Feeling Vulnerable?

When it comes to vulnerability scanners, know your tools, and clarify your goals—or be sorry later.

“You can be sure of succeeding in your attacks if you only attack places which are undefended. You can ensure the safety of your defense if you only hold positions that cannot be attacked.” —Sun Tzu, The Art of War

As a University of Nebraska Cornhusker football fan, I have always looked forward to the spring game that pits the team’s best offensive unit against the best defensive unit. For network security folks, vulnerability scanning is our version of that spring game. With it, we can attack our own network to find the weaknesses in our defenses. Then we can fix them before we play with a real-world opponent.

Which Strategy?

Vulnerability scanners are one part of a broader set of tools that follow one of two broad strategies. The strategy used by vulnerability scanners is to periodically run computer programs that look for weaknesses in your network and attached systems by comparing a database of known vulnerabilities against data about your systems. Another strategy is to monitor your network and attached systems in real time, looking for anomalies that indicate the presence of an intruder. That strategy is really dealing with threats, not vulnerabilities. Yet, each strategy has its advantages and disadvantages and, in practice, both are needed. While the focus here is the first strategy, vulnerability scanning, the trend is to integrate both strategies into a single tool suite.

Are the Bad Guys Winning?

EUGENE SPAFFORD, professor and executive director, Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University (IN), and a former member of the President's Information Technology Advisory Committee (PITAC), is one of the world's leading authorities on cyber security--and he's concerned about the future. He feels that today's cyber security strategies are retroactive, and that the number of vulnerabilities makes it increasingly difficult, even ultimately impossible, to keep pace. He points to the fact that the Computer Emergency Response Team Coordination Center (CERT) at Carnegie Mellon University (PA) reports that 3,780 new electronic vulnerabilities were published in 2004—that's more than 10 a day, and a 20- fold increase since 1995. Spafford recently testified before the House Science Committee;

The software and hardware being deployed today have been designed by individuals with little or no security training, using unsafe methods, and then poorly tested. This is being added to the fault-ridden infrastructure already in place and operated by personnel with insufficient awareness of the risks. Therefore, none of us should be surprised if we continue to see a rise in break-ins, defacements, and viruses in the years to come.”

The solution, according to Spafford, is simpler, more robust, and better-crafted systems. Unfortunately, a hardware/software vendor's revenue stream depends upon the regular issuance of new and more powerful hardware required to run new and/or updated software jam-packed with new, and largely unused, “features,” resulting in a downward spiral of increasingly complex and vulnerable systems. The market d'esn't reward simple, stable, well-architected hardware or software. Equally unfortunate, both private and government research is almost entirely focused on short-term patching rather than the longterm development of new, inherently secure computer architectures.

Spafford sees three outcomes to the current trend. In the first, the market realizes the cost of tacking security onto systems as an afterthought, and demands and compensates vendors for simpler, more secure systems. This will probably require a new revenue-generation model.The second outcome is that we limit our use of information technology to avoid security-related problems. The third outcome is that we continue on our merry way until the system implodes.

How serious is the problem? I encourage you to read Cyber Security: A Crisis of Prioritization, Report of the President's Information Technology Advisory Committee, 2005,which is available at www.nitrd.gov/pitac/ reports/20050301_cybersecurity/cybersecurity.pdf.?

Tools of the Trade

Higher education has played a central role in the development of scanning tools. In the early 1990s, computer security experts Dan Farmer and Gene Spafford at Purdue University (IN) developed Computer Oracle and Password System (COPS), a free public domain collection of programs and scripts that attempt to identify security problems in Unix systems. COPS spawned a wealth of open source and commercial derivatives.

In 1993, Farmer and programmer Wietse Venema developed Security Administrator Tool for Analyzing Networks (SATAN). Like COPS, SATAN recognizes several common networking-related security problems, and reports the problems without actually exploiting them. SATAN and other useful open source tools can be found at www.porcupine.org.

