Security professionals use a variety of assessment tools to help them assess the effectiveness of security controls. In this video, learn the basics of vulnerability assessment tools, including the difference between active and passive tools, the use of protocol analyzers, and the purpose of honeypots and honeynets.
- [Instructor] Security professionals use a variety of assessment tools to help them assess the effectiveness of security controls. Let's take a few minutes to talk about the different types of tools and then dive into using protocol analyzers to see the inner workings of network activity. Vulnerability assessment tools come in two forms, and both play an important role in enterprise security. First, passive tools simply observe activity and provide security administrators with reports on system configuration. They often monitor network traffic or observe system activity.
The key is that they don't actually interact with systems. They just watch. Active tools, on the other hand, do interact with the systems they assess. This might be as innocuous as checking for open ports or it might be more intrusive, such as testing exploits against known vulnerabilities. Active tools are much riskier to use because they can disrupt normal system operation. The important thing to remember, however, is that if an active tool can disrupt your server, so can an attacker.
Honeypots are a type of passive tool that simply sits on a network and waits. Security administrators design honeypots to look very appealing to hackers. They might have obvious vulnerabilities that show up on a security scan, names like credit card server, or contain data such as files called employee social security database. The reality is that the server doesn't contain any sensitive information. Honeypots are meant to serve as decoys to attract hacker attention and distract them from other real servers.
Honeypots are also highly instrumented. They have no other purpose, so there should be no legitimate activity on the honeypot. Anytime someone interacts with the server, it's probably an attacker. Activity is immediately reported to security administrators and carefully monitored. Honeynets are a variation on honeypots. They are entire networks set up as decoys for attackers. They're sometimes also called dark nets because they typically remain unused or dark. Anyone trying to connect to the honeynet is likely performing reconnaissance for an attack.
Honeynets quickly identify other compromised systems in the LAN when those systems start trying to connect to the honeynet. Some honeynets also exist on the public internet and are used to create DNS blacklists of known malicious IP addresses. Finally, protocol analyzers help us peer into the contents of network traffic. This is often very important when diagnosing a network problem or investigating a security incident. Protocol analyzers allow us to see the actual packets exchanged on the network and dig deep into the details of those packets.
They do, however, introduce privacy concerns because they provide deep insight into the activity of individual users on the network. The use of protocol analyzers should be carefully restricted. The most common protocol analyzer is a free tool called Wireshark. Let's take a look at Wireshark in use. I'm going to go ahead and start a network capture in Wireshark. As you can see, the screen is quickly filling with all of the traffic taking place on this server. Each line in the Wireshark window corresponds to a single network packet.
I'm now going to open up a web browser and visit the Lynda.com homepage. All of the traffic associated with this webpage is being captured by Wireshark. When I return to the Wireshark window, you see that it's still full. We've actually captured over 3,000 packets so far. Trying to find the Lynda.com traffic within this would be finding a needle in a haystack, so what I'm going to do is add a filter to remove all the extraneous traffic not related to that connection.
I'm going to go up to the filter window and the way I'm going to construct this filter is by searching for all traffic on TCP port 80. That's the common port used for web communications, so I'm going to type in TCP.port eq 80 and as soon as I type in a valid filter, notice that the background of that window changed from red to green. Now, I'm going to go ahead and click the apply button and the traffic is filtered down to only the traffic associated with port 80.
There's still a lot here, so what I'm going to do next is do a search. I'm going to choose find packet. I'm going to specify a string and then type in the string, lynda. When I click find, the packets are then filtered down to only those that contain the word Lynda in them. If I want to look inside the details of the packet, I can see header information in the second window for the packet that's highlighted above. I can also look in the bottom window and see the payload of that packet. An easier way to reconstruct some of these packets is to right click on one of them and choose follow TCP stream.
This reassembles all of the packets associated with a single connection in one place where I can view them together, and as you can see, this is a packet associated with the Lynda.com website and I could look through and analyze this to find out what was actually happening during this network connection. As a security professional, you should be familiar with the use of honeypots, honeynets and protocol analyzers to help identify intruders on a network, contain hacker attacks, and dig deep into network data flows.
- Using security assessment tools
- Scanning for vulnerabilities
- Threat assessment techniques
- Performing penetration testing
- Reviewing monitor logs
- Performing code reviews
- Performing fuzz testing and misuse case testing
- Analyzing coverage
- Assessing disaster recovery sites and backups
- Testing BC/DR plans
- Collecting security process data and metrics
- Auditing and control management