Chapter 4: Computer Network

Vulnerabilities
Guide to Computer Network Security
 Sources of Vulnerabilities
There is no definitive list of all possible
sources of these system vulnerabilities
Among the most frequently mentioned
sources of security vulnerability problems in
computer networks are
– design flaws,
– poor security management,
– incorrect implementation,
– Internet technology vulnerability,
– the nature of intruder activity,
– the difficulty of fixing vulnerable systems,
– the limits of effectiveness of reactive solutions,
– social engineering
Kizza - Guide to Computer Network Securi
ty
2
 Computer Network Vulnerabilities
System vulnerabilities are weaknesses
in the software or hardware on a
server or a client that can be exploited
by a determined intruder to gain
access to or shut down a network.
A system vulnerability is a condition, a
weakness of or an absence of security
procedure, or technical, physical, or
other controls that could be exploited
by a threat
Kizza - Guide to Computer Network Securi 3
ty
 Design Flaws
The two major components of a computer
system, hardware and software, quite often
have design flaws
Hardware systems are less susceptible to
design flaws than their software counterparts
owing to less complexity and the long history
of hardware engineering.
But even with all these factors backing up
hardware engineering, design flaws are still
common.
But the biggest problems in system security
vulnerability are due to software design flaws
Kizza - Guide to Computer Network Securi 4
ty
three major factors contribute a great
deal to software design flaws:
– human factors,
– software complexity,
– trustworthy software sources

