Project in a computer system. Application programs usually require

Project 2: SAR

CYB 610

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!

order now

Waise Sekander

University of Maryland University College
















purpose of this security assessment report presents the results of security
assessments of the information technology infrastructure which include: people,
processes, policies and information systems (NIST, 2010).  The SAR, alongside the system security report
and plan of actions are essential documents for the organization. These
documents are used to deliver the vital feedback of the current security state
and posture of the system, which will allow us to make a risk-based decision deciding
whether the system should stop operating or continue normal operations.

The SAR,
provides the overall state of security detailing the infrastructure’s capability
to deliver the security objectives when protecting the data which is being
transmitted, stored, or processed.

captures a real-time assessment of the security state of the information system,
which allows the organization to support continuous monitoring activities, and
is updated whenever subsequent security assessments are completed.  The SAR
should be described with updated versions each time there is a change and these changes should be detailed within
the SAR. This SAR will consist of the following sections to prevent a
security breach:  Operating System
Overview, Operating System Vulnerabilities, Assessment Methodologies, Risk, Comparative
Analysis of Assessment Tools and Recommendations.

System (OS)

Operating system:  is software that manages computer hardware and
software resources and provides common services for computer programs. The
operating system is an essential component of the system software in a computer
system. Application programs usually require an operating system to function. (Bearnes,
2014) The operating system permits coordination of key
tasks, such as the managing of memory and processing as it makes tasks possible
and builds a base for applications to run on. It provides a platform for users
to interact with hardware through the use of a graphic user interface, or GUI,
an end user can interact with the operating system and by extension of the

Embedded operating systems are designed to run
as efficiently as possible, expending the least amount of resources to complete
various tasks as well as to work with specialized applications and hardware to complete
specific tasks.

A central focus in web architecture is the
requirement of the user, in making sure a site meets the needs of a client and
has a strong usability as the priority of the user is to gain easy access to
needed information.

Role in OS

The users interact with hardware, through the
use of a graphic user interface, or GUI, in which an end user can interact with
the operating system and by hardware extensions.

and OS Applications

Kernel: Is the central component of most computer operating
systems, it abstracts the hardware to user
programs and communicates to hardware both directly and through drivers. It is also a bridge between applications and the
actual data processing is done at the hardware level. (Wienand, 2016) Kernel
applications are the central module of operating systems that loads first and
always remain in the main memory. It’s important for the kernel to be small
since it stays in the memory while still providing all essential services
required by other parts of the operating systems and applications. The kernel
code is usually loaded into a protected area of the memory to prevent it from
being overwritten by programs and other parts of the operating systems. The
kernel is also responsible for memory management, process, disc and task
management, by connecting the system hardware to the application software. On
the other hand, the applications make use of the OS by making requests for
services through a defined application program interface (API). In addition to
that users can communicate directly with the OS though the user interface such
as command line or a graphical user interface (GUI).

Types of OS

Cloud computing: Cloud
computing refers to the use of remote servers over the Internet (instead of via
local servers or devices) for the purpose of sharing resources. According to
the National Institute of Standards and Technology (Wienand, 2016)

Network architecture: Also
known as the fourth technology piece

Web architecture: Blends
a mix of functional, technical, and aesthetic needs, a typical Web application
involves four tiers:

Information systems
architecture: Information system architecture is the definition of the sum total of
the components that make up an organizational information system. This
encompasses many different parts and can include both technological aspects
such as technical framework, and product technologies as well as organizational
aspects, such as policy or business processes. (cite lti.umc information

 OS Vulnerabilities


in Windows involve a
lack of malware protection, lack of personal firewall protection, weak or
nonexistent drive encryption, weak Windows security policy settings, weak or
nonexistent passwords, and unaccounted-for
systems running unknown, and unmanaged, services e.g. IIS and SQL Server Express.
(Beaver, 2008)

Linux Vulnerabilities

Linux is an open-source operating systems
starting with a Linux kernel, which is then modified by a team of volunteer
developers. There is no one set of Linux vulnerabilities, each have their own
features and must be assessed on that basis. (Haogang et al., 2011) These vulnerabilities are based on
the kind of programming mistake the developers make, since it can be exploited
in several ways.

