NETWORK SECURITY TESTING

Shirley M. Radack, Editor

Computer Security Division

Information Technology Laboratory

National Institute of Standards and Technology

 

Securing and operating today’s complex systems is challenging and demanding.  Mission and operational requirements to deliver services and applications swiftly and securely have never been greater.  Organizations, having invested precious resources and scarce skills in necessary security efforts such as risk analysis, certification, accreditation, security architectures, and policy development, can be tempted to neglect or insufficiently develop a cohesive, well-thought-out, comprehensive and systematic operational security testing program.

 

This guide stresses the need for an effective security testing program within federal agencies.  Testing serves several purposes.  One, no matter how well a given system may have been developed, the nature of today’s complex systems, with large volumes of code, complex internal interactions, interoperability with uncertain external components, and unknown interdependencies, coupled with vendor cost and schedule pressures, means that exploitable flaws will always be present or will surface over time.  Accordingly, security testing must fill the gap between the state of the art in system development as it is and the actual operation of these systems.  Two, security testing is important for understanding, calibrating, and documenting the operational security posture of an organization.  Aside from the development of these systems, operational and security demands must be met in a fast-changing threat and vulnerability environment.  Attempting to learn and repair the state of your security during a major attack, for example, may be too late, is very expensive in cost and in damage to reputation, and is largely ineffective.  Three, security testing is an essential component of improving the security posture of your organization overall.  Organizations that have an organized, systematic, comprehensive, on-going, and priority-driven security testing regimen are in a much better position to make prudent investments to enhance the security posture of their systems.

 

NIST Guideline on Network Security Testing

 

NIST recently issued Special Publication (SP) 800-42, Guideline on Network Security Testing, to assist organizations in testing their Internet-connected and operational systems.  The guide provides an approach to adopting effective procedures that can help organizations uncover unknown vulnerabilities, institute security controls, and prevent incidents and attacks.  Written by John Wack, Miles Tracy, and Murugiah Souppaya, NIST SP 800-42 introduces three aspects of network security testing:

 

·        How network security testing fits into the system development life cycle, and the organizational roles and responsibilities related to security testing;

·        Available testing techniques, their strengths and weaknesses, and recommended frequencies for testing; and

·        Strategies for deploying network security testing, including how to prioritize testing activities when resources are limited and how to avoid duplication of effort in adopting techniques that are appropriate to the organization’s mission and security objectives.

In addition to the basic information about establishing programs to implement network security testing, the guideline provides references, explanations of the terminology used, descriptions of available testing tools, and recommendations on how to use selected tools.

 

This ITL bulletin summarizes the publication, which is available at http://csrc.nist.gov/publications/nistpubs/index.html.

 

Security Testing and the System Development Life Cycle

 

Organizations should evaluate the security of their systems at different stages of system development.  Security evaluation activities include, but are not limited to, risk assessment, certification and accreditation (C&A), system audits, and security testing at appropriate periods during a system’s life cycle.  These activities are directed toward ensuring that the system is being developed and operated in accordance with the organization’s security policy.

 

The Security Test and Evaluation (ST&E) process is an examination or analysis of the protective measures that are placed on an information system once it is fully integrated and operational. The process will help to uncover design, implementation, and operational flaws, determine the adequacy of security mechanisms, and assess whether the system is implemented as documented.  ST&E addresses computer security, communications security, emanations security, physical security, personnel security, administrative security, and operations security. 

 

Network security testing is conducted after the system has been developed, installed, and integrated, during its implementation and operational stages.  The results of testing can help to identify vulnerabilities, demonstrate progress in meeting security requirements, and indicate needs for system improvement.  Therefore, security testing provides information for other system development life cycle activities such as risk analysis and contingency planning.  Security testing results should be made available to staff members involved in other information technology and security-related areas.

 

Tools for Network Security Testing

 

Network security testing should be conducted on a regular basis while systems are running in their operational environments to provide information about the integrity of an organization's networks and associated systems.  Some testing techniques are predominantly manual, requiring an individual to initiate and conduct the test.  Other tests are highly automated and require less human involvement.  The staff members who set up and conduct the security testing activities must have solid security and networking knowledge.

 

Testing techniques are available for network mapping, vulnerability scanning, password cracking, penetration testing, war dialing, war driving, file integrity checking, and virus scanning.  Often, several of these testing techniques are used together to gain a more comprehensive assessment of the overall status of network security.  For example, penetration testing usually includes network scanning and vulnerability scanning to identify vulnerable hosts and services that may be targeted for later penetration.  Some vulnerability scanners incorporate password cracking. None of the tests by themselves will provide a complete picture of the network or its security posture.  After tests are completed, all test results should be documented, and system owners should be informed of the results to ensure that vulnerabilities are patched or mitigated. 

 

Several techniques for network testing are introduced in SP 800-42, and the strengths and weaknesses of each test technique are summarized in tables.  The following table summarizes the types of testing and the strengths and weaknesses of each test technique.

 

Network Scanning

Strengths:

·        Fast (as compared to vulnerability scanners or penetration testing)

·        Efficiently scans hosts, depending on number of hosts in network

·        Many excellent freeware tools available

·        Highly automated (for scanning component)

·        Low cost

Weaknesses:

·        Does not directly identify known vulnerabilities (although it will identify commonly used Trojan ports [e.g., 31337, 12345, etc.])

·        Generally used as a prelude to penetration testing, not as a final test

·        Requires significant expertise to interpret results

 

Vulnerability Scanning

Strengths:

·        Can be fairly fast depending on number of hosts scanned

·        Some freeware tools available

·        Highly automated (for scanning)

·        Identifies known vulnerabilities

·        Often provides advice on mitigating discovered vulnerabilities

·        High cost (commercial scanners) to low (freeware scanners)

·        Easy to run on a regular basis

Weaknesses:

·        Has high false positive rate

·        Generates large amount of traffic aimed at a specific host (which can cause the host to crash or lead to a temporary denial of service)

·        Not stealthy (e.g., easily detected by IDS, firewall and even end-users [although this may be useful in testing the response of staff and alerting mechanisms])

·        Can be dangerous in the hands of a novice (particularly DoS attacks)

·        Often misses latest vulnerabilities

·        Identifies only surface vulnerabilities

 

Penetration Testing

Strengths:

·        Tests network using the methodologies and tools that attackers employ

·        Verifies vulnerabilities

·        Goes beyond surface vulnerabilities and demonstrates how these vulnerabilities can be exploited iteratively to gain greater access

·        Demonstrates that vulnerabilities are not purely theoretical

·        Can provide the realism and evidence needed to address security issues

·        Social engineering allows for testing of procedures and the human element of network security

Weaknesses:

·        Requires great expertise

·        Very labor intensive

·        Slow; target hosts may take hours/days to “crack”

·        Due to time required, not all hosts on medium or large sized networks will be tested individually

·        Dangerous when conducted by inexperienced testers

·        Certain tools and techniques may be banned or controlled by agency regulations (e.g., network sniffers, password crackers, etc.)

·        Expensive

·        Can be organizationally disruptive

 

Password Cracking

Strengths:

·        Quickly identifies weak passwords

·        Provides clear demonstration of password strength or weakness

·        Easily implemented

·        Low cost

Weaknesses:

·        Potential for abuse

·        Certain organizations restrict use

 

Log Reviews

Strengths:

·        Provides excellent information

·        Only data source that provides historical information

Weaknesses:

·        Cumbersome to manually review

·        May filter out important information

 

File Integrity Checkers

Strengths:

·        Reliable method of determining whether a host has been compromised

·        Highly automated

·        Low cost

Weaknesses:

·        Does not detect any compromise prior to installation

·        Checksums need to be updated when system is updated

·        Checksums need to be protected (e.g., read-only CD-ROM) because they provide no protection if they can be modified by an attacker

 

Virus Detectors

Strengths:

·        Excellent at preventing and removing viruses

·        Low/Medium cost

Weaknesses:

·        Require constant updates to be effective

·        Some false positive issues

·        Ability to react to new, fast replicating viruses is often limited

 

War Dialing

Strengths:

·        Effective way to identify unauthorized modems

Weaknesses:

·        Legal and regulatory issues, especially if using public switched network

·        Slow

 

War Driving

Strengths:

·        Effective way to identify unauthorized wireless access points

Weaknesses:

·        Possible legal issues if other organizations’ signals are intercepted

·        Requires some expertise in computing, wireless networking and radio engineering

 


The following table summarizes the baseline frequencies for running the tests: 

 

Network Scanning

Category 1 frequency: Continuously to quarterly

Category 2 frequency: Semi-annually

Benefits:

·        Enumerates the network structure and determines the set of active hosts and associated software

·        Identifies unauthorized hosts connected to a network

·        Identifies open ports

·        Identifies unauthorized services

 

Vulnerability Scanning

Category 1 frequency: Quarterly or bi-monthly (more often for certain high risk systems), when the vulnerability database is updated

Category 2 frequency: Semi-annually

Benefits:

·        Enumerates the network structure and determines the set of active hosts and associated software

·        Identifies a target set of computers to focus vulnerability analysis

·        Identifies potential vulnerabilities on the target set

·        Validates that operating systems and major applications are up to date with security patches and software versions

 

Penetration Testing

Category 1 frequency: Annually

Category 2 frequency: Annually

Benefits:

·        Determines how vulnerable an organization's network is to penetration and the level of damage that can be incurred

·        Tests IT staff's response to perceived security incidents and their knowledge of and implementation of the organization's security policy and system’s security requirements

 

Password Cracking

Category 1 frequency: Continuously to same frequency as expiration policy

Category 2 frequency: Same frequency as expiration policy

Benefits:

·        Verifies that the policy is effective in producing passwords that are more or less difficult to break

·        Verifies that users select passwords that are compliant with the organization's security policy

 

Log Reviews

Category 1 frequency: Daily for critical systems, e.g., firewalls

Category 2 frequency: Weekly

Benefits:

·        Validates that the system is operating according to policies

 

Integrity Checkers

Category 1 frequency: Monthly and in case of suspected incident

Category 2 frequency: Monthly

Benefits:

·        Detects unauthorized file modifications

 

Virus Detectors

Category 1 frequency: Weekly or as required

Category 2 frequency: Weekly or as required

Benefits:

·        Detects and deletes viruses before successful installation on the system

 

War Dialing

Category 1 frequency: Annually

Category 2 frequency: Annually

Benefits:

·        Detects unauthorized modems and prevents unauthorized access to a protected network

 

War Driving

Category 1 frequency: Continuously to weekly

Category 2 frequency: Semi-annually

Benefits:

·        Detects unauthorized wireless access points and prevents unauthorized access to a protected network

 

Category 1 systems are generally those systems whose operation is critical to the organizational mission.  Category 1 systems include:

 

·        Firewalls, both internal and external,

·        Routers and switches,

·        Related network-perimeter security systems such as intrusion detection systems,

·        Web servers, e-mail servers, and other application servers,

·        Other servers such as for Domain Name Service (DNS) or directory servers or file servers, and

·        Other selected high-priority applications and systems.

 

Category 2 systems include general staff and related systems, e.g., desktop, standalone and mobile client systems.  While the security of these systems is important, Category 1 systems should generally be tested more frequently than Category 2 systems.

 

Deployment Strategies

 

The goal of security testing is to maximize the benefit to the organization as a whole.  The guideline recommends that organizations adopt consistent approaches to network security testing, using levels of security testing that are appropriate to organizational missions and security objectives.

 

The types and frequency of testing during the operational and maintenance phase (both for minimum and comprehensive testing) should be ranked according to a priority order, based on the security category, the cost of conducting the tests, and the expected overall benefits to the organization's systems.  The decision about what to test for during the implementation phase normally involves a single system.  The same decision during the operational and maintenance phase becomes more complicated because of internal and external connections.  To maximize the value of testing, the prioritization process should consider the interconnectivity of systems.  Senior managers should be involved in the prioritization process to ensure that the organizational perspective is considered.

 

The basic steps that organizations should take in developing a priority ranking for their network testing activities include:

 

·                    Determine the security category for the organization’s information systems.  Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, covers this important step.  It defines three levels of potential impact on organizations (or on individuals) should certain adverse events occur.  These are events that could jeopardize the information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals.  Security categories are to be used in conjunction with vulnerability and threat information to assess the risk that an organization incurs when operating an information system.  FIPS 199 is available as a pre-publication final document on NIST’s web pages at http://csrc.nist.gov/publications.

 

·                    Determine the cost of performing each test for each system.  Costs vary depending upon the size and complexity of the system to be tested, the level of human interaction required for each test, the feasibility of selecting a sample for the tests, and the size of the sample. 

 

·                    Identify the benefits of each test type per system to assure that the cost of testing does not exceed its value to the organization.  These benefits can include knowledge gained about systems and networks, and reduced chances for intrusion or business disruption. 

 

·                    Prioritize systems for testing, based on security category, cost of testing, and benefits.  The prioritized list should include the resources required for conducting each type of test for each system under consideration.  The starting point for determining minimum required resources should be minimum testing for those systems with the highest level of impact.  If resources are not available for minimum testing for the highest impact systems, additional resources should be requested. 
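The four steps above describe a ranking procedure without showing it worked through.  The following added example (not from SP 800-42 or this bulletin) carries a small constructed inventory through it: each system gets a FIPS 199 impact level, each candidate test a cost and a benefit in the same hypothetical units, tests whose cost exceeds their benefit are dropped, the rest are ranked by impact level, then by membership in the system's minimum testing set, then by benefit per unit cost, and the minimum resources for the highest-impact systems are compared with the available budget so a shortfall can be requested.  The systems, tests, costs and benefits are invented for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# FIPS 199 potential impact levels, highest first when ranking.
IMPACT_RANK = {"high": 3, "moderate": 2, "low": 1}


@dataclass
class TestPlan:
    test: str
    cost: float          # hypothetical cost units (e.g., staff-hours)
    benefit: float       # hypothetical benefit score agreed with senior management
    minimum: bool = False  # True if part of the system's minimum testing set


@dataclass
class System:
    name: str
    impact: str          # FIPS 199 security category: "low", "moderate" or "high"
    tests: list[TestPlan] = field(default_factory=list)


def prioritize(systems: list[System]) -> list[tuple[System, TestPlan]]:
    """Rank (system, test) pairs: impact level, then minimum tests, then benefit per cost.

    Tests whose cost exceeds their benefit are excluded, following the guidance
    that the cost of testing should not exceed its value to the organization.
    """
    items = [(s, t) for s in systems for t in s.tests if t.cost <= t.benefit]
    items.sort(key=lambda st: (-IMPACT_RANK[st[0].impact],
                               not st[1].minimum,
                               -st[1].benefit / st[1].cost))
    return items


def minimum_required(systems: list[System]) -> float:
    """Resources needed for minimum testing of the highest-impact systems present."""
    top = max(IMPACT_RANK[s.impact] for s in systems)
    return sum(t.cost for s in systems if IMPACT_RANK[s.impact] == top
               for t in s.tests if t.minimum)


def schedule(systems: list[System], budget: float) -> dict:
    """Fund tests greedily in priority order and report any shortfall against the minimum."""
    ranked = prioritize(systems)
    funded, spent = [], 0.0
    for s, t in ranked:
        if spent + t.cost <= budget:
            funded.append((s.name, t.test))
            spent += t.cost
    need = minimum_required(systems)
    return {
        "ranked": [(s.name, t.test) for s, t in ranked],
        "funded": funded,
        "minimum_required": need,
        "additional_resources_needed": max(0, need - budget),
    }


# Constructed inventory: two Category 1 systems and one Category 2 system,
# with tests drawn from the frequency table above.
EXAMPLE_SYSTEMS = [
    System("external firewall", "high", [
        TestPlan("log review", cost=4, benefit=20, minimum=True),
        TestPlan("vulnerability scan", cost=6, benefit=18, minimum=True),
        TestPlan("penetration test", cost=40, benefit=60),
    ]),
    System("public web server", "high", [
        TestPlan("vulnerability scan", cost=8, benefit=28, minimum=True),
        TestPlan("penetration test", cost=40, benefit=50),
    ]),
    System("staff desktops", "low", [
        TestPlan("virus scan", cost=2, benefit=6, minimum=True),
        TestPlan("vulnerability scan", cost=30, benefit=12),  # cost exceeds benefit: dropped
    ]),
]

if __name__ == "__main__":
    for key, value in schedule(EXAMPLE_SYSTEMS, budget=10).items():
        print(f"{key}: {value}")
```

With a budget of 10 the plan funds only two of the three minimum tests for the high-impact systems and reports a shortfall of 8, which is the figure to carry into a request for additional resources.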

 

Summary of NIST Recommendations

 

·                    Make network security testing a routine and integral part of the system and network operations and administration.  Organizations should conduct routine tests of systems and verify that systems have been configured correctly with the appropriate security mechanisms and policy.  Routine testing prevents many types of incidents from occurring in the first place.  The additional costs for performing this testing will likely be offset by the reduced costs in incident response.

 

·                    Test the most important systems first.  In general, systems that should be tested first include those systems that are publicly accessible, that is, routers, firewalls, web servers, e-mail servers, and certain other systems that are open to the public, are not protected behind firewalls, or are mission-critical systems.  Organizations can then use various metrics to determine the importance or criticality of other systems in the organization and then test those systems as well.

 

·                    Use caution when testing.  Certain types of testing, including network scanning, vulnerability testing, and penetration testing, can mimic the signs of attack.   Testing should be done in a coordinated manner, with the knowledge and consent of appropriate officials.

 

·                    Ensure that security policy accurately reflects the organization’s needs.  The policy must be used as a baseline for comparison with testing results.  Without an appropriate policy, the usefulness of testing is drastically limited.  For example, discovering that a firewall permits the flow of certain types of traffic may be irrelevant if there is no policy that states what type of traffic or what type of network activity is permitted. When there is a policy, testing results can be used to improve the policy.

 

·                    Integrate security testing into the risk management process.  Testing can uncover unknown vulnerabilities and misconfigurations.  As a result, testing frequencies may need to be adjusted to meet the prevailing circumstances, for example, when new controls are added to vulnerable systems or other configuration changes are made because of a new threat environment.  Security testing reveals crucial information about an organization’s security posture and its ability to surmount external attacks or to avoid significant financial costs or damage to its reputation as a result of internal malfeasance.  In some cases, the results of the testing may indicate that the policy and the security architecture should be updated.

 

·                    Ensure that system and network administrators are trained and capable.   The staff members recruited for network system testing may already be involved in system administration.  While system administration is an increasingly complex task, the numbers of trained system administrators generally has not kept pace with the increase in computing systems.  Competent system administration may be the most important security measure an organization can employ, and organizations should ensure they have sufficient staff members with the required skill level to perform system administration and security testing correctly.

 

·                    Ensure that systems are kept up-to-date with patches.  As a result of security testing, it may become necessary to patch many systems.  Applying patches in a timely manner can sharply reduce the organization’s exposure to vulnerabilities.  Organizations should centralize their patching efforts to ensure that more systems are patched as quickly as possible and immediately tested.

 

·                    Look at the big picture.  The results of routine testing may indicate that the organization should readdress its systems security architecture.  Some organizations may need to step back and undergo a formal process of identifying the security requirements for many of their systems, and then begin to redesign or adapt their security architecture accordingly.  This process will result in improved efficiency of operations and fewer costs related to incident response operations.

 

·                    Understand the capabilities and limitations of vulnerability testing.  Vulnerability testing may result in many false positive scores, or it may not detect certain types of problems that are beyond the detection capabilities of the tools.  Penetration testing is an effective complement to vulnerability testing, aimed at uncovering hidden vulnerabilities.  However, it is resource intensive, requires much expertise, and can be expensive.  Organizations should assume that they are vulnerable to attack regardless of what their testing scores indicate.

 

Useful References

The following NIST Special Publications (SPs) and Federal Information Processing Standards Publication (FIPS) provide useful information about planning, implementing, and maintaining secure information systems.  These publications are available on NIST’s web pages at http://csrc.nist.gov/publications/

 

NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995, provides guidance on general security procedures.

NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996, describes common practices for the security of information systems. 

NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998, provides details on developing and updating security plans. 

NIST SP 800-26, Security Self-Assessment Guide for IT Systems, November 2001, provides details on self-assessment. 

 

NIST SP 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001, presents system-level security principles to be considered in the design, development, and operation of information systems. 

 

NIST SP 800-30, Risk Management Guide for Information Technology Systems, January 2002, discusses the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.

 

NIST SP 800-31, Intrusion Detection Systems (IDS), November 2001, discusses hardware and software systems that monitor events occurring in a computer system or network. 

NIST SP 800-34, Contingency Planning Guide for Information Technology (IT) Systems, June 2002, gives information on developing and implementing IT contingency plans. 

NIST SP 800-40, Procedures for Handling Security Patches, September 2002, provides guidance on developing and implementing an organizational patch and vulnerability approach.

 

NIST SP 800-41, Guideline on Firewalls and Firewall Policy, January 2002, presents information about the use of firewalls and development of firewall policies. 

NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices, November 2002, provides guidance on improving the security of wireless systems and mobile devices.


 

NIST SP 800-61 (Draft), Computer Security Incident Handling Guide, September 2003, discusses forming incident response teams, establishing incident response policies and procedures, and handling incidents.

NIST SP 800-64, Security Considerations in the Information System Development Life Cycle, October 2003, presents a framework for incorporating security into all phases of the system development life cycle.

FIPS 199 (Pre-publication Final), Standards for Security Categorization of Federal Information and Information Systems, December 2003, is available at http://csrc.nist.gov/publications/drafts/draft-fips-pub-199.pdf.

 

 

Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.