Retina® Network Security Scanner


Intrusive vs. Non-Intrusive Vulnerability Scanning Technology
By performing non-invasive tests companies can avoid disruption of service while a competent vulnerability assessment is being performed.

There are two methodologies used for performing vulnerability assessment regardless
of patch assessment or compliance verification. One philosophy revolves around the
need to penetrate a system to prove its vulnerability and the other uses available
information to postulate the status of the vulnerability. Longstanding discussions have
centered on the merits of either type of scanning, as well as their potential liabilities.
In summary, since a vulnerability assessment scanner emulates an attack, each of
these methods mirrors an attacker’s style for compromising a host.

The Smash-and-Grab: Taking the Low Road


Proponents of destructive security auditing (intrusive scanning) cite the ubiquitous
availability of attack scripts for vulnerability exploitation. They hypothesize that
attacking a system in exactly the same manner as a potential attacker yields the most
accurate results.

Without a doubt, there are some merits to this smash-and-grab approach. By using a
script to automate an attack, a penetration scenario where machine access is attainable proves that the device was vulnerable
to an attack and ultimately could be compromised. However, utilizing this approach is problematic in that the audit trail is
incomplete and potentially creates more questions than answers. For example, many attack scripts available on the Internet are
flawed and can result in a false sense of security in the form of a false negative.

That is, they do not function as desired even if the system being targeted is truly exploitable. Unsuccessful penetration tests
based on potentially bad scripts can give a false sense of security. Vulnerability assessment tools that use intrusive scripts can
be harmful because they leave the system open to future attacks that would normally not be exploitable or worse, deny critical
business functions from operating correctly. Smash-and-grab vulnerability testing has a propensity to disable services for the
duration of the attack. This means that while a service is under attack, that service may not be available for its normal use and
an entire network can be immobilized, blue screened, or worse, the attack could penetrate the network and create a new risk
surface for real attacks.

Finally, perhaps the biggest argument against smash-and-grab testing is that it creates a corrupt testing environment. By directly
performing attacks against a system being audited, the attack script can push the system into an unknown state—or completely
disable it—making the remote system useless for further testing and virtually eliminating the possibility of attaining detailed
vulnerability reports against this device from future tests.

The Smooth Caper: Taking the High Road


Disciplined attackers often choose to get as much information about a target as possible,
using deductive logic to pinpoint potential weaknesses within an organization and its
information technology assets. Proponents of this stealthy, smooth caper methodology
rely on the wealth of information from networked systems and infer an even
larger amount of information by making logical connections and assumptions based
on the available data. This includes everything from social engineering to knowing
the applications and vendors a business relies on. With this information, known
vulnerabilities and weaknesses are easy targets for the attacker to attempt an exploit.

In contrast to intrusive scanning techniques, information technology administrators
can utilize non-invasive or non-intrusive tests to locate potentially exploitable systems
before they become problematic. By performing non-invasive tests, companies can
avoid disruption of service while a comprehensive vulnerability assessment is being
performed. Attackers utilize comparable techniques to gently probe for vulnerabilities
without creating systematic downtime or setting off IPS, IDS, and firewall alert sensors. Organizations can employ
the same non-intrusive technology to gather large amounts of information and follow a best-practice dissection of
vulnerability data to determine the risk to an environment. This process is often repeated in cycles to further refine and reinforce the
findings. Likewise, the same process is used to verify that remediation efforts were successful and the vulnerability is no longer
a threat. By getting a clear picture of the complete architecture, a business can better identify weaknesses in the network and in
corporate policies, and proactively prevent intrusions and business interruptions.

When selecting a non-intrusive vulnerability assessment solution, administrators need to be cautious about scanning
with freeware and “tools” that are not rigorously tested and supported. Using these products can be dangerous and result in
accidental smash-and-grab testing that can disable a network unintentionally. As an example of an audit that was thought to be
safe but was actually intrusive, consider the RFPoison attack check used by some scanning tools. While eEye’s Retina Network
Security Scanner (RNSS) passively probed machines to determine if they would be vulnerable to this attack, other vendors
approached this audit with an intrusive check and classified the RFPoison audit as a “dangerous plugin”. This audit was originally
introduced as non-intrusive and not flagged as “dangerous”. Unfortunately, this led to the accidental blue screening of machines
by auditors using these tools. Imagine scanning your environment with an allegedly safe audit, and the results cripple the entire
environment. In contrast, RNSS does not include any dangerous audits in its checks, and auditors can successfully identify and
patch a host without any appreciable risk to the environment. RFPoison-susceptible machines could have been identified without
business interruption. Tools that rely on intrusive scans carry a risk that eEye Digital Security solutions do not bear.

The only potential downside associated with non-invasive scanning is in the way the information is analyzed after performing a
scan. Intrusive systems provide immediate results after a targeted attack, successful or unsuccessful. Non-intrusive solutions
require the results to be correlated and the status interpolated based on the retrieved data. A solid reporting, analysis, and
remediation process is needed to turn the results into functional business benefits. Scanning tools that simply provide an
unmanageable list of vulnerabilities without proper details and corrective actions tend to complicate the process. RNSS provides
complete reporting, data export, and the ability to use a central management console to aggregate results for any size
environment. In addition, all data is stored in a database for further interrogation and is exportable in near real time to a SIM, NMS,
or call center.
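The inference and re-scan cycle described above, as an added example that is not part of the original paper and is not Retina's own logic: it classifies hosts from banner data already collected, without sending any exploit traffic, and compares two scan cycles to confirm remediation. The product names, advisory IDs, fixed versions and addresses are constructed placeholders.

```python
import re

# Constructed advisory table: product -> (placeholder advisory ID, first fixed version).
ADVISORIES = {
    "exampleftpd": ("ADVISORY-PLACEHOLDER-1", (2, 3, 5)),
    "examplehttpd": ("ADVISORY-PLACEHOLDER-2", (1, 8, 0)),
}
BANNER_RE = re.compile(r"(?P<product>[A-Za-z]+)[/ ](?P<version>\d+(?:\.\d+)*)")

# Constructed sample data: service banners from two scan cycles.
CYCLE_1 = {"192.0.2.5": "220 ExampleFTPd 2.3.1 ready",
           "192.0.2.6": "Server: ExampleHTTPd/1.7.9",
           "192.0.2.7": "SSH-2.0-Unrecognized"}
CYCLE_2 = {"192.0.2.5": "220 ExampleFTPd 2.3.5 ready",
           "192.0.2.6": "Server: ExampleHTTPd/1.7.9",
           "192.0.2.7": "SSH-2.0-Unrecognized"}

def parse_banner(banner):
    """Extract (product, version tuple) from a banner, or None if unrecognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    version = tuple(int(p) for p in m.group("version").split("."))
    return m.group("product").lower(), version

def infer_status(banner):
    """Infer vulnerability status from the banner alone; keep it as evidence."""
    parsed = parse_banner(banner)
    if parsed is None or parsed[0] not in ADVISORIES:
        return {"status": "unknown", "evidence": banner}
    advisory, fixed = ADVISORIES[parsed[0]]
    # "likely": a banner can hide a backported fix, so this is an inference.
    status = "likely-vulnerable" if parsed[1] < fixed else "not-affected"
    return {"status": status, "advisory": advisory, "evidence": banner}

def compare_cycles(before, after):
    """Correlate two scan cycles and report the remediation state per host."""
    report = {}
    for host, old_banner in before.items():
        old = infer_status(old_banner)["status"]
        new = infer_status(after.get(host, ""))["status"]
        if new == "likely-vulnerable":
            report[host] = "still-vulnerable"
        elif new == "unknown":
            report[host] = "needs-review"
        elif old == "likely-vulnerable":
            report[host] = "remediated"
        else:
            report[host] = "ok"
    return report
```

Hosts that land in `needs-review` are the ones where the retrieved data does not support an inference either way and an analyst has to look.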

The Clear Choice


Unquestionably, non-intrusive scanning offers quantifiable benefits and dramatically less risk than the unpredictable
smash-and-grab methodology of intrusive scanning. Most organizations are ill-equipped to properly manage an intrusive
penetration test scenario, especially those without replicated test networks. The potential damage created by intrusive
scanning could outweigh the benefits of an actual detection if the auditors are not careful. Furthermore, the comprehensive
audit and remediation trail created by non-intrusive scanning will create a reliable and hardened infrastructure in a much
quicker timeframe. Quantifiable and repeatable results will come with a definitive action plan to correct the vulnerability and
assist with any patch assessment and compliance requirements.

The bottom line in opting for non-intrusive testing is quite simple:

Except in extreme cases, locating a vulnerability and fixing it is far more important than proving its exploitability.

As a result, administrators and engineers can defend their critical assets without putting them in the line of fire from potentially
disruptive tests. By giving network support staff timely and accurate information about existing vulnerabilities, remediation
time can be vastly improved and accurate security states assessed without creating any unnecessary additional security risks
or business interruptions. As with all security processes and regulatory compliance efforts, this should be repeated often to keep
administrators abreast of the organization’s current network vulnerability status and threat level.

For a free trial of Retina Network Security Scanner (RNSS), please visit the eEye Website at: www.eEye.com

About eEye Digital Security


eEye Digital Security is pioneering a new class of security products: integrated threat management. This next generation of security
detects vulnerabilities and threats, prevents intrusions, protects all of an enterprise’s key computing resources, from endpoints to
network assets to web sites and web applications, all while providing a centralized point of security management and network
visibility. eEye’s research team is consistently the first to identify new threats in the wild, and our products leverage that research to
deliver on the goal of making network security as easy to use and reliable as networking itself. Founded in 1998 and headquartered
in Orange County, California, eEye Digital Security protects more than 9,000 corporate and government organizations worldwide,
including half of the Fortune 100. For more information, please visit www.eEye.com

To learn more, please visit www.eeye.com or call 866.282.8276
