Vulnerability Scanning & Management



Similar documents
ITEC441- IS Security. Chapter 15 Performing a Penetration Test

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Information Technology Security Review April 16, 2012

Security Testing and Vulnerability Management Process. e-governance

1 Scope of Assessment

NETWORK PENETRATION TESTING

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

Demystifying Penetration Testing for the Enterprise. Presented by Pravesh Gaonjur

An Introduction to Network Vulnerability Testing

Introduction to Laboratory Assignment 3 Vulnerability scanning with OpenVAS

Guide to Vulnerability Management for Small Companies

Vulnerability Assessment and Penetration Testing. CC Faculty ALTTC, Ghaziabad

Penetration Testing Workshop

Enterprise-Grade Security from the Cloud

NETWORK PENETRATION TESTS FOR EHR MANAGEMENT SOLUTIONS PROVIDER

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

!!!!!!!!!!!!!!!!!!!!!!

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

PENTEST. Pentest Services. VoIP & Web.

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

OCCS Procedure. Vulnerability Scanning and Management Procedure Reference Number: Last updated: September 6, 2011

The Nexpose Expert System

Kerem Kocaer 2010/04/14

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Information Security Office

ensuring security the way how we do it

The Trivial Cisco IP Phones Compromise

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula?

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

SCP - Strategic Infrastructure Security

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Medical Device Security Health Group Digital Output

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

8 Steps for Network Security Protection

PCI Security Scan Procedures. Version 1.0 December 2004

Unified Security Management (USM) 5.2 Vulnerability Assessment Guide

Basics of Internet Security

Security of IPv6 and DNSSEC for penetration testers

SECURITY. Risk & Compliance Services

A Decision Maker s Guide to Securing an IT Infrastructure

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Office of Inspector General

SAST, DAST and Vulnerability Assessments, = 4

HIPAA Risk Analysis By: Matthew R. Johnson GIAC HIPAA Security Certificate (GHSC) Practical Assignment Version 1.0 Date: April 12, 2004

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Cisco Security Optimization Service

Vulnerability Assessment

Payment Card Industry (PCI) Data Security Standard

End-to-End Application Security from the Cloud

The Value of Vulnerability Management*

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Security Testing Summary of Next-Generation Enterprise VoIP Solution: Unify Inc. OpenScape SBC V8

Vulnerability analysis

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak CR V4.1

VMware: Advanced Security

Application Security in the Software Development Lifecycle

CRYPTUS DIPLOMA IN IT SECURITY

Penetration Testing Report Client: Business Solutions June 15 th 2015

Client logo placeholder XXX REPORT. Page 1 of 37

Best Practices For Department Server and Enterprise System Checklist

Penetration Testing. Security Testing

IY2760/CS3760: Part 6. IY2760: Part 6

Chap. 1: Introduction

information security and its Describe what drives the need for information security.

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

Network Security Audit. Vulnerability Assessment (VA)

City University of Hong Kong. Information on a Course offered by Department of Electronic Engineering with effect from Semester A in 2012/2013

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

SANS Top 20 Critical Controls for Effective Cyber Defense

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

WHITEPAPER. Nessus Exploit Integration

Wireless Security and Healthcare Going Beyond IEEE i to Truly Ensure HIPAA Compliance

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Capture Link Server V1.00

Effective Penetration Testing Netwerk Guardian LLC

Penetration Testing in Romania

Hardware and Software Security

Information Technology Cyber Security Policy

Cyber Essentials. Test Specification

PKF Avant Edge. Penetration Testing. Stevie Heong CISSP, CISA, CISM, CGEIT, CCNP

Security and Vulnerability Testing How critical it is?

Vinny Hoxha Vinny Hoxha 12/08/2009

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report

Cisco Advanced Services for Network Security

Application Security Testing

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Internet Banking System Web Application Penetration Test Report

Transcription:

Vulnerability Scanning & Management (An approach to managing the risk level of a vulnerability) Ziad Khalil 1, Mohamed Elammari 2 1 Higher Academy, 2 Rogue Wave Software Ottawa, Canada Abstract Vulnerability scanners can reveal different vulnerabilities of a particular system, along with their respective risk levels. However, the veracity of the output is highly dependent on the tool used, as sometimes the estimated risks pertaining to different vulnerabilities do not reflect the reality, irrespective of whether a vulnerability is false positive or not. The paper introduces a process that can be adopted to manage risks related to the vulnerabilities identified by vulnerability scanning, focusing on the risk rate only. The work presented is based on a manual approach to vulnerability management in order to assign the most reliable risk rates to each one. Keywords: vulnerability scanning, vulnerability management. Introduction The ISO 27002 standard defines vulnerability as A weakness of an asset or group of assets that can be exploited by one or more threats [1]. In this context, vulnerability scanning can be understood as utilization of a computer program to identify vulnerabilities in networks, computer infrastructure or applications.

