Chris Triolo Spring 2007

Presentation Transcript


  1. Colorado University Guest Lecture: Vulnerability Assessment
  Chris Triolo, Spring 2007

  2. What is a vulnerability?
  • Vulnerability – a flaw or weakness in an operating system or application, which could lead to unauthorized access
  • Exploit (n.) – a tool or technique that takes advantage of a security vulnerability

  3. Three Flavors of Vulnerabilities
  • Coding Errors
    • Example: Buffer Overflows
  • Implementation Errors
    • Example: Open File shares
  • Human Errors
    • Example: Social Engineering, malware
  • Analogy
    • Rear gas tank on Ford Pinto
    • Mechanic neglect
    • Filling up the gas tank

  4. Common Vulnerabilities
  • Information Leaks
  • Buffer overflows
  • Special characters
  • Authentication flaws
  • Race conditions

  5. Hacker Methodology: Anatomy of an Attack
  [Diagram; the steps, listed in attack order:]
  • Footprinting
  • Scanning / Probing
  • Gaining Access
  • Escalating Privilege
  • Exploiting
  • Installing Backdoors
  • Denial of Service

  6. Vulnerability Assessments
  • Why would you want to do this?
  • Consideration:
    • Dangerous!!! These tools are usually designed to not crash anything, but it’s possible. Don’t assume that it won’t hurt, and make sure appropriate contacts are ready in case of problems.
    • Permission
    • People get really touchy about someone scanning their network even if it’s not malicious. An administrator will shoot first, and examine supposed motives later.

  7. The Plan
  • Vulnerability Assessment vs. Scanning vs. Pentesting
  • When to Scan?
    • Time and Frequency
  • Where to Scan from?
    • Inside or Outside the network

  8. The Plan
  • Goals
    • Find the vulnerabilities! You need to find them all; miscreants only need one.
  • Exploit or not Exploit
    • Why would you want to exploit the hole?
    • Why wouldn’t you want to exploit the hole?
    • Is it really necessary?

  9. The Findings
  • Interpretation and reporting the findings
  • Manual Verification
    • False positives are a big problem. False negatives are a bigger problem.
    • Some reported holes aren’t a problem in your environment
  • Compiling reports
    • Use pre-canned, vendor reports
    • Business Unit/Sector

  10. Minimizing the Total Cost of Security
  [Chart: cost ($) plotted against Security Spending ($). Curves shown: Business Risk / Annual Loss Expectancy, Cost of Countermeasures, and Total Cost of Security; the region of Diminishing Returns is marked.]
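A worked version of this slide's curve, added here as an illustration and not part of the lecture: it assumes total cost is the residual annual loss expectancy (ALE) plus countermeasure spending, uses a constructed ALE that halves with each fixed increment of spending (diminishing returns), and finds the spending level that minimises the total, both by grid search and in closed form.

```python
import math

# Assumed cost model (added illustration, not from the slides): the residual
# annual loss expectancy (ALE) falls with security spending, but each extra
# dollar buys less loss reduction than the last (diminishing returns).
BASE_ALE = 1_000_000.0   # constructed: expected annual loss with zero spending
HALF_LIFE = 100_000.0    # constructed: spending that halves the residual ALE

def annual_loss_expectancy(spend, base_ale=BASE_ALE, half_life=HALF_LIFE):
    """Residual ALE (business risk) after `spend` dollars of countermeasures."""
    return base_ale * 0.5 ** (spend / half_life)

def total_cost_of_security(spend, base_ale=BASE_ALE, half_life=HALF_LIFE):
    """Business risk (residual ALE) plus cost of countermeasures (the spend itself)."""
    return annual_loss_expectancy(spend, base_ale, half_life) + spend

def marginal_loss_reduction(spend, step=1_000.0, base_ale=BASE_ALE, half_life=HALF_LIFE):
    """ALE removed by the next `step` dollars; once this drops below `step`, spending more costs more than it saves."""
    return (annual_loss_expectancy(spend, base_ale, half_life)
            - annual_loss_expectancy(spend + step, base_ale, half_life))

def optimal_spend(max_spend=2_000_000.0, step=1_000.0, base_ale=BASE_ALE, half_life=HALF_LIFE):
    """Grid search for the spending level with the lowest total cost."""
    levels = [i * step for i in range(int(max_spend / step) + 1)]
    return min(levels, key=lambda s: total_cost_of_security(s, base_ale, half_life))

def optimal_spend_closed_form(base_ale=BASE_ALE, half_life=HALF_LIFE):
    """Same optimum analytically: d/ds [base * 2^(-s/h) + s] = 0 gives
    s* = h * log2(base * ln 2 / h); clamped at zero when no spending pays off."""
    return max(0.0, half_life * math.log2(base_ale * math.log(2) / half_life))

if __name__ == "__main__":
    s = optimal_spend()
    print(f"optimal spend ~ ${s:,.0f}, total cost ~ ${total_cost_of_security(s):,.0f}")
    for spend in (0.0, 100_000.0, s, 500_000.0):
        print(f"spend ${spend:>10,.0f}: ALE ${annual_loss_expectancy(spend):>12,.0f} "
              f"total ${total_cost_of_security(spend):>12,.0f}")
```

The printed table shows the U-shape: total cost falls steeply at first, bottoms out near the closed-form optimum, then rises once each extra $1,000 of countermeasures removes less than $1,000 of expected loss.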

  11. Three Common Logic Errors in Risk Decision Making
  [Table: "World is Flat" thinking vs. "World is Round" thinking]
      World is Flat        World is Round
      Vulnerability        Risk
      Single Computer      Community of Computers
      Binary               Analog, Synergistic
      Best Practices       Essential Practices

  12. The Findings
  • Vendor Severity Ratings
    • Vulnerabilities will come in a number of classes
      • Remote vs Local
      • Information leak
      • DoS
      • Command Execution
  • System prioritization
    • Business Criticality
    • Severity of Findings
    • Current Level of protection
  Risk = Asset(value) x Vulnerability(severity) x Threat(likelihood)
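The prioritization on this slide carried through as added example code, not from the lecture: the 1-5 scales for asset value, severity and likelihood, the per-class severity floors, the one-level discount for local-only issues, and the sample findings are all constructed assumptions; only the formula Risk = Asset x Vulnerability x Threat comes from the slide.

```python
from dataclasses import dataclass

# Constructed 1-5 ordinal scales (an assumption for this illustration, not the
# lecture's own numbers). Vulnerability classes get a floor severity so that a
# command execution hole is never ranked below an information leak.
CLASS_FLOOR = {"command execution": 5, "dos": 3, "information leak": 2}

@dataclass
class Finding:
    host: str
    title: str
    vuln_class: str               # "command execution", "dos" or "information leak"
    remote: bool                  # remotely reachable, or only exploitable locally
    vendor_severity: int          # 1-5, as the scanner's vendor rating reports it
    asset_value: int              # 1-5 business criticality of the host
    threat_likelihood: int        # 1-5 exposure / likelihood of attack
    protected: bool = False       # compensating control confirmed in place
    false_positive: bool = False  # ruled out by manual verification

def vulnerability_severity(f: Finding) -> int:
    """Vendor rating raised to the class floor; local-only issues drop one level."""
    sev = max(f.vendor_severity, CLASS_FLOOR.get(f.vuln_class, 1))
    return sev if f.remote else max(1, sev - 1)

def risk_score(f: Finding) -> int:
    """Risk = Asset(value) x Vulnerability(severity) x Threat(likelihood)."""
    if f.false_positive:
        return 0                  # not a problem in this environment
    threat = max(1, f.threat_likelihood - 2) if f.protected else f.threat_likelihood
    return f.asset_value * vulnerability_severity(f) * threat

def prioritize(findings):
    """Highest risk first; verified false positives are dropped from the worklist."""
    return sorted((f for f in findings if risk_score(f) > 0), key=risk_score, reverse=True)

# Constructed sample scan results (hosts and titles are made up for the example).
SAMPLE_FINDINGS = [
    Finding("db-01", "unauthenticated remote command execution", "command execution", True, 5, 5, 4),
    Finding("kiosk-07", "remote command execution", "command execution", True, 5, 1, 4),
    Finding("db-01", "service crash (DoS)", "dos", True, 3, 5, 3, protected=True),
    Finding("web-02", "version banner information leak", "information leak", True, 2, 3, 5),
    Finding("web-02", "local privilege escalation", "command execution", False, 4, 3, 2),
    Finding("app-03", "outdated version reported", "information leak", True, 2, 4, 3, false_positive=True),
]

def ranked_worklist(findings=SAMPLE_FINDINGS):
    """(host, title, risk) tuples in the order the team should work them."""
    return [(f.host, f.title, risk_score(f)) for f in prioritize(findings)]
```

Note how the same vendor-rated hole lands at the top of the list on the critical database host but near the bottom on the throwaway kiosk, and how a confirmed compensating control pushes the DoS finding down without hiding it.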

  13. Tool Types
  • Ping Scanner
  • Protocol Scanner
  • Port Scanner
  • OS Scanner
  • Patch Scanner
  • Web / CGI Scanner
  • Web Hole Scanner
  • Host based Scanner
  • Vulnerability Scanner

  14. Commercial Tools
  • ISS
    • Internet Security Scanner
  • Foundstone
    • FoundScan / Foundstone Enterprise
  • Qualys
    • On-demand Scanning (1 IP free)
  • Watchfire
    • Web application Scanner

  15. Open Source Tools
  • Nessus
    • Full Vulnerability Scanner
  • Nmap
    • Ping Sweeps, Port scans, OS discovery
  • Nikto
    • Web / CGI scanner
  • X-probe
    • OS Fingerprinting
  • Enum
    • Open File shares

  16. Nmap
  • Port Scanning
  • Ping Sweeping
  • OS Detection
  • Service/version Detection
  • Firewall/IDS Evasion and Spoofing
  • http://www.insecure.org

  17. Nessus
  • Full Vulnerability Scanner
  • Ping Sweeping
  • Port Detection (incorporates Nmap)
  • OS and version detection
  • http://www.nessus.org
  • Some Licensing restrictions

  18. Recommended Reading
  • Hacking Exposed – The Book and the web site
  • Open Source Security Tools: Practical Guide to Security Applications
  • Web sites:
    • http://packetstormsecurity.nl/
    • http://neworder.box.sk/
  • Art of Intrusion – Kevin Mitnick
  • Shadow Crew Podcasts
  • Spam Kings – Brian McWilliams

  19. Recommended Reading
  • Nmap Guide
  • Underground Economy – Priceless (Team CYMRU)
