238 Managing Network Vulnerability Assessment
Urgency Rating: *****
Risk
Sending usernames and passwords across the network in cleartext allows anyone
who can observe the traffic to capture them and log on to the resource as that
user. The systems affected are all routers and switches, as well as all the
Sun Solaris systems. Any user with a sniffer on the path between a client and
one of these systems could capture the credentials for any resource that
accepts cleartext log-ins.
Recommendations
There are two recommendations to resolve this issue. The first is to install
an Identification and Authentication (I&A) service that supports two-factor
authentication. The one-time passwords generated by these token systems are
valid for a single log-in, so a password observed on the wire cannot be
replayed at the next log-in. Note that a one-time password protects only the
log-in itself; the rest of a Telnet session is still visible to the sniffer.
The second solution is to use SSH (Secure Shell) wherever the platform
supports it. SSH encrypts the whole session, including the username and
password, and also supports public/private key pairs, which removes the need
for a password altogether where key-based authentication is supported. On
devices that support neither option, management access should be restricted
to as few hosts and networks as possible.
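The following script, added here as an illustration and not part of the original report, reconstructs a log-in from captured Telnet segments the way a sniffer would. The session, the host and the credentials it contains are constructed for the example; the only Telnet behaviour it relies on is the standard IAC command escaping (RFC 854) and the fact that the server echoes the username but not the password.

```python
"""
Added example, not part of the report: reconstruct a Telnet login from
captured TCP segments, which is exactly what "any user with a sniffer" sees
when an administrator telnets to a router or Solaris host. The segments below
are constructed to look like a character-at-a-time Telnet login; nothing was
captured from a real network, and the credentials are made up.
"""
from typing import Dict, Iterable, List, Optional, Tuple

IAC = 0xFF                              # Telnet "Interpret As Command" escape
SB, SE = 0xFA, 0xF0                     # sub-negotiation begin / end
OPTION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT: one option byte follows


def strip_telnet_commands(data: bytes) -> bytes:
    """Drop IAC negotiation sequences, leaving only user-visible text."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(data):          # truncated IAC at end of segment
            break
        elif data[i + 1] == IAC:          # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif data[i + 1] in OPTION_CMDS:  # IAC WILL/WONT/DO/DONT <option>
            i += 3
        elif data[i + 1] == SB:           # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                             # other two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out)


def extract_telnet_login(segments: Iterable[Tuple[str, bytes]]) -> Dict[str, Optional[str]]:
    """
    Walk captured segments in order; each is (direction, payload) where
    direction is "s2c" (server to client) or "c2s" (client to server).
    The server's "login:" and "Password:" prompts tell us which client
    keystrokes make up the username and which the password.
    """
    creds: Dict[str, Optional[str]] = {"username": None, "password": None}
    field: Optional[str] = None           # which credential the client is typing
    typed = bytearray()
    for direction, payload in segments:
        text = strip_telnet_commands(payload)
        if direction == "s2c":
            prompt = text.lower()
            if b"login:" in prompt:
                field, typed = "username", bytearray()
            elif b"password:" in prompt:
                field, typed = "password", bytearray()
        elif direction == "c2s" and field is not None:
            for b in text:
                if b == 0x0D:                 # Enter: the field is complete
                    creds[field] = typed.decode("ascii", "replace")
                    field = None
                    break
                if b not in (0x0A, 0x00):     # ignore the LF/NUL that follows CR
                    typed.append(b)
    return creds


# Constructed capture of one login to a Solaris host (not a real session)
CAPTURED_SESSION: List[Tuple[str, bytes]] = [
    ("s2c", bytes([IAC, 0xFD, 0x18, IAC, 0xFD, 0x20])),   # DO TERMINAL-TYPE, DO TSPEED
    ("c2s", bytes([IAC, 0xFB, 0x18, IAC, 0xFC, 0x20])),   # WILL TERMINAL-TYPE, WONT TSPEED
    ("s2c", bytes([IAC, 0xFB, 0x01]) + b"\r\nlogin: "),   # WILL ECHO, then the prompt
    ("c2s", b"r"), ("s2c", b"r"), ("c2s", b"o"), ("s2c", b"o"),   # keystrokes, echoed
    ("c2s", b"o"), ("s2c", b"o"), ("c2s", b"t"), ("s2c", b"t"),
    ("c2s", b"\r\n"), ("s2c", b"\r\nPassword: "),
    ("c2s", b"s"), ("c2s", b"3"), ("c2s", b"c"),           # password is not echoed,
    ("c2s", b"r"), ("c2s", b"3"), ("c2s", b"t"),           # but it is still on the wire
    ("c2s", b"\r\n"), ("s2c", b"\r\n# "),
]

if __name__ == "__main__":
    print(extract_telnet_login(CAPTURED_SESSION))   # {'username': 'root', 'password': 's3cr3t'}
```

The same reassembly works for any cleartext protocol that uses a recognisable prompt; with SSH in place the client-to-server bytes are ciphertext and the prompt matching finds nothing.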
Finding 4: User Account Management
Every NT system tested by Your Company exhibited several user account
management issues. These ranged from active Guest accounts, to missing
account policies, to short passwords. Your Company also noticed that no
consistent policy was enforced across all systems and that there were no
apparent guidelines as to what those policies should be.
Urgency Rating: ****
Risk
Failings in user account management are among the first places a potential
attacker will look to gain entry into a system. Nonexistent user account
management policies result in varying system strength across critical
systems, leaving significant opportunity for an attacker, either internal or
external, to gain unauthorized access.
Recommendations
Develop a User Account Management Policy, including minimum password
length, change frequency, account lockout, and password history, and then
implement the policy across all platforms. Disable the Guest account on every
system, since the assessment found it active, and verify periodically that
each system still matches the policy rather than assuming it does.
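As an added illustration (not from the report), the script below audits account settings collected from several NT systems against a single baseline policy of the kind recommended above and reports both the violations on each system and the settings that differ between systems, which is the "no consistent policy" problem the finding describes. The system names, observed values and baseline thresholds are assumptions for the example.

```python
"""
Added example, not part of the report: audit the account settings gathered
from several NT systems against one User Account Management Policy and flag
both per-system weaknesses and settings that differ between systems. The
observed values are constructed to mirror the finding (active Guest accounts,
no lockout, short passwords); the baseline numbers are assumed, not CLIENT's.
"""
from dataclasses import dataclass, fields
from typing import Dict, List


@dataclass(frozen=True)
class AccountSettings:
    min_password_length: int     # characters
    max_password_age_days: int   # 0 = passwords never expire
    lockout_threshold: int       # failed logons before lockout; 0 = never locks
    password_history: int        # previous passwords remembered
    guest_enabled: bool


# Assumed baseline policy: the controls the report recommends, with example values
BASELINE = AccountSettings(min_password_length=8, max_password_age_days=90,
                           lockout_threshold=5, password_history=6,
                           guest_enabled=False)

# Constructed per-system observations (hypothetical system names)
OBSERVED: Dict[str, AccountSettings] = {
    "NT-PDC01": AccountSettings(6, 0, 0, 0, True),
    "NT-APP01": AccountSettings(8, 90, 5, 6, False),
    "NT-DEV02": AccountSettings(0, 42, 3, 0, True),
}


def audit_system(name: str, s: AccountSettings, base: AccountSettings = BASELINE) -> List[str]:
    """Return the baseline violations found on one system."""
    issues: List[str] = []
    if s.guest_enabled and not base.guest_enabled:
        issues.append(f"{name}: Guest account is enabled")
    if s.min_password_length < base.min_password_length:
        issues.append(f"{name}: minimum password length {s.min_password_length}, "
                      f"policy {base.min_password_length}")
    if s.max_password_age_days == 0 or s.max_password_age_days > base.max_password_age_days:
        age = f"after {s.max_password_age_days} days" if s.max_password_age_days else "never"
        issues.append(f"{name}: passwords expire {age}, policy {base.max_password_age_days} days")
    if s.lockout_threshold == 0 or s.lockout_threshold > base.lockout_threshold:
        lock = f"after {s.lockout_threshold} failures" if s.lockout_threshold else "never"
        issues.append(f"{name}: account locks {lock}, policy {base.lockout_threshold} failures")
    if s.password_history < base.password_history:
        issues.append(f"{name}: password history {s.password_history}, "
                      f"policy {base.password_history}")
    return issues


def inconsistent_settings(observed: Dict[str, AccountSettings]) -> List[str]:
    """Settings whose value is not identical on every system, i.e. no single policy is enforced."""
    return [f.name for f in fields(AccountSettings)
            if len({getattr(s, f.name) for s in observed.values()}) > 1]


def audit_all(observed: Dict[str, AccountSettings] = OBSERVED) -> Dict[str, List[str]]:
    """Per-system violations plus the list of settings that drift between systems."""
    report = {name: audit_system(name, s) for name, s in observed.items()}
    report["inconsistent"] = inconsistent_settings(observed)
    return report


if __name__ == "__main__":
    for system, issues in audit_all().items():
        print(system, issues)
```

On a real engagement the observed values come from each system's account policy export rather than from literals, but the comparison is the same: a system that passes the per-system checks can still be a finding if its settings differ from every other system's.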
Sample NVA Report 239
Physical and Operational Security
Finding 1: Violations of Operations Security Procedures
Access to the CLIENT computer room is through a card key system. Visitors
are then supposed to log in on a sign-in sheet when entering and sign out
when exiting. Employees are to swipe their cards when entering or leaving.
Your Company noticed employees following the procedure of swiping in and
out; however, visitors, such as PA, were not required to sign in on almost
every visit to the facility. Of all their entrances to and exits from the
computer room, Your Company employees were required to sign out only once.
Most of the time, Your Company employees exited the room without an employee
swiping them out. Also, even when Your Company personnel signed in, the names
were never checked. A review of the log should show a recent visit to the
CLIENT computer room by Mickey Mouse.
Also, consoles in the computer room were routinely left unlocked with an
administrator account logged in. During almost a month in the CLIENT computer
room, Your Company never saw the console of any NT server locked, and most of
them had the XXX administrative account logged in, an account that has
Administrator privileges on the NT system.
Urgency Rating: *****
Risk
Control of the central computing facility is critical to the survival of CLIENT.
Unauthorized access to the computer facility combined with unrestricted access
to administrative accounts would allow a person to do whatever he wished.
Additional investigation revealed that developers have access to the computer
room; together with the unlocked consoles, this effectively gives them, and
anyone else in the computer room, Administrator access to the NT servers, and
with that access anyone can do whatever he wants to the systems under his
control. Additionally, physical access to the computer room grants physical
access to the Sun servers and the network core, which would allow someone to
shut down these systems.
Recommendations
The following steps should be taken immediately:
Enforce strict sign-in and sign-out procedures.
Lock all NT server screens, thereby requiring a log-in.
Do not allow developers access to the computer room.
Additional steps should be taken as follows:
Physically isolate the Sun server room.
Lock cabinets with NT servers and key them so that only authorized
individuals have the necessary keys.
Install an Identification and Authentication system to verify not only the
account in use, but also who logged in as that account.
Lock the power distribution cabinet so that only authorized personnel can
disable power internal to the computer room.
Physically secure the core network equipment so that someone cannot
shut down the network.
Implement a cable management system so that physical access to core
network devices is not required for troubleshooting physical network
problems.
Install more cameras to provide full coverage of the computer room.
Store camera images for future reference as evidence in the event of an
incident.
Computer room space should not be used as a staging area for deployment
hardware.
Finding 2: Violations of Physical Security Procedures
Physical security is often described as the “guns, guards, gates, dogs, cameras,
and bombs” part of security. It is designed to provide a physical, deterrent
control over the behavior of individuals. Your Company observed several
critical violations of physical security, as follows:
The front door was unlocked late on the evening of XXX at approximately
XXX with no one present at the front guard counter for over 15 minutes.
The computer room was unmanned several evenings during the week of
XXX while operators were out smoking, leaving only Your Company
personnel in the computer room or, in one observed case, no one was
present while Your Company personnel waited for several minutes for the
operator to return from a break.
Visitor bags were not checked or examined upon entry/exit.
Urgency Rating: *****
Risk
These violations could result in the introduction of materials into, or the
removal of information from, CLIENT. Part of CLIENT’s security trust model is
to rely on human intervention in the event of problems; in the absence of
operators or guards, no human response was available.
Recommendations
Enforce existing policy and procedures.
Finding 3: Physical Access to Critical Workspaces
Various workspaces contain critical media and data, such as the operating
system disks for Solaris or the NT recovery disks. In addition, confidential
data is also stored in user workspaces. Your Company noticed several work-
spaces without locking drawers or covers in which critical information and
data was stored.
Urgency Rating: *****
Risk
The potential exists for critical data to be stolen or for users to bypass system
controls with access to critical operating system media.
Recommendations
Provide sufficient locked space for employees with critical or sensitive data
or media.
Telecommunications and Network Security
Finding 1: SNMP
SNMP (Simple Network Management Protocol) is a protocol that was developed
to ease the management of network devices. However, the protocol was not
developed with security in mind. SNMP version 1 and version 2c use community
strings both to determine which devices belong to a specific community and as
the only credential a device checks before accepting commands, and the
community string travels in cleartext in every SNMP packet. Newer devices that
support SNMP version 3 can require per-user authentication, and optionally
encryption, before accepting commands. However, Your Company discovered that
these precautions were not in place at CLIENT. Using a tool called SolarWinds,
Your Company was able to use SNMP to map the entire network and to obtain the
full status of the core network devices. Further, Your Company could have
instructed the devices to send continuous status updates, which would have
consumed significant CPU cycles on the devices and slowed network traffic
through the core. Finally, Your Company determined that little work would have
been required to fully access almost all network switches and issue SNMP
commands to alter their configurations.
Urgency Rating: *****
Risk
Using SNMP, an attacker can discover the entire layout of a network and
request that a device continually update the attacker on its status. The
device then spends CPU cycles sending the updates, which can slow network
traffic. Some devices can also be reconfigured through SNMP, and anyone who
can sniff a single SNMP packet learns the community string needed to do so.
Recommendations
Disable all MIB extensions not necessary for management or monitoring of
devices, and select community strings and passwords that are cryptographically
secure. Because SNMP version 1 and 2c community strings are sent in cleartext,
a strong string alone is not enough: restrict SNMP access to the management
stations with access lists on each device, use read-only communities wherever
write access is not required, and use SNMP version 3 with authentication on
the devices that support it.
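As an added illustration (not part of the report, and not SolarWinds code), the script below encodes an SNMPv1 GetRequest for sysDescr.0 and decodes it again, showing that the community string is readable by anyone who can capture the datagram, however well it was chosen. The community string, request identifier and OID are chosen for the example; the packet is built and parsed locally and is not sent anywhere.

```python
"""
Added example, not part of the report: a minimal SNMPv1 message encoder and
decoder (RFC 1157, ASN.1 BER). Building a GetRequest for sysDescr.0 and
decoding it back shows that the community string, the only credential SNMPv1
and v2c have, sits in cleartext in every datagram. The community string,
request-id and OID below are constructed; nothing is sent to a network.
"""
from typing import Any, Dict, Tuple

# BER tags used by SNMPv1
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3
PDU_NAMES = {GET_REQUEST: "GetRequest", GET_NEXT_REQUEST: "GetNextRequest",
             GET_RESPONSE: "GetResponse", SET_REQUEST: "SetRequest"}
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # MIB-II system.sysDescr.0


def _length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def enc_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER for non-negative values."""
    assert v >= 0
    return tlv(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def enc_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:                         # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return tlv(OID, bytes(body))


def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, pdu }"""
    varbinds = tlv(SEQUENCE, tlv(SEQUENCE, enc_oid(oid) + tlv(NULL, b"")))
    pdu = tlv(GET_REQUEST, enc_int(request_id) + enc_int(0) + enc_int(0) + varbinds)
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _dec_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _decode(buf: bytes) -> Any:
    """Recursively decode one BER element into Python values."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag == INTEGER:
        return int.from_bytes(body, "big", signed=True)
    if tag == OCTET_STRING:
        return body.decode("latin-1")
    if tag == NULL:
        return None
    if tag == OID:
        return _dec_oid(body)
    if 0x41 <= tag <= 0x43:                      # Counter32, Gauge32, TimeTicks: unsigned
        return int.from_bytes(body, "big")
    items, pos = [], 0                           # SEQUENCE or a PDU: decode the children
    while pos < len(body):
        _, _, nxt = _read_tlv(body, pos)
        items.append(_decode(body[pos:nxt]))
        pos = nxt
    return (tag, items) if tag >= 0xA0 else items


def parse_snmp(datagram: bytes) -> Dict[str, Any]:
    """Pull out the fields an on-path observer can read from an SNMPv1 datagram."""
    version, community, (pdu_tag, pdu_fields) = _decode(datagram)
    request_id, error_status, error_index, varbinds = pdu_fields
    return {
        "version": version,                       # 0 = SNMPv1
        "community": community,                   # the credential, in cleartext
        "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
        "request_id": request_id,
        "error_status": error_status,
        "varbinds": [(oid, value) for oid, value in varbinds],
    }


if __name__ == "__main__":
    datagram = build_get_request("public", SYS_DESCR_0, 0x1F2E)
    print(datagram.hex())
    print(parse_snmp(datagram))
```

The decoded community string is the same whether it is "public" or 32 random characters; that is why the recommendation pairs strong strings with access lists and, where available, SNMP version 3.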
Finding 2: TCP Sequence Prediction
When computers communicate using TCP/IP, they utilize a series of numbers
known as TCP Sequence Numbers. Each side picks an initial sequence number when
a connection is opened, and the numbers then tell the communicating computers
in what order the data of the conversation is progressing. If an attacker can
guess a device's next initial sequence number, the attacker can forge segments
that the device accepts as coming from another host without ever seeing the
device's replies: he can open a spoofed connection as a trusted host, or inject
data into an existing conversation and take it over. Almost all NT machines
tested were found to have guessable TCP Sequence Numbers.
Urgency Rating: *****
Risk
Successful guessing of the TCP Sequence Number allows an attacker to insert
forged segments into a conversation, eventually knocking one of the devices
out of the conversation and stealing its identity on that connection.
Recommendations
Install the appropriate service packs and patches on all NT devices, and
re-sample initial sequence numbers afterward to confirm they are no longer
predictable.
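As an added illustration (not from the report), the script below measures how predictable a host's initial sequence numbers are from a handful of ISNs observed on successive connections, and shows the guess an attacker would make for the next one. Both ISN series are constructed, and the index formula is a simple illustration rather than the algorithm of any particular scanner.

```python
"""
Added example, not part of the report: score how guessable a host's TCP
initial sequence numbers (ISNs) are from a series of ISNs observed on
successive connections, which is how an assessment decides that a host's
"TCP Sequence Numbers can be guessed". The two ISN series below are
constructed: one increments by a fixed 64,000 per connection, the other looks
random. The index is a simple illustration, not any particular scanner's formula.
"""
import math
from functools import reduce
from typing import Dict, List

WRAP = 1 << 32   # sequence numbers are 32-bit


def isn_deltas(isns: List[int]) -> List[int]:
    """Increments between consecutive ISNs, modulo 2^32 so wrap-around is handled."""
    return [(later - earlier) % WRAP for earlier, later in zip(isns, isns[1:])]


def isn_predictability(isns: List[int]) -> Dict[str, float]:
    """
    Return the common step (GCD of the increments), the standard deviation of
    the increments once that step is divided out, and an index that is 0 for a
    perfectly constant increment and grows with the spread of the increments.
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = isn_deltas(isns)
    step = reduce(math.gcd, deltas)              # e.g. 64000 for the classic fixed increment
    scaled = [d // step for d in deltas] if step else deltas
    mean = sum(scaled) / len(scaled)
    sd = math.sqrt(sum((d - mean) ** 2 for d in scaled) / len(scaled))
    index = 0 if sd <= 1 else round(8 * math.log2(sd))
    return {"step": step, "std_dev": sd, "index": index}


def predict_next_isn(isns: List[int]) -> int:
    """An attacker's guess under the fixed-increment model: last ISN plus the usual step."""
    deltas = isn_deltas(isns)
    usual = max(set(deltas), key=deltas.count)
    return (isns[-1] + usual) % WRAP


# Constructed samples: six ISNs seen on six consecutive connections to each host
FIXED_STEP_ISNS = [0x10000000 + 64000 * i for i in range(6)]
RANDOM_ISNS = [0x6D8F2C10, 0x0A93E7F5, 0xC21B4E03, 0x5E07AB92, 0x9FF1D3C4, 0x1B3C8E77]

if __name__ == "__main__":
    for name, series in (("fixed", FIXED_STEP_ISNS), ("random", RANDOM_ISNS)):
        print(name, isn_predictability(series), hex(predict_next_isn(series)))
```

A host whose index stays at 0 hands the attacker its next ISN outright; a patched stack randomizes the increments so the standard deviation, and with it the index, is large, which is what the re-sampling in the recommendation should confirm.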
Finding 3: Outside Availability of Telnet
Devices outside the corporate firewall responded to Telnet from the Your
Company test machine, located outside of the firewall as well. The devices
were:
XXX.XXX.XX.XXX
XXX.XXX.XX.X
XXX.XXX.XXX.XX
XXX.XXX.XX.X
Urgency Rating: ****
Risk
As described above, Telnet sends usernames and passwords in cleartext.
Because these devices were available for Telnet from outside the firewall, an
attacker could attempt to use brute force to guess the passwords and proceed