In line with the above, vulnerability management is the process in which vulnerabilities are identified and corresponding risks evaluated. This evaluation allows for the vulnerabilities to be addressed, thus removing the risk. Alternatively, the management of an organization may decide to formally accept the risk [2, 6]. In the aforementioned process, vulnerability scanner is an invaluable tool, as it facilitates scanning computers, computer systems, networks or applications for security vulnerabilities [7]. Common scanning tools include Security Profile Inspector (SPI), Internet Security Scanner (ISS), Security Analysis Tool for Auditing Networks (SATAN), Tiger, Sscan, Nmap, COPS, Tripwire [8-10], and Nessus Vulnerability scanner [3]. Vulnerability Scanning This paper presents a typical vulnerability scanning process conducted on a target using Nessus Vulnerability scanner. This is one of the security activities constantly performed in an organization. As a part of this ongoing initiative, the security engineers conduct vulnerability scanning and use the results produced by the scanner to assess the identified vulnerabilities and corresponding risks. This formation is subsequently used to produce a report comprising the results yielded by the automatic scanner and their evaluation. In some cases, the security engineers will go further and manually eliminate the false positive vulnerabilities. This data can be used as a proof of concept typically complementing exploitable tools such as Metasploit Framework [11, 12]. Similarly, more than one scanner can be used simultaneously, whereby comparison of their

respective results can yield valuable information regarding the likely risk rate of each vulnerability. However, even in such cases, the automatically generated vulnerabilities and their respective risks may not reflect those the organization recognizes, since each company has its own priorities and attitudes towards risks. For example, using Nessus on one of the servers of a Telecom company to obtain vulnerability and risk results of that server produces the outcomes summarized in Figure 1. Figure 1. Nessus scan output. As can be seen from Figure 1, Nessus assesses one vulnerability as Critical, three as Medium and further three as Low. In this paper, the focus is on the vulnerability rated as Critical, along with two with Medium, and one with Low risk. The Critical vulnerability is illustrated in Figure 2.

Figure 2. Critical vulnerability based on a Nessus scan. According to the scanner assessment, the Critical vulnerability identified on this particular server could be exploited by man-in-the-middle attack, indicating an internal risk. More specifically, this vulnerability is exploitable with Core Impact [Commercial Pentest framework] not shown in the figure. The two medium vulnerabilities are illustrated in Figure 3 and Figure 4. Figure 3. Unencrypted Telnet Server (Medium Risk Vulnerability)

Figure 4. DNS Server Spoofed Request Medium Risk Vulnerability. One of the three vulnerabilities deemed to pose low risk is illustrated Figure 5. Figure 5. X Display Manager Control (Low Risk Vulnerability) Vulnerability Management Discovering vulnerabilities is clearly important; however, this information is of little value if the associated risk to the business is not evaluated accurately. This section describes an approach that can be adopted to estimate the severity of all of the risks identified by the scanning process, allowing the management to make an

informed decision regarding actions to be taken with respect to each of the risks. Clearly, having an effective and efficient risk rating system in place will save time and eliminate subjectivity in prioritizing actions to be taken. As previously noted, a vulnerability that is critical to one organization may not be very important to another. Thus, when using the data provided by the scanner, it is useful to consider a basic framework that can be customized to meet the needs of the organization [4]. Approach Risk analysis is a very diverse and complex field and there is no uniform approach. The methodology presented here is based on a widely accepted mathematical expression, which tend to be relatively simple, allowing organizations to calculate and prioritize risks quickly. However, further modifications can be applied if necessary. Risk rating depends on many factors, some of which are discussed in the following section. The main risk rating factors are: 1. Technical Impact (I) 2. Access Range (G) 3. Ease of Discover (EoD) 4. Ease of Exploit (EoE) These can be used in the Risk Rating Formula:

