`Int. J. Network Mgmt 2002; 12: 135 – 144 (DOI: 10.1002/nem.433)
`
Identifying enterprise network vulnerabilities

By Judith M. Myerson
`
`Introduction
`
This article is the third of the series on risk assessment. In the first article, we briefly discuss frame relay networks versus leased lines, the network management life cycle and a risk management program. We show how a coordinated denial-of-service attack works against a network. The second article looks at whether to identify assets or threats as the first step in risk assessment. In future articles, we will cover safeguards and the cost effectiveness of implementing them.

In this article, we will talk about identifying vulnerabilities in an enterprise network environment. As vulnerabilities are inherent in distributed networks, the world cannot afford to have network resources adversely affected by coordinated denial of service and other Internet attacks.
According to the CERT® Coordination Center (CERT/CC), the number of vulnerability reports rose from 171 in 1988 to 1090 by 2000, and 633 by the first quarter of 2001. As we enter 2002, we will see more than 2500 database entries. The database will grow to accommodate new reports as enterprise network systems become more complex, more widespread and more susceptible to attack.
Regardless of its size, a distributed network introduces the need to focus attention first on physical security and then on the risk of unauthorized access to a system, particularly one that runs unnecessary services, has not periodically removed temporary files or has not been configured properly. Hackers have used dialup telephones, network technologies and password guesswork to gain illegal system access. They exploit weaknesses in software access controls to enter different systems.
In another instance, many network system administrators (and Internet software developers) leave their machines up and running and accessible from distributed networks 24 hours a day, seven days a week. They give hackers many more opportunities to break into a system (or an entire suite of systems). Network intruders, in addition, are constantly updating their attack technology in order to compromise or destroy corporate information systems across geographical borders.
One way of protecting your corporate information systems is to reduce, mitigate or eliminate the risk of actual threats occurring. To do so, you need a good risk management program and should treat it as the number one priority when you consider a security policy on network management. If you already have the program in place, review and update it to reflect more flexibility in identifying assets, threats, vulnerabilities and safeguards in response to emerging and improved network technologies.
`
Risk Assessment Variables

Although Myerson's book [1] targets the audience of software engineering professionals, risk management processes for software engineering models can be applied to their network engineering counterparts. The first part of risk management is risk assessment, which determines what kinds of controls are needed to protect an organization's information systems and resources not just adequately but cost effectively. The other part covers economic analysis and reiterative processes. Economic analysis looks at the cost effectiveness of implementing safeguards, while reiterative processes are a series of feedback loops to prior steps in risk assessment.
The risk assessment process consists of five variables: assets, threats, vulnerabilities, risks, and controls. All can change over time. Assets are updated or upgraded, and new threat types appear. Vulnerabilities multiply, and so on.

Judith M. Myerson was in the official capacity as the ADP Security Office/Manager for the US Department of the Navy for several years and is the author of numerous articles and reports.

Correspondence to: Judith M. Myerson, Post Office Box 7677, Philadelphia, PA 19101-7677, USA.
E-mail: jmyerson@bellatlantic.net

Copyright © 2002 John Wiley & Sons, Ltd.

Published online 7 February 2002

From the first article previously referenced, we obtained definitions for these variables. An asset is defined as any resource needed to plan, design, build and operate the networks that the security professionals are trying to protect. It includes tangible assets (software, hardware, personnel, manuals, databases, applications and facility) and intangible assets (plans, organizations, external factors and technical factors). These professionals determine how much each asset is worth in today's market. Methods of valuation depend on asset type (depreciation costs, expensed items, salaries).
A threat is defined as a potential harm to the system, including enterprise-wide network failures, local disk damage and facility destruction. It is an event that can happen at any time. The degree to which the asset is threatened could be very slight or very severe. A threat that actually occurs is the result of either accidental or deliberate acts. Safeguards, however, cannot completely eliminate some threats, such as natural disasters, espionage, sabotage, loss of personnel and theft.
A vulnerability is a weakness that would allow a threat to happen or materialize. According to Russell [2], it is a point where the computer [network] system is susceptible to attack. Hamilton [3] considers vulnerabilities "weaknesses in the organization that allow the threat to affect the organization by triggering a loss." Examples include administration, scripts, operating system access controls, accountability, compliance, training, location of the building, and proximity of airports. Most times, it takes more than one vulnerability for the threat to occur.
A risk is the probability that a particular security threat will exploit a system vulnerability. The impact of risk on each asset varies, from very little to very high. High risk means a threat is more likely to occur when adequate and cost-effective controls are not in place. Depending on the asset's value, the company could lose money (tangible) or reputation (intangible) when the threat occurs.
An adequate safeguard is a security control which, when in place, is used to reduce or mitigate the organization's loss if a threat occurs or to eliminate the threat altogether, if possible. Implementing the controls costs money and should show an acceptable return on investment. Controls must be periodically checked or tested to ensure they are functioning properly. Any system deficiencies found must be corrected with new or improved safeguards. Examples of safeguards include biometric controls, use of encryption, awareness programs, audit trails and visitor controls.
`
Identifying Vulnerabilities

Identifying vulnerabilities is a two-step process. The first step is to identify the vulnerabilities by asset. When identifying assets, you should consider which ones are tangible and which are intangible. For a given asset, vulnerabilities differ from one system to another and from one facility to another. The second step is to identify the vulnerabilities by their classes.
`
`—First Step: Vulnerabilities by Asset—
`
`Traditional assets include hardware, software,
`communications, human resources, facility, data
`mechanisms, disaster recovery procedures and
`organizational resources. Each asset has a different
`set of vulnerabilities, as shown in the following
`sample checklists.
`
Hardware
• Inadequate access control
• Inadequate hardware maintenance
• Unauthorized repair personnel
• No training on emergency shutdown procedures
• Hardware alteration
• Hardware failure
• System left on and unattended 24 hours a day, 7 days a week

Software
• Use of unapproved software
• No software inventory
• Unauthorized inspection of software
• Poor software/application documentation
• Unauthorized software
• Virus detection software not used every day
• Noncompliance with copyright laws
• Noncompliance with license agreements
• Poor configuration management controls

Network
• Packet jitter
• Network congestion
• Incompatible block sizes
• Remote scheduling problems
• Cache holding userids
• Defective Service Level Agreements
• Lack of or inadequate network tools
• Sensitive directories not secured
• Access to servers via client scripts

Communications
• Security modems/firewalls not installed
• Encryption devices not used
• Logging of all access attempts not turned on
• Poor password management program
• Inadequate dialup access configurations
• Inadequate audit trail review of system activity
• No or inadequate reporting system on invalid access attempts
• Electromagnetic emanations emitted by the computers or networks that can be intercepted
• Cables not shielded

Human Resources
• Inadequate personnel security policies
• Inadequate training of new employees on ethical responsibilities
• No checkout procedures for denying access to departing or transferred personnel/contractors
• No training of personnel/contractors on new risk management processes

Facility
• No installation of cipher locks to computer/network areas
• Lack of visitor controls
• Lack of monitoring devices to detect unauthorized intrusions
• No inspection of fire extinguishers
• No emergency lighting
• No fire or smoke alarms
• No protection against power failure and fluctuation
• No protection against damage in computer and network areas
• Dirty working environment

Data Mechanisms
• No protection of disks against magnetism and electromagnetic interference
• Magnetic media not marked with appropriate labels according to data sensitivity
• No protection of master diskettes with write-protect tabs
• Boot-up passwords not activated
• No procedures on disposal of files and programs according to data sensitivity
• No protection against accidental or intentional lockups in computer or network processing
• No protection against loss of replicated data
• No procedures on preventing sensitive data being appended to other files

Disaster Recovery
• No loaner equipment
• Copy of disaster recovery procedures not stored off-site
• Recovery procedures not tested periodically
• Backup files and application programs stored in-house
• Spare equipment not available for backup operations
• Personnel not trained on disaster recovery responsibilities
• No agreement with an off-site facility

Organizational Resources
• Inadequate implementation of equal employment opportunity and employee incentive programs
• Inadequate security policies
• Poor staffing requirements
• No review of procurement documents to ensure compliance with security practices
`
—Second Step: Vulnerabilities by Class—

There are different ways of grouping vulnerabilities by class. CISCO, for example, declares three vulnerability classes in its Vulnerability Statistics Report: Denial of Service, Reconnaissance and Access from the Outside (or Access within the Network). (See the section on Cisco Vulnerability Classes below.)

For this article, we consider the Denial of Service, Modification and Destruction vulnerability classes for each threat category. A group of vulnerabilities identified by an asset may be applicable to more than one class. The number of vulnerabilities varies from one threat type to another. This means it may take, say, 25 vulnerabilities to make a threat happen, while a hacker needs no more than five vulnerabilities to begin attacking a system.
The following are some examples of vulnerability classes. Each example lists vulnerabilities associated with a threat.

Example 1. Threat: Unauthorized System Access (Insiders). Vulnerability classes: Modification and Coordinated Denial of Service.

The hacker takes advantage of certain vulnerabilities. They are (1) a full audit trail is not implemented, (2) security breaches are not logged to the system console, (3) departing employees' system access privileges are not immediately revoked, and (4) individual passwords are not unique or contain few characters.

These vulnerabilities apply to software, data and files, and network assets and, as a group, come under the modification and denial of service classes. What this means is that insiders with improper credentials gain access to modify system files, alter hardware components or completely deny service to thousands of users by sending viruses or filling up the system with useless and corrupted files.
Example 2. Threat: Power Failure/Fluctuation. Vulnerability class: Denial of Service.

The following are vulnerabilities associated with power failure or fluctuation: (1) emergency lighting is not adequate, (2) the system does not utilize emergency power systems, (3) software modules being developed are not backed up offsite, (4) master power switches are inappropriately identified, and (5) system personnel are inadequately trained in computer/network emergency shutdown.

These vulnerabilities are applicable to hardware, software, data, and network assets.
Example 3. Threat: Disgruntled Employees. Vulnerability classes: Destruction, Modification and Denial of Service.

Disgruntled employees could modify, destroy or deny service depending on what skills they have and what motives they have in carrying out their intentions. Possible vulnerabilities include: (1) procedures for the termination of accounts are not written, (2) procedures for changing lock/cipher combinations are not written, (3) userids/passwords are not changed periodically, and (4) terminated employees' access to software development projects is not revoked. All three classes (modification, destruction and denial of service) are applicable.
`
Common Vulnerabilities and Exposures Database

The Infosyssec website (http://www.infosyssec.com) maintains the Common Vulnerabilities and Exposures (CVE) Database on directory and script form vulnerabilities. As of 14 May 2001, a search reveals 186 entries or candidates for directory vulnerabilities and 36 entries or candidates for script form vulnerabilities. For additional information on vulnerabilities, visit CERT/CC's Fixes, Quick Fixes and Vulnerabilities (http://www.cert.org/nav/index_red.html). Alternatively, enter "vulnerabilities" in the search field on Microsoft's home page (http://www.microsoft.com).
`
—Directory Vulnerabilities—

The following are some entries on directory vulnerabilities in the CVE Database. For a complete list, go to http://www.infosyssec.com.

CVE-2001-0009. Directory traversal vulnerability in Lotus Domino 5.0.5 web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.

CVE-2001-0054. Directory traversal vulnerability in FTP Serv-U before 2.51 allows remote attackers to escape the FTP root and read arbitrary files by appending a string such as "/..%20" to a CD command, a variant of a .. (dot dot) attack.

CVE-2001-0179. Allaire JRun 3.0 allows remote attackers to list contents of the WEB-INF directory, and the web.xml file in the WEB-INF directory, via a malformed URL that contains a ".".

CVE-2000-1171. Directory traversal vulnerability in cgiforum.pl script on CGIForum 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "the section" parameter.

CVE-2000-0474. Real Networks RealServer 7.x allows remote attackers to cause a denial of service via a malformed request for a page in the viewsource directory.

CVE-2000-0505. The Apache 1.3.x HTTP server for Windows platforms allows remote attackers to list directories.

CVE-2000-0631. An administrative script from IIS 3.0 included in IIS 4.0 and 5.0 allows remote attackers to cause a denial of service by accessing the script without a particular argument, aka the 'Absent Directory Browser Argument' vulnerability.

CVE-2000-0854. When a Microsoft Office 2000 document is launched, the directory of that document is first used to locate DLLs such as riched20.dll and msi.dll, which could allow an attacker to execute arbitrary commands by inserting a Trojan Horse DLL into the same directory as the document.

CVE-2000-0883. The default configuration of mod_perl for Apache as installed on Mandrake Linux 6.1 through 7.1 sets the /perl/ directory to be browseable, which allows remote attackers to list the contents of that directory.

CVE-2000-0925. The default installation of SmartWin CyberOffice Shopping Cart 2 (aka CyberShop) installs the _private directory with world readable permission, which allows remote attackers to obtain sensitive information.

CVE-2000-0951. A misconfiguration in IIS 5.0 with Index Server enabled and the Index property set allows remote attackers to list directories in the web root via a Web Distributed Authoring and Versioning (WebDAV) search.
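The traversal entries above share one root cause: a path taken from the request reaches the filesystem before it has been decoded and normalised. The check below is an editor's added example (not code from the article or from any product named in it); it resolves a request path against a constructed web root and refuses anything that would leave it, including the "/..%20" trailing-space variant and a trailing-dot segment.

```python
"""Defensive resolution of a request path against a document root.

Editor-added example (not from the article). WEB_ROOT and the sample
request paths are constructed; they are not taken from any real deployment.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # constructed document root for the demonstration


def resolve_request_path(web_root: str, request_path: str) -> Optional[str]:
    """Return the absolute file path for request_path, or None if the request
    would escape web_root.

    Order matters: decode first, then inspect segments, then normalise and
    check the prefix. Inspecting before decoding is how '%2e%2e' and
    '/..%20' slip past a naive '..' filter.
    """
    # 1. Percent-decode until the string stops changing, with a small bound so
    #    that layered encodings ('%252e' -> '%2e' -> '.') are either fully
    #    unwrapped or rejected outright.
    decoded = request_path
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        return None  # still changing after three rounds: refuse it

    # 2. An embedded NUL would truncate the path in C-based servers and libraries.
    if "\x00" in decoded:
        return None

    # 3. Treat backslashes as separators (Windows targets), then look at each
    #    segment. A segment ending in a space or a dot covers '..', the
    #    '.. ' left behind by the '/..%20' variant, and 'WEB-INF.' style
    #    trailing-dot tricks in one rule. Empty and '.' segments are harmless.
    decoded = decoded.replace("\\", "/")
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment.endswith((" ", ".")):
            return None

    # 4. Normalise and confirm the result is still inside the root. This is
    #    the backstop for anything the segment rule did not anticipate.
    root = posixpath.normpath(web_root)
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None
    return full


if __name__ == "__main__":
    # Constructed requests: the first two are legitimate, the rest are the
    # traversal shapes described in the CVE entries above.
    for path in [
        "/index.html",
        "/docs/./readme.txt",
        "/../../etc/passwd",
        "/docs/..%20/..%20/etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd",
        "/%252e%252e/etc/passwd",
        "/WEB-INF./web.xml",
    ]:
        print(f"{path!r:40} -> {resolve_request_path(WEB_ROOT, path)}")
```

Rejecting any segment that ends in a space or a dot is deliberately conservative; a server that must serve such names can relax rule 3 and rely on rule 4 alone.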
`
—Script Form Vulnerabilities—

The script form attack occurs when there is a break-in and modification of client scripts, allowing hackers to exploit vulnerabilities. The following are some entries on script form vulnerabilities.

CVE-2000-0860. The file upload capability in PHP versions 3 and 4 allows remote attackers to read arbitrary files by setting hidden form fields whose names match the names of internal PHP script variables.

CVE-2000-0878. The mail to CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the emailadd form field.

CVE-2000-0926. SmartWin CyberOffice Shopping Cart 2 (aka CyberShop) allows remote attackers to modify price information by changing the 'Price' hidden form variable.

CVE-2000-1187. Buffer overflow in the HTML parser for Netscape 4.75 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the MAIL TO form variable.

CVE-2001-0089. Internet Explorer 5.0 through 5.5 allows remote attackers to read arbitrary files from the client via the INPUT TYPE element in an HTML form, aka the 'FILE Upload via Form' vulnerability.

CVE-2001-0096. FrontPage Server Extensions (FPSE) in IIS 4.0 and 5.0 allow remote attackers to cause a denial of service via a malformed form, aka the 'Malformed Web Form Submission' vulnerability.
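Two of the entries above (CVE-2000-0860 and CVE-2000-0926) come down to a server that trusts what the browser sends back in hidden fields: a price, or a field name that collides with an internal variable. The handler below is an editor's added example (not code from the article, PHP or CyberShop); its catalogue, parameter names and submissions are constructed. It treats the catalogue as the only source of price, reads only an allowlist of parameter names, and reports discrepancies so they can be logged.

```python
"""Server-side order handling that does not trust hidden form fields.

Editor-added example, not from the article. The catalogue, parameter names
and submissions below are constructed for the demonstration.
"""
from decimal import Decimal, InvalidOperation
from typing import Dict, List

# The server's own price list. Any 'Price' value arriving in the request is
# ignored for the calculation; it is only compared against this table to
# detect tampering.
CATALOGUE: Dict[str, Decimal] = {
    "SKU-100": Decimal("49.95"),
    "SKU-200": Decimal("9.50"),
}

# Only these request parameters are ever read. Extra names, including ones
# that happen to match internal variable names (the pattern behind
# CVE-2000-0860), are dropped and reported.
ALLOWED_FIELDS = {"sku", "qty", "Price"}
MAX_QTY = 100


class RejectedOrder(ValueError):
    """Raised when the submission cannot be processed at all."""


def process_order(form: Dict[str, str]) -> Dict[str, object]:
    """Validate a submitted cart form and price it from the catalogue.

    Returns a record with the server-computed total plus two tamper
    indicators for the audit log: whether the client-supplied price
    disagreed with the catalogue, and which unexpected fields arrived.
    """
    unexpected: List[str] = sorted(set(form) - ALLOWED_FIELDS)
    trusted = {k: v for k, v in form.items() if k in ALLOWED_FIELDS}

    sku = trusted.get("sku", "")
    if sku not in CATALOGUE:
        raise RejectedOrder(f"unknown sku {sku!r}")

    try:
        qty = int(trusted.get("qty", "1"))
    except ValueError:
        raise RejectedOrder("qty is not an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise RejectedOrder(f"qty {qty} out of range 1..{MAX_QTY}")

    unit_price = CATALOGUE[sku]

    # Compare, never use: a mismatch means the hidden field was edited.
    price_tampered = False
    if "Price" in trusted:
        try:
            price_tampered = Decimal(trusted["Price"]) != unit_price
        except InvalidOperation:
            price_tampered = True

    return {
        "sku": sku,
        "qty": qty,
        "total": unit_price * qty,
        "price_tampered": price_tampered,
        "unexpected_fields": unexpected,
    }


if __name__ == "__main__":
    # Constructed submissions: an honest one, an edited hidden price, and a
    # stray field named like a server-side variable.
    honest = {"sku": "SKU-100", "qty": "2", "Price": "49.95"}
    edited_price = {"sku": "SKU-100", "qty": "2", "Price": "0.01"}
    stray_field = {"sku": "SKU-200", "qty": "1", "upload_dir": "/etc"}
    for submission in (honest, edited_price, stray_field):
        print(process_order(submission))
```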
`
Email Viewer Vulnerabilities

One good example of a possible script form attack not yet addressed is an email viewer that allows you to login to your email account anytime, anywhere. With this viewer, you can read and send e-mail from any computer with an Internet connection and a Web browser. To login, you supply your userid and password in fields provided by a client script. Then the system greets you with new mail that you can read and provides you with space to write messages. When you are done, you logout of the viewer and then the system.

Next day, you reboot your computer and go back to the email viewer's welcome screen. You find you do not have to reenter your userid. The system has kept it for you, if no one else has entered their own userid replacing yours. The password is left blank. Now, suppose somebody wants to use the viewer before you do, sees your userid and correctly guesses your password. When this happens, this person goes into your email account with bad intentions, sending junk mail to millions of users or tying up the network system with viruses or corrupted files.
What's wrong? If you take a look at the source, you would find the following HTML tags in the <form></form> block:

    <INPUT TYPE="text" NAME="alias" VALUE="myname@tmsn.com" SIZE="25">
    <INPUT TYPE="password" NAME="pw" SIZE="18">

It is obvious that when you enter your name, the client-side script picks it up as the VALUE of the text input. The password you enter is passed on to the server-side script and is never written back into the page. That's why the password is always blank when you start the email viewer, while the userid is not.
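The weakness above can be found mechanically by auditing the login form's markup. The parser below is an editor's added example (not from the article); WEAK_FORM is a constructed copy of the article's two INPUT tags wrapped in a FORM element, and HARDENED_FORM is the constructed corrected version. It flags a text field prefilled with the previous user's identifier, a password field carrying any VALUE, credentials submitted by GET, and a missing autocomplete=off hint.

```python
"""Audit a login form for the prefilled-userid weakness described above.

Editor-added example, not from the article. Both HTML fragments are
constructed: WEAK_FORM reproduces the article's two INPUT tags inside a FORM,
HARDENED_FORM is the corrected version.
"""
from html.parser import HTMLParser
from typing import List

WEAK_FORM = """
<form action="/login">
<INPUT TYPE="text" NAME="alias" VALUE="myname@tmsn.com" SIZE="25">
<INPUT TYPE="password" NAME="pw" SIZE="18">
</form>
"""

HARDENED_FORM = """
<form action="/login" method="post" autocomplete="off">
<input type="text" name="alias" size="25">
<input type="password" name="pw" size="18">
</form>
"""


class LoginFormAuditor(HTMLParser):
    """Collects one finding per weakness seen in <form> / <input> markup."""

    def __init__(self) -> None:
        super().__init__()
        self.in_form = False
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; values keep their case.
        a = {name: (value or "") for name, value in attrs}
        if tag == "form":
            self.in_form = True
            if a.get("method", "get").lower() != "post":
                self.findings.append("form submits credentials with GET")
            if a.get("autocomplete", "").lower() != "off":
                self.findings.append("form does not set autocomplete=off")
        elif tag == "input" and self.in_form:
            kind = a.get("type", "text").lower()
            name = a.get("name", "<unnamed>")
            # The article's defect: the server echoed the last userid into VALUE.
            if kind == "text" and a.get("value"):
                self.findings.append(
                    f"text field {name!r} is prefilled with {a['value']!r}"
                )
            if kind == "password" and a.get("value"):
                self.findings.append(f"password field {name!r} has a VALUE attribute")

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def audit_login_form(html: str) -> List[str]:
    """Return the list of findings for one HTML fragment (empty when clean)."""
    auditor = LoginFormAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for label, fragment in (("weak", WEAK_FORM), ("hardened", HARDENED_FORM)):
        print(label, audit_login_form(fragment) or ["no findings"])
```

autocomplete=off is only a hint and browsers may ignore it for credential fields; the decisive fix is that the server never writes the previous userid into the VALUE attribute at all.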
`
Cisco Vulnerability Classes

CISCO divides vulnerability security assessments into three groups. They are Public Internet, Corporate Intranet and Remote or Dial-Up Access. The first two groups are further broken down into three vulnerability classes as defined by the Cisco Secure Consulting Services: Denial of Service, Reconnaissance, and Attack from the Outside (or Attack within the Network).
`
`—Public Internet Vulnerabilities—
`
CISCO found the top five most vulnerable services, in order of importance, to be RPC network services (TCP port 111), Web service (TCP port 80), SMTP network service, SNMP and FTP network service. For each vulnerability class, a short discussion is provided.

• Denial of Service. This type of vulnerability is primarily caused by allowing access to unnecessary services or by simple network misconfigurations. Examples include running outdated, unnecessary services, such as legacy services that are not used in today's IT environments; the BOOTP network service, which is used for DHCP, being reachable over the Internet; and a buffer overflow associated with some versions of the FTP server.

• Reconnaissance. Remote users can gather information about network devices that could aid in compromising assets. Requesting information from the RPC portmapper, using the SMTP network service to send email, and allowing Network File System access on any resources reachable from the Internet are some of the things these users could do. Sample pages that come with Cold Fusion can also allow a remote user to gather information about your server.

• Access from the Outside. CISCO treats this vulnerability type as the most dangerous major class. Remote users can review data, modify or delete data, cause disruption, or further compromise your network. Example vulnerabilities include: (1) weak user authentication (hackers can easily guess passwords), (2) the mail relay function of Internet SMTP servers that allows email spamming and mail relaying to other email destinations, and (3) allowing anonymous access to the FTP service.
`
—Corporate Intranet Vulnerabilities—

CISCO found that every network interface had some form of vulnerability associated with an intranet network. Examples include:

• Denial of Service Vulnerabilities. They are caused by running outdated, unnecessary services. These are legacy services and most often are not used in today's IT environments. Some FTP servers allow PASV commands. The BOOTP network service is used for DHCP and should never permit access from the Internet. The FTP network service has buffer overflows.

• Reconnaissance Vulnerabilities. Remote users can compromise your network and gather information about your devices. They can request information about the RPC network services that are configured to run on the remote network device. Users are also allowed to query the finger service to obtain a list of valid users with accounts on the server. An SNMP server is set to "public" as a community name.

• Access from within the Network. A user can review data, modify or delete data, cause disruption, or further compromise a network. This is due to weak user authentication and the mail relay function of Internet SMTP servers that allows for remote email spamming and mail relaying to other email destinations. The user can "pipe" the contents of a specially formatted email message to another program on the system.
`
`
Threat Data Sheet Examples

Examples of what vulnerabilities can be exploited to launch a threat against part or all of the system assets, and how the vulnerabilities as a group are applied to vulnerability classes, are best illustrated with a threat data sheet sample. Each data sheet shows a short list of vulnerabilities for illustrative purposes. A vulnerability statement must be short and clearly stated. If the vulnerability is ambiguous, it must be clarified.

The list of vulnerabilities can be short or long depending on what the threat is, what assets are being threatened and how complex and sensitive the network system is. Some vulnerabilities may be applicable to one network system, but not to another. A test of security controls may be conducted to determine what new vulnerabilities by asset are found, what their significance is, and what vulnerability classes are applicable. It includes examining log files and all machines on the local network as well as checking for emanations, compliance with regulations, unauthorized services, packet sniffers and system and network configurations. Based on the results, ways of correcting deficiencies are recommended and the cost effectiveness of implementing safeguards is then determined.

For this article, the sections on safeguards and impact ratings are blank. Safeguard examples and various approaches to calculating impact ratings will be covered in future articles. Tables 1–4 give sample worksheets on flood, denial of service, script form and directory threats.

Table 1. Sample data worksheet on flood threat

Threats Data Sheet
Type: Natural Disaster
Scope: Facility about one mile from Atlantic River, subject to frequent high tides
Average Frequency: Twice a year
Historical Damage: None
Vulnerabilities:
1. Flood warning alarms are deficient.
2. An agreement with an off-site facility for backup operations does not exist.
3. Main computer/network area is located on the first floor in a 15-story building.
4. Backup tapes and disk packs are stored in the basement.
Safeguards (left blank in this article):
1.
2.
3.
4.
Impact Ratings (left blank in this article)
Assets                  Modification    Destruction    Denial of Service
Hardware
Software
Physical
Human resources
Office administration
Data and files
Network

Table 2. Sample data worksheet on denial of service threat

Threats Data Sheet
Type: Intentional
Scope: Systems span three countries
Average Frequency: Three times a year
Historical Damage: None
Vulnerabilities:
1. Cryptographic systems are not in secure areas.
2. Network congestion is due to inadequate diagnostic and monitoring tools.
3. Network systems are improperly configured.
4. Flaws in operating systems that are upgraded or newly installed.
Safeguards (left blank in this article):
1.
2.
3.
4.
Impact Ratings (left blank in this article)
Assets                  Modification    Destruction    Denial of Service
Hardware
Software
Physical
Human resources
Office administration
Data and files
Network
`
`
Table 3. Sample data worksheet on script form threat

Threats Data Sheet
Type: Intentional and accidental
Scope: Proliferation of client scripts
Average Frequency: 400 times a year
Historical Damage: None
Vulnerabilities:
1. No mechanism for checking identical entries by a legitimate user.
2. Hackers can view the client-side source.
3. Hackers intentionally enter wrong email addresses to fill up the system.
4. Hackers see a userid in an email viewer and correctly guess the password.
5. Remote attackers read files from the client via INPUT TYPE in an HTML form.
Safeguards (left blank in this article):
1.
2.
3.
4.
Impact Ratings (left blank in this article)
Assets                  Modification    Destruction    Denial of Service
Hardware
Software
Physical
Human resources
Office administration
Data and files
Network

Table 4. Sample data worksheet on directory form threat

Threats Data Sheet
Type: Intentional and accidental
Scope: Directories part of all file systems
Average Frequency: 400 times a year
Historical Damage: None
Vulnerabilities:
1. No mechanism for checking identical entries by a legitimate user or hacker.
2. Hackers can view the client-side source.
3. Hackers intentionally enter wrong email addresses to fill up the system.
4. Hackers see a userid in an email viewer and correctly guess the password.
Safeguards (left blank in this article):
1.
2.
3.
4.
Impact Ratings (left blank in this article)
Assets                  Modification    Destruction    Denial of Service
Hardware
Software
Physical
Human resources
Office administration
Data and files
Network

Conclusion

A good risk management program is important, as vulnerabilities are inherent in network systems. As technologies emerge or evolve, we will see new vulnerabilities, new safeguards, and new ways of calculating return on investments not yet addressed. Detailed discussions on other aspects of risk management processes will be considered in future articles.

References

1. Myerson JM. Risk Management Processes for Software Engineering Models. Artech House: Boston, MA, 1997.
2. Russell D, Gangemi GT. Computer Security Risks. O'Reilly & Associates: Sebastopol, CA, 1991.
3. Hamilton CR. New trends in risk management. In Consultant's Corner, CRC Press (Auerbach Publications): Spring 1998.
Infosyssec Website, http://www.infosyssec.com
Microsoft Website, http://www.microsoft.com
Peltier TR. Information Security Risk Analysis. CRC Press (Auerbach Publications): 2001.

—Further Reading—

CERT/CC Website, http://www.cert.org
Cisco Website, http://www.cisco.com
`
`