Kizza - Guide to Computer Network Securi 5

ty
Human Factors - Poor software performance
can be a result of:
– Memory lapses and attentional failures: For
example, someone was supposed to have removed
or added a line of code, tested, or verified but did
not because of simple forgetfulness.
– Rush to finish: The result of pressure, most often
from management, to get the product on the
market either to cut development costs or to meet
a client deadline can cause problems.
– Overconfidence and use of nonstandard or
untested algorithms: Before algorithms are fully
tested by peers, they are put into the product line
because they seem to have worked on a few test
runs.
Kizza - Guide to Computer Network Securi 6
ty
– Malice: Software developers, like any other
professionals, have malicious people in their
ranks. Bugs, viruses, and worms have been
known to be embedded and downloaded in
software, as is the case with Trojan horse
software, which boots itself at a timed location.
– Complacency: When either an individual or a
software producer has significant experience in
software development, it is easy to overlook
certain testing and other error control
measures in those parts of software that were
tested previously in a similar or related
product, forgetting that no one software
product can conform to all requirements in all
environments.
Kizza - Guide to Computer Network Securi 7
ty
Software Complexity - Professionals and
nonprofessionals who use software know the
differences between software programming and
hardware engineering. It is in these differences that
underlie many of the causes of software failure and
poor performance. Consider the following:
– Complexity: Unlike hardwired programming in which it is easy
to exhaust the possible outcomes on a given set of input
sequences, in software programming a similar program may
present billions of possible outcomes on the same input
sequence.
– Difficult testing: There will never be a complete set of test
programs to check software exhaustively for all bugs for a
given input sequence.
– Ease of programming: The fact that software programming is
easy to learn encourages many people with little formal
training and education in the field to start developing
programs, but many are not knowledgeable about good
programming practices or able to check for errors.
– Misunderstanding of basic design specifications : This affects
the subsequent design phases including coding, documenting,
and testing. It also results in improper and ambiguous
specifications of major components of the software and in ill-
chosen and poorly defined
Kizza internal
- Guide to Computer Networkprogram
Securi structures. 8
ty
Trustworthy Software Sources –
– There are thousands of software sources for the millions of
software products on the market today. However, if we were
required to name well known software producers, very few of
us would succeed in naming more than a handful. Yet we buy
software products every day without even ever minding their
sources. Most important, we do not care about the quality of
that software, the honesty of the anonymous programmer, and
of course the reliability of it as long as it does what we want it to
do.
– Even if we want to trace the authorship of the software product,
it is impossible because software companies are closed within
months of their opening. Chances are when a software product
is 2 years old, its producer is likely to be out of business. In
addition to the difficulties in tracing the producers of software
who go out of business as fast as they come in, there is also
fear that such software may not even have been tested at all.
– The growth of the Internet and the escalating costs of software
production have led many small in-house software developers to
use the marketplace as a giant testing laboratory through the
use of beta testing, shareware, and freeware. Shareware and
freeware have a high potential of bringing hostile code into
trusted systems. Kizza - Guide to Computer Network Securi 9
ty
Software Re-Use, Re-engineering, and Outlived
Design
– New developments in software engineering are
spearheading new developments such as software
re-use and software re-engineering. Software re-
use is the integration and use of software assets
from a previously developed system. It is the
process in which old or updated software such as
library, component, requirements and design
documents, and design patterns is used along
with new software.
– Both software re-engineering and re-use are hailed
for cutting down on the escalating development
and testing costs. They have brought efficiency
by reducing time spent designing or coding,
popularized standardization, and led to common
“look-and-feel” between applications. They have
made debugging easier through use of thoroughly
tested designs and code .
Kizza - Guide to Computer Network Securi 10
ty
 Poor Security Management
Security management is both a technical and an administrative
security process that involves security policies and controls that the
organization decides to put in place to provide the required level of
protection. In addition, it also involves security monitoring and
evaluation of the effectiveness of those policies.
The most effective way to meet those goals is to implement security
risk assessment through a security policy and securing access to
network resources through the use of firewalls and strong
cryptography. These and others offer the security required for the
different information systems in the organization in terms of
integrity, confidentiality, and availability of that information.
Security management by itself is a complex process; however, if it
is not well organized it can result in a security nightmare for the
organization.
Poor security management is a result of little control over security
implementation, administration, and monitoring. It is a failure in
having solid control of the security situation of the organization when
the security administrator does not know who is setting the
organization’s security policy, administering security compliance, and
who manages system security configurations and is in charge of
security event and incident handling.
Kizza - Guide to Computer Network Securi 11
ty
Good security management is made up of a number of
implementable security components that include
risk management,
information security policies and procedures,
standards, guidelines,
information classification,
security monitoring,
security education.
– These core components serve to protect the organization’s
resources.
– A risk analysis will identify these assets, discover the threats that
put them at risk, and estimate the possible damage and potential
loss a company could endure if any of these threats become real.
The results of the risk analysis help management construct a
budget with the necessary funds to protect the recognized assets
from their identified threats and develop applicable security
policies that provide direction for security activities. Security
education takes this information to each and every employee.
– Security policies and procedures to create, implement, and
enforce security issues that may include people and technology.

– Standards and guidelines to find ways, including automated

solution for creating, updating, and tracking compliance of
security policies across the organization.
Kizza - Guide to Computer Network Securi 12
ty
– Information classification to manage the
search, identification, and reduction of
system vulnerabilities by establishing
security configurations.
– Security monitoring to prevent and detect
intrusions, consolidate event logs for future
log and trend analysis, manage security
events in real-time, manage parameter
security including multiple firewall
reporting systems, and analyze security
events enterprise-wide.
– Security education to bring security
awareness to every employee of the
organization and teach them their
individual security responsibility.
Kizza - Guide to Computer Network Securi 13
ty
 Incorrect Implementation

