International Journal of Advancements in Research & Technology, Volume 2, Issue4, April‐2013 462 ISSN 2278‐7763 Vulnerability Assessment
Laxmi Patil _____________________________________________________________________________
Department of Computer Science and Engineering REVA INSTITUTE OF TECHNOLOGY AND MANAGEMENT Bangalore, INDIA Email: [email protected] ABSTRACT
Vulnerability assessment aims at identifying weaknesses and vulnerabilities in a system design, implementation, or operation and management, which could be exploited to violet the system’s security policy. The overall scope of vulnerability assessment is to improve information and system security awareness by assessing the risks associated. Vulnerability assessment will set the guidelines to close or mitigate any risk and reinforce security processes. Furthermore it will form an auditable record of the actions performed in protecting from the most current vulnerabilities.
Keywords: Assessment, exploit, Nessus.
1. Vulnerability
In computer security, the term vulnerability is applied to a weakness in a system, which allows an attacker to violate the integrity of that system. Vulnerabilities may result from weak passwords, software bugs, software misconfigurations, a computer virus or other malware (malicious software), a script code injection, or a SQL injection just to name the few. A security risk is classified as vulnerability if it is recognized as a possible means of attack. A security risk with one or more known instances of working and fully implemented attacks is classified as an exploit. Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities. Vulnerabilities existed all the time, but when Internet was at its early stage they were not as often used and exploited. Media did not report any news about hackers who are getting put in jail for ʺhackingʺ into servers and stealing vital information. Back then all nodes on the network were trusted, secure protocols such as SSH, SCP, SSL did not exist, but telnet, FTP and plain text HTTP were used to interexchange sensitive data. 1.1 Protective Measures Common exploits occur because of weaknesses found in a computing environment. These exploits are an attack against: Confidentiality ‐ being secure from unauthorized access. Example: Vulnerabilities in telnet (user names and passwords sent unencrypted from a remote connection) can allow an attack against Confidentiality. Integrity ‐ accuracy and completeness of data. Example: Vulnerabilities in sendmail (mail can be forged from any address) can allow an attack against integrity. Availability ‐ data and systems ready for use at all times by authorized users. Example: Variations in ping (request for information, can cause a denial of service attack ‐ i.e., floods, ping of death) can be an attack against Availability. 1.2 Types of vulnerabilities There are many types of vulnerabilities. Few are mentioned below. 1. Sql injection: A SQL injection attack consists of insertion or ʺinjectionʺ of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. 2. Software defect: This is the most common one will encounter. A defect can be in operating system software or application software. Defects in the OS are typically more worrisome, but an application defect can be just as troublesome. For example, a defect in a database management system (DBMS) that allows customers’ data to be viewed by unauthorized people on the Web is just as damaging as revealing that same data through an OS defect. 3. Clear text data captured: It is more true now, that the usage of wifi is a common practice. If user, password, or other data is transmitted across open networks in clear text, it can be intercepted and used. A classic example is the difference between TELNET and SSH. TELNET transmits all data including passwords and login names in clear text. Anyone on the network and have their Copyright © 2013 SciResPub. IJOART Intern
national Journal of Advancemeents in Research
h & Technology, Volume 2, Issue4, April‐2013 463 ISSN 2278‐7763 netw
work card in
n promiscuou
us mode, can
n sniff out the t
n information
n and gain access to a sy
ystem. SSH usses encryption on all traffic and iss more securee. 4. Weak W
words: Crackable or easily guessab
ble passswords are a common waay for hackerss to gain inittial access to a system
m. Cracking passwords aare much easier with
h more peo
ople having access to v
very powerfful computers than ever before; and if you can network
k a host of powerfu
ul computers to crack passwords the t
posssibilities are great. Becau
use of the fact f
that Lin
nux passswords (and
d commandss) are case sensitive, one o
uld take adv
vantage of th
his and use both b
uppercaase and lowercase w
words along with numbeers punctuatiion mark
ks and even sspaces. And cchange it ofteen, at least on
nce a mo
onth. 5. Carelessness: C
Carelessnesss is a hum
man error th
hat hack
kers exploit to
o gain access to a system that is expossed throu
ugh negligen
nce or stupidity. Two classsic examples aare usin
ng the defaault passworrd and wriiting down a passsword. 6. Denial D
of service: “A denial‐of‐servicce attack (also, DoS attack) is an attack on a ccomputer systtem or netwo
ork that causes a losss of service to
o users, typiccally the loss of netw
work connecttivity and services s
by consuming c
the band
dwidth of th
he victim neetwork or overloading the t
computational reesources of th
he victim sysstem. Examples are iinvalid packeet floods, valiid packet floo
ods, and serviice flood
ds such as HT
TTP attacks. 7. Directory D
Traaversal Direcctory Traverssal is an HTT
TP exploit which allows attacckers to access restrictted direcctories and eexecute comm
mands outsiide of the web w
serverʹs root direcctory. LIT
EY 2. Vulnerability
y Assessment Vulnerab
bility assessm
ment may bee performed on man
ny objects, no
ot only comp
puter systemss/networks. For F
mple physical buildings can c be assesssed so it wou
uld be clear c
what paarts of the building b
havee what kind of flaw
w. If the attack
ker can bypaass the security guard at the t
front door and g
get into the building b
via back door itt is defin
nitely vulnerability. If he actually does that – it is an exploit. The physical securrity is one of the mo
ost impo
ortant aspectts to be takeen into the account. If the t
attacckers have ph
hysical accesss to the serveer ‐ the serverr is not y
yours anymo
ore! Why? Because if the sserver is stoleen, the a
attacker does not need to evade IDS, d
does not need to evad
de IPS, does n
not have to figure out the way on how to dum
mp 10T of datta, it is right h
here on the server. Full diisk encryption woulld help, but it is not co
ommon use for f
servers. Make aabsolutely su
ure to do FDE (Full Diisk nown as WD
DE Encrryption) on aall your laptops, also kn
hole Disk Encrryption). Just by stating ‘yourr systems orr networks’ are a
nerable doessnʹt provide any usefu
ul informatio
on. vuln
nerability asseessment with
hout a compreehensive repo
ort is prretty much usseless. It is eaasy to use auttomatic tools to scan
n networks, m
make reports out of the to
ool and send
d it ut, but that does d
not prov
vide much vaalue as reporrt can ou
eaasily run into
o thousands of pages. It is much bettter to m
make top 10 vu
ulnerabilitiess out of all of them and ma
ake a reeport. Vulnerrability assesssment report should incclude: Id
dentification o
of vulnerabiliities and vuln
nerable system
ms It is en
nough to find
d one critical vulnerability
y and th
he whole netw
work is at risk
k, just like if o
one link is brroken in
n the chain, an
nd the whole chain is brok
ken: Fiigure 1: One ccritical vulnerrability affectt 2.1 Types of V
y Assessmen
nt The discipline of o vulnerab
bility assessment co
omprises hostt based vulneerability assessment, relatted to th
he inside configuration of host and
d network based b
ulnerability assessment, a
focused on the t
vulnerabiilities viisible and exp
ploitable on th
he network. Both kinds of vulnerability v
assessmentss are reequired for maximum m
efffectiveness, as vulnerabiilities caan be exploiteed by an entitty inside the ssecurity perim
meter (i..e. a legitim
mate user), or o initiated from f
outsidee the peerimeter, by aan unauthorissed or illegitim
mate user. Netwo
ork‐based vulnerability assessmentss are acccomplished through the use of network scan
nners. N
Network scann
ners are able to detect op
pen ports, ideentify seervices runniing on thesee ports, simu
ulate attacks, and reeveal possiblle vulnerabiilities associiated with these seervices. On the other hand, h
host‐baased vulnerab
bility asssessments arre carried out through host‐based scann
ners. Host‐b
based scann
ners are ab
ble to recog
gnize sy
ystem‐level vulnerabilities including incorrect file peermissions, registry permissions, p
and softtware co