Missing pointer checks: The
kernel omits access_ok checks or misuses “faster” operations such as get_user,
which does not validate the value of the user-provided pointers or index
variables to ensure that they point to user-space memory only. (Haogang et al.,

Buffer overflow: The
kernel incorrectly checks the upper or lower bound when accessing a buffer,
allocates a smaller buffer than it is supposed to, uses unsafe sting
manipulation functions, or defines local variables which are too large for the
kernel stack. (Haogang et al., 2011)

Integer overflow: The
kernel performs an integer operation incorrectly, resulting in an integer
overflow, underflow, or sign error.  (Haogang
et al., 2011)

Uninitialized data: The
kernel copies the contents of a kernel buffer to user space without zeroing
unused fields, thus leaking potentially sensitive information to user processes,
such as variables on the kernel stack.  (Haogang
et al., 2011)

Memory mismanagement: This
category includes vulnerabilities in kernel memory management, such as
extraneous memory consumption, memory leak, double free, and user-after-free
errors. (Haogang et al., 2011)

MAC Vulnerabilities

MAC vulnerabilities include the default
configuration (http) which is unsafe and leads to RCE over MITM attack inside
un-trusted environment and the risk of
parsing file://, ftp:// and other protocols inside the Web View
component. (Radek, 2016) As MAC products continue to increase in popularity
with the growing number of mobile products specifically the iPad and iPhone, a
growing number of vulnerabilities have been located. Users often fail to take
the necessary precautions to safeguard their security, with the perception of
MAC being a secure operating system.

Mobile Device Vulnerabilities

Wired and non-wired device communication mechanisms (e.g.,
cellular, Wi-Fi, Bluetooth, GPS, etc.) expose mobile devices to a distinct set
of threats. ESIM
introduces a new set of threats even though it gives
users more flexibility in choosing or switching among networks. Supply chain
threats are difficult to mitigate because of the continuing development
process, if the device firmware contains vulnerabilities. (Sablemen,
2016) Mobile devices are the subject of many security topics due
to it being easily susceptible to an attack. Data not stored properly, malware
and lack of encryption are some of the factors that contribute to mobile
vulnerabilities. It is necessary for mobile device users to understand the best
practice for downloading apps are as well as granting permissions to external
application installations. To access data on an unlocked smart phone running a
poorly written app, the file must be extracted of the mobile application then a
query. This will give you information about the data stored in that app, which
can be a major problem if the database connects to a back-end system. Sensitive
data and external connections should be encrypted at the mobile device’s level
to avoid these vulnerabilities.

Windows & Linux Intrusion Methods

Eavesdropping: Network communications occur in an unsecured
or “clear text” format, which allows an attacker who has gained
access to data paths in your network to “listen in” or interpret
(read) the traffic. (“Common types of network”, 2016)

Data modification:
Attackers modify the data in the packet without the knowledge of the sender or
receiver. (“Common types of network”, 2016)

Identity spoofing: The
use of the IP address of a computer is to identify a valid entity; identity
spoofing can make IP addresses to be falsely assumed. After gaining access to
the network with a valid IP address, the attacker can modify, reroute, or
delete your data. The attacker can also conduct attacks, like Password-Based,
Denial-of-Service, Man-in-the-Middle Attack, Compromised-Key, Sniffer, and
Application-Layer Attack. (“Common types of network”, 2016)


Accepting Risk

cost-benefit analysis determines the cost to mitigate risk is higher than cost
to bear the risk, then the best response is to accept and continually monitor
the risk. (ERM, 2010)

Transferring Risk

If the
activities with low probability of occurring, but with a large financial
impact. The best response is to transfer a portion or all of the risk to a
third party by purchasing insurance, hedging, outsourcing, or entering into
partnerships. (ERM, 2010)

Mitigating Risk

The activities with a high
likelihood of occurring, but financial impact is small. The best response is to
use management control systems to reduce the risk of potential loss. (ERM,

Eliminating Risk

activities with a high likelihood of loss and large financial impact. The best
response is to avoid the activity. (ERM, 2010)

Security Tools

As the technology world
continues to advance, so do the levels of information security threats. An
advance in network systems means, IT departments and organizations need to
develop powerful tools to deal with security issues.

