interaction for an exploit to be successful.
77
CVSS Base Metric Group
The table lists the criteria for the Base Metric Group
Exploitability metrics.
Scope
https://snipboard.io/DKaF6l.jpg
This metric expresses whether multiple authorities must be involved in an exploit.
This is expressed as whether the initial authority changes to a second authority during the exploit.
78
CVSS Base Metric Group
The Base Metric Group
Impact metrics increase with the degree or consequence of loss due to the impacted component.
The table lists the impact metric components.
Confidentiality Impact Integrity
Impact Availability Impact
https://snipboard.io/ZJMBn2.jpg
79
CVSS Base Metric Group
The Base Metric Group Impact metrics increase with the degree or consequence of loss due to the impacted component.
The table lists the impact metric components:
Confidentiality Impact
https://snipboard.io/ZJMBn2.jpg
This is a metric that measures the impact to confidentiality due to a successfully exploited vulnerability.
Confidentiality refers to the limiting of access to only authorized users.
https://snipboard.io/ZJMBn2.jpg
80
CVSS Base Metric Group
The Base Metric Group Impact metrics increase with the degree or consequence of loss due to the impacted component.
The table lists the impact metric components:
Integrity Impact
This is a metric that measures the impact to integrity due to a successfully exploited vulnerability.
Integrity refers to the trustworthiness and authenticity of information.
81
CVSS Base Metric Group
The Base Metric Group Impact metrics increase with the degree or consequence of loss due to the impacted component.
The table lists the impact metric components:
Availability Impact
https://snipboard.io/ZJMBn2.jpg
This is a metric that measures the impact to availability due to a successfully exploited vulnerability.
Availability refers to the accessibility of information and network resources.
Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability.
https://snipboard.io/ZJMBn2.jpg
82
The CVSS Process
The CVSS Base Metrics Group is designed as a way to assess security vulnerabilities that are found in software and hardware systems.
It describes the severity of a vulnerability based on the characteristics of a successful exploit of the vulnerability.
https://snipboard.io/6zqOvE.jpg
The other metric groups modify the base severity score by accounting for how the base severity rating is affected by time and environmental factors.
The CVSS process uses a tool called the CVSS v3.1 Calculator, shown in the figure.
https://snipboard.io/6zqOvE.jpg
83
The CVSS process uses a tool called the CVSS v3.1 Calculator, shown in the figure.
https://snipboard.io/6zqOvE.jpg
The calculator is like a questionnaire in which choices are made that describe the vulnerability for each metric group.
After all choices are made, a score is generated.
Pop-up text that explains each metric and metric value is displayed by hovering the mouse over each.
Choices are made by choosing one of the values for the metric. Only one choice can be made per metric.
84
The CVSS Process
The calculator is like a questionnaire in which choices are made that describe the vulnerability for each metric group.
After all choices are made, a score is generated.
Pop-up text that explains each metric and metric value is displayed by hovering the mouse over each.
Choices are made by choosing one of the values for the metric. Only one choice can be made per metric.
The CVSS calculator can be accessed on the CVSS portion of the FIRST website.
A detailed user guide that defines metric criteria, examples of assessments of common vulnerabilities, and the relationship of metric values to the final score is available to support the process.
After the Base Metric group is completed, the numeric severity rating is displayed, as shown in the figure.
https://snipboard.io/kK54rz.jpg
85
The CVSS Process
A vector string is also created that summarizes the choices made.
If other metric groups are completed, those values are appended to the vector string.
The string consists of the initial(s) for the metric, and an abbreviated value for the selected metric value separated by a colon.
The metric-value pairs are separated by slashes.
The vector strings allow the results of the assessment to be easily shared and compared.
The table lists the key for the Base Metric group.
https://snipboard.io/NdI6Uv.jpg https://snipboard.io/BW0tli.jpg
86
The CVSS Process
The values for the numeric severity rating string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
are listed in the table.
https://snipboard.io/N5oKbP.jpg
https://snipboard.io/N5oKbP.jpg
In order for a score to be calculated for the Temporal or Environmental metric groups, the Base Metric group must first be completed.