onfiguration errors. Fu
urthermore, they t
ensure that taarget system
ms are compliant with the predefined co
ompany seccurity policcies. Unlikee network‐b
based sccanners, an ad
dministrator aaccount or an
n agent is requ
uired to
o be on the taarget system
m to allow forr the system‐‐level acccess required
d. 3. Why to perfform Vulnerrability Asseessment Organ
nizations havee a tremendo
ous opportuniity to usse information techno
ologies to increase their prroductivity. Securing S
ormation and
d communica
ations sy
ystems will be a necessary
y factor in tak
king advantaage of alll this increaased connectiivity, speed and informaation. H
However, no security s
meassure will guaarantee a risk
k free en
nvironment in which to operate. In fact, many m
orrganizations w
will need to provide easieer access by u
users Copyyright © 20
013 SciResPu
ub. IJO
OART Intern
national Journal of Advancemeents in Research
h & Technology, Volume 2, Issue4, April‐2013 464 ISSN 2278‐7763 to portions p
of their inforrmation sysstems, thereeby increeasing potenttial exposure.. Adminisstrative errorr is a prim
mary cause of vuln
nerabilities th
hat can be ex
xploited by a novice hack
ker, whether an outtsider or insider in thee organizatio
on. ulnerability assessment a
ools along wiith Routtine use of vu
mediate respo
onse to probleems identifieed will alleviaate this risk. It follow
ws, thereforee, that routin
ne vulnerability uld be a sttandard elem
ment of eveery assesssment shou
anization’s seecurity policcy. The maiin purpose of vuln
nerability asseessment is to find out whaat systems ha
ave flaw
ws and take acction in order to mitigate th
he risk. 3.1 V
Vulnerabilitty Assessmen
nt Goal The theeoretical goal of networrk scanning is elevaated security on all system
ms or establisshing a netwo
ork widee minimal op
peration stand
dard. The following diagraam show
ws how usefu
ulness is relateed to ubiquity
y: HIPS – Host‐Baseed Intrusion P
Prevention Sy
ystem NID
DS – Network
k‐Based Intrussion Detection
n System AV –
– Anti‐Virus NIPS – Network‐‐Based Intrussion Preventio
on System Figu
ure 2: Usefuln
ness ‐ Ubiquity relation PRO
WORK 4. Vulnerability
y Assessment Methodolo
ogy Thee assessment process is comprised of o four phases: disco
overy, detecction, explo
oitation, and
d analysis or recommendation
ns. The diag
gram below identifies the t
relattionships am
mong the fou
ur phases, an
nd the flow of inforrmation into the final repo
ort. Client In‐Briefin
ng‐ Prior to
o initiating an a assessment, PatchAdvisor will request a sshort briefing
g with the clieent nue to review the planned conduct of tthe to seerve as a ven
assesssment and eestablish coorrdination pro
otocols with tthe desig
gnated client point of conttact. Fiigure 3: Vulneerability assessment proceess Discovery Ph
hase ‐ The first step in
n a vulnerab
bility an
nalysis is to discover all points of co
onnectivity to
o the neetwork. Thiss includes connections to public data neetworks such
h as the Inteernet, privatee interconnecctions w
with partners,, connection
ns to the tellephone netw
work th
hrough modem dialups, an
nd Wireless L
LAN connecttivity su
uch as 802.11b
b access poin
nts. A variety of techniquees are ussed to catalog
g points of en
ntry, and the content of p
public an
nd private diirectory services is provided as outpu
ut so th
he client becom
mes aware off their existen
nce and conten
nt. Optional Postt‐Discovery Briefing O
‐ Ass communicaations teechnology evolves, connection of com
mponents beco
omes faaster and easieer. As networrks get largerr and more geographically dispeersed, it beco
omes increasingly diifficult to man
nage their gro
owth. The naatural result iss that th
here are oftten discrepaancies betweeen the netw
work co
ontent, topolo
ogy, and poiints of accesss documenteed by th
he client and the correspo
onding inform
mation discov
vered by
y an assessmeent. This brieffing is necesssary to ensuree that th
he scope of th
he assessmentt and related cost estimatees are still appropriate. However,, the primary
y intent is to keep th
he client info
ormed of ourr findings an
nd allow tim
me for in
nternal discusssion before tthe results aree presented in the ou
ut‐briefing. Detection Ph
hase ‐ Deteection and exploitation
n (as diiscussed belo
ow) are perfo
ormed from both b
externall and in
nternal persp
pectives. The external po
ortion emphaasizes th
