Educause Security Discussion mailing list archives
Re: Vulnerability Scanning Problem
From: Curt Wilson <curtw () SIU EDU>
Date: Wed, 13 Dec 2006 13:32:49 -0600
Thanks for your thoughts, Russell. Nessus, Retina, etc. seem useful for known vulns in network-facing systems, and this is important. However, I am increasingly concerned about client-side vulns, and without credentials to a system or an agent, how do you easily test for those (NAC/agent technologies is one possible solution)?

On the cheap, a SPAN port with a passive fingerprinter might give *some* value, but I'm more interested in being able to perform something similar to what the new Secunia software inspector performs. (I'm not affiliated with Secunia.)

http://secunia.com/software_inspector/

I don't like the idea of having common authentication credentials on an array of systems for deeper host checks by a network assessment service (risk of cracking and/or interception), but it would be really helpful for something like the Secunia app to be easily scalable across a large and rapidly changing .edu environment.

The Secunia app, btw, is helpful in that it clearly enumerates a variety of client-side apps such as Flash, QuickTime, RealPlayer, Java runtime, and the like, along with the various MS and Office checks. Some of the apps that it found on some systems I ran it on were not able to be easily uninstalled (some versions of Flash OCXs, for instance, that required some tweaking of NTFS permissions, even as Administrator, to be removed). Also, the various instances of Java runtime that do not uninstall when you upgrade, leaving older versions lying around which could potentially be leveraged for an attack (saw a paper or something on this topic once, using a hostile applet to exploit an older version of the JRE).

With all of the various 0days floating around, and the average .edu end-user situation, I think more needs to be done to beef up client-side security. I know there are vendor solutions out there for this, but I always like to leverage lower-cost options when possible.

Thanks for the discussions.

Russell Fulton wrote:
> Curt Wilson wrote:
> > Without some type of agent on the client I don't see how you can get a good picture of client-side hosts with network-only assessment.
>
> You can't, but in some senses it does not matter. What the vulnerability scanner sees is what your naive attacker will also see. As in all security stuff you need to be clear about exactly what risks you are trying to mitigate.
>
> I would argue that nmap combined with arp table mining is an effective means of determining your exposure to most attackers you are likely to have against general machines on the network. This may well not be adequate for machines holding sensitive data where you really do need privileged access to the box to get an adequate picture of what is going on, but that should not stop you from using it on the 90% of the addresses that are unlikely to come under targeted attack.
>
> We are looking toward a two-tiered approach to vulnerability assessment. Simple-minded stuff mostly based on nmap for the bulk of the network and much more rigorous nessus scans (including root/admin access) for stuff in the data centre. This way we get the most value for our effort.
>
> Russell
--
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237
GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc