Vulnerability Assessment Methodology Today s networks are typically comprised of a variety of components from many vendors. This adds to the difficulties faced by the system administration staff, as they must familiarize themselves with specific security concerns created by each product, and remain current as new security flaws are discovered. Even the most conscientious vendors do not always release patches for a given vulnerability before illegal tools for its exploitation become widely available. In some cases, legacy systems and networks exist that are not being supported or updated. While many current security products (and practitioners) promise comprehensive results, they focus on TCP/IP vulnerabilities to the exclusion of existing facilities such as Netware, DECNET, or X.25 networks. PatchAdvisor personnel offer experience with a wide variety of platforms and protocols, and our assessments address all relevant vulnerabilities, whether on TCP/IP or non- TCP/IP networks. System administrators require a structured technical assessment of problem areas relating to network security, covering all of the computer hardware platforms, operating system technology, and communication protocols in use on their networks. More than a penetration test, this assessment must be a management tool that includes both a baseline of vulnerabilities and specific recommendations for improvement. Our report process has been refined over many client assessments to meet exactly this need. The Assessment Process - The assessment process is comprised of four phases: discovery, detection, exploitation, and analysis/recommendations. The diagram below identifies the relationships among the four phases, and the flow of information into the final report.
Vulnerability Assessment Process Customer Briefing Discovery from all sources Network Information Optional Discovery Briefing Discovery Phase External Detection Internal Detection Detection Phase External Exploitation Internal Exploitation Exploitation Phase Analysis and Recommendations Post-Assessment Briefing Report Analysis Phase Client In-Briefing- Prior to initiating an assessment, PatchAdvisor will request a short briefing with the client to serve as a venue to review the planned conduct of the assessment and establish coordination protocols with the designated client point of contact. As discussed below, one of the by-products of the Exploitation Phase is an implicit test of the organization s detection capability. This in-briefing allows the assessment team to work with the point of contact so that any internal detection of the assessment activities is handled properly. Discovery Phase - The first step in a vulnerability analysis is to discover all points of connectivity to the network. This includes connections to public data networks such as the Internet, private interconnections with partners, connections to the telephone network through modem dialups, and Wireless LAN connectivity such as 802.11b access points. A variety of techniques are used to catalog points of entry, and the content of public and private directory services is provided as output so the client becomes aware of their existence and content. Typical activities in the Discovery Phase include WHOIS queries to determine network administration information, PING sweeps of target networks to ascertain composition and architecture, RF-spectrum analysis to locate potential Wireless Access Points, and off-hours wardialing of client exchanges to locate all dial-up and back-door access points. If available, Simple Network Management Protocol (SNMP) information is also obtained in order to provide the most complete network and host information possible.
When the Discovery Phase is complete, PatchAdvisor has a documented description of the target environment that will be used in both the external and internal portions of the assessment. If there are any major discrepancies, a briefing is held prior to execution of the Detection Phase of the assessment. Optional Post-Discovery Briefing - As communications technology evolves, connection of components becomes faster and easier. While this clearly benefits network personnel and users by speeding the deployment of reliable network connections, it also makes it easier for end users to create their own network segments, shared file systems, and dial-in connections. As networks get larger and more geographically dispersed, it becomes increasingly difficult to manage their growth. The natural result is that there are often discrepancies between the network content, topology, and points of access documented by the client and the corresponding information discovered by an assessment. When these discrepancies are significant (i.e., a substantial number of new hosts or dial-in access points), PatchAdvisor will conduct a briefing with the client point of contact. This briefing is necessary, in part, to ensure that the scope of the assessment and related cost estimates are still appropriate. However, the primary intent is to keep the client informed of our findings and allow time for internal discussion before the results are presented in the out-briefing. Detection Phase - Detection and exploitation (as discussed below) are performed from both external and internal perspectives. The external portion emphasizes the identification of vulnerabilities that allow unauthorized entry into the target environment, while the internal portion focuses on opportunities to exceed authorized access once inside. There is, of course, a close relationship between internal and external results; if an external attacker successfully gains access to the system, all of its internal vulnerabilities become exploitable as well. In the analysis phase, internal and external results are combined to present a comprehensive view of vulnerabilities. PatchAdvisor will identify potential vulnerabilities in network services running on discovered hosts, as well as inherent vulnerabilities in equipment and operating systems. Having discovered the network content and points of connectivity, an exhaustive search of hosts and available network services is conducted to pinpoint possible vulnerabilities. Information is gathered on each network host, including the operating system type and version, hardware platform, and active services. Particular attention is paid to high-risk services such as FTP, SENDMAIL, POP3, IMAP, WWW, etc. Services running on unregistered ports are also noted. Three classes of tools are used in the detection phase: Public Domain tools Many of the tools used by PatchAdvisor have been obtained either directly from the Internet or from other security specialists. Such tools are generally highly focused and may have testing algorithms that are superior in their specific area of focus. Each public domain tool undergoes extensive testing in our labs to ensure that its behavior is consistent and that it causes no damage to the client environment. Proprietary tools These are tools that have either been developed by individual team members, or are public domain tools that have been modified by our team. Like the public domain tools, they are generally focused on a small set of vulnerabilities, and may be used to crosscheck some outputs of the commercial tools. Commercial tools For war-dialing, we use a commercial tool such as PhoneSweep by Sandstorm Technologies. We may also use some best in class specialty tools such as Hyena (by Adkins Resources) and SNMP-Sweep (by Solar Winds).
