Assessing Vulnerabilities

After finding potential security holes, test whether they are vulnerabilities.

Before you test, perform some manual searching. You can research hacker message boards, Web sites, and vulnerability databases, such as these:

  •  Common Vulnerabilities and Exposures (cve.mitre.org/cve)
  •  CERT/CC Vulnerability Notes Database (www.kb.cert.org/vuls)
  •  NIST ICAT Metabase (icat.nist.gov/icat.cfm)

These sites list practically every known vulnerability. If you can’t find a vulnerability documented on one of these sites, search the vendor’s site.

Another useful resource is the SANS Top 20 Internet Security Vulnerabilities consensus list, which is compiled and updated by information-security authorities.

If you’re not keen on researching your potential vulnerabilities and want to jump right into testing, you have a couple of options:

  •  Manual assessment: You can assess the potential vulnerabilities by connecting to the ports that are exposing the service or application and poking around. You should manually assess certain vulnerabilities (such as in Web applications). The vulnerability reports in the preceding databases often disclose how to do this — at least generally. If you have a lot of free time, performing these tests manually may be for you.

  •  Automated assessment: If you’re like me, you’ll assess vulnerabilities automatically when you can. Manual assessments are a great way to learn, but people usually don’t have the time for most manual steps.

Some automated tools test for vulnerabilities on specific platforms (such as Windows and UNIX) and types of networks (either wired or wireless). They test for specific system vulnerabilities — some even focus on the SANS Top 20 list. Versions of these tools can map the business logic within an application; others can help software developers test for code flaws. The drawback to these tools is that they find only individual vulnerabilities and don’t correlate them with one another. However, this is changing with the advent of event-correlation applications.
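To show what that missing correlation step looks like in practice, here is an added example (not code from the original text or from any of the tools it names) that groups scanner findings per host, looks each up in a local table of vulnerability notes, and flags hosts where a remotely reachable finding and a local one coexist. The scanner output, finding IDs and notes are all constructed for the example.

```python
from collections import defaultdict
# Constructed scanner output (not real tool output): "host,port,finding_id,severity".
# Finding IDs are placeholders for the CVE or vendor identifiers a real scanner reports.
SAMPLE_FINDINGS = """\
10.0.0.5,22,FINDING-OLD-SSH,medium
10.0.0.5,80,FINDING-WEBAPP-LOGIN,high
10.0.0.5,445,FINDING-LOCAL-PRIVESC,medium
10.0.0.9,80,FINDING-WEBAPP-LOGIN,high
10.0.0.9,443,FINDING-WEAK-TLS,low
"""

# Constructed vulnerability notes, (exposure, countermeasure) per finding ID, standing
# in for what you would look up in CVE, CERT/CC or the vendor's site before testing.
VULN_NOTES = {
    "FINDING-OLD-SSH": ("remote", "Upgrade the SSH daemon to a supported release."),
    "FINDING-WEBAPP-LOGIN": ("remote", "Fix the login form's input handling; confirm manually."),
    "FINDING-LOCAL-PRIVESC": ("local", "Apply the vendor patch; remove unneeded local services."),
    "FINDING-WEAK-TLS": ("remote", "Disable obsolete cipher suites in the server config."),
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

def parse_findings(text):
    """Turn the scanner's CSV-style lines into a list of finding dicts."""
    findings = []
    for line in text.strip().splitlines():
        host, port, fid, sev = line.split(",")
        findings.append({"host": host, "port": int(port), "id": fid, "severity": sev})
    return findings

def correlate(findings):
    """Group findings per host and flag hosts where a remotely reachable finding and a
    local one coexist: two unrelated items to a single-finding scanner, one risk to a reviewer."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    report = {}
    for host, items in by_host.items():
        exposures = {VULN_NOTES[f["id"]][0] for f in items}
        worst = max(items, key=lambda f: SEVERITY_RANK[f["severity"]])["severity"]
        report[host] = {"count": len(items), "worst": worst,
                        "chained": {"remote", "local"} <= exposures,
                        "countermeasures": [VULN_NOTES[f["id"]][1] for f in items]}
    return report

def executive_summary(report):
    """One line per host: the level of detail an executive report carries; the
    countermeasures list in the report dict is the technical report's material."""
    return [f"{h}: {r['count']} findings, worst {r['worst']}"
            + (", remote+local chain" if r["chained"] else "") for h, r in sorted(report.items())]
```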

Many people love the Nessus tool (www.nessus.org). However, it’s not the best choice for beginners or for anyone without a Linux or UNIX server.

One of the best ethical hacking weapons is a vulnerability-assessment tool called QualysGuard by Qualys (www.qualys.com). It’s both a port scanner and a vulnerability-assessment tool. You don’t even need a dedicated computer to run it. QualysGuard — which has its roots in Nessus — is an application service provider-based commercial tool. Just browse to the Qualys Web site, log in, and enter the IP addresses of the systems you want to test. You schedule the assessment; it runs, then generates excellent reports, such as these:

  •  An executive report containing summary information, such as that shown in the partial screen capture of a QualysGuard report.
  •  A technical report with detailed explanations of the vulnerabilities and specific countermeasures.

Like most good security tools, you pay for QualysGuard — it’s not the least expensive tool — but you get what you pay for. Some newer products offer similar technical capabilities while adding convenience.

A sample QualysGuard vulnerability-assessment report

Assessing vulnerabilities with a tool such as QualysGuard requires follow-up expertise. Study the reports so that your recommendations are based on the systems actually tested.
