The environments in which we all work have become more complicated
as the years have passed, and one of the outcomes is that they are far
more difficult to test for vulnerabilities. In the many years since
Dan Farmer and Wietse Venema wrote their seminal paper, "Improving the
security of your site by breaking into it," the process of security
testing has both improved and become more difficult.
Today, unlike when Farmer and Venema wrote their paper, we actively
invite strangers into our networks. Well, not exactly all the way in,
but far enough to cause concern if the perimeter is not very secure.
Never before has the notion of layered security been more important.
Recently, I performed some testing on a web application. I knew the
application had some holes, but my main concern was whether the holes
could be reached from an attacker's location, wherever that might be.
To do that, I needed to test vulnerabilities in the infrastructure.
The tools we looked at this month do exactly that: they enable
testing of the infrastructure. By that I mean the network and the
platforms on it. This introduces the concept of reachability. If
applications are exposed to the outside, simple vulnerabilities become
potential disasters. That means that the platforms they sit on and the
routes to those platforms must be protected. Sometimes that's easier to
talk about than it is to do.
That's where this month's products come into play. If the best you
can do is to monitor an application and its platform closely, it is
important to know what, exactly, you are monitoring for.
This month's crop of tools helps define the environment by
demonstrating vulnerabilities, confirming them, and helping you decide
their severity. With that in mind, you can consider credible threats
that play against those vulnerabilities. Vulnerability analysis, then,
becomes an important part of risk analysis. In fact, more and more SIMs
(security information management systems) and SEMs (security event
management systems) are accepting vulnerability data.
Selecting tools
Generally speaking, I favor a multi-step process for vulnerability
analysis. First, I want to get a good picture of the network
infrastructure I am going to analyze. This is an important first step
because I know that I am going to get some false positives and some
results that are not reasonable in terms of reachability of the target.
Some parts of the infrastructure are more sensitive than others. All of
these issues militate for understanding the test environment.
Next, I want to do a bit of reconnaissance. For that I want a good
vulnerability assessment tool. This gives me the lay of the land. If
there are too many high or critical vulnerabilities, this is where I
stop until they are fixed. If there are a lot of vulnerabilities, you
may be sure that penetration testing will succeed. You have learned
nothing.
Finally, I want to run a penetration test focusing on the results of
the vulnerability testing. A word about "ethical hacking" is in order
here. That's an oxymoron intended to give pen testers a marketing
mystique. There simply is no such thing given today's understanding of
hacking. What we are doing is penetration testing, the operative word
being "testing." That implies rigor, structure, planning, repeatability
and thoroughness. Hacking is none of those things. If you are not
performing your testing this way, you are wasting your time. The good
news is that today's crop of tools supports a professional approach to
vulnerability analysis.
So, what you want is a solid vulnerability assessment tool that
stays current with vulnerabilities and is fairly easy to use. Ease of
use offers the benefit of repeatability because you can perform a set
of tests, and the next time you want to perform the same tests you can
be pretty certain you're repeating your earlier tests. For that,
scripting is a must. Building scripts or macros aids the repeatability
process.
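The two ideas above, weighing a vulnerability's severity by how reachable its platform is from the attacker's side, and scripting the assessment so a later run can be compared against an earlier one, can be shown together in a small triage script. This is an added example, not code from the column or from any of the products it reviews; the record fields, the reachability tiers and their weights, the constructed findings and the plugin names are all assumptions chosen for illustration, not any scanner's real output format.

```python
"""
Reachability-weighted vulnerability triage plus a repeatable baseline diff.

Added example (not from the original column). It assumes scanner output has
already been normalised into simple records; field names, reachability tiers,
weights and the sample findings below are assumptions for illustration.
"""
from dataclasses import dataclass

# Reachability tiers: how far an attacker must already have got before the
# host is even addressable. The weights are assumed, not an industry standard.
REACH_WEIGHT = {
    "internet": 1.0,   # directly exposed to the outside
    "dmz": 0.7,        # reachable only through a perimeter service
    "internal": 0.4,   # needs a foothold on the internal network first
    "isolated": 0.1,   # no route from the attacker's side at all
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin: str        # scanner check identifier (constructed values below)
    cvss: float        # base severity, 0.0 to 10.0
    reachability: str  # one of the REACH_WEIGHT tiers


def risk_score(f: Finding) -> float:
    """Base severity scaled by how reachable the platform is."""
    if f.reachability not in REACH_WEIGHT:
        raise ValueError(f"unknown reachability tier: {f.reachability}")
    return round(f.cvss * REACH_WEIGHT[f.reachability], 2)


def triage(findings, gate=8.0):
    """Rank findings by weighted risk.

    Returns (ranked list, stop flag). The stop flag mirrors the column's rule:
    if anything scores at or above the gate, fix it before any penetration
    testing, because a successful pen test against it would teach nothing.
    """
    ranked = sorted(findings, key=risk_score, reverse=True)
    stop_before_pentest = any(risk_score(f) >= gate for f in ranked)
    return ranked, stop_before_pentest


def _key(f: Finding):
    return (f.host, f.port, f.plugin)


def diff_scans(baseline, current):
    """Repeatability check between two runs of the same scripted test set."""
    b = {_key(f): f for f in baseline}
    c = {_key(f): f for f in current}
    return {
        "new": [c[k] for k in sorted(c.keys() - b.keys())],
        "fixed": [b[k] for k in sorted(b.keys() - c.keys())],
        "persisting": [c[k] for k in sorted(c.keys() & b.keys())],
    }


# Constructed sample data: a baseline run and a later re-run of the same tests.
BASELINE = [
    Finding("web01", 443, "TLS-WEAK-CIPHER", 5.3, "internet"),
    Finding("web01", 8080, "ADMIN-NO-AUTH", 9.8, "internet"),
    Finding("db01", 1433, "DB-DEFAULT-CREDS", 9.8, "internal"),
    Finding("hr01", 445, "SMB-SIGNING-OFF", 5.3, "isolated"),
]
CURRENT = [
    Finding("web01", 443, "TLS-WEAK-CIPHER", 5.3, "internet"),
    Finding("db01", 1433, "DB-DEFAULT-CREDS", 9.8, "internal"),
    Finding("hr01", 445, "SMB-SIGNING-OFF", 5.3, "isolated"),
    Finding("vpn01", 443, "VPN-OUTDATED", 7.5, "internet"),
]


if __name__ == "__main__":
    ranked, stop = triage(CURRENT)
    for f in ranked:
        print(f"{risk_score(f):5.2f}  {f.host}:{f.port}  {f.plugin}  ({f.reachability})")
    print("stop before pen test:", stop)
    for label, items in diff_scans(BASELINE, CURRENT).items():
        print(label, [f"{f.host}:{f.port} {f.plugin}" for f in items])
```

Note how the same CVSS 9.8 on an internal database ranks below a 7.5 on an internet-facing VPN concentrator once reachability is applied; that is the point the column makes about simple vulnerabilities becoming disasters only when the route to them is open. The diff output is what a scripted, repeatable test set buys you: the next run tells you what is new and what was actually fixed rather than handing you a fresh, uncorrelated list.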
In addition, you want a penetration tool that can test a
vulnerability all the way to penetration. The best way to ensure this
is to be able to plant an agent on the target as a result of the
penetration that allows direct access to the target. Rarely do you find
both of these tools in the same product. However, there is a trend
toward this mix and, although there are very few today, I expect that
there will be a good deal more in the near future.
Mike Stephenson contributed to this review.