Chris Triolo - PowerPoint PPT Presentation
Transcript and Presenter's Notes

1
Colorado University Guest Lecture: Vulnerability Assessment
  • Chris Triolo
  • Spring 2007

2
What is a vulnerability?
  • Vulnerability: a flaw or weakness in an operating system or
    application which could lead to unauthorized access
  • Exploit (n.): a tool or technique that takes advantage of a
    security vulnerability

3
Three Flavors of Vulnerabilities
  • Coding Errors
    • Example: Buffer overflows
  • Implementation Errors
    • Example: Open file shares
  • Human Errors
    • Example: Social engineering, malware
  • Analogy
    • Rear gas tank on the Ford Pinto
    • Mechanic neglect
    • Filling up the gas tank

4
Common Vulnerabilities
  • Information Leaks
  • Buffer overflows
  • Special characters
  • Authentication flaws
  • Race conditions

5
Hacker Methodology: Anatomy of an Attack
(slide content not captured in the transcript)

6
Vulnerability Assessments
  • Why would you want to do this?
  • Consideration
    • Dangerous!!! These tools are usually designed not to crash
      anything, but it's possible. Don't assume that it won't hurt,
      and make sure appropriate contacts are ready in case of
      problems.
  • Permission
    • People get really touchy about someone scanning their network
      even if it's not malicious. An administrator will shoot first
      and examine supposed motives later.

7
The Plan
  • Vulnerability Assessment vs. Scanning vs. Pentesting
  • When to scan?
    • Time and frequency
  • Where to scan from?
    • Inside or outside the network

8
The Plan
  • Goals
    • Find the vulnerabilities! You need to find them all;
      miscreants only need one.
  • Exploit or not to exploit
    • Why would you want to exploit the hole?
    • Why wouldn't you want to exploit the hole?
    • Is it really necessary?

9
The Findings
  • Interpretation and reporting of the findings
  • Manual verification
    • False positives are a big problem. False negatives are a
      bigger problem.
    • Some reported holes aren't a problem in your environment
  • Compiling reports
    • Use pre-canned vendor reports
    • Business unit/sector

10
Minimizing the Total Cost of Security
(chart slide; only the chart labels were captured)
  • Total Cost of Security
  • Business Risk (Annual Loss Expectancy)
  • Security Spending (Cost of Countermeasures)
  • Diminishing Returns

11
Three Common Logic Errors in Risk Decision Making
  • World is Flat
    • Vulnerability
    • Single computer
    • Binary
    • Best practices
  • World is Round
    • Risk
    • Community of computers
    • Analog, synergistic
    • Essential practices

12
The Findings
  • Vendor severity ratings
    • Vulnerabilities will come in a number of classes
      • Remote vs. local
      • Information leak
      • DoS
      • Command execution
  • System prioritization
    • Business criticality
    • Severity of findings
    • Current level of protection
  • Risk = Asset (value) x Vulnerability (severity) x Threat (likelihood)
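The two "Findings" slides (manual verification and business-unit reporting on slide 9, the risk formula and prioritization factors on slide 12) can be combined into one small triage routine. This is an added example written for this transcript, not code from the lecture; the severity weights, the remote/local likelihood factors, the effect of an existing countermeasure, and the sample findings are all assumed or constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Vulnerability classes from slide 12 with an assumed severity weight.
CLASS_SEVERITY = {"information leak": 1, "dos": 2, "command execution": 4}
# Assumed threat likelihood: remotely reachable holes are likelier to be hit than local ones.
EXPOSURE_LIKELIHOOD = {"remote": 1.0, "local": 0.4}

@dataclass
class Finding:
    host: str
    business_unit: str
    asset_value: int            # business criticality, 1 (low) to 5 (critical)
    vuln_class: str             # "information leak", "dos" or "command execution"
    exposure: str               # "remote" or "local"
    verified: "bool | None"     # True = manually confirmed, False = false positive, None = not yet checked
    protected: bool = False     # an existing countermeasure (e.g. firewall filter) already covers the hole

def risk_score(f: Finding) -> float:
    """Risk = Asset (value) x Vulnerability (severity) x Threat (likelihood); protection halves likelihood (assumed)."""
    likelihood = EXPOSURE_LIKELIHOOD[f.exposure.lower()] * (0.5 if f.protected else 1.0)
    return f.asset_value * CLASS_SEVERITY[f.vuln_class.lower()] * likelihood

def prioritize(findings):
    """Drop confirmed false positives, keep unverified ones, order by risk (highest first), then host."""
    keep = [f for f in findings if f.verified is not False]
    return sorted(keep, key=lambda f: (-risk_score(f), f.host))

def report_by_business_unit(findings):
    """Per-business-unit summary: total risk and hosts still awaiting manual verification."""
    report = defaultdict(lambda: {"total_risk": 0.0, "unverified": []})
    for f in prioritize(findings):
        report[f.business_unit]["total_risk"] += risk_score(f)
        if f.verified is None:
            report[f.business_unit]["unverified"].append(f.host)
    return dict(report)

# Constructed sample findings (not real hosts or scanner output).
SAMPLE = [
    Finding("10.0.1.5", "Finance", 5, "command execution", "remote", True),
    Finding("10.0.1.6", "Finance", 3, "information leak", "remote", None),
    Finding("10.0.2.9", "Engineering", 2, "dos", "local", False),  # false positive after manual check
    Finding("10.0.2.10", "Engineering", 4, "command execution", "remote", True, protected=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.host:10}  {f.business_unit:12}  {f.vuln_class}")
    print(report_by_business_unit(SAMPLE))
```

Unverified findings stay in the list (a dropped false negative is the bigger problem, as the slide says) and are called out per business unit so the manual verification queue is visible in the report.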

13
Tool Types
  • Ping Scanner
  • Protocol Scanner
  • Port Scanner
  • OS Scanner
  • Patch Scanner
  • Web / CGI Scanner
  • Web Hole Scanner
  • Host based Scanner
  • Vulnerability Scanner

14
Commercial Tools
  • ISS
    • Internet Security Scanner
  • Foundstone
    • FoundScan / Foundstone Enterprise
  • Qualys
    • On-demand scanning (1 IP free)
  • Watchfire
    • Web application scanner

15
Open Source Tools
  • Nessus
    • Full vulnerability scanner
  • Nmap
    • Ping sweeps, port scans, OS discovery
  • Nikto
    • Web / CGI scanner
  • X-probe
    • OS fingerprinting
  • Enum
    • Open file shares

16
Nmap
  • Port Scanning
  • Ping Sweeping
  • OS Detection
  • Service/version Detection
  • Firewall/IDS Evasion and Spoofing
  • http://www.insecure.org

17
Nessus
  • Full Vulnerability Scanner
  • Ping Sweeping
  • Port Detection (incorporates Nmap)
  • OS and version detection
  • http://www.nessus.org
  • Some Licensing restrictions

18
Recommended Reading
  • Hacking Exposed: the book and the web site
  • Open Source Security Tools: Practical Guide to Security
    Applications
  • Web sites
    • http://packetstormsecurity.nl/
    • http://neworder.box.sk/
  • Art of Intrusion, Kevin Mitnick
  • Shadow Crew podcasts
  • Spam Kings, Brian McWilliams

19
Recommended Reading
  • Nmap Guide
  • Underground Economy: Priceless, CYMRU