The Temporal and Environmental metric values then modify the Base Metric results to provide an overall score.
The interaction of the scores for the metric groups is shown in the figure.
https://snipboard.io/nSdxtE.jpg
87
CVSS Reports
The ranges of scores and the corresponding qualitative meaning is shown in the table.
https://snipboard.io/3pjfeJ.jpg
The ranges of scores and the corresponding qualitative meaning is shown in the table.
https://snipboard.io/3pjfeJ.jpg
Frequently, the Base and Temporal metric group scores will be supplied to customers by the application or security vendor in whose product the vulnerability has been discovered.
The affected organization completes the environmental metric group to tailor the vendor-supplied scoring to the local context.
88
Frequently, the Base and Temporal metric group scores will be supplied to customers by the application or security vendor in whose product the vulnerability has been discovered.
The affected organization completes the environmental metric group to tailor the vendor-supplied scoring to the local context.
The resulting score serves to guide the affected organization in the allocation of resources to address the vulnerability.
The higher the severity rating, the greater the potential impact of an exploit and the greater the urgency in addressing the vulnerability.
While not as precise as the numeric CVSS scores, the qualitative labels are very useful for communicating with stakeholders who are unable to relate to the numeric scores.
89
The resulting score serves to guide the affected organization in the allocation of resources to address the vulnerability.
The higher the severity rating, the greater the potential impact of an exploit and the greater the urgency in addressing the vulnerability.
While not as precise as the numeric CVSS scores, the qualitative labels are very useful for communicating with stakeholders who are unable to relate to the numeric scores.
In general, any vulnerability that exceeds 3.9 should be addressed.
The higher the rating level, the greater the urgency for remediation.
90
Other Vulnerability Information Sources There are other important vulnerability information sources.
These work together with the CVSS to provide a comprehensive assessment of vulnerability severity.
There are two systems that operate in the United States:
Common Vulnerabilities and Exposures (CVE) This is a dictionary of common names, in the form of CVE identifiers, for known cybersecurity vulnerabilities.
The CVE identifier provides a standard way to research a reference to vulnerabilities. When a vulnerability has been identified, CVE identifiers can be used to access fixes.
In addition, threat intelligence services use CVE identifiers, and they appear in various security system logs. The CVE Details website provides a linkage between CVSS scores and CVE information.
It allows browsing of CVE vulnerability records by CVSS severity rating. Search the internet for Mitre for more information on CVE as shown in the figure.
https://snipboard.io/Jvk7A4.jpg
91
Other Vulnerability Information Sources There are other important vulnerability information sources.
These work together with the CVSS to provide a comprehensive assessment of vulnerability severity.
There are two systems that operate in the United States:
National Vulnerability Database (NVD) This utilizes CVE identifiers and supplies additional information on vulnerabilities such as CVSS threat scores, technical details, affected entities, and resources for further investigation.
The database was created and is maintained by the U.S. government National Institute of Standards and Technology (NIST) agency.
https://snipboard.io/9YJRou.jpg
92
Risk Management
Risk management involves the selection and specification of security controls for an organization.
It is part of an ongoing organization-wide information security program that involves the management of the risk to the organization or to individuals associated with the operation of a system.
Risk management is an ongoing, multi-step, cyclical process, as shown in the figure.
https://snipboard.io/kbDVZN.jpg
93
Risk Management
Risk is determined as the relationship between threat, vulnerability, and the nature of the organization.
It first involves answering the following questions as part of a risk assessment:
Who are the threat actors who want to attack us?
What vulnerabilities can threat actors exploit?
How would we be affected by attacks?
What is the likelihood that different attacks will occur?
94
Risk Management
NIST Special Publication 800-30 describes risk assessment as:
…the process of identifying, estimating, and prioritizing information security risks.
Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.