Intrusion detection system (IDS): An Intrusion Prevention
System is a network device/software that goes deeper than a firewall to
identify and block network threats by assessing each packet based on the
network protocols in the application layer, the context of the communication
and tracking of each session. (Rajesh, 2009)

Network based intrusion
detection system: A network based Intrusion Prevention System sits in-line on
the network monitoring the incoming packets based on certain prescribed rules
(which can be tweaked by the security administrator) and if any bad traffic is
detected, the same is dropped in real-time. It is useful to detect and prevent
attacks like DoS/DDoS attacks, brute force attacks, vulnerability detection,
protocol anomaly detection and prevention of zero day unknown attacks. IPS
technologies are mostly session based and traffic flow is examined based on
session flow. (Rajesh, 2009)

Intrusion prevention system (IPS):  An Intrusion Prevention
System is a network device/software that goes deeper than a firewall to
identify and block network threats by assessing each packet based on the
network protocols in the application layer, the context of the communication
and tracking of each session. (Rajesh, 2009)

Signature based threat
detection: Intrusion detection/prevention systems contain
a large repository of signatures that help identify attacks by matching attempts
to known vulnerability patterns. (Rajesh, 2009)

Anomaly threat detection: Anomaly
detection techniques protect against first strike or unknown threats by
comparing the network traffic to a baseline to identify abnormal and
potentially harmful behavior. (Rajesh, 2009)

Passive network monitoring: Identifies abnormal behavior/deviation of
certain security threshold parameters and reports the same by generating
reports/alerts about the device communications to the security administrator.
(Rajesh, 2009)

Vulnerability Assessment Methodology

assessment is an examination of weaknesses that can possibly exist within a
system. Vulnerabilities pose a threat since they can be exploited, causing
potential financial and reputation loss.
The four-step process for assessing vulnerability include: Scope, which
determines, which systems will be assessed; Focus, after the scope has been
determined, an appropriate time to conduct the assessment should be determined.

Assess, the systems are tested for vulnerabilities, which allows for the
company to take the proper steps to secure its systems, and finally, Respond,
the vulnerability assessment report forms the basis for any corrective
measures, empowering management to decide the next action to take in securing
the systems (“Vulnerability Assessment and Management,” 2017)

Microsoft Baseline Security Analyzer

an easy-to-use tool that helps to determine the security state of an
organization in accordance with Microsoft security recommendations and offers
specific remediation guidance. Built on the Windows Update Agent and Microsoft
Update infrastructure, MBSA ensures consistency with other Microsoft management


The Open
Vulnerability Assessment System provides an open-source suite of tools and
services to support vulnerability scanning, detection, and management for networks. The central tool in this
SSL-secured, service-oriented architecture is its OpenVAS scanner that executes
the network vulnerability tests. (OpenVAS, 2016).

Assessment Tool Comparative Analysis

MBSA had administrative vulnerabilities present. More than 2 Administrative
accounts were found e.g. Administrator, StudentFirst, StudentUser, Triton, and
nx. Also, 19 out of 20 user accounts had non-expiring passwords. Weak passwords
were being used in Windows accounts. Linux OpenVAS had administrative
vulnerabilities existing such as weak encryption and MAC algorithms that were
supported. Weak passwords were being used in Linux accounts as well.



MBSA and
OpenVAS present solutions and how to perform them, for each of the
vulnerabilities discovered. It presents specific vulnerabilities affecting the
system in order to alert the user of an issue.


OpenVAS provides
detailed information concerning the impact of attackers while MBSA does not
indicate the impact of attackers based on the vulnerability. OpenVAS briefly
displays the exact software that was affected, the method which was used to
detect the vulnerability as well as vulnerability insight. MBSA also presents
the updates that are missing and which caused the vulnerability.










