The ins and outs of network vulnerability assessments. A veritable how-to-use this valuable tool in the information security arsenal.

1. Maximum Assurance: Key Decision Points for Network Vulnerability Assessments from the Maximum Assurance Series

2. Objective The Maximum Assurance presentations are intended to unambiguously define and provide guidance on key decision points for Security Assessment activities that an organization may use to gain assurance to their security posture Terms Used to Communicate Activities Methodology (actions/steps/rationale) Scope (matching activity to objective) Key Decision Points Value Proposition (Assurance level)

3. Quick Overview: Network Vulnerability Assessment (NVA) Systematic examination of network attached devices (e.g., computer, router) to identify vulnerabilities in design/ configuration that may cause negative impact Vulnerabilities generally result from default configuration weakness, configuration errors, security holes in applications, missing patches NVA’s are often the first step in a Penetration Test but may also be used as a stand-alone test NVA’s provide significant value for both public and private networks/systems NVA’s are conducted by a network scanner (a purpose built computer) and generally include very little human involvement NVA’s are a good way to rapidly assess the efficacy of your vulnerability management program (e.g., patch/configuration management) NVA’s are prone to false positives NVA’s can provide a staggeringly high amount of information in a moderate or larger environment

4. Discrete Components of an NVA An NVA actually incorporates a number of discrete steps: Scoping – What network segments should I analyze? Discovery – What devices are out there? Port Scanning – What “ports” on the devices are “open” and willing to converse on? Vulnerability Detection – For the “services” (generally OS layer applications (e.g., telnet)) discovered are there problems with the configuration or version of that software that make it vulnerable? Advanced Techniques – Credentialed Scanning, Content Scans, etc. Reporting – Communicating the results of the NVA – preferably in a manner that is: Readily understood by management and technical resources Easily interpreted Actionable

5. Key Decision Points: Scoping Scoping (which/how many systems/network segments) and Extent/Rigor (what level of sampling and how in depth the scan is) is always based on objective of the test and should be proportional to risk Significant benefit to sampling across system types, network segments by function/geography to reduce data overload but gain representative data Scanning a statistically relevant lower number of systems with greater depth maximizes assurance Leverage the information gained in the statistical sampling across the entire environment during the mitigation phase If warranted, post mitigation run a secondary “confirmatory” scan across a different or wider sampling to confirm the efficacy of the mitigation efforts and provide a higher level of assruance.

6. Key Decision Points: The Discovery Phase Black/Grey/White Hat Posture: Unless one of the objectives of the activity is to validate that obfuscation/cloaking efforts are successful there are significant benefits to White Hat (providing the group conducting the scan the addresses to be scanned) It is less time consuming/expensive It is more accurate For example, many VA Scanners will do a simple “ping” test to discover hosts which will miss any Windows XP desktop running the Windows Firewall

7. Key Decision Points: Port Scanning Ports are “addresses” that different services (applications) listen/process input on By default, many Vulnerability Scans will only be run on those ports that are commonly used or assigned ports (0 thru 1024) This approach saves time but will miss vulnerabilities in any applications using other ports including malware and back-doors as there are 65,535 ports By default, many Vulnerability Scans will only be run on TCP ports This approach saves time but will miss vulnerabilities associated with all services that respond on UDP as well If you run a high risk environment, will be scanning through a firewall, or are testing your incident response – you may want to incorporate more advanced port scanning methods (e.g., TCP FIN scans) to maximize the level of assurance that you achieve from your testing

8. Key Decision Points: Vulnerability Detection Operating Systems and applications/versions are inferred by the answers the host gives to the scanner By default, most scanners are set to “trust” the answers and act accordingly This can significantly reduce the assurance provided as the hosts may (un) intentionally give the vulnerability scanner bad information (e.g., I'm running an Apache Web Server -when it is actually running IIS) as a trusting scanner will not look for IIS Vulnerabilities at that point Running in a “don’t trust the answers you get mode” increases the accuracy/assurance that you receive from an NVA Scanners only scan based on the library of OS, application, and vulnerability signatures that it is aware of Use a well regarded scanner and ensure that it is updated immediately before the scan takes place Some vulnerability checks have a higher probability of negatively impacting systems so defining if these checks should be run is critical

9. Key Decision Points: Vulnerability Detection If one of the objectives of a vulnerability scan is to gauge the effectiveness of an organizations Incident Detection and Incident Response Programs or Intrusion Prevention systems By default, most scanners are set to maximize speed Open as many connections to as many machines in the shortest time frame possible This makes them very “noisy” and easily detected /blocked Where assurance regarding Incident Detection /Prevention is intended a phased approach initiated from a a covert modality (intended to hide scanning activities by spreading them over greater periods of time and employing cloaking/evasive countermeasures) and gradually decrementing the evasiveness level is required For maximum assurance it is best to run Vulnerability Assessments with the IPS system in place and disabled Assurance that the IPS is operating as intended Assurance that if the IPS should fail or be evaded that the other security mechanisms are operating as intended

10. Key Decision Points: Advanced Techniques Key new capabilities introduced in ‘08 & ‘09 Credentialed Scans Content Scans Passive Scans

11. Key Decision Points: Credentialed Scanning Credentialed scans run as an administrative level user Much more accurate – Applications/version can be exactly determined Much greater depth – Can see patch history, system logging settings, full password settings) Can measure compliance against a standard (e.g., CIS, PCI, or corporate) Greater time/cost to run generally offset by the reduction in false positives and simplified remediation

12. Key Decision Points: Content Scanning Because a Credentialed scans run as an administrative level user we can extend it to look at the “content” Does the machine contain? Credit Card Data, Pornography, Medical Records, Social Security Numbers, Customer Records, Intellectual Property Can measure compliance against relevant standards HIPAA, PCI, Sarbanes Oxley, Identify Theft Regulations Greater time/cost to run generally offset by the increased assurance

13. Key Decision Points: Passive Scanning Standard NVA’s are “active” in that they are based on inquiry and response NVA’s can crash services or systems In “mission critical” environments (e.g., a power plant or bank trading floor) this risk may not be acceptable Passive Scanning does not “inject” any traffic into the network – it just listens (sniffs) to existing traffic Provides assurance in an environment without any risk of disrupting service Only identifies vulnerabilities for services that are actively communicating Greater time/cost to run generally offset by gathering assurance where it was previously not feasible