95
Risk Management
A mandatory activity in risk assessment is the identification of threats and vulnerabilities and the matching of threats with vulnerabilities in what is often called threat-vulnerability (T-V) pairing.
The T-V pairs can then be used as a baseline to indicate risk before security controls are implemented.
This baseline can then be compared to ongoing risk assessments as a means of evaluating risk management effectiveness.
This part of risk assessment is referred to as determining the inherent risk profile of an organization.
96
Risk Management
After the risks are identified, they may be scored or weighted as a way of prioritizing risk reduction strategies.
For example, vulnerabilities that are found to have corresponded with multiple threats can receive higher ratings.
In addition, T-V pairs that map to the greatest institutional impact will also receive higher weightings.
97
Risk Management
The table lists the four potential ways to respond to risks that have been identified, based on their weightings or scores.
The table lists the four potential ways to respond to risks that have been identified, based on their weightings or scores.
https://snipboard.io/i8Wb24.jpg https://snipboard.io/DlxQV0.jpg
98
Vulnerability Management
According to NIST, vulnerability management is a security practice that is designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization.
The expected result is to reduce the time and money spent dealing with vulnerabilities and the exploitation of those vulnerabilities.
Proactively managing vulnerabilities of systems will reduce or eliminate the potential for exploitation and involve considerably less time and effort than responding after an exploitation has occurred.
99
Vulnerability Management
Vulnerability management requires a robust means of identifying vulnerabilities based on vendor security bulletins and other information systems such as CVE.
Security personnel must be competent in assessing the impact, if any, of vulnerability information they have received.
Solutions should be identified with effective means of implementing and assessing the unanticipated consequences of implemented solutions.
Finally, the solution should be tested to verify that the vulnerability has been eliminated.
Vulnerability Management Life Cycle
https://snipboard.io/jLf6Ri.jpg
100
Vulnerability Management Life Cycle
https://snipboard.io/jLf6Ri.jpg
-- DISCOVER
-- PRIORITIZE ASSETS
-- ASSESS
-- REPORT
-- REMEDIATE
-- VERIFY
101
-- DISCOVER
-- PRIORITIZE ASSETS
-- ASSESS
-- REPORT
-- REMEDIATE
-- VERIFY
Vulnerability Management Life Cycle https://snipboard.io/jLf6Ri.jpg :
DISCOVER
DISCOVER:
Inventory all assets across the network and identify host details, including operating systems and open services, to identify vulnerabilities.
Develop a network baseline.
Identify security vulnerabilities on a regular automated schedule.
102
Vulnerability Management Life Cycle https://snipboard.io/jLf6Ri.jpg : PRIORITIZE ASSETS
-- DISCOVER
-- PRIORITIZE ASSETS
-- ASSESS
-- REPORT
-- REMEDIATE
-- VERIFY
PRIORITIZE ASSETS:
Categorize assets into groups or business units, and assign a business value to asset groups based on their criticality to business operations.
103
Vulnerability Management Life Cycle https://snipboard.io/jLf6Ri.jpg : ASSESS
-- DISCOVER
-- PRIORITIZE ASSETS
-- ASSESS
-- REPORT
-- REMEDIATE
-- VERIFY
ASSESS:
Determine a baseline risk profile to eliminate risks based on asset criticality, vulnerability, threats, and asset classification.
104
Vulnerability Management Life Cycle https://snipboard.io/jLf6Ri.jpg : REPORT
-- DISCOVER
-- PRIORITIZE ASSETS
-- ASSESS
-- REPORT
-- REMEDIATE
-- VERIFY
REPORT:
Measure the level of business risk associated with your assets according to your security policies.
Document a security plan, monitor suspicious activity, and describe known vulnerabilities.
105
Vulnerability Management Life Cycle https://snipboard.io/jLf6Ri.jpg : REMEDIATE
-- DISCOVER
-- PRIORITIZE ASSETS
-- ASSESS
-- REPORT
-- REMEDIATE
-- VERIFY
REMEDIATE:
Prioritize according to business risk and address vulnerabilities in order of risk.
