Vulnerability Scanning

This month's topic is about how to approach security vulnerability scanners and how they fit into a full ISO 17799 based security assessment.

I am often on my security soapbox talking about how good security testing tools are an absolute necessity for information security success. This is especially true for operating system, web application and database vulnerability scanners. Security testing tools are quick and efficient and they can root out security weaknesses in your Operating Systems (OS) and applications that can take even the most seasoned security expert days or weeks to find. But you've got to take what they find and what they rank as vulnerabilities with a grain of salt. What vulnerability scanners find isn't always reality, they have to be interpreted and analyzed correctly.

Vulnerability scanners return information that the vendors think are important. The problem is that many of the vulnerabilities found and ranked as high, medium or low priority may not really apply to your environment. A glitzy report containing security weaknesses looks good, but it is likely not in your organization's best interest. I will sometimes come across issues that are flagged as "Level 5" or "Critical Priority", that really have no immediate impact in the environment that I am performing the test.

They have included the following issues:

• Windows shares that are accessible only when logged into the Operating Systems or network protocol problems that have no known patch or fix;
  
  
• Default manual pages and other "readme" files found on Web servers that are of no value to an attacker;
  
  
• Cross-site scripting and SQL injection vulnerabilities that don't really exist;
  
  
• Essential network protocols such as RPC and ICMP.
  
  

Separating fact from fiction is all about context and what was being tested at the time, where it was being tested from, how it was being tested, who you were logged in as, why the vulnerability is exploitable, and whether or not there is a viable fix. This is where you can educate others on the fact that you can't lock everything down completely. There will always be a certain level of security risk that must be accepted by the owner.

With this in mind, here are some tips to incorporate in your daily routine:

1. If your scanning tool flags something as a serious issue but it is not exploitable by a security framework suite like Metasploit or Core Impact, then it's probably not as urgent or as critical as first perceived;
   
   
2. Know your network infrastructure and application environment. Work on knowing how everything on your network (routers, firewalls, workstations, servers, applications and databases) works together. This means creating and maintaining that ever elusive network diagram and change control plan;
   
   
3. Use a good set of vulnerability scanning tools (i.e., one for operating systems, one for Web applications and one for databases);
   
   
4. Focus on the urgent and important vulnerabilities that the scanners discover. Fix the vulnerabilities on your most critical systems that can be exploited with serious consequences right now;
   
   
5. Always work toward enhancing your technical skills. Read articles and books, listen to webinars and attend seminars and conferences. This knowledge will help you understand the risk that these vulnerabilities can have on your infrastructure;
   
   

There you have it. No matter how sophisticated your security scanning tools are and no matter what the vendors say, you're still going to need to get involved and use your knowledge of your network and information security in general to determine which issues need to be addressed and which ones don't apply. You need good tools but in the end there's no better tool than the human element and good old-fashioned security experience.

To respond to this or previous newsletters or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at mdesrosiers@m3ipinc.com.

Regards,

Michael Desrosiers
Founder & Principal Consultant
m3ip, Inc.
We Manage Risk, So You Can Manage Your Business
(O)508-995-4933
(C)774-644-0599
mdesrosiers@m3ipinc.com
http://www.m3ipinc.com

1 comment

More Articles by Michael Desrosiers

Click here to add your comments




Fri Aug 24 02:37:40 2007:   TonyLawrence


This reminded me of something I wrote some time ago: http://aplawrence.com/CS/security.html

That was about security consultants misidentifying threats,, a similar problem..




Don't miss responses! Subscribe to Comments by RSS or by Email

Click here to add your comments

If you want a picture to show with your comment, go get a Gravatar

Jump to Comments

Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.