There are two methodologies used for performing vulnerability assessment, whether
the goal is patch assessment or compliance verification. One philosophy revolves around the
need to penetrate a system to prove its vulnerability and the other uses available
information to postulate the status of the vulnerability. Longstanding discussions have
centered on the merits of either type of scanning, as well as their potential liabilities.
In summary, since a vulnerability assessment scanner emulates an attack, each of
these methods mirrors an attacker’s style for compromising a host.
Without a doubt, there are some merits to this smash-and-grab approach. By using a
script to automate an attack, a penetration scenario where machine access is attainable proves that the device was vulnerable
to an attack and ultimately could be compromised. However, utilizing this approach is problematic in that the audit trail is
incomplete and potentially creates more questions than answers. For example, many attack scripts available on the Internet are
flawed and can result in a false sense of security in the form of a false negative.
That is, they do not function as desired even if the system being targeted is truly exploitable. Unsuccessful penetration tests
based on potentially bad scripts can give a false sense of security. Vulnerability assessment tools that use intrusive scripts can
be harmful because they leave the system open to future attacks that would normally not be exploitable or worse, deny critical
business functions from operating correctly. Smash-and-grab vulnerability testing has a propensity to disable services for the
duration of the attack. This means that while a service is under attack, that service may not be available for its normal use and
an entire network can be immobilized, blue screened, or worse, the attack could penetrate the network and create a new risk
surface for real attacks.
Finally, perhaps the biggest argument against smash-and-grab testing is that it creates a corrupt testing environment. By directly
performing attacks against a system being audited, the attack script can push the system into an unknown state—or completely
disable it—making the remote system useless for further testing and virtually eliminating the possibility of attaining detailed
vulnerability reports against this device from future tests.
Retina Network Security Scanner®
When selecting a non-intrusive vulnerability assessment solution, administrators need to be cautious in their use of scanning
with freeware and “tools” that are not rigorously tested and supported. Using these products can be dangerous and result in
accidental smash-and-grab testing that can disable a network unintentionally. As an example, an audit that was thought to be
safe was actually intrusive. Consider the RFPoison attack check used by some scanning tools. While eEye’s Retina Network
Security Scanner (RNSS) passively probed machines to determine if they would be vulnerable to this attack, other vendors
approached this audit with an intrusive check and classified the RFPoison audit as a “dangerous plugin”. This audit was originally
introduced as non-intrusive and not flagged as “dangerous”. Unfortunately this led to the accidental blue screening of machines
by auditors using these tools. Imagine scanning your environment with an allegedly safe audit, and the results cripple the entire
environment. In contrast, RNSS does not include any dangerous audits in its checks and auditors can successfully identify and
patch a host without any appreciable risk to the environment. RFPoison susceptible machines could have been identified without
business interruption. Tools that rely on intrusive scans carry a risk that eEye Digital Security solutions do not bear.
The only potential downside associated with non-intrusive scanning is in the way the information is analyzed after performing a
scan. Intrusive systems provide immediate results after a targeted attack, successful or unsuccessful. Non-intrusive solutions
require the results to be correlated and the status interpolated based on the retrieved data. A solid reporting, analysis, and
remediation process is needed to turn the results into functional business benefits. Scanning tools that simply provide an
unmanageable list of vulnerabilities without proper details and corrective actions tend to complicate the process. RNSS provides
complete reporting, data export, and the ability to use a central management console to aggregate results for any size environment.
In addition, all data is stored in a database for further interrogation and exportable in near real time to a SIM, NMS,
or call center.
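To make the correlation step concrete, the following is an added example (not eEye or Retina code) of how a non-intrusive assessment postulates vulnerability status from already-collected data rather than by attacking the service: it parses service banners, compares the reported version against an advisory list, and emits per-finding evidence, status and corrective action plus an aggregate summary. Every product name, version, banner, host address and advisory identifier in it is constructed for illustration; none refers to a real product or advisory.

```python
"""Non-intrusive vulnerability inference from collected service banners.

Added example, not eEye/Retina code. Products, versions, advisory IDs,
hosts and banners below are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder id, not a real CVE
    product: str       # product name exactly as it appears in the banner
    fixed_in: Version  # first version that carries the fix
    remediation: str   # corrective action that goes into the report


# Constructed advisory database (hypothetical products and versions).
ADVISORIES: List[Advisory] = [
    Advisory("ADV-EXAMPLE-001", "ExampleHTTPd", (2, 4, 10),
             "Upgrade ExampleHTTPd to 2.4.10 or later"),
    Advisory("ADV-EXAMPLE-002", "ExampleSSH", (7, 9),
             "Upgrade ExampleSSH to 7.9 or later"),
]

# Matches banners of the form "Product/1.2.3 ..." (constructed convention).
BANNER_RE = re.compile(r"^([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'2.4.7' -> (2, 4, 7); tuples compare component-wise in Python."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(banner: str) -> Optional[Tuple[str, Version]]:
    """Extract (product, version) from a banner, or None if unrecognised."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return m.group(1), parse_version(m.group(2))


def assess_host(host: str, banners: Dict[int, str],
                advisories: List[Advisory]) -> List[dict]:
    """Correlate each banner against the advisory list; the service is never touched."""
    findings: List[dict] = []
    for port, banner in sorted(banners.items()):
        parsed = parse_banner(banner)
        if parsed is None:
            # The audit trail records that nothing could be inferred here,
            # which is the case non-intrusive scanning must surface for review.
            findings.append({"host": host, "port": port, "advisory": None,
                             "status": "unknown", "evidence": banner,
                             "remediation": "Manual review: banner not recognised"})
            continue
        product, version = parsed
        for adv in advisories:
            if adv.product != product:
                continue
            status = "vulnerable" if version < adv.fixed_in else "patched"
            findings.append({"host": host, "port": port,
                             "advisory": adv.advisory_id, "status": status,
                             "evidence": banner,
                             "remediation": adv.remediation
                             if status == "vulnerable" else "None required"})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Aggregate findings by status, as a central console would."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


# Constructed banner inventory, e.g. output of an earlier banner-collection step.
SAMPLE_BANNERS: Dict[str, Dict[int, str]] = {
    "10.0.0.5": {80: "ExampleHTTPd/2.4.7 (Unix)", 22: "ExampleSSH/8.1"},
    "10.0.0.6": {80: "ExampleHTTPd/2.4.10", 2222: "ExampleSSH/7.4"},
    "10.0.0.7": {8080: "220 ready"},
}


def run_assessment(inventory: Dict[str, Dict[int, str]] = SAMPLE_BANNERS,
                   advisories: List[Advisory] = ADVISORIES) -> List[dict]:
    """Assess every host in the inventory and return the flat finding list."""
    findings: List[dict] = []
    for host, banners in inventory.items():
        findings.extend(assess_host(host, banners, advisories))
    return findings


if __name__ == "__main__":
    results = run_assessment()
    for f in results:
        print(f"{f['host']}:{f['port']:<5} {f['status']:<10} "
              f"{f['advisory'] or '-':<16} {f['remediation']}")
    print(summarize(results))
```

Two design points follow directly from the text above. The "unknown" status is what interpretation looks like in practice: a banner the correlation logic cannot read is reported as a gap with a review action, not silently dropped. And the version comparison is an inference, not proof; a vendor that backports a fix without changing the advertised version would appear vulnerable here, which is exactly why a non-intrusive result needs the analysis and remediation process the paragraph describes rather than being taken as a verdict on its own.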
Except in extreme cases, locating a vulnerability and fixing it is far more important than proving its exploitability.
As a result, administrators and engineers can defend their critical assets without putting them in the line of fire from potentially
disruptive tests. By giving network support staff timely and accurate information about existing vulnerabilities, remediation
time can be vastly improved and accurate security states assessed without creating any unnecessary additional security risks
or business interruptions. As with all security processes and regulatory compliances, this should be repeated often to keep
administrators abreast of the organization’s current network vulnerability status and threat level.
For a free trial of Retina Network Security Scanner (RNSS), please visit the eEye Website at: www.eEye.com