Vulnerability Assessment

Scanning for vulnerabilities is an essential part of asset assurance and configuration management: knowing what is out there and how it is configured. This is most often done in an automated fashion to minimize the workload of the IT staff and because the checks can be hard to do manually. In corporations, vulnerability scanning is an important part of the audit process that can verify whether corporate policies are being enforced and procedures are being followed. It is also used as part of the risk assessment in the Risk Management process to identify assets, vulnerabilities and potential threats.
There are generally two different approaches to this: Whitebox Scanning, performed as a privileged administrator with full access to the systems, including registry settings and files, or Blackbox Scanning, performed as an unprivileged user who sees what "everyone" else would see (including attackers).
Blackbox Scanning:

The concept behind Blackbox Scanning is to discover the security holes before the attacker does, focusing only on the holes the attackers can actually use: the real entries into the system or network. Often one would scan only for critical holes that could lead to system compromise or remote code execution. Sometimes one would scan only for the SANS top 20 list of the vulnerabilities most used by attackers. Another option is to do a full scan for all vulnerabilities the scanner supports, to ensure that assumed knowledge of the system does not lead to false assumptions about what is on the system or network, thereby discovering unknown systems or services, whether they are legitimate or not.
A general problem with Blackbox Scanning is that, since the task is done unprivileged, the only way to ensure that a system is not vulnerable to certain exploits or attacks is to actually try the exploit against the system, or to use a similarly intrusive technique, to get reliable results. Often, the only way to test whether a system is vulnerable to a Denial of Service (DoS) attack is to perform a DoS attack against it. Therefore Blackbox Scanning is often unreliable and risks rendering the target system unstable or crashing it completely. This scanning technique often cannot say for certain that a system is properly patched against an exploit; it can only tell us that the system appears to be patched and does not seem to be vulnerable.
So when is the Blackbox Scanning technique useful, one might ask. A general guideline is to use it to scan for unknown systems and services, to scan for vulnerabilities that have not been patched due to other concerns but are mitigated some other way, and to scan as verification that the mitigation against common threats, like the SANS top 20 list of vulnerabilities most used by attackers, has been implemented. Also, many of these tools can scan for vulnerabilities in applications and try to guess login credentials, e.g. an SQL injection vulnerability in the code of a website, or try to get access to a restricted website. This may discover badly coded web pages or web users with weak passwords.
Whitebox Scanning:

The concept behind Whitebox Scanning is to have full administrative access to the systems and verify configurations, installations and settings. This will first verify the installation of security patches, service packs and software. Secondly, the configuration of services and the system can be examined. Finally, things like the number of administrator accounts, password changes, guest accounts, registry security settings, etc. can be checked. Since Whitebox Scanning has full access to the systems, the results are mostly very accurate, and the risk of rendering the system unstable or crashing it is very small, as this technique does not need to try out the exploits but can verify that the patches have been installed by looking in the registry and checking file versions.
Whitebox Scanning also has some issues, since the tools to perform the scanning are often vendor or system specific, require full access, and because of the way checks are performed. This means that in mixed environments several different tools must be used, and competence must be built in these different tools. Also, as full access is required, there may be challenges due to lockdown of the servers against normally unneeded or potentially dangerous ports and protocols, e.g. NetBIOS access, SNMP access, etc. Finally, since the checks are done by looking in the registry and at file versions, this does not necessarily mean that the new files from a patch have been loaded into memory; the system may require a reboot first. So the problems can be more demanding tasks and false results indicating a system is protected when it is not. This last issue is less of a problem with the latest operating systems, as reboots are required less frequently; Microsoft is currently doing a lot of research into hot patches that are applied to files in memory while at the same time cold patching the files on disk.
As a guide, the Whitebox Scanning technique is of most benefit when verifying the patch management process, when auditing system settings, configurations and installations, or when the accuracy of each vulnerability check is more important than the accuracy of the whole check. Often, by scanning only for a single (or a few) vulnerability on all clients, one can quickly identify hosts that have had problems installing a recently deployed patch. Examining local settings, configurations and installations is powerful when audits are performed to see whether the clients and servers (as well as networking equipment) are following corporate policies. The ability to perform accurate scans for one or more specific vulnerabilities can be important when virus or worm threats are faced, especially if the antivirus product is not yet able to detect and remove the virus or Internet worm; then it is very important to ensure that the systems are not vulnerable to the exploit these threats use.
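As an added illustration (not from the article or from Microsoft), the following PowerShell script performs the kind of whitebox patch check described in the two paragraphs above and shows how to avoid the false "protected" result the article warns about: it checks the installed-hotfix record and the on-disk file versions, then consults the well-known pending-reboot registry indicators so that a patch present on disk but possibly not yet in memory is reported separately. The KB id and the file/version pairs are placeholders for the values from the bulletin of the patch being verified.

```powershell
# Added example, not from the article: a minimal whitebox patch check.
# It verifies a patch the way the article describes (installed-hotfix record
# plus on-disk file versions) and then checks whether a reboot is still
# pending, so a host whose new files are not yet loaded in memory is not
# reported as fully patched.
# PLACEHOLDERS: replace the KB id and the path -> minimum version pairs with
# the values from the vendor bulletin of the patch being verified.
$ExpectedKB    = 'KB0000000'
$ExpectedFiles = @{
    "$env:SystemRoot\System32\ntdll.dll" = [version]'10.0.0.0'
}

function Get-OnDiskFileVersion([string]$Path) {
    # Build a comparable [version] from the numeric parts instead of parsing
    # FileVersion, which often carries a build tag such as "(WinBuild...)".
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-PendingReboot {
    # Well-known registry indicators that Windows still has a reboot outstanding.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    if ((Test-Path $cbs) -or (Test-Path $wu)) { return $true }
    $pfro = (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
    return [bool]$pfro
}

# 1. Is the hotfix recorded as installed on this host?
$installed = $null -ne (Get-HotFix -Id $ExpectedKB -ErrorAction SilentlyContinue)

# 2. Do the files on disk meet the minimum version the patch delivers?
$filesOk = $true
foreach ($path in $ExpectedFiles.Keys) {
    if (-not (Test-Path -LiteralPath $path)) { $filesOk = $false; continue }
    if ((Get-OnDiskFileVersion $path) -lt $ExpectedFiles[$path]) { $filesOk = $false }
}

# 3. "Patched on disk" only counts as "patched" once no reboot is outstanding.
$rebootPending = Test-PendingReboot
if (-not ($installed -and $filesOk)) { $state = 'NOT PATCHED' }
elseif ($rebootPending)              { $state = 'PATCHED ON DISK, REBOOT PENDING' }
else                                 { $state = 'PATCHED' }

[pscustomobject]@{
    Host = $env:COMPUTERNAME; HotfixRecord = $installed; FilesCurrent = $filesOk
    RebootPending = $rebootPending; State = $state
}
```

Run it from an elevated prompt on each host (or via remoting) and collect the resulting objects; hosts reporting NOT PATCHED are the ones that had trouble installing the deployment, and REBOOT PENDING hosts should not be counted as protected yet.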
More Information:

You can watch some archived webcasts from Microsoft on the topic of Security Assessment here: