Internet and Network Security

Case Study Assignment 5.1: Web Application Vulnerability Detection

As an experienced IT Security Professional, you have been given the project to develop a demonstration model to prove you are competent to utilise a wide range of security and forensic tools and techniques to discover vulnerabilities in typical web applications that your clients and customers might use. You are to:

a) Write a concise technical report (2000 words) documenting how to successfully install, configure and test a "sample" vulnerable computer system which incorporates at least 3 of the "Top 10 OWASP Web Application Vulnerabilities", and show how both commercial vulnerability scanning tools and open source tools can be used to detect these vulnerabilities. An important part of the exercise is that you are expected to show, in addition, how they can be successfully mitigated against. The report should be written in the 3rd person.

b) Produce a short animated computer screen video, using either commercial, open source or freeware tools, of how you used a variety of commercial and/or open source tools from particular forensic toolkits or security frameworks to detect vulnerabilities in the selected vulnerable systems.

A vulnerable system must be selected and justified, along with a suitable penetration testing environment to be implemented. You are required to produce a virtual environment with a minimum of three virtual machines as documented above, and to report on at least 3 of the top 10 vulnerabilities that you can discover with conventional penetration testing tools such as NMAP, Backtrack (Kali), VMware etc. and/or commercial vulnerability test tools such as SAINT, to determine the vulnerabilities and present possible mitigating actions or fixes for the top 3 issues you discover. It is required that you document your findings in the form of a test plan, with evidence of how the vulnerabilities were discovered and how they should be mitigated against.

The OWASP Top 10 vulnerabilities can be found at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project and are summarised over the page.

Assessed work within this range attracts such marks because it demonstrates:
• Analysis at a penetrating level, fluently at ease with the topic.
• Arguments which are based on persuasive evidence and are lucid, coherent and convincing.
• Communication which is fluent and well-organised; if written, it will be highly coherent and free of solecisms.
• Research which shows strong evidence of a full exploration of key issues and a critically incisive engagement with relevant secondary issues.
• Presentation which is almost entirely error-free and conforms to acceptable conventions of good scholarly practice (referencing, bibliography, footnotes etc.).

Report Marking Criteria
1. Evidence and documentation of the virtual testing environment (10%)
2. Depth of analysis and understanding of security testing issues (including test plan) (15%)
3. Relevance of security issues found (15%)
4. Prioritisation of vulnerabilities found (15%)
5. Research into possible exploit mitigation (15%)
6. Report presentation/quality (3rd person) (10%)

Bonus Marks Examples (10%)
1. Extra mile: references used throughout the report (Harvard referencing)
2. Supporting evidence of testing, results and operation (hint: graphs, scans and device output)
3. Professional-looking documentation (formal report format)
4. Clear and concise configurations with annotation

Abstract

This report was prepared as a generic test plan with the aim of providing clients (end users, vendors, and program sponsors) with a good understanding of the scope and extent of the vulnerability testing that should be performed. Although the plan specifically addresses the vulnerability testing of energy sector control systems, it can be applied to other control systems.
These other systems are used in other critical infrastructures, such as the water/waste sector, the transportation sector, and hazardous chemical production plants. Before detailed vulnerability testing is done, a baseline examination is carried out to establish a starting point for all subsequent testing. The baseline testing helps to identify faults introduced during system development or system configuration, and configuration changes that could improve the security of the system (Pabrai et al., 199). The resulting document is given to the System Provider, who reviews it and makes recommendations regarding the system configuration to ensure the system is secure. The vulnerability testing is then carried out, which gives a thorough analysis of the system.

Table of Contents
Abstract
Introduction
Vulnerability Testing
Disclaimer
Utility Profile
Attacker Profile
System Configuration
Security Plan
Testing Strategy
Proposed Test Cases
Baseline Validation
Test Procedure
Data Requirements
The OWASP Vulnerabilities
Vulnerability Scoring
Conclusion
References

Introduction

Today, the number one threat to systems and infrastructures is vulnerability. System vulnerabilities are discovered at an alarming rate. Malicious persons analyse the vulnerabilities in a system to decide whether exploit code can be developed. Once exploit code exists, susceptible targets are exposed to serious attack. If an organization does not continuously scan its systems for vulnerabilities and repair them, it faces a high likelihood of being compromised (Pabrai et al., 96). Organizations are advised to develop the habit of rapidly updating and deploying vulnerability checks on their systems. This ensures that customers identify and rectify the risks arising from any threats.
To keep pace with the numerous threats encountered, system administrators are advised to scan their networks often for vulnerabilities and, where any are found, to make adjustments immediately.

Vulnerabilities Identification

With the rise in attacks on systems and networks, organizations are advised always to know how a network or system is threatened before acquiring or securing it. Historically, attackers have advanced greatly, with some even forming groups; thus individuals, companies, and industries are all susceptible to attack. The following are steps one can consider before acquiring a system:
1. Identify vulnerabilities. Before an organization secures a system, it should identify vulnerabilities in operating systems, databases, web applications, desktop applications and network devices.
2. Once any vulnerability is detected and identified in a system or in network security, it should be fixed before intruders can exploit it.
3. It is wise for organizations to demonstrate compliance with the government's industry regulations. This helps prevent common system vulnerabilities.

Vulnerability Scanners

Before acquiring a system, an organization should perform configuration audits against policies, usually those defined by DISA and USGCB. Alternatively, it may exploit the vulnerabilities detected by the scanner in order to confirm them. To avoid attacks, scanners are employed to detect vulnerabilities, and they assist in various ways:
1. The vulnerability scanner shows how to fix any vulnerabilities detected and where to begin remediation efforts. It can be used for both internal and external assessments.
2. The scanner shows whether a network is compliant with PCI security standards. It also performs both authenticated and unauthenticated scans of databases, operating systems, and web applications.
3. The vulnerability scanner helps in designing and generating vulnerability assessment reports easily and quickly.
4. One is given the option of storing vulnerability data either remotely or locally. Automatic updates with new vulnerability checks are also provided on a daily basis.
5. The scanner allows one to schedule and manage scans across large enterprises. Content scanning for data can be performed; furthermore, one can add custom checks and vulnerability signatures.

Vulnerability Testing

Before a vulnerability test is conducted, a baseline examination is performed on the system as soon as it is delivered. This serves as the basis for all subsequent tests performed on the system. The baseline tests help to detect any faults that may have occurred during the development or configuration of the system. They also help to identify changes that can be made to the system configuration to increase its security. The resulting document is handed to the System Provider, who reviews the report and makes recommendations regarding the system configuration, thus helping to create a security profile for the system (Carr et al. 156). The test plan is aligned with in-depth vulnerability testing and involves baseline scanning to ensure that the vendor's recommendations, as stated in the baseline report, have been fulfilled. This testing provides functional security testing by way of an in-depth security analysis of the system.

Disclaimer

Performing a test to check the vulnerability of control systems is regarded as an experimental task; there is no well-agreed and defined method of testing. The testing process is therefore evolving, and it may deviate from the proposed plan while being implemented. Other factors, such as the funding organization's needs, the available resources and the vulnerability results obtained during testing, may also affect the implementation (Ahuja 321).

Utility Profile

The Test Bed offers a sample utility environment on which the system can be tested.
For this system, under the utility profile established for the plan, the system is in charge of critical devices in the power transmission grid for a certain area. This part of the transmission area is a link for the transfer of power between two main areas. The utility manages the transfer of generated power upstream to supply an area with insufficient generation capacity downstream. Interference with the operations of this utility can have a great impact on the power grid downstream of the regulation point (Kizza 543).

Attacker Profile

The attacker in this test plan has sufficient knowledge of the system. The attacker profile has been chosen as someone who can adequately access the system. He has used different techniques to penetrate the firewalls and can directly access the main network of the system. The goals of the attacker are to affect certain areas of the transmission system by controlling critical parts and devices.

System Configuration

In line with Siyan, before a vulnerability test is conducted, the system should be configured and observed to ensure that it is working properly. This is the equivalent of Factory Acceptance Testing for other tangible equipment.

Security Plan

A good system installation should have a comprehensive security plan that covers personnel, physical and cyber security. This is achieved by establishing procedures, policies and methods to protect the devices and to manage users, user groups, password requirements, password management, password expiration, data integrity, data protection and disaster recovery. The security plan should also cover strategies for the use of personal system modules and for virus management. The system should be configured in such a way that a component cannot do more than it is intended to do (Siyan 278). No security plan was included when the system was configured for baseline testing. This was done deliberately, to help detect any faults in the system that may have occurred during its development. Using this method, the system can be tested in its worst-case, most vulnerable condition, and the flaws that need to be changed in the default configuration can be determined. A good security plan must be created and followed for this round of testing. This is documented in the final report on the system.

Testing Strategy

The chief objective of vulnerability testing is to show the ability of an attacker to bypass the existing security features of the system with the aim of causing functional disruption or damage. This helps to establish the susceptibility of the system to attack, whether from inside or outside the organization (Oppliger 341). To accomplish this objective, the implementation of the vendor's recommendations made during baseline testing is verified to check whether they were carried out as stated. A security test of the whole system is also carried out. The test is performed at the switch level, which assumes that the attacker has bypassed any firewalls and is working on the same network segment as the system. Although part of the testing covers the implementation of the security measures arising from the baseline recommendations, most of the testing is aimed at specific targets or functional modules of the system. To test the system effectively, it should be divided into several Targets of Evaluation (TOEs), where each target has a particular test case. Each TOE is given a priority according to the level of function it provides to the system and its functional impact on the system. Every test case is allocated an amount of time depending on the priority level of the TOE. There is, however, no guarantee that the targets will be completed in the allocated time. In cases where they are not completed, the status is documented together with the steps that have been achieved and the proposed way forward.
This also covers the projected difficulty of finishing the work and suggestions for hindering attack (Oppliger 591).

Proposed Test Cases

According to Stallings, the time allocations and testing period for every test case are considered in this part and negotiated as a portion of the total testing task. Both the vendor and the funding organization take part in the negotiation. The chosen test cases start with a validation of the vendor-provided baseline recommendations and the implementation of a security plan, followed by functional testing of the TOEs in the list.

Baseline Validation

Baseline testing detects possible security vulnerabilities and suggests changes in the baseline test report of the system. The vendor gives configuration recommendations to improve the system's security profile. The system is then taken through configuration changes that implement the vendor's recommendations and fulfil the security plan. The validation testing looks at the delivered system and the security-driven configuration, compares them, validates the usefulness of the changes, and records the outcomes. Baseline validation is also important in giving the testing team the information needed for TOE testing (Pardoe 284).

Test Procedure

A basic information technology (IT) assessment of the Vendor's system is the first step required to gather the information needed to perform every subsequent test. This basic IT assessment includes port scanning, vulnerability scanning, network mapping, password cracking, and network sniffing. Vulnerability scans, including port scans, will be run on each of the computers. Vulnerabilities found will be compared with those found in baseline testing. Every vulnerability reported will be verified as far as reasonably possible and included in the report to the Vendor. The Vendor's principal investigator (PI) is in charge of the overall system setup and operational status. During this test, the PI's primary responsibility is to implement the test team's security policy and to configure the system to the Vendor's specifications. The Vendor's PI also assumes all responsibility for restoring the system to operational status, should the testing affect the system in any way (Pardoe 474). The primary task for the testing team is to perform the system examination tests needed to produce the data for baseline validation. The objective is to perform the same tests as those performed in the baseline test and then give detailed information on the changes implemented in the Vendor's system.

Data Requirements

Before running this test, the test team will obtain complete network diagrams and detailed system configuration data. Output data from the configuration, port, and vulnerability scans will be compared with the output from the same scans performed on the original baseline system. This output data is also used as part of the subsequent TOE testing because it provides the detailed reconnaissance data required by the testers (Pabrai 289). A successful test will compare the upgraded security configuration against the findings recorded in the baseline report. This will assess whether the recommended configuration changes implemented as a result of the baseline report have been addressed in the configured system, and will test the overall security of the Vendor's system.

The OWASP Vulnerabilities

The Open Web Application Security Project (OWASP) is a free and open source guide aimed at helping organizations to create, buy and maintain applications that are trustworthy. Attackers can use different ways to harm a business's or organization's application. OWASP has listed the ten most common ways in which attackers can attack an application. Although most of these have been covered in the test, three have been covered comprehensively (Kizza 578).
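The comparison that the Test Procedure and Data Requirements steps above call for, namely checking the re-scan of the hardened system against the baseline scan and deciding whether the vendor's recommendations have taken effect, can be automated. The following is an added example written for this page; it is not code from the report or from any scanner vendor. The tab-separated export format, the host addresses (from the RFC 5737 documentation range), the check identifiers and the severities are all constructed for the illustration, and the findings are classified as new, fixed or unchanged and ordered most severe first.

```python
"""Baseline validation: compare the scan of the re-configured system with the
scan of the system as delivered.

Added example, not code from the report. The tab-separated export format,
the host addresses and the check identifiers are constructed; a real
scanner's XML/CSV export would need its own parser producing the same
Finding records."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    service: str
    check: str      # scanner check / plugin identifier (constructed values below)
    severity: str   # critical | high | medium | low | info

Key = Tuple[str, int, str, str]  # (host, port, proto, check) identifies a finding

def parse_scan(text: str) -> Dict[Key, Finding]:
    """Parse the constructed export: one finding per line,
    host<TAB>port/proto<TAB>service<TAB>check-id<TAB>severity.
    Blank lines and '#' comments are ignored; malformed lines raise."""
    findings: Dict[Key, Finding] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        host, port_proto, service, check, severity = fields
        port, proto = port_proto.split("/", 1)
        severity = severity.lower()
        if severity not in SEVERITY_ORDER:
            raise ValueError(f"line {lineno}: unknown severity {severity!r}")
        f = Finding(host, int(port), proto, service, check, severity)
        findings[(f.host, f.port, f.proto, f.check)] = f
    return findings

def compare_to_baseline(baseline: Dict[Key, Finding],
                        current: Dict[Key, Finding]) -> Dict[str, List[Finding]]:
    """Classify findings as new (introduced by the re-configuration), fixed
    (in the baseline, gone now) or unchanged; most severe first in each list."""
    def order(f: Finding):
        return (SEVERITY_ORDER[f.severity], f.host, f.port)
    return {
        "new": sorted((current[k] for k in current.keys() - baseline.keys()), key=order),
        "fixed": sorted((baseline[k] for k in baseline.keys() - current.keys()), key=order),
        "unchanged": sorted((current[k] for k in current.keys() & baseline.keys()), key=order),
    }

def blocking_findings(diff: Dict[str, List[Finding]], threshold: str = "high") -> List[Finding]:
    """Findings still present (new or unchanged) at or above the threshold
    severity; a non-empty result means the agreed security profile is not met."""
    limit = SEVERITY_ORDER[threshold]
    return [f for f in diff["new"] + diff["unchanged"] if SEVERITY_ORDER[f.severity] <= limit]

def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts

# Constructed sample exports: the system as delivered, and the re-scan after
# the vendor's configuration recommendations were applied.
BASELINE_SCAN = "\n".join([
    "# constructed baseline scan",
    "192.0.2.10\t80/tcp\thttp\tWEB-SQLI-001\thigh",
    "192.0.2.10\t80/tcp\thttp\tWEB-XSS-001\tmedium",
    "192.0.2.10\t23/tcp\ttelnet\tNET-TELNET-CLEARTEXT\thigh",
    "192.0.2.11\t1433/tcp\tms-sql\tDB-DEFAULT-SA-PASSWORD\tcritical",
    "192.0.2.11\t445/tcp\tsmb\tNET-SMB-SIGNING-OFF\tmedium",
])
CURRENT_SCAN = "\n".join([
    "# constructed re-scan after hardening",
    "192.0.2.10\t80/tcp\thttp\tWEB-XSS-001\tmedium",
    "192.0.2.10\t443/tcp\thttps\tTLS-WEAK-CIPHER\tlow",
    "192.0.2.11\t445/tcp\tsmb\tNET-SMB-SIGNING-OFF\tmedium",
])

def validation_report(baseline_text: str, current_text: str,
                      threshold: str = "high") -> List[str]:
    """Plain-text summary for the vendor report; returns lines rather than printing."""
    diff = compare_to_baseline(parse_scan(baseline_text), parse_scan(current_text))
    lines: List[str] = []
    for label in ("fixed", "new", "unchanged"):
        lines.append(f"{label.upper()} ({len(diff[label])}):")
        lines.extend(f"  {f.severity:<8} {f.host}:{f.port}/{f.proto} {f.service} {f.check}"
                     for f in diff[label])
    blocking = blocking_findings(diff, threshold)
    lines.append(f"RESULT: {'FAIL' if blocking else 'PASS'} "
                 f"({len(blocking)} finding(s) at severity {threshold} or above remain)")
    return lines

if __name__ == "__main__":
    print("\n".join(validation_report(BASELINE_SCAN, CURRENT_SCAN)))
```

The threshold passed to `blocking_findings` is the negotiated acceptance criterion: with the constructed data the re-scan passes at "high" (the critical default-password and the two high findings are gone) but fails at "medium", because the cross-site scripting and SMB-signing findings from the baseline are still present, and the report lists them under UNCHANGED for the vendor.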
These are injection, broken authentication and session management, and cross-site scripting. Injection occurs when untrusted data is sent as part of a query or command; the attacker's data can cause unintended commands to execute and thus allow unauthorized people to access data. Broken authentication and session management allow attackers to illegally obtain keys or passwords, or to perform other actions while assuming another user's identity. The cross-site scripting flaw happens when an application sends untrusted data to a web browser without the necessary validation (Kizza 480). These problems have been considered in the test through the several tests performed by the attacker, and thus the test can be said to be successful. The application is correctly installed and configured, and it is secure, since several security checks have been performed and all the vulnerable flaws have been corrected.

Vulnerability Scoring

When conducting vulnerability assessments, it is important to define a set of metrics with which to score or rank the significance of the vulnerabilities found. The Department of Homeland Security's National Infrastructure Advisory Council (NIAC) established a common scoring system to assess vulnerabilities found in a variety of information systems. Its goal is to provide a set of metrics for assessing a vulnerability's threat to an information system. This scoring system, which is still in draft form, is known as the Common Vulnerability Scoring System (CVSS) (Kizza 651). The INL Test Team does not endorse any single tool or method for scoring or ranking vulnerabilities. It recognizes the importance of defining a set of metrics that are used, and can be reused, to evaluate the findings of a vulnerability assessment. Because of this need, (enter scoring technique here) has been chosen for scoring the vulnerabilities found during vulnerability testing.
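The three OWASP issues the test covers, injection, broken authentication and session management, and cross-site scripting, are shown below in a vulnerable form beside the hardened form that mitigates each. This is an added example written for this page, not code from the report or from the vulnerable system it describes; the user table, the two accounts, the passwords and the probe inputs are constructed sample data against an in-memory SQLite database.

```python
"""Vulnerable-versus-hardened forms of injection, broken authentication and
session management, and cross-site scripting.

Added example, not code from the report or from any scanned application.
The user table, accounts and passwords are constructed sample data."""
import hashlib
import hmac
import html
import secrets
import sqlite3
from typing import List, Tuple

# ---- Broken authentication: password storage and session identifiers --------
def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated PBKDF2: a leaked table cannot be reversed with one hash
    # computation per guess (iteration count kept modest for the demo).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_password(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison: no timing difference between near-misses and misses.
    return hmac.compare_digest(hash_password(password, salt), stored)

_next_session = 0

def session_id_vulnerable() -> str:
    # Sequential identifiers: whoever holds one session ID can infer the others.
    global _next_session
    _next_session += 1
    return f"SESS{_next_session:06d}"

def session_id_hardened() -> str:
    # 256 bits from the OS CSPRNG: infeasible to guess or enumerate.
    return secrets.token_urlsafe(32)

# ---- Injection --------------------------------------------------------------
def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str]]:
    # Untrusted input spliced into the SQL text: the data is interpreted as part
    # of the command, so a crafted username changes what the query does.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_hardened(conn: sqlite3.Connection, username: str) -> List[Tuple[str]]:
    # Parameterised query: the value is bound separately and never parsed as SQL.
    return conn.execute("SELECT username FROM users WHERE username = ?",
                        (username,)).fetchall()

# ---- Cross-site scripting ---------------------------------------------------
def greeting_vulnerable(name: str) -> str:
    # Untrusted data written into the page verbatim.
    return "<p>Welcome, " + name + "</p>"

def greeting_hardened(name: str) -> str:
    # HTML-escape at the output boundary so the data can only render as text.
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"

def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts with salted PBKDF2 password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in (("alice", "correct horse"), ("bob", "battery staple")):
        salt = secrets.token_bytes(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (user, salt, hash_password(pw, salt)))
    conn.commit()
    return conn

if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"   # the tautology that scanners' injection checks send
    print("vulnerable query returned", len(find_user_vulnerable(conn, probe)), "rows")
    print("hardened query returned  ", len(find_user_hardened(conn, probe)), "rows")
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_hardened("<script>alert(1)</script>"))
    print("alice / correct horse:", verify_password(conn, "alice", "correct horse"))
    print("weak session id:", session_id_vulnerable(), "strong:", session_id_hardened())
```

Run stand-alone, the vulnerable lookup returns every account for the tautology probe while the hardened one returns none, and the escaped greeting renders the script tag as inert text; these are exactly the behaviours a scanner's injection and XSS checks look for, and the hardened forms are what makes those checks come back clean on the re-scan.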
As a special note, it is not the intent of any testing conducted by the SCADA Test Bed to give an overall security ranking of a SCADA/EMS system. The ranking of vulnerabilities found in vulnerability testing is solely for the Vendor's use in guiding future enhancements to the Vendor's system (Kizza 539).

Conclusion

Vulnerability testing is crucial for any system. Before a system is purchased, baseline testing should first be conducted, before it is installed, to ensure that it does not have any errors that make it prone to attack. If the system passes the baseline testing, it should be properly installed and configured before it is used. It is important to test the system several times to ensure that data is secure. The attacker chosen to test the system should have full knowledge of the system to ensure that it is thoroughly tested.

References

Ahuja, V. (1996). Network and Internet security. Boston: AP Professional.
Carr, H. H., & Snyder, C. A. (2007). Data communications and network security. Boston: McGraw-Hill Irwin.
Kizza, J. M. (2001). Computer network security and cyber ethics. Jefferson, N.C.: McFarland.
Oppliger, R. (1998). Internet and Intranet security. Boston: Artech House.
Pabrai, U. O., & Gurbani, V. K. (1996). Internet and TCP/IP network security: securing protocols and applications. New York: McGraw-Hill.
Pardoe, T. D., & Snyder, G. F. (2005). Network security. Clifton Park, NY: Thomson/Delmar Learning.
Siyan, K. S., & Hare, C. (1995). Internet firewalls and network security. Indianapolis, Ind.: New Riders Pub.
Stallings, W. (2003). Cryptography and network security: principles and practice. Upper Saddle River, N.J.: Prentice Hall.