Incorrect implementation very often is a result

of incompatible interfaces. Two product
modules can be deployed and work together
only if they are compatible. That means that
the module must be additive, that is the
environment of the interface needs to remain
intact.
An incompatible interface, on the other hand,
means that the introduction of the module
has changed the existing interface in such a
way that existing references to the interface
can fail or behave incorrectly.
Kizza - Guide to Computer Network Securi
ty
14
Incompatibility in system interfaces
may be cause by a variety of conditions
usually created by things such as:
– Too much detail
– Not enough understanding of the
underlying parameters
– Poor communication during design
– Selecting the software or hardware
modules before understanding the
receiving software
– Ignoring integration issues
– Error in manual entry
Kizza - Guide to Computer Network Securi 15
ty
 Internet Technology
Vulnerability
The fact that computer and telecommunication
technologies have developed at such an amazing
and frightening speed and people have
overwhelmingly embraced both of them has
caused security experts to worry about the side
effects of these booming technologies.
Internet technology has been and continues to be
vulnerable. There have been reports of all sorts of
loopholes, weaknesses, and gaping holes in both
software and hardware technologies.
No one knows how many of these vulnerabilities
there are both in software and hardware. The
assumption is that there are thousands. As history
has shown us, a few are always discovered every
day by hackers
Kizza - Guide to Computer Network Securi 16
ty
Although the list spans both hardware and software,
the problem is more prevalent with software. In fact
software vulnerabilities can be put into four
categories:
– Operating system vulnerabilities: Operating
systems are the main sources of all reported
system vulnerabilities.
– Port-based vulnerabilities: Besides operating
systems, network service ports take second place is
sourcing system vulnerabilities. For system
administrators, knowing the list of most vulnerable
ports can go a long way to help enhance system
security by blocking those known ports at the
firewall.
– Application software based errors
– System protocol software such as client and server
browser. Kizza - Guide to Computer Network Securi
ty
17
 Changing Nature of Hacker
Technologies and Activities

It is ironic that as “useful” technology develops so

does the “bad” technology. What we call useful
technology is the development in all computer and
telecommunication technologies that are driving the
Internet, telecommunication, and the Web. “Bad”
technology is the technology that system intruders
are using to attack systems. Unfortunately these
technologies are all developing in tandem.
In fact there are times when it looks like hacker
technologies are developing faster that the rest of
the technology. One thing is clear, though: hacker
technology is flourishing.
Kizza - Guide to Computer Network Securi 18
ty
 Difficulty of Fixing Vulnerable Systems
It is difficult to fix known system vulnerabilities. There is concern
about the ability of system administrators to cope with the number
of patches issued for system vulnerabilities. As the number of
vulnerabilities rises, system and network administrators face a
difficult situation. They are challenged with keeping up with all the
systems they have and all the patches released for those systems.
Patches can be difficult to apply and might even have unexpected
side effects as a result of compatibility issues [2].
Beside the problem of keeping abreast of the number of
vulnerabilities and the corresponding patches there are also logistic
problems between the time a vendor releases a security patch, and
the time a system administrator fixes the vulnerable computer
system.
There are several factors affecting the quick fixing of patches.
Sometimes it is the logistics of the distribution of patches. Many
vendors disseminate the patches on their Web sites; others send
e-mail alerts. However, sometimes busy systems administrators
do not get around to these e-mails and security alerts until
sometime after. Sometimes it can be months or years before the
patches are implemented on a majority of the vulnerable
computers.
Kizza - Guide to Computer Network Securi 19
ty
Limits of Effectiveness of Reactive
Solutions
Because just a small percentage of all attacks is reported,
this indicates a serious growing system security problem.
Urgent action is needed to find an effective solution to this
monstrous problem.
The security community, including scrupulous vendors, have
come up with various solutions, some good and others not. In
fact, in an unexpected reversal of fortunes one of the new
security problems is to find a “good” solution from among
thousands of solutions and to find an “expert” security option
from the many different views.
Are we reaching the limits of our efforts, as a community, to
come up with a few good and effective solutions to this
security problem? There are many signs to support an
affirmative answer to this question.