MBSA 2.3







of date security updates
of date Service Pack

– Security Updates for Micrsosoft Visual C++ 2010 (KB2467173)
– SP1 (KB2538242)


Microsoft Security updates by accessing Microsoft Update.
and install the latest Update Rollups and Service Packs.


Account Passwords
-Windows Firewall

Accounts Administrator, StudentFirst, StudentUser, Triton, nx
out of the 20 accounts have passwords that are set to “Never Expire”


the list of members in the local Administrators and Domain Admins groups to
ensure all users with admin access are justified.
accounts having passwords that do not expire should be reviewed to determine
why the option is set, and whether they should be removed.

System Information




auditing to monitor event log for unauthorized access.

Information Services














Explorer zones have secure settings for all users.











OpenVAS Results:





Weak Encryption Algorithms Supported – The remote SSH server is configured to
allow weak encryption algorithms.

4.3 – Medium

the weak encryption algorithms.

for SSL Weak Ciphers – This routine search for weak SSL ciphers offered by a

 4.3 –

configuration of this services should be changed so that it does not support
the listed weak ciphers anymore.

SSLv2 and SSLv3 Protocol Detection – It was possible to detect the usage of
the deprecated SSLv2 and/or SSLv3 protocol on this system.

4.3 – Medium

-It is
recommended to disable the deprecated SSLv2 and/or SSLv3 protocols
affects all services providing an encrypted communication using the SSLv2
and/or SSLv3 protocols.

SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability
host is installed with OpenSSL and is prone to information disclosure vulnerability.

4.3 – Medium

released a patch to address this vulnerability, the only way to fix POODLE is
to disable SSL v3.0.

Protocol Version Supported
remote SSH server is configured to allow weak MD5 and/or 96 – bit MAC

2.6 –

the weak MAC algorithms.



evaluations of operating systems regularly, helps to avoid the insiders from
taking any inappropriate action of infringement. Employing a system monitoring
program where the HR person can replay the behavior of an insider is
invaluable. Combine that with data loss prevention technology where the rules
can be set and based on those rules, block content that you do not want to
leave the network.

intrusion detection and prevention procedures for all mission-critical systems
and systems that are accessible via the Internet, such as Web servers, e-mail
systems, active directory server, etc or other systems that are deemed mission
critical.  Performing regular
vulnerability assessments will help out in spotting many anomalies and
incidents therefore preventing security breaches. It should be done weekly
against every system in their network, both internal and external within the


organization in particular
understands that security can never be 100%, however it is important that all
professionals practice due diligence when it comes to providing adequate
security for their information and information systems. We use operating
systems that are Windows and Linux based, so it’s important that we understand
their particular vulnerability concerns and deal with the issues accordingly.
Regular security assessments are necessary for the organization and also,
implementing identity management procedures would prevent unauthorized access
to the system and increase security overall, in order to prevent security














Bearnes, B. (2014, June
15). Reading: Operating System. Retrieved January 30, 2018, from

Reading: Operating System

Beaver, K. (2008, September) The 10 most common
Windows security vulnerabilities. Retrieved from:

Common Types of Network Attacks. (2016).
Retrieved from

ERM Initiative Faculty. (2010,
December 1) A Four-Step Approach To Strategy Execution. Retrieved from

Haogang C, Yandong M, Xi W, Dong Z, Nickolai Z,
and Kaashoek M.F. (2011). Linux kernel vulnerabilities: state-of-the-art
defenses and open problems. Retrieved from

Institute of Standards and Technology (NIST) (2010).  Guide for applying the risk management
framework to federal information systems. 
NIST Special Publication 800-37
Revision 1.   Retrieved from

(2016). About OpenVAS software. Retrieved January 11, 2018, from

Radek. (2016, January 29). There’s a lot of
vulnerable OS X applications out there. Retrieved from

Rajesh, K. (2009, October 8). An overview of
IPS – Intrusion Prevention System and types of Network Threats. Retrieved from

Vulnerability Assessment and Management.
(2017). Retrieved from

Wienand, I. (2016). Computer Science from the Bottom Up: The operating system. Retrieved from

Reading: Operating System