Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Look up keyword
Like this
5Activity
0 of .
Results for:
No results containing your search query
P. 1
Intrusive vs Non Intrusive Vulnerability Scanning

Intrusive vs Non Intrusive Vulnerability Scanning

Ratings: (0)|Views: 303|Likes:
Published by SpyDr ByTe

More info:

Published by: SpyDr ByTe on Feb 23, 2010
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

06/10/2013

pdf

text

original

 
Retina Network Security ScannerIntrusive vs. Non-Intrusive Vulnerability Scanning Technology
®
l
 
By performing non-invasive tests companies can avoid disruption of service whilea competent vulnerability assessment is being performed.
There are two methodologies used for performing vulnerability assessment regardlessof patch assessment or compliance verifcation. One philosophy revolves around theneed to penetrate a system to prove its vulnerability and the other uses availableinformation to postulate the status of the vulnerability. Longstanding discussions havecentered on the merits of either type of scanning, as well as their potential liabilities.In summary, since a vulnerability assessment scanner emulates an attack, each ofthese methods mirrors an attacker’s style for compromising a host.
The Smash-and-Grab: Taking the Low Road
Proponents of destructive security auditing (intrusive scanning) cite the ubiquitousavailability of attack scripts for vulnerability exploitation. They hypothesize that byattacking a system in the exact same manner as a potential attacker, more accurateresults are best achieved.Without a doubt, there are some merits to this smash-and-grab approach. By using ascript to automate an attack, a penetration scenario where machine access is attainable proves that the device was vulnerableto an attack and ultimately could be compromised. However, utilizing this approach is problematic in that the audit trail isincomplete and potentially creates more questions than answers. For example, many attack scripts available on the Internet areflawed and can result in a false sense of security in the form of a false negative.That is, they do not function as desired even if the system being targeted is truely exploitable. Unsuccessful penetration testsbased on potentially bad scripts can give a false sense of security. Vulnerability assessment tools that use intrusive scripts canbe harmful because they leave the system open to future attacks that would normally not be exploitable or worse, deny criticalbusiness functions from operating correctly. Smash-and-grab vulnerability testing has a propensity to disable services for theduration of the attack. This means that while a service is under attack, that service may not be available for its normal use andan entire network can be immobilized, blue screened, or worse, the attack could penetrate the network and create a new risksurface for real attacks.Finally, perhaps the biggest argument against smash-and-grab testing is that it creates a corrupt testing environment. By directlyperforming attacks against a system being audited, the attack script can push the system into an unknown state—or completelydisable it—making the remote system useless for further testing and virtually eliminating the possibility of attaining detailedvulnerability reports against this device from future tests.
Retina Network Security Scanner
Intrusive vs. Non-Intrusive Vulnerability Scanning Technology
®
 
By performing non-invasive tests companies can avoid disruption of service whilea competent vulnerability assessment is being performed.
Retina Network Security Scanner
Intrusive vs. Non-Intrusive Vulnerability Scanning Technology
®
The Smooth Caper: Taking the High Road
Disciplined attackers often chose to get as much information about a target as possible,using deductive logic to pinpoint potential weaknesses within an organization andinformation technology assets. Proponents of this stealth and smooth caper metho-dology rely on the wealth of information from networked systems and infer an evenlarger amount of information by making logical connections and assumptions basedon the available data. This includes everything from social engineering to knowingthe applications and vendors a business relies on. With this information, knownvulnerabilities and weakness are easy targets for the attacker to attempt an exploit.In contrast to intrusive scanning techniques, information technology administratorscan utilize non-invasive or non-intrusive tests to locate potentially exploitable systemsbefore they become problematic. By performing non-invasive tests, companies canavoid disruption of service while a comprehensive vulnerability assessment is beingperformed. Attackers utilize comparable techniques to gently probe for vulnerabilitieswithout creating systematic downtime and potentially setting off IPS, IDS, and firewall alert sensors. Organizations can employthe same non-intrusive technology to gather large amounts of information and a follow a best practice dissection of vulnera-bility data to determine the risk to an environment. This process is often repeated in cycles to further refine and reinforce thefindings. Likewise, the same process is used to verify that remediation efforts were successful and the vulnerability is no longera threat. By getting a clear picture of the complete architecture, a business can better identify weaknesses in the network, incorporate policies, and proactively prevent intrusions and business interruptions.When selecting non-intrusive vulnerability assessment solution, administrators need to be cautious in their use of scanningwith freeware and “tools” that are not rigorously tested and supported. Using these products can be dangerous and result inaccidental smash-and-grab testing that can disable a network unintentionally. As an example, an audit that was thought to besafe was actually intrusive. Consider the RFPoison attack check used by some scanning tools. While eEye’s Retina NetworkSecurity Scanner (RNSS) passively probed machines to determine if they would be vulnerable to this attack, other vendorsapproached this audit with an intrusive check and classified the RFPoison audit as a “dangerous plugin". This audit was originallyintroduced as non-intrusive and not flagged as "dangerous". Unfortunately this led to the accidental blue screening of machinesby auditors using these tools. Imagine scanning your environment with an allegedly safe audit, and the results cripple the entireenvironment. In contrast, RNSS does not include any dangerous audits in its checks and auditors can successfully identify andpatch a host without any appreciable risk to the environment. RFPoison susceptible machines could have been identified withoutbusiness interruption. Tools that rely on intrusive scans carry a risk that eEye Digital Security solutions do not bare.The only