Intrusive vs. Non-Intrusive Vulnerability Scanning Technology

Transcription

1 WHITE PAPER Intrusive vs. Non-Intrusive Vulnerability Scanning Technology Retina Network Security Scanner

2 Table of Contents The Smash-and-Grab: Taking the Low Road 3 The Smooth Caper: Taking the High Road 4 The Clear Choice 5 About BeyondTrust BeyondTrust Software, Inc.

3 By performing non-invasive tests, companies can avoid disruption of service while a competent vulnerability assessment is being performed. There are two methodologies used for performing vulnerability assessment regardless of patch assessment or compliance verifcation. One philosophy revolves around the need to penetrate a system to prove its vulnerability and the other uses available information to postulate the status of the vulnerability. Longstanding discussions have centered on the merits of either type of scanning, as well as their potential liabilities. In summary, since a vulnerability assessment scanner emulates an attack, each of these methods mirrors an attacker s style for compromising a host. The Smash-and-Grab: Taking the Low Road Proponents of destructive security auditing (intrusive scanning) cite the ubiquitous availability of attack scripts for vulnerability exploitation. They hypothesize that by attacking a system in the exact same manner as a potential attacker, more accurate results are best achieved. Without a doubt, there are some merits to this smash-and-grab approach. By using a script to automate an attack, a penetration scenario where machine access is attainable proves that the device was vulnerable to an attack and ultimately could be compromised. However, utilizing this approach is problematic in that the audit trail is incomplete and potentially creates more questions than answers. For example, many attack scripts available on the Internet are flawed and can result in a false sense of security in the form of a false negative. That is, they do not function as desired even if the system being targeted is truely exploitable. Unsuccessful penetration tests based on potentially bad scripts can give a false sense of security. Vulnerability assessment tools that use intrusive scripts can be harmful because they leave the system open to future attacks that would normally not be exploitable or worse, deny critical business functions from operating correctly. Smash-and-grab vulnerability testing has a propensity to disable services for the duration of the attack. This means that while a service is under attack, that service may not be available for its normal use and an entire network can be immobilized, blue screened, or worse, the attack could penetrate the network and create a new risk surface for real attacks. Finally, perhaps the biggest argument against smash-and-grab testing is that it creates a corrupt testing environment. By directly performing attacks against a system being audited, the attack script can push the system into an unknown state or completely disable it making the remote system useless for further testing and virtually eliminating the possibility of attaining detailed vulnerability reports against this device from future tests BeyondTrust Software, Inc.