106
Vulnerability Management Life Cycle https://snipboard.io/jLf6Ri.jpg : VERIFY
-- DISCOVER
-- PRIORITIZE ASSETS
-- ASSESS
-- REPORT
-- REMEDIATE
-- VERIFY
VERIFY:
Verify that threats have been eliminated through follow-up audits.
107
Asset Management
Asset management involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise.
As part of any security management plan, organizations must know what equipment accesses the network, where that equipment is within the enterprise and logically on the network, and what software and data those systems store or can access.
Asset management not only tracks corporate assets and other authorized devices, but also can be used to identify devices that are not authorized on the network.
108
Asset Management
As part of any security management plan, organizations must know what equipment accesses the network, where that equipment is within the enterprise and logically on the network, and what software and data those systems store or can access.
Asset management not only tracks corporate assets and other authorized devices, but also can be used to identify devices that are not authorized on the network.
NIST specifies in publication NISTIR 8011 Volume 2, the detailed records that should be kept for each relevant device. NIST describes potential techniques and tools for operationalizing an asset management process:
Automated discovery and inventory of the actual state of devices
Articulation of the desired state for those devices using policies, plans, and procedures in the organization’s information security plan
Identification of non-compliant authorized assets
Remediation or acceptance of device state, possible iteration of desired state definition
Repeat the process at regular intervals, or ongoing
109
Asset Management
The figure provides an overview of this process.
The figure provides an overview of this process.
https://snipboard.io/dJ2lbR.jpg
110
Mobile Device Management
Mobile device management (MDM), especially in the age of BYOD (BRING YOUR OWN DEVICE)
presents special challenges to asset management. Mobile devices cannot be physically controlled on the premises of an organization.
They can be lost, stolen, or tampered with, putting data and network access at risk.
Part of an MDM plan is acting when devices leave the custody of the responsible party.
Measures that can be taken include disabling the lost device, encrypting the data on the device, and enhancing device access with more robust authentication measures.
111
Mobile Device Management presents special challenges to asset management.
Mobile devices cannot be physically controlled on the premises of an organization.
They can be lost, stolen, or tampered with, putting data and network access at risk.
Part of an MDM plan is acting when devices leave the custody of the responsible party.
Measures that can be taken include disabling the lost device, encrypting the data on the device, and enhancing device access with more robust authentication measures.
Due to the diversity of mobile devices it is possible that some devices that will be used on the network are inherently less secure than others.
Network administrators should assume that all mobile devices are untrusted until they have been properly secured by the organization.
112
Mobile Device Management
Due to the diversity of mobile devices it is possible that some devices that will be used on the network are inherently less secure than others.
Network administrators should assume that all mobile devices are untrusted until they have been properly secured by the organization.
MDM systems, such as Cisco Meraki Systems Manager, shown in the figure, allow security personnel to configure, monitor and update a very diverse set of mobile clients from the cloud.
https://snipboard.io/XJbxNp.jpg
113
Configuration Management
Configuration management addresses the inventory and control of hardware and software configurations of systems.
Secure device configurations reduce security risk.
For example, an organization provides many computers and laptops to its workers.
This enlarges the attack surface for the organization, because each system may be vulnerable to exploits.
To manage this, the organization may create baseline software images and hardware configurations for each type of machine.
These images may include a basic package of required software, endpoint security software, and customized security policies that control user access to aspects of the system configuration that could be made vulnerable.
Hardware configurations may specify the permitted types of network interfaces and the permitted types of external storage.
114
Configuration Management
To manage this, the organization may create baseline software images and hardware configurations for each type of machine.
These images may include a basic package of required software, endpoint security software, and customized security policies that control user access to aspects of the system configuration that could be made vulnerable.
Hardware configurations may specify the permitted types of network interfaces and the permitted types of external storage.