Kizza - Guide to Computer Network Securi 20

ty
It is clear that we are reaching the limits of effectiveness of our
reactive solutions. Richard D. Pethia gives the following reasons:
– The number of vulnerabilities in commercial off-the-shelf software
is now at the level that it is virtually impossible for any but the
best resourced organizations to keep up with the vulnerability
fixes.
– The Internet now connects more than 109,000,000 computers
and continues to grow at a rapid pace. At any point in time, there
are hundreds of thousands of connected computers that are
vulnerable to one form of attack or another.
– Attack technology has now advanced to the point where it is easy
for attackers to take advantage of these vulnerable machines and
harness them together to launch high-powered attacks.
– Many attacks are now fully automated, thus reducing the
turnaround time even further as they spread around
cyberspace.
– The attack technology has become increasingly complex and in
some cases intentionally stealthy, thus reducing the turnaround
time and increasing the time it takes to discover and analyze the
attack mechanisms in order to produce antidotes.
– Internet users have become increasingly dependent on the
Internet and now use it for many critical applications so that a
relatively minor attack has the potential to cause huge damages.

Kizza - Guide to Computer Network Securi 21

ty
 Social Engineering
Social engineering is an outside hacker's use
of psychological tricks on legitimate users of
a computer system, in order to gain the
information (usernames and passwords) one
needs to gain access to the system.
Social engineering is a diversion, in the
process of system attack, on people’s
intelligence to utilize two human
weaknesses: first no one wants to be
considered ignorant and second is human
trust. Ironically these are two weaknesses
that have made social engineering difficult
to fight because no one wants to admit
falling for it. This has made social
engineering a critical system security hole.
Kizza - Guide to Computer Network Securi
ty
22
 Vulnerability Assessment
Vulnerability assessment is a process that works
on a system to identify, track, and manage the
repair of vulnerabilities on the system.
The assortment of items that are checked by this
process in a system under review varies depending
on the organization. It may include all desktops,
servers, routers, and firewalls.
Most vulnerability assessment services will provide
system administrators with:
– network mapping and system finger printing of all known
vulnerabilities
– a complete vulnerability analysis and ranking of all
exploitable weaknesses based on potential impact and
likelihood of occurrence for all services on each host
– prioritized list of misconfigurations.
Kizza - Guide to Computer Network Securi 23
ty
A final report is always produced
detailing the findings and the best way
to go about overcoming such
vulnerabilities.
This report consists of:
– prioritized recommendations for
mitigating or eliminating weaknesses,
– based on an organization’s operational
schedule, it also contains
recommendations of further
reassessments of the system within given
time intervals or on a regular basis.
Kizza - Guide to Computer Network Securi 24
ty
Vulnerability Assessment Services
Due to the massive growth of the number of
companies and organizations owning their own
networks, the growth of vulnerability monitoring
technologies, the increase in network intrusions and
attacks with viruses, and world-wide publicity of such
attacks, there is a growing number of companies
offering system vulnerability services
Among the services are:
– Vulnerability Scanning - to provide a comprehensive security
review of the system including both the perimeter and
system internals. The aim of this kind of scanning is to spot
critical vulnerabilities and gaps in the system’s security
practices. Comprehensive system scanning usually results in
a number of both false positives and negatives. It is the job
of the system administrator to find ways of dealing with these
false positives and negatives. The final report produced after
each scan consists of strategic advice and prioritized
recommendationsKizza
ty to ensure critical holes are addressed first.
- Guide to Computer Network Securi 25
Vulnerability Assessment and Penetration
Testing - a hands-on testing of a system for
identified and unidentified vulnerabilities.
All known hacking techniques and tools are
tested during this phase to reproduce real-
world attack scenarios. One of the outcomes
of these real-life testings is that new and
sometimes obscure vulnerabilities are
found, processes and procedures of attack
are identified, and sources and severity of
vulnerabilities are categorized and
prioritized based on the user-provided risks.

Kizza - Guide to Computer Network Securi 26

ty
Advantages of Vulnerability Assessment
Services
They can, and actually always do, provide
and develop signatures and updates for new
vulnerabilities and automatically include
them in the next scan. This eliminates the
need for the system administrator to
schedule periodic updates.
Probably the best advantage to an
overworked and many times resource
strapped system administrator is the
automated and regularly scheduled scan of
all network resources. They provide, in
addition, a badly needed third-party
“security eye.” thus helping the
administrator to provide an objective yet
independent security evaluation
Kizza - Guide to Computer Network Securi
ty
27