Vulnerability Assessment Methodology
Today’s networks are typically comprised of a variety of components from many vendors. This adds to the difficulties faced by the system administration staff, as they must familiarize themselves with specific security concerns created by each product, and remain current as new security flaws are discovered. Even the most conscientious vendors do not always release patches for a given vulnerability before illegal tools for its exploitation become widely available. In some cases, legacy systems and networks exist that are not being supported or updated. While many current security products (and practitioners) promise “comprehensive” results, they focus on TCP/IP vulnerabilities to the exclusion of existing facilities such as Netware, DECNET, or X.25 networks. PatchAdvisor personnel offer experience with a wide variety of platforms and protocols, and our assessments address all relevant vulnerabilities, whether on TCP/IP or non-TCP/IP networks.
System administrators require a structured technical assessment of problem areas relating to network security, covering all of the computer hardware platforms, operating system technology, and communication protocols in use on their networks. More than a “penetration test”, this assessment must be a management tool that includes both a baseline of vulnerabilities and specific recommendations for improvement. Our report process has been refined over many client assessments to meet exactly this need.
Discovery from
all sources
Analysis and RecommendationsExternal
Exploitation
External
Detection
Report
Network InformationVulnerability Assessment Process
Customer
Briefing
Optional
Discovery
Briefing
Internal
Detection
Internal
Exploitation
Post-Assessment BriefingDiscovery
Phase
Detection
Phase
Exploitation
Phase
Analysis
Phase
Client In-Briefing- Prior to initiating an assessment, PatchAdvisor will request a short briefing with the client to serve as a venue to review the planned conduct of the assessment and establish coordination protocols with the designated client point of contact. As discussed below, one of the by-products of the Exploitation Phase is an implicit test of the organization’s detection capability. This in-briefing allows the assessment team to work with the point of contact so that any internal detection of the assessment activities is handled properly.
Discovery Phase - The first step in a vulnerability analysis is to discover all points of connectivity to the network. This includes connections to public data networks such as the Internet, private interconnections with partners, connections to the telephone network through modem dialups, and Wireless LAN connectivity such as 802.11b access points. A variety of techniques are used to catalog points of entry, and the content of public and private directory services is provided as output so the client becomes aware of their existence and content.
When the Discovery Phase is complete, PatchAdvisor has a documented description of the target environment that will be used in both the external and internal portions of the assessment. If there are any major discrepancies, a briefing is held prior to execution of the Detection Phase of the assessment.
Optional Post-Discovery Briefing - As communications technology evolves, connection of components becomes faster and easier. While this clearly benefits network personnel and users by speeding the deployment of reliable network connections, it also makes it easier for end users to create their own network segments, shared file systems, and dial-in connections. As networks get larger and more geographically dispersed, it becomes increasingly difficult to manage their growth. The natural result is that there are often discrepancies between the network content, topology, and points of access documented by the client and the corresponding information discovered by an assessment. When these discrepancies are significant (i.e., a substantial number of new hosts or dial-in access points), PatchAdvisor will conduct a briefing with the client point of contact. This briefing is necessary, in part, to ensure that the scope of the assessment and related cost estimates are still appropriate. However, the primary intent is to keep the client informed of our findings and allow time for internal discussion before the results are presented in the out-briefing.
Detection Phase - Detection and exploitation (as discussed below) are performed from both external and internal perspectives. The external portion emphasizes the identification of vulnerabilities that allow unauthorized entry into the target environment, while the internal portion focuses on opportunities to exceed authorized access once inside. There is, of course, a close relationship between internal and external results; if an external attacker successfully gains access to the system, all of its internal vulnerabilities become exploitable as well. In the analysis phase, internal and external results are combined to present a comprehensive view of vulnerabilities.
PatchAdvisor will identify potential vulnerabilities in network services running on discovered hosts, as well as inherent vulnerabilities in equipment and operating systems. Having discovered the network content and points of connectivity, an exhaustive search of hosts and available network services is conducted to pinpoint possible vulnerabilities. Information is gathered on each network host, including the operating system type and version, hardware platform, and active services. Particular attention is paid to “high-risk” services such as FTP, SENDMAIL, POP3, IMAP, WWW, etc. Services running on unregistered ports are also noted.
Three classes of tools are used in the detection phase:
• Public Domain tools – Many of the tools used by PatchAdvisor have been obtained either directly from the Internet or from other security specialists. Such tools are generally highly focused and may have testing algorithms that are superior in their specific area of focus. Each public domain tool undergoes extensive testing in our labs to ensure that its behavior is consistent and that it causes no damage to the client environment.
• Proprietary tools – These are tools that have either been developed by individual team members, or are public domain tools that have been modified by our team. Like the public domain tools, they are generally focused on a small set of vulnerabilities, and may be used to crosscheck some outputs of the commercial tools.
When the Detection Phase is complete, PatchAdvisor will have developed the most comprehensive list of possible vulnerabilities in the environment. The list includes output files from multiple tools, many of which are included in the Report as appendices.
