Educause Security Discussion mailing list archives

Re: Vulnerability Scanning Problem


From: Curt Wilson <curtw () SIU EDU>
Date: Wed, 13 Dec 2006 13:32:49 -0600

Thanks for your thoughts, Russell. Nessus, Retina, etc. seem useful for
known vulns in network-facing systems, and this is important. However, I
am increasingly concerned about client-side vulns, and without
credentials to a system or an agent how do you easily test for those
(NAC/agent technologies are one possible solution)? On the cheap, a SPAN
port with a passive fingerprinter might give *some* value, but I'm more
interested in being able to perform something similar to what the new
Secunia Software Inspector performs. (I'm not affiliated with Secunia.)

http://secunia.com/software_inspector/

I don't like the idea of having common authentication credentials on an
array of systems for deeper host checks by a network assessment service
(risk of cracking and/or interception), but it would be really helpful
for something like the secunia app to be easily scalable across a large
and rapidly changing .edu environment.

The Secunia app, btw, is helpful in that it clearly enumerates a variety of
client-side apps such as Flash, QuickTime, RealPlayer, Java Runtime, and
the like, along with the various MS and Office checks. Some of the apps
that it found on some systems I ran it on were not able to be easily
uninstalled (some versions of Flash OCXs, for instance, required
some tweaking of NTFS permissions, even as Administrator, to be
removed). Also, the various instances of Java Runtime that do not
uninstall when you upgrade, leaving older versions lying around which
could potentially be leveraged for an attack (saw a paper or something
on this topic once, using a hostile applet to exploit an older version
of the JRE).

With all of the various 0days floating around, and the average .edu
end-user situation, I think more needs to be done to beef up client-side
security. I know there are vendor solutions out there for this, but I
always like to leverage lower-cost options when possible.

Thanks for the discussions.


Russell Fulton wrote:
Curt Wilson wrote:
Without some type of agent on the client I don't see how you can get a
good picture of client-side hosts with network-only assessment.

You can't, but in some senses it does not matter. What the vulnerability
scanner sees is what your naive attacker will also see. As in all
security stuff, you need to be clear about exactly what risks you are
trying to mitigate. I would argue that nmap combined with ARP table
mining is an effective means of determining your exposure to most
attackers you are likely to have against general machines on the network.

This may well not be adequate for machines holding sensitive data, where
you really do need privileged access to the box to get an adequate
picture of what is going on, but that should not stop you from using it
on the 90% of the addresses that are unlikely to come under targeted attack.

We are looking toward a two-tiered approach to vulnerability
assessment: simple-minded stuff mostly based on nmap for the bulk of
the network, and much more rigorous Nessus scans (including root/admin
access) for stuff in the data centre. This way we get the most value
for our effort.

Russell



--
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237

GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
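As an added illustration of the kind of client-side inventory check discussed in this message (it is not Secunia's tool, nor code from anyone in the thread): the script below takes a list of installed-program records shaped like the DisplayName/DisplayVersion values a Windows host keeps under its Uninstall registry keys, groups them into product families, and reports both leftover side-by-side installs (the lingering older JREs mentioned above) and versions below a caller-supplied baseline. The inventory records and the baseline versions are constructed sample values, and the family patterns are assumptions to be tuned per site.

```python
"""Flag duplicated or stale client-side software in an installed-programs
inventory. Added example for this discussion, not Secunia's tool; the
records below are constructed to look like DisplayName/DisplayVersion
pairs read from a Windows Uninstall registry hive."""
import re
from collections import defaultdict

# Constructed sample inventory (DisplayName, DisplayVersion). Not taken
# from any real host.
SAMPLE_INVENTORY = [
    ("J2SE Runtime Environment 5.0 Update 6", "1.5.0.60"),
    ("Java(TM) SE Runtime Environment 6", "1.6.0.0"),
    ("Adobe Flash Player 9 ActiveX", "9.0.28.0"),
    ("QuickTime", "7.1.3"),
    ("Microsoft Office Professional Edition 2003", "11.0.8173.0"),
]

# Product families to watch: a pattern matched against DisplayName.
# These patterns are assumptions; extend them for your own environment.
FAMILIES = {
    "java": re.compile(r"java|j2se", re.I),
    "flash": re.compile(r"flash player", re.I),
    "quicktime": re.compile(r"quicktime", re.I),
}


def parse_version(text):
    """Turn '1.5.0.60' into (1, 5, 0, 60) so versions compare numerically
    rather than as strings ('1.10' must sort above '1.9')."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def classify(inventory):
    """Group inventory entries by family: {family: [(name, version_tuple)]}.
    Entries matching no family are ignored."""
    found = defaultdict(list)
    for name, version in inventory:
        for family, pattern in FAMILIES.items():
            if pattern.search(name):
                found[family].append((name, parse_version(version)))
                break
    return found


def audit(inventory, baselines):
    """Return findings as tuples. 'multiple-installs' means more than one
    copy of a family is present (old versions left behind by upgrades);
    'below-baseline' means a copy is older than the minimum in `baselines`
    (a {family: version_string} mapping supplied by the caller)."""
    findings = []
    for family, entries in classify(inventory).items():
        if len(entries) > 1:
            findings.append(("multiple-installs", family,
                             [name for name, _ in entries]))
        minimum = baselines.get(family)
        if minimum is None:
            continue
        for name, version in entries:
            if version < parse_version(minimum):
                findings.append(("below-baseline", family, name))
    return findings


if __name__ == "__main__":
    # Placeholder baselines; take real minimums from your patch tracking.
    demo_baselines = {"java": "1.6.0.0", "flash": "9.0.28.0", "quicktime": "7.1.3"}
    for finding in audit(SAMPLE_INVENTORY, demo_baselines):
        print(finding)
```

On a real host the inventory list would be filled from the registry (or from whatever agent or login script you already push), and the baselines from the patch-tracking source the site trusts; the audit logic itself does not change.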

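Russell's point about combining nmap with ARP table mining, as an added example that is not part of the original thread: the script below parses lines in the shape `arp -an` prints on Linux and lines in nmap's greppable (`-oG`) format, then lists hosts that answered ARP on the segment but never appeared in the scan results, which is where hosts with a local firewall dropping probes tend to hide from a network-only assessment. Both inputs are constructed samples, not captures from any network.

```python
"""Cross-check ARP entries against nmap greppable output to find live hosts
the scan did not report. Added example for this thread; the arp and nmap
text below is constructed, not captured from a real network."""
import re

# Constructed: entries in the form `arp -an` prints on Linux. The last one
# is an unresolved entry and must be skipped.
ARP_OUTPUT = """\
? (10.0.5.10) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.5.11) at 00:11:22:33:44:66 [ether] on eth0
? (10.0.5.12) at 00:11:22:33:44:77 [ether] on eth0
? (10.0.5.13) at <incomplete> on eth0
"""

# Constructed: nmap greppable (-oG) output for the same segment.
NMAP_GREPPABLE = """\
# Nmap scan initiated as: nmap -sS -oG - 10.0.5.0/24
Host: 10.0.5.10 ()\tStatus: Up
Host: 10.0.5.10 ()\tPorts: 22/open/tcp//ssh///
Host: 10.0.5.12 ()\tStatus: Up
Host: 10.0.5.12 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///
# Nmap done
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)
NMAP_HOST = re.compile(r"^Host: (?P<ip>[\d.]+) ")


def parse_arp(text):
    """Return {ip: mac} for resolved ARP entries; <incomplete> lines have no
    MAC and are dropped."""
    matches = (ARP_LINE.search(line) for line in text.splitlines())
    return {m.group("ip"): m.group("mac").lower() for m in matches if m}


def parse_nmap_hosts(text):
    """Return the set of IPs that nmap reported in greppable output."""
    matches = (NMAP_HOST.match(line) for line in text.splitlines())
    return {m.group("ip") for m in matches if m}


def unscanned_hosts(arp_text, nmap_text):
    """Hosts present in the ARP table (so they are live on the segment) but
    absent from the nmap results. Returned as (ip, mac) pairs sorted by
    numeric IP so the report is stable across runs."""
    live = parse_arp(arp_text)
    reported = parse_nmap_hosts(nmap_text)
    missing = [(ip, live[ip]) for ip in live if ip not in reported]
    return sorted(missing, key=lambda e: tuple(int(o) for o in e[0].split(".")))


if __name__ == "__main__":
    for ip, mac in unscanned_hosts(ARP_OUTPUT, NMAP_GREPPABLE):
        print(f"{ip} ({mac}) is live but missing from the scan results")
```

In practice the ARP text would come from the router or switch that serves the segment (or from `arp -an` on a scanner host sitting on it), so the comparison shows which addresses the cheap nmap tier is silently overlooking and therefore deserve a closer look.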