network vulnerabilities

Upload: governmenthooker

Post on 04-Apr-2018


  • 7/31/2019 network vulnerabilities

    1/27

    Chapter 4: Computer Network Vulnerabilities

    Computer Network Security

    Kizza - Computer Network Security 2

    Sources of Vulnerabilities

    There is no definitive list of all possible sources of these system vulnerabilities. Among the most frequently mentioned sources of security vulnerability problems in computer networks are:

    design flaws,

    poor security management,

    incorrect implementation,

    Internet technology vulnerability,

    the nature of intruder activity,

    the difficulty of fixing vulnerable systems,

    the limits of effectiveness of reactive solutions,

    social engineering.

    Computer Network Vulnerabilities

    System vulnerabilities are weaknesses in the software or hardware on a server or a client that can be exploited by a determined intruder to gain access to or shut down a network.

    A system vulnerability is a condition, a weakness of or an absence of security procedure, or technical, physical, or other controls that could be exploited by a threat.

    Design Flaws

    The two major components of a computer system, hardware and software, quite often have design flaws.

    Hardware systems are less susceptible to design flaws than their software counterparts owing to less complexity and the long history of hardware engineering.

    But even with all these factors backing up hardware engineering, design flaws are still common.

    But the biggest problems in system security vulnerability are due to software design flaws.

    Three major factors contribute a great deal to software design flaws:

    human factors,

    software complexity,

    trustworthy software sources.

    Human Factors - Poor software performance can be a result of:

    Memory lapses and attentional failures: For example, someone was supposed to have removed or added a line of code, tested, or verified but did not because of simple forgetfulness.

    Rush to finish: The result of pressure, most often from management, to get the product on the market either to cut development costs or to meet a client deadline can cause problems.

    Overconfidence and use of nonstandard or untested algorithms: Before algorithms are fully tested by peers, they are put into the product line because they seem to have worked on a few test runs.

    Malice: Software developers, like any other professionals, have malicious people in their ranks. Bugs, viruses, and worms have been known to be embedded and downloaded in software, as is the case with Trojan horse software, which boots itself at a timed location.

    Complacency: When either an individual or a software producer has significant experience in software development, it is easy to overlook certain testing and other error control measures in those parts of software that were tested previously in a similar or related product, forgetting that no one software product can conform to

    Software Complexity - Professionals and nonprofessionals who use software know the differences between software programming and hardware engineering. It is these differences that underlie many of the causes of software failure and poor performance. Consider the following:

    Complexity: Unlike hardwired programming in which it is easy to exhaust the possible outcomes on a given set of input sequences, in software programming a similar program may present billions of possible outcomes on the same input sequence.

    Difficult testing: There will never be a complete set of test programs to check software exhaustively for all bugs for a given input sequence.

    Ease of programming: The fact that software programming is easy to learn encourages many people with little formal training and education in the field to start developing programs, but many are not knowledgeable about good programming practices or able to check for errors.

    Misunderstanding of basic design specifications: This affects the subsequent design phases including coding, documenting, and testing. It also results in improper and ambiguous specifications of major components of the software and in ill-chosen and poorly defined internal

    Trustworthy Software Sources

    There are thousands of software sources for the millions of software products on the market today. However, if we were required to name well known software producers, very few of us would succeed in naming more than a handful. Yet we buy software products every day without even ever minding their sources. Most important, we do not care about the quality of that software, the honesty of the anonymous programmer, and of course the reliability of it as long as it does what we want it to do.

    Even if we want to trace the authorship of the software product, it is impossible because software companies are closed within months of their opening. Chances are when a software product is 2 years old, its producer is likely to be out of business. In addition to the difficulties in tracing the producers of software who go out of business as fast as they come in, there is also fear that such software may not even have been tested at all.

    The growth of the Internet and the escalating costs of software production have led many small in-house software developers to use the marketplace as a giant testing laboratory through the use of beta testing, shareware and freeware. Shareware and freeware have a

    Software Re-Use, Re-engineering, and Outlived Design

    New developments in software engineering are spearheading new developments such as software re-use and software re-engineering. Software re-use is the integration and use of software assets from a previously developed system. It is the process in which old or updated software such as library, component, requirements and design documents, and design patterns is used along with new software.

    Both software re-engineering and re-use are hailed for cutting down on the escalating development and testing costs. They have brought efficiency by reducing time spent designing or coding, popularized standardization, and led to common look-and-feel between applications. They have made debugging easier through use of thoroughly tested designs and code.

    Poor Security Management

    Security management is both a technical and an administrative security process that involves security policies and controls that the organization decides to put in place to provide the required level of protection. In addition, it also involves security monitoring and evaluation of the effectiveness of those policies.

    The most effective way to meet those goals is to implement security risk assessment through a security policy and securing access to network resources through the use of firewalls and strong cryptography. These and others offer the security required for the different information systems in the organization in terms of integrity, confidentiality, and availability of that information.

    Security management by itself is a complex process; however, if it is not well organized it can result in a security nightmare for the organization.

    Poor security management is a result of little control over security implementation, administration, and monitoring. It is a failure in having solid control of the security situation of the organization when the security administrator does not know who is setting the organization's security policy, administering security compliance, and who manages system security configurations and is in charge of security event and incident handling.

    Good security management is made up of a number of implementable security components that include:

    risk management,

    information security policies and procedures,

    standards,

    guidelines,

    information classification,

    security monitoring,

    security education.

    These core components serve to protect the organization's resources. A risk analysis will identify these assets, discover the threats that put them at risk, and estimate the possible damage and potential loss a company could endure if any of these threats become real. The results of the risk analysis help management construct a budget with the necessary funds to protect the recognized assets from their identified threats and develop applicable security policies that provide direction for security activities. Security education takes this information to each and every employee.

    Security policies and procedures to create, implement, and enforce security issues that may include people and technology.

    Information classification to manage the search, identification, and reduction of system vulnerabilities by establishing security configurations.

    Security monitoring to prevent and detect intrusions, consolidate event logs for future log and trend analysis, manage security events in real-time, manage parameter security including multiple firewall reporting systems, and analyze security events enterprise-wide.

    Security education to bring security awareness to every employee of the organization and teach them their individual security responsibility.

    Incorrect Implementation

    Incorrect implementation very often is a result of incompatible interfaces. Two product modules can be deployed and work together only if they are compatible. That means that the module must be additive, that is, the environment of the interface needs to remain intact.

    An incompatible interface, on the other hand, means that the introduction of the module has changed the existing interface in such a way that existing references to the interface can fail or behave incorrectly.
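The additive-versus-incompatible distinction above can be checked mechanically before a module is deployed. The following is an added example, not part of the original slides: it compares two versions of a hypothetical module interface (all function and parameter names are constructed) and reports every change that would make existing references fail or behave differently.

```python
import inspect

EMPTY = inspect.Parameter.empty
VARIADIC = (inspect.Parameter.VAR_POSITIONAL, inspect.Parameter.VAR_KEYWORD)


def breaking_changes(old_api, new_api):
    """Return the ways new_api breaks references written against old_api.

    Both arguments map an exported name to a callable. An empty list means
    the new module is additive: the existing interface is left intact.
    """
    problems = []
    for name, old_fn in sorted(old_api.items()):
        if name not in new_api:
            problems.append(f"{name}: removed")
            continue
        old = list(inspect.signature(old_fn).parameters.values())
        new = list(inspect.signature(new_api[name]).parameters.values())
        intact = True
        for pos, old_p in enumerate(old):
            # Existing calls bind by position or name, so both must survive.
            if pos >= len(new) or new[pos].name != old_p.name:
                problems.append(f"{name}: parameter '{old_p.name}' removed or moved")
                intact = False
                break
            new_default = new[pos].default
            # A changed default keeps old calls working but alters what they do.
            if old_p.default is not EMPTY and new_default != old_p.default:
                what = ("lost its default" if new_default is EMPTY
                        else f"default changed {old_p.default!r} -> {new_default!r}")
                problems.append(f"{name}: '{old_p.name}' {what}")
        if intact:
            for extra in new[len(old):]:
                # New parameters are additive only if callers may omit them.
                if extra.default is EMPTY and extra.kind not in VARIADIC:
                    problems.append(f"{name}: new required parameter '{extra.name}'")
    return problems


# Constructed sample interfaces; every name below is hypothetical.
def v1_open_session(host, port=443, verify_tls=True):
    """Interface that already-deployed modules call."""

def v1_close_session(session):
    """Unchanged between versions."""

def v2_open_session(host, port=443, verify_tls=True, timeout=30):
    """Additive: one new optional parameter."""

def v3_open_session(host, port=443, verify_tls=False, *, token):
    """Incompatible: flipped default and a new required parameter."""

V1 = {"open_session": v1_open_session, "close_session": v1_close_session}
V2_ADDITIVE = {"open_session": v2_open_session,
               "close_session": v1_close_session,
               "ping": lambda host: None}
V3_INCOMPATIBLE = {"open_session": v3_open_session}

if __name__ == "__main__":
    for label, api in (("v2", V2_ADDITIVE), ("v3", V3_INCOMPATIBLE)):
        print(label, breaking_changes(V1, api) or "additive")
```

The flipped `verify_tls` default is the case that "behaves incorrectly" rather than fails: old callers keep running, but without the check they relied on.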

    Incompatibility in system interfaces may be caused by a variety of conditions usually created by things such as:

    Too much detail

    Not enough understanding of the underlying parameters

    Poor communication during design

    Selecting the software or hardware modules before understanding the receiving software

    Ignoring integration issues

    Error in manual entry

    Internet Technology Vulnerability

    The fact that computer and telecommunication technologies have developed at such an amazing and frightening speed and people have overwhelmingly embraced both of them has caused security experts to worry about the side effects of these booming technologies.

    Internet technology has been and continues to be vulnerable. There have been reports of all sorts of loopholes, weaknesses, and gaping holes in both software and hardware technologies.

    No one knows how many of these vulnerabilities there are both in software and hardware. The assumption is that there are thousands. As history has shown us, a few are always discovered every day by hackers.

    Although the list spans both hardware and software, the problem is more prevalent with software. In fact software vulnerabilities can be put into four categories:

    Operating system vulnerabilities: Operating systems are the main sources of all reported system vulnerabilities.

    Port-based vulnerabilities: Besides operating systems, network service ports take second place in sourcing system vulnerabilities. For system administrators, knowing the list of most vulnerable ports can go a long way to help enhance system security by blocking those known ports at the firewall.

    Application software based errors

    Changing Nature of Hacker Technologies and Activities

    It is ironic that as useful technology develops so does the bad technology. What we call useful technology is the development in all computer and telecommunication technologies that are driving the Internet, telecommunication, and the Web. Bad technology is the technology that system intruders are using to attack systems. Unfortunately these technologies are all developing in tandem.

    In fact there are times when it looks like hacker technologies are developing faster than the rest of the technology. One thing is clear, though: hacker technology is flourishing.

    Systems

    It is difficult to fix known system vulnerabilities. There is concern about the ability of system administrators to cope with the number of patches issued for system vulnerabilities. As the number of vulnerabilities rises, system and network administrators face a difficult situation. They are challenged with keeping up with all the systems they have and all the patches released for those systems. Patches can be difficult to apply and might even have unexpected side effects as a result of compatibility issues [2].

    Besides the problem of keeping abreast of the number of vulnerabilities and the corresponding patches, there are also logistic problems between the time a vendor releases a security patch and the time a system administrator fixes the vulnerable computer system.

    There are several factors affecting the quick fixing of patches. Sometimes it is the logistics of the distribution of patches. Many vendors disseminate the patches on their Web sites; others send e-mail alerts. However, sometimes busy systems administrators do not get around to these e-mails and security alerts until sometime after. Sometimes it can be months or years before the patches are implemented on a majority of the vulnerable computers.

    Limits of Effectiveness of Reactive Solutions

    Because just a small percentage of all attacks is reported, this indicates a serious growing system security problem.

    Urgent action is needed to find an effective solution to this monstrous problem.

    The security community, including scrupulous vendors, has come up with various solutions, some good and others not. In fact, in an unexpected reversal of fortunes one of the new security problems is to find a good solution from among thousands of solutions and to find an expert security option from the many different views.

    Are we reaching the limits of our efforts, as a community, to come up with a few good and effective solutions to this security problem? There are many signs to support an affirmative answer

    It is clear that we are reaching the limits of effectiveness of our reactive solutions. Richard D. Pethia gives the following reasons:

    The number of vulnerabilities in commercial off-the-shelf software is now at the level that it is virtually impossible for any but the best resourced organizations to keep up with the vulnerability fixes.

    The Internet now connects more than 109,000,000 computers and continues to grow at a rapid pace. At any point in time, there are hundreds of thousands of connected computers that are vulnerable to one form of attack or another.

    Attack technology has now advanced to the point where it is easy for attackers to take advantage of these vulnerable machines and harness them together to launch high-powered attacks.

    Many attacks are now fully automated, thus reducing the turnaround time even further as they spread around cyberspace.

    The attack technology has become increasingly complex and in some cases intentionally stealthy, thus reducing the turnaround time and increasing the time it takes to discover and analyze the attack mechanisms in order to produce antidotes.

    Social Engineering

    Social engineering is an outside hacker's use of psychological tricks on legitimate users of a computer system, in order to gain the information (usernames and passwords) one needs to gain access to the system.

    Social engineering is a diversion, in the process of system attack, on people's intelligence to utilize two human weaknesses: first no one wants to be considered ignorant and second is human trust. Ironically these are two weaknesses that have made social engineering difficult to fight because no one wants to admit

    Vulnerability Assessment

    Vulnerability assessment is a process that works on a system to identify, track, and manage the repair of vulnerabilities on the system.

    The assortment of items that are checked by this process in a system under review varies depending on the organization. It may include all desktops, servers, routers, and firewalls.

    Most vulnerability assessment services will provide system administrators with:

    network mapping and system fingerprinting of all known vulnerabilities

    a complete vulnerability analysis and ranking of all exploitable weaknesses based on potential impact and likelihood of occurrence for all services on each host

    prioritized list of misconfigurations.

    A final report is always produced detailing the findings and the best way to go about overcoming such vulnerabilities.

    This report consists of:

    prioritized recommendations for mitigating or eliminating weaknesses, based on an organization's operational schedule,

    it also contains recommendations of further reassessments of the system within given time intervals or on a regular basis.
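The ranking by impact and likelihood and the schedule-aware final report described in the two slides above can be sketched as follows. This is an added example, not from the original slides: the 1-5 scoring scales, the reassessment thresholds, the maintenance windows and all hosts and findings are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    service: str
    weakness: str
    impact: int        # assumed scale: 1 (minor) to 5 (severe)
    likelihood: int    # assumed scale: 1 (unlikely) to 5 (expected)
    misconfiguration: bool = False

    @property
    def score(self):
        return self.impact * self.likelihood


def rank(findings):
    """Highest impact x likelihood first; impact breaks ties, then host/service."""
    return sorted(findings, key=lambda f: (-f.score, -f.impact, f.host, f.service))


def schedule(findings, windows):
    """Fit ranked findings into maintenance windows given as (date, capacity).

    Returns (date, finding) pairs; date is None when no window has room,
    which the report should surface rather than hide.
    """
    queue = rank(findings)
    plan = []
    for day, capacity in sorted(windows):
        batch, queue = queue[:capacity], queue[capacity:]
        plan.extend((day, f) for f in batch)
    plan.extend((None, f) for f in queue)
    return plan


def reassess_in_days(findings):
    """Reassessment interval from the worst score (thresholds are assumptions)."""
    worst = max((f.score for f in findings), default=0)
    return 30 if worst >= 15 else 90 if worst >= 8 else 180


# Constructed sample data, not from the page.
FINDINGS = [
    Finding("web01", "https", "outdated TLS configuration", 3, 3, True),
    Finding("db01", "postgres", "default administrative password", 5, 4, True),
    Finding("fw01", "ssh", "management interface open to guest VLAN", 4, 2, True),
    Finding("web01", "http", "unpatched web server", 4, 4),
    Finding("ws17", "smb", "file sharing enabled on desktop", 2, 2, True),
]
WINDOWS = [(date(2024, 6, 8), 2), (date(2024, 6, 1), 1)]

if __name__ == "__main__":
    for day, f in schedule(FINDINGS, WINDOWS):
        when = day.isoformat() if day else "UNSCHEDULED"
        print(f"{when:11} {f.score:2} {f.host}/{f.service}: {f.weakness}")
    print("misconfigurations:", [f.weakness for f in rank(FINDINGS) if f.misconfiguration])
    print("reassess in", reassess_in_days(FINDINGS), "days")
```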

    Vulnerability Assessment Services

    Due to the massive growth of the number of companies and organizations owning their own networks, the growth of vulnerability monitoring technologies, the increase in network intrusions and attacks with viruses, and world-wide publicity of such attacks, there is a growing number of companies offering system vulnerability services.

    Among the services are:

    Vulnerability Scanning - to provide a comprehensive security review of the system including both the perimeter and system internals. The aim of this kind of scanning is to spot critical vulnerabilities and gaps in the system's security practices. Comprehensive system scanning usually results in a number of both false positives and negatives. It is the job of the system administrator to find ways of dealing with these false positives and negatives. The final report produced after each scan consists of strategic advice and prioritized recommendations to ensure critical

    Vulnerability Assessment and Penetration Testing - a hands-on testing of a system for identified and unidentified vulnerabilities. All known hacking techniques and tools are tested during this phase to reproduce real-world attack scenarios. One of the outcomes of these real-life testings is that new and sometimes obscure vulnerabilities are found, processes and procedures of attack are identified, and sources and severity of vulnerabilities are categorized and

    Assessment Services

    They can, and actually always do, provide and develop signatures and updates for new vulnerabilities and automatically include them in the next scan. This eliminates the need for the system administrator to schedule periodic updates.

    Probably the best advantage to an overworked and many times resource-strapped system administrator is the automated and regularly scheduled scan of all network resources. They provide, in addition, a badly needed third-party security eye, thus helping the administrator to provide an objective yet independent security evaluation of the