Configuration management extends to the software and hardware configuration of networking devices and servers as well.
As defined by NIST, configuration management:
Comprises a collection of activities focused on
establishing and maintaining the integrity of products and systems, through control of the processes for initializing,
changing, and monitoring the configurations of those products and systems.
115
Configuration Management Configuration management extends to the software and hardware configuration of networking devices and servers as well.
As defined by NIST, configuration management:
Comprises a collection of activities focused on
establishing and maintaining the integrity of products and systems, through control of the processes for initializing,
changing, and monitoring the configurations of those products and systems.
NIST Special Publication 800-128 on configuration management for network security is available for download from NIST.
For internetworking devices, software tools are available that will backup configurations, detect changes in configuration files, and enable bulk change of configurations across a number of devices.
With the advent of cloud data centers and virtualization, management of numerous servers presents special challenges.
Tools like Puppet, Chef, Ansible, and SaltStack enable efficient management of servers that are used in cloud-based computing.
116
Enterprise Patch Management
Patch management is related to vulnerability management.
Vulnerabilities frequently appear in critical client, server, and networking device operating systems and firmware.
Application software, especially internet applications and frameworks like Acrobat, Flash, and Java, also are frequently discovered to have vulnerabilities.
Patch management involves all aspects of software patching, including identifying required patches, acquiring, distributing, installing, and verifying that the patch is installed on all required systems.
Installing patches is frequently the most effective way to mitigate software vulnerabilities.
Sometimes, they are the only way to do so.
117
Enterprise Patch Management
Patch management involves all aspects of software patching, including identifying required patches, acquiring, distributing, installing, and verifying that the patch is installed on all required systems.
Installing patches is frequently the most effective way to mitigate software vulnerabilities.
Sometimes, they are the only way to do so.
Patch management is required by some compliance regulations, such as Sarbanes Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA).
Failure to implement patches in a systematic and timely manner could result in audit failure and penalties for non-compliance.
118
Enterprise Patch Management Patch management is required by some compliance regulations, such as Sarbanes Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA).
Failure to implement patches in a systematic and timely manner could result in audit failure and penalties for non-compliance.
Patch management depends on asset management data to identify systems that are running software that requires patching.
Patch management software is available from companies such as SolarWinds and LANDesk.
Microsoft System Center Configuration Manager (SCCM) is an enterprise-level tool for automated distribution of patches to a large number of Microsoft Windows workstations and servers.
https://snipboard.io/WhK2Sv.jpg
119
Patch Management Techniques AGENT - BASED
This requires a software agent to be running on each host to be patched. The agent reports whether vulnerable software is installed on the host.
The agent communicates with the patch management server, determines if patches exist that require installation, and installs the patches.
The agent runs with sufficient privileges to allow it to install the patches.
Agent-based approaches are the preferred means of patching mobile devices.
https://snipboard.io/gZzyKB.jpg
120
Patch Management Techniques AGENTLESS SCANNING
Patch management servers scan the network for devices that require patching.
The server determines which patches are required and installs those patches on the clients.
Only devices that are on scanned network segments can be patched in this way.
This can be a problem for mobile devices. https://snipboard.io/foRvUi.jpg
121
Patch Management Techniques PASSIVE NetworkMonitoring
Devices requiring patching are identified through the monitoring of traffic on the network.
This approach is only effective for software that includes version information in its network traffic.
https://snipboard.io/pMTcR1.jpg
122
Information Security Management Systems Security Management Systems
An Information Security Management System (ISMS) consists of a management framework through which an organization identifies, analyzes, and addresses information security risks. ISMSs are not based in servers or security devices.
Instead, an ISMS consists of a set of practices that are systematically applied by an organization to ensure continuous improvement in information security.
ISMSs provide conceptual models that guide organizations in planning, implementing, governing, and evaluating information security programs.
123
Information Security Management
Systems Security Management Systems Instead, an ISMS consists of a set of practices that are systematically applied by an organization to ensure continuous improvement in information security.
