CompTIA Security+ SYO-401

Tools and Techniques to Discover Security Threats and Vulnerabilities Tutorial

1 Tools and Techniques to Discover Security Threats and Vulnerabilities

In day-to-day activities, it is important to assess a situation before acting on it. The same applies to the reports produced by security assessment tools. In this lesson we will learn how to interpret assessment reports, along with the various tools and techniques used to discover security threats and vulnerabilities in the networking world. After completing this lesson, you will be able to:
• Interpret results of security assessment tools
• Describe the use of different types of security tools
• Distinguish between passive and active tools
• Identify different types of assessments
• Describe the use of different assessment techniques

2 Types of Security Assessment Tools

In this topic, you will learn about the different types of security assessment tools. Let's start with a few questions. What does it mean that port 25 is open on three out of six servers: is that in line with the security policy? What does it indicate when a report says that FTP directories were found which could be exploited: is access to those directories actually permitted? If you assess the first finding, you might determine that port 25 should not be open on those three servers, so you take prompt action to close the port. For the second finding, however, you find that proper permissions are already in place to prevent unauthorized access to the FTP files. That finding is irrelevant, a false positive, and you can ignore it because the proper security measure is implemented even though the assessment tool did not recognize it. Because automated security tools can generate many false positives, that is, report vulnerabilities that do not exist, it is necessary to confirm that a vulnerability or security flaw is actually present before implementing a solution or fix. This is particularly important if the fix is expensive or could interfere with production. In short, security assessment tools test a system for known vulnerabilities and weaknesses and report what they find, but not every suggestion or finding in the report is relevant. Another issue with security assessment reporting is an inaccurately reported level of criticality. For example, the same FTP file finding could be reported as highly critical. Therefore, it is sensible to interpret results in light of the existing environment, its existing threats, the implemented solutions, and the current budget. Unless you know the purpose of the assessment and what you are looking for, you will end up with a false sense of security.

3 Types of Tools used in Exploring the Vulnerabilities and Threats

In this topic, you will learn about the different types of tools used to explore vulnerabilities and threats. You can use several tools to perform a vulnerability scan or to discover and confirm the presence of a security threat, vulnerability, or flaw. Not all of them are tools in the strict sense, but all are capable of finding security threats and vulnerabilities. The tools explored in this lesson are protocol analyzers, vulnerability scanners, honeypots, honeynets, port scanners, and banner grabbers.

A protocol analyzer is a network monitoring tool that passively captures and reviews network traffic. It can be a software application installed on a host system or a dedicated hardware device. In either case, the analyzer is a packet-capturing tool that gathers network traffic and stores it in a log file or buffer memory. After capture, the packets are analyzed either with manual scripts or with complex automated tools. Such a tool works by placing the Network Interface Card (NIC) into promiscuous mode so that it views and captures all packets on the local network segment, rather than only those addressed to the local NIC's MAC address. In this mode, the NIC ignores the destination MAC addresses of packets and gathers every packet it detects. The tool then assesses individual packets at the binary level by automatically parsing the header contents, while displaying the packet payload in hexadecimal and ASCII form. Protocol analyzers range from basic raw packet-capturing tools to automated engines. Some commonly used analyzers are the open-source Wireshark application for Windows and Linux, Snort for real-time analysis, and Microsoft's Network Monitor. Through monitoring, protocol analyzers help detect communication problems caused by software and hardware faults. They also uncover protocol anomalies due to malicious intent, malfunction, or improper configuration.

Security administrators often use protocol analyzers to track down a communication problem or to determine the source of an attack. Protocol analyzers are also known as network sniffers. However, a sniffer can be a distinct type of product, so there is a difference between the two. A protocol analyzer might be specific to one protocol, whereas a network sniffer monitors traffic regardless of the network protocol in use. A sniffer is usually just a packet-capturing tool, while a protocol analyzer does much more than capture: it decodes and interprets the contents. Sniffers usually come with two kinds of filters, capture filters and display filters. Capture filters act as rules that decide which packets are saved and which are discarded, keeping the number of stored packets to a minimum. Display filters act as search queries that show only the packets matching your criteria. It is important to note that sniffers can also be used to collect data for illegal purposes, which is widely known as packet sniffing. However, you can put them to good use, for example to verify whether data in transit is actually encrypted.

A vulnerability scanner is an automated software application that checks your network for known security holes. Such scanning involves finding weaknesses and loopholes in applications, computers, and networks. This may sound similar to penetration testing, but while penetration testing involves trying a number of things, vulnerability scanning usually involves running a single scanner program. A vulnerability scanner scans the system and reports any known vulnerabilities. It relies on a constantly updated vulnerability database containing details of attacks, scripts, and probes, which are run against the targeted systems in a controlled manner. During the scan, the scanner compares the patch level and system configuration against the vulnerability database. This helps determine whether you are following best practices. A vulnerability scanner can be a port scanner, a web application, a network enumerator, or even a worm. In all cases, however, it tests its target against a series of known vulnerabilities. It is better to run such a scanner against your own network to find loopholes, vulnerabilities, and weaknesses before an outsider runs one against you. While vulnerability scanners do not intentionally cause harm while probing, they can inadvertently lead to slow network performance, errors, and downtime. Therefore, it is vital to plan their use as well as possible recovery actions. Some of the most popular vulnerability scanners are Retina, Nessus, OpenVAS, and SAINT. Regardless of the tool in use, you are required to know five major tasks that vulnerability scanners can perform, namely passively testing security controls, identifying vulnerabilities, identifying the lack of security controls, and identifying common misconfigurations.

Let's now learn about the port scanner, a type of vulnerability scanner designed exclusively for scanning the ports of different systems. Imagine a scenario in which networking applications such as FTP and web servers, along with systems offering Remote Desktop connections, use different port numbers to connect to their clients. As the network administrator, you have received a few complaints about data being hacked. One of the critical first steps towards a solution is to find out which ports are open on these systems, because that helps you examine the ways in which attackers could be compromising them. This is exactly where a port scanner comes into the picture. These scanners perform a port scan that helps you locate all network systems and determine their open ports. They also enable you to identify the services running on the network. These tools are especially useful on TCP/IP networks, where several ports are reachable by outsiders through the router. Taking advantage of this configuration, an attacker can systematically query the network to find the open ports and running services. This process is known as port scanning, and it lets the scanner build a picture of your network by revealing many details about your systems, such as the host operating system and the types of hosted services. Port scans can be performed both internally and externally, which means that the attacker could be someone within your organization. If that attacker knows even a single IP address of a network system, he or she can probe all the addresses in that range and locate the other systems and protocols in use. Nevertheless, used positively, port scanners are significantly beneficial vulnerability assessment tools, which you should run before an outside or inside attacker scans your network ports.

4 Working of Port Scanners

A port scanner sends probe or test packets to the ports of a target system to determine the status of those ports. Usually, a port is either open or closed. If a legitimate connection request, a packet with the SYN flag set, is sent to an open TCP port, you can expect the standard response of a SYN/ACK packet. If the TCP port is closed, the response is instead an RST packet. If a firewall is in the way, however, the firewall itself filters the responses of closed ports, so no packet at all reaches the probing system. This is what is called filtering. Therefore, a port scanner has direct evidence of whether a port is open or closed. Although this form of probing works effectively, it generates traffic, and that traffic gets logged by the firewall or the target system.

Apart from scanners and monitors, you can strengthen security by setting traps for internal and external intruders. This is done by building honeypots, which work by fooling unauthorized users so that you can catch or track them. Falling between detection and prevention tools, a honeypot is usually a computer designated as a target for attacks. It is a common component of the security infrastructure, placed on the private network or in a demilitarized zone (DMZ). A honeypot is often set up as a buffer between a non-trusted network, such as the Internet or the DMZ, and the private network. The honeypot appears as a real system to the attacker, but does not hold any valid or valuable data or resources. It acts as a fictitious environment that lures attackers and intruders so that they stay away from the secured private network. The purpose of a honeypot, therefore, is to allow itself to be attacked. You can visualize a honeypot by thinking of Winnie the Pooh, who has several times got stuck in a jar while trying to get at the honey. By getting stuck, Winnie, or the attacker, has almost incapacitated himself, and can now be quickly found by anyone looking for him. While the attacker spends time breaking into the honeypot, a host-based Intrusion Detection System (IDS) on the honeypot notifies you of the attacker's presence once you log on. This means you can gain information about the attacker's identity, the resource being attacked, and the attack mechanism or tool in use. So a honeypot not only pulls attackers away from the confidential network, but also lets administrators learn about the attack strategy. Moreover, elaborate honeypots can contain data and software applications that entice an attacker to probe deeply in order to take over the system. A honeypot may also take the form of a padded cell. While a honeypot is a distracting network that is always active, a padded cell is a controlled component that is activated only when an intrusion is detected. Usually, honeypots are not secured, because they are set up to lure the attacker. However, you should not make it too easy to compromise the honeypot, as that can make the attacker sense the trap. Therefore, the best bet is to challenge the attacker by hardening the honeypot with security controls. When a honeypot system grows larger, it is known as a honeynet. A honeynet is an entire network consisting of two or more networked honeypots, used in turn for monitoring or for recreating more diverse networks. Honeynets often serve as a medium for feeding IDSs.

As the name suggests, a banner grabber looks at the header or banner messages of a service to learn more about the system. It captures the welcome message or initial response from a network service. Usually, a banner reveals the application's or host's identity along with other details such as the version and the operating system on which it is running. In short, banners contain all the information needed to breach security if used negatively, or to close security loopholes if used positively. Can banner grabbing be associated with port scanning? Yes: after a port scan, you can perform a banner grab to find out which software is running on each open port. Banner grabbing connects to each port and gathers the response from the server, typically a ready message indicating the software version running on the system. You can obtain banners with Telnet or with tools such as Nmap.

Most of the tools discussed so far are either active or passive. This classification indicates how a tool responds to suspicious activity, for example whether it takes some remedial action or just logs the activity. Do you recall a tool discussed above that we described as passive? It was the protocol analyzer. The difference between a passive and an active tool is like the difference between a security camera and a security guard. A camera just records whatever happens and cannot react to anything, while a guard can take quick action. This is exactly the case with these tools. A passive tool records what occurs, while an active one takes action. A passive tool monitors for suspicious activity and logs it or sends a notification when such activity takes place. It does nothing to protect the network from that activity, and is known as a detective tool or control. An active security tool, by contrast, not only logs the activity or sends a notification, but also takes quick action to protect the system or network. For instance, an active tool can disconnect an attacked system from the network so that it does not accept any more traffic. This is why such tools are referred to as preventive tools or Network Intrusion Prevention Systems (IPS). While a passive tool can only record event details, ignore the attack, or launch analysis engines, an active tool can change settings, reboot devices, open or close ports, terminate sessions, disconnect systems, divert attacks to honeypots, restart services, and restore data. Finally, a passive tool goes unnoticed by the subject of the event, as it has no impact on the event, whereas an active tool affects the event and can therefore be detected by the subjects of the event. Before we move ahead, can you guess an active tool that we have already discussed? It is the honeypot!
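The lesson notes that port-scan probes generate traffic that the firewall or target logs. The following added example (not part of the course material) shows how a defender can mine such logs for the scan pattern, and separates probes the firewall dropped (which the scanner sees as filtered) from probes that reached the host (where the host itself answers SYN/ACK or RST). The log format, addresses and thresholds are all constructed for the example.

```python
"""Added example: spot the traffic a port scan leaves in firewall logs.

The log format below is constructed for this example (iptables-like
key=value fields); adapt parse_line() to your firewall's real format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.5 probes seven ports on 192.0.2.10 within
# three seconds; 198.51.100.7 is ordinary web traffic to the same host.
SAMPLE_LOG = """\
2024-05-01T10:00:01 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=21 FLAGS=SYN
2024-05-01T10:00:01 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=SYN
2024-05-01T10:00:01 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23 FLAGS=SYN
2024-05-01T10:00:02 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=25 FLAGS=SYN
2024-05-01T10:00:02 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=SYN
2024-05-01T10:00:03 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=110 FLAGS=SYN
2024-05-01T10:00:03 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=SYN
2024-05-01T10:00:04 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=SYN
2024-05-01T10:00:09 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=SYN
2024-05-01T10:00:12 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=SYN
"""


def parse_line(line):
    """Turn one log line into a dict of the fields the detector needs."""
    ts, action, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.fromisoformat(ts),
        "action": action,
        "src": fields["SRC"],
        "dst": fields["DST"],
        "dport": int(fields["DPT"]),
        "flags": fields.get("FLAGS", ""),
    }


def detect_scans(log_text, window_seconds=10, min_ports=5):
    """Flag sources whose SYN probes touch >= min_ports distinct ports on one
    host inside a sliding time window. For each alert, report which probes the
    firewall dropped (the scanner sees 'filtered': no reply at all) and which
    reached the host (the host answers SYN/ACK or RST, so the scanner learns
    open/closed). Returns {src: {dst: {...}}}."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            if ev["flags"] == "SYN":            # connection attempts only
                by_pair[(ev["src"], ev["dst"])].append(ev)

    alerts = {}
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        suspicious = set()
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= window_seconds
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ports_in_window = {e["dport"] for e in evs[start:end + 1]}
            if len(ports_in_window) >= min_ports:
                suspicious |= ports_in_window
        if suspicious:
            dropped = {e["dport"] for e in evs if e["action"] == "DROP"}
            alerts.setdefault(src, {})[dst] = {
                "ports": sorted(suspicious),
                "filtered": sorted(suspicious & dropped),
                "reached_host": sorted(suspicious - dropped),
            }
    return alerts


if __name__ == "__main__":
    for src, targets in detect_scans(SAMPLE_LOG).items():
        for dst, info in targets.items():
            print(f"possible port scan from {src} against {dst}: {info}")
```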

5 Types of Assessment

In this topic, you will learn about the types of assessment, namely vulnerability, threat, and risk assessment. Security is not restricted to access permissions and firewalls; it extends to assessing the different business areas to find the risks, threats, and vulnerabilities associated with them. Assessments are security evaluations performed skillfully on a regular basis. If you are the security administrator of an organization, you must always ask yourself where the system is weak. The answer is always the existing vulnerabilities, for which you may or may not have implemented proper remedial measures. Vulnerability assessment, then, means identifying the loopholes, flaws, weaknesses, errors, perils, or areas of exposure that can break the security protection of a network, system, software, computer, or server. In simple words, a vulnerability assessment helps you identify the configuration areas that make your system susceptible to an attack or security breach. This assessment is done with the help of vulnerability scanners. For example, such a tool may check the patching status of the system and report missing patches. It may also report user accounts with no passwords, unused accounts, and too many administrative accounts. It is vital to note that vulnerability assessments only check for weak areas; they do not exploit the system by performing any attack. This means that such assessments are passive by nature.

Wherever a vulnerability exists, threats exist to exploit it. A vulnerability contributes to a specific harm when a threat is realized. So what is a threat? To find out, ask yourself two questions. First, what are the probable dangers associated with a risk? Second, what are the mediums and sources of a potential attack? The answers to these questions are the possible threats, which can be physical, logical, or technical. In simple words, a threat is any tool or person that can take advantage of an existing vulnerability. There can be many types of threat, such as environmental, technological, political, economic, and social. You need to identify all such threats to the organization's assets by conducting a threat assessment. During the assessment, you will find several different threats to a single asset, and you have to prioritize them. Although a threat still exists, it no longer poses a danger if you patch the associated vulnerabilities using countermeasures, restrict physical access, and train or educate users to act in favor of security.

To understand what risk is, ask yourself what the probable hazard under consideration is. This is the likelihood of damage, or of an attack being successful. In simple words, risk is the possibility that something may occur to damage systems or disclose data or other resources. Therefore, assessing risk is essential for sustaining a secure environment. Not all risks to an IT infrastructure come from computers; in fact, several risks come from non-technical sources. Therefore, it is essential to identify all possible risks to the organization's assets while performing a risk assessment or evaluation. Risk assessment, also known as risk analysis, not only identifies the different risks but also finds solutions to alleviate, control, or eliminate them. It is also vital to bear in mind that IT security, also known as technical or logical security, offers protection only from technical or logical attacks. For defense against physical attacks, physical tools or protections are mandatory. You should thoroughly analyze an environment and evaluate each risk along with its probability of occurring, the cost of the damage, and the cost of its countermeasures. Represented diagrammatically, risk occurs where both a threat to an asset and a vulnerability exist. For a risk to be realized, three ingredients are required: a vulnerability, threat capability, and accessibility to the system or asset itself. The co-occurrence of these ingredients results in a successful attack. You can consider threat assessment to be part of risk assessment.

Before we move on to the last topic of this lesson, let's look at the difference between likelihood and threat when it comes to calculating risk. Likelihood is the measure of the possibility that a threat will be realized within a specific period. Within the scope of risk assessment, likelihood is measured on a yearly basis. A threat is an application or an individual that takes advantage of an existing vulnerability, whereas likelihood is the potential of a threat triggering damage or harm within a given period. Risk calculations weigh a probable threat against its likelihood in a given environment. NIST suggests viewing likelihood as a score indicating the probability of a threat being instigated. In this way, likelihood can be stated in qualitative or quantitative terms.
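To make the definitions above concrete, here is an added example (not from the course) of a small risk register: a threat counts as a risk only when vulnerability, threat capability and accessibility co-occur, likelihood is a yearly score that may be qualitative or quantitative, and threats to each asset are prioritized by expected loss and weighed against countermeasure cost. The mapping of qualitative scores to yearly rates, the annualised-loss formula (single-loss expectancy times yearly rate) and all register entries are assumptions made for this example.

```python
"""Added example: a small risk register that applies the lesson's definitions.

Assumptions for this example (not from the course): a threat is a risk only when
vulnerability, threat capability and accessibility co-occur; qualitative
likelihood scores are mapped to an expected number of occurrences per year; the
annualised loss is single-loss expectancy times annual rate of occurrence.
"""
from dataclasses import dataclass, replace

# Constructed mapping of qualitative likelihood to occurrences per year.
LIKELIHOOD_PER_YEAR = {"low": 0.1, "medium": 0.5, "high": 2.0}


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    asset_value: float        # cost of the damage if the asset is fully lost
    exposure_factor: float    # fraction of asset_value lost per occurrence, 0..1
    likelihood: object        # "low"/"medium"/"high" or a number per year
    vulnerability_present: bool
    accessible: bool          # can the threat source reach the asset at all?


def annual_occurrences(likelihood):
    """Accept a qualitative score or a quantitative rate per year."""
    if isinstance(likelihood, (int, float)):
        return float(likelihood)
    return LIKELIHOOD_PER_YEAR[likelihood.lower()]


def is_risk(t):
    """The three ingredients from the lesson must all be present."""
    return t.vulnerability_present and t.accessible and annual_occurrences(t.likelihood) > 0


def annualised_loss(t):
    """Expected loss per year: (asset value x exposure factor) x occurrences per year."""
    if not is_risk(t):
        return 0.0
    single_loss = t.asset_value * t.exposure_factor
    return single_loss * annual_occurrences(t.likelihood)


def prioritise(threats):
    """Group threats by asset and rank them by annualised loss, highest first."""
    by_asset = {}
    for t in threats:
        by_asset.setdefault(t.asset, []).append(t)
    return {a: sorted(ts, key=annualised_loss, reverse=True) for a, ts in by_asset.items()}


def countermeasure_pays_off(t, annual_cost, residual_likelihood):
    """True when the countermeasure saves more loss per year than it costs.
    residual_likelihood is the likelihood that remains after the control."""
    saved = annualised_loss(t) - annualised_loss(replace(t, likelihood=residual_likelihood))
    return saved > annual_cost


# Constructed register for one asset (values are illustrative only).
SQLI = Threat("SQL injection", "web server", 200_000, 0.5, "high", True, True)
DDOS = Threat("denial of service", "web server", 200_000, 0.1, "medium", True, True)
THEFT = Threat("server theft", "web server", 200_000, 1.0, "low", True, False)  # locked room

if __name__ == "__main__":
    for asset, ranked in prioritise([SQLI, DDOS, THEFT]).items():
        print(asset)
        for t in ranked:
            print(f"  {t.name:20s} risk={is_risk(t)!s:5s} annual loss={annualised_loss(t):>10,.0f}")
    print("fix SQLi for 30,000/yr:", countermeasure_pays_off(SQLI, 30_000, "low"))
    print("DDoS mitigation 15,000/yr:", countermeasure_pays_off(DDOS, 15_000, "low"))
```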

6 Different Assessment Techniques for Threats, Vulnerabilities, and Risk

In this topic, you will learn about the different assessment techniques, namely baseline reporting, code review, determining the attack surface, architecture review, and design review. Consider a scenario in which one of your network servers has been slow for two days, with performance reports showing 90% CPU utilization, even though you have made sure the system is being used as per the norm. You now need to find out what is responsible for the slow performance. Baseline reporting records the system's baseline, that is, the system facts and how it performs under normal working conditions, and then compares that baseline with the current performance data. In this scenario, the recorded baseline may show a normal CPU usage of 35%. When you compare the two, it becomes clear that some resource is dominating the CPU time, which is why the system is slow. Baseline reporting therefore checks that systems operate within their norms, and it can quickly pinpoint a breach of the rules. You can use baseline reporting in security incidents such as a malware attack or a denial of service, where the system is not performing up to the mark.

It is a fact that most security problems arise because developers program applications in an insecure manner. For example, a critical security rule, validating any data sent to the application, is not implemented. This lets an attacker easily attack the system on which the application runs, for example with a buffer overflow or a SQL injection attack. To avoid such attacks and prevent breaches of the secure coding rules, you need to review the code. The purpose of this review is to look at all the written code for existing loopholes. The review should also assess changes in the code occurring at any point in time.
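The baseline comparison in the scenario above, as an added example that is not part of the course material. It goes a step beyond the CPU figure: the recorded baseline also holds system facts (listening ports, running services), so the report flags both a performance metric that has drifted far from its normal range and inventory items that were not present when the baseline was taken. All baseline and current values are constructed.

```python
"""Added example: baseline reporting, comparing current readings with a recorded
baseline. The baseline and current readings are constructed for this example."""
from statistics import mean, pstdev

# Recorded under normal working conditions: performance samples plus system facts.
BASELINE = {
    "cpu_percent": [33, 36, 35, 34, 37, 35, 36, 34],   # mean 35%, as in the lesson
    "listening_tcp_ports": {22, 80, 443},
    "running_services": {"sshd", "nginx"},
}


def metric_deviation(baseline_samples, current, sigma=3.0):
    """Return (z_score, flagged). A reading is flagged when it lies more than
    sigma standard deviations from the baseline mean. The spread is floored at
    1 unit so a perfectly flat baseline does not divide by zero."""
    mu = mean(baseline_samples)
    spread = max(pstdev(baseline_samples), 1.0)
    z = (current - mu) / spread
    return round(z, 2), abs(z) > sigma


def baseline_report(baseline, current):
    """Compare every current reading against the baseline and list findings."""
    findings = []
    for key, value in current.items():
        if key not in baseline:
            findings.append(f"{key}: no baseline recorded")
            continue
        ref = baseline[key]
        if isinstance(ref, list):                       # performance metric
            z, flagged = metric_deviation(ref, value)
            if flagged:
                findings.append(f"{key}: {value} is {z} std devs from baseline mean {mean(ref):.1f}")
        elif isinstance(ref, set):                      # inventory fact
            added, removed = value - ref, ref - value
            if added:
                findings.append(f"{key}: not in baseline: {sorted(added)}")
            if removed:
                findings.append(f"{key}: missing since baseline: {sorted(removed)}")
    return findings


# Constructed readings from the slow server in the lesson's scenario.
CURRENT = {
    "cpu_percent": 90,
    "listening_tcp_ports": {22, 80, 443, 4444},
    "running_services": {"sshd", "nginx", "unknown_svc"},
}

if __name__ == "__main__":
    for line in baseline_report(BASELINE, CURRENT):
        print(line)
```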
While examining the code, look for errors in logic or flaws in programming, which are often responsible for improper or missing authentication, SQL injection, and cross-site request forgery. There are two ways to look at the source code and find application weaknesses. First, you can choose manual assessment, in which you read the code. Second, you can opt for an automated tool that scans the code for threats. Whichever option you choose, it is wise to make sure that code reviews are done regularly by testers rather than by the developers, especially for applications developed in-house.

Another technique for assessing security is to identify the attack surface of a system. The attack surface is the set of installed applications, protocols, and services available to authenticated users and, more importantly, to those who are not authenticated. That is, the attack surface faces outward and is what is subject to attack. Hence, the smaller the surface, the less likely the system is to be attacked. As a security professional, it is critical that you help reduce a system's attack surface by removing unwanted software and services, turning off unwanted functions, adding authentication, and reducing privileges. This is known as Attack Surface Reduction (ASR), and it aims to minimize the probability of exploitation by removing or limiting potential damage. Note that the concept of an attack surface extends beyond an application to servers or anywhere else a problem may exist. Therefore, you can have a network attack surface, a system attack surface, an organization attack surface, and so on.

You can also review a system's architecture to assess the security of a network or system. In this architectural approach, you use a control framework to examine the foundational infrastructure in terms of its resistance to forcible entry and dismissal.
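The code-review finding discussed above (data sent to the application is not validated, leading to SQL injection) as an added example that is not part of the course: the flawed query-building function beside its parameterised fix, plus a crude automated check of the kind a code-scanning tool applies. The database, table, rows and the check's patterns are all constructed for this example; it uses an in-memory SQLite database from the standard library.

```python
"""Added example: the code-review finding described above (unvalidated input
concatenated into SQL) beside its fix, plus a crude automated check. All code
and data here are constructed for the example; it uses an in-memory SQLite DB."""
import inspect
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash_a", "admin"), ("bob", "hash_b", "user")])
    return conn


def find_user_vulnerable(conn, username):
    # Flaw a reviewer must flag: user-controlled text becomes part of the SQL
    # statement, so quote characters in the input change the query's meaning.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn, username):
    # Parameterised query: the value travels separately from the SQL text and is
    # never interpreted as SQL, whatever characters it contains.
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


SQL_KEYWORD = re.compile(r"\b(select|insert|update|delete)\b", re.I)
STRING_BUILDING = re.compile(r"""\bf["']|\s\+\s["']|["']\s\+\s|\s%\s""")


def review_for_concatenated_sql(source):
    """Crude static check of the kind an automated review tool applies: report
    line numbers where an SQL keyword appears in a string built with an
    f-string, '+' or '%'. It is a hint for a human reviewer, not proof."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if SQL_KEYWORD.search(line) and STRING_BUILDING.search(line)]


def demo():
    """Run the same input through both versions and the static check."""
    conn = make_db()
    tainted = "x' OR '1'='1"     # classic probe a tester would try in a review
    return {
        "vulnerable_rows": find_user_vulnerable(conn, tainted),
        "fixed_rows": find_user_fixed(conn, tainted),
        "flagged_in_vulnerable": review_for_concatenated_sql(inspect.getsource(find_user_vulnerable)),
        "flagged_in_fixed": review_for_concatenated_sql(inspect.getsource(find_user_fixed)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the tainted input the vulnerable version returns every row, while the fixed version returns nothing because no user is literally named `x' OR '1'='1`.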
This approach is likely to strengthen Crime Prevention Through Environmental Design (CPTED), which motivates designers to build security into the elements of a building. Such an approach complies with security regulatory standards such as those of the International Organization for Standardization (ISO). Cisco's SAFE is an example of an architectural approach. Another example of architectural security is the three-ring architecture of computer processors, which governs the execution of applications. Code running in the lower rings, such as ring 0, has more privileges than code in the higher rings. Moreover, code running in a ring can access resources in that ring or in the higher rings. So, core operating system code executing in ring 0 can access any resource in rings 1, 2, and 3, but applications running in ring 3 cannot access or corrupt core resources or code. Therefore, it is best to have an architecture that implements a modular security control framework.

Performing design reviews before and after a plan is implemented is another technique for assessing security. Reviewing a design involves examining the ports and protocols in use, access control mechanisms, segmentation, and rules. Incorporating assessments of information access control across all security areas is recommended. It is critical to identify security concerns from the beginning so that you can claim a secure design status. After completing the security solution for a network or an application, you need to review the design to ensure that what was required as the solution has actually been implemented. Because design assessments are more granular than architectural assessments, design reviews should be done more frequently.

8 Summary

Let us summarize the topics covered in this lesson.
• It is critical to interpret assessment findings in light of the existing environment, the existing threats, the implemented solutions, and the current budget.
• A protocol analyzer is a passive monitoring tool for capturing and reviewing network traffic.
• A vulnerability scanner scans a target system for known weaknesses, loopholes, or vulnerabilities using a dedicated database.
• A honeypot is a fake environment designed to look real to intruders in order to lure them away from the real production network.
• Different types of assessment can be performed, such as vulnerability, threat, and risk assessment.
• Different assessment techniques are used to determine security issues, such as baseline reporting, code review, architecture review, and design review.
With this we conclude the lesson 'Using Appropriate Tools and Techniques to Discover Security Threats and Vulnerabilities'. The next lesson is 'Explaining the Proper Use of Penetration Testing versus Vulnerability Scanning'.