4 The Smooth Caper: Taking the High Road Disciplined attackers often chose to get as much information about a target as possible, using deductive logic to pinpoint potential weaknesses within an organization and information technology assets. Proponents of this stealth and smooth caper methodology rely on the wealth of information from networked systems and infer an even larger amount of information by making logical connections and assumptions based on the available data. This includes everything from social engineering to knowing the applications and vendors a business relies on. With this information, known vulnerabilities and weakness are easy targets for the attacker to attempt an exploit. In contrast to intrusive scanning techniques, information technology administrators can utilize non-invasive or non-intrusive tests to locate potentially exploitable systems before they become problematic. By performing non-invasive tests, companies can avoid disruption of service while a comprehensive vulnerability assessment is being performed. Attackers utilize comparable techniques to gently probe for vulnerabilities without creating systematic downtime and potentially setting off IPS, IDS, and firewall alert sensors. Organizations can employ the same non-intrusive technology to gather large amounts of information and a follow a best practice dissection of vulnerability data to determine the risk to an environment. This process is often repeated in cycles to further refine and reinforce the findings. Likewise, the same process is used to verify that remediation efforts were successful and the vulnerability is no longer a threat. By getting a clear picture of the complete architecture, a business can better identify weaknesses in the network, in corporate policies, and proactively prevent intrusions and business interruptions. When selecting non-intrusive vulnerability assessment solution, administrators need to be cautious in their use of scanning with freeware and tools that are not rigorously tested and supported. Using these products can be dangerous and result in accidental smash-and-grab testing that can disable a network unintentionally. As an example, an audit that was thought to be safe was actually intrusive. Consider the RFPoison attack check used by some scanning tools. While BeyondTrust s Retina Network Security Scanner (RNSS) passively probed machines to determine if they would be vulnerable to this attack, other vendors approached this audit with an intrusive check and classified the RFPoison audit as a dangerous plugin. This audit was originally introduced as non-intrusive and not flagged as dangerous. Unfortunately this led to the accidental blue screening of machines by auditors using these tools. Imagine scanning your environment with an allegedly safe audit, and the results cripple the entire environment. In contrast, RNSS does not include any dangerous audits in its checks and auditors can successfully identify and patch a host without any appreciable risk to the environment. RFPoison susceptible machines could have been identified without business interruption. Tools that rely on intrusive scans carry a risk that BeyondTrust Digital Security solutions do not bare. The only potential downside associated with noninvasive scanning is in the way the information is analyzed after performing a scan. Intrusive systems provide immediate results after a targeted attack; successful or non successful. Non intrusive solutions require the results to be correlated and the status interpolated based on the retrieved data. A solid reporting, analysis, and remediation process is needed to turn the results into functional business benefits. Scanning tools that simply provide an unmanageable list of vulnerabilities without proper details and corrective actions tend to complicate the process. RNSS provides complete reporting, data export, and the ability to use a central management console to aggregate results for any size environment. In addition, all data is stored in a database for further interrogation and exportable in near real time to a SIM, NMS, or call center BeyondTrust Software, Inc.

5 The Clear Choice Unquestionably, non-intrusive scanning offers quantifiable benefits and dramatically less risk than the unpredictable smash-and-grab methodology of intrusive scanning. Most organizations are ill equipped to properly manage an intrusive penetration test scenario; especially those without replicated test networks. The potential damage created by intrusive scanning could outweigh the benefits of an actual detection if the auditors are not careful. Furthermore, the comprehensive audit and remediation trail created by non-intrusive scanning will create a reliable and hardened infrastructure in a much quicker timeframe. Quantifiable and repeatable results will come with a definitive action plan to correct the vulnerability and assist with any patch assessment and compliance requirements. The bottom line in opting for a non-intrusive testing is quite simple: Except in extreme cases, locating a vulnerability and fixing it is far more important than proving its exploitability. As a result, administrators and engineers can defend their critical assets without putting them in the line of fire from potentially disruptive tests. By giving network support staff timely and accurate information about existing vulnerabilities, remediation time can be vastly improved and accurate security states assessed without creating any unnecessary additional security risks or business interruptions. As with all security processes and regulatory compliances, this should be repeated often to keep administrators abreast of the organization s current network vulnerability status and threat level. For a free trial of Retina Network Security Scanner (RNSS), please visit the BeyondTrust website at BeyondTrust Software, Inc.

6 About BeyondTrust With more than 25 years of global success, BeyondTrust is the pioneer of Privileged Identity Management (PIM) and vulnerability management solutions for dynamic IT environments. More than half of the companies listed on the Dow Jones Industrial Average rely on BeyondTrust to secure their enterprises. Customers include eight of the world s 10 largest banks, seven of the world s 10 largest aerospace and defense firms, and six of the 10 largest U.S. pharmaceutical companies, as well as renowned universities. The company is privately held, and headquartered in Carlsbad, California. For more information, visit beyondtrust.com. CONTACT INFO NORTH AMERICAN SALES [email protected] EMEA HEADQUARTERS Suite 345 Warren Street London W1T 6AF United Kingdom Tel: + 44 (0) Fax: + 44 (0) [email protected] CONNECT WITH US Facebook.com/beyondtrust Linkedin.com/company/beyondtrust BeyondTrust Software, Inc.