Sunday, March 7, 2010

The value of vulnerability checks

Vulnerability scanning got its start as a tool for the bad guys; now it's helping companies find exposed network ports and at-risk applications.
Brian Robinson of IT Security

For something that can be such an effective weapon against those who want to do damage to a network it’s ironic that vulnerability scanning got its start as a tool for the bad guys. Before they can get into networks hackers need to know where the most vulnerable spots are in an enterprise’s security. That means using scanning tools to trawl for such things as open network ports or poorly secured applications and operating systems.

In the past few years these intentions have been turned around, to where scanning tools now give the guys in the white hats a good idea of where the vulnerabilities are and a chance to repair them before the hackers get there.

At least they provide the potential for that. The fact is, many companies don’t seem to be taking advantage of these tools or if they do have them, they are not making much use of them. Gartner Research believes as many as 85% of the network attacks that successfully penetrate network defenses are made through vulnerabilities for which patches and fixes have already been released.


Endless Exploits

Now there is the rapidly expanding universe of Web based applications for hackers to exploit. A recent study by security vendor Acunetix claimed that as many as 70% of the 3,200 corporate and non-commercial organization Web sites its free Web based scanner has examined since January 2006, contained serious vulnerabilities and were at immediate risk of being hacked.

A total of 210,000 vulnerabilities were found, the company said, for an average of some 66 vulnerabilities per web site ranging from potentially serious ones such as SQL injections and cross-site scripting, to relatively minor ones such as easily available directory listings.

“Companies, governments and universities are bound by law to protect our data,” said Kevin Vella, vice president of sales and operations at Acunetix. “Yet web application security is, at best, overlooked as a fad.”


Patch Patrol

Vulnerability scanners seek out known weaknesses, using databases that are constantly updated by vendors to track down devices and systems on the network that are open to attack. They look for such things as unsafe code, misconfigured systems, malware and patches and updates that should be there but aren’t.

They also have several plus factors. They can be used to do a “pre-scan” scan, for example, to determine what devices and systems there are on the network. There’s nothing so vulnerable as something no-one knew was there in the first place, and it’s surprising how often those turn up in large and sprawling enterprises.

Many scanners can also be set to scan the network after patches have been installed to make sure they do what they are supposed to do. What vulnerability scanners can’t do is the kind of active blocking defense carried out by such things as firewalls, intrusion prevention systems and anti-malware products though, by working in combination with them, vulnerability scanners can make what they do more accurate and precise.


Passive Aggressive

Vulnerability scanners come as either passive or active devices, each of which have their advantages and disadvantages. Passive scanners are monitoring devices that work by sniffing the traffic that goes over the network between systems, looking for anything out of the ordinary. Their advantage is that they have no impact on the operation of the network and so can work 24 x 7 if necessary, but they can miss vulnerabilities particularly on more quiet parts of a network.

Active scanners probe systems in much the way hackers would, looking for weaknesses through the responses devices make to the traffic the scanners send to them. They are more aggressive and in some ways more thorough than passive scanners, but they can cause service disruptions and crash servers.

Many people see the two as complementary and recommend using passive and active scanners alongside each other. The passive scanners can provide the more continuous monitoring, while active scanners can be used periodically to flush out the cannier vulnerabilities.


Software vs. Hardware

The scanners can also come as either software-based agents placed directly on servers or workstations, or as hardware devices. Host-based scanners can use up processor cycles on the system, but are generally considered more flexible in the kinds of vulnerabilities they can scan. The network-based scanners are plug-and-play hardware devices that are self-contained and need less maintenance than software agents.

The focus of vulnerabilities has been changing over the past several years. On the one hand, organizations have become savvier about protecting their networks and systems, and hackers have had a harder time penetrating those defenses. At the same time, as Web-based services have become the lifeblood of many witnesses, hackers have found a goldmine of potential exploits.

That’s because Web traffic flows back and forth primarily through Port 80 on a network, which has to be kept open if those Web-bases services are to be available to a company’s customers and business partners.

It’s a hard to defend weak spot in enterprise defenses, and once hackers gain access to Web applications they can use them to get information from databases, retrieve files from root directories, or use a Web server to send malicious content in a Web page to unsuspecting users.


Interpreting the Results

Vulnerability scanning works with Web applications by launching simulated attacks against those applications and then reports the vulnerabilities it finds with recommendations on how to fix or eliminate them.

However, as powerful an addition as vulnerability scanning can be to the overall security of an enterprise, some observers advise caution in interpreting those results.

Kevin Beaver, an independent security consultant with Atlanta-based Principal Logic, LLC, says it takes a combination of the vulnerability scanner and a human knowledge of the network and context in which the scans were carried out to accurately interpret the results.

Left to themselves, he says, scanners will tend to spit information that their vendors think is important. What’s also needed is an understanding of what was being tested at the time, how it was being tested, why the vulnerability is exploitable and so on. That will show whether vulnerabilities flagged as high priority actually are important in a particular user’s environment, and therefore whether it’s worthwhile putting in the effort to remediate them.

You absolutely need vulnerability scanners, Beaver said, because they take a lot of the pain out of security assessments.

“But you cannot rely on them completely,” he said. “A good tool plus the human context is the best equation for success.”

No comments:

Post a Comment