ElliottBlumenstein_CST610_Project_1_SARS (2), docx, 13 pages
School: University of Maryland. Course: 610. Subject: Information Systems. Date: Jan 9, 2024. Uploaded by afeeblemind.
CST 610 Project 1
Cyberspace and Cybersecurity Foundations
Security Assessment
Report Prepared By: Elliott Blumenstein
Version 1.0
CST610
Page ii
Table of Contents
Table of Contents ..... ii
1. Executive Summary ..... 3
2. Assessment Scope ..... 3
3. Assessment Methodology ..... 3
4. Detailed Findings ..... 3
5. Conclusion ..... 3
1. Executive Summary
FIC Bank is a small credit union looking to improve its IT infrastructure and reduce its technical risk. The company requires us to identify all available services and the vulnerabilities in those services and to document the findings. Through this SAR, the company will better understand its IT infrastructure and how to prevent or reduce vulnerabilities. The task was to initiate a vulnerability scan of the bank's IP address. The scan looks for critical, high, medium, low, and informational vulnerabilities. Also, I searched through Windows PowerShell to learn how many ports were open, what service was using each port, and what version was running. Using the Nessus Basic Scan, several vulnerabilities were found. The five critical and four high vulnerabilities are the most important to resolve, and a plan should be created to reduce those kinds of vulnerabilities in the future. Six medium and one low vulnerability were also detected and will be resolved. A standard needs to be implemented at the technical, management, and operational levels, and each level must carry out a plan to support FIC Bank's IT infrastructure. The SAR provides details on the vulnerabilities and how to resolve them.
2. Assessment Scope
The security assessment will evaluate FIC Bank's technical infrastructure and provide recommendations to enhance and protect it. The scope of this SAR covers the hardware, software, policies on the technical infrastructure, security protocols, etc. By scanning the IP address, we can see which ports are open, which are closed, and how many ports there are. We will also see whether any ports are filtered: a port is filtered when we send a probe to the host but receive no response, because the request is filtered and/or blocked by a firewall. To find out the information about the ports, we used an application to access the IP address of the various systems and then used Nmap commands to provide the information needed. These commands give us several answers. For example, nmap 10.138.9.1/24 shows 12 open ports and 988 closed ports on 10.138.9.167, while all 1000 scanned ports on 10.138.9.31 are filtered. With the 12 open ports, we know there are 12 different services. We will use more commands to better understand what is on the network and our course of action. After using PowerShell, the Nessus scan tool will point out any vulnerabilities and whether the fix is upgrading software or restricting access. Our scope is to apply what we find in each program to provide FIC Bank with a plan of action to improve its technical posture.
3. Assessment Methodology
The first step was consulting FIC Bank about what they wanted from this security assessment. This provides a baseline of what is needed from the assessment and what we can provide. Using what FIC Bank wants to know, our next step is accessing the IP address of all the systems. This entails using Nmap commands to view which ports are open, closed, and filtered. After we use the different commands, Nessus will be used to scan for vulnerabilities using the IP addresses. This scan gives us a basic understanding of where we must look and what we can recommend to the client. The scan shows the severity levels of the vulnerabilities, which we must prioritize so that their system can function and the bank's customers are protected from threats.
The last step is to implement a plan of action covering the management, operational, and technical aspects. Creating this will allow FIC Bank to reduce the number of threats and limit the risk from vulnerabilities. This assessment will also give FIC Bank a better understanding of what needs to be done in case of a breach.
4. Detailed Findings
Action: ipconfig
Result: the IP address was provided
Running ipconfig in PowerShell lets users view the system's IPv4 address, here 10.138.9.167. The client can use their IP address to troubleshoot network issues, trace emails or devices, or enable remote access to the network.
Action: nmap 10.138.9.1/24
Result: Provide port information
This command lets the client see which ports can receive packets (the port is open), which respond that no application is listening (the port is closed), and which were sent a packet but the host did not respond and is not listening (the port is filtered).
Port | Protocol | Service | Common Name or Use
22 | TCP | SSH | Secure Shell
135 | TCP | MSRPC | Microsoft Remote Procedure Call
139 | TCP | NETBIOS-SSN | Network BIOS Session Service
445 | TCP | MICROSOFT-DS | Used by Server Message Block; network protocol used in Windows networks for sharing resources over a network
1947 | TCP | SENTINELSRM | Software license protection system
3389 | TCP | VMRDP | Virtual Machine Remote Desktop Protocol
2179 | TCP | MS-WBT-SERVER | Microsoft Web Based Terminal Server
5800 | TCP | VNC-HTTP | Virtual Network Computing remote desktop protocol for use over HTTP
5900 | TCP | VNC | Virtual Network Computing
6000 | TCP | X11 | X server that accepts remote TCP connections
8000 | TCP | HTTP-ALT | Alternate HTTP port
8089 | TCP | UNKNOWN | Splunk server
Action: nmap -A
Result: The command performed an aggressive scan of several IP addresses and gave a thorough breakdown of each open port on each host.
PS C:\Users\Administrator> nmap -A 10.138.9.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2023-10-20 19:34 Coordinated Universal Time
Nmap scan report for 10.138.9.31
Host is up (0.00s latency).
All 1000 scanned ports on 10.138.9.31 are filtered
MAC Address: 02:3A:44:3E:65:F5 (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.00 ms 10.138.9.31
Nmap scan report for 10.138.9.113
Host is up (0.0010s latency).
All 1000 scanned ports on 10.138.9.113 are filtered
MAC Address: 02:91:C2:5A:FE:1B (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 1.00 ms 10.138.9.113
Nmap scan report for 10.138.9.167
Host is up (0.0000070s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 68:08:42:e3:35:8f:f7:3f:2e:f2:9d:fb:28:23:11:36 (RSA)
| 256 fe:77:12:93:8b:6d:a9:38:7f:16:4b:b9:5e:d9:03:74 (ECDSA)
|_ 256 fc:f2:93:f4:de:45:de:38:2d:ae:39:ad:0d:27:b8:ae (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1947/tcp open http Aladdin/SafeNet HASP license manager 18.00
|_http-server-header: HASP LM/18.00
| http-title: Site doesn't have a title (text/html).
|_Requested resource was /_int_/index.html
2179/tcp open vmrdp?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=EC2AMAZ-O8AHUB0
| Not valid before: 2023-07-11T00:05:50
|_Not valid after: 2024-01-10T00:05:50
|_ssl-date: 2023-10-20T19:36:15+00:00; 0s from scanner time.
5800/tcp open vnc-http Ultr@VNC (Name ec2amaz-o8ahub0; resolution: 2256x1536; VNC TCP port: 5900)
|_http-title: [ec2amaz-o8ahub0]
5900/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
| Ultra (17)
|_ VNC Authentication (2)
6000/tcp open X11 VcXsrv X server
8000/tcp open http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.138.9.167:8000/en-US/account/login?return_to=%2Fen-US%2F
8089/tcp open ssl/http Splunkd httpd (free license; remote login disabled)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-server-header: Splunkd
|_http-title: Site doesn't have a title (text/xml; charset=UTF-8).
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2022-06-22T15:11:02
|_Not valid after: 2025-06-21T15:11:02
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Vista SP1 (90%), Microsoft Windows 10 1703 (90%), Microsoft Windows Longhorn (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 Update 1 (88%), Windows Server 2012 R2 (88%), Microsoft Windows Server 2016 build 10586 - 14393 (88%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (88%), Microsoft Windows 10 1607 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 0 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap -A, as stated above, is an aggressive and advanced scan. This command lets us see OS detection (or at least a best guess), the service running on each open port and its version, the network distance, and a traceroute. For example, IP 10.138.9.167 has 988 closed ports and 12 open ports. Port 22/TCP is open, running the SSH service, version OpenSSH for_Windows_7.7 (protocol 2.0). Its network distance is 0 hops, but IP address 10.138.9.113 has a network distance of 1 hop, meaning the packet passed through one router.
Action: Nessus Basic Scan
Result: Provided the vulnerabilities we needed, the threat level of the vulnerabilities, and how to remedy the vulnerabilities
Vulnerability | Status | Port/Plug-In Output | Solution
Codemeter < 7.10a | Critical | TCP/22352 | Upgrade to Codemeter 7.10a or later
Codemeter runtime buffer over-read | Critical | TCP/22350/codemeter_network_server | Upgrade Codemeter Runtime to version 7.21a or later
CodeMeter Runtime Predictable Encryption Key | Critical | TCP/22350/codemeter_network_server | Upgrade CodeMeter Runtime to version 7.10a or later
X Server Unauthenticated Access: Screenshot | Critical | TCP/6000/X11 | Restrict access to this port by using the 'xhost' command
X11 Server Unauthenticated Access | Critical | TCP/6000/X11 | Restrict access to this port by using the 'xhost' command
CodeMeter < 6.90 License Forging Vulnerability | High | TCP/22353 | Upgrade to CodeMeter 6.9 or later
CodeMeter < 7.10 Information Exfiltration Vulnerability | High | TCP/22352 | Upgrade to CodeMeter 7.10 or later
SSL Medium Strength Cipher Suites Supported (SWEET32) | High | TCP/3389/MSRDP | Reconfigure the affected application if possible to avoid use of medium strength ciphers
Splunk Free Detection | High | TCP/8000 | Either limit incoming traffic to this port or upgrade to Splunk Enterprise
SMB Signing not required | Medium | TCP/445/CIFS | Enforce message signing in the host's configuration
SSL Certificate Cannot Be Trusted | Medium | TCP/3389/MSRDP | Purchase or generate a proper SSL certificate for this service
SSL Self-Signed Certificate | Medium | TCP/3389/MSRDP | Purchase or generate a proper SSL certificate for this service
Splunk Information Disclosure Vulnerability (SP-CAAAP5E) | Medium | TCP/8000 | Consult your vendor for a patch or a workaround
TLS Version 1.0 Protocol Detection | Medium | TCP/3389/MSRDP | Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0
TLS Version 1.1 Protocol Deprecated | Medium | TCP/3389/MSRDP | Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1
X Server Detection | Low | TCP/6000/X11 | Restrict access to this port
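As an added example (not part of the report), the following Python correlates the open/closed/filtered port states from the nmap -A output above with the Nessus findings table by port. The scan excerpt and findings list are constructed from this report's own output; findings on ports that nmap never reported open are set aside, because they need a full-port scan to confirm.

```python
import re

# Constructed excerpt of the nmap -A output reproduced in this report
# (added example; not the report's own code).
NMAP_OUTPUT = """\
Nmap scan report for 10.138.9.31
All 1000 scanned ports on 10.138.9.31 are filtered
Nmap scan report for 10.138.9.167
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
6000/tcp open X11 VcXsrv X server
8000/tcp open http Splunkd httpd
"""

# Subset of the Nessus findings in this report's table: (port, severity, title).
FINDINGS = [
    (22352, "Critical", "Codemeter < 7.10a"),
    (6000, "Critical", "X11 Server Unauthenticated Access"),
    (3389, "High", "SSL Medium Strength Cipher Suites Supported (SWEET32)"),
    (445, "Medium", "SMB Signing not required"),
    (8000, "Medium", "Splunk Information Disclosure Vulnerability"),
]
SEVERITY = ["Critical", "High", "Medium", "Low"]  # triage order

def parse_nmap(text):
    """Return {host: {"filtered": bool, "open": {port: service}}}."""
    hosts, host = {}, None
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            host = m.group(1)
            hosts[host] = {"filtered": False, "open": {}}
        elif host and re.match(r"All \d+ scanned ports on \S+ are filtered", line):
            hosts[host]["filtered"] = True  # every probe dropped: a firewall sits in front
        elif host and (m := re.match(r"(\d+)/tcp\s+open\s+(\S+)", line)):
            hosts[host]["open"][int(m.group(1))] = m.group(2)
    return hosts

def correlate(hosts, findings):
    """Attach each finding (worst severity first) to the hosts whose open port
    it names. Findings on a port nmap never reported open go to 'unmatched':
    the CodeMeter port 22352 needs a full-port scan (nmap -p-) to confirm."""
    matched, unmatched = [], []
    for port, sev, title in sorted(findings, key=lambda f: SEVERITY.index(f[1])):
        hits = [(h, d["open"][port]) for h, d in hosts.items() if port in d["open"]]
        (matched if hits else unmatched).append((sev, port, title, hits))
    return matched, unmatched
```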
5. Conclusion
FIC Bank has 16 vulnerabilities: five critical, four high, six medium, and one low. The main priority will be the critical and high vulnerabilities. “Vulnerability scanning is an examination of information system security, including systems connected to the internet, applications, and online network equipment components, through the detection of vulnerabilities and security vulnerabilities” (Liwei Wang, 2021, p. 30). Vulnerability scanning is a proactive assessment that allows us to see any weaknesses that could be exploited. It lets us see information about services, ports, packet types, etc. FIC Bank has several vulnerabilities that could be used against the small business, such as multiple memory corruption vulnerabilities where the packet parser does not verify length fields. As a result, an attacker could send specially crafted packets to gain access. The solution would be to upgrade the web application.
The main types of vulnerabilities that can be detected are out-of-date or unpatched software, missing or weak authorization credentials, system misconfigurations, and missing or poor data encryption. On FIC Bank's network, several vulnerabilities could be attributed to outdated software or systems. Some remote servers were easily accessible, and the solution would be to reduce access. Some patches were missing as well.
Some of the vulnerabilities could be found by unauthenticated vulnerability scans, which means that these scans run without any credentials. Authenticated scans use credentials to access the target, like having a username and password configured in Nessus.
The Nessus scanning tool was used to find vulnerabilities in FIC Bank's IT infrastructure, but more scanning tools can be used. Nmap is an open-source scanner that can be used for network discovery, monitoring host or service uptime, and inventory. Acunetix is a web-based scanner that has advanced crawl technology. In our case, we used Nmap commands to find the networks and ports. Vulnerability scanners do have limitations, whether they are widely popular or open-source. These scans can produce false-positive results, which we would have to verify to determine what is correct. There could be deeper issues that the scan cannot detect, so a penetration test might have to be administered. However, it is a cost-effective test that allows small companies like FIC Bank to see what vulnerabilities are present. This will help reduce exploitation. FIC Bank should update or upgrade its software and systems and use firewalls on its open ports, so that filtered ports stop threats that might try to expose weaknesses.
References
Liwei Wang, R. A. (2021). An empirical study on vulnerability assessment and penetration detection for highly sensitive networks. Journal of Intelligent Systems. https://doi.org/10.1515/jisys-2020-0145