
International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 10, October 2013)


Overview of Vulnerability Analysis

Kavita S. Kumavat¹, Ranjana P. Dahake², Dr. M. U. Kharat³

¹PG Student at MET’s IOE Bhujbal Knowledge City

²Assistant Professor at MET’s IOE Bhujbal Knowledge City

³Professor at MET’s IOE Bhujbal Knowledge City

Nasik, Maharashtra, India

Abstract-- In recent years most applications have become web based or software based, and they must communicate with other systems or applications over a network. This has increased the growth of cyber-crime, and the associated risks are forcing most business applications to focus on information security. Vulnerabilities are a major issue during communication between different applications, so for secure communication it is important to detect and avoid them. Different types of vulnerabilities are detected, monitored and avoided using the vulnerability analysis process, after which they are managed using vulnerability management. Vulnerability management is also useful for controlling security risks.

Keywords-- VULNERABILITY ANALYSIS, BUSINESS PROCESS, VULNERABILITY MANAGEMENT, VULNERABILITY, SECURITY.

I. INTRODUCTION

In computer security, a vulnerability is a security flaw or system weakness which allows an attacker to reduce a system's information assurance [1]. It is a failure of security procedures, policies and controls that allows a subject to commit an action that violates the security policy. A vulnerability is the intersection of three elements: a system flaw, attacker access to the flaw, and attacker capability to exploit the flaw. It includes errors in code, mismatches between assumptions, human violators, the use of a vulnerability to violate policy (i.e. an exploit), and the attacker exploiting the vulnerability [19].

Vulnerability analysis is the process of defining, detecting, and classifying the security holes in a computer network or communications infrastructure. It can also forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use [2].

There are several steps in vulnerability analysis:

• Defining and classifying the computer network or resources

• Assigning levels of importance to the resources

• Detecting potential threats to each resource

• Creating a method to deal with the most serious potential problems first

• Specifying and implementing ways to decrease the consequences if an attack occurs.

If vulnerability analysis finds security holes, vulnerability disclosure may be required [7]. The person or organization that detects the vulnerability, or a responsible industry body such as the Computer Emergency Readiness Team (CERT), may make the disclosure [9]. If the vulnerability is not classified as a high-level threat, the vendor may be given a certain amount of time to fix the problem before the vulnerability is disclosed publicly.

The next stage of vulnerability analysis is identifying potential threats [2]. Sometimes this is performed using ethical hacking techniques, in which security experts deliberately probe a system or network to find its weaknesses. This process provides information for the development of countermeasures to prevent a genuine attack. Vulnerability management is a cycle of activities: identifying, classifying, remediating, and mitigating vulnerabilities [3].

II. TERMS AND DEFINITIONS

A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerabilities are “design or implementation errors in information systems that can result in a compromise of the integrity, confidentiality and information availability over the affected system on which data is stored” [8].

Web application vulnerabilities require the use of web technology to be exploited (e.g., cross-site scripting) [12].

Classical vulnerabilities are those which can be exploited without any web technology being involved (e.g., buffer overflows).

Vulnerability analysis supports avoiding, detecting, fixing, and monitoring vulnerabilities. These vulnerability management tasks typically need patterns, for example for static or dynamic analysis of source code [2].

A vulnerability pattern is a formal representation of a vulnerability’s attributes, with which a software tool can identify the vulnerability.

Vulnerability classification mostly depends on a vulnerability type, that is, some properties that certain vulnerabilities share [8].

III. VULNERABILITY TYPES

Normally, vulnerabilities are of 4 types:

• Hardware Vulnerability: vulnerabilities caused by physical devices, such as adding, removing, flooding, traffic interruption and physical attacks.

• Software Vulnerability: software-based vulnerabilities arising from software deletion or modification; logic bombs, trapdoors, Trojan horses, information leaks and viruses come under this type. Software theft covers unauthorized copying [7].

• Data Vulnerability: this concerns data security through confidentiality, i.e. protection against unauthorized disclosure of data. For valuable data communicated in the system it is important to protect the data from loss or from hacking, so encryption mechanisms are mostly used for secure data transmission. Data vulnerability consists of data loss, unauthorized access, or data theft by hackers.

• Web-based Vulnerability: web applications are the most common way to make services and data available on the Internet. Unfortunately, with the growing number and complexity of these applications, there is an increase in the number and complexity of vulnerabilities [15].

Web applications have become the most common means of providing services on the Internet. They are used for the most dangerous tasks and frequently handle sensitive user data. Unfortunately, web applications are often implemented by developers with limited security skills, who often have to deal with time-to-market pressure and financial constraints. As a result, the number of web application vulnerabilities has increased sharply [17]. This is reflected in the Symantec Global Internet Security Threat Report, which was published in April 2009 [8]. The report states that, in 2008, web vulnerabilities accounted for 63% of the total number of vulnerabilities reported.

IV. VULNERABILITY CLASSIFICATION

Vulnerabilities are classified as follows:

1. Access Control Vulnerabilities:

This vulnerability is caused by an error due to a lack of enforcement of which functions or users are allowed or denied access to an object or resource. An example is direct access provided to files, objects, or processes without authentication or routing [8].

Access control governs “who is allowed to do what”. It ranges from controlling physical access to a computer, for example by keeping servers in a protected room, to identifying who has access to a resource (a file, for example) and what they are permitted to do with that resource (such as read only) [9]. Access control mechanisms are enforced by different systems, such as the operating system, an individual application or server, or the networking protocol service in use. Many security vulnerabilities arise from careless or improper use of access controls, or from failure to use them at all.

Many security vulnerabilities in software relate to privileges: the exploit involves an attacker gaining more privileges than they should have. Privileges are the permissions or access rights granted by the operating system. They control which users are allowed to read and write files and the attributes of files and directories, and who can execute a program and perform restricted operations such as accessing hardware devices and making changes to the network configuration [16].

Root privilege is one of the major types of access control vulnerability: it gives unrestricted permission to perform any kind of operation on the system. An application running with root privileges can access everything and change anything in the system. Many security vulnerabilities involve programming errors that allow an attacker to obtain root privileges. Some such exploits provide access to system files that should be restricted, or take advantage of a weakness in a program that is already running with root privileges, for example an application installer. Others involve buffer overflows or race conditions which, in special circumstances, allow an attacker to escalate their privileges.

Many applications require user authentication before granting authorization to perform an operation. Authentication can be performed by requesting a username and password, by use of a smart card, by a biometric scan, and so on. If an application calls the OS X Authorization Services, it can authenticate the user through an interface that takes advantage of the authentication methods available on the user’s system. Writing your own authentication code is less secure, as it might give an attacker the opportunity to exploit bugs in the code to bypass the authentication mechanism, or it might offer a less secure authentication method than the standard one used on the system.

A privilege escalation attack comes under access control attacks: the attacker visits the web site as a normal user, aiming to compromise the web server process or to exploit vulnerabilities to bypass authentication. The attacker then issues a set of privileged (i.e. admin-level) database queries to retrieve sensitive information [20].

In a direct DB attack, the attacker bypasses the web server or firewalls and connects directly to the database. An attacker could also have already taken over the web server and be submitting such queries from the web server without sending web requests [20]. Without corresponding web requests for such queries, a web server IDS could not detect anything. Also, if these database queries were inside the set of permitted queries, the database IDS itself would not detect them.

2. Authentication Vulnerabilities

This is a vulnerability in which an error is introduced by inadequate identification mechanisms, so that a process or a user is not identified correctly. As a result, an unauthorized or less privileged user (e.g. a guest user) or a less privileged process gains higher privileges. Weak passwords also belong here.

3. Boundary Condition Vulnerabilities

A buffer overflow is a vulnerability in which the boundary limits of an entity, such as a variable or constant, are not properly specified or checked.

It can be exploited by providing more data than the entity can hold. The result is that memory spills over into other areas and thereby corrupts the instructions or code that need to be processed by the microprocessor.

The main cause of a buffer overflow is an application trying to write data past the end of a buffer.

Buffer overflows can crash the application, can compromise data, and can provide an attack vector for further privilege escalation to compromise the system on which the application is running.

4. Input Validation Vulnerabilities

An input validation vulnerability is an error caused by a lack of verification mechanisms for input data or content. Poor input validation can give access to system-privileged programs.

As a general rule, check all input received by a program to make sure that the data is reasonable.

For example, a graphics file can reasonably contain an image that is 200 by 300 pixels, but cannot reasonably contain an image that is 200 by -1 pixels.
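The following added example (not code from the paper) applies that rule to the 200 by -1 case. The header layout (a 4-byte magic followed by signed 32-bit width and height and 8-bit pixel data) and the size limits are assumptions made for this illustration.

```python
import struct

# Hypothetical header layout for this example: 4-byte magic, then signed
# 32-bit little-endian width and height, then 8-bit grayscale pixel data.
MAGIC = b"IMG0"
HEADER = struct.Struct("<4sii")
MAX_DIM = 16384                 # per-side limit chosen for this example
MAX_PIXELS = 64 * 1024 * 1024   # total size limit chosen for this example


class InvalidImage(ValueError):
    """Raised when untrusted image data fails validation."""


def parse_image(data: bytes):
    """Validate an untrusted image blob and return (width, height, pixels)."""
    if len(data) < HEADER.size:
        raise InvalidImage("truncated header")
    magic, width, height = HEADER.unpack_from(data)
    if magic != MAGIC:
        raise InvalidImage("bad magic")
    # The fields are signed on the wire, so 200 by -1 is representable and
    # must be rejected explicitly rather than assumed impossible.
    if not (0 < width <= MAX_DIM and 0 < height <= MAX_DIM):
        raise InvalidImage(f"unreasonable dimensions {width}x{height}")
    expected = width * height
    if expected > MAX_PIXELS:
        raise InvalidImage("image too large")
    pixels = data[HEADER.size:]
    # The declared size must match the bytes actually supplied; trusting the
    # header alone is how a reader ends up working past the end of its buffer.
    if len(pixels) != expected:
        raise InvalidImage(f"expected {expected} pixel bytes, got {len(pixels)}")
    return width, height, pixels


def make_image(width: int, height: int, payload_len: int) -> bytes:
    """Build a constructed sample blob (header plus zero-filled payload)."""
    return HEADER.pack(MAGIC, width, height) + bytes(payload_len)


def check(data: bytes) -> str:
    """Return 'ok' or the rejection reason for one input."""
    try:
        parse_image(data)
        return "ok"
    except InvalidImage as exc:
        return str(exc)


if __name__ == "__main__":
    samples = {
        "200 by 300": make_image(200, 300, 200 * 300),
        "200 by -1": make_image(200, -1, 0),
        "short payload": make_image(200, 300, 100),
        "oversized": make_image(16384, 16384, 0),
    }
    for name, blob in samples.items():
        print(f"{name}: {check(blob)}")
```

The third sample shows why range checks alone are not enough: the dimensions are reasonable, but the header promises more data than the file contains.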

Any input a program receives from an untrusted source is a potential target for attack. Some examples of input from untrusted sources include the following:

• Text input fields

• Commands passed through a URL used to launch the program

• Graphics, audio or video files provided by users or processes and read by the program

• Command line input

• Any kind of data read from a valid server over a network

• Any corrupted data read from a trusted server over a network

Attackers look at every input source to a program and attempt to pass every type of malformed data they can imagine. If the program crashes or misbehaves, the attacker then tries to find a way to exploit the problem.

SQL injection attacks can be mitigated by input validation. However, in an SQL injection attack the attacker usually exploits an incorrect implementation of input validation, often caused by careless or inexperienced programmers or by imprecise input model definitions [20].
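The added example below (not from the paper) contrasts an incorrectly implemented validation step with an allowlist plus a bound query parameter, using Python's standard `sqlite3` module. The table, the rows, the blocklist and the crafted input are constructed for this illustration.

```python
import re
import sqlite3

# Constructed hostile input for the demonstration below.
CRAFTED = "x' OR '1'='1"


def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("root", "admin")],
    )
    return db


def naive_filter(value: str) -> str:
    """Flawed validation: a blocklist that strips a few keywords and tokens."""
    return re.sub(r"(?i)\b(union|select|drop)\b|--|;", "", value)


def lookup_concat(db, name: str):
    """'Before' version: the filtered value is concatenated into the SQL text,
    so a quote character in the input still changes the query structure."""
    sql = ("SELECT name, role FROM accounts WHERE name = '"
           + naive_filter(name) + "'")
    return db.execute(sql).fetchall()


# Precise input model: what an account name is allowed to look like.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def lookup_bound(db, name: str, validate: bool = True):
    """Hardened version: allowlist validation, and the value is passed as a
    bound parameter so the driver never parses it as SQL."""
    if validate and not NAME_RE.fullmatch(name):
        raise ValueError("invalid account name")
    return db.execute(
        "SELECT name, role FROM accounts WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concat, normal :", lookup_concat(db, "alice"))
    print("concat, crafted:", lookup_concat(db, CRAFTED))   # every row
    print("bound, crafted :", lookup_bound(db, CRAFTED, validate=False))  # []
    try:
        lookup_bound(db, CRAFTED)
    except ValueError as exc:
        print("bound + allowlist:", exc)
```

The blocklist passes the crafted value unchanged because it contains none of the listed keywords, which is the "imprecise input model" failure; the bound parameter holds even when validation is switched off.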

Since this paper focuses on the security of web-based or software-based business applications, it is important to have a brief knowledge of vulnerability analysis and vulnerability management.

V. VULNERABILITY ANALYSIS

Fig 1. Vulnerability Analysis

Vulnerability analysis is the process of tracking, evaluating, analyzing, reporting and recovering from the vulnerabilities present in the system [2]. It is also known as vulnerability assessment, in which security holes in a software system, computer network or infrastructure are defined, detected and classified. Vulnerability analysis also measures the effectiveness of the proposed application.

Fig 1 shows the vulnerability analysis process, in which the first step is evaluation of the vulnerabilities present in the system, followed by analysis, reporting to a specific group, and recovery; tracking also takes place. Vulnerability analysis work is divided into two areas. The first is vulnerability discovery, by finding or tracking the vulnerabilities present in the given system. The second is eliminating or avoiding these vulnerabilities in the system.

VI. VULNERABILITY MANAGEMENT


Vulnerability management is the "cyclical process of detecting, classifying, remediating, and mitigating vulnerabilities (flaws)," present in software applications. Management of vulnerabilities is a central method for computer security and network security [3]. Vulnerability management is often referred to as vulnerability scanning: a vulnerability scanner is a computer program that detects vulnerabilities in a computer application, infrastructure or network. But the vulnerability management process encompasses vulnerability scanning and also provides functionality such as remediation and risk acceptance.

Fig 2. Vulnerability management life cycle

Fig 2 shows the vulnerability management life cycle; its steps are described below.

1. Discover: This is the first step of vulnerability management. An inventory of all assets across the network is taken, and host details, including operating system and open services, are identified in order to recognize vulnerabilities. A network baseline is also built up, which is useful for identifying security vulnerabilities on a regular automated schedule.

2. Prioritize Assets: This is the second step, in which assets are categorized into business units or groups and each asset group is assigned a business value according to its criticality to business operation.

3. Assess: This is the third step, in which a baseline risk profile is determined so that risks can be eliminated based on asset classification, vulnerability threat and asset criticality.

4. Report: This is an important step for measuring the level of business risk associated with assets, according to the security policies of the particular business application. The report documents a security plan, monitors suspicious activity and describes known vulnerabilities.

5. Remediate: In this step, vulnerabilities are prioritized and fixed according to business risk, controls are set up and progress is demonstrated.

6. Verify: This step confirms whether or not the threats to the system have been removed. Verification is a very important step in vulnerability management.
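As an added illustration (not part of the paper), the sketch below walks constructed scan data through the prioritize, assess, report, remediate and verify steps. The asset names, finding identifiers, the 1-5 criticality scale, and the risk score (criticality times severity) are all assumptions of this example.

```python
from dataclasses import dataclass

# Steps 1-2 (discover, prioritize assets): constructed inventory with a
# business unit and a 1-5 business criticality per asset.
ASSETS = {
    "db01": {"unit": "finance", "criticality": 5},
    "web01": {"unit": "sales", "criticality": 3},
    "kiosk7": {"unit": "lobby", "criticality": 1},
}
# Assumption: an asset missing from the inventory is treated as most critical
# until someone classifies it.
UNCLASSIFIED = {"unit": "unassigned", "criticality": 5}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str      # placeholder identifiers, not real advisories
    severity: float   # 0-10 score as reported by a scanner


SCAN_1 = [
    Finding("web01", "VULN-A", 9.0),
    Finding("db01", "VULN-B", 6.5),
    Finding("kiosk7", "VULN-A", 9.0),
    Finding("db01", "VULN-C", 4.0),
]
SCAN_2 = [  # constructed rescan after remediation
    Finding("kiosk7", "VULN-A", 9.0),
    Finding("web01", "VULN-D", 5.0),
    Finding("lab-pc", "VULN-A", 9.0),
]


def risk(f: Finding) -> float:
    """Step 3 (assess): weight scanner severity by asset criticality."""
    return ASSETS.get(f.asset, UNCLASSIFIED)["criticality"] * f.severity


def report_by_unit(findings):
    """Step 4 (report): total risk per business unit."""
    totals = {}
    for f in findings:
        unit = ASSETS.get(f.asset, UNCLASSIFIED)["unit"]
        totals[unit] = totals.get(unit, 0.0) + risk(f)
    return totals


def remediation_queue(findings):
    """Step 5 (remediate): fix order, highest business risk first."""
    ordered = sorted(findings, key=lambda f: (-risk(f), f.asset, f.vuln_id))
    return [(f.asset, f.vuln_id) for f in ordered]


def verify(before, after):
    """Step 6 (verify): compare a rescan with the previous scan."""
    old = {(f.asset, f.vuln_id) for f in before}
    new = {(f.asset, f.vuln_id) for f in after}
    return {"fixed": sorted(old - new),
            "still_open": sorted(old & new),
            "new": sorted(new - old)}


def unknown_assets(findings):
    """Feed back into step 1: scanned hosts that the inventory lacks."""
    return sorted({f.asset for f in findings} - set(ASSETS))


if __name__ == "__main__":
    print(remediation_queue(SCAN_1))
    print(report_by_unit(SCAN_1))
    print(verify(SCAN_1, SCAN_2))
    print(unknown_assets(SCAN_2))
```

In the first scan the finding with the highest scanner severity on the low-value kiosk lands last in the queue, while a medium-severity finding on the finance database lands first.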

VII. CONCLUSION

This paper has focused on vulnerability analysis in web-based and software-based business applications, which is useful for finding, fixing and monitoring the vulnerabilities present in a system. Because different types of vulnerabilities exist, it is important to classify them according to criteria such as access control, authentication, boundary condition and input validation vulnerabilities. These different types of vulnerabilities are then managed using the vulnerability management cycle, which includes discovering vulnerabilities, prioritizing them, assessing, reporting, remediating and verifying the different vulnerabilities in the system. Thus, this paper provides the basic details related to the analysis of vulnerabilities such as access control, boundary condition, input validation and authentication vulnerabilities.

REFERENCES

[1] West-Brown, Moira J. et al. Handbook for Computer Security Incident Response Teams (CSIRTs), 2nd ed. Apr 2003, 15 Aug 2003, CERT/CC.

[2] D. Balzarotti, M. Cova, V. V. Felmetsger, and G. Vigna. “Multi-Module Vulnerability Analysis of Web-based Applications”. In Proceedings of the ACM Conference on Computer and Communications Security, pages 25-35, 2007.

[3] Williams, A and Nicollet, M: Improve IT security With Vulnerability Management, Gartner ID Number: G00127481, May 2005.

[4] Kurtz, George & Prosise, Chris. "Penetration Testing Exposed". Information Security Magazine May 9, 2000.

[5] Department of Defense (DoD), “Procedures for performing a failure mode, effects and criticality analysis,” November 1980, MIL-STD-1629A.

[6] “Symantec global internet security threat report 2008,” Symantec, April 2009.


[8] NIST, “National vulnerability database (NVD),” 2009. [Online]. Available: http://nvd.nist.gov/

[9] Open Security Foundation (OSF), “Open Source Vulnerability Database (OSVDB),” http://osvdb.org, 2009.

[10] Lutz Lowis and Rafael Accorsi, Member, IEEE, “Vulnerability Analysis in SOA-based Business Processes”, IEEE Transactions on Services Computing, VOL. 60, NO. 2, Aug. 2011. E-mail: flowis,accorsig@iig.uni-freiburg.de

[11] Willy Jimenez, Amel Mammar, Ana Cavalli, “Software vulnerability, prevention and detection Methods: A Review”, Telecom SudParis, 9, Rue Charles Fourier, 91000 Evry, France. {name.lastname}@it-sudparis.eu

[12] Gary Wassermann, Zhendong Su, “Static Detection of Cross-Site Scripting Vulnerabilities”, University of California, Davis. {wassermg,su}@cs.ucdavis.edu

[13] Kanneganti, Ramarao; Chodavarapu, Prasad. SOA Security. 2008.

[14] C. Anley. Advanced SQL injection in SQL server applications. http://www.ngssoftware.com/papers/advanced_sql_injection.pdf, 2002.

[15] Fangqi Sun, Liang Xu and Zhendong Su, “Static Detection of Access Control Vulnerabilities in Web Applications”, University of California, Davis. {fqsun,leoxu,su}@ucdavis.edu

[16] Lutz Lowis and Rafael Accorsi, “On a Classification Approach for SOA Vulnerabilities”, Department of Telematics, Albert-Ludwig University of Freiburg, Freiburg, Germany. Email: {lowis, accorsi}@iig.uni-freiburg.de

[17] Ho-Gil Song, Yukyong Kim and Kyung-Goo Doh, “Automatic Detection of Access Control Vulnerabilities in Web Applications by URL Crawling and Forced Browsing”, SureSoft Technologies, Inc., Seoul, Korea, hgsong@suresofttech.com; Hanyang University ERICA, Ansan, Korea, doh@hanyang.ac.kr

[18] Autobench, http://www.xenoclast.org/autobench/, 2011.

[19] “Common Vulnerabilities and Exposures,” http://www.cve.mitre.org/, 2011.

[20] Meixing Le, Angelos Stavrou, and Brent ByungHoon Kang, “DoubleGuard: Detecting Intrusions in Multitier Web Applications”, IEEE Transactions on Dependable and Secure Computing, VOL. 9, NO. 4, July/August 2012.

AUTHOR’S PROFILE

Kavita S. Kumavat She is post graduate student of computer engineering at MET Bhujbal Knowledge City, Nasik under University of Pune. Her areas of interest include Computer Networks Security.

R. P. Dahake She is currently working as Assistant Professor in the Department of Computer Engineering, MET’s IOE Bhujbal Knowledge City, Nasik, Maharashtra, India. She has completed her Post Graduation in Computer Engineering from Govt. College of Engineering, Aurangabad, Maharashtra. She has presented papers at National and International conferences and also published papers in National and International Journals on various aspects of Computer Engineering and Networks. Her areas of interest include Computer Networks Security and Embedded Systems.