R= The risk rating factors could be identified by many elements, for example: 3 = High, 2 = Medium, 1 = Low Ease with which vulnerabilities can be exploited: In terms of its exploitability, a vulnerability can be rated as Vulnerability on the wild (3), Commercial tools only (2), or Required skills (1). If the exploit vulnerability is available in the wild and the vulnerability could be exploited by an automated tool, the severity of the EoE will be High and will be denoted by 3. If use of commercial tools is necessary to exploit a particular vulnerability, the risk severity will be rated as Medium (2), while Low (1) risk is assigned to a vulnerability that requires skills to be exploited. Ease with which vulnerabilities can be discovered: How easily a vulnerability can be discovered can also be rated, whereby Difficult (1), Medium (2), and Easy (3) are typically assigned. Access Range factors: Each vulnerability can also be evaluated based on its range as, for example, Remote (3), Local (2), or Authenticated (1). If the vulnerability could accessed remotely then the severity is High (3), if the access is locally only, then the severity is Medium (2), and if the access requires authentication then the severity is Low (3).

Technical Impact factors: A particular vulnerability can also be evaluated based on its technical impact, whereby Full Control (3), Denial of Service (2), and Info (1) are usually assigned. If the vulnerability can be exploited to gain full access to the system, its severity is High (3), whereas if the impact will cause a denial of service, the severity will be deemed Medium (2). Finally, if exploiting a vulnerability would result in access to information only, the severity is Low (1). Risk Factor Element Value Full Control 3 Technical Impact (I) DOS 2 Info 1 Remote 3 Access Range (G) Local 2 Authenticated 1 Wild 3 Ease of Exploit (EoE) Commercial 2 Required Skills 1 Easy 3 Ease of Discover (EoD) Medium 2 Difficult 1 Table 1. Values for Risk Factors Once a value is assigned to each factor in the formula noted above, it can be applied to each vulnerability to calculate the associated risk rate.

Note: In many extant studies, Likelihood is recognized as one of the main factors, which is here presented as EoD+EoE. The Risk Rate Scale allows for classifying risks as Low, Medium or High, with corresponding values ranging from 2 to 6, as shown below. Risk Level 2 to <3 LOW 3 to <5 MEDIUM 5 to 6 HIGH Table 2. Risk Rate Scale The risk level of the vulnerabilities identified during the scanning process will be calculated based on the formula presented earlier. Risk Analysis As the most important vulnerability, the one rated as Critical is discussed first. SunSSH > CBC Plaintext Disclosure. In order to assign a risk level to this vulnerability, the factors used in the formula will be evaluated against the vulnerability. Many resources will be used to help assign severity to the factors. The impact of the above SSH vulnerability could lead to unauthorized access, unauthorized modification and disruption of service. Therefore, the severity of the technical impact is deemed High, i.e., I = 3

The Access Range of the vulnerability is Local [5], i.e., G = 2, while Ease of Discovery is considered easy, since the vulnerability could be identified by an automated tool, i.e., EoD = 3. However, as exploiting this vulnerability requires skills, EoE = 1. From the rating presented above, the risk level of the vulnerability can be calculated as: R= R= R=2.5+2=4.5 Based on the previous classification, this risk level is Medium. While Nessus rated this vulnerability as Critical, and many extant studies considered it as posing High Risk to the organization, here it is deemed only Medium Risk. However, as previously noted, this rating is based on a default configuration and the organization's situation will determine what this vulnerability's risk will be in practice. Unencrypted Telnet Server In this section, the first vulnerability deemed of Medium Risk is analyzed in detail. The remote Telnet server transmits traffic in cleartext, which can allow man-in-the-middle attacks, whereby company employees can eavesdrop on a Telnet session to obtain confidential information.

