Security+: Discovering Security Threats and Vulnerabilities (SY0-401) [DECOMMISSIONED ARTICLE]
NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.
One of the best strategies to avoiding security incidents is taking a systematic, disciplined, pragmatic approach to discovering and treating Threats and Vulnerabilities. With a mature process, it is possible to streamline phases such as identifying, assessing, classifying, remediating and mitigating security weaknesses, allowing both proactive and reactive actions regarding security controls and successfully adding real protection to your organization.
Understanding the many different Security Threats and Vulnerabilities, what tools are necessary for their detection and the best way to access/report them are a few of the topics that COMPTIA’s Security+ candidates must be prepared to demonstrate a good deal of knowledge of during the examination.
What tools are necessary for Discovering Security Threats and Vulnerabilities?
Before we start discussing the tools that are commonly used for detecting security threats and vulnerabilities there is one point of note: Interpretation is the key.
You see, most software will work by gathering information and generating some form of output (e.g., logs or even a complete report) or taking direct action as soon as an issue is detected. Provided you have a grasp of the software you are using, the process itself is quite simple, but the interpretation of results is the main task of a good security professional. For example, during a port scan you may find that a host is responding on port 80. Is it a security risk? Maybe! The point is you cannot prove that without further context and consideration.
A very good piece of advice is never to blindly trust any sort of tool. You are the security intelligence and should have a good deal of knowledge of the inner works of your network, computer systems, and any other form of technology currently being analyzed. Your role is to define what kind of action should be taken once an alert arises. Should it just be ignored due to being a false alarm? Should you take preventive action as soon as possible due to the severity level? Those are the kinds of questions a good security professional should be able to answer on the spot.
Protocol analyzer: A protocol analyzer is a tool capable of capturing and analyzing network traffic. Once you have mapped what may be defined as the standard behavior of your network, a protocol analyzer will help you detect any deviation, from employee misbehavior (i.e. unauthorized internet use) to a malware using an infected host for communication.
Vulnerability scanner: A vulnerability scanner is an information gathering tool that can analyze targets, such as operational systems, network devices and web applications, and check for information on missing patches and security updates, improper configurations and unsafe code. This way it is possible to determine existing weaknesses or vulnerabilities.
Honeypots: A honeypot can be summarized as a lure/trap for hackers, crackers and cybercriminals that are trying to exploit vulnerabilities on your network. It is basically an ordinary device, similar to other hosts used in your real environment, which is positioned in such a way that it may attract attackers. Since it has no meaningful information, even if it is fully compromised during an attack, there will be no harm done. The idea is to collect information on how attacks, successful or otherwise, are being done, including their sources and the kind of exploitation used. This way, you can take preventive action (i.e., blocking an IP) and avoid future problems.
Honey nets: The honey net concept is quite similar to a honeypot, it is just a matter of scale. Instead of a single host, imagine an entire network designed with the purpose of being attacked or even compromised. Again, since there is nothing of value for hackers or crackers, you benefit from understanding the true nature of attacks and can use this information to harden your real environment.
Port scanner: A port scanner is a tool capable of probing a single host or an entire network in order to identify active computers and open ports, and help in discovering which services published (i.e., if a host is responding on port 80, it is more than likely to be a webserver). This technique is widely used by attackers as a first step to identify potential targets. Security professionals use the same approach, but the idea is finding and fixing weaknesses.
Banner grabbing: After performing a port scan and discovering open ports, the usual next step is performing a deeper inspection and collecting more meaningful information about a target. Grabbing a banner can help detect information such as operational system or software version. Some services such as HTTP or FTP are a gold mine for this sort of information, as lots of administrators forget to change default settings.
Types of tools (Passive vs. active): The security tools that are used for detecting threats and vulnerabilities can be classified as either active or passive. It all relates to the level of “noise” created by using the tool, for instance a port scanner or a vulnerability scanner will create lots of noise (i.e., network traffic, probing) and can be easily detected. On the other hand, a passive tool such as a protocol analyzer will work by listening and capturing information, so there is little to zero noise. In most cases, a security professional is trying to avoid detection, so noise is not really a problem, but if you are doing penetration testing it is important to consider the tools you are using in order to avoid detection.
What Assessment Types do I need to know?
There are three basic types of assessments: Risk, Threat and Vulnerability.
Risk assessment: A Risk can be defined as a function of the likelihood of a specific threat source exploiting a potential vulnerability, resulting in an impact for the organization. A risk assessment should involve determining what the acceptable level of risk is, and measuring the current risk level. Once you have this information, it is possible to determine the best course of action (i.e., implementing the necessary security controls) that will bring risk to an acceptable level.
Threat assessment: A threat assessment is used to determine the credibility and seriousness of a potential threat or threat source, as well as the likelihood that it will be carried out in the future. The idea is finding out what threats are real in the context of the organization and the best way to treating them.
Vulnerability assessment: A vulnerability assessment is to detect weaknesses on specific information assets (e.g., servers, web applications, databases, network appliances) and defining the best way to correct the situation (e.g., applying a patch or update, changing a configuration, creating a new security control).
What Assessment Techniques do I need to know?
There are many assessment techniques that can help addressing risks, threats and vulnerabilities. It is important to note that these techniques may vary according to platform and device.
Baseline Reporting: A baseline can be defined as a specific moment an element is measured for future comparison, so Baseline Reporting is the comparison of the present state of a system to its baseline. This process can be very important to differentiate what is normal from an anomaly. From a security perspective a baseline comparison can help provide valuable information, since in most cases any “unusual occurrence” must be checked to confirm it is not the result of an attack or vulnerability.
Code Review: One of the best ways to identify vulnerabilities is performing a code review. From a security perspective, the best approach is to execute a code review at the end of each development phase. This will allow you to detect and correct any security issue before the software is actually in the production environment.
Determine the attack surface: An attack surface refers to the amount of code, services, user-interaction fields, interfaces and any other asset in your environment that can become the target of an attack. The idea itself is quite simple: the smaller the attack surface you have, the less exposed you are. But to reduce your attack surface to the appropriate level, it is first necessary to identify just how broad it really is.
Architecture review: Assessing a system architecture means understanding the entire system, including the interdependences/interconnections of its subcomponents. This enables you to understand how a faulty component can affect the entire system and taking proactive measures to harden any weakness. It is also very important to ensure the architecture is consistent with the company goals, especially regarding maintaining the appropriate level of tolerable risk while being flexible enough to absorb change.
Design review: While this may sound similar to an architecture review, design refers to the components of architecture at micro level. This assessment technique encompasses understanding several different design elements such as compatibility, modularity, reusability and, quite obviously, security. Similar to a code review, this is no one-time assignment, a design review should be considered a lifecycle process which is performed several times as components evolve or are replaced. This will help in dealing with the ever evolving threat landscape and changing organizational goals.
Need some help?
Discovering Security Threats and Vulnerabilities is an essential topic Security+ candidates should feel confident in in order to perform well during the certification exam.
If you still have doubts about the necessary tools, types and techniques for executing assessments, maybe you should consider reinforcing your knowledge and “learn by doing.” How about putting those concepts into actual practice? Take a look at our Security+ boot camp, and rest assured it is the most effective way for a successful examination.