Project report 2:
EVALUATION OF TOOLS FOR
CYBER SECURITY
By
Piyali Basak
Indian Institute of Technology, Kanpur
Guided by
Dr. N.P. Dhavale
Deputy General Manager, Strategic Business Unit,
Institute for Development and Research in Banking Technology, Hyderabad
ABSTRACT:
Security and reliability are most important when it comes to banking. IDRBT's SBU (Strategic Business Unit) plays an important role in secure and reliable banking operations. This project aims to test and enhance the security of IDRBT's own servers. Three cyber security tools (Nessus, Retina, OpenVAS) have been compared by testing the security of four servers and about 254 client machines. The comparison is made on the reports generated by these tools, on the basis of the severity of the vulnerabilities obtained and their corresponding remediation steps.
INTRODUCTION:
Cyber security includes not only access control lists, firewalls, intrusion protection systems, flow throttling, deep packet inspection, signatures, and similar terms but also security event correlation, application traffic flow analytics, and intrusion detection. Cyber security specializes in the area of network behavior analysis.
Here we are concerned only with network security, which is the protection of all data that leaves or enters the local PC or local server from the network.
The networks are computer networks, both public and private, that are used every day to conduct transactions and communications among businesses, government agencies and individuals. The networks are comprised of "nodes", which are "client" terminals (individual user PCs) and one or more "servers" and/or "host" computers. They are linked by communication systems, some of which might be private, such as within a company, and others which might be open to public access. The obvious example of a network system that is open to public access is the Internet, but many private networks also utilize publicly-accessible communications. Today, most companies' host computers can be accessed by their employees whether in their offices over a private communications network, or from their homes or hotel rooms while on the road through normal telephone lines.
Network security involves all activities that organizations, enterprises, and institutions undertake to protect the value and ongoing usability of assets and the integrity and continuity of operations. An effective network security strategy requires identifying threats and then choosing the most effective set of tools to combat them.
Who is vulnerable:
• Financial institutions and banks
• Internet service providers
• Pharmaceutical companies
• Government and defense agencies
• Contractors to various government agencies
• Multinational corporations
• ANYONE ON THE NETWORK
OBJECTIVES:
The objective of the project is to
• Find user-friendly, efficient and consistent cyber security software
• Compare them in terms of their
1. Technical Functionality
2. Audit compliance
3. Reporting.
PROCEDURES:
We explored Nessus, Retina and OpenVAS because they are identified as user friendly for installation and configuration. Other software like Snort and Saint are not user friendly; they were installed, but we were not able to analyze them thoroughly. Microsoft Baseline Security Analyzer gives information about the security state of the system but no additional information for further exploring the tool.
Due to lack of time we could not explore the following tools: Qualys Guard, Nexpose and Core Impact. However, feature-wise these products will help in assessing the vulnerabilities.
Nessus:
Nessus is a proprietary, comprehensive vulnerability scanner developed by Tenable Network Security. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs and across physically separate networks.
Version used: 5.2
Availability: free of charge for personal use, but now a pay-for subscription-based service.
Nessus 5.2, with 40,000 plugins covering a large range of both local and remote flaws, provides customers with:
• Targeted email notifications: When scans are complete, Nessus can send an email with a summary of scan results and remediation recommendations to your selected recipients.
• Remediation recommendations: Nessus provides an actionable list to help with remediation efforts, summarizing the actions to take to remediate the largest quantity of vulnerabilities on your network.
• Increased intelligence: Nessus 5.2 offers the ability to store attachments in the scan reports. Scan results contain remote screenshots via RDP and VNC, as well as pictures of scanned websites.
• Expanded platform support and integration: Scanning of IPv6 targets is supported on all operating systems, including Windows, and Nessus runs on Windows 8 and Windows Server 2012.
OpenVAS:
OpenVAS (Open Vulnerability Assessment System, initially GNessUs) is a framework of several services and tools offering a vulnerability scanning and vulnerability management solution.
Version used: 5.0
OpenVAS is an open source vulnerability scanner that can test a system for security holes using a database of over 28’0000 test plugins. The complete OpenVAS suite consists of a number of components that provide a framework for management of a complete vulnerability management solution with many more important features.
• Architecture Overview: The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools. The core of this SSL-secured service-oriented architecture is the OpenVAS Scanner. The scanner very efficiently executes the actual Network Vulnerability Tests (NVTs) which are served with daily updates via the OpenVAS NVT Feed or via a commercial feed service.
• OpenVAS Manager: It is the central service that consolidates plain vulnerability scanning into a full vulnerability management solution. The Manager controls the Scanner via OTP (OpenVAS Transfer Protocol) and itself offers the XML-based, stateless OpenVAS Management Protocol (OMP).
• OVAL Support: The Open Vulnerability and Assessment Language (OVAL), in OpenVAS, is a standard that can be used, among other things, to describe known vulnerabilities and tests that can be used to assess whether a vulnerability is present on a target system.
Retina:
Acknowledged as the fastest security scanner on the market today, Retina is designed to identify known and unknown vulnerabilities, and report possible security holes within a network's internet, intranet, and extranet environments.
Version used: 5.10.0
Availability: free of charge for personal use, but now a pay-for subscription-based service.
Retina was created with a simple-to-navigate graphical user interface. It has an auto-update feature that provides continuous updates for its modules using an Internet connection. Retina is extremely fast. Apart from this, Retina has more powerful features like:
• Non-intrusive scanning engine: Optimizes network performance and scans network devices, operating systems, applications, and databases, without impacting availability or performance.
• NMAP Technology: Retina is the first and only commercial scanner to license and incorporate the NMAP Fingerprints Database. This allows Retina to have superior OS detection, particularly for remote scans. eEye was actually the first company to port NMAP to the NT platform.
• Smart Reporting: Produces fully documented network audit reports based on Retina's security scans.
Software Nessus OpenVAS Retina
Network Discovery:
Port scanners:
TCP scan
UDP scan
SYN scan ˣ
SNMP scan ˣ
Netstat SSH scan
Target scan:
Single IP, IP Range
Subnet with CIDR notation
Hostname
System Discovery:
OS detection
Get Reverse DNS ˣ
Get NetBIOS name ˣ ˣ
Get MAC Address ˣ
Enumerate Hardware ˣ ˣ
Features:
Web Application Scanning
Vulnerability scanning
Fixing Vulnerability ˣ
Exportable Reports
Software cost:
Nessus: free for 15 days, professional feed $1500 USD/year
OpenVAS: Free
Retina: free for 15 days, professional feed $150.00
: available ˣ : not available
To get a comparative overview we used these three tools to scan different machines in IDRBT.
Scanned Machines IP address: 176.16.0.1-176.16.0.254
Date of scan : 17th June’13
Cyber Security Tool | Nessus | OpenVAS | Retina
No. of machines scanned | 107 | 107 | 107
No. of machines found to have vulnerabilities | 30 | 31 | 1*
Time taken to scan | 55 mins | 1 hr 10 mins | 25 mins
Retina is extremely fast. It can scan a class-C network in 25 minutes.
*Retina cannot give vulnerability details of all the scanned machines in its trial version.
Results of Nessus:
The following graph shows the different risk levels for each host obtained from the scan result of Nessus. Clearly, host 172.16.0.14 is found to be the most vulnerable, followed by hosts 172.16.0.7 and 172.16.0.9. Severity level is determined by the CVSS (Common Vulnerability Scoring System).
[Figure: counts of low, medium, high and critical findings per host; x-axis: Hosts]
Risk level for each Host
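An added example (not part of the original report and not the scanners' own code) of the per-host tally behind a chart like this: it maps CVSS base scores to risk levels and ranks hosts worst first. The CSV column names, the score bands and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows (not taken from the report's scans). The column
# names "Host", "CVSS" and "Name" are assumed for the scanner's CSV export.
SAMPLE_CSV = """Host,CVSS,Name
192.0.2.14,10.0,Constructed finding A
192.0.2.14,7.5,Constructed finding B
192.0.2.7,7.5,Constructed finding B
192.0.2.7,2.6,Constructed finding D
192.0.2.9,4.3,Constructed finding E
192.0.2.9,,Constructed informational finding
"""

LEVELS = ("critical", "high", "medium", "low")


def severity(cvss):
    """Map a CVSS v2 base score to a risk level (score bands are an assumption)."""
    if cvss is None or cvss == 0:
        return "info"
    if cvss >= 10.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_by_host(csv_text):
    """Return {host: Counter(level -> count)}; rows with no score count as info."""
    table = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("CVSS") or "").strip()
        table[row["Host"]][severity(float(raw) if raw else None)] += 1
    return table


def rank_hosts(table):
    """Order hosts worst first: most critical, then high, medium, low findings."""
    return sorted(table, key=lambda h: tuple(-table[h][lvl] for lvl in LEVELS))


if __name__ == "__main__":
    table = risk_by_host(SAMPLE_CSV)
    for host in rank_hosts(table):
        print(host, {lvl: table[host][lvl] for lvl in LEVELS})
```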
The following graph shows the vulnerabilities by different categories. It is found
[Figure: counts of high and critical findings per category; categories: Web server, Windows, Database, SMTP problem, Miscellaneous]
Overview of risk by category
Results of OpenVAS:
The following graph shows the security holes found for each host by OpenVAS. From the graph it is clear that 172.16.0.14 and 172.16.0.9 are more vulnerable than the others. It does not provide the severity level of the risk like Nessus.
[Figure: x-axis: Hosts; y-axis: Security holes found]
Security holes found for each host by OpenVAS
Results of Retina:
Retina cannot scan as many systems at a time as Nessus and OpenVAS in its trial version, as this is beyond the license of the software. Hence for that we need to buy the software. Next we ran the tools on different server machines of IDRBT to get an idea of which vulnerability is more risky in terms of category and severity level. We checked the following three IDRBT server machines:
• IDRBT Library server
• IDRBT DNS server
• IDRBT Mail server
• IDRBT proxy server
Performance of Nessus:
The following graphs show the risk for the above three server systems in terms of category and severity level as well. The library web server is found to be the most vulnerable.
[Figure: counts of Low, Medium, High and Critical findings per category; categories: General, Service detection, Windows, Miscellaneous, FTP]
Overview of risk level for different categories for IDRBT DNS web server (172.16.0.141)
[Figure: counts of Low, Medium, High and Critical findings per category; categories: General, Windows, SMTP problems, DNS, Miscellaneous]
[Figure: counts of Low, Medium, High and Critical findings per category; categories: SNMP, Web server, Windows, SMTP problems, FTP]
Overview of risk level for different categories for IDRBT proxy server (172.16.0.200)
[Figure: counts of Low, Medium, High and Critical findings per category; categories: General, Windows service detection, Windows, CGI abuses, Web servers, Database]
Overview of risk level for different categories for IDRBT library web server (172.16.0.14)
Performance of Retina:
Retina scanned each machine in a very short time and also provided the remediation report and the final scanning report. The following graph shows the most affected ports.
[Figure: counts of Low, Medium and High findings per port; ports: TCP 3339, 443, 7778, 1521]
Severity level for mostly affected ports
Port details:
TCP 3339 port details: Port 3339 is one of the specified default ports used by Oracle Database or Oracle Application servers. Port 3339 is used to allow database admin to remotely control and monitor database applications under a closed-network group or in a wide-area network via TCP/UDP connection.
TCP 443 port details: Hypertext Transfer Protocol over TLS/SSL (HTTPS).
TCP 7778 port details: Port 7778 is used to allow clients/users access to remote servers on the Internet. Oracle HTTP Server admin listens to port 7778 by default when port 7777 is unavailable. For this application, the pieces of data passing through this port include request access for non-SSL HTTP server.
TCP 1521 port details: Oracle SQL defaults to listening at this port.
From the graph it is clear that ports TCP 3339 and 7778 are vulnerable compared to others.
[Figure: counts of Low, Medium and High findings per category, one panel per server (IDRBT Library server, IDRBT Proxy server); categories: accounts, netbios, Windows, IP services, database, Web server]
Level of severity for more two affected servers
Performance of OpenVAS:
We ran OpenVAS on the same server systems, but security holes were found only for the library web server.
Next we compare these tools in terms of their remediation steps for the corresponding vulnerabilities found in the library web server. Retina is unable to provide a risk management solution in its trial version, whereas, in comparison with Nessus, OpenVAS gives instructions to update to higher versions of patches and software for the same vulnerability. So here we mainly concentrate on critical and high risk vulnerabilities, their specific results and remediation steps. The number in the
used to make a program which runs to read a desired string from a file and counts the number of its occurrence.
Vulnerabilities found by Nessus:
Vulnerability | Remediation step
Buffer Overflow. (6) | Upgrade Apache web server version of 1.3.29 or later.
Unsupported version of Oracle Database server. (2) | Upgrade to a version of Oracle database.
Remote code execution attack. (3) | Upgrade Apache Web server version 1.3.26.
Running an older Apache web server version causing DoS attack and Cross-site Encryption. (2) | Upgrade Apache Web server version 1.3.27 or later.
Vulnerabilities found by Retina:
Vulnerability | Category | Severity Level
Weakness exists in mod_ssl used by an attacker causing execution of strings logged via HTTPS. | Web server | Critical
TNS Listener is showing no designated password. | Database | Critical
Arbitrary code execution. | Web server | High
A DoS risk exists within the Apache version 1.3.27 and prior. | Web server | High
Vulnerabilities found by OpenVAS:
Vulnerability | Remediation step
Running a 1.3.27 older Apache version subject to different flaws. (2) | Upgrade to Apache web server version 1.3.27 or newer.
Arbitrary code can be run on the remote host. (3) | Disable SOAP feature by editing.
Buffer overflow attack. (5) | Upgrade to version 1.3.37 or later.
Remote code execution vulnerability. (3) | Upgrade to mod_ssl version 2.8.19 or newer.
Upgrading the Apache web server to the latest version 1.3.37, as identified by OpenVAS, will remediate all kinds of vulnerabilities arising from its older version.
SOFTWARE USED:
Java, Minitab.
Java code:

import java.io.*;

public class Test1 {
    public static void main(String[] args) {
        // The name of the file to open and the string to search for.
        String fileName = " ", searchstring = "";
        // This will reference one line at a time.
        String line = null;
        int count = 0;
        try {
            // Read the file path and the search string from standard input.
            BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
            System.out.println("Enter File Path:");
            fileName = br.readLine();
            // FileReader reads text files in the default encoding.
            FileReader fileReader = new FileReader(fileName);
            System.out.println("Enter Search String:");
            searchstring = br.readLine();
            // Always wrap FileReader in BufferedReader.
            BufferedReader bufferedReader = new BufferedReader(fileReader);
            while ((line = bufferedReader.readLine()) != null) {
                // System.out.println(line);
                // Count the lines that equal the search string, ignoring case.
                if (line.equalsIgnoreCase(searchstring)) {
                    ++count;
                }
            }
            System.out.println(searchstring + " count is : " + count);
            // Always close files.
            bufferedReader.close();
            System.out.println("Bye");
        }
        catch (FileNotFoundException ex) {
            System.out.println("Unable to open file '" + fileName + "'");
        }
        catch (IOException ex) {
            System.out.println("Error reading file '" + fileName + "'");
            // Or we could just do this:
            // ex.printStackTrace();
        }
    }
}
CONCLUSION:
1. Nessus can scan multiple machines and gives all vulnerability details, machine information and a proper solution.
2. OpenVAS checks for security holes but does not provide machine information.
3. Retina, being a fast vulnerability scanner, scans a system and gives a remediation report and a scan report as well, but cannot give vulnerability details of all the scanned machines in its trial version.