Given the above, the technical impact of this vulnerability is considered High (3), since the attacker can use the session data to take control of the system. In addition, Access range is Local (2), while the Ease of Discovery is easy (3), since using a free tool could be used to gain access to the session. Finally, the Ease of Exploit is rated as 3. Thus, the Risk can be calculated as: R= = 2.5+3 = 5.5 Based on the previous classification, this corresponds to High Risk Level. DNS Server Spoofed Request Amplification DDoS. This section pertains to the other Medium vulnerability. Based on the Nessus report, "The remote DNS server answers to any request. The remote DNS server could be used in a distributed denial of service attack." Thus, the Technical Impact is DOS (2). The Access Range is Remote (3). The Ease of Discovery is set at 2 and the Ease of Exploit is 1. Given the data above, the Risk equals: R= = 2.5+1.5= 4 Hence, the Risk is Medium.

X Display Manager Control Protocol (XDMCP) Detection Finally, one of the Low vulnerabilities is discussed in this section. XDMCP allows a UNIX user to remotely obtain a graphical X11 login (and therefore act as a local user on the remote host). The Technical Impact is thus 3, because attackers that gain the necessary credentials can obtain full access to the system. The Access Range is Remote (1). The Ease of Discovery is set at 2 and the Ease of Exploit is 1. The Risk can thus be calculated as: R= = 2+1.5= 3.5 This value corresponds to Medium risk. Justification for the Formula As a proof of concept that can provide justification for the formula used above, another vulnerability scan was conducted against the same server using OpenVAS vulnerability scanner [13]. The scan results did not align with those produced by Nessus. However, in this work the focus is on the risk level only. One of the vulnerabilities found by OpenVAS is X Display Manager Control Protocol (XDMCP). This vulnerability was rated by Nessus as Low Risk, while OpenVAS classified it as Medium Risk, as shown below.

Figure 6. OpenVAS classifies the X Display Vulnerability as Medium Risk Having the same vulnerability assigned a different risk rate could be confusing when it comes to managing and prioritizing risks. Thus, it is advisable that each organization adopts a customized formula appropriate to its level of risk aversion. This would allow those in the decision-making positions to focus on actions to be taken, while relying on a unified method to calculate the risks. After assessing the severity of all identified risks, the organization can prioritize them and determine the course of action associated with each. As a general rule, the most severe risks should be mitigated first. Conclusion Vulnerability scanning is one of the most important activities in penetration testing, and can be accomplished easily by employing many of the commercially available vulnerability scanners. However, this reliance on automated tools may cause companies to overlook the importance of vulnerability management process. In this work, a simple method for calculating risks associated with vulnerabilities was presented, which can be adopted without any additional cost. Its simplicity will hopefully encourage a greater

number of companies to manage the vulnerabilities and their associated risks more proactively. Having a customized risk rating methodology allows security administrators and penetration testers to identify and prioritize risks, in order to make decisions regarding the appropriate course of action regarding each risk (i.e., whether to fix, mitigate, transfer or accept those risks). References [1] ISO/IEC, "Information technology Security techniques Code of practice for information security management ISO/IEC 27002. [2] Palmaers, T., Implementing a Vulnerability Management Process. SANS Institute Reading Room, 2013. [3] Deraison, R., Nessus, Retrieved from http://www.nessus.org, July 2015. [4] OWASP, Retrieved from https://www.owasp.org/index.php/owasp_risk_rating_methodology. [5] OpenSSH UseLogin Vulnerability, Retrieved from http://www.securityfocus.com/bid/1334/info, June 2015. [6] Williams, A. and Nicollet, M., Improve IT Security with Vulnerability Management, Gartner ID Number: G00127481, July 2015. [7] Pfleeger, C. P., Security in Computing, Second Edition, Prentice Hall, 1997.

[8] Middleton, B., Using the Hacker's Toolbox, Retrieved from http://www.securitymanagement.com/library/000689.html, July 2015. [9] Cheswick, W. R. and Bellovin, S. M., Firewalls and Internet Security: Repelling the Wily Hacker, Addison Wesley, 1994. [10] Quinn, S., Unix Host and Network Security Tools, Retrieved from http://csrc.nist.gov/tools/tools.htm, June 2015. [11] O'Gorman, J., Devon, K. and Mati, A., Metasploit: the penetration tester's guide. No Starch Press, 2011. [12] Rahat, M. and Anwar, Z., "SWAM: Stuxnet Worm Analysis in Metasploit," Frontiers of Information Technology (FIT), 2011. IEEE, 2011. [13] OpenVAS Developers: The Open Vulnerability Assessment System (OpenVAS), Retrieved from http://www.openvas.org/, June 2015.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information