Vulnerability Testing Approach

Prepared By: Phil Cheese

Nov 2008

2

Outline

•Structure of Technology UK Security Team

•Why we test

•What we test

•When we test

•How we test

•Demo of a unix platform test

•Hot topics

•Questions and Answers

3

UK Technology Security teams

SecurityConsultants

Security Monitoring

Mail, Logs, IDS, Firewall

Review New Systems

Vulnerability Test Team

Vulnerability

Testing

Security Operations

UK Tech. Security Mgr Group CISO

4

Definition

Penetration testing v Vulnerability testing ?

•Wikepedia

“Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as anafterthought at the end of the development cycle.”

Why ? – test against standards, identify misconfigurations, old vunerable versions of software, test drive

•Ethics & Legality

5

Why testing

• Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.

• Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organisation losing business, receiving heavy fines, gathering bad PR or ultimately failing. Protecting your brand by avoiding loss of consumer confidence and business reputation.

• vulnerability testing helps shape information security strategy through identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.

6

Defining the scope

•Full-Scale vs. Targeted Testing

•Platform, Network, Database, Applications

•Remote vs. Local Testing

•In-house v outsourcing

7

Defense in depth

• Application

• Database

• Operating System

• Network

8

Tester

Sun Solaris

Application Server

HP-UX

Oracle DB

Redhat

Apache Web server

Network elements e.g SGSN’s, HLR’s

Windows File server

www.vodafone.co.uk

Nmap

Nessus

9

Nmap

10

Nessus

11

Tester

Sun Solaris

Application Server

HP-UX

Oracle DB

Redhat

Apache Web server

Network elements e.g SGSN’s, HLR’s

Windows File server

www.vodafone.co.uk

Assuria

Agents

12

Assuria Auditor Console

13

Tester

Sun Solaris

Application Server

HP-UX

Oracle DB

Redhat

Apache Web server

Network elements e.g SGSN’s, HLR’s

Windows File server

www.vodafone.co.uk

NGS Squirrel

14

NGS Squirrel

15

Tester

Sun Solaris

Application Server

HP-UX

Oracle DB

Redhat

Apache Web server

Network elements e.g SGSN’s, HLR’s

Windows File server

www.vodafone.co.ukAppscan, Superwalk

16

Appscan

17

Backtrack

18

Tester

Sun Solaris

Application Server

HP-UX

Oracle DB

Redhat

Apache Web server

Network elements e.g SGSN’s, HLR’s

Windows File server

www.vodafone.co.uk

Assuria CLI Remote test (Data Centre)

19

Remote platform vulnerability assessment using Assuria Auditor & workbench via the command line• “It is better to voyage hopefully than to drive to Oldham”

• FTP and install scripts

• Run scans

• Copy off raw results files

• Generate csv files

• Import results into workbench

• Review scan results

• Producing reports

• Agreeing remedial actions and re-testing

20

Log onto remote server

21

FTP onto a remote server

22

unzip tarball file

23

24

Areas checked by ‘Initial’ policies

The table below details the initial policies referenced against the areas checked.

Policy Name Area To Check

UNIX

NT

Initial-1 External Attack Network Services, Secure Files, Terminal Configuration

Network Services - FTP, RAS, Registry Access, Trust Relationships Logon Failure Auditing

Initial-2 Superusers Configuration Home Files, Environment Setuid Files

Accounts in Domain Admins and Administrators Groups, Audit Configuration, Examine Audit Logs

Initial-3 Ordinary Users General User Configuration, Home Files and Environment

Account Policy, User Properties, User Rights

Initial-4 Files And Devices Mount Points, Special Devices

Initial-5 System Files All Files in predefined directories(/usr/etc /lib Etc.) Frozen Files

Directories under %SYSTEMROOT%, Frozen Files. Sensitive Registry Keys

password Guessable passwords, password shadowing, user shared password, uid 0 user's home directories, default login environment

Forced password changes, password reuse settings, minimum password age and length, passwords required, password strength

25

Run scans

26

FTP results back to desktop

27

Generate CSV files

28

Import into Workbench

29

Reconcile results

30

Filter results

31

Vulnerability testing - hot topics

• PCI-DSS – keeping Security vendor industry going!https://www.pcisecuritystandards.org/

• Appliances and automation – keep your auditors happyhttp://www.qualys.com/products/qg_suite/

http://www.ncircle.com/index.php?s=products

• Virtualisation and middleware vulnerabilities – don’t forget’em….

http://labs.mwrinfosecurity.com/

• Exploitation tools – Metasploit framework, Canvas, Core Impact. BEEF

http://www.metasploit.com/

http://www.immunitysec.com/

http://www.coresecurity.com/

http://www.bindshell.net/tools/beef

32

Conclusions

• In depth, holistic approach to security testing

• Testing needs to take place during the development lifecycle

• Can be complex and time consuming

• Outsource specialist testing to third party vendors

• Commercial tools easy to maintain and use but can be expensive

• “A fool with a tool is still a fool”

• Results from tools need analysis and put into a ‘business risk’ context

33

Any Questions ?