
Version 4.1 - 7.6 Security audit and validation

I know this entire 7.x section is only worth about 8 questions, but this section is a bit thin on the study guides. Hopefully, you have some experience with at least -being- audited, which may help on this section. Audit is big in both security and business. Many business people think that compliance (passing audit) IS security. But audits only check for compliance with a baseline security level. As a security professional, you should strive to be as secure as you can while simultaneously enabling business processes. This means meeting and then going above the baseline.

One of the items mentioned in the study materials is nmap. OMG. Really? If you are not a pentester, you should not be using nmap on your production network. Period. If you want to use it in a lab environment to check your device before deployment, fine. But not on the production network. This goes double if you are not an expert user who is checking for something very specific. You should still be familiar with the tool, though.

nmap [Scan Type...] [Options] {target specification}

Nmap divides ports into six states: open, closed, filtered, unfiltered, open|filtered, or closed|filtered.

The other tool mentioned in the study guide is Nessus. Nessus is a proprietary vulnerability scanner developed by Tenable Network Security. It is free of charge for personal use in a non-enterprise environment.

Nessus allows scans for the following types of vulnerabilities:
# Vulnerabilities that allow a remote attacker to control a system or access sensitive data on it.
# Misconfigurations (e.g. open mail relays, missing patches, etc.).
# Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
# Denial of service against the TCP/IP stack using malformed packets.
# Preparation for PCI DSS audits.

Again, this is not a toy. It is a tool - and should be used properly and in an authorized manner. You should be familiar with the tool and what it can do (and not do). But practically speaking, you shouldn't be using this to "test" your network.

What I didn't find in the guides were the OBVIOUS audit and validation tools from Cisco!

Here is the manual for Auditing Device Configurations for Compliance using Cisco Prime.

You can also check Configuration Management with CiscoWorks. With all the obsolete software and devices that actually ARE listed in the blueprint, I'm surprised that this isn't mentioned.

There is also Configuration Management software from SolarWinds, AlgoSec and Tufin.

Mainly, your scanners (nmap, for example) send specific packets and analyze the responses. Nessus also has a large set of scripts that actually attempt to exploit vulnerabilities; based on the response from the target, it decides whether or not the vulnerability exists there. Configuration management tools (which also check for and validate specific security controls) usually work from a preconfigured template and check for the presence or absence of particular configuration strings.

Note: AlgoSec can check firewalls (and other devices) against a preconfigured baseline and can also check for compliance with many of the standards listed in 7.2.
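To make the template-and-string-matching approach concrete, here is an added example (my own illustration, not code from Cisco Prime, CiscoWorks or AlgoSec) that audits a constructed IOS-style config against a small baseline of "must be present" and "must be absent" line patterns. The config fragment, the rule names and the patterns are all assumptions chosen for the demonstration.

```python
import re

# Constructed sample: a fragment of an IOS-style running config, not a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
service password-encryption
no service tcp-small-servers
ip http server
enable password examplepw
!
line vty 0 4
 transport input telnet ssh
 exec-timeout 5 0
!
logging host 192.0.2.10
"""

# Baseline template: (rule name, line regex, True if the line must be present / False if it must be absent).
BASELINE = [
    ("password encryption enabled",   r"^service password-encryption$", True),
    ("enable secret used",            r"^enable secret ",               True),
    ("plain enable password absent",  r"^enable password ",             False),
    ("HTTP server disabled",          r"^ip http server$",              False),
    ("logging host configured",       r"^logging host \S+",             True),
    ("VTY access restricted to SSH",  r"^\s*transport input ssh$",      True),
    ("VTY idle timeout set",          r"^\s*exec-timeout \d+ \d+",      True),
]


def audit_config(config_text, baseline=BASELINE):
    """Return [(rule_name, passed)] for each baseline rule.

    A 'present' rule passes when at least one config line matches its pattern;
    an 'absent' rule passes when no line matches. Matching is line by line,
    which is the string check the post describes."""
    lines = config_text.splitlines()
    results = []
    for name, pattern, must_be_present in baseline:
        rx = re.compile(pattern)
        found = any(rx.search(line) for line in lines)
        results.append((name, found == must_be_present))
    return results


def failed_checks(config_text, baseline=BASELINE):
    """Names of the baseline rules the config does not satisfy."""
    return [name for name, ok in audit_config(config_text, baseline) if not ok]


if __name__ == "__main__":
    for name, ok in audit_config(SAMPLE_CONFIG):
        print("PASS" if ok else "FAIL", name)
```

Real products ship far larger templates and understand config hierarchy (the VTY rules above would normally be scoped to the `line vty` block), but the pass/fail logic is the same.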
