When it comes to vulnerability scanners, know your tools, and clarify your
goals—or be sorry later.
“You can be sure of succeeding in your attacks if you only attack
places which are undefended. You can ensure the safety of your defense if you
only hold positions that cannot be attacked.” —Sun Tzu, The Art
As a University of Nebraska Cornhusker football fan, I have always looked forward
to the spring game that pits the team’s best offensive unit against the
best defensive unit. For network security folks, vulnerability scanning is our
version of that spring game. With it, we can attack our own network to find
the weaknesses in our defenses. Then we can fix them before we play with a real-world
Vulnerability scanners are one part of a broader set of tools that follow one
of two broad strategies. The strategy used by vulnerability scanners is to periodically
run computer programs that look for weaknesses in your network and attached
systems by comparing a database of known vulnerabilities against data about
your systems. Another strategy is to monitor your network and attached systems
in real time, looking for anomalies that indicate the presence of an intruder.
That strategy is really dealing with threats, not vulnerabilities. Yet, each
strategy has its advantages and disadvantages and, in practice, both are needed.
While the focus here is the first strategy, vulnerability scanning, the trend
is to integrate both strategies into a single tool suite.
Are the Bad Guys Winning?
Gene Spafford, professor and executive director, Center
for Education and Research in Information Assurance and Security (CERIAS)
at Purdue University (IN), and a former member of the President's
Information Technology Advisory Committee (PITAC), is one of the world's
leading authorities on cyber security—and he's concerned about the future.
He feels that today's cyber security strategies are retroactive, and that
the number of vulnerabilities makes it increasingly difficult, even ultimately
impossible, to keep pace. He points to the fact that the Computer
Emergency Response Team Coordination Center (CERT) at Carnegie
Mellon University (PA) reports that 3,780 new electronic vulnerabilities
were published in 2004—that's more than 10 a day, and a 20-fold increase
since 1995. Spafford recently testified before the House Science Committee:
“The software and hardware being deployed today have been designed
by individuals with little or no security training, using unsafe methods,
and then poorly tested. This is being added to the fault-ridden infrastructure
already in place and operated by personnel with insufficient awareness of
the risks. Therefore, none of us should be surprised if we continue to see
a rise in break-ins, defacements, and viruses in the years to come.”
The solution, according to Spafford, is simpler, more robust, and better-crafted
systems. Unfortunately, a hardware/software vendor's revenue stream depends
upon the regular issuance of new and more powerful hardware required to run
new and/or updated software jam-packed with new, and largely unused, “features,”
resulting in a downward spiral of increasingly complex and vulnerable systems.
The market doesn't reward simple, stable, well-architected hardware or software.
Equally unfortunate, both private and government research is almost entirely
focused on short-term patching rather than the long-term development of new,
inherently secure computer architectures.
Spafford sees three outcomes to the current trend. In the first, the market realizes the cost of tacking security onto systems as an afterthought, and demands and compensates vendors for simpler, more secure systems. This will probably require a new revenue-generation model. The second outcome is that we limit our use of information technology to avoid security-related problems. The third outcome is that we continue on our merry way until the system implodes.
How serious is the problem? I encourage you to read Cyber Security:
A Crisis of Prioritization, Report of the President's Information Technology
Advisory Committee, 2005, which is available at www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.
Tools of the Trade
Higher education has played a central role in the development of scanning tools.
In the early 1990s, computer security experts Dan Farmer and Gene Spafford at
Purdue University (IN) developed Computer Oracle and Password
System (COPS), a free public domain collection of programs and scripts that
attempt to identify security problems in Unix systems. COPS spawned a wealth
of open source and commercial derivatives.
In 1993, Farmer and programmer Wietse Venema developed Security Administrator
Tool for Analyzing Networks (SATAN). Like COPS, SATAN recognizes several common
networking-related security problems, and reports the problems without actually
exploiting them. SATAN and other useful open source tools can be found at www.porcupine.org.
Security Auditor’s Research Assistant (SARA) was derived from SATAN in
1995, and enhances it by providing an improved user interface and up-to-date
vulnerability tests. It is free and based upon the SATAN license. SARA
is SANS Top 20 and Common Vulnerabilities and Exposures (CVE)
compliant. SARA operates under Unix, Linux, Mac OS X, or Windows operating systems.
More information can be found at www-arc.com/sara.
Nessus was developed in 1998 as a free
and easy-to-use remote security scanner, and today is the world’s most
popular vulnerability scanner, used by over 75,000 organizations. The developers
have created a series of products (www.tenablesecurity.com/products)
and services (not free) around the Nessus software.
Purdue IT Security Analyst Matthew Wirges has developed a Web-based interface
and back-end queue manager for Nessus, Vulnerability Scanning Cluster (VSC)
that allows users to hierarchically manage scanning policies and networks of
hosts, and request automated, immediate and future/recurring scans of a host
or group of hosts. It also provides an interface for viewing scan report data.
The software is available for free at vsc-dev.itsp.purdue.edu.
Clearly, though, the for-profit world hasn’t ignored the market for vulnerability
scanners. Security Administrator’s Integrated Network Tool (SAINT),
Retina from eEye, and Internet Security Systems (ISS)
are typical of the full-feature commercially available products. ISS, the current
billion dollar commercial-market leader, grew from a small freeware scanner
developed by Chris Klaus when he was an undergraduate at Georgia Tech,
and illustrates the transition from academic research to commercial product.
But just detecting the vulnerabilities on your campus isn’t enough. The
results of the vulnerability scan must be centrally organized into some kind
of report that prioritizes the problems found and identifies remedial action.
I remember, somewhat to my chagrin, being involved some years ago in a vulnerability
scan of a mid-sized university, and discovering more than 15,000 vulnerabilities!
The problem wasn’t finding vulnerabilities; it was organizing them in
an actionable way. One of the advantages of commercial products is that they
usually include sophisticated report writers, such as SAINTwriter, that are extremely
valuable in environments like higher education that include tens of thousands
of nodes. The report writers in open source products may not be as well supported.
Another “gotcha” is that scanners work by comparing their database
of known vulnerabilities against data about your systems. It is essential to
keep that database current to deal with new and emerging threats. Commercial
products usually include automatic vulnerability updates and are supported by
dedicated staff such as ISS’s X-Force. Automatic vulnerability updates
for Nessus are available for a fee from Tenable
Network Security; those updates also can be obtained for free, seven days
after their initial release. The good news for colleges and universities using
other open source scanners is that the National Institute of Standards and Technology
maintains the National Vulnerability
Database (NVD), which integrates all publicly available United States government
vulnerability resources and provides references to industry resources. The NVD
is updated on an hourly basis on normal US government business days, and is
based on and synchronized with the CVE naming standard available at cve.mitre.org.
Another resource for open source users is Cassandra,
named for the woman who warned the Trojans about bringing a large wooden horse
into Troy. Cassandra is operated by Purdue University’s Center for Education
and Research in Information Assurance and Security (CERIAS), and uses the NVD
database to provide customized e-mail notifications of vulnerabilities.
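Added example, not from the article or from any product it names, of the two practical points above: collapsing a flood of per-host findings into a ranked, per-CVE remediation list, and checking which published CVEs a scan could not have tested for because they postdate the scanner's last signature update. The findings, dates and CVE identifiers are constructed placeholders, and the severity-times-affected-hosts ranking is an assumed heuristic, not any vendor's method.

```python
"""Triage scan findings per CVE and flag the scanner's signature-coverage gap."""
from collections import defaultdict
from datetime import date

# Constructed sample findings (not real scanner output): one row per host per CVE.
FINDINGS = [
    {"host": "10.0.1.5", "cve": "CVE-EXAMPLE-0001", "severity": 9.0, "service": "ssh"},
    {"host": "10.0.1.6", "cve": "CVE-EXAMPLE-0001", "severity": 9.0, "service": "ssh"},
    {"host": "10.0.1.7", "cve": "CVE-EXAMPLE-0001", "severity": 9.0, "service": "ssh"},
    {"host": "10.0.1.5", "cve": "CVE-EXAMPLE-0001", "severity": 9.0, "service": "ssh"},  # duplicate
    {"host": "10.0.1.5", "cve": "CVE-EXAMPLE-0002", "severity": 10.0, "service": "http"},
    {"host": "10.0.1.6", "cve": "CVE-EXAMPLE-0003", "severity": 3.0, "service": "smtp"},
    {"host": "10.0.1.7", "cve": "CVE-EXAMPLE-0003", "severity": 3.0, "service": "smtp"},
    {"host": "10.0.2.9", "cve": "CVE-EXAMPLE-0003", "severity": 3.0, "service": "smtp"},
]
# Constructed: the day the scanner's vulnerability database was last refreshed.
SIGNATURE_DB_DATE = date(2005, 3, 1)
# Constructed: CVE publication dates, as a feed such as the NVD would supply them.
CVE_PUBLISHED = {
    "CVE-EXAMPLE-0001": date(2004, 11, 10),
    "CVE-EXAMPLE-0002": date(2005, 1, 20),
    "CVE-EXAMPLE-0003": date(2004, 6, 2),
    "CVE-EXAMPLE-0004": date(2005, 3, 15),
}

def triage(findings):
    """One row per CVE, ranked by an assumed heuristic: severity x affected hosts."""
    by_cve = defaultdict(lambda: {"hosts": set(), "severity": 0.0, "services": set()})
    for f in findings:
        row = by_cve[f["cve"]]
        row["hosts"].add(f["host"])          # set membership drops duplicate findings
        row["services"].add(f["service"])
        row["severity"] = max(row["severity"], f["severity"])
    rows = [{"cve": cve, "severity": r["severity"], "hosts": len(r["hosts"]),
             "services": sorted(r["services"]),
             "score": r["severity"] * len(r["hosts"])} for cve, r in by_cve.items()]
    rows.sort(key=lambda r: (-r["score"], r["cve"]))  # highest exposure first
    return rows

def coverage_gap(published, db_date):
    """CVEs published after the database refresh: the scan cannot have tested for them."""
    return sorted(cve for cve, pub in published.items() if pub > db_date)

def report(findings, published, db_date):
    """Plain-text remediation report: ranked CVEs first, then the untested CVEs."""
    lines = [f"{r['cve']}: severity {r['severity']}, {r['hosts']} host(s), "
             f"services {','.join(r['services'])}" for r in triage(findings)]
    lines += [f"NOT TESTED (published after {db_date}): {c}"
              for c in coverage_gap(published, db_date)]
    return lines
```

An absent CVE in the ranked list only means "not found" when that CVE predates the signature refresh; the NOT TESTED lines make the difference explicit.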
Finally, there is a trend toward considering vulnerability scans as an integrated
part of an IT security strategy—and that implies a centrally managed overarching
system that integrates vulnerability scans with other security procedures. As
you would expect, commercial vendors are rushing to develop proprietary solutions
(based upon their products) to control, monitor, and analyze threats from one
central location. ISS’s SiteProtector is a good example. An alternative,
based upon open source components such as Nessus, is Bradford’s
Campus Manager, which has been adopted at Central Michigan University
and Fitchburg State College (MA).
What’s Right for Your Institution?
With so many choices, what should an institution do? The answer depends largely
on the size and skill of the internal technical staff. Institutions with internal
technical staff resources tend toward the use of free products such as Nessus
or SARA. For example, Gregory Hedrick, manager of Security Services at Purdue,
describes their model as a centralized self-service model in which the central
IT unit runs Nessus but supports an interface that makes it easy for distributed
campus network administrators to use the central system to scan their networks.
Institutions without available staff resources may elect commercial (albeit
expensive) solutions, or the use of external consultants. Still others are in
the process of developing a strategy appropriate to their institution. For any
institution, I highly recommend joining (or at least monitoring) the Educause
Security Discussion Group. Finding out what approaches others are taking—and
why—is an excellent way to ponder your own options.