Vulnerability assessment best practices for enterprises

Measure Twice, Cut Once

Vulnerability Scanners and Scanning Parameters

Before continuing the discussion, I need to define a vulnerability scanner: a software application that assesses security vulnerabilities in networks or host systems and produces a set of scan results. However, because both administrators and attackers can use the same tool for fixing or exploiting a system, administrators need to conduct a scan and fix problems before an attacker can do the same scan and exploit any vulnerability found.

The benefits of a vulnerability scanner are, first, that it allows early detection and handling of known security problems. By employing ongoing security assessments using vulnerability scanners, it is easy to identify security vulnerabilities that may be present in the network, from both the internal and external perspective.

Second, a new device or even a new system might be connected to the network without authorization. A vulnerability scanner can help identify rogue machines that might endanger overall system and network security.

Third, a vulnerability scanner helps verify the inventory of all devices on the network. The inventory includes the device type, operating system version and patch level, hardware configurations, and other relevant system information. This information is useful in security management and tracking.

Vulnerability scanners have several drawbacks: (1) They can only assess a "snapshot in time" in terms of a system's or network's security status. Therefore, scanning needs to be conducted regularly because new vulnerabilities can emerge or system configuration changes can introduce new security holes. (2) They can only report vulnerabilities according to the plugins installed in the scan database. They cannot determine whether the response is a false negative or a false positive. Human judgment is always needed in analyzing the data after the scanning process. (3) They are designed to discover known vulnerabilities only. They cannot identify other security threats, such as those related to physical, operational, or procedural issues.

Vulnerability scanners can be divided broadly into two groups: network-based scanners that run over the network and host-based scanners that run on the target host itself.

Network-Based Scanners

A network-based scanner is usually installed on a single machine that scans a number of other hosts on the network. It helps detect critical vulnerabilities, such as misconfigured firewalls, vulnerable web servers, risks associated with vendor-supplied software, and risks associated with network and systems administration.

Different types of network-based scanners include: port scanners that determine the list of open network ports in remote systems, web server scanners that assess the possible vulnerabilities in remote web servers (e.g., potentially dangerous files or CGIs), and web application scanners that assess the security aspects of web applications running on web servers (e.g., cross-site scripting and SQL injection). It should be noted that web application scanners cannot provide comprehensive security checks on every aspect of a target web application. Additional manual checking (e.g., whether a login account is locked after a number of invalid login attempts) might be needed to supplement the testing of web applications.

One of the most popular network-based scanners is Nessus. Nessus is a network scanning tool that was developed by Tenable Network Security. This software offers a variety of functionalities, such as vulnerability scanning, system configurations auditing, malware detection, and web application scanning.

Nessus supports the widest range of systems and devices and includes the latest security tests for available security patches, disclosed vulnerabilities, and common worms. This software enhances network inventory with advanced features like asset discovery, multi-network scanning support, and automated scans. If you are interested in trying Nessus, you can find it at: http://www.tenable.com/products/nessus-vulnerability-scanner.

Another popular network-based scanner is BeyondTrust's Retina Network Security Scanner. BeyondTrust's Retina Network Security Scanner is a vulnerability assessment solution program that offers continuous observation to strengthen enterprise security by identifying IT asset vulnerability and sensitive data across detersive environments. It also covers priority-based risk assessment from small to large environments by realizing optimal network performance and scanning network devices, operating systems, applications, and databases without affecting the network availability or performance.

Retina NSS can be deployed as a standalone vulnerability scanner or distributed throughout an environment. It can also be integrated with Retina CS for enterprise deployments. To know the required system and hardware specs to run this tool, visit the following link for a free trial: http://www.beyondtrust.com/Modal/trial/retina-network-security-scanner.

Host-Based Scanners

A host-based scanner is installed on the host to be scanned and has direct access to low-level data, such as specific services and configuration details of the host's operating system. It can therefore provide insight into risky user activities, such as using easily guessed passwords or even no password. It can also detect signs that an attacker has already compromised a system, including looking for suspicious file names, unexpected new system files or device files, and unexpected privileged programs. Host-based scanners can also perform baseline (or filesystem) checks. Network-based scanners cannot perform this level of security check because they do not have direct access to the filesystem on the target host.

A database scanner is an example of a host-based vulnerability scanner. It performs detailed security analysis of the authorization, authentication, and integrity of database systems and can identify potential security exposures in database systems, ranging from weak passwords and security misconfigurations to Trojan horses.

Nessus and Retina can be used locally to conduct host-based scanning. One other free tool that can assist with host-based scanning is Nmap. Nmap includes the following features:

  • Active port scanning: allows you to scan and discover open ports on specific networks/hosts.
  • Host discovery: lets you identify potential hosts that are responding to network requests.
  • OS detection: used to discover the operating system name and version, along with network details where the host is running.
  • Application version detection: nmap can also determine what applications are running, along with the version numbers.

Download Nmap at: https://nmap.org/.

Deployment Practices

Whether a network-based scanner is located in front of or behind the firewall will have an effect on the scan result. Scanning an internal network from outside the firewall will only detect services that are available to the outside, but not vulnerabilities within the internal network that cannot be seen because of the protections provided by the firewall. On the other hand, scanning DMZ hosts from the inside might not provide a complete picture of the security position. Therefore, both external and internal scanning should be conducted to build a more complete picture.

Network-based port scanning detects which ports are available (i.e., being listened to by a service). Because open ports could imply security weaknesses, port scanning is one of the basic reconnaissance techniques used by attackers. Therefore, security scanning should always include port scanning. However, some vulnerability scanners have a predefined default port range set (e.g., from port 0 to 15000). System administrators should be aware of these default settings and ensure all necessary ports are scanned.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Tested – Tenable Nessus v6
    To ensure your servers and workstations are well protected against attacks on your network, you need a professional security scanner. In version 6, Tenable has substantially expanded its Nessus vulnerability scanner. We pointed the software at a number of test computers.
  • Open Source Security Information and Event Management system
    Systems, network, and security professionals face a big problem managing disparate security data from a variety of sources. OSSIM gives IT security professionals the capacity to cut through the noise and gain wisdom and foresight in defending and managing their networks.
  • Security issues when dealing with Docker images
    Although developers appreciate Docker's ease of use and flexibility, many admins are worried about vulnerabilities. We look at various approaches to securing container images and the price to be paid.
  • Managing Port Scan Results with Dr. Portscan

    Regularly scanning the ports on your own network prevents intruders from sneaking in, but if you have dozens or hundreds of servers, you’ll need professional help: Dr. Portscan to the rescue.

  • BackTrack Linux: The Ultimate Hacker's Arsenal

    Penetration Testing and security auditing are now part of every system administrator's "other duties as assigned." BackTrack Linux is a custom distribution designed for security testing for all skill levels from novice to expert.

comments powered by Disqus