Information Security News mailing list archives

ITL Bulletin for November 2003


From: InfoSec News <isn () c4i org>
Date: Fri, 21 Nov 2003 01:12:36 -0600 (CST)

Forwarded from: Elizabeth Lennon <elizabeth.lennon () nist gov>

NETWORK SECURITY TESTING
Shirley M. Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Securing and operating today's complex systems is challenging and
demanding. Mission and operational requirements to deliver services
and applications swiftly and securely have never been greater.
Organizations, having invested precious resources and scarce skills in
various necessary security efforts such as risk analysis,
certification, accreditation, security architectures, policy
development, and other security efforts, can be tempted to neglect or
insufficiently develop a comprehensive and systematic operational
security testing program.

This guide stresses the need for an effective security testing program
within federal agencies. Testing serves several purposes. One, no
matter how well a given system may have been developed, the nature of
today's complex systems with large volumes of code, complex internal
interactions, interoperability with external components, unknown
interdependencies coupled with vendor cost and schedule pressures,
means that exploitable flaws will always be present and will surface
over time. Accordingly, security testing must fill the gap between the
state of system development as it is and actual operation of these
systems. Two, security testing is important for understanding,
calibrating, and documenting the operational security posture of an
organization. Aside from development of these systems, the operational
and security demands must be met in a fast-changing threat and
vulnerability environment. Attempting to learn and repair the state of
your security during a major attack, for example, may be too late as
the damage in cost and reputation could be extremely high. Three,
security testing is an essential component of improving the security
posture of your organization overall. Organizations that have a
systematic, comprehensive, ongoing, and priority-driven security
testing regimen are in a much better position to make prudent
investments to enhance the security posture of their systems.

NIST Guideline on Network Security Testing

NIST recently issued Special Publication (SP) 800-42, Guideline on
Network Security Testing, to assist organizations in testing their
Internet-connected and operational systems. The guide provides an
approach to adopting effective procedures that can help organizations
uncover unknown vulnerabilities, institute security controls, and
prevent incidents and attacks. Written by John Wack, Miles Tracy, and
Murugiah Souppaya, NIST SP 800-42 introduces three aspects of network
security testing:

* How network security testing fits into the system
  development life cycle and the organizational roles and 
  responsibilities related to security testing,

* Available testing techniques, their strengths and 
  weaknesses, and the recommended frequencies for testing, and

* Strategies for deploying network security testing, 
  including how to prioritize testing activities when 
  resources are limited and how to avoid duplication of 
  effort in adopting techniques that are appropriate to the 
  organization's mission and security objectives.

In addition to the basic information about establishing programs to
implement network security testing, the guideline provides references,
explanations of the terminology used, descriptions of available
testing tools, and recommendations on how to use selected tools.

This ITL bulletin summarizes the publication, which is available at
http://csrc.nist.gov/publications/nistpubs/index.html.

Security Testing and the System Development Life Cycle

Organizations should evaluate their systems' security at different
stages of system development. Security evaluation activities include,
but are not limited to, risk assessment, certification and
accreditation (C&A), system audits, and security testing at
appropriate periods during a system's life cycle. These activities are
directed toward ensuring that the system is being developed and
operated in accordance with the organization's security policy.

The Security Test and Evaluation (ST&E) process is an examination or
analysis of the protective measures that are placed on an information
system once it is fully integrated and operational. The process will
help to uncover design, implementation, and operational flaws,
determine the adequacy of security mechanisms, and assess whether the
system is implemented as documented. ST&E addresses computer security,
communications security, emanations security, physical security,
personnel security, administrative security, and operations security.

Network security testing is conducted after the system has been
developed, installed, and integrated during its Implementation and
Operational stages. The results of testing can help to identify
vulnerabilities, demonstrate progress in meeting security
requirements, and indicate needs for system improvement. Therefore,
security testing provides information for other system development
life cycle activities such as risk analysis and contingency planning.
Security testing results should be made available for staff members
involved in other information technology and security-related areas.

Tools for Network Security Testing

Network security testing should be conducted on a regular basis while
systems are running in their operational environments to provide
information about the integrity of an organization's networks and
associated systems. Some testing techniques are predominantly manual,
requiring an individual to initiate and conduct the test. Other tests
are highly automated and require less human involvement.  The staff
members who set up and conduct the security testing activities must
have solid security and networking knowledge.

Testing techniques are available for network mapping, vulnerability
scanning, password cracking, penetration testing, war dialing, war
driving, file integrity checking, and virus scanning. Often, several
of these testing techniques are used together to gain a more
comprehensive assessment of the overall status of network security.
For example, penetration testing usually includes network scanning and
vulnerability scanning to identify vulnerable hosts and services that
may be targeted for later penetration. Some vulnerability scanners
incorporate password cracking. None of the tests by themselves will
provide a complete picture of the network or its security posture.
After tests are completed, all test results should be documented, and
system owners should be informed of the results to ensure that
vulnerabilities are patched or mitigated.

Several techniques for network testing are introduced in SP 800-42.
The following table summarizes the types of testing and the strengths
and weaknesses of each test technique.

Network Scanning
Strengths

* Fast (as compared to vulnerability scanners or
  penetration testing)

* Efficiently scans hosts, depending on number of hosts in
  network

* Many excellent freeware tools available

* Highly automated (for scanning component)

* Low cost

Weaknesses

* Does not directly identify known vulnerabilities
  (although will identify commonly used Trojan ports
  [e.g., 31337, 12345, etc.])

* Generally used as a prelude to penetration testing, not as a
  final test

* Requires significant expertise to interpret results
Vulnerability Scanning
Strengths

* Can be fairly fast depending on number of hosts scanned

* Some freeware tools available

* Highly automated (for scanning)

* Identifies known vulnerabilities

* Often provides advice on mitigating discovered vulnerabilities

* High cost (commercial scanners) to low (freeware scanners)

* Easy to run on a regular basis

Weaknesses

* Has high false positive rate

* Generates large amount of traffic aimed at a specific 
  host (which can cause the host to crash or lead to a 
  temporary denial of service)

* Not stealthy (e.g., easily detected by IDS, firewall and
  even end-users [although this may be useful in testing
  the response of staff and alerting mechanisms])

* Can be dangerous in the hands of a novice (particularly
  DoS attacks)

* Often misses latest vulnerabilities

* Identifies only surface vulnerabilities

Penetration Testing
Strengths

* Tests network using the methodologies and tools that 
  attackers employ

* Verifies vulnerabilities

* Goes beyond surface vulnerabilities and demonstrates how 
  these vulnerabilities can be exploited iteratively to 
  gain greater access

* Demonstrates that vulnerabilities are not purely theoretical

* Can provide the realism and evidence needed to address 
  security issues

* Social engineering allows for testing of procedures and
  the human element of network security

Weaknesses

* Requires great expertise

* Very labor intensive

* Slow, target hosts may take hours/days to "crack"

* Due to the time required, not all hosts on medium or large
  sized networks will be tested individually

* Dangerous when conducted by inexperienced testers

* Certain tools and techniques may be banned or controlled 
  by agency regulations (e.g., network sniffers, password 
  crackers, etc.)

* Expensive

* Can be organizationally disruptive

Password Cracking
Strengths

* Quickly identifies weak passwords

* Provides clear demonstration of password strength or weakness

* Easily implemented

* Low cost

Weaknesses

* Potential for abuse

* Certain organizations restrict use

Log Reviews
Strengths

* Provides excellent information

* Only data source that provides historical information

Weaknesses

* Cumbersome to manually review

* May filter out important information

File Integrity Checkers
Strengths

* Reliable method of determining whether a host has been 
  compromised

* Highly automated

* Low cost

Weaknesses

* Does not detect any compromise prior to installation

* Checksums need to be updated when system is updated

* Checksums need to be protected (e.g., read-only CD-ROM)
  because they provide no protection if they can be modified
  by an attacker

Virus Detectors
Strengths

* Excellent at preventing and removing viruses

* Low/Medium cost

Weaknesses

* Require constant updates to be effective

* Some false positive issues

* Ability to react to new, fast-replicating viruses is 
  often limited

War Dialing
Strength

* Effective way to identify unauthorized modems

Weaknesses

* Legal and regulatory issues especially if using public 
  switched network

* Slow

War Driving
Strength

* Effective way to identify unauthorized wireless access points

Weaknesses

* Possible legal issues if other organizations' signals are
  intercepted

* Requires some expertise in computing, wireless networking
  and radio engineering

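The file integrity checker described in the table above, as an added example that is not code from SP 800-42 or NIST. It assumes the baseline manifest is sealed with an HMAC under a key kept off the monitored host (standing in for the read-only media the table recommends), and builds a constructed directory tree to show both a detected change and a rejected forged manifest.

```python
"""File integrity checking with a sealed baseline (added example, not from SP 800-42).

Assumption (constructed for illustration): the manifest is sealed with an HMAC under a key
that lives off the monitored host, playing the role of the read-only media recommended above."""
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root):
    """Map every regular file under root (relative POSIX path) to its hash."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = hash_file(full)
    return entries


def seal(entries, key):
    """Seal the manifest: editing the stored hashes without the key breaks the HMAC."""
    payload = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def check(root, baseline, key):
    """Compare the live tree with the baseline; refuse a manifest whose seal does not verify."""
    payload = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["hmac"]):
        return False, {"error": "baseline manifest failed its integrity check"}
    old, now = baseline["entries"], scan_tree(root)
    findings = {
        "modified": sorted(p for p in old if p in now and now[p] != old[p]),
        "missing": sorted(p for p in old if p not in now),
        "added": sorted(p for p in now if p not in old),
    }
    return not any(findings.values()), findings


def demo():
    """Constructed scenario: baseline a small tree, then alter it and also forge the manifest."""
    key = b"constructed-demo-key"  # real deployments keep this off the monitored host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "etc", "services"), "w") as fh:
            fh.write("ssh 22/tcp\n")
        # Anything already altered at this point is baselined as "good": the checker cannot
        # detect a compromise that predates its installation.
        baseline = seal(scan_tree(root), key)
        clean_before, _ = check(root, baseline, key)
        # Simulated unauthorized changes made after the baseline was taken.
        with open(os.path.join(root, "etc", "hosts"), "a") as fh:
            fh.write("10.9.9.9 update-server\n")
        with open(os.path.join(root, "etc", "rc.local"), "w") as fh:
            fh.write("# constructed extra file\n")
        clean_after, findings = check(root, baseline, key)
        # Simulated cover-up: rewrite the stored hash so the modified file looks unchanged.
        forged = {"entries": dict(baseline["entries"]), "hmac": baseline["hmac"]}
        forged["entries"]["etc/hosts"] = hash_file(os.path.join(root, "etc", "hosts"))
        forged_accepted, _ = check(root, forged, key)
    return {
        "clean_before": clean_before,
        "clean_after": clean_after,
        "findings": findings,
        "forged_manifest_accepted": forged_accepted,
    }
```
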
The following table summarizes the baseline frequencies for
running the tests. (See the definitions for Category 1 and
Category 2 systems at the end of the table.)

Network Scanning
Category 1 Frequency
         Continuously to Quarterly
Category 2 Frequency
         Semi-Annually
Benefits

* Enumerates the network structure and determines the set
  of active hosts and associated software

* Identifies unauthorized hosts connected to a network

* Identifies open ports

* Identifies unauthorized services

Vulnerability Scanning
Category 1 Frequency
         Quarterly or bi-monthly (more often for certain
         high risk systems), when the vulnerability database
         is updated
Category 2 Frequency
         Semi-Annually
Benefits

* Enumerates the network structure and determines the set
  of active hosts and associated software

* Identifies a target set of computers to focus 
  vulnerability analysis

* Identifies potential vulnerabilities on the target set

* Validates that operating systems and major applications
  are up to date with security patches and software versions

Penetration Testing
Category 1 Frequency
         Annually
Category 2 Frequency
         Annually
Benefits

* Determines how vulnerable an organization's network is to 
  penetration and the level of damage that can be incurred

* Tests IT staff's response to perceived security incidents 
  and their knowledge of and implementation of the organization's 
  security policy and system's security requirements

Password Cracking
Category 1 Frequency
         Continuously to same frequency as expiration policy
Category 2 Frequency
         Same frequency as expiration policy
Benefits

* Verifies that the policy is effective in producing 
  passwords that are more or less difficult to break

* Verifies that users select passwords that are compliant 
  with the organization's security policy

Log Reviews
Category 1 Frequency
         Daily for critical systems, e.g., firewalls
Category 2 Frequency
         Weekly
Benefit

* Validates that the system is operating according to policies

Integrity Checkers
Category 1 Frequency
         Monthly and in case of suspected incident
Category 2 Frequency
         Monthly
Benefit

* Detects unauthorized file modifications

Virus Detectors
Category 1 Frequency
         Weekly or as required
Category 2 Frequency
         Weekly or as required

Benefit

* Detects and deletes viruses before successful
  installation on the system

War Dialing
Category 1 Frequency
         Annually
Category 2 Frequency
         Annually
Benefit

* Detects unauthorized modems and prevents unauthorized
  access to a protected network

War Driving
Category 1 Frequency
         Continuously to weekly
Category 2 Frequency
         Semi-annually
Benefit

* Detects unauthorized wireless access points and prevents 
  unauthorized access to a protected network

Category 1 systems are generally those systems whose
operation is critical to the organizational mission.
Category 1 systems include:

* Firewalls, both internal and external,

* Routers and switches,

* Related network-perimeter security systems such as 
  intrusion detection systems,

* Web servers, e-mail servers, and other application servers,

* Other servers such as for Domain Name Service (DNS) or 
  directory servers or file servers, and

* Other selected high-priority applications and systems.

Category 2 systems include general staff and related systems, e.g.,
desktop, standalone and mobile client systems. While the security of
these systems is important, Category 1 systems should generally be
tested more frequently than Category 2 systems.

Deployment Strategies

The goal of security testing is to maximize the benefit to the
organization as a whole. The guideline recommends that organizations
adopt consistent approaches to network security testing, using levels
of security testing that are appropriate to organizational missions
and security objectives.

The types and frequency of testing during the operational and
maintenance phase (both for minimum and comprehensive testing) should
be ranked according to a priority order, based on the security
category, cost of conducting the tests, and the expected overall
benefits to the organization's systems. The decision about what to
test for during the implementation phase normally involves a single
system. The same decision during the operational and maintenance phase
becomes more complicated because of internal and external connections.
To maximize the value of testing, the prioritization process should
consider the interconnectivity of systems. Senior managers should be
involved in the prioritization process to ensure that the
organizational perspective is considered.

The basic steps that organizations should take in developing a
priority ranking for their network testing activities include:

* Determine the security category for the organization's information
systems. Federal Information Processing Standards (FIPS) 199,
Standards for Security Categorization of Federal Information and
Information Systems, covers this important step. It defines three
levels of potential impact on organizations (or on individuals) should
certain adverse events occur. These are events that could jeopardize
the information systems needed by the organization to accomplish its
assigned mission, protect its assets, fulfill its legal
responsibilities, maintain its day-to-day functions, and protect
individuals.  Security categories are to be used in conjunction with
vulnerability and threat information to assess the risk that an
organization incurs when operating an information system. FIPS 199 is
available as a pre-publication final document at
http://csrc.nist.gov/publications.

* Determine the cost of performing each test for each system. Costs
vary depending upon the size and complexity of the system to be
tested, the level of human interaction required for each test, the
feasibility of selecting a sample for the tests, and the size of the
sample.

* Identify the benefits of each test type per system to assure that
the cost of testing does not exceed its value to the organization.
These benefits can include knowledge gained about systems and
networks, and reduced chances for intrusion or business disruption.

* Prioritize systems for testing, based on security category, cost of
testing, and benefits. The prioritized list should include the
resources required for conducting each type of test for each system
under consideration. The starting point for determining minimum
required resources should be minimum testing for those systems with
the highest level of impact. If resources are not available for
minimum testing for the highest impact systems, additional resources
should be requested.
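
The four prioritization steps above carried through in code, as an added example that is not from SP 800-42 or NIST. The systems, staff-day costs, benefit scores and the "minimum testing" set are constructed assumptions; only the three impact levels follow FIPS 199.

```python
"""Priority ranking for network testing, following the four steps above (added example, not
from SP 800-42). Systems, costs and benefit scores are constructed; the impact levels are the
three FIPS 199 potential-impact levels."""

IMPACT_RANK = {"high": 3, "moderate": 2, "low": 1}

# Steps 1-3 as inputs: each system's security category and, for every test type it needs, the
# estimated cost in staff-days and a 1-10 benefit score assigned by the organization (constructed).
SYSTEMS = {
    "ext-firewall": {"impact": "high", "tests": {
        "network_scan": (1, 9), "vuln_scan": (2, 9), "pentest": (10, 8), "log_review": (3, 7)}},
    "web-server": {"impact": "high", "tests": {
        "network_scan": (1, 8), "vuln_scan": (3, 9), "pentest": (12, 9)}},
    "dns-server": {"impact": "moderate", "tests": {
        "network_scan": (1, 6), "vuln_scan": (2, 7), "integrity_check": (1, 6)}},
    "staff-desktops": {"impact": "low", "tests": {
        "vuln_scan": (4, 5), "virus_scan": (1, 6)}},
}

# Assumed "minimum testing" set that every system should receive before optional tests are funded.
MINIMUM_TESTS = {"network_scan", "vuln_scan"}


def rank_tests(systems):
    """Step 4: order (system, test) pairs by impact level, then minimum before optional tests,
    then by benefit per unit of cost."""
    rows = []
    for name, info in systems.items():
        for test, (cost, benefit) in info["tests"].items():
            rows.append({"system": name, "test": test, "impact": info["impact"],
                         "cost": cost, "benefit": benefit, "minimum": test in MINIMUM_TESTS})
    rows.sort(key=lambda r: (-IMPACT_RANK[r["impact"]], not r["minimum"], -r["benefit"] / r["cost"]))
    return rows


def plan(systems, budget_days):
    """Fund tests in priority order within the budget, and report the shortfall against minimum
    testing of the highest-impact systems: the case in which additional resources should be
    requested rather than silently skipping those tests."""
    funded, unfunded, remaining = [], [], budget_days
    for row in rank_tests(systems):
        if row["cost"] <= remaining:
            funded.append(row)
            remaining -= row["cost"]
        else:
            unfunded.append(row)
    top = max(IMPACT_RANK[s["impact"]] for s in systems.values())
    shortfall = sum(r["cost"] for r in unfunded
                    if r["minimum"] and IMPACT_RANK[r["impact"]] == top)
    return {
        "funded": [(r["system"], r["test"]) for r in funded],
        "unfunded": [(r["system"], r["test"]) for r in unfunded],
        "additional_resources_needed": shortfall,
    }
```
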

Summary of NIST Recommendations

* Make network security testing a routine and integral part of the
system and network operations and administration.  Organizations
should conduct routine tests of systems and verify that systems have
been configured correctly with the appropriate security mechanisms and
policy. Routine testing prevents many types of incidents from
occurring in the first place. The additional costs for performing this
testing will likely be offset by the reduced costs in incident
response.

* Test the most important systems first. In general, systems that
should be tested first include those systems that are publicly
accessible, that is, routers, firewalls, web servers, e-mail servers,
and certain other systems that are open to the public, are not
protected behind firewalls, or are mission-critical systems.
Organizations can then use various metrics to determine the importance
or criticality of other systems in the organization and then test
those systems as well.

* Use caution when testing. Certain types of testing, including
network scanning, vulnerability testing, and penetration testing, can
mimic the signs of attack. Testing should be done in a coordinated
manner, with the knowledge and consent of appropriate officials.

* Ensure that security policy accurately reflects the organization's
needs. The policy must be used as a baseline for comparison with
testing results. Without an appropriate policy, the usefulness of
testing is drastically limited.  For example, discovering that a
firewall permits the flow of certain types of traffic may be
irrelevant if there is no policy that states what type of traffic or
what type of network activity is permitted. When there is a policy,
testing results can be used to improve the policy.
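
The policy-as-baseline point above, as an added example that is not code from SP 800-42 or NIST: the same scan results are evaluated once without a policy (an inventory only, nothing to act on) and once against a policy of permitted services per host role. The scan line format, hosts and policy are constructed for illustration.

```python
"""Scan results measured against a policy baseline (added example, not from SP 800-42).
The scanner output format, hosts and policy below are constructed for illustration."""
from collections import defaultdict

# Constructed scan output: one "host port state" line per probed TCP port (not a real tool's format).
SCAN_OUTPUT = """\
10.0.0.10 22 open
10.0.0.10 80 open
10.0.0.10 443 open
10.0.0.10 8080 closed
10.0.0.20 22 open
10.0.0.20 25 open
10.0.0.20 3306 open
10.0.0.30 22 open
10.0.0.30 53 open
10.0.0.99 22 open
10.0.0.99 445 open
"""

# Constructed policy: the TCP services each system role may expose, and the role of each
# inventoried host. A host absent from the inventory is by definition unauthorized.
POLICY = {
    "roles": {"web": {22, 80, 443}, "mail": {22, 25, 587}, "dns": {22, 53}},
    "hosts": {"10.0.0.10": "web", "10.0.0.20": "mail", "10.0.0.30": "dns"},
}


def parse_scan(text):
    """Return {host: set of open ports}; closed ports and blank lines are ignored."""
    open_ports = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port, state = line.split()
        if state == "open":
            open_ports[host].add(int(port))
    return dict(open_ports)


def evaluate(scan, policy=None):
    """Without a policy the scan is only an inventory and yields no findings; with one, every
    deviation from the permitted services becomes a finding that someone can act on."""
    inventory = {host: sorted(ports) for host, ports in sorted(scan.items())}
    if policy is None:
        return {"inventory": inventory, "findings": []}
    findings = []
    for host, ports in sorted(scan.items()):
        role = policy["hosts"].get(host)
        if role is None:
            findings.append((host, "unauthorized host", sorted(ports)))
            continue
        allowed = policy["roles"][role]
        if ports - allowed:
            findings.append((host, "unauthorized service", sorted(ports - allowed)))
        if allowed - ports:
            # Not a security finding, but a cue that the policy or the host is out of date:
            # this is how test results feed back into improving the policy.
            findings.append((host, "policy review: permitted but not running", sorted(allowed - ports)))
    return {"inventory": inventory, "findings": findings}
```
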

* Integrate security testing into the risk management process. Testing
can uncover unknown vulnerabilities and misconfigurations. As a
result, testing frequencies may need to be adjusted to meet the
prevailing circumstances, such as when new controls are added to
vulnerable systems or other configuration changes are made because of
a new threat environment. Security testing reveals crucial information
about an organization's security posture and its ability to surmount
external attacks or to avoid significant financial costs or damage to
its reputation as a result of internal malfeasance.  In some cases,
the results of the testing may indicate that the policy and the
security architecture should be updated.

* Ensure that system and network administrators are trained and
capable.  The staff members recruited for network system testing may
already be involved in system administration. While system
administration is an increasingly complex task, the number of trained
system administrators generally has not kept pace with the increase in
computing systems. Competent system administration may be the most
important security measure an organization can employ, and
organizations should ensure they have sufficient staff members with
the required skill level to perform system administration and security
testing correctly.

* Ensure that systems are kept up-to-date with patches. As a result of
security testing, it may become necessary to patch many systems.
Applying patches in a timely manner can sharply reduce the
organization's exposure to vulnerabilities.

* Look at the big picture. The results of routine testing may indicate
that the organization should readdress its systems security
architecture. Some organizations may need to step back and undergo a
formal process of identifying the security requirements for many of
their systems, and then begin to redesign or adapt their security
architecture accordingly. This process will result in improved
efficiency of operations and fewer costs related to incident response
operations.

* Understand the capabilities and limitations of vulnerability
testing.  Vulnerability testing may result in many false positive
scores, or it may not detect certain types of problems that are beyond
the detection capabilities of the tools. Penetration testing is an
effective complement to vulnerability testing, aimed at uncovering
hidden vulnerabilities. However, it is resource intensive, requires
much expertise, and can be expensive.  Organizations should assume
that they are vulnerable to attack regardless of how favorable their
testing scores are.

Useful References

The following NIST Special Publications (SPs) and Federal Information
Processing Standard Publication (FIPS) provide useful information
about planning, implementing, and maintaining secure information
systems. These publications are available on NIST's web pages:
http://csrc.nist.gov/publications/

NIST SP 800-12, An Introduction to Computer Security: The NIST
Handbook, October 1995, provides guidance on general security
procedures.

NIST SP 800-14, Generally Accepted Principles and Practices for
Securing Information Technology Systems, September 1996, describes
common practices for the security of information systems.

NIST SP 800-18, Guide for Developing Security Plans for Information
Technology Systems, December 1998, provides details on developing and
updating security plans.

NIST SP 800-26, Security Self-Assessment Guide for IT Systems,
November 2001, provides details on self-assessment.

NIST SP 800-27, Engineering Principles for Information Technology
Security (A Baseline for Achieving Security), June 2001, presents
system-level security principles to be considered in the design,
development, and operation of information systems.

NIST SP 800-30, Risk Management Guide for Information Technology
Systems, January 2002, discusses the process of identifying risk,
assessing risk, and taking steps to reduce risk to an acceptable
level.

NIST SP 800-31, Intrusion Detection Systems (IDS), November 2001,
discusses hardware and software systems that monitor events occurring
in a computer system or network.

NIST SP 800-34, Contingency Planning Guide for Information Technology
(IT) Systems, June 2002, gives information on developing and
implementing IT contingency plans.

NIST SP 800-40, Procedures for Handling Security Patches, September
2002, provides guidance on developing and implementing an
organizational patch and vulnerability approach.

NIST SP 800-41, Guideline on Firewalls and Firewall Policy, January
2002, presents information about the use of firewalls and development
of firewall policies.

NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth, and
Handheld Devices, November 2002, provides guidance on improving the
security of wireless systems and mobile devices.

NIST SP 800-61 (Draft), Computer Security Incident Handling Guide,
September 2003, discusses forming incident response teams,
establishing incident response policies and procedures, and handling
incidents.

NIST SP 800-64, Security Considerations in the Information System
Development Life Cycle, October 2003, presents a framework for
incorporating security into all phases of the system development life
cycle.

FIPS 199 (Pre-publication Final), Standards for Security
Categorization of Federal Information and Information Systems,
December 2003.  
http://csrc.nist.gov/publications/drafts/draft-fips-pub-199.pdf

Disclaimer

Any mention of commercial products or reference to commercial
organizations is for information only; it does not imply
recommendation or endorsement by NIST nor does it imply that the
products mentioned are necessarily the best available for the purpose.