ISMSs provide conceptual models that guide organizations in planning, implementing, governing, and evaluating information security programs.
ISMSs are a natural extension of the use of popular business models, such as Total Quality Management (TQM) and Control Objectives for Information and Related Technologies (COBIT), into the realm of cybersecurity.
An ISMS is a systematic, multi-layered approach to cybersecurity.
The approach includes people, processes, technologies, and the cultures in which they interact in a process of risk management.
124
Information Security Management Systems Security Management Systems ISMSs are a natural extension of the use of popular business models, such as Total Quality Management (TQM) and Control Objectives for Information and Related Technologies (COBIT), into the realm of cybersecurity.
An ISMS is a systematic, multi-layered approach to cybersecurity.
The approach includes people, processes, technologies, and the cultures in which they interact in a process of risk management.
An ISMS often incorporates the “plan-do-check-act” framework, known as the Deming cycle, from TQM.
It is seen as an elaboration on the process component of the People-Process-Technology-Culture model of organizational capability, as shown in the figure.
A General Model for Organizational Capability
https://snipboard.io/iBIhyS.jpg
125
ISO-27001 ISO is the International Organization for Standardization.
ISO’s voluntary standards are internationally accepted and facilitate business conducted between nations.
ISO partnered with the International Electrotechnical Commission (IEC) to develop the ISO/IEC 27000 series of specifications for ISMSs, as shown in the table.
https://snipboard.io/HnYZPv.jpg
126
ISO-27001 The ISO 27001 certification is a global, industry-wide specification for an ISMS.
The figure illustrates the relationship of actions stipulated by the standard with the plan-do-check-act cycle.
In the figure, the four steps in the plan-do-check-act framework are shown in a clockwise circle surrounding the text:
Develop, Improve, Maintain, ISMS. ISO 27001 ISMS Plan-Do-Check-Act Cycle
ISO-27001 The ISO 27001 certification is a global, industry-wide specification for an ISMS.
The figure illustrates the relationship of actions stipulated by the standard with the plan-do-check-act cycle.
In the figure, the four steps in the plan-do-check-act framework are shown in a clockwise circle surrounding the text:
Develop, Improve, Maintain, ISMS. ISO 27001 ISMS Plan-Do-Check-Act Cycle
https://snipboard.io/tJOTiE.jpg
127
ISO 27001 ISMS Plan-Do-Check-Act Cycle
https://snipboard.io/tJOTiE.jpg :
PLAN
Understand relevant business objectives
Define scope of activities
Access and manage support
Assess and define risk
Perform asset management and vulnerability assessment ISO-27001 certification means an organization’s security policies and procedures have been independently verified to provide a systematic and proactive approach for effectively managing security risks to confidential customer information.
128
ISO 27001 ISMS Plan-Do-Check-Act Cycle
https://snipboard.io/tJOTiE.jpg :
DO
Create and implement risk management plan
Establish and enforce risk management policies and procedures
Train personnel, allocate resources ISO-27001 certification means an organization’s security policies and procedures have been independently verified to provide a systematic and proactive approach for effectively managing security risks to confidential customer information.
129
ISO 27001 ISMS Plan-Do-Check-Act Cycle
https://snipboard.io/tJOTiE.jpg :
CHECK
Monitor implementation
Compile reports
Support external certification audit ISO-27001 certification means an organization’s security policies and procedures have been independently verified to provide a systematic and proactive approach for effectively managing security risks to confidential customer information.
130
ISO 27001 ISMS Plan-Do-Check-Act Cycle
https://snipboard.io/tJOTiE.jpg :
ACT
Continually audit processes
Continually improve processes
Take corrective action
Take preventive action ISO-27001 certification means an organization’s security policies and procedures have been independently verified to provide a systematic and proactive approach for effectively managing security risks to confidential customer information.
131
NIST Cybersecurity Framework
NIST is very effective in the area of cybersecurity, as we have seen in this module.
