Product Group Tests
Vulnerability assessment (2008)August 01, 2008
For its solid performance, good value and its venerable pedigree, we rate eEye's Retina Security Management appliance our Best Buy.
Our Recommended choice is the Rapid7 NeXpose appliance as it provides vulnerability assessment and risk analysis in one box.
These solutions help make security assessments easier by searching for weak spots in your systems and in some cases even perform penetration testing. Peter Stephenson reports
Since Farmer and Venema wrote their seminal paper, "Improving the Security of Your Site by Breaking into it", in 1993, the process of security testing has both improved and become more challenging. Today, we actively invite strangers into our networks. Well, not exactly all the way in, but far enough to cause concern if the perimeter is not very secure. Never before has the notion of layered security been more important.
I recently performed some testing on a web application. I knew the application had some holes, but my main concern was whether these could be reached from an attacker's location, wherever that might be. To do that, I needed to test vulnerabilities in the infrastructure.
The tools we looked at this month do exactly that: they enable testing of the infrastructure, meaning the network and the platforms on it. This introduces the concept of reachability. If applications are exposed to the outside, simple vulnerabilities become potential disasters, therefore the platforms they sit on and the routes to those platforms must be protected. Sometimes that's easier said than done. That's where the products in this group come into play. If the best you can do is to monitor an application and its platform closely, it is important to know what exactly you are monitoring for.
Vulnerability assessment tools help define the environment by demonstrating vulnerabilities, confirming them and helping you decide their severity. You can then consider credible threats that play against those vulnerabilities. Analysing vulnerabilities becomes an important part of risk analysis as, in a general sense, threats against vulnerabilities that produce impacts constitute risks. In fact, more and more SIMs and SEMs are accepting vulnerability data.
How one uses these tools is important, too. What, for example, is the role of penetration testing relative to vulnerability assessment? We saw tools that are very competent vulnerability assessment tools, penetration testing tools and combinations of both. How do you decide which one(s) you need?
Selecting the right tools
Generally speaking, I favour a multi-step process for vulnerability analysis. First, I want to get a good picture of the network infrastructure I am going to analyse. This is an important initial step because I know I am going to get some false positives and results that are not reasonable in terms of reachability of the target. Some parts of the infrastructure are more sensitive than others. All of these issues militate for understanding the test environment.
Next I want to do a bit of reconnaissance. For that I need a good vulnerability assessment tool. This gives me the lay of the land. If there are too many high or critical vulnerabilities, this is where I stop until they are fixed. If there are a lot of vulnerabilities you may be sure that penetration testing will succeed. You have learned nothing.
Finally, I want to run a penetration test focusing on the results of the vulnerability testing. A word about "ethical hacking" is in order here. That's an oxymoron intended to give pen testers a marketing mystique. There simply is no such thing, given today's understanding of hacking. What we are doing is penetration testing, the operative word being "testing". That implies rigour, structure, planning, repeatability and thoroughness. Hacking is none of those things. If you are not performing your testing this way you are wasting your time. The good news is that today's crop of tools supports a professional approach to vulnerability analysis.
So, what you want is a solid vulnerability assessment tool that stays current with vulnerabilities and is fairly easy to use. Ease of use offers the benefit of repeatability, because you can perform a set of tests and, the next time you want to conduct the same tests, you can be pretty certain you're repeating your earlier tests. For that scripting is a must. Building scripts or macros aids repeatability.
In addition, you want a tool that can test a vulnerability all the way to penetration. The best way to ensure this is to be able to plant an agent on the target as a result of the penetration that allows direct access to the target. Rarely do you find both of these tools in the same product. However, there is a trend toward this mix and, although there are very few today, I expect that there will be quite a few more in the near future.
Mike Stephenson contributed to this review