Intrusive vs. Non-Intrusive Vulnerability Scanning Technology




WHITE PAPER
Intrusive vs. Non-Intrusive Vulnerability Scanning Technology
Retina Network Security Scanner

Table of Contents
The Smash-and-Grab: Taking the Low Road
The Smooth Caper: Taking the High Road
The Clear Choice
About BeyondTrust

© 2013 BeyondTrust Software, Inc.

By performing non-invasive tests, companies can avoid disruption of service while a competent vulnerability assessment is being performed. There are two methodologies used for performing vulnerability assessment, regardless of whether the goal is patch assessment or compliance verification. One philosophy revolves around the need to penetrate a system to prove its vulnerability; the other uses available information to postulate the status of the vulnerability. Longstanding discussions have centered on the merits of either type of scanning, as well as their potential liabilities. In summary, since a vulnerability assessment scanner emulates an attack, each of these methods mirrors an attacker's style for compromising a host.

The Smash-and-Grab: Taking the Low Road

Proponents of destructive security auditing (intrusive scanning) cite the ubiquitous availability of attack scripts for vulnerability exploitation. They hypothesize that by attacking a system in exactly the same manner as a potential attacker, the most accurate results are achieved. Without a doubt, there are some merits to this smash-and-grab approach. By using a script to automate an attack, a penetration scenario in which machine access is attained proves that the device was vulnerable to an attack and ultimately could be compromised. However, this approach is problematic in that the audit trail is incomplete and potentially creates more questions than answers. For example, many attack scripts available on the Internet are flawed and can result in a false sense of security in the form of a false negative: they do not function as intended even when the system being targeted is truly exploitable. Unsuccessful penetration tests based on potentially bad scripts can therefore give a false sense of security.

Vulnerability assessment tools that use intrusive scripts can be harmful because they can leave the system open to future attacks that would normally not be exploitable or, worse, prevent critical business functions from operating correctly. Smash-and-grab vulnerability testing has a propensity to disable services for the duration of the attack. This means that while a service is under attack, that service may not be available for its normal use; an entire network can be immobilized or blue-screened, or, worse, the attack could penetrate the network and create a new risk surface for real attacks. Finally, perhaps the biggest argument against smash-and-grab testing is that it creates a corrupt testing environment. By directly performing attacks against the system being audited, the attack script can push the system into an unknown state or completely disable it, making the remote system useless for further testing and virtually eliminating the possibility of attaining detailed vulnerability reports against this device from subsequent tests.

The Smooth Caper: Taking the High Road

Disciplined attackers often choose to gather as much information about a target as possible, using deductive logic to pinpoint potential weaknesses within an organization and its information technology assets. Proponents of this stealthy, smooth-caper methodology rely on the wealth of information exposed by networked systems and infer an even larger amount of information by making logical connections and assumptions based on the available data. This includes everything from social engineering to knowing the applications and vendors a business relies on. With this information, known vulnerabilities and weaknesses become easy targets for the attacker to attempt an exploit.

In contrast to intrusive scanning techniques, information technology administrators can use non-invasive or non-intrusive tests to locate potentially exploitable systems before they become problematic. By performing non-invasive tests, companies can avoid disruption of service while a comprehensive vulnerability assessment is being performed. Attackers use comparable techniques to gently probe for vulnerabilities without creating systematic downtime and potentially setting off IPS, IDS, and firewall alert sensors. Organizations can employ the same non-intrusive technology to gather large amounts of information and follow a best-practice dissection of the vulnerability data to determine the risk to an environment. This process is often repeated in cycles to further refine and reinforce the findings. Likewise, the same process is used to verify that remediation efforts were successful and that the vulnerability is no longer a threat. By getting a clear picture of the complete architecture, a business can better identify weaknesses in the network and in corporate policies, and proactively prevent intrusions and business interruptions.

When selecting a non-intrusive vulnerability assessment solution, administrators need to be cautious about scanning with freeware and tools that are not rigorously tested and supported. Using these products can be dangerous and result in accidental smash-and-grab testing that disables a network unintentionally. As an example, consider an audit that was thought to be safe but was actually intrusive: the RFPoison attack check used by some scanning tools. While BeyondTrust's Retina Network Security Scanner (RNSS) passively probed machines to determine whether they would be vulnerable to this attack, other vendors approached this audit with an intrusive check and later classified the RFPoison audit as a dangerous plugin. The audit was originally introduced as non-intrusive and was not flagged as dangerous. Unfortunately, this led to the accidental blue-screening of machines by auditors using these tools. Imagine scanning your environment with an allegedly safe audit, and the results cripple the entire environment. In contrast, RNSS does not include any dangerous audits in its checks, and auditors can successfully identify and patch a host without any appreciable risk to the environment. RFPoison-susceptible machines could have been identified without business interruption. Tools that rely on intrusive scans carry a risk that BeyondTrust Digital Security solutions do not bear.

The only potential downside associated with non-invasive scanning is in the way the information is analyzed after performing a scan. Intrusive systems provide immediate results after a targeted attack, successful or unsuccessful. Non-intrusive solutions require the results to be correlated and the status interpolated from the retrieved data. A solid reporting, analysis, and remediation process is needed to turn the results into functional business benefits. Scanning tools that simply provide an unmanageable list of vulnerabilities without proper details and corrective actions tend to complicate the process. RNSS provides complete reporting, data export, and the ability to use a central management console to aggregate results for any size of environment. In addition, all data is stored in a database for further interrogation and is exportable in near real time to a SIM, NMS, or call center.
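The two points above, that a non-intrusive scan infers vulnerability status from information a service volunteers rather than by exploiting it, and that such results then need correlation and an evidence trail, can be illustrated with a small inference check. The following is an added example written for this page; it is not code from BeyondTrust or from Retina. The banners, hostnames, product names, and advisory identifiers (ADV-EXAMPLE-*) are all constructed for the example and correspond to no real software or vulnerability.

```python
import re
from dataclasses import dataclass

# Constructed sample data: banners a non-intrusive scan might collect by
# connecting to a port and reading what the service announces about itself.
# Hostnames, products and versions are made up for this example.
OBSERVED_BANNERS = {
    "host-a.example.internal:22": "SSH-2.0-ExampleSSH_7.1p2",
    "host-b.example.internal:22": "SSH-2.0-ExampleSSH_7.4",
    "host-c.example.internal:80": "Server: ExampleHTTPd/2.2.31",
    "host-d.example.internal:80": "Server: ExampleHTTPd",  # version hidden
}

# Hypothetical advisory data (not real CVEs): the product affected and the
# first version that carries the fix.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "product": "ExampleSSH", "fixed_in": "7.2"},
    {"id": "ADV-EXAMPLE-002", "product": "ExampleHTTPd", "fixed_in": "2.4.0"},
]


@dataclass
class Finding:
    target: str
    advisory: str
    status: str    # "vulnerable", "patched" or "unknown"
    evidence: str  # what the conclusion was drawn from, for the audit trail


# "<product>/<version>" or "<product>_<version>" as seen in typical banners.
BANNER_RE = re.compile(r"([A-Za-z]+)[/_]([0-9][0-9A-Za-z.]*)")


def parse_version(text):
    """Reduce a version string such as '7.1p2' or '2.2.31' to a tuple of
    integers so versions compare numerically. Treating 'p2' as a third
    component is a simplification that is adequate for this example."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def infer_product(banner, known_products):
    """Return (product, version) from a banner. If the banner names a known
    product but hides its version, return (product, None)."""
    match = BANNER_RE.search(banner)
    if match:
        return match.group(1), match.group(2)
    for product in known_products:
        if product in banner:
            return product, None
    return None, None


def assess(banners=OBSERVED_BANNERS, advisories=ADVISORIES):
    """Correlate observed banners with advisories without touching the
    service beyond reading its banner. Every finding records its evidence,
    and a hidden version yields 'unknown' rather than a silent negative."""
    known = {adv["product"] for adv in advisories}
    findings = []
    for target, banner in banners.items():
        product, version = infer_product(banner, known)
        for adv in advisories:
            if adv["product"] != product:
                continue
            if version is None:
                status = "unknown"
                evidence = f"product seen but version hidden in banner {banner!r}"
            elif parse_version(version) < parse_version(adv["fixed_in"]):
                status = "vulnerable"
                evidence = f"banner {banner!r} reports {version} < {adv['fixed_in']}"
            else:
                status = "patched"
                evidence = f"banner {banner!r} reports {version} >= {adv['fixed_in']}"
            findings.append(Finding(target, adv["id"], status, evidence))
    return findings


def summarize(findings):
    """Count findings per status; the 'unknown' bucket is the work queue
    for follow-up correlation (e.g. an authenticated or credentialed check)."""
    counts = {"vulnerable": 0, "patched": 0, "unknown": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    results = assess()
    for f in results:
        print(f"{f.target:30} {f.advisory:16} {f.status:10} {f.evidence}")
    print(summarize(results))
```

The "unknown" status is the important design choice: when the banner gives no version, the check refuses to guess either way, which is exactly the gap that a separate correlation and analysis step has to close. A version string alone is also only an inference (a backported fix can leave an old version number in the banner), so the evidence field is kept on every finding so an analyst can see what each status rests on.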

The Clear Choice

Unquestionably, non-intrusive scanning offers quantifiable benefits and dramatically less risk than the unpredictable smash-and-grab methodology of intrusive scanning. Most organizations are ill-equipped to properly manage an intrusive penetration test scenario, especially those without replicated test networks. The potential damage created by intrusive scanning could outweigh the benefits of an actual detection if the auditors are not careful. Furthermore, the comprehensive audit and remediation trail created by non-intrusive scanning will produce a reliable and hardened infrastructure in a much shorter timeframe. Quantifiable and repeatable results come with a definitive action plan to correct the vulnerability and assist with any patch assessment and compliance requirements.

The bottom line in opting for non-intrusive testing is quite simple: except in extreme cases, locating a vulnerability and fixing it is far more important than proving its exploitability. As a result, administrators and engineers can defend their critical assets without putting them in the line of fire from potentially disruptive tests. By giving network support staff timely and accurate information about existing vulnerabilities, remediation time can be vastly improved and accurate security states assessed without creating any unnecessary additional security risks or business interruptions. As with all security processes and regulatory compliance activities, this should be repeated often to keep administrators abreast of the organization's current network vulnerability status and threat level.

For a free trial of Retina Network Security Scanner (RNSS), please visit the BeyondTrust website at www.beyondtrust.com

About BeyondTrust

With more than 25 years of global success, BeyondTrust is the pioneer of Privileged Identity Management (PIM) and vulnerability management solutions for dynamic IT environments. More than half of the companies listed on the Dow Jones Industrial Average rely on BeyondTrust to secure their enterprises. Customers include eight of the world's 10 largest banks, seven of the world's 10 largest aerospace and defense firms, and six of the 10 largest U.S. pharmaceutical companies, as well as renowned universities. The company is privately held and headquartered in Carlsbad, California. For more information, visit beyondtrust.com.

CONTACT INFO

NORTH AMERICAN SALES
1.800.234.9072
sales@beyondtrust.com

EMEA HEADQUARTERS
Suite 345 Warren Street
London W1T 6AF
United Kingdom
Tel: +44 (0) 8704 586224
Fax: +44 (0) 8704 586225
emeainfo@beyondtrust.com

CONNECT WITH US
Twitter: @beyondtrust
Facebook.com/beyondtrust
Linkedin.com/company/beyondtrust
www.beyondtrust.com