More NIST standards will be discussed later in the course.
NIST has also developed the Cybersecurity framework which is similar to the ISO/IEC 27000 standards.
The NIST framework is a set of standards designed to integrate existing standards, guidelines, and practices to help better manage and reduce cybersecurity risk.
The framework was first issued in February 2014 and continues to undergo development.
132
NIST Cybersecurity Framework NIST has also developed the Cybersecurity framework which is similar to the ISO/IEC 27000 standards.
The NIST framework is a set of standards designed to integrate existing standards, guidelines, and practices to help better manage and reduce cybersecurity risk.
The framework was first issued in February 2014 and continues to undergo development.
The framework core consists of a set of activities suggested to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.
The core functions, which are defined in the table, are split into major categories and subcategories.
https://snipboard.io/OR0m4I.jpg
133
The framework core consists of a set of activities suggested to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.
The core functions, which are defined in the table, are split into major categories and subcategories.
Core Functions:
IDENTIFY PROTECT DETECT RESPOND RECOVER
134
The framework core consists of a set of activities suggested to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.
The core functions, which are defined in the table, are split into major categories and subcategories.
Core function : IDENTIFY
DESCRIPTION
Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
135
The framework core consists of a set of activities suggested to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.
The core functions, which are defined in the table, are split into major categories and subcategories.
Core function : PROTECT
DESCRIPTION
Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
136
The framework core consists of a set of activities suggested to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.
The core functions, which are defined in the table, are split into major categories and subcategories.
Core function : DETECT
DESCRIPTION
Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
137
The framework core consists of a set of activities suggested to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.
The core functions, which are defined in the table, are split into major categories and subcategories.
Core function : RESPOND
DESCRIPTION
Develop and implement the appropriate activities to act on a detected cybersecurity event.
138
The framework core consists of a set of activities suggested to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.
The core functions, which are defined in the table, are split into major categories and subcategories.
Core function : RECOVER
DESCRIPTION
Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
The major categories provide an understanding of the types of activities and outcomes related to each function, as shown in the next table.
139
The major categories provide an understanding of the types of activities and outcomes related to each function, as shown in the next table:
IDENTIFY PROTECT DETECT RESPOND RECOVER
IDENTIFY :
Asset Management
Business Environment Governance
Risk Assessment
Risk Management Strategy
140
The major categories provide an understanding of the types of activities and outcomes related to each function, as shown in the next table:
IDENTIFY PROTECT DETECT RESPOND RECOVER
PROTECT :
Identity Management and Access Control Information
Protection Processes and Procedures Maintenance
Protective Technology
141
The major categories provide an understanding of the types of activities and outcomes related to each function, as shown in the next table:
IDENTIFY PROTECT DETECT RESPOND RECOVER
DETECT :
Anomalies and Events Security
Continuous Monitoring Detection Processes
142
The major categories provide an understanding of the types of activities and outcomes related to each function, as shown in the next table:
IDENTIFY PROTECT DETECT RESPOND RECOVER
RESPOND :
Response Planning Communications
Analysis Mitigation Improvements
143
The major categories provide an understanding of the types of activities and outcomes related to each function, as shown in the next table:
IDENTIFY PROTECT DETECT RESPOND RECOVER
RECOVER :
Recovery Planning Improvements
Communications
144
NIST Cybersecurity Framework Organizations of many types are using the Framework in a number of ways.
Many have found it helpful in raising awareness and communicating with stakeholders within their organization, including executive leadership.
The Framework is also improving communications across organizations, allowing cybersecurity expectations to be shared with business partners, suppliers, and among sectors.
By mapping the Framework to current cybersecurity management approaches, organizations are learning and showing how they match up with the Framework’s standards, guidelines, and best practices.
Some parties are using the Framework to reconcile internal policy with legislation, regulation, and industry best practice.
The Framework also is being used as a strategic planning tool to assess risks and current practices.
Search the internet for to learn more about the NIST Cybersecurity Framework.
