International Journal of Advancements in Research & Technology, Volume 2, Issue 4, April 2013, ISSN 2278-7763

Vulnerability Assessment

Laxmi Patil
Department of Computer Science and Engineering, REVA INSTITUTE OF TECHNOLOGY AND MANAGEMENT, Bangalore, INDIA
Email: laxmi.patil7@gmail.com

ABSTRACT
Vulnerability assessment aims at identifying weaknesses and vulnerabilities in a system's design, implementation, or operation and management which could be exploited to violate the system's security policy. The overall scope of vulnerability assessment is to improve information and system security awareness by assessing the associated risks. Vulnerability assessment will set the guidelines to close or mitigate any risk and reinforce security processes. Furthermore, it will form an auditable record of the actions performed in protecting against the most current vulnerabilities.
Keywords: Assessment, exploit, Nessus.
INTRODUCTION
1. Vulnerability
In computer security, the term vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system. Vulnerabilities may result from weak passwords, software bugs, software misconfigurations, a computer virus or other malware (malicious software), a script code injection, or a SQL injection, just to name a few. A security risk is classified as a vulnerability if it is recognized as a possible means of attack. A security risk with one or more known instances of working and fully implemented attacks is classified as an exploit. Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities.

Vulnerabilities have existed all the time, but when the Internet was at its early stage they were not as often used and exploited. The media did not report news about hackers being put in jail for "hacking" into servers and stealing vital information. Back then all nodes on the network were trusted; secure protocols such as SSH, SCP and SSL did not exist, and telnet, FTP and plain-text HTTP were used to exchange sensitive data.

1.1 Protective Measures

Common exploits occur because of weaknesses found in a computing environment. These exploits are an attack against:

Confidentiality - being secure from unauthorized access. Example: vulnerabilities in telnet (user names and passwords sent unencrypted over a remote connection) can allow an attack against confidentiality.

Integrity - accuracy and completeness of data. Example: vulnerabilities in sendmail (mail can be forged from any address) can allow an attack against integrity.

Availability - data and systems ready for use at all times by authorized users. Example: variations on ping (a request for information) can cause a denial of service attack, i.e. floods or the ping of death, and so can be an attack against availability.

1.2 Types of vulnerabilities

There are many types of vulnerabilities. A few are mentioned below.

1. SQL injection: A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system.

2. Software defect: This is the most common one will encounter. A defect can be in operating system software or application software. Defects in the OS are typically more worrisome, but an application defect can be just as troublesome. For example, a defect in a database management system (DBMS) that allows customers' data to be viewed by unauthorized people on the Web is just as damaging as revealing that same data through an OS defect.

3. Clear text data captured: This is more true now that the usage of Wi-Fi is common practice. If user names, passwords or other data are transmitted across open networks in clear text, they can be intercepted and used. A classic example is the difference between TELNET and SSH. TELNET transmits all data, including passwords and login names, in clear text. Anyone on the network who has their network card in promiscuous mode can sniff out the login information and gain access to a system. SSH uses encryption on all traffic and is more secure.

4. Weak passwords: Crackable or easily guessable passwords are a common way for hackers to gain initial access to a system. Cracking passwords is much easier now that more people have access to very powerful computers than ever before; and if you can network a host of powerful computers to crack passwords, the possibilities are great. Because Linux passwords (and commands) are case sensitive, one should take advantage of this and use both uppercase and lowercase words along with numbers, punctuation marks and even spaces. And change it often, at least once a month.

5. Carelessness: Carelessness is a human error that hackers exploit to gain access to a system that is exposed through negligence or stupidity. Two classic examples are using the default password and writing down a password.

6. Denial of service: "A denial-of-service attack (also, DoS attack) is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services, by consuming the bandwidth of the victim network or overloading the computational resources of the victim system." Examples are invalid packet floods, valid packet floods, and service floods such as HTTP attacks.

7. Directory Traversal: Directory traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.
LITERATURE SURVEY

2. Vulnerability Assessment

Vulnerability assessment may be performed on many objects, not only computer systems/networks. For example, physical buildings can be assessed so it would be clear what parts of the building have what kind of flaw. If the attacker can bypass the security guard at the front door and get into the building via the back door, it is definitely a vulnerability. If he actually does that, it is an exploit. Physical security is one of the most important aspects to be taken into account. If the attackers have physical access to the server, the server is not yours anymore! Why? Because if the server is stolen, the attacker does not need to evade IDS, does not need to evade IPS, and does not have to figure out how to dump 10T of data: it is right there on the server. Full disk encryption would help, but it is not in common use for servers. Make absolutely sure to do FDE (Full Disk Encryption), also known as WDE (Whole Disk Encryption), on all your laptops.

Just stating 'your systems or networks are vulnerable' doesn't provide any useful information. Vulnerability assessment without a comprehensive report is pretty much useless. It is easy to use automatic tools to scan networks, make reports out of the tool and send them out, but that does not provide much value, as a report can easily run into thousands of pages. It is much better to make a top 10 of vulnerabilities out of all of them and make a report. A vulnerability assessment report should include identification of vulnerabilities and vulnerable systems. It is enough to find one critical vulnerability and the whole network is at risk, just like if one link is broken in the chain, the whole chain is broken:

Figure 1: One critical vulnerability affect

2.1 Types of Vulnerability Assessment

The discipline of vulnerability assessment comprises host-based vulnerability assessment, related to the inside configuration of a host, and network-based vulnerability assessment, focused on the vulnerabilities visible and exploitable on the network. Both kinds of vulnerability assessment are required for maximum effectiveness, as vulnerabilities can be exploited by an entity inside the security perimeter (i.e. a legitimate user), or initiated from outside the perimeter by an unauthorised or illegitimate user.

Network-based vulnerability assessments are accomplished through the use of network scanners. Network scanners are able to detect open ports, identify services running on these ports, simulate attacks, and reveal possible vulnerabilities associated with these services. On the other hand, host-based vulnerability assessments are carried out through host-based scanners. Host-based scanners are able to recognize system-level vulnerabilities including incorrect file permissions, registry permissions, and software configuration errors. Furthermore, they ensure that target systems are compliant with the predefined company security policies. Unlike network-based scanners, an administrator account or an agent is required to be on the target system to allow for the system-level access required.
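Host-based scanners, as described above, look for system-level problems such as incorrect file permissions and deviations from company policy. The following added example (not from the paper) sketches that kind of check in Python: it walks a constructed directory tree standing in for a target host and reports world-writable files, setuid/setgid executables, and files whose mode grants more than an assumed per-file policy allows (POLICY_MAX_MODE and the sample tree are assumptions of this example). A real host-based scanner needs local administrator access to read the whole file system, which is exactly the requirement the paragraph notes.

```python
import os
import stat
import tempfile

# Assumed company policy for this example: the most permissive mode each
# listed file (relative to the audited root) may have. Not from the paper.
POLICY_MAX_MODE = {
    "etc/app/secrets.conf": 0o600,
    "etc/app/app.conf": 0o644,
}


def audit_tree(root):
    """Walk root and return sorted findings as (relative path, kind, mode).

    Kinds: 'world-writable' (others may write), 'setuid/setgid' (privilege
    bits set), 'exceeds-policy' (mode has bits the policy does not allow)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):      # judge the target, not the link
                continue
            mode = stat.S_IMODE(st.st_mode)   # permission bits incl. suid/sgid
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable", oct(mode)))
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid", oct(mode)))
            allowed = POLICY_MAX_MODE.get(rel)
            if allowed is not None and mode & ~allowed:
                findings.append((rel, "exceeds-policy", oct(mode)))
    return sorted(findings)


def build_sample_host(root):
    """Constructed file tree standing in for a target host's file system."""
    layout = {
        "etc/app/secrets.conf": 0o644,    # too open: policy says 0o600
        "etc/app/app.conf": 0o644,        # compliant
        "var/www/upload.php": 0o666,      # world-writable
        "usr/local/bin/helper": 0o4755,   # setuid helper binary
        "home/user/notes.txt": 0o600,     # clean
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


def run_demo():
    """Build the sample host in a temp dir and audit it."""
    return audit_tree(build_sample_host(tempfile.mkdtemp()))


if __name__ == "__main__":
    for finding in run_demo():
        print(*finding)
```

The policy table is the part that turns a generic permission sweep into a compliance check: the same 0o644 mode is a finding for secrets.conf and perfectly fine for app.conf, which is why the check is per file rather than a single global threshold.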
3. Why to perform Vulnerability Assessment

Organizations have a tremendous opportunity to use information technologies to increase their productivity. Securing information and communications systems will be a necessary factor in taking advantage of all this increased connectivity, speed and information. However, no security measure will guarantee a risk-free environment in which to operate. In fact, many organizations will need to provide easier access by users to portions of their information systems, thereby increasing potential exposure. Administrative error is a primary cause of vulnerabilities that can be exploited by a novice hacker, whether an outsider or insider in the organization. Routine use of vulnerability assessment tools along with immediate response to problems identified will alleviate this risk. It follows, therefore, that routine vulnerability assessment should be a standard element of every organization's security policy. The main purpose of vulnerability assessment is to find out what systems have flaws and take action in order to mitigate the risk.

3.1 Vulnerability Assessment Goal

The theoretical goal of network scanning is elevated security on all systems or establishing a network-wide minimal operation standard. The following diagram shows how usefulness is related to ubiquity:

Figure 2: Usefulness - Ubiquity relation (HIPS – Host-Based Intrusion Prevention System; NIDS – Network-Based Intrusion Detection System; AV – Anti-Virus; NIPS – Network-Based Intrusion Prevention System)

PROPOSED WORK

4. Vulnerability Assessment Methodology

The assessment process is comprised of four phases: discovery, detection, exploitation, and analysis or recommendations. The diagram below identifies the relationships among the four phases, and the flow of information into the final report.

Client In-Briefing - Prior to initiating an assessment, PatchAdvisor will request a short briefing with the client to serve as a venue to review the planned conduct of the assessment and establish coordination protocols with the designated client point of contact.

Figure 3: Vulnerability assessment process

Discovery Phase - The first step in a vulnerability analysis is to discover all points of connectivity to the network. This includes connections to public data networks such as the Internet, private interconnections with partners, connections to the telephone network through modem dialups, and Wireless LAN connectivity such as 802.11b access points. A variety of techniques are used to catalog points of entry, and the content of public and private directory services is provided as output so the client becomes aware of their existence and content.

Optional Post-Discovery Briefing - As communications technology evolves, connection of components becomes faster and easier. As networks get larger and more geographically dispersed, it becomes increasingly difficult to manage their growth. The natural result is that there are often discrepancies between the network content, topology, and points of access documented by the client and the corresponding information discovered by an assessment. This briefing is necessary to ensure that the scope of the assessment and related cost estimates are still appropriate. However, the primary intent is to keep the client informed of our findings and allow time for internal discussion before the results are presented in the out-briefing.

Detection Phase - Detection and exploitation (as discussed below) are performed from both external and internal perspectives. The external portion emphasizes the identification of vulnerabilities that allow unauthorized entry into the target environment, while the internal portion focuses on opportunities to exceed authorized access once inside. There is, of course, a close relationship between internal and external results; if an external attacker successfully gains access to the system, all of its internal vulnerabilities become exploitable as well. In the analysis phase, internal and external results are combined to present a comprehensive view of vulnerabilities.

Three classes of tools are used in the detection phase:

Public Domain tools – Many of the tools used by PatchAdvisor have been obtained either directly from the Internet or from other security specialists.

Proprietary tools – These are tools that have either been developed by individual team members, or are public domain tools that have been modified by our team.

Commercial tools – For war-dialing, we use a commercial tool such as PhoneSweep by Sandstorm Technologies.

Exploitation Phase - The Exploitation Phase is designed to provide a level of assessment beyond the capability of automated tools. This phase includes both internal and external simulated attacks, reflecting vulnerability both to authorized users exceeding their permissions, and to outsiders penetrating via the Internet, other data networks, and wireless or dial-in connections. In many cases, manual exploitation attempts are made to verify that vulnerabilities identified by tools are actually exploitable, since many tools identify "apparent" vulnerabilities but lack the capability to validate them.

The typical scanner architecture (Figure 4) is shown below:

Vulnerability database: The National Vulnerability Database is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.

User configuration console: This is for setting, installing and configuration purposes.

Analysis Phase - Once the active phases of the assessment are completed, prioritized final recommendations are made regarding specific vulnerabilities, insecure computing practices, configuration management and network design. These recommendations are compiled in the final report.

SCANNING TECHNIQUES

5. Mapping the Network

Another method that can be used to locate weaknesses within a system is called vulnerability mapping. This entails analyzing the software and services running on the computer, and then matching each to a known vulnerability. Services can easily be found using a tool such as Nmap. The Nmap Security Scanner is a free and open source utility used by millions of people for network discovery, administration, inventory, and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on a network, what services (application name and version) those hosts are offering, what operating systems they are running, what type of packet filters or firewalls are in use, and more. The guidelines suggested by CERT will also help harden your system configuration and operational environment and protect it against known attacks. They cover planning, configuration, maintenance, improving user awareness, and testing.
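Vulnerability mapping as described above is two steps: inventory the services and their versions, then match each against known vulnerabilities. The following added example (not from the paper, and not Nmap's own code) does that in Python over a few constructed Nmap-style service lines. The knowledge base entries (KB-EXAMPLE-*), their version ranges and the scan lines are all invented for the example; it also flags telnet as a clear-text protocol regardless of version, tying back to the clear-text item in section 1.2.

```python
import re

# Constructed lines in the shape of an Nmap version scan (-sV) table.
# Sample values for this example, not real scan output.
NMAP_SAMPLE = """\
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.3 (protocol 2.0)
23/tcp   open  telnet  Linux telnetd
80/tcp   open  http    Apache httpd 2.2.14 ((Ubuntu))
3306/tcp open  mysql   MySQL 5.1.41
"""

# Constructed knowledge base: product, affected range [min, fixed), an
# identifier placeholder and a severity. Illustrative, not real advisories.
KNOWLEDGE_BASE = [
    {"product": "Apache httpd", "min": "2.2.0", "fixed": "2.2.20",
     "id": "KB-EXAMPLE-001", "severity": "high"},
    {"product": "OpenSSH", "min": "0", "fixed": "5.4",
     "id": "KB-EXAMPLE-002", "severity": "medium"},
    {"product": "MySQL", "min": "5.1.0", "fixed": "5.1.50",
     "id": "KB-EXAMPLE-003", "severity": "high"},
]

# Services weak by design whatever the version: credentials cross the wire in clear text.
CLEARTEXT_SERVICES = {"telnet": "credentials sent in clear text; prefer SSH"}

LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.2.14' -> (2, 2, 14); tuples compare component-wise, unlike strings.
    Suffixes such as 'p1' are not handled; banners with them need a richer parser."""
    return tuple(int(part) for part in text.split("."))


def parse_nmap_lines(text):
    """Turn open-port lines into dicts with port, proto, service, product, version."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # header or non-open line
        port, proto, name, banner = m.groups()
        product = version = None
        vm = VERSION_RE.search(banner)
        if vm:
            version = vm.group(1)
            product = banner[:vm.start()].strip()   # text before the version
        services.append({"port": int(port), "proto": proto, "service": name,
                         "product": product, "version": version, "banner": banner})
    return services


def map_vulnerabilities(services, kb=KNOWLEDGE_BASE):
    """Match each service to knowledge-base entries whose range contains its version."""
    findings = []
    for svc in services:
        if svc["service"] in CLEARTEXT_SERVICES:
            findings.append({"port": svc["port"], "id": "cleartext-protocol",
                             "severity": "medium", "note": CLEARTEXT_SERVICES[svc["service"]]})
        if not svc["product"] or not svc["version"]:
            continue                     # no version banner: nothing to match on
        ver = parse_version(svc["version"])
        for entry in kb:
            if entry["product"].lower() != svc["product"].lower():
                continue
            if parse_version(entry["min"]) <= ver < parse_version(entry["fixed"]):
                findings.append({"port": svc["port"], "id": entry["id"],
                                 "severity": entry["severity"],
                                 "note": f"{svc['product']} {svc['version']} is in the affected range"})
    return findings


if __name__ == "__main__":
    for f in map_vulnerabilities(parse_nmap_lines(NMAP_SAMPLE)):
        print(f["port"], f["severity"], f["id"], "-", f["note"])
```

The banner-based match is exactly as good as the banner: a backported fix leaves the version string unchanged, so a mapping like this produces "apparent" findings that the exploitation phase described in section 4 exists to validate.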
6. Selecting the right scanners

Scanners alone don't solve the problem; scanning should be used only as a starting point in vulnerability assessment. Start with one scanner but consider more than one. It is good practice to use more than one scanner. This way you can compare results from a couple of them. Some scanners are more focused on particular platforms.

Figure 4: Typical scanner architecture

Scanning engine: It is the machine by which we scan n number of target systems, and a programming interface that incorporates scanning technologies into proprietary applications. It integrates proprietary and patented URL filtering scanners and industry-leading antivirus technologies for fast, scalable, and reliable content scanning services to protect against viruses, spyware, and other malware.

Active scan knowledge base: It contains information about the currently running scan.

Result Repository: The completed target systems' scan summary is stored in this repository and it is sent for report generation.

In an ideal situation, scanners would not be needed because everyone would maintain well-patched and tested hosts, routers, gateways, workstations and servers. However, the real world is different: we are humans and we tend to forget to install updates, patch systems and/or configure systems properly. Malicious code will always find a way into your network! If a system is connected to the network, that means there is a possibility this system will be infected at some time in the future. The chances might be higher or lower depending on the maintenance level the system has. The system will never be 100% secure. There is no such thing as 100% security; if well maintained it might be 99.99999999999% secure, but never 100%.

The top 3 tools for Linux platforms according to www.sectools.org are listed below.

6.1 Central scans vs local scans

The question here is: should we scan locally or centrally? Should we scan the whole network at once, or should we scan the network based on subdomains and virtual LANs? The answer is both, i.e. localized scanning with central scanning verification. Central scans give the overall visibility into the network. Local scans may have higher visibility into the local network. Centrally driven scans serve as the baseline. Locally driven scans are key to vulnerability reduction. Scanning tools should support both methodologies.

#1 Nessus: Nessus is the best UNIX vulnerability scanner available and among the best to run on Windows. Nessus is constantly updated, with more than 45,000 plugins. Key features include remote and local (authenticated) security checks, a client/server architecture with a graphical interface, and an embedded scripting language for writing your own plugins or understanding the existing ones.

SCANNING ANALYSIS

7. Reporting

Critical vulnerabilities should be at the top of the report and should be listed in descending order, i.e. critical, then high, medium and low. Reporting capability is of growing importance to administrators in a documentation-oriented business climate where you must not only be able to do your job, but also provide written proof of how you've done it. In fact, respondents to Sunbelt's survey indicate that flexible and prioritizing reporting is their number one favourite feature. A scan might return hundreds or thousands of results, but the data is useless unless it is organized in a way that it can be understood. That means that ideally you will be able to sort and cross-reference the data, export it to other programs and formats (such as CSV, HTML, XML, MHT, MDB, Excel, Word, and/or Lotus), view it in different ways, and easily compare it to the results of earlier scans.

Depending on who discovers the vulnerability, it can either be exploited or reported. Vulnerabilities are reported in the hope that the vendor will provide a timely patch or someone will develop a fix. The following represents two avenues for reporting vulnerabilities:

BugTraq (a moderated mailing list specific to discussion of security vulnerabilities). The vulnerability reporting protocol is as follows: 1. Contact the product's vendor and give them one week to respond. If they don't respond, then post to the BugTraq list. See http://www.securityfocus.com for posting information. 2. If you do hear from the vendor, give them what you consider appropriate time to fix the vulnerability. This will depend on the vulnerability and the product.

CERT Coordination Center. It is similar to the Bugtraq list but it is done in encrypted form.
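The reporting requirements above (critical first, a top-N list, cross-referencing, export to other formats, comparison with earlier scans) are easy to state and easy to lose sight of when a scan returns thousands of rows. The following added example (not from the paper or any scanner vendor) implements them in Python over two constructed scan results: prioritise by severity, group each vulnerability with its affected hosts, diff the current run against the previous one, and export the grouped view as CSV. The host addresses and VULN-EXAMPLE-* identifiers are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Report order from the text: critical, then high, medium, low.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed findings from two scan runs of the same network, as
# (host, vulnerability id, severity). Not real scanner output.
PREVIOUS_SCAN = [
    ("10.0.0.5", "VULN-EXAMPLE-A", "critical"),
    ("10.0.0.5", "VULN-EXAMPLE-B", "medium"),
    ("10.0.0.7", "VULN-EXAMPLE-C", "low"),
]
CURRENT_SCAN = [
    ("10.0.0.5", "VULN-EXAMPLE-B", "medium"),
    ("10.0.0.7", "VULN-EXAMPLE-C", "low"),
    ("10.0.0.7", "VULN-EXAMPLE-D", "high"),
    ("10.0.0.9", "VULN-EXAMPLE-D", "high"),
    ("10.0.0.9", "VULN-EXAMPLE-E", "critical"),
]


def prioritise(findings, top_n=10):
    """Most severe first; ties broken by id then host so the order is stable.
    Returns at most top_n rows, the 'top 10' the paper recommends reporting."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_RANK[f[2]], f[1], f[0]))
    return ordered[:top_n]


def by_vulnerability(findings):
    """Cross-reference: one row per vulnerability with all affected hosts."""
    hosts = defaultdict(set)
    severity_of = {}
    for host, vid, severity in findings:
        hosts[vid].add(host)
        severity_of[vid] = severity
    rows = [(vid, severity_of[vid], sorted(hosts[vid])) for vid in hosts]
    return sorted(rows, key=lambda r: (SEVERITY_RANK[r[1]], r[0]))


def diff_scans(previous, current):
    """Compare with an earlier scan: findings that appeared and findings that went away."""
    prev, cur = set(previous), set(current)
    return {"new": sorted(cur - prev), "fixed": sorted(prev - cur)}


def to_csv(rows):
    """Export the cross-referenced view; one of the formats the text lists."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["vulnerability", "severity", "host_count", "hosts"])
    for vid, severity, hosts in rows:
        writer.writerow([vid, severity, len(hosts), ";".join(hosts)])
    return buf.getvalue()


if __name__ == "__main__":
    print("Top findings:", prioritise(CURRENT_SCAN, top_n=3))
    print("Since last scan:", diff_scans(PREVIOUS_SCAN, CURRENT_SCAN))
    print(to_csv(by_vulnerability(CURRENT_SCAN)))
```

Keying the diff on the full (host, id, severity) tuple is deliberate: a vulnerability that moved from one host to another shows up as one fixed and one new finding rather than disappearing into a count that happens to be unchanged.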
8. Vulnerability Assessment tools

There are many vulnerability assessment tools, and these tools may work on various Windows and Linux platforms.

#2 GFI LANguard: A commercial network security scanner for Windows. It also tries to collect a Windows machine's service pack level, missing security patches, wireless access points, USB devices, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, users and groups, and more. Scan results are saved to an HTML report, which can be customized/queried. It also includes a patch manager, which detects and installs missing patches.

#3 Retina: Commercial vulnerability assessment scanner by eEye. Like Nessus, Retina's function is to scan all the hosts on a network and report on any vulnerability found. It was written by eEye, who are well known for their security research.

#4 ISS Internet Scanner: Application-level vulnerability assessment. Internet Scanner started off in '92 as a tiny open source scanner by Christopher Klaus. Now he has grown ISS into a billion-dollar company with a myriad of security products.

#5 X-scan: A general scanner for scanning network vulnerabilities. It is a multi-threaded, plug-in supported vulnerability scanner. X-Scan includes many features, including full NASL support, detecting service types, remote OS type/version detection, weak user/password pairs, and more.

9. Vulnerability Disclosure Dates

The time of disclosure of a vulnerability is defined differently in the security community and industry. It is most commonly referred to as "a kind of public disclosure of security vulnerability information by a certain party". Usually, vulnerability information is discussed on a mailing list or published on a security web site and results in a security advisory afterwards. The time of disclosure is the first date a security vulnerability is described on a channel where the disclosed information on the vulnerability has to fulfil the following requirements: 1. The information is freely available to the public. 2. The vulnerability information is published by a trusted and independent channel/source. 3. The vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure.

10. Find Security Holes Before They Become Problems

Vulnerabilities can be classified into two major categories: i) Those related to errors made by programmers in writing the code for the software. ii) Those related to misconfigurations of the software's settings that leave systems less secure than they could be. Vulnerability scanners can identify both types. Vulnerability assessment tools have been around for many years. They've been used by network administrators and misused by hackers to discover exploitable vulnerabilities in systems and networks of all kinds. One of the early well-known UNIX scanners is SATAN (System Administrator Tool for Analyzing Networks). In the hands of a would-be intruder, vulnerability scanners become a means of finding victims and determining those victims' weak points, like an undercover intelligence operative who infiltrates the opposition's supposedly secure location and gathers information that can be used to launch a full scale attack.

10.1 Identifying and Removing Vulnerabilities

Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they cannot replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system. Vulnerabilities have been found in every major operating system including Windows, Mac OS, various forms of UNIX and Linux, OpenVMS, and others. The only way to reduce the chance of a vulnerability being used against a system is through constant vigilance, including careful system maintenance (e.g. applying software patches) and best practices in deployment (e.g. the use of firewalls and access controls).

11. Vulnerability Causes

Password Management Flaws: The computer user uses weak passwords that could be discovered by brute force. The computer user stores the password on the computer where a program can access it. Users re-use passwords between many programs and websites.

Fundamental Operating System Design Flaws: The operating system designer chooses to enforce sub-optimal policies on user/program management. For example, operating systems with policies such as default permit grant every program and every user full access to the entire computer. This operating system flaw allows viruses and malware to execute commands on behalf of the administrator.

Software Bugs: The programmer leaves an exploitable bug in a software program. The software bug may allow an attacker to misuse an application through (for example) bypassing access control checks or executing commands on the system hosting the application. Another example is the programmer's failure to check the size of data buffers, which can then be overflowed, causing corruption of the stack or heap areas of memory (including causing the computer to execute code provided by the attacker).

Unchecked User Input: The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (known as buffer overflows, SQL injection or other non-validated inputs).

EXPERIMENTAL RESULTS

12. Implementation

Nessus Scanning Features: Nessus scans target systems based on host name, IP address, subnet, or IP address range. It initially investigates the system by connecting to the target system and simulating various application protocols. For example, if Nessus is checking for web server vulnerabilities, it pretends to be a web browser by sending HTTP protocol messages. Similarly, if it is testing for Windows fileserver vulnerabilities, it pretends to be a Windows client by sending SMB protocol messages.

Firstly we need to download the tool, and we should be registered at the Tenable site. After installing it and sending a request to localhost on port no. 8834, we get the login page. The screenshots below show the steps:

1. The login page
2. After login we need to add policies by selecting the add policies tab
3. Selecting the plugins in the policy
4. Adding the new scan by selecting the newly added policies and targets
5. Report page after scan completion
6. Vulnerability summary
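Nessus accepts targets as host names, IP addresses, subnets or address ranges, as noted above. The following added example (not from the paper or from Tenable) shows how such target specifications can be expanded into individual hosts in Python and, before any scan is launched, checked against an authorised scope, so that a typo in a range does not send probes to networks the assessment does not cover. The addresses are constructed from RFC 5737 documentation ranges, the host name is made up, and the short range form a.b.c.d-n and the scope networks are assumptions of this example rather than Tenable's documented grammar.

```python
import ipaddress
import re

# Short range "a.b.c.d-n": the last octet runs from d to n. This form is an
# assumption of the example, modelled on common scanner syntax.
SHORT_RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+)\.(\d+)-(\d+)$")
FULL_RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$")
# A host name must contain at least one letter, so a malformed IP such as
# 192.0.2.300 is rejected instead of being treated as a name.
HOSTNAME_RE = re.compile(r"^(?=.*[A-Za-z])[A-Za-z0-9.-]{1,253}$")

# Constructed inputs for the demo.
SAMPLE_SPECS = ["192.0.2.10", "192.0.2.0/29", "192.0.2.20-22",
                "198.51.100.1-198.51.100.3", "scan-target.example"]
AUTHORISED = ["192.0.2.0/24"]     # assumed scope agreed with the client


def expand_target(spec):
    """Expand one target specification into a list of host strings.

    Accepted forms: single IP, CIDR subnet, dotted range a.b.c.d-e.f.g.h,
    short range a.b.c.d-n, or a host name (returned unchanged). Anything
    else raises ValueError rather than being silently dropped."""
    spec = spec.strip()
    m = FULL_RANGE_RE.match(spec)
    if m:
        start, end = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        if end < start:
            raise ValueError(f"range end before start: {spec}")
        return [str(ipaddress.ip_address(i)) for i in range(int(start), int(end) + 1)]
    m = SHORT_RANGE_RE.match(spec)
    if m:
        prefix, first, last = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= first <= last <= 255:
            raise ValueError(f"bad octet range: {spec}")
        return [f"{prefix}.{i}" for i in range(first, last + 1)]
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        if net.num_addresses == 1:
            return [str(net.network_address)]
        return [str(h) for h in net.hosts()]   # excludes network/broadcast
    try:
        return [str(ipaddress.ip_address(spec))]
    except ValueError:
        pass
    if HOSTNAME_RE.match(spec):
        return [spec]
    raise ValueError(f"unrecognised target specification: {spec}")


def filter_to_scope(hosts, allowed_networks):
    """Split hosts into in-scope IPs, out-of-scope IPs and names needing review.
    Names are not resolved here, so the operator confirms them explicitly."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    result = {"in_scope": [], "out_of_scope": [], "needs_review": []}
    for host in hosts:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            result["needs_review"].append(host)
            continue
        key = "in_scope" if any(addr in n for n in nets) else "out_of_scope"
        result[key].append(host)
    return result


def plan_scan(specs, allowed_networks):
    """Expand every spec, drop duplicates (keeping order) and apply the scope check."""
    hosts = []
    for spec in specs:
        hosts.extend(expand_target(spec))
    return filter_to_scope(list(dict.fromkeys(hosts)), allowed_networks)


if __name__ == "__main__":
    plan = plan_scan(SAMPLE_SPECS, AUTHORISED)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Expanding before scanning also makes the target count visible: a /16 typed where a /24 was meant is obvious as 65,534 hosts in the plan, and invisible once the scanner is already running.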
Conclusion

Network-based vulnerability assessment tools and host-based vulnerability assessment tools are extremely useful in determining what vulnerabilities might exist on a particular device in the network. However, these tools are not useful if the vulnerability knowledge base is not kept current. Also, these tools can only take a snapshot of what the systems are at a particular point in time. System administrators will continually update code on the target systems and will continuously add/delete services and configure the system. All found vulnerabilities should be promptly patched, especially critical ones.