Project report 2: EVALUATION OF TOOLS FOR CYBER SECURITY

By Piyali Basak, Indian Institute of Technology, Kanpur

Guided by Dr. N.P. Dhavale, Deputy General Manager, Strategic Business Unit, Institute for Development and Research in Banking Technology, Hyderabad
ABSTRACT:
Security and reliability are most important when it comes to banking. IDRBT's SBU (Strategic Business Unit) plays an important role in secure and reliable banking operations. This project tests and enhances the security of the IDRBT servers themselves. Three cyber security tools (Nessus, Retina, OpenVAS) have been compared by testing the security of four servers and about 254 client machines. The reports generated by these tools are compared on the basis of the severity of the vulnerabilities obtained and their corresponding remediation steps.

INTRODUCTION:
Cyber security includes not only access control lists, firewalls, intrusion protection systems, flow throttling, deep packet inspection, signatures, and similar terms but also security event correlation, application traffic flow analytics, and intrusion detection. Cyber security specializes in the area of network behavior analysis. Here we are concerned only with network security, which is the protection of all data that leaves or enters the local PC or local server from the network.

The networks are computer networks, both public and private, that are used every day to conduct transactions and communications among businesses, government agencies and individuals. The networks are composed of "nodes", which are "client" terminals (individual user PCs) and one or more "servers" and/or "host" computers. They are linked by communication systems, some of which might be private, such as within a company, and others which might be open to public access. The obvious example of a network system that is open to public access is the Internet, but many private networks also utilize publicly accessible communications. Today, most companies' host computers can be accessed by their employees whether in their offices over a private communications network, or from their homes or hotel rooms while on the road through normal telephone lines.
Network security involves all activities that organizations, enterprises, and institutions undertake to protect the value and ongoing usability of assets and the integrity and continuity of operations. An effective network security strategy requires identifying threats and then choosing the most effective set of tools to combat them.

Who is vulnerable:
- Financial institutions and banks
- Internet service providers
- Pharmaceutical companies
- Government and defense agencies
- Contractors to various government agencies
- Multinational corporations
- ANYONE ON THE NETWORK

OBJECTIVES:
The objective of the project is to
- Find user-friendly, efficient and consistent cyber security software
- Compare them in terms of their
  1. Technical Functionality
  2. Audit compliance
  3. Reporting

PROCEDURES:
We explored Nessus, Retina and OpenVAS because they are identified as user friendly for installation and configuration. Other software such as Snort and Saint is not user friendly; it was installed but could not be analyzed thoroughly. Microsoft Baseline Security Analyzer gives information about the security state of the system but no additional information for exploring the tool further. Due to lack of time we could not explore all of the following tools: Qualys Guard, Nexpose and Core Impact. However, feature-wise these products will help in assessing vulnerabilities.
Nessus:
Nessus is a proprietary comprehensive vulnerability scanner developed by Tenable Network Security. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs and across physically separate networks.

Version used: 5.2
Availability: free of charge for personal use, but now a pay-for subscription-based service.

Nessus 5.2, scanning with 40,000 plugins covering a large range of both local and remote flaws, provides customers with:
- Targeted email notifications: When scans are complete, Nessus can send an email with a summary of scan results and remediation recommendations to your selected recipients.
- Remediation recommendations: Nessus provides an actionable list to help with remediation efforts, summarizing the actions to take to remediate the largest quantity of vulnerabilities on your network.
- Increased intelligence: Nessus 5.2 offers the ability to store attachments in the scan reports. Scan results contain remote screenshots via RDP and VNC, as well as pictures of scanned websites.
- Expanded platform support and integration: Scanning of IPv6 targets is supported on all operating systems, including Windows, and Nessus runs on Windows 8 and Windows Server 2012.

OpenVAS:
OpenVAS (Open Vulnerability Assessment System, initially GNessUs) is a framework of several services and tools offering a vulnerability scanning and vulnerability management solution.

Version used: 5.0
Availability: free of charge for personal use.
OpenVAS is an open source vulnerability scanner that can test a system for security holes using a database of over 28 0000 test plugins. The complete OpenVAS suite consists of a number of components that provide a framework for a complete vulnerability management solution with many more important features.

Architecture Overview: The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools. The core of this SSL-secured service-oriented architecture is the OpenVAS Scanner. The scanner very efficiently executes the actual Network Vulnerability Tests (NVTs), which are served with daily updates via the OpenVAS NVT Feed or via a commercial feed service.

OpenVAS Manager: It is the central service that consolidates plain vulnerability scanning into a full vulnerability management solution. The Manager controls the Scanner via OTP (OpenVAS Transfer Protocol) and itself offers the XML-based, stateless OpenVAS Management Protocol (OMP).

OVAL Support: The Open Vulnerability and Assessment Language (OVAL), in OpenVAS, is a standard that can be used, among other things, to describe known vulnerabilities and the tests that assess whether a vulnerability is present on a target system.

Retina:
Acknowledged as the fastest security scanner on the market today, Retina is designed to identify known and unknown vulnerabilities, and report possible security holes within a network's internet, intranet, and extranet environments.

Version used: 5.10.0
Availability: free of charge for personal use, but now a pay-for subscription-based service.

Retina was created with a simple-to-navigate graphical user interface. It has an auto-update feature that provides continuous updates for its modules using an Internet connection. Retina is extremely fast. Apart from this, Retina has more powerful features such as:
- Non-intrusive scanning engine: Optimizes network performance and scans network devices, operating systems, applications, and databases without impacting availability or performance.
- NMAP Technology: Retina is the first and only commercial scanner to license and incorporate the NMAP Fingerprints Database. This allows Retina to have superior OS detection, particularly for remote scans. eEye was actually the first company to port NMAP to the NT platform.
- Smart Reporting: Produces fully documented network audit reports based on Retina's security scans.

A comparative study is made in the following table.
Software: Nessus, OpenVAS, Retina

Network Discovery:
  Port scanners:
    TCP scan
    UDP scan
    SYN scan
    SNMP scan
    Netstat SSH scan ˣ ˣ
  Target scan:
    Single IP, IP Range
    Subnet with CIDR notation
    Hostname

System Discovery:
  OS detection
  Get Reverse DNS ˣ
  Get NetBIOS name ˣ ˣ
  Get MAC Address ˣ
  Enumerate Hardware ˣ ˣ

Features:
  Unlimited scan ˣ
  Web Application Scanning
  Vulnerability scanning
  Fixing Vulnerability
  Exportable Reports
  Software cost ˣ
    Nessus: free for 15 days, professional feed $1500 USD/year
    OpenVAS: Free
    Retina: free for 15 days, professional feed $150.00

ˣ : not available (all other entries: available)

To have a comparative overview we use these three tools to scan different machines in IDRBT.

Scanned Machines IP address: 176.16.0.1-176.16.0.254
Date of scan: 17th June 13

| Cyber Security Tool | Nessus | OpenVAS | Retina |
| --- | --- | --- | --- |
| No. of machines scanned | 107 | 107 | 107 |
| No. of machines found to have vulnerabilities | 30 | 31 | 1* |
| Time taken to scan | 55 mins | 1 hr 10 mins | 25 mins |

Retina is extremely fast. It can scan a class-C network in 25 minutes.

*Retina cannot give vulnerability details of all the scanned machines in its trial version.
Results of Nessus:
The following graph shows the different risk levels for each host obtained from the scan result of Nessus. The host 172.16.0.14 is clearly the most vulnerable, followed by the hosts 172.16.0.7 and 172.16.0.9. Severity level is determined by the CVSS (Common Vulnerability Scoring System).

[Figure: Risk level for each host; series: low, medium, high, critical]

The following graph shows the vulnerabilities by category. Most of the risks are found in the Web server category.
[Figure: Overview of risk by category; series: high, critical; categories: Web server, Windows, database, SMTP problems, Miscellaneous]

Results of OpenVAS:
The following graph shows the security holes found for each host by OpenVAS. From the graph it is clear that 172.16.0.14 and 172.16.0.9 are more vulnerable than the others. OpenVAS does not provide the severity level of the risk as Nessus does.
[Figure: Security holes found for each host by OpenVAS; x-axis: hosts, y-axis: security holes found]

Results of Retina:
Retina cannot scan as many systems at a time as Nessus and OpenVAS in its trial version, as this is beyond the license of the software. Hence for that we need to buy the software.

Next we run the tools against different server machines of IDRBT to get an idea of which vulnerabilities are more risky in terms of category and severity level. We checked the following three IDRBT server machines:
- IDRBT Library server
- IDRBT Mail server
- IDRBT DNS server
- IDRBT proxy server

Performance of Nessus:
The following graphs show the risk for the above three server systems in terms of category and severity level. The Library web server is found to be the most vulnerable.
[Figure: Overview of risk level for different categories for IDRBT DNS web server (172.16.0.141); series: low, medium, high, critical; categories: General, Service detection, Windows, Miscellaneous, FTP]

[Figure: Overview of risk level for different categories for IDRBT mail server (172.16.0.42); series: low, medium, high, critical; categories: General, Windows, SMTP problems, DNS, Miscellaneous]
[Figure: Overview of risk level for different categories for IDRBT proxy server (172.16.0.200); series: low, medium, high, critical; categories: SNMP, web server, Windows, SMTP problems, FTP]

[Figure: Overview of risk level for different categories for IDRBT library web server (172.16.0.14); series: low, medium, high, critical; categories: database, web servers, CGI abuses, Windows, service detection, general]

Clearly, the IDRBT Library server and Proxy server are the more vulnerable, mainly in the web server, Windows and SNMP categories.
Performance of Retina:
Retina scanned each machine in a very short time and also provided the remediation report and the final scanning report. The following graph shows the most affected ports.

[Figure: Severity level for the most affected ports; series: low, medium, high; ports: TCP 3339, 443, 7778, 1521]

Port details:
- TCP 3339: Port 3339 is one of the specified default ports used by Oracle Database or Oracle Application servers. It is used to allow a database admin to remotely control and monitor database applications within a closed-network group or over a wide-area network via a TCP/UDP connection.
- TCP 443: Hypertext Transfer Protocol over TLS/SSL (HTTPS).
- TCP 7778: Port 7778 is used to allow clients/users access to remote servers on the Internet. Oracle HTTP Server admin listens on port 7778 by default when port 7777 is unavailable. For this application, the data passing through this port includes access requests for the non-SSL HTTP server.
- TCP 1521: Oracle SQL defaults to listening at this port.

From the graph it is clear that ports TCP 3339 and 7778 are vulnerable compared to the others.

[Figure: Level of severity for the two more affected servers; panels: IDRBT Library server, IDRBT Proxy server; series: low, medium, high; categories: Web server, database, IP services, Windows, netbios, accounts]

Performance of OpenVAS:
We ran OpenVAS against the same server systems, but security holes were found only for the library web server.

Next we compare these tools in terms of their remediation steps for the corresponding vulnerabilities found in the Library web server. Retina is unable to provide a risk management solution in its trial version, whereas OpenVAS, in comparison with Nessus, gives instructions to update to a higher version of patches and software for the same vulnerability. So here we mainly concentrate on the results and remediation steps specific to critical and high risk vulnerabilities. The number in brackets denotes the number of occurrences of that particular vulnerability. A Java program is used to read a desired string from a file and count the number of its occurrences.

Vulnerabilities found by Nessus:

| Vulnerability | Remediation step |
| --- | --- |
| Buffer Overflow. (6) | Upgrade Apache web server version of 1.3.29 or later. |
| Unsupported version of Oracle Database server. (2) | Upgrade to a version of Oracle database. |
| Remote code execution attack. (3) | Upgrade Apache Web server version 1.3.26. |
| Running an older Apache web server version causing DoS attack and Cross-site Encryption. (2) | Upgrade Apache Web server version 1.3.27 or later. |

Vulnerabilities found by Retina:

| Vulnerability | Category | Severity Level |
| --- | --- | --- |
| Weakness exists in mod_ssl used by an attacker causing execution of strings logged via HTTPS. | Web server | Critical |
| TNS Listener is showing no designated password. | Database | Critical |
| Arbitrary code execution. | Web server | High |
| A DoS risk exists within the Apache version 1.3.27 and prior. | Web server | High |
Vulnerabilities found by OpenVAS:

| Vulnerability | Remediation step |
| --- | --- |
| Running an Apache version older than 1.3.27, subject to different flaws. (2) | Upgrade to Apache web server version 1.3.27 or newer. |
| Arbitrary code can be run on the remote host. (3) | Disable SOAP feature by editing. |
| Buffer overflow attack. (5) | Upgrade to version 1.3.37 or later. |
| Remote code execution vulnerability. (3) | Upgrade to mod_ssl version 2.8.19 or newer. |

Upgrading the Apache web server to the latest version 1.3.37, as identified by OpenVAS, will remediate all the kinds of vulnerabilities caused by its older versions.

SOFTWARE USED: Java, Minitab.

Java code:

    import java.io.*;

    public class Test1 {
        public static void main(String[] args) {
            // The name of the file to open and the string to search for.
            String fileName = "", searchString = "";
            // This will reference one line at a time.
            String line = null;
            int count = 0;
            try {
                // Read the file path and the search string from standard input.
                BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
                System.out.println("Enter File Path:");
                fileName = br.readLine();
                // FileReader reads text files in the default encoding.
                FileReader fileReader = new FileReader(fileName);
                System.out.println("Enter Search String:");
                searchString = br.readLine();
                // Always wrap FileReader in BufferedReader.
                BufferedReader bufferedReader = new BufferedReader(fileReader);
                // Count every line that equals the search string, ignoring case.
                while ((line = bufferedReader.readLine()) != null) {
                    // System.out.println(line);
                    if (line.equalsIgnoreCase(searchString)) {
                        ++count;
                    }
                }
                System.out.println(searchString + " count is : " + count);
                // Always close files.
                bufferedReader.close();
                System.out.println("Bye");
            } catch (FileNotFoundException ex) {
                System.out.println("Unable to open file '" + fileName + "'");
            } catch (IOException ex) {
                System.out.println("Error reading file '" + fileName + "'");
                // Or we could just do this:
                // ex.printStackTrace();
            }
        }
    }

CONCLUSION:
1. Nessus can scan multiple machines with all vulnerability details and machine information, and gives a proper solution.
2. OpenVAS checks for security holes but does not provide machine information.
3. Retina, being a fast vulnerability scanner, scans a system and gives a remediation report and a scan report as well, but cannot give vulnerability details of all the scanned machines in its trial version.
4. Nessus is the more comprehensive network vulnerability scanning tool.
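The occurrence counts and per-host risk levels used in the comparison above can be produced in one pass over a scanner's CSV export instead of one string search per vulnerability. The following Python sketch is an added example, not part of the original report or of any scanner's own tooling; the column names (Host, Risk, Name) and every sample row are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

SEVERITIES = ("critical", "high", "medium", "low")  # most to least severe

# Constructed sample rows; hosts use the 192.0.2.0/24 documentation range.
# The column names Host, Risk and Name are assumptions: adjust to the export.
SAMPLE_CSV = """Host,Port,Risk,Name
192.0.2.14,80,Critical,Buffer overflow
192.0.2.14,443,critical,Buffer Overflow
192.0.2.14,1521,High,Unsupported database version
192.0.2.9,80,High,Remote code execution
192.0.2.9,25,Medium,Mail relay misconfiguration
192.0.2.7,445,Low,Weak file share settings
192.0.2.7,80,None,Web server banner
"""


def tally(report_text):
    """Return (per-host severity counts, counts of high/critical finding names)."""
    per_host = defaultdict(Counter)
    serious = Counter()
    for row in csv.DictReader(io.StringIO(report_text)):
        risk = row["Risk"].strip().lower()
        if risk not in SEVERITIES:  # skip informational rows ("None")
            continue
        per_host[row["Host"].strip()][risk] += 1
        if risk in ("critical", "high"):
            # Case-insensitive name match, like the report's string counter.
            serious[row["Name"].strip().lower()] += 1
    return dict(per_host), serious


def rank_hosts(per_host):
    """Order hosts worst first: by critical count, then high, medium, low."""
    def key(host):
        return tuple(per_host[host][s] for s in SEVERITIES)
    return sorted(per_host, key=key, reverse=True)


if __name__ == "__main__":
    hosts, serious = tally(SAMPLE_CSV)
    for host in rank_hosts(hosts):
        print(host, {s: hosts[host][s] for s in SEVERITIES})
    for name, count in serious.most_common():
        print(f"{name} ({count})")
```

Ranking on the tuple of counts avoids inventing severity weights: a host with any critical finding always sorts above a host with none.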