Vulnerability assessment tools
through which all the connections to and from the honeynet are routed. Generally most inbound traffic is allowed while outbound traffic is strictly limited, especially where the outgoing packets carry a hostile payload, i.e., one serving the attacker's purposes: an unrestricted outbound path from a compromised honeypot is a path to third parties.

Applications
There is a wide range of applications for honeypots. While their intrinsic value as a research tool into new attack patterns is not yet fully established, one of the most effective practical uses is protection from automated attacks (e.g., worm-based attacks) that may use complex scanning techniques. So-called 'sticky' honeypots slow an attack down with a series of TCP-level techniques, such as advertising a TCP receive window of zero, which holds the attacker's connection open while preventing it from sending any data (the field appears as win 0 in tcpdump output). Sticky honeypots fall into the category often called "No Interaction Honeypots", which extinguish or slow the attack to the point where it is rendered innocuous. Since the input is generated by an automated tool, there is no risk that the attacker will catch on to what is happening. Another example of a low interaction honeypot is the Deception Toolkit. This tool misleads, from the active fingerprinting phase onward, an attacker who uses a mix of social engineering and information gathering techniques.
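The zero-window tarpit described above leaves a recognisable trace in a packet capture. The following is an added example, not code from the article: it parses plain `tcpdump -n` text lines (the sample capture is constructed, and the three-segment threshold is an arbitrary assumption) and reports the endpoints that keep advertising `win 0` on established connections, which is the field the text says to look for.

```python
"""Spotting 'sticky' honeypot (tarpit) behaviour in tcpdump output.

Added example, not code from the article. It parses plain tcpdump -n lines
(the sample below is constructed) and reports the endpoints that keep
advertising a zero TCP receive window on established connections.
"""
import re
from collections import defaultdict

# tcpdump -n prints: <time> IP <src>.<sport> > <dst>.<dport>: Flags [<f>], ..., win <n>, ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?\bwin (?P<win>\d+)"
)

# Constructed sample: scanner 192.168.1.10 probes two web servers. 10.0.0.5 is the
# sticky honeypot (SYN/ACK with win 0, then win 0 on every window probe it answers);
# 10.0.0.6 is a normal server that opens a real window and receives data.
SAMPLE_TCPDUMP = """\
10:00:00.000100 IP 192.168.1.10.40001 > 10.0.0.5.80: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
10:00:00.000200 IP 10.0.0.5.80 > 192.168.1.10.40001: Flags [S.], seq 0, ack 1001, win 0, length 0
10:00:00.000300 IP 192.168.1.10.40001 > 10.0.0.5.80: Flags [.], ack 1, win 64240, length 0
10:00:05.000100 IP 192.168.1.10.40001 > 10.0.0.5.80: Flags [.], ack 1, win 64240, length 0
10:00:05.000200 IP 10.0.0.5.80 > 192.168.1.10.40001: Flags [.], ack 1, win 0, length 0
10:00:10.000200 IP 10.0.0.5.80 > 192.168.1.10.40001: Flags [.], ack 1, win 0, length 0
10:00:00.100100 IP 192.168.1.10.40002 > 10.0.0.6.80: Flags [S], seq 2000, win 64240, options [mss 1460], length 0
10:00:00.100200 IP 10.0.0.6.80 > 192.168.1.10.40002: Flags [S.], seq 0, ack 2001, win 65535, length 0
10:00:00.100300 IP 192.168.1.10.40002 > 10.0.0.6.80: Flags [P.], seq 1:80, ack 1, win 64240, length 79
"""


def parse_line(line):
    """Return the fields of one tcpdump TCP line as a dict, or None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "win"):
        pkt[key] = int(pkt[key])
    return pkt


def find_tarpits(lines, min_zero_windows=3):
    """Map (ip, port) -> number of zero-window segments sent from that endpoint.

    Only segments that carry ACK (tcpdump flag '.') count: a SYN/ACK with win 0
    followed by win 0 replies to the peer's window probes is the tarpit
    signature. A single win 0 from a busy but legitimate server is ordinary
    flow control, hence the (assumed) threshold.
    """
    counts = defaultdict(int)
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["win"] == 0 and "." in pkt["flags"]:
            counts[(pkt["src"], pkt["sport"])] += 1
    return {endpoint: n for endpoint, n in counts.items() if n >= min_zero_windows}


if __name__ == "__main__":
    for (ip, port), n in find_tarpits(SAMPLE_TCPDUMP.splitlines()).items():
        print(f"{ip}:{port} advertised win 0 on {n} segments: sticky/tarpit behaviour")
```

Run against a real capture with `tcpdump -n -r file.pcap tcp | python3 tarpit.py` after replacing the constructed sample with `sys.stdin`; the same logic, applied to your own servers' traffic, also tells you whether a scanner against you got stuck or got through.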
Conclusions
Honeynet implementations provide solutions for almost any need. The software is highly modular and permits step-by-step implementation in the architectural phase as well as in administration and monitoring. Managing the kind of composite architecture described in this article requires four full-time people, who also have to coordinate with the worldwide Honeynet Project, which has very rigorous access requirements. Obviously such an implementation does not necessarily have to be inserted into a worldwide context. What is nevertheless recommended is full compliance with the technical and architectural parameters described in the literature, so as not to risk working in vain.

About the author
Dario Forte has been active in the information security field since 1992. He teaches classes and presents lectures on Information Security Management at universities and other accredited institutions worldwide. In more than 10 years, Dario has worked with many government agencies worldwide, such as NASA and the US Army and Navy, supporting them in incident response and forensics procedures and solving many important hacking-related investigations. Next month's issue of Network Security brings you an exclusive on the revelations gained from the Honeynet Project to date.

Vulnerability Assessment Tools
Elspeth Wales

Complacency about the security state of a network is a recipe for disaster, yet many companies are complacent. Malicious network hacks are on the increase, but preventative measures can be taken to shore up defences, one of which is to conduct a vulnerability assessment that will reveal where weaknesses lie. Elspeth Wales queries experts on the latest vulnerability testing tools and their uses.

There are a host of vulnerability assessment scanning tools available on the market which essentially perform checks against networks, including the communication services, operating systems, routers and ports, in search of a long list of known vulnerabilities compiled by each product's vendor. According to experts it should be remembered, however, that a vulnerability assessment is only one piece of the overall security jigsaw puzzle and should be carried out in conjunction with other tests to ascertain the external and internal network security status.

There are usually two reasons that prompt organizations to carry out a vulnerability assessment, said David Morgan, senior consultant with the ISS X-Force Security Assessment Service: either the company has suffered a trigger incident which has forced it down the assessment route, or it has to conduct regular tests in order to meet regulatory compliance, as in the case of financial services organizations. For instance, e-commerce sites may be required by their credit card supplier to conduct an assessment in order to demonstrate due diligence before they are allowed to process online transactions.
Although he described hacking as an epidemic, he said, somewhat comfortingly, that larger organizations which are in the limelight are taking a more proactive response through preventative measures like assessments. “The obvious targets are not getting hit so often because they have counteracted everything in advance. Therefore it is the universities or smaller, one-man businesses that are being attacked, and which tend not to make such a great news story. I'm sure it is happening all the time but whether we hear about it or not is a different matter,” said Morgan.

Martin Finch, managing director of security consultancy Commissum, advocated conducting a vulnerability assessment as part of a full risk assessment exercise rather than as part of an IT audit. An IT audit involves identifying not only an organization's hardware assets but also its software and data, and at the same time determining how critical each is to the business. “You then move from that to a risk assessment and identify what [data] there is of value. What are the risks that you might face, for instance, if you have important information stored on laptops being carried out of the company's premises?” he said. Starting with a risk assessment programme is important so that companies avoid spending a lot of money analysing unimportant areas while missing those that matter more.

Jay Heiser, security analyst at security consultancy Trusecure, said vulnerability assessments are an important part of the risk management equation and are becoming very complex. But, he said, you are like a dog chasing its tail if you concentrate solely on vulnerabilities, whereas an overall risk programme looks more at setting priorities and the overall configuration of your system and doesn't concentrate just on the numbers game of vulnerabilities. He also stressed the importance for companies of bearing in mind the limitations of vulnerability assessments, because they cannot prove that something is “pure” or valid. A scan that reports nothing only shows that none of the checks the tool knows about matched; it says nothing about weaknesses the tool does not test for.
Heiser described the vulnerability assessment area as a “bit of a numbers game”, in that vendors like to quote the number of vulnerabilities their products can find. The trouble is that the number of vulnerabilities is increasing at an exponential rate, he said. Two approaches can be taken to carry out a vulnerability assessment: the company can either buy an automated tool and run it on the network itself, provided it has a sizeable IT team knowledgeable in security, or it can appoint an independent third-party consultancy to conduct one. The third way, and arguably the most effective, is a combination of both.
Commissum's Finch believes the skills and experience of consultants like himself come into their own after a vulnerability assessment tool has generated a report. The list of vulnerabilities discovered can run into the hundreds if not thousands, but these need interpreting to sift out false positives and prioritise those vulnerabilities which are the most significant. This can be a daunting exercise for a company lacking the necessary experience. “That is where the services of companies like ourselves come in, where we actually look at the results of the automated tools and this gives us clues as to where there may be other issues. Or we look at them and think, well, that has been flagged up or it doesn't really make sense. You then go away and investigate in a bit more depth,” he explained. Trusecure research has shown that a little less than 1% of vulnerabilities found during an assessment are actually exploited. Security consultants working at this level do not come cheap; in fact they can command fees of up to £1000 a day.

In ISS's experience the decision about which route to take, in-house versus consultant, is usually driven by cost considerations and then by the reason for the assessment. “If you are doing it purely for compliance purposes you would tend to go down the cheaper, automated route, whereas if you are really concerned at identifying all issues and being able to sleep comfortably at night you are going to go for the more thorough, reliable and expensive route,” suggested Morgan.

Typically, whether an assessment is carried out in-house or by a third party, two or three different tools should be used, because some are better than others at detecting certain vulnerabilities and some are more effective on particular operating systems. Independent consultants tend to use a mix of their own assessment tools, commercially available tools such as ISS Internet Scanner, and open source freeware such as Nessus, which is probably the largest and best-known of this type, said Tim Orchard, manager of the Claritas penetration testing team. These freeware products, although contributed by the volunteer security community at large, are quality tested to ensure they are robust enough to use in an enterprise environment.

According to Heiser, the danger of a company running a VA tool itself is that it has the potential to bring down the system. “If you don't have the experience you may not know when something is going to break, or you have to leave the level of the scanners so low that it will not find all the potential vulnerabilities. There is no single tool that is going to find all the relevant system vulnerabilities and characteristics. You need to be able to use multiple tools and understand which tools work best in which situations,” he emphasised. “The tools attract attention by flagging vulnerabilities. So the tool makers want to find as many vulnerabilities as possible. But the person using the tools does not understand until the report comes back whether or not those particular vulnerabilities are relevant to their organization. If you want to really concentrate on vulnerabilities it helps to have some security intelligence so that you know what those priorities are,” added Heiser.

In spite of this, consultants need to use these products, and where automated vulnerability assessment tools score over a manual approach is that they can scan a large number of machines in a fraction of the time it would take a person. Orchard pointed out that the approach combining in-house run tools and external consultants is most effective, because an external company hired to assess a network is not going to know all the little nuances of that network, nor all the specific products that are in place. “Companies commonly deploy Cisco routers in their networks and Checkpoint firewalls, so those kinds of components are easy for external companies to assess, but if you have bespoke software applications and unusual types of hardware then you're not always going to get as much value from an external company,” he commented.

The consensus is that once a company has undertaken its first vulnerability assessment, subsequent tests are best carried out on at least a quarterly basis, although some organizations which see themselves as high-risk, such as online banks or other e-commerce sites, conduct them on a monthly, or even daily, basis. Organizations that frequently introduce new systems and software should conduct a vulnerability assessment more often than companies in which the IT environment remains unchanged for a period of time.

Care also has to be taken when conducting a vulnerability assessment to avoid introducing other problems into the network. Tests have been known to crash servers, cause outages or even knock out a website. According to Orchard the risk of this can be minimized by putting certain processes and procedures in place before testing starts. This ensures the customer is aware of the types of tests that are going to be conducted and establishes the boundaries of how far the tests will go: whether to identify and enumerate vulnerabilities and stop there, or to attempt to exploit vulnerabilities, which could lead to compromising a critical service. Communicating with the customer every step of the way during the testing process is key to keeping them fully informed and enabling them to make decisions about the network, he said.
One of the latest developments in vulnerability assessment tools is the emergence of products specifically designed to test Web applications, such as the KaVaDo ScanDo and Sanctum AppShield solutions. James Spooner, managing director of security consultancy Lodoga, which specialises in this area, said the Web application is unique in that public or anonymous users are allowed straight through the firewall, because at least one port has to be left open on the firewall to reach the application. And once at the application the rules about what they can and cannot do are not particularly strict. “The one area they are wide open on is port 80, the HTTP port, or 443, which is the SSL port. These have to be left open, there is no choice, or else there is no Web application, and through that you can subvert the application to create vulnerabilities and risks,” he said.

Web application scanners first go through a process of enumeration to discover every single element of a website, which could be a page, a form, a field, a hidden parameter, a URL parameter, or even things like mouse-overs or clicks. It could include pages that are active and change every time you visit them; on bigger websites this sometimes generates hundreds of thousands of elements. Then each of those elements needs to be assessed for vulnerabilities. As with network scanners, the real value of the results is only realised with manual input, checking vulnerabilities and figuring out how they come together, he said. A level of operator competence is needed too, he said. “Now, if you took some of the best of breed commercial tools and ran them blindly, pressed all the quick assessment buttons, you would actually end up with some pretty bad results, because what's important is that the exploration of a website is done properly so that you haven't created false results about what the website contains; otherwise, when the tool runs its assessment against those results it will believe that it is inducing errors which you assume are vulnerabilities. This is why the human bit is so important: it involves a combination of manual skills and tools.”

Network scanning tools basically look for open ports in a network, or unsecured servers or systems; they reveal nothing about applications. Scanning at the application level is a hugely different matter because an application attack is so subtle, pointed out Spooner. An attack that persistently injects SQL queries into the application, for instance, can leave its input validation reduced, diminished, bypassed or stopped, or the application may simply lack the right validation in the first place. When used with a degree of expertise, vulnerability assessment tools can provide real insight into a network or Web application's weak spots, but care should be taken to minimize any risk of disrupting the network in the process.
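The enumeration stage Spooner describes, as an added example that is not code from the article or from any scanner it names: a crawler that inventories every page, URL parameter, form and form field (hidden fields included) reachable from a start URL. The site is a constructed in-memory dict of URL to HTML so it runs offline; `fetch()` stands in for an HTTP GET, and the hostnames are invented. It also shows the point about exploring "properly": pages are keyed by path plus parameter names rather than values, so an active page that changes on every visit (here, a catalogue with different `cat` values) is crawled once instead of once per value.

```python
"""Enumeration stage of a Web application scanner.

Added example, not code from the article or from any product it names. It
crawls a site and inventories every page, URL parameter, form and form field
(hidden ones included). The site is a constructed in-memory dict of URL -> HTML,
so it runs offline; fetch() would be an HTTP GET in practice.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urldefrag, urljoin, urlparse

# Constructed sample site. /catalog?cat=1 and /catalog?cat=2 are the same
# template with different data; a naive crawler would follow every value.
SITE = {
    "http://shop.example/": (
        '<a href="/catalog?cat=1">Catalog</a><a href="/catalog?cat=2">Sale</a>'
        '<a href="/login.html">Login</a>'
    ),
    "http://shop.example/catalog?cat=1": '<a href="/item?id=42&ref=cat">Item 42</a><a href="/">Home</a>',
    "http://shop.example/catalog?cat=2": '<a href="/item?id=77&ref=cat">Item 77</a>',
    "http://shop.example/item?id=42&ref=cat": (
        '<form action="/cart" method="post"><input type="hidden" name="id" value="42">'
        '<input name="qty" value="1"><input type="submit" value="Add"></form>'
    ),
    "http://shop.example/login.html": (
        '<form action="/auth" method="post"><input name="user">'
        '<input type="password" name="pass"><input type="hidden" name="next" value="/account">'
        '</form><a href="http://other.example/help">Help</a>'
    ),
}


def fetch(url):
    """Stand-in for an HTTP GET: returns the HTML body or None for a 404."""
    return SITE.get(url)


class LinkFormParser(HTMLParser):
    """Collects absolute link targets and forms (action, method, named fields)."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base_url, a.get("action") or self.base_url),
                          "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None and a.get("name"):
            # Hidden fields are inventoried too: the browser hides them, the attacker does not.
            self._form["fields"].append((a["name"], (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def template_key(url):
    """Identity of a page for crawl purposes: path plus parameter *names*, not values."""
    p = urlparse(url)
    return (p.path, tuple(sorted(parse_qs(p.query, keep_blank_values=True))))


def enumerate_site(start_url, fetch_fn=fetch, max_pages=1000):
    """Return the inventory of pages, URL parameters, forms and fields reachable from start_url."""
    scope = urlparse(start_url).netloc
    inventory = {"pages": set(), "url_params": set(), "forms": set(), "fields": set()}
    queue, seen = [start_url], set()
    while queue and len(seen) < max_pages:
        url, _fragment = urldefrag(queue.pop(0))   # fragments never reach the server
        key = template_key(url)
        if key in seen:
            continue                                # same page, different data: do not re-crawl
        seen.add(key)
        body = fetch_fn(url)
        if body is None:
            continue
        parts = urlparse(url)
        inventory["pages"].add(parts.path)
        for name in parse_qs(parts.query, keep_blank_values=True):
            inventory["url_params"].add((parts.path, name))
        parser = LinkFormParser(url)
        parser.feed(body)
        for form in parser.forms:
            action = urlparse(form["action"]).path
            inventory["forms"].add((action, form["method"]))
            for name, ftype in form["fields"]:
                inventory["fields"].add((action, name, ftype))
        queue.extend(link for link in parser.links if urlparse(link).netloc == scope)
    return inventory


if __name__ == "__main__":
    for kind, items in enumerate_site("http://shop.example/").items():
        print(kind, sorted(items))
```

The inventory is what the assessment stage then works through: each entry in `url_params` and `fields` is one injection point to test. The `scope` check keeps the crawl on the host you are authorised to test, and `max_pages` is the brake against a site that generates an unbounded number of links; both are the kind of boundary the article says to agree with the customer before testing starts.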
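Spooner's example of injected SQL queries defeating an application's validation, as an added example that is not code from the article: a login check whose query is built from user input, beside the same check with bound parameters, and the differential probe an application scanner applies to each enumerated field to tell the two apart. The table, the user row and the query shape are constructed; SQLite is used only because it needs no server.

```python
"""Why an application-level scan is different: a login check that is 'validated'
and still bypassed by an injected SQL query, beside its hardened form, plus the
differential probe a scanner applies to each enumerated field.

Added example, not code from the article. Uses an in-memory SQLite table with
one constructed user; the query shape stands in for any real login handler.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")   # constructed row
    return conn


def login_vulnerable(conn, user, password):
    """Attacker-controlled text becomes part of the statement, so a quote in the
    input rewrites the WHERE clause instead of being compared as a value."""
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{user}' AND password = '{password}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn, user, password):
    """Bound parameters: the statement shape is fixed, the input is only ever data."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone()[0] > 0


def probe_for_sqli(login):
    """Differential check in the style of an application scanner.

    A tautology and a contradiction are sent in the same field with otherwise
    identical input; if the application answers differently, the field is
    reaching the SQL parser unescaped. Neither payload needs a valid account.
    """
    return login("nobody", "' OR '1'='1") != login("nobody", "' OR '1'='2")


if __name__ == "__main__":
    db = make_db()
    print("bypass with comment payload:", login_vulnerable(db, "alice' --", "wrong"))   # True
    print("hardened, same payload:", login_hardened(db, "alice' --", "wrong"))           # False
    print("vulnerable probe:", probe_for_sqli(lambda u, p: login_vulnerable(db, u, p)))  # True
    print("hardened probe:", probe_for_sqli(lambda u, p: login_hardened(db, u, p)))      # False
```

A network scanner sees only port 80 or 443 open on both versions; the difference is visible only by submitting input to the field, which is why the probe is written against the login function rather than the socket. The differential form also answers the false-results problem in the article: a page that errors on every input gives the same answer to both payloads and is not reported.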