When the Detection Phase is complete, PatchAdvisor will have developed the most comprehensive list of possible vulnerabilities in the environment. The list includes output files from multiple tools, many of which are included in the Report as appendices. Exploitation Phase - The Exploitation Phase is designed to provide a level of assessment beyond the capability of automated tools. This phase includes both internal and external simulated attacks, reflecting vulnerability both to authorized users exceeding their permissions, and to outsiders penetrating via the Internet, other data networks, and wireless or dial-in connections. In many cases, manual exploitation attempts are made to verify that vulnerabilities identified by tools are actually exploitable, since many tools identify apparent vulnerabilities but lack the capability to validate them. PatchAdvisor uses a combination of public domain and proprietary tools in the Exploitation Phase. These tools are selected based upon the vulnerabilities identified in the Detection Phase. During attacks, techniques are sequenced from quietest to noisiest, providing an opportunity to test the detection capabilities of any installed intrusion detection systems, users, and system administrators. A wide range of external attack scenarios are simulated, combining discovered information with known vulnerabilities to provide the most realistic possible threat profile. The results of a successful attack will be pre-determined by consultation with the client point of contact. In most instances we can establish susceptibility to potentially harmful vulnerabilities without running an actual attack, thus avoiding any damage to data or interruption of service. However, if requested by the client, denial of service attacks can be run against a designated target. Such tests are closely coordinated with client system administrators, and are typically conducted during designated third-shift hours. Analysis Phase - Once the active phases of the assessment are completed, prioritized final recommendations are made regarding specific vulnerabilities, insecure computing practices, configuration management and network design. These recommendations are compiled in the final report. The content of the report is discussed in a following section. Post-Assessment Briefing - PatchAdvisor will deliver an out-briefing after each assessment. This briefing provides a forum for presentation and interactive discussion of key issues from the assessment, and includes a discussion of the techniques used to compromise the target system, common attacks on public systems, as well as a direct question and answer session with the assessment team. Our experience shows that this is often a vital part of the assessment process; most clients take full advantage of this opportunity for technical interchange. Report Content and Format - The format of the report varies somewhat based upon the scope of work and the content of the target environment. Reports are delivered in printed form, as well as electronic form in PDF format. A sample Table of Contents is shown below to provide a sense of the organization and typical content. Vulnerability Assessment Report Sample Table of Contents 1 Executive Summary 1.1 Scope of Work 1.2 Summary of Vulnerability Findings 1.2.1 External Vulnerabilities 1.2.2 Internal Vulnerabilities 2 Report Process Overview 2.1 Background 2.2 Report Process
2.2.1 Discovery Phase - Network Mapping 2.2.2 Exploitation Phase - Vulnerability Analysis 2.2.3 Recommendations and Summary 3 Network Mapping 3.1 Domain Name Service 3.2 Wireless Networks 3.3 Modem Dial-ups 4 Vulnerability Analysis 4.1 Introduction 4.2 TCP/IP Services 4.2.1 File Transfer Protocol (FTP) [TCP Port 21] 4.2.2 Telnet [TCP Port 23] 4.2.3 Simple Mail Transfer Protocol (SMTP) [TCP Port 25] 4.2.4 Domain Name Service (DNS) [TCP/UDP Port 53] 4.2.5 Trivial File Transfer Protocol (TFTP) [TCP Port 69] 4.2.6 Finger [TCP Port 79] 4.2.7 Hypertext Transport Protocol (HTTP) [TCP Port 80] 4.2.8 Remote Procedure Call Portmapper [TCP/UDP Port 111] 4.2.8.1 Remote Users Daemon (rusersd) [RPC Service] 4.2.8.2 Remote Execution