
Thread: Network Vulnerability Assessment

  1. #11
    Originally posted by AngelicKnight:
      This appeared in the firewall log shortly after my Nmap playing:

      Does this explain the lost Internet connection?
    Yep, you maxed out the connection pool on your firewall (not sure if that is EXACTLY what they call it, but a firewall expert here will chime in if not). I've had the same problem when scanning from home to my work while sitting behind a consumer firewall... not to mention my home ISP blocking/filtering ports!

  2. #12
    Senior Member | Join Date: Mar 2003 | Posts: 372
    Yes, be careful with the switch choices for Nmap; it can have some very "undesirable" output.

    I currently use the following:

    nmap -sT -vv -O -P0 -oN "log name goes here" "IP addy goes here"

    with no "undesirables". As far as the guess it gave you for your OS, that is based on the number of ports open and the responses Nmap gets back from those ports when it finds them. The fewer ports open, the harder it is to guess what is really there.


    Retina is a good, solid product. I use it here at work and yes, it makes some really nice and colorful reports. The C-level execs like them a lot, and it looks pretty in board presentations too.

    I like Nessus though as my real scanner, even though eEye makes a great product, and I use it in conjunction with Retina when doing my vulnerability assessments. I just put in a PO for Core Impact though, so I'll be adding something else to my tool belt. Oh yeah, both Retina and Nessus can have undesirable effects on your network also, so be careful what choices you use with either of those products.

    As an aside I got a couple of mailings from eEye last week, one is about the new Enterprise Retina that seems to have patch management built in, and the other is for the new Retina 5.0 that is coming out in the near future. It's in beta right now, and I'm not real sure if it is public beta or not... I'll check on that and see.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
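The two scanning problems raised so far (a scan that fills a small firewall's connection table, and an OS guess that rests on how many ports answered) come down to how the command line is built and what the scan actually reported. The following is an added example, not code from the thread or from the Nmap project: it assembles a rate-limited Nmap argv list and parses Nmap's grepable (-oG) output. The flags used (-sT, -vv, -O, -Pn, -T2, --max-rate, --max-parallelism, -oG) are real Nmap options; -Pn is the current spelling of the -P0 used in the post above. The sample scan output and the addresses in it are constructed for the demo.

```python
"""Rate-limited Nmap command line plus a parser for its grepable (-oG) output.

Added example for this thread; the sample scan output below is constructed
and does not come from any real host.
"""
from dataclasses import dataclass
from typing import Dict, List


def gentle_scan_args(target: str, outfile: str,
                     max_rate: int = 20, max_parallelism: int = 1) -> List[str]:
    """argv list (for subprocess.run) for a scan that will not flood a small firewall.

    -sT        TCP connect scan, as in the thread
    -vv -O     verbose output and OS fingerprinting (-O needs root)
    -Pn        skip host discovery; the current spelling of the old -P0
    -T2        the "polite" timing template
    --max-rate and --max-parallelism cap probes per second and concurrent
               probes, which is what keeps a consumer firewall's connection
               or state table from filling up while a /24 is being scanned
    -oG        grepable output, parsed by parse_grepable() below
    """
    return ["nmap", "-sT", "-vv", "-O", "-Pn", "-T2",
            "--max-rate", str(max_rate),
            "--max-parallelism", str(max_parallelism),
            "-oG", outfile, target]


@dataclass
class PortEntry:
    port: int
    state: str      # open / closed / filtered / ...
    proto: str      # tcp / udp
    service: str    # Nmap's service-name guess, may be empty


# Constructed sample of -oG output: one host with four reported ports, one host down.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sT -vv -Pn -oG scan.gnmap 192.0.2.10-11
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 3389/closed/tcp//ms-wbt-server///\tIgnored State: closed (996)
Host: 192.0.2.11 ()\tStatus: Down
# Nmap done at Mon Jan  1 12:00:30 2024 -- 2 IP addresses (1 host up) scanned in 30.00 seconds
"""


def parse_grepable(text: str) -> Dict[str, List[PortEntry]]:
    """Map each scanned IP to its port entries.

    In -oG output each host line is tab-separated fields; the Ports: field is a
    comma-separated list of  port/state/protocol/owner/service/rpc-info/version/ .
    Hosts that only have a Status: line get an empty list.
    """
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comments and the Nmap header/footer
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entries = hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                parts = item.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue              # malformed entry: skip rather than crash
                entries.append(PortEntry(int(parts[0]), parts[1], parts[2], parts[4]))
    return hosts


def open_ports(hosts: Dict[str, List[PortEntry]], ip: str) -> List[int]:
    """Ports Nmap reported as open for one host, sorted."""
    return sorted(e.port for e in hosts.get(ip, []) if e.state == "open")


if __name__ == "__main__":
    print(" ".join(gentle_scan_args("192.0.2.0/24", "scan.gnmap")))
    scanned = parse_grepable(SAMPLE_GNMAP)
    for ip in scanned:
        opened = open_ports(scanned, ip)
        # With only a port or two open, an OS guess from -O has little to go on.
        print(f"{ip}: {len(opened)} open port(s) {opened}")
```

The parser deliberately ignores the "Ignored State" and "Status" fields; a host that shows up with an empty list was up but answered on no port, which is exactly the case where the -O guess should be treated as a low-confidence hint rather than a finding.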

  3. #13
    Junior Member | Join Date: Jan 2003 | Posts: 16

    Legal Issues

    Your production network is not a good place to learn how to do a vulnerability assessment. There are huge legal issues when running any security tools against a network, especially one in the financial industry. A lawyer can save your a$$ by drawing up your paperwork!! You need written permission signed by some top-level management specifically defining all the tools you're allowed to use and the IP space you are able to test.

    Good Luck and Get it in Writing!!

  4. #14
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
      Good Luck and Get it in Writing!!
    Ahem, it's his network to scan.... and he's doing his job.

    Angelic: Since the data you hold is of "high value" and the potential for internal "abuse" is high you really need to split the audit into two distinct portions. You need to start with a risk assessment. It sounds fancy but all you are doing is listing your data sources and their locations. So if you have an SQL database on server A that contains data of "value" 10/10 about your customers finances then server A and the database are something that will require protection from both the outside world and the inside. If you have an employee database listing their attendance at the company party with nothing confidential it's value may be 3/10, (You don't want the employee list public but it won't cripple your company if it gets there). Once all the data are categorized by risk and documented along with the threat to each you can put it together in a nice pretty report and wander into the boss-man's office and gently drop it in his lap. When he gives you the blank check I would start on the outside.

    The first question from the outside is: does the public need direct access to the data? Hopefully the answer is no, because it makes your life a lot easier. Assuming "no", you need to make sure that there is no direct access from the public network to the trusted network through any conduit. We don't want to be hosting our pretty little web site in the trusted zone because it is too close to our high-risk data..... Let's build a DMZ for things that the public need access to and allow the absolute minimum to pass from the DMZ to the trusted network, (preferably Nothing!). If you _have_ to allow access, (remember, the business need must exceed the risk so, with the public's financial data, it had better be an incredibly high business need to justify placing such data at such high risk, and the cost of securing it will be high in dollars), then you need to work out how to secure that within budget and OSes. This will include a professional independent audit which will cost you good hard cash.

    Once the perimeter is secured you need to look at the internal security. Determine what employees require what access to what parts of customer records and lock them to it. If they don't need to see customer PINs, let's not let them... . Let's make sure that they can't pull the entire database and take it home, (encrypt it), let's make sure they can't break it... But let's have a good backup system in place and make sure it gets tested regularly per policy. This is where you need to think like a thief.... Sit at their consoles and determine how you would steal money from the company or the customers. Go to higher-level people with knowledge of the accounting side and ask them how they would steal and how they would prevent it, then implement their suggestions.

    This is all a rather big subject and I kinda glossed over it.... I'm just trying to give you a base for your methodology. Hope it helps.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #15
    Yep yep, I'm taking lots of notes, do keep going.

      The first question from the outside is does the public need direct access to the data?
    Unfortunately, they do. Our prez wrote his own software that we give clients that allows them to connect to our database from the comfort of their own homes so that they can check up on the status of their trades and other account info. They put in their user name and password, and boom, in comes all their account info straight from our database server.

    The passwords for each client are kept elsewhere in the same database. The potentially scary thing here is that all employees have full access to all of this information, whether they be the financial planners, executives, or their assistants. The company's pretty close-knit, so there's a lot of trust between everyone, but I still fear there's a potential formula for disaster here.

    Another big red flag that I'm looking at concerns trade monitoring. Because various employees can take turns monitoring the trades, it has its own user account, and guess what? To make things simple, the username and password are the same! Considering our prez is very IT-educated, this really leaves me wondering what he's thinking...

    I also think he's too confident in our firewalls. I've mentioned penetration testing to him before, and his response was that the SonicWALLs catch all such activity. Personally I think that's dangerously overconfident. The firewalls are tightly secured and configured well, but I think we need to be more prepared for someone who can still get past them.

    That's just a few examples of what I'm dealing with. But all this advice is very helpful, I'm taking it all into serious consideration as I continue to examine this.

  6. #16
    Senior Member | Join Date: Apr 2004 | Posts: 1,130
    Just tell him that whatever kind of security you have, if anyone has the "key" to enter, he will...
    A firewall won't protect him against weak passwords..
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  7. #17
    I have to pipe in about that last post.

    I agree!

    I used to work for a really big university, and so performing vulnerability assessments was a big, fun project. I mean, at a university you have a lot of different kinds of systems, a lot of hosts, and a lot of people wanking away at the soft spots. I learned a lot, but it got tiring after a few passes.

    In the end I had to make a decision to back off on my hardware/software-based analysis and actually talk to some people, participate in committees, and preach about modifying the behavior of our users. Our network was pretty darn tight, but that just doesn't mean anything when you have an account system that doesn't require complex passwords or even password expiration. Or when you have professors who give all their students their account info "just so I can get class started more quickly".

  8. #18
    Oh, good point, and that brings up another question:

    Our user account passwords do expire often, and our admin password is very complex so it's hard to crack (in theory). However, I've been reading suggestions about changing the name of the admin account and then setting up a decoy low-permission account named "admin", which I think is a really good idea.

    So, in order to do that, how much am I going to have to change? Will a simple account change within Active Directory do the job, or am I going to have to do this in multiple places or on multiple machines?

  9. #19
    Senior Member | Join Date: Apr 2004 | Posts: 1,130
    What about starting to write some policies?
    Like "password cannot be easily guessed, such as wife's name, dog's name, or equal to the user ID".
    If you have a well-established environment, maybe it is time to implement "best practices".
    1. Take a look at IEC 17799 and see some "ideas"
    2. Go to some place like CERT.ORG and take a look at some best practices (a lot of guys here can give you a bunch of places to look)
    3. Do what you can at the technical stuff
    4. Write policies.
    5. Create mechanisms to enforce those policies

    Rest in your chair on the 7th day
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.
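Two of the problems described earlier in the thread (the trade-monitoring account whose password equals its username, and client passwords sitting readable in the same database every employee can query) and the policy item above ("password cannot ... equal userid") are the kind of thing step 5, an enforcement mechanism, has to catch at the point where a password is set. The block below is an added example for this thread, not code from any poster or product: a policy check that refuses a password equal to or containing the user ID, and an enrollment routine that stores only a salted PBKDF2 hash rather than the password itself. The common-password list, user names and the account store are constructed for the demo; a real deployment would check against a breached-password list instead.

```python
"""Password policy enforcement and salted hashing at enrollment time.

Added example for this thread (not the poster's code). The denylist, user
names and in-memory account store are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed denylist; use a real breached-password list in production.
COMMON_PASSWORDS = {"password", "123456", "letmein", "welcome", "qwerty", "admin"}
PBKDF2_ITERATIONS = 100_000


def policy_violations(username: str, password: str, min_len: int = 12) -> List[str]:
    """Return every reason the password fails policy; an empty list means it passes."""
    u, p = username.lower(), password.lower()
    reasons: List[str] = []
    if p == u:
        reasons.append("password equals user ID")          # the trade-monitoring case
    elif u and u in p:
        reasons.append("password contains user ID")
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if p in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    if classes < 3:
        reasons.append("fewer than three character classes")
    return reasons


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def enroll(store: Dict[str, str], username: str, password: str) -> None:
    """Reject policy violations; otherwise store only the hash, never the password."""
    problems = policy_violations(username, password)
    if problems:
        raise ValueError(f"{username}: " + "; ".join(problems))
    store[username] = hash_password(password)


def login(store: Dict[str, str], username: str, password: str) -> bool:
    stored = store.get(username)
    return stored is not None and verify_password(password, stored)


if __name__ == "__main__":
    accounts: Dict[str, str] = {}          # constructed stand-in for the user table
    for user, pw in [("trademon", "trademon"), ("jsmith", "Tr@de-Desk-2024!x")]:
        try:
            enroll(accounts, user, pw)
            print(f"{user}: enrolled, stored {accounts[user][:40]}...")
        except ValueError as err:
            print(f"rejected -> {err}")
    print("jsmith login:", login(accounts, "jsmith", "Tr@de-Desk-2024!x"))
```

Because each hash carries its own random salt, two users who pick the same password get different stored values, and someone with read access to the table still cannot look up a password the way the thread describes employees being able to do today.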

  10. #20
    Yeah, that all sounds good, think I might do just that.

    Ok, I think I may be having trouble grasping this DMZ concept. "Demilitarized zones" are supposed to help create layered security, right? My understanding was that it creates a sort of border within the network so that those with lower permissions can't get past it to access the rest of the network with higher permissions.

    However, boss is saying it's not a security tool, rather the opposite, that a DMZ allows the router to open all ports on a machine so that it is completely exposed to the Internet as if there was no firewall at all.

    So, can anybody further educate me on this and clear this up?
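The word "DMZ" is used for two different things, and the thread has run into both. The DMZ described in post #14 is a separate network segment between the Internet and the trusted network, with a firewall policy that lets the public reach only the public-facing host on the ports it serves, lets that host reach only what it needs on the inside, and denies everything else by default. The "DMZ" setting on a home or small-office router is a different feature: it forwards every inbound port to one chosen machine, which is the total exposure described in post #20. The block below is an added example, not anything from the thread or from a firewall vendor: a small first-match policy evaluator with both rule sets, so the difference can be checked flow by flow. The zones, addresses and hosts (a web front end in the DMZ, a database on the trusted LAN) are constructed to mirror the setup the thread describes.

```python
"""First-match zone policy: a segmented DMZ versus a consumer router's "DMZ host".

Added example for this thread (not from any poster). Zones, addresses and
rule sets are constructed to match the architecture discussed above.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zones. The DMZ is its own subnet, separate from the trusted LAN;
# any address not in a named zone is treated as the Internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "trusted": ipaddress.ip_network("10.0.0.0/8"),
}
WEB_SERVER = "192.0.2.10"     # public-facing application host in the DMZ
DB_SERVER = "10.0.1.20"       # customer database on the trusted network


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_host: Optional[str]   # None = any host in src_zone
    dst_host: Optional[str]   # None = any host in dst_zone
    proto: str                # "tcp", "udp" or "any"
    dport: Optional[int]      # None = any destination port
    action: str               # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (self.src_zone == zone_of(src)
                and self.dst_zone == zone_of(dst)
                and self.src_host in (None, src)
                and self.dst_host in (None, dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def decide(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; no match means deny (default-deny stance)."""
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"


# The layered design from post #14: the public reaches only the web host on
# 443, only the web host reaches the database and only on its port, and
# nothing else crosses from the DMZ into the trusted network.
SEGMENTED_POLICY = [
    Rule("internet", "dmz", None, WEB_SERVER, "tcp", 443, "allow"),
    Rule("dmz", "trusted", WEB_SERVER, DB_SERVER, "tcp", 1433, "allow"),
    Rule("trusted", "dmz", None, None, "any", None, "allow"),
    Rule("trusted", "internet", None, None, "any", None, "allow"),
]


def consumer_dmz_host_policy(host: str) -> List[Rule]:
    """A home router's "DMZ host" setting: every inbound port goes to one machine.

    This is exposure of that host, not segmentation of the network.
    """
    return [Rule("internet", zone_of(host), None, host, "any", None, "allow")]


if __name__ == "__main__":
    outside = "198.51.100.7"              # constructed Internet client
    flows = [
        (outside, WEB_SERVER, "tcp", 443),
        (outside, WEB_SERVER, "tcp", 3389),
        (outside, DB_SERVER, "tcp", 1433),
        (WEB_SERVER, DB_SERVER, "tcp", 1433),
        (WEB_SERVER, "10.0.1.30", "tcp", 445),
    ]
    for policy_name, policy in [("segmented DMZ", SEGMENTED_POLICY),
                                ("router DMZ host", consumer_dmz_host_policy(WEB_SERVER))]:
        print(policy_name)
        for src, dst, proto, port in flows:
            print(f"  {src} -> {dst}:{port}/{proto}: {decide(policy, src, dst, proto, port)}")
```

The flow that matters most for the software described in post #15 is the third one: with the segmented policy an outside client cannot reach the database at all, so a client application has to talk to something in the DMZ that talks to the database on the client's behalf, rather than opening the database server itself to the Internet.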