Security Auditor’s Research Assistant (SARA) was derived from SATAN in 1995, and enhances it by providing an improved user interface and up-to-date vulnerability tests. It is free and based upon the SATAN license. SARA is SANS Top 20, and Common Vulnerabilities and Exposure (CVE) compliant. SARA operates under Unix, Linux, Mac OS-X, or Windows operating systems. More information can be found at www-arc.com/sara.

Nessus was developed in 1998 as a free and easy-to-use remote security scanner, and today is the world’s most popular vulnerability scanner, used by over 75,000 organizations. The developers have created a series of products (www.tenablesecurity.com/products) and services (not free) around the Nessus software.

Purdue IT Security Analyst Matthew Wirges has developed a Web-based interface and back-end queue manager for Nessus, Vulnerability Scanning Cluster (VSC) that allows users to hierarchically manage scanning policies and networks of hosts, and request automated, immediate and future/recurring scans of a host or group of hosts. It also provides an interface for viewing scan report data. The software is available for free at vsc-dev.itsp.purdue.edu.

Clearly, though, the for-profit world hasn’t ignored the market for vulnerability scanners. Security Administrator’s Integrated Network Tool (SAINT), Retina from eEye, and Internet Security Systems are typical of the full-feature commercially available products. ISS, the current billion dollar commercial-market leader, grew from a small freeware scanner developed by Chris Klaus when he was an undergraduate at Georgia Tech, and illustrates the transition from academic research to commercial product.

But just detecting the vulnerabilities on your campus isn’t enough. The results of the vulnerability scan must be centrally organized into some kind of report that prioritizes the problems found and identifies remedial action. I remember, somewhat to my chagrin, being involved some years ago in a vulnerability scan of a mid-sized university, and discovering more than 15,000 vulnerabilities! The problem wasn’t finding vulnerabilities; it was organizing them in an actionable way. One of the advantages of commercial products is that they usually include sophisticated report writers, such as SAINTwriter that are extremely valuable in environments like higher education that include tens of thousands of nodes. The report writers in open source products may not be as well supported.

Another “gotcha” is that scanners work by comparing their database of known vulnerabilities against data about your systems. It is essential to keep that database current to deal with new and emerging threats. Commercial products usually include automatic vulnerability updates and are supported by dedicated staff such as ISS’s X-Force. Automatic vulnerability updates for Nessus are available for a fee from Tenable Network Security; those updates also can be obtained for free, seven days after their initial release. The good news for colleges and universities using other open source scanners is that the National Institute of Standards and Technology maintains the National Vulnerability Database that integrates all publicly available United States government vulnerability resources and provides references to industry resources. The NVD is updated on an hourly basis on normal US government business days, and is based on and synchronized with the CVE naming standard available at cve.mitre.org.

Another resource for open source users is Cassandra, named for the woman who warned the Trojans about bringing a large wooden horse into Troy. Cassandra is operated by Purdue University’s Center for Education and Research in Information Assurance and Security (CERIAS), and uses the NVD database to provide customized e-mail notifications of vulnerabilities.

Finally, there is a trend toward considering vulnerability scans as an integrated part of an IT security strategy—and that implies a centrally managed overarching system that integrates vulnerability scans with other security procedures. As you would expect, commercial vendors are rushing to develop proprietary solutions (based upon their products) to control, monitor, and analyze threats from one central location. ISS’s SiteProtector is a good example. An alternative, based upon open source components such as Nessus, is Bradford’s Campus Manager, which has been adopted at Central Michigan University and Fitchburg State College (MA).

What’s Right for Your Institution?

With so many choices, what should an institution do? The answer depends largely on the size and skill of the internal technical staff. Institutions with internal technical staff resources tend toward the use of free products such as Nessus or SARA. For example, Gregory Hedrick, manager of Security Services at Purdue, describes their model as a centralized self-service model in which the central IT unit runs Nessus but supports an interface that makes it easy for distributed campus network administrators to use the central system to scan their networks. Institutions without available staff resources may elect commercial (albeit expensive) solutions, or the use of external consultants. Still others are in the process of developing a strategy appropriate to their institution. For any institution, I highly recommend joining (or at least monitoring) the Educause Security Discussion Group. Finding out what approaches others are taking—and why—is an excellent way to ponder your own options.

Featured