Daemon (rexd) [RPC Service] 4.2.8.3 Write All Daemon (walld) [RPC Service] 4.2.8.4 Remote Status Daemon (rstatd) [RPC Service] 4.2.8.5 Selection Service (selection_svc) [RPC Service] 4.2.8.6 Network File System Daemon (nfsd) [RPC Service] 4.2.8.7 Remote Procedure Call Status Daemon (RPC.statd) [RPC Service] 4.2.8.8 Network Information Service Daemon (ypserv) [RPC Service] 4.2.8.9 NIS Password Daemon (yppasswdd) [RPC Service] 4.2.8.10 NIS Update Daemon (ypupdated) [RPC Service] 4.2.9 Network Basic Input/Output System (NetBIOS) [TCP/UDP Ports 137, 138 & 139] 4.2.10 Simple Network Management Protocol (SNMP) [UDP Port 161] 5. Operational Recommendations 5.1 Configuration Management 5.2 User Authentication 5.3 Passwords 5.4 Network Design APPENDICIES Appendix A: Appendix B: Appendix C: Appendix D: DNS Zone Transfer Information Compromised Account Information NFS Vulnerability Information NetBIOS Vulnerability Information
Vulnerability Database PatchAdvisor s vulnerability database is a powerful companion tool provided with our vulnerability assessment report. Security managers and administrators will find it to be a valuable resource for managing the remediation process. All systems identified during an assessment are entered into the database. The database offers an easy to use graphical menu system. Security administrators can select from various views to easily determine vulnerabilities on a single system or across the enterprise. Using the database, administrators can track the vulnerability remediation process, quickly determine system policy compliance, identify rogue systems and, as new vulnerabilities arise, security administrators will be able to use this information to determine how vulnerable the environment is to new attacks.
Technical Team - Our technical team members have significant expertise in the large-scale network security arena. They have performed network vulnerability assessments and provided emergency incident response and law enforcement liaison services in a variety of environments. Combined, our team has written or contributed to over 7 books on information security and the Internet, have presented at over 80 professional conferences and have provided expert commentary for programs such as 60 Minutes, and have been featured on television world-wide on stations such as CNN, MSNBC, BBC and NHK. Our technical team members have performed hundreds of assessments of systems for government, commercial, and international clients. Our engagements have ranged from the assessment of a dual-dmz Internet-based electronic commerce application network, its servers and firewalls, to the complete assessment of a worldwide multi-billion dollar corporation with over 60,000 live IP addresses. This latter organization had a mixed TCP/IP, IPX, and SNA network including administrative networks, design systems, manufacturing floor networks, field office networks and manufacturing networks in cities around the world.
The matrix below shows a breakdown of our experience by industry sector: INDUSTRY SECTOR Design Review Vulnerability Assessment Incident Response Training ISP Telecom Education Medical Finance Energy Government Summary PatchAdvisor provides exceptional technical vulnerability assessments and invaluable management tools to our clients. Our reports provide executive summary, full network host identification, a wealth of vulnerability information, and comprehensive results of internal and external exploitation attempts as well as prioritized recommendations for remedial actions. Administrators will be able to take immediate steps to reduce vulnerabilities in their environment upon receiving our report. Management will be able to understand the current vulnerability state of the network and make critical decisions on how to address enterprise-wide issues based on prioritized recommendations. Our database provides an additional tool that will assist with tracking and reporting on remediation efforts. Armed with these outputs administrators and managers will be able to take immediate action as well as develop a roadmap towards an effective security program for their environment.