he identification of vulnerabilitiies that allow a
nauthorized eentry into thee target enviro
onment, whille the in
nternal portio
on focuses on opportu
unities to ex
xceed au
uthorized acccess once insiide. There is, of course, a close reelationship beetween intern
nal and exterrnal results; if an ex
xternal attack
ker successfullly gains acceess to the sysstem, alll of its interrnal vulnerab
bilities becom
me exploitab
ble as w
well. In the an
nalysis phasee, internal an
nd external reesults arre combined
d to presentt a compreh
hensive view
w of vu
ulnerabilities. Copyyright © 20
013 SciResPu
ub. IJO
OART Intern
national Journal of Advancemeents in Research
h & Technology, Volume 2, Issue4, April‐2013 465 ISSN 2278‐7763 ools are used
d in the detecttion phase: Threee classes of to
Publlic Domain tools – Maany of the tools used by PatchAdvisor hav
ve been obtaiined either diirectly from tthe other security
y specialists. Interrnet or from o
prietary toolss – These aree tools that haave either beeen deveeloped by in
ndividual teaam members,, or are pub
blic dom
main tools thatt have been m
modified by o
our team. Com
mmercial toolss – For war‐d
dialing, we usse a commerccial tool such as Phon
neSweep by S
Sandstorm Teechnologies. ploitation Phaase is design
ned Explloitation Phaase ‐ The Exp
to prrovide a leveel of assessmeent beyond th
he capability of auto
omated tools.. This phase includes botth internal an
nd exterrnal simulateed attacks, refflecting vulneerability both
h to auth
horized userss exceeding their permiissions, and to outssiders penetrating via the Interneet, other da
ata netw
works, and w
wireless or diial‐in connecctions. In maany cases, manual ex
xploitation atttempts are made m
to verify that vulnerabilitties identifieed by toolss are actuaally t
identiffy “apparen
nt” exploitable, sincce many tools nerabilities bu
ut lack the cap
pability to vallidate them.
he typical scaanner architeecture seervices and/or services. Th
is shown below
w: Vulnerability database: The Nation
nal Vulnerab
bility Database is thee U.S. govern
nment reposiitory of stand
dards baased vulnerab
bility manag
gement data rrepresented using u
he Security Content C
omation Proto
ocol (SCAP). This daata enables automation a
o vulnerabillity managem
of ment, seecurity measu
urement, and
d compliancce. NVD inclludes daatabases of seecurity check
klists, security
y related softtware flaaws, miscon
nfigurations, product nam
mes, and im
mpact m
metrics. User configura
ation consolee: This is for setting, instaalling an
nd configurattion purpose. Analysis Phase ‐ Once th
he active phases p
of the t
assesssment arre compleeted, prioritized fin
nal recommendation
ns are mad
de regardin
ng specific vulnerabiliities, insecu
ure computing pracctices, config
guration man
nagement an
nd netw
work design. These recomm
mendations aare compiled in the ffinal report. SCA
Mapping the Network Another method th
hat can be u
used to locaate weak
knesses with
hin a systeem is called
d vulnerability Map
pping. This en
ntails analyzin
ng the softwaare and servicces runn
ning on the ccomputer, an
nd then matcching each to
o a know
wn vulnerabiility. Servicess can easily bee found using
g a tool such as Nmaap. The Nm
map Security Scanner is a free and op
pen ons of peoplle for netwo
ork sourrce utility ussed by millio
overy, adm
ministration, inventory, and security audiiting. Nmap uses raw IP
P packets in novel ways to determine what hosts are av
vailable on a network, wh
hat nd version) those t
hosts are a
services (applicattion name an
perating systeems they aree running, wh
hat offerring, what op
typee of packet filtters or firewa
alls are in use,, and more. The guid
delines suggeested by CERT
T will also heelp hard
den your sy
ystem confiiguration an
nd operation
nal enviironment and
d protect it against kno
own attacks. It coveers planning, configuratio
on, maintenan
nce, improviing userr awareness, aand testing. 6. S
Selecting the right scanners Scannerss alone donʹt solve the pro
oblem, scanniing shou
uld be used only as starrting point in
n vulnerability assesssment. Startt with one scanner s
but consider mo
ore than
n one. It is aa good practice to use more m
than one o
nner. This waay you can co
ompare resultt from a coup
ple of th
hem. Some scanners are more focused
d on particular Typical scann
ner architecturre Figure 4: T
Sccanning engiine: It is the machine by which we sccan n nu
