Researching Network Attacks And Security Audit Tools

Posted by admin

Note: here’s an upfront declaration of our agenda in writing this blog post. Our Elastic Detector network vulnerability assessment delivers, or integrates with, the features of the following six tools (and much more) in a seamless way. But if you prefer to roll up your sleeves and integrate (often free) tools yourself, these are the products we suggest you consider to achieve a basic level of security. So, having got the commercial message out of the way at the very start of this story, let’s get straight into the respected individual tools that can help you address network security threats. We’ve split our comments on these tools into three sections: Vulnerability Analysis, Configuration Analysis and Log Analysis.

First, a list of the six tools we’ve included in this roundup:

  1. Nmap / port scanner.
  2. OpenVAS / vulnerability scanner.
  3. Arachni / web vulnerability scanner.
  4. Lynis / Linux configuration audit.
  5. MBSA / MS configuration audit.
  6. ELK / Elasticsearch Logstash Kibana.

Of course there’s more you may want to do: you might expand your action into such things as password checks, real-time security monitoring or other refinements, not to forget getting stats and following KPIs about your system security trend. Elastic Detector can help in all these cases.


But if you’re happy with the minimum set and you can spend the necessary time to handle the process manually, there’s an overview of each product at the end of this article.

The Three-Stage Process for DIY Network Security

A ‘Do It Yourself’ network security process will involve three key stages: vulnerability, configuration and log analysis. You might be auditing your network because you have already been attacked, or to better understand the security level of your network and information system, or as the first step in planning a security strategy. But in all cases, the flow of vulnerability, then configuration, then log analysis is a prudent way to approach your project.

Vulnerability Analysis

A combination of tools can help you to prepare a vulnerability analysis. We suggest you carry out the checks in a certain order, as there is a hierarchy to the actions you’ll take and dependencies to consider (i.e., fixing one problem can affect a different function).

Step 1. Use Nmap to create an inventory of your network assets. This will identify the various services that are visible and accessible to users (or hackers).

Step 2. Use the OpenVAS vulnerability scanner to detect flaws based on the Nmap inventory. OpenVAS includes over 35,000 threat alerts from the open community.

Step 3. Use Arachni to provide a deep search of web application vulnerabilities. Depending on your network assets, you might also use other scanners to ‘dive deep’ into specific network components.

Configuration Analysis

To quote Microsoft Research and the University of California: “Configuring networks is arduous because policy requirements (for resource management, access control, etc.) can be complex and configuration languages are low level. Consequently, configuration errors that compromise availability, security, and performance are common.”

– Use MBSA (Microsoft Baseline Security Analyzer) for Windows environments.
– Use Lynis for Linux environments.

Log Analysis


A log analysis enables you to search system logs for patterns that could reveal hacking attempts. The ELK suite consists of four key components which, between them, can help you identify irregular network intrusions.

– Use ELK suite components.

Managing the Complexity of Vulnerability

Between those six software tools, network security managers can implement a threat assessment protocol.
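As an added example (our own illustration, not code from this post or from Nmap, OpenVAS or Arachni), here is the handoff between the three vulnerability-analysis steps above: it parses Nmap’s XML output (a constructed sample is embedded; the scan command and addresses are assumptions) and derives the host and port list to hand to OpenVAS and the web URLs to hand to Arachni.

```python
"""Added example: turn an Nmap XML inventory (vulnerability analysis step 1)
into the OpenVAS host/port list (step 2) and Arachni URLs (step 3).
Not code from the post or from Nmap, OpenVAS or Arachni."""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX` output (TEST-NET addresses, hypothetical hosts).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
 <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
 <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
</ports></host>
<host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
 <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
</ports></host>
<host><status state="down"/><address addr="192.0.2.30" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_inventory(xml_text):
    """Return {ip: [(port, proto, service, ssl), ...]} for open ports on live hosts."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status, addr = host.find("status"), host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # hosts that are down are not scan targets
        services = []
        for port in host.findall("ports/port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports expose no reachable service
            name = svc.get("name", "") if svc is not None else ""
            ssl = svc is not None and svc.get("tunnel") == "ssl"
            services.append((int(port.get("portid")), port.get("protocol"), name, ssl))
        inventory[addr.get("addr")] = services
    return inventory

def openvas_targets(inventory):
    """Step 2: each live host with open ports becomes an OpenVAS target with that port list."""
    return {ip: sorted(p for p, _, _, _ in svcs) for ip, svcs in inventory.items() if svcs}

def arachni_targets(inventory):
    """Step 3: only HTTP(S) services become Arachni scan URLs."""
    urls = []
    for ip, svcs in sorted(inventory.items()):
        for port, proto, name, ssl in svcs:
            if proto == "tcp" and name.startswith("http"):
                scheme = "https" if ssl or name == "https" else "http"
                urls.append(f"{scheme}://{ip}:{port}/")
    return urls
```

Run the real scan with `nmap -sV -oX inventory.xml <range>` and feed that file to `parse_inventory` instead of the sample; filtered ports and down hosts are dropped so neither scanner wastes time on unreachable services.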

If you’ll allow us to reiterate our own commercial message, Elastic Detector does at least all of the above from within a single, integrated package:

– Automated, daily enterprise threat assessment.
– Security alerts and remediation tips.
– Free 30-day trial.

If you still want to review the six individual tools, to save you a few minutes we grabbed the outline description for each of our ‘top six’ IT network security tools from their respective websites. Those overviews are below.

Nmap

Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.

OpenVAS

The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The actual security scanner is accompanied by a daily updated feed of Network Vulnerability Tests (NVTs), over 35,000 in total (as of April 2014). All OpenVAS products are Free Software. Most components are licensed under the GNU General Public License (GNU GPL).

Arachni

Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. It is smart: it trains itself by monitoring and learning from the web application’s behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false positives. Unlike other scanners, it takes into account the dynamic nature of web applications, can detect changes caused while travelling through the paths of a web application’s cyclomatic complexity and is able to adjust itself accordingly. This way, attack/input vectors that would otherwise be undetectable by non-humans can be handled seamlessly.

Lynis

Lynis is an open source security auditing tool, used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux/Unix-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners. Lynis is flexible and easy to use. Installation is optional: just copy it to a system and use “./lynis audit system” to start the security scan. It is written in shell script and released as open source software (GPL). During the scan, technical details about the scan are stored in a log file. At the same time, findings (warnings, suggestions, data collection) are stored in a report file.

MBSA

The Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations. The MBSA 2.3 release adds support for Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012. MBSA 2.3 runs on Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP systems and will scan for missing security updates, rollups and service packs using Microsoft Update technologies. To assess missing security updates, MBSA will only scan for missing security updates, update rollups and service packs available from Microsoft Update. MBSA will not scan or report missing non-security updates, tools or drivers.

ELK

The Logstash / Kibana setup has four main components:

– Logstash: The server component of Logstash that processes incoming logs.
– Elasticsearch: Stores all of the logs.
– Kibana: Web interface for searching and visualizing logs, which will be proxied through Nginx.
– Logstash Forwarder: Installed on servers that will send their logs to Logstash, Logstash Forwarder serves as a log forwarding agent that utilizes the lumberjack networking protocol to communicate with Logstash.

Assessing security controls involves more than simply scanning a firewall to see what ports are open and then running off to a quiet room to generate a report. It is natural for security engineers to gravitate toward technology and focus on technical security control testing (otherwise known as penetration testing), because it is likely the 'fun' part of security for most engineers. Conducting a penetration test is like throwing down the gauntlet to security professionals, and it gives them an opportunity to flex their hacker skills. Testing security as a system, however, involves significantly more than launching carefully crafted evil packets at the network to see what happens.

This chapter discusses software tools and techniques auditors can use to test network security controls. It is important to note that this is not a chapter about hacking.

You will not learn all of the techniques and tools available today for breaking into networks. Do a search at your favorite online bookseller for the terms hacking, hacker, or penetration testing and you will find a slew of books devoted to the topics. Security testing as a process is covered, but the focus is on gathering the evidence useful for an audit.

Thoroughly assessing security controls serves a vital part in determining whether or not a business is compliant with its policies, procedures, and standards. Through security controls testing, you can determine whether the organization meets its goals for reducing risk and keeping evildoers out of the network and away from critical systems.

Evaluating Security Controls

Security controls are the safeguards that a business uses to reduce risk and protect assets. Policy determines what security controls are needed, and those controls are selected by identifying a risk and choosing the appropriate countermeasure that reduces the impact of an undesirable event (such as a customer database being stolen). The evaluation of security controls in its simplest form validates whether or not the control adequately addresses policy, best practice, and law. Testing security controls for effectiveness and measuring them against standards are among the best ways to help an organization meet its obligations to shareholders and regulatory responsibilities. As discussed in Chapter 1, 'The Principles of Auditing,' the main security control types are administrative, technical, and physical.

Under each category, the specific controls that can be implemented are preventative, detective, corrective, or recovery. These control types work together, and in general, you must provide controls from each category to effectively protect an asset.

When testing controls, make sure that each functional category is addressed and all controls are implemented in a way that doesn't allow someone easy circumvention. You can have the most advanced firewall in the world as a preventative control, but without monitoring its effectiveness through detective controls, such as log reviews and IPS, you would never know for sure if it enforced policy. These missing pieces are typically what hackers exploit to break into systems, and it's the auditor's job to identify and report on weaknesses in the system. When evaluating security effectiveness, you need to examine three primary facets for every control.

All security incidents, from break-ins to lost customer records, can usually be traced back to a deficiency that can be attributed to people, process, or technology. Testing these areas enables you to analyze security from a big-picture perspective, gives you a better understanding of how an organization performs today, and recommends improvements for tomorrow. Following are the three facets to examine:

People: People are users, administrators, data owners, and managers of the organization with varying levels of skills, attitudes, and agendas. If users are not following security policies, there might be a need for stronger administrative controls such as security awareness training or penalties for noncompliance (this is the 'up to and including getting fired' clause that HR puts in the employee manual).


An organization can also implement a detective/corrective control to enforce policies such as having the latest antivirus updates or operating system patches before the user is allowed on the network. People also represent the organizational structure and policies that drive security.

Process: Process represents how the organization delivers the service of IT. These are the procedures and standards that are put into place to protect assets. Processes must be up to date, consistent, and follow best practices to be effective. Process is one of the most important areas to test, because most attacks that result in significant loss have a component in which process has failed. Take, for example, user account creation and decommissioning.



Someone is hired, and a request is put into IT to create the appropriate accounts for the new hire. Who is allowed to send the request? Is it any hiring manager, or does it have to be one from Human Resources? How is the request validated as legitimate? Without strong process and the appropriate controls in place to prevent, detect, and correct, anyone can call and impersonate a hiring manager and request that an account be created.

This is significantly easier (and quicker) than trying to run a brute-force password-cracking tool against a server.

Technology: Technology represents the facilities, equipment, computer hardware, and software that automate a business. Technology enables people to accomplish repetitive jobs faster and with less error. Of course, technology also enables someone to do stupid things just as efficiently (and faster). Misconfigurations and poorly implemented software can take a mistake and multiply its impact exponentially. Imagine leaving the door unlocked on a room that houses hardcopy files.


Someone could potentially walk into the room and take files, but it would take a long time (not to mention effort) to hand carry those documents out to a car. Now, imagine misconfiguring a server in the DMZ to allow for access from the Internet to a key database server. Someone could download the entire database and not even leave a trace that they were there.

This is why it is so important for a business to standardize on best practices and configurations that are known to work. Best practices tend to anticipate many of these scenarios. Evaluating security controls requires the auditor to look at a system with the eyes of a hacker and anticipate how things could be exploited to gain unauthorized access. Just because something 'shouldn't' be exploitable doesn't mean that it isn't. The only way to know is to test the system, and the individuals who are tasked with monitoring and maintaining it should do the testing.