1 Colorado University Guest Lecture: Vulnerability Assessment
Chris Triolo, Spring 2007
2 What is a vulnerability?
Vulnerability – a flaw or weakness in an operating system or application which could lead to unauthorized access
Exploit (n.) – a tool or technique that takes advantage of a security vulnerability
3 Three Flavors of Vulnerabilities
Coding Errors
–Example: Buffer overflows
Implementation Errors
–Example: Open file shares
Human Errors
–Example: Social engineering, malware
Analogy
–Rear gas tank on Ford Pinto (coding error)
–Mechanic neglect (implementation error)
–Filling up the gas tank (human error)
4 Common Vulnerabilities
Information leaks
Buffer overflows
Special characters
Authentication flaws
Race conditions
5 Hacker Methodology: Anatomy of an Attack
Foot Printing
Scanning / Probing
Gaining Access
Escalating Privilege
Exploiting
Installing Backdoors
Denial of Service
6 Vulnerability Assessments
Why would you want to do this?
Consideration:
–Dangerous!!! These tools are usually designed not to crash anything, but it’s possible. Don’t assume that it won’t hurt, and make sure appropriate contacts are ready in case of problems.
Permission
–People get really touchy about someone scanning their network even if it’s not malicious. An administrator will shoot first and examine supposed motives later.
7 The Plan
Vulnerability Assessment vs. Scanning vs. Pentesting
When to scan?
–Time and frequency
Where to scan from?
–Inside or outside the network
8 The Plan
Goals
–Find the vulnerabilities! You need to find them all; miscreants only need one.
Exploit or not exploit
–Why would you want to exploit the hole?
–Why wouldn’t you want to exploit the hole?
–Is it really necessary?
9 The Findings
Interpretation and reporting of the findings
–Manual verification
False positives are a big problem. False negatives are a bigger problem.
Some reported holes aren’t a problem in your environment.
–Compiling reports
Use pre-canned vendor reports
Business unit / sector
10 Minimizing the Total Cost of Security
[Chart: Security Spending ($) against cost ($); curves labelled Business Risk / Annual Loss Expectancy, Cost of Countermeasures, and Total Cost of Security; annotated "Diminishing Returns"]
11 Three Common Logic Errors in Risk Decision Making
World is Flat          | World is Round
-----------------------|------------------------
Vulnerability          | Risk
Single Computer        | Community of Computers
Binary                 | Analog, Synergistic
Best Practices         | Essential Practices
12 The Findings
–Vendor severity ratings
Vulnerabilities will come in a number of classes
–Remote vs. Local
–Information leak
–DoS
–Command execution
–System prioritization
Business criticality
Severity of findings
Current level of protection
Risk = Asset (value) x Vulnerability (severity) x Threat (likelihood)
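As an added example (not part of the lecture slides), a small Python triage script that applies the slide's Risk = Asset x Vulnerability x Threat formula to constructed scanner findings, drops the ones manual verification marked as false positives, and groups the ranking by business unit for the report. The halving of the score for local-only issues and for systems that already have a protection in place is an assumption of this example, not a rule from the lecture.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    business_unit: str
    title: str
    vuln_class: str          # "info-leak", "dos" or "command-execution"
    remote: bool             # remotely exploitable, or local-only
    asset_value: int         # business criticality of the system, 1 (low) .. 5 (critical)
    severity: int            # vendor severity rating, 1 .. 5
    likelihood: float        # threat likelihood, 0.0 .. 1.0
    verified: bool = True    # False once manual verification shows a false positive
    protected: bool = False  # a current level of protection already limits this hole

def risk_score(f: Finding) -> float:
    """Risk = Asset(value) x Vulnerability(severity) x Threat(likelihood)."""
    score = f.asset_value * f.severity * f.likelihood
    # Assumed weights (not from the lecture): local-only issues need a prior
    # foothold, and an existing protection lowers the effective exposure.
    if not f.remote:
        score *= 0.5
    if f.protected:
        score *= 0.5
    return round(score, 2)

def prioritize(findings):
    """Discard confirmed false positives, then rank by risk, highest first."""
    return sorted((f for f in findings if f.verified), key=risk_score, reverse=True)

def report_by_unit(findings):
    """Per business unit: number of real findings, summed risk, and the top item."""
    report = {}
    for f in prioritize(findings):  # already sorted, so the first seen is the top item
        unit = report.setdefault(f.business_unit, {"count": 0, "total_risk": 0.0, "top": f.title})
        unit["count"] += 1
        unit["total_risk"] = round(unit["total_risk"] + risk_score(f), 2)
    return report

# Constructed sample findings, not real scanner output.
SAMPLE = [
    Finding("db01", "Finance", "Remote command execution in backup agent", "command-execution", True, 5, 5, 0.8),
    Finding("web03", "Marketing", "Banner discloses server version", "info-leak", True, 2, 1, 0.9),
    Finding("ws17", "Finance", "Local privilege escalation", "command-execution", False, 3, 4, 0.5),
    Finding("dns02", "IT", "Crash on malformed packet", "dos", True, 4, 3, 0.5, verified=False),
    Finding("db01", "Finance", "World-readable file share", "info-leak", True, 5, 3, 0.6, protected=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.host:6} {f.business_unit:10} {f.title}")
    print(report_by_unit(SAMPLE))
```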
13 Tool Types
Ping scanner
Protocol scanner
Port scanner
OS scanner
Patch scanner
Web / CGI scanner
Web hole scanner
Host-based scanner
Vulnerability scanner
14 Commercial Tools
ISS
–Internet Security Scanner
Foundstone
–FoundScan / Foundstone Enterprise
Qualys
–On-demand scanning (1 IP free)
Watchfire
–Web application scanner
15 Open Source Tools
Nessus
–Full vulnerability scanner
Nmap
–Ping sweeps, port scans, OS discovery
Nikto
–Web / CGI scanner
Xprobe
–OS fingerprinting
Enum
–Open file shares
16 Nmap
Port scanning
Ping sweeping
OS detection
Service/version detection
Firewall/IDS evasion and spoofing
17 Nessus
Full vulnerability scanner
Ping sweeping
Port detection (incorporates Nmap)
OS and version detection
–Some licensing restrictions
18 Recommended Reading
Hacking Exposed – the book and the web site
Open Source Security Tools: Practical Guide to Security Applications
Web sites:
–
–
Art of Intrusion – Kevin Mitnick
Shadow Crew Podcasts
Spam Kings – Brian McWilliams
19 Recommended Reading
Nmap Guide
Underground Economy – Priceless (CYMRU)