Exploitation Phase - The Exploitation Phase is designed to provide a level of assessment beyond the capability of automated tools. This phase includes both internal and external simulated attacks, reflecting vulnerability both to authorized users exceeding their permissions, and to outsiders penetrating via the Internet, other data networks, and wireless or dial-in connections. In many cases, manual exploitation attempts are made to verify that vulnerabilities identified by tools are actually exploitable, since many tools identify “apparent” vulnerabilities but lack the capability to validate them.
PatchAdvisor uses a combination of public domain and proprietary tools in the Exploitation Phase. These tools are selected based upon the vulnerabilities identified in the Detection Phase. During attacks, techniques are sequenced from “quietest” to “noisiest”, providing an opportunity to test the detection capabilities of any installed intrusion detection systems, users, and system administrators. A wide range of external attack scenarios are simulated, combining discovered information with known vulnerabilities to provide the most realistic possible threat profile.
The results of a “successful” attack will be pre-determined by consultation with the client point of contact. In most instances we can establish susceptibility to potentially harmful vulnerabilities without running an actual attack, thus avoiding any damage to data or interruption of service. However, if requested by the client, denial of service attacks can be run against a designated target. Such tests are closely coordinated with client system administrators, and are typically conducted during designated third-shift hours.
Analysis Phase - Once the active phases of the assessment are completed, prioritized final recommendations are made regarding specific vulnerabilities, insecure computing practices, configuration management and network design. These recommendations are compiled in the final report. The content of the report is discussed in a following section.
Post-Assessment Briefing - PatchAdvisor will deliver an out-briefing after each assessment. This briefing provides a forum for presentation and interactive discussion of key issues from the assessment, and includes a discussion of the techniques used to compromise the target system, common attacks on public systems, as well as a direct question and answer session with the assessment team. Our experience shows that this is often a vital part of the assessment process; most clients take full advantage of this opportunity for technical interchange.
Report Content and Format - The format of the report varies somewhat based upon the scope of work and the content of the target environment. Reports are delivered in printed form, as well as electronic form in PDF format. A sample “Table of Contents” is shown below to provide a sense of the organization and typical content.
Vulnerability Assessment Report
Sample Table of Contents
1 Executive Summary 1.1 Scope of Work
1.2 Summary of Vulnerability Findings 1.2.1 External Vulnerabilities 1.2.2 Internal Vulnerabilities 2 Report Process Overview
2.2.1 Discovery Phase - Network Mapping 2.2.2 Exploitation Phase - Vulnerability Analysis 2.2.3 Recommendations and Summary
3 Network Mapping
3.1 Domain Name Service 3.2 Wireless Networks 3.3 Modem Dial-ups 4 Vulnerability Analysis 4.1 Introduction 4.2 TCP/IP Services
4.2.1 File Transfer Protocol (FTP) [TCP Port 21] 4.2.2 Telnet [TCP Port 23]
4.2.3 Simple Mail Transfer Protocol (SMTP) [TCP Port 25] 4.2.4 Domain Name Service (DNS) [TCP/UDP Port 53] 4.2.5 Trivial File Transfer Protocol (TFTP) [TCP Port 69] 4.2.6 Finger [TCP Port 79]
4.2.7 Hypertext Transport Protocol (HTTP) [TCP Port 80]
4.2.8 Remote Procedure Call Portmapper [TCP/UDP Port 111] 4.2.8.1 Remote Users Daemon (rusersd) [RPC Service] 4.2.8.2 Remote Execution Daemon (rexd) [RPC Service] 4.2.8.3 Write All Daemon (walld) [RPC Service]
4.2.8.4 Remote Status Daemon (rstatd) [RPC Service] 4.2.8.5 Selection Service (selection_svc) [RPC Service] 4.2.8.6 Network File System Daemon (nfsd) [RPC Service]
4.2.8.7 Remote Procedure Call Status Daemon (RPC.statd) [RPC Service] 4.2.8.8 Network Information Service Daemon (ypserv) [RPC Service] 4.2.8.9 NIS Password Daemon (yppasswdd) [RPC Service]
4.2.8.10 NIS Update Daemon (ypupdated) [RPC Service]
4.2.9 Network Basic Input/Output System (NetBIOS) [TCP/UDP Ports 137, 138 & 139]
4.2.10 Simple Network Management Protocol (SNMP) [UDP Port 161] 5. Operational Recommendations 5.1 Configuration Management 5.2 User Authentication 5.3 Passwords 5.4 Network Design APPENDICIES
Vulnerability Database – PatchAdvisor’s vulnerability database is a powerful companion tool provided with our vulnerability assessment report. Security managers and administrators will find it to be a valuable resource for managing the remediation process.
Technical Team - Our technical team members have significant expertise in the large-scale
network security arena. They have performed network vulnerability assessments and provided emergency incident response and law enforcement liaison services in a variety of environments. Combined, our team has written or contributed to over 7 books on information security and the Internet, have presented at over 80 professional conferences and have provided expert
commentary for programs such as 60 Minutes, and have been featured on television world-wide on stations such as CNN, MSNBC, BBC and NHK.
The matrix below shows a breakdown of our experience by industry sector:
