Lec 3

This document provides an overview of vulnerability assessment and techniques for mitigating attacks. It defines vulnerability assessment as the systematic evaluation of exposure of assets to threats. The key steps of vulnerability assessment are identified as asset identification, threat evaluation, vulnerability appraisal, risk assessment, and risk mitigation. Various tools that can be used for vulnerability assessment are also described, including port scanners, banner grabbing tools, protocol analyzers, vulnerability scanners, and honeypots/honeynets. The document emphasizes that vulnerability assessment is the first step in any security protection plan.

Uploaded by

Muhammad Goda

Lecture # 3

Chapter 3
Vulnerability Assessment
and Mitigating Attacks

Security+ Guide to Network Security Fundamentals, FOURTH Edition


and Security Certified, CCNA, security 210-260, 2015
prepared by: Dr. Tahani Allam
2-3-2023
Objectives

• Define vulnerability assessment and explain why it is important.
• Explain the differences between vulnerability scanning and penetration testing.
• Describe the security implications of integration with third parties.
• List techniques for mitigating and deterring attacks.


Define vulnerability assessment and
explain why it is important
What Is Vulnerability Assessment?

• First step: any security protection plan begins with an assessment of vulnerabilities.
• Vulnerability assessment - Systematic and methodical evaluation of exposure of assets to attackers, forces of nature, and any other entity that could cause potential harm.
• A variety of techniques and tools can be used in evaluating the levels of vulnerability.


Vulnerability Assessment Elements

• Vulnerability assessment involves:
1. Identify what needs to be protected (asset identification)
2. What pressures are against those assets (threat evaluation)
3. How susceptible current protection is (vulnerability appraisal)
4. What damages could result from the threats (risk assessment)
5. Analysis of what to do about it (risk mitigation)


Vulnerability Assessment Actions and
Steps


1. Asset Identification

• Asset identification - Process of inventorying items with economic value.
• Common assets
– People
– Physical assets
– Data
– Hardware
– Software

Asset’s Relative Value

• After an inventory of the assets has been taken, it is important to determine each item’s relative value.
• Value based on:
– Asset’s criticality to organization’s goals.
– How much revenue asset generates.
– How difficult to replace asset.
– Impact of asset unavailability to the organization.
• Assets can be ranked using a number scale.

2. Threat Evaluation

• Threat evaluation - List potential threats from threat agents.
• Threat agents are not limited to attackers.
• Also include natural disasters like fire or severe weather.

Threat Modeling
• Threat modeling – the goal is to better understand
who the attackers are, why they attack and what type
of attacks might occur.
• Attack tree - Provides a visual representation of
potential attacks as inverted tree structure.
• Attack tree displays
– Goal of attack
– Types of attacks that could occur
– Techniques used in attacks

Attack Tree For Stealing A Car Stereo (Figure 15-1)

Attack Tree For Logging Into Restricted Account (Figure 15-2)


3. Vulnerability Appraisal
• Vulnerability appraisal - Determine current
weaknesses as snapshot of current organization
security.
• Every asset should be viewed in light of each threat.
• Catalog each vulnerability.
• Risk assessment
– Determine damage resulting from attack
– Assess likelihood that vulnerability is a risk to
organization


4. Risk Assessment
• Risk assessment - Determine damage resulting from
attack and assess likelihood that vulnerability is risk
to organization.
• Determining damage from attack first requires
realistic look at several different types of attacks that
might occur.
• Based upon vulnerabilities recognized in vulnerability
appraisal, a risk assessment of impact can then be
undertaken.
• Not all vulnerabilities pose the same risk.



Vulnerability Impact Scale (Table 15-2)


5. Risk Mitigation

• Risk mitigation - Determine what to do about risks.
• Risk can never be entirely eliminated; would cost too much or take too long.
• Some risks must be accepted by default and degree of risk must always be assumed.
• Question is not, “How can we eliminate all risk?” but “How much acceptable risk can we tolerate?”
• Once “toleration” level is known, steps can be taken to mitigate risk.


Baseline Reporting
• Baseline - Imaginary line by which an element is
measured or compared; can be seen as standard.
• IT baseline is a checklist against which systems can be evaluated and audited for security posture.
• Baseline reporting - Comparison of present state of
system to its baseline.
• Deviations include not only technical issues but also
management and operational issues.



Software Programming Vulnerabilities
• It is important to minimize software vulnerabilities while software is being developed instead of after it is released.
• This improvement (that minimizes vulnerabilities) is
difficult for the following reasons:
– Size and complexity
– Lack of formal specifications
– Ever-changing attacks



Assessment Tools

• Many tools are available to perform vulnerability assessments:
1. Port scanners
2. Banner grabbing tools
3. Protocol analyzers
4. Vulnerability scanners
5. Honeypots and honeynets
• Tools can likewise be used by attackers to uncover vulnerabilities to be exploited.


Port scanners

Ports
• TCP/IP networks exchange information between
program running on one system (process), and
same/corresponding process running on remote
system.
• Port number - TCP/IP uses a numeric value as
identifier to applications and services on systems.
• Each packet/datagram contains source port and
destination port.
• Identifies both originating application/service on
local system and corresponding application/service
on remote system.

Port Categories

• Port numbers are 16 bits in length, so they have decimal values from 0 - 65,535.
• TCP/IP divides port numbers into three categories:
– Well-known port numbers (0–1023) - Reserved for most universal applications.
– Registered port numbers (1024–49151) - Other applications that are not as widely used.
– Dynamic and private port numbers (49152–65535) - Available for use by any application.

Port Security

• Because port numbers are associated with applications and services, if an attacker knows a specific port is accessible, this could indicate what services are being used.
• Port security - Implement by disabling unused application/service ports to reduce number of threat vectors.

Port Scanner

• Port scanner - Software that can be used to search a system for port vulnerabilities.
• Port scanners are typically used to determine the state of a port to know what applications/services are running.
• Three port states:
– Open - Application/service assigned to port is listening for any instructions.
– Closed - No process is listening at this port.
– Blocked - Host system does not reply to any inquiries to this port number.
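
The three port states correspond to the three outcomes of a TCP connection attempt, and the port categories to fixed numeric ranges. The following is an added example, not code from the lecture or the textbook, for auditing a host you administer against an approved-service list; the `approved` set, the injectable `connect` parameter and the sample port numbers are assumptions.

```python
import socket

def port_category(port):
    """Category of a port number, using the three TCP/IP ranges."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16 bits: 0-65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def port_state(host, port, timeout=1.0, connect=socket.create_connection):
    """Classify one TCP port as open, closed or blocked.

    `connect` is injectable (an assumption of this example) so the
    classification can be exercised without touching the network.
    Other OSErrors (for example "network unreachable") propagate.
    """
    try:
        conn = connect((host, port), timeout)
    except ConnectionRefusedError:
        return "closed"    # host answered: no process is listening
    except (socket.timeout, TimeoutError):
        return "blocked"   # no reply at all to the inquiry
    conn.close()
    return "open"          # handshake completed: a service is listening

def audit(host, ports, approved, **kw):
    """Port security check: open ports that are not on the approved list."""
    findings = []
    for port in ports:
        state = port_state(host, port, **kw)
        if state == "open" and port not in approved:
            findings.append((port, port_category(port)))
    return findings

if __name__ == "__main__":
    # 127.0.0.1, the port list and the approved set are sample values.
    print(audit("127.0.0.1", [22, 80, 443, 8080], approved={22, 443}))
```

Each finding is a service that should either be added to the approved list or disabled, which is the port security measure described above.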


Port Scanner (Figure 15-4)


Banner Grabbing Tools

• Banner - Message that a service transmits when another program connects to it.
• Banner grabbing - The process of using a program to intentionally gather this information.
• Banner grabbing can be used as an assessment tool to perform inventory on services and systems operating on a server.
• Can be done by using a tool such as Telnet to create a connection with the host and then querying each port.



Protocol Analyzers

• Protocol analyzers - Hardware or software that captures packets to decode and analyze contents.
• Common uses for protocol analyzers:
– Used by network administrators for troubleshooting
– Characterizing network traffic
– Security analysis
• Example: Wireshark.



Vulnerability Scanners
• Vulnerability scanner - Generic term for range of
products that look for vulnerabilities in networks or
systems.
• Intended to identify vulnerabilities and alert network
administrators to these problems.
• Most vulnerability scanners maintain database that
categorizes and describes vulnerabilities that it can
detect.

Vulnerability scanner (Figure 15-6)


Vulnerability Scanners’ Capabilities

• Alert when new systems are added to network.
• Detect when an application is compromised or subverted.
• Detect when an internal system begins to port scan other systems.
• Detect which ports are served and which ports are browsed for each individual system.
• Identify which applications and servers host or transmit sensitive data.
• Maintain log of all interactive network sessions.

Honeypots and Honeynets


• Honeypot - Computer protected by minimal security, intentionally configured with vulnerabilities, and containing bogus data files.
• Goal is to trick attackers into revealing their techniques.
• Honeynet - Network set up with intentional vulnerabilities and honeypots.


Vulnerability Scanning vs.
Penetration Testing

• Two important vulnerability assessment procedures:
– Vulnerability scanning
– Penetration testing
• Similar and therefore often confused.
• Both play an important role in uncovering vulnerabilities.


Vulnerability Scanning

• Vulnerability scan - Automated software searches a system for known security weaknesses.
• Creates report of potential exposures.
• Should be conducted on existing systems and as new technology is deployed.
• Usually performed from inside security perimeter.


Penetration Testing

• Penetration testing - Designed to exploit system weaknesses.
• Relies on tester’s skill, knowledge, cunning.
• Usually conducted by independent contractor.
• Tests usually conducted outside the security perimeter and may even disrupt network operations.
• End result is penetration test report.


Penetration Testing Techniques

• Black box test - Tester has no prior knowledge of network infrastructure.
• White box test - Tester has in-depth knowledge of network and systems being tested.
• Gray box test - Some limited information has been provided to the tester.


Describe the security implications of integration
with third parties
Third-Party Integration

• Increasing number of organizations use third-party vendors to create partnerships.
• Third-party integration - Risk of combining systems and data with outside entities continues to grow.
• On-boarding - Start-up relationship between partners.
• Off-boarding - Termination of agreements.


Mitigating and Deterring Attacks

• Standard techniques for mitigating and deterring attacks:
1. Creating a security posture
2. Selecting and configuring controls
3. Hardening
4. Reporting

1. Creating a Security Posture

• Security posture describes strategy regarding security.
• Elements of security posture:
– Initial baseline configuration
– Continuous security monitoring
– Remediation

2. Selecting Appropriate Controls

• Selecting appropriate controls to use is key to mitigating and deterring attacks.
• Many different controls can be used.
• Common controls that are important to meet specific security goals

Appropriate Controls For Different Security Goals (Table 15-9)

2. Configuring Controls
• Key to mitigating and deterring attacks is proper configuration and testing of the controls.
• One category of controls is those that either detect or prevent attacks.
• Another example of configuring controls regards what occurs when a normal function is interrupted by failure: does safety take priority or does security?

3. Hardening

• Hardening - Eliminate as many security risks as possible.
• Techniques to harden systems:
– Protecting accounts with passwords
– Disabling unnecessary accounts
– Disabling unnecessary services
– Protecting management interfaces and applications

4. Reporting

• Providing information regarding events that occur.
• Alarms or alerts - Sound warning if specific situation is occurring (Example: alert if too many failed password attempts).
• Reporting can provide information on trends.
• Can indicate a serious impending situation (Example: multiple user accounts experiencing multiple password attempts).
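
The two examples on this slide, an alert on too many failed password attempts and a trend of several accounts seeing repeated attempts, can be expressed as one pass over authentication events. This is an added example, not part of the lecture; the log format, the account names and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events in a made-up format for this example.
SAMPLE_LOG = """\
2023-03-02T10:00:01 LOGIN_FAILED user=alice
2023-03-02T10:00:05 LOGIN_FAILED user=alice
2023-03-02T10:00:09 LOGIN_FAILED user=alice
2023-03-02T10:01:00 LOGIN_OK user=dave
2023-03-02T10:02:00 LOGIN_FAILED user=bob
2023-03-02T10:20:00 LOGIN_FAILED user=bob
2023-03-02T10:21:00 LOGIN_FAILED user=carol
2023-03-02T10:22:00 LOGIN_FAILED user=carol
2023-03-02T10:23:00 not an auth event
"""

EVENT = re.compile(r"^(\S+) (LOGIN_FAILED|LOGIN_OK) user=(\S+)$")

def analyze(log_text, threshold=3, window=timedelta(minutes=1), trend_accounts=3):
    """Return (alerts, trend).

    alerts: accounts with `threshold` failures inside `window` (the alarm case).
    trend:  accounts with repeated failures, reported only when at least
            `trend_accounts` accounts show the pattern (the reporting case).
    """
    recent = defaultdict(deque)   # user -> failure times still inside the window
    totals = defaultdict(int)     # user -> failures over the whole log
    alerts = []
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m or m.group(2) != "LOGIN_FAILED":
            continue              # skip successes and unparseable lines
        when, user = datetime.fromisoformat(m.group(1)), m.group(3)
        totals[user] += 1
        times = recent[user]
        times.append(when)
        while when - times[0] > window:
            times.popleft()       # drop failures older than the window
        if len(times) >= threshold and user not in alerts:
            alerts.append(user)
    repeated = sorted(u for u, n in totals.items() if n >= 2)
    trend = repeated if len(repeated) >= trend_accounts else []
    return alerts, trend
```

On the sample data only one account trips the per-account alarm, while the trend list shows three accounts with repeated failures, the "serious impending situation" that a single-account alert would miss.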



Thanks
Enjoy...
