Security professionals use a variety of assessment tools to help them assess the effectiveness of security controls. In this video, learn the basics of vulnerability assessment tools, including the difference between active and passive tools, the use of protocol analyzers, and the purpose of honeypots and honeynets.
- [Instructor] Security professionals use a variety of assessment tools to help them assess the effectiveness of security controls. Let's take a few minutes to talk about the different types of tools and then dive into using protocol analyzers to see the inner workings of network activity. Vulnerability assessment tools come in two forms and both play an important role in enterprise security. First, passive tools simply observe activity and provide security administrators with reports on system configuration. They often monitor network traffic or observe system activity.
The key is that they don't actually interact with systems. They just passively test security controls by watching activity. Active tools on the other hand do interact with the systems they assess to identify both vulnerabilities and the potential lack of security controls. This might be as innocuous as checking for open ports or it might be more intrusive such as checking exploits against known vulnerabilities. Active tools are much riskier to use because they can disrupt normal system operation.
The important thing to remember however is that if an active tool can disrupt your server, so can an attacker. Vulnerability assessment tools may also be used to conduct configuration compliance scanning. In this mode the assessment tool may reach out to systems, retrieve their configurations, and then compare those configurations to a security standard noting any deviations from the standard and flagging them for remediation. Honeypots are a type of passive tool that simply sits on a network and waits.
Security administrators design honeypots to look very appealing to hackers. They might have obvious vulnerabilities that show up on a security scan, names like credit card server, or contain data such as files called employee social security database. The reality is that the server doesn't contain any sensitive information. Honeypots are meant to serve as decoys to attract hacker attention and distract them from other real servers. Honeypots are also highly instrumented. They have no other purpose so there should be no legitimate activity on the honeypot.
Anytime someone interacts with the server, it's probably an attacker. Activity is immediately reported to security administrators and carefully monitored. Honeynets are a variation on honeypots. They are entire networks set up as decoys for attackers. They're also sometimes called dark nets because they typically remain unused or dark. Anyone trying to connect to the honeynet is likely performing reconnaissance for an attack. Honeynets quickly identify other compromised systems on the LAN when those systems start trying to connect to the honeynet.
Some honeynets also exist on the public internet and are used to create DNS blacklists of known malicious IP addresses. Finally, protocol analyzers help us peer into the contents of network traffic. This is often very important when diagnosing a network problem or investigating a security incident. Protocol analyzers allow us to see the actual packets exchanged on the network and dig deep into the details of those packets. They do however introduce privacy concerns because they provide deep insight into the activity of individual users on the network.
The use of protocol analyzers should be carefully restricted. The most common protocol analyzer is a free tool called Wireshark. Let's take a look at Wireshark in use. I'm going to go ahead and start a network capture in Wireshark. As you can see, the screen is quickly filling with all of the traffic taking place on this server. Each line in the Wireshark window corresponds to a single network packet. I'm now going to open up a web browser and visit the Lynda.com home page.
All of the traffic associated with this webpage is being captured by Wireshark. When I return to the Wireshark window, you see that it's still full. We've actually captured over 3,000 packets so far. Trying to find the lynda.com traffic within this would be finding a needle in a haystack. So what I'm going to do is add a filter to remove all the extraneous traffic not related to that connection. I'm going to go up to the Filter window and the way I'm going to construct this filter is by searching for all traffic on TCP port 80.
That's the common port used for web communications. So I'm going to type in tcp.port eq 80. And as soon as I type in a valid filter, notice that the background of that window changed from red to green. Now I'm going to go ahead and click the Apply button and the traffic is filtered down to only the traffic associated with port 80. There's still a lot here so what I'm going to do next is do a search. I'm going to choose Find Packet. I'm going to specify a string and then type in the string Lynda.
When I click Find, the packets are then filtered down to only those that contain the word Lynda in them. If I want to look inside the details of the packet, I can see the header information in the second window for the packet that's highlighted above. I can also look in the bottom window and see the payload of that packet. An easier way to reconstruct some of these packets is to right click on one of them and choose Follow TCP Stream. This reassembles all of the packets associated with a single connection in one place where I can view them together.
And as you can see, this is a packet associated with the lynda.com website, and I could look through and analyze it to find out what was actually happening during this network connection. As a Security+ professional, you should be familiar with the use of honeypots, honeynets, and protocol analyzers to help identify intruders on a network, contain hacker attacks, and dig deep into network data flows.
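The Wireshark steps above (the `tcp.port eq 80` display filter, Find Packet by string, and Follow TCP Stream), as an added example that is not part of the original video or the course: a self-contained Python script that builds a small constructed pcap, parses it, and applies the same three operations. Everything in it is an assumption made for the demonstration, not captured data: the addresses are private or documentation ranges, the HTTP payloads are made up, one server segment is delivered out of order and one is retransmitted so the stream reassembly has something to do, and string matching is case-insensitive.

```python
"""Added example: the transcript's Wireshark steps (filter `tcp.port eq 80`, Find Packet
by string, Follow TCP Stream) reproduced offline against a small constructed pcap."""
import struct
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "frame src dst sport dport seq payload")

def _frame(src, dst, sport, dport, seq, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left at 0 (never validated below)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_sample_pcap():
    """Constructed capture (assumed, not real traffic): one SSH packet, the lynda.com HTTP
    exchange (bare ACK, one segment arriving out of order, one retransmission) and an
    unrelated HTTP exchange. Server addresses come from the documentation ranges."""
    lynda = b"GET / HTTP/1.1\r\nHost: www.lynda.com\r\n\r\n"
    seg1 = b"HTTP/1.1 200 OK\r\n"                          # 17 bytes, so seg2 starts at 5017
    seg2 = b"Content-Type: text/html\r\n\r\n<html><title>Lynda</title></html>"
    frames = [
        _frame("192.168.1.10", "10.0.0.5", 50100, 22, 1, b"SSH-2.0-OpenSSH_8.9"),
        _frame("192.168.1.10", "203.0.113.5", 52000, 80, 1000, lynda),
        _frame("203.0.113.5", "192.168.1.10", 80, 52000, 5000),        # bare ACK, no data
        _frame("203.0.113.5", "192.168.1.10", 80, 52000, 5017, seg2),  # arrives before seg1
        _frame("203.0.113.5", "192.168.1.10", 80, 52000, 5000, seg1),
        _frame("203.0.113.5", "192.168.1.10", 80, 52000, 5000, seg1),  # retransmission
        _frame("192.168.1.10", "198.51.100.7", 52001, 80, 7000,
               b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
        _frame("198.51.100.7", "192.168.1.10", 80, 52001, 9000,
               b"HTTP/1.1 200 OK\r\n\r\n<html>Example</html>"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # pcap global header
    for i, f in enumerate(frames):                                     # per-packet headers
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Return the TCP packets of a classic pcap as Packet tuples, numbered from 1 like
    Wireshark's packet list; non-IPv4 and non-TCP frames are skipped."""
    magic, = struct.unpack("<I", data[:4])
    end = "<" if magic == 0xA1B2C3D4 else ">"
    packets, off, frame = [], 24, 0
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        f, off, frame = data[off + 16:off + 16 + incl_len], off + 16 + incl_len, frame + 1
        if f[12:14] != b"\x08\x00" or f[23] != 6:            # not IPv4 / IP proto not TCP
            continue
        t = 14 + (f[14] & 0x0F) * 4                           # TCP header follows IPv4 header
        total_len, = struct.unpack("!H", f[16:18])
        sport, dport, seq = struct.unpack("!HHI", f[t:t + 8])
        doff = (f[t + 12] >> 4) * 4                           # TCP header length
        src, dst = (".".join(map(str, f[o:o + 4])) for o in (26, 30))
        packets.append(Packet(frame, src, dst, sport, dport, seq, f[t + doff:14 + total_len]))
    return packets

def display_filter_port(packets, port):
    """Same effect as the display filter `tcp.port eq <port>`: either endpoint matches."""
    return [p for p in packets if port in (p.sport, p.dport)]

def find_packets(packets, needle):
    """Same effect as Find Packet with a String search; case-insensitive by choice here."""
    n = needle.lower().encode()
    return [p for p in packets if n in p.payload.lower()]

def follow_tcp_stream(packets, pkt):
    """Same effect as Follow TCP Stream on `pkt`: each direction of that connection is
    reassembled in sequence order, bytes already delivered (retransmissions, overlaps)
    are dropped, and a gap is skipped over. Returns {(src, sport, dst, dport): bytes}."""
    ends = {(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}
    by_dir = defaultdict(list)
    for p in packets:
        if {(p.src, p.sport), (p.dst, p.dport)} == ends and p.payload:
            by_dir[(p.src, p.sport, p.dst, p.dport)].append((p.seq, p.payload))
    streams = {}
    for key, segs in by_dir.items():
        out, nxt = bytearray(), None
        for seq, payload in sorted(segs):
            if nxt is not None and seq < nxt:                # overlap: keep only new bytes
                payload, seq = payload[nxt - seq:], nxt
            out += payload
            nxt = seq + len(payload)
        streams[key] = bytes(out)
    return streams

if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    hits = find_packets(display_filter_port(pkts, 80), "Lynda")
    print("frames containing 'Lynda':", [p.frame for p in hits])
    for key, data in follow_tcp_stream(pkts, hits[0]).items():
        print(key, data.decode(errors="replace"), sep="\n")
```

Running it prints the frame numbers that contain "Lynda" (the request carrying the Host header and the response body) and both directions of the reassembled connection, with the duplicated "200 OK" segment appearing once. The privacy point made in the video applies here too: the script reads full request and response bodies, which is exactly why access to captures should be restricted.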
The CompTIA Security+ exam is an excellent entry point for a career in information security. The latest version, SY0-501, expands coverage of cloud security, virtualization, and mobile security. This course prepares exam candidates for the critical Threats, Attacks, and Vulnerabilities domain of the exam. By learning about malware, networking and application security exploitations, and social engineering, you'll be prepared to answer questions from the exam—and strengthen your own organization's systems and defenses. Author Mike Chapple, an IT leader with over 15 years of experience, also covers the processes for discovering and mitigating threats and attacks, and conducting penetration testing and scanning for vulnerabilities. Visit certmike.com to join one of his free study groups.