PREVENTION: Discusses the use of vulnerability assessment tools and
penetration analyses. When used regularly, both techniques can be integral components of
an institution's information security program. Vulnerability assessment tools,
also called security scanning tools, assess the security of network or host systems and
report system vulnerabilities. These tools can scan networks, servers, firewalls, routers,
and applications for vulnerabilities. Generally, the tools can detect known security flaws
or bugs in software and hardware, determine if the systems are susceptible to known
attacks and exploits, and search for system vulnerabilities such as settings contrary to
established security policies.
In evaluating a vulnerability assessment tool, management should consider how
frequently the tool is updated to include the detection of any new weaknesses such as
security flaws and bugs. If there is a time delay before a system patch is made available
to correct an identified weakness, mitigating controls may be needed until the system
patch is issued.
Generally, vulnerability assessment tools are not run in real-time, but they are
commonly run on a periodic basis. When using the tools, it is important to ensure that the
results from the scan are secure and only provided to authorized parties. The tools can
generate both technical and management reports, including text, charts, and graphs. The
vulnerability assessment reports can tell a user what weaknesses exist and how to fix
them. Some tools can automatically fix vulnerabilities after detection.
As in intrusion detection systems, which are discussed later in this appendix, there
are generally two types of vulnerability assessment tools: host-based and network-based.
Another category is sometimes used for products that assess vulnerabilities of specific
applications (application-based) on a host. A host is generally a single computer or
workstation that can be connected to a computer network. Host-based tools assess the
vulnerabilities of specific hosts. They usually reside on servers, but can be placed on
specific desktop computers, routers, or even firewalls.
Network-based vulnerability assessment tools generally reside on the network,
specifically analyzing the network to determine if it is vulnerable to known attacks. Both
host- and network-based products offer valuable features, and the risk assessment process
should help an institution determine which is best for its needs. Information systems
personnel should understand the types of tools available, how they operate, where they are
located, and the output generated from the tools.
Host-based vulnerability assessment tools are effective at identifying security risks
that result from internal misuse or hackers using a compromised system. They can detect
holes that would allow access to a system such as unauthorized modems, easily guessed
passwords, and unchanged vendor default passwords. The tools can detect system
vulnerabilities such as poor virus protection capabilities; identify hosts that are
configured improperly; and provide basic information such as user log-on hours,
password/account expiration settings, and users with dial-in access. The tools may also
provide a periodic check to confirm that various security policies are being followed. For
instance, they can check user permissions to access files and directories, and identify
files and directories without ownership.
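The policy checks described in this paragraph (empty or weak password settings, account
expiration settings, files without ownership), written out as an added example; this is not
part of the original paper and not the output of any particular product. The account and
file data are constructed samples, and the 90-day maximum password age is an assumed policy value.

```python
"""Host-based policy checks of the kind a vulnerability assessment tool performs (added example)."""

MAX_PASSWORD_AGE_DAYS = 90  # assumed institutional policy, not from the paper

# Constructed sample /etc/passwd and /etc/shadow content (not taken from any real host)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
svc_backup:x:1002:1002::/var/backup:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$salt$hash:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:60:7:::
svc_backup::19000:0:99999:7:::
"""
# Constructed file listing as (path, numeric owner uid)
SAMPLE_FILES = [("/etc/passwd", 0), ("/home/alice/notes", 1001), ("/srv/old_export.csv", 1500)]


def parse_passwd(text):
    """Return {account name: uid} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = int(fields[2])
    return users


def check_shadow(text, max_age=MAX_PASSWORD_AGE_DAYS):
    """Flag accounts with an empty password field or a max age looser than policy.
    Locked accounts ('!' or '*' in the hash field) are deliberately not flagged."""
    findings = []
    for line in text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        name, hashed, max_days = fields[0], fields[1], fields[4]
        if hashed == "":
            findings.append((name, "empty password field"))
        if max_days == "" or int(max_days) > max_age:
            findings.append((name, f"password max age {max_days or 'unset'} exceeds {max_age} days"))
    return findings


def check_unowned(files, users):
    """Return paths whose owner uid matches no existing account (files without ownership)."""
    known_uids = set(users.values())
    return [path for path, uid in files if uid not in known_uids]


def run_checks():
    users = parse_passwd(SAMPLE_PASSWD)
    return {"shadow": check_shadow(SAMPLE_SHADOW), "unowned": check_unowned(SAMPLE_FILES, users)}
```

On a real host the same functions would be fed the contents of /etc/passwd and /etc/shadow and an ownership listing from the filesystem, with the results handled as sensitive data as the paper advises.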
Network-based vulnerability assessment tools are more effective than host-based at
detecting network attacks such as denial of service and Internet Protocol (IP) spoofing.
Network tools can detect unauthorized systems on a network or insecure connections to
business partners. Running a host-based scan does not consume network overhead, but can
consume processing time and available storage on the host. Conversely, frequently running
a network-based scan as part of daily operations increases network traffic during the
scan. This may cause inadvertent network problems such as router crashes.
After the initial risk assessment is completed, management may determine that a
penetration analysis (test) should be conducted. For the purpose of this paper,
"penetration analysis" is broadly defined. Bank management should determine the
scope and objectives of the analysis. The scope can range from a specific test of a
particular information system's security to a review of multiple information security
processes in an institution.
A penetration analysis usually involves a team of experts who identify an information
system's vulnerability to a series of attacks. The evaluators may attempt to
circumvent the security features of a system by exploiting the identified vulnerabilities.
Similar to running vulnerability scanning tools, the objective of a penetration analysis
is to locate system vulnerabilities so that appropriate corrective steps can be taken.
The analysis can apply to any institution with a network, but becomes more important if
system access is allowed via an external connection such as the Internet. The analysis
should be independent and may be conducted by a trusted third party, qualified internal
audit team, or a combination of both. The information security policy should address the
frequency and scope of the analysis. In determining the scope of the analysis, items to
consider include internal vs. external threats, systems to include in the test, testing
methods, and system architectures.
A penetration analysis is a snapshot of the security at a point in time and does not
provide a complete guarantee that the system(s) being tested are secure. It can test the
effectiveness of security controls and preparedness measures. Depending on the scope of
the analysis, the evaluators may work under the same constraints applied to ordinary
internal or external users. Conversely, the evaluators may use all system design and
implementation documentation. It is common for the evaluators to be given just the IP
address of the institution and any other public information, such as a listing of officers
that is normally available to outside hackers. The evaluators may use vulnerability
assessment tools, and employ some of the attack methods discussed in this paper such as
social engineering and war dialing. After completing the agreed-upon analysis, the
evaluators should provide the institution a detailed written report. The report should
identify vulnerabilities, prioritize weaknesses, and provide recommendations for
corrective action.
A penetration analysis itself can introduce new risks to an institution; therefore,
several items should be considered before having an analysis completed, including the
following:
- If using outside testers, the reputation of the firm
or consultants hired. The evaluators will assess the weaknesses in the bank's
information security system. As such, the confidentiality of results and bank data is
crucial. Just like screening potential employees prior to their hire, banks should
carefully screen firms, consultants, and subcontractors who are entrusted with access to
sensitive data. A bank may want to require security clearance checks on the evaluators. An
institution should ask if the evaluators have liability insurance in case something goes
wrong during the test. The bank should enter into a written contract with the evaluators,
which at a minimum should address the above items.
- If using internal testers, the independence of the
testers from system administrators.
- The secrecy of the test. Some senior executives
may order an analysis without the knowledge of information systems personnel. This can
create unwanted results, including the notification of law enforcement personnel and
wasted resources responding to an attack. To prevent excessive responses to the attacks,
bank management may consider informing certain individuals in the organization of the
penetration analysis.
- The importance of the systems to be tested. Some
systems may be too critical to be exposed to some of the methods used by the evaluators,
such as a critical database that could be damaged during the test.