umber of targ
get systems an
nd programm
ming interfacee that in
ncorporates scanning teechnologies into propriietary ap
pplications. Itt integrates proprietary p
and patented URL filltering scan
nners and industry‐leeading antivirus teechnologies for f
fast, scalable, and reliable con
ntent sccanning services to protectt against viru
uses, spywaree, and otther malwaree. Active scan knowledge base: It co
ontains currrently ru
unning scanniing informatiion. Reesult Reposiitory: The co
ompleted tarrget systems scan su
ummary is sttored in thiss repository and a
it is sen
nt for reeport generatiion. In an ideal situattion, scannerrs would no
ot be neeeded becausse everyone would main
ntain well‐pattched an
nd tested hosts, routers, an
nd gateways, workstationss and seervers. However real worlld is differen
nt, we are hum
mans an
nd we tend to forget in
nstall updatees, patch sysstems an
nd/or configu
ure systems properly. Maalicious codee will allways find a a way into your y
k! If a systeem is co
onnected to th
he network th
hat means theere is a possib
bility th
his system will be infected at some tiime in the fu
uture. Th
he chances might m
be high
her or lower depending d
n the m
maintenance leevel system has. h
The systtem will never be seecure 100%. There T
is no such s
thing ass 100% securiity, if Copyyright © 20
013 SciResPu
ub. IJO
OART Intern
national Journal of Advancemeents in Research
h & Technology, Volume 2, Issue4, April‐2013 466 ISSN 2278‐7763 well maintained it might be 99.99999999999% secure, but b
neveer 100%. orms. Top 3 tools Liinux platfo are listed
d below. according to 6.1 C
Central scans Vs local sccans The question here is: should we scan locally or centrrally? Should
d we scan thee whole netw
work at once, or shou
uld we scan network baased on sub
b domains an
nd virtu
ual LANs? wer is both i.e. i localized scanning wiith The answ
centrral scanning
g verification
n. Central scans s
give the t
overrall visibility into the netw
work. Local scans may s
ave high
her visibility into the local network. Central driv
ven scan
ns serve as the baseline. Lo
ocal driven sscans are key to vuln
nerability red
duction. Scan
nning tools should s
ort both
h methodolog
gies. #11 scanner avaiilable Nessus is the best UNIX vulnerability N
nd among thee best to run o
on Windows. N
Nessus is con
nstantly updated, with more m
than 45,000 4
pllugins. Key
y features include rem
mote and local (aauthenticated)) security cheecks, client/seerver architeecture w
with a graphiical interface,, and an em
mbedded scrip
pting laanguage for w
writing your o
own plugins or understan
nding th
he existing on
nes. SCA
S 7. Re
eporting Critical vulnerabilitiees should bee on the top of the report r
and sh
hould be listted in descen
nding order i.e. i
criticcal, then high
h, medium an
nd low. Repo
orting capability is of growing
g importancce to adm
ministrators, in docu
umentation oriented busin
ness climate w
where you mu
ust not o
only be able to do your jo
ob, but also p
provide writtten proo
of of how y
you’ve done it. In fact, respondents r
to Sunb
belt’s survey
y indicate that flexible and prioritiziing repo
orting is their number one favourite feaature. n hundreds or o thousands of A scan might return
results, but the d
data is useless unless it is organized in
n a way
y that it can b
be understoo
od. That meaans that ideaally you will to be ab
ble to sort an
nd cross‐refeerence the daata, expo
ort it to otheer programs and formats (such as CS
MHT, MDB, Excel, E
Word, and/or Lotu
us), view
w it in differeent ways, an
nd easily com
mpare it to the t
results of earlier sscans. discovers the v
y, it Dependiing on who d
can either be ex
xploited or reported.Vuln
nerabilities are a
orted in the ho
ope that the v
vendor will p
provide a timeely repo
patch or someonee will develop
p a fix. The following rrepresents tw
wo avenues for reportiing nerabilities: vuln
Traqʹs (a mod
derated mailiing list speciffic to discussiion of seecurity vulnerrabilities) Vuln
nerability rep
porting protoccol is as follow
ws: 1. Co
ontact the prroductʹs vend
dor and give tthem one weeek to reespond. If theey don’t respo
ond, then p
post to the t
Traq list. S
See http://w for f
postting informatiion. 2. If you do hearr from the veendor, give them t
what you y
o fix the vuln
nerability. Th
his conssider approprriate time to
will depend on th
he vulnerabiliity and the prroduct. RT Coordinattion Center. It is also sim
milar to Bugtrraq CER
list b
but it is done in encrypted form. 8. Vulnerability
y Assessment tools There arre many vullnerability asssessment too
ols and these tools may works on various windows an
nd #22 GFI LANguard
d: A commerrcial network
k security sca
anner or Windows. It also tries to collect Wiindows mach
hineʹs fo
seervice pack level, missin
ng security patches, wirreless acccess points, USB devicees, open shaares, open ports, p
seervices/appliccations activee on the comp
puter, key reg
gistry en
ntries, weak passwords, users and grroups, and more. m
Sccan results arre saved to an
n HTML rep
port, which caan be cu
ustomized / queried. q
It allso includes a patch man
nager, w
which detects a
and installs m
missing patch
hes. #33 Reetina: Comm
mercial vulnerrability assesssment scanneer by eE
Eye Like Nesssus, Retinaʹs function is to
o scan all the h
hosts on
n a network and report on o any vulneerability foun
nd. It w
was written by b eEye, wh
ho are well known for their seecurity research. #44 IS
SS Internet Scanner: Application‐lev
vel vulnerab
bility asssessment Intternet Scanneer started offf in ʹ92 as a a tiny op
pen source sccanner by Ch
hristopher Kllaus. Now hee has grrown ISS into
o a billion‐dolllar company
y with a myriad of seecurity produ
ucts. #55 X‐‐scan: A general g
nner for sccanning netw
work vu
ulnerabilities. It is a multti‐threaded, plug‐in p
orted vu
ulnerability scanner. s
Scan includess many feattures, in
ncluding full NASL supp
port, detectin
ng service ty
ypes, reemote OS typ
pe/version detection, weaak user/passw
word paairs, and morre. 9. Vulnerabiliity Disclosure Dates Copyyright © 20
013 SciResPu
ub. IJO
OART Intern
national Journal of Advancemeents in Research
h & Technology, Volume 2, Issue4, April‐2013 467 ISSN 2278‐7763 The timee of disclosurre of vulnerab
bility is defin
ned diffeerently in thee security com
mmunity and
d industry. Itt is most commonly rreferred to ass ʺa kind of pu
ublic disclosu
ure s
inforrmation by a certain partyʺ. p
Usuallly, of security vuln
nerability info
ormation is discussed on aa mailing list or publlished on a seecurity web ssite and resullts in a security adviisory afterwards. The timee of disclosurre is the first d
date security vuln
nerability is described on a chann
nel where the t
discllosed informaation on the v
vulnerability has to fulfil tthe follo
owing requireements: 1. Th
he informatio
on is freely av
vailable to thee public 2. Th
he vulnerabillity information is publish
hed by a trustted and independentt nnel/source chan
3. Th
he vulnerabiility has und
dergone analy
ysis by experts such
h that risk ratiing inforrmation is inccluded upon disclosure 10. F
Find Security
y Holes Befo
ore They Beccome Prob
blems Vuln
nerabilities caan be classifieed into two m
major categoriees: i) Th
hose related to
o errors madee by program
mmers in writing the code ffor the softwaare. ii) Th
hose related tto misconfigu
urations of thee software’s settin
ngs that leavee systems less secure than
n they could b
be. Vulnerab
bility scanners can identify both types. Vuln
nerability asssessment too
ols have beeen around for f
ny years. They’ve been used by netwo
ork adm
ministrators aand misused
d by hackerrs to discov
ver exploitable vulneerabilities in ssystems and networks of all ds. One of th
he early welll‐known UN
NIX scanners is kind
TAN (System
m Administrrator Tool for Analyziing Netw
works). d‐be intrud
der, In the hands off a would
nerability scan
nners becomee a means of finding victim
ms and determining
g those victiims’ weak points, p
like an t
undeercover intelligence opeerative who infiltrates the oppo
osition’s sup
pposedly seccure location
n and gatheers inforrmation that can be used tto launch a fu
ull scale attack
k. 10.1 Identifying
g and Remov
ving Vulneraabilities Many so
oftware toolss exist that can aid in the t
overy (and so
ometimes rem
moval) of vuln
nerabilities in
n a computer system
m. Though th
hese tools can provide an audiitor with a go
ood overview
w of possiblee vulnerabilities pressent, they can
nnot replace human judg
gment. Relying solelly on scannerrs will yield ffalse positivess and a limiteed‐
pe view of thee problems prresent in the ssystem. Vulnerab
bilities have been found in every majjor operrating system
m including Windows, W
M OS, vario
Mac ous form
ms of UNIX aand Linux, OpenVMS, O
and others. The T
y way to reduce the chan
nce of a vuln
nerability being used
d against a system is th
hrough consstant vigilance, (e.g. applyiing inclu
uding carefu
ul system maintenance m
ware patchess), best practiices in deploy
yment (e.g. the t
use o
of firewalls an
nd access con
ntrols) 11. V
Vulnerabilitty Causes nagement Flaaws: Paassword Man
The computer user usees weak passswords that could c
bee discovered by brute forrce. The com
mputer user stores s
he password on the com
mputer wheree a program
m can acccess it. Ussers re‐use passwords between many m
prrograms and websites. Fu
undamental O
Operating Sy
ystem Design
n Flaws: The operatting system d
designer choo
oses to enforcee sub op
ptimal policies on userr/program management. m
For ex
xample opera
ating systemss with policiees such as deefault peermit grant every program
m and every user full acceess to th
he entire com
mputer. This operating sy
ystem flaw alllows viiruses and malware m
to ex
xecute commaands on behaalf of th
he administrator. So
oftware Bugss: The progrrammer leav
ves an explo
oitable bug in a so
oftware prog
gram. The software s
g may allow
w an atttacker to misuse an appllication throu
ugh (for exam
mple) by
ypassing acceess control ch
hecks or execcuting comm
mands on
n the systeem hosting the appliccation. Also the prrogrammerʹs failure to ch
heck the sizee of data bu
uffers, w
which can then
n be overflow
wed, causing corruption o
of the stack or heap areas of meemory (inclu
uding causing
g the co
omputer to ex
xecute code p
provided by th
he attacker).
Unchecked Usser Input: The program assum
mes that all user u
input is safe. c
user input can allow a
Prrograms thaat do not check un
nintended direct d
executtion of com
mmands or SQL statements (kn
nown as Bufffer overflows,, SQL injectio
on or otther non‐valid
dated inputs)). EX
SULTS 122. Implemen
ntion N
Nessus Scanni
ing Features Nessu
us scans targeet systems bassed on host n
name, IP
P address, su
ubnet, or IP
P address raange. It initially in
nvestigates the system by cconnecting to
o the target sy
ystem an
nd simulatin
ng various application protocols. For ex
xample, if Nessus is checking for f
web seerver vu
ulnerabilities,, it then prettends to be a a web browseer by seending HTTP protocols. Similaarly, if it was testing for W
Windows fileseerver vu
ulnerabilities,, it then preteends to be a W
Windows client by seending SMB p
protocols. Firstly
y we need to d
download thee tool and wee sh
hould be regisstered to Tenable site. Afteer installing aand seending the req
quest to locallhost on port no: 8834, we get lo
ogin page Copyyright © 20
013 SciResPu
ub. IJO
OART International Journal of Advancements in Research & Technology, Volume 2, Issue4, April‐2013 468 ISSN 2278‐7763 1. The login page 2. After login we need to add policies by selecting add policies tab Copyright © 2013 SciResPub. IJOART International Journal of Advancements in Research & Technology, Volume 2, Issue4, April‐2013 469 ISSN 2278‐7763 3. Selecting the plugins in policy 4. Adding the new scan by selecting newly added policies and targets.
Copyright © 2013 SciResPub. IJOART International Journal of Advancements in Research & Technology, Volume 2, Issue4, April‐2013 470 ISSN 2278‐7763 5. Report page after scan completion 6. Vulnerability summary Copyright © 2013 SciResPub. IJOART International Journal of Advancements in Research & Technology, Volume 2, Issue4, April‐2013 471 ISSN 2278‐7763 Conclusion
Network based vulnerability assessment tools and host based vulnerability assessment tools are extremely useful tools in determining what vulnerabilities might exist on a particular device in the network. However, these tools are not useful if the vulnerability knowledge base is not kept current. Also, when using these tools, they can only take a snapshot of what the systems are at a particular point of time. System administrators will continually update code on the target systems and will continuously add/delete services and configure the system. All found vulnerabilities should be promptly patched, especially critical ones. [8]
us‐download‐agreement [9]SANS GIAC Security Essentials Training Manual [10]BugTraq: FAQ
forums/bugtraq/faq.html References
essment [2] [3] [4] [5] [6] [7]‐types‐of‐
vulnerabilities/ Copyright © 2013 SciResPub. IJOART 
Random flashcards

20 Cards


17 Cards


46 Cards

African nomads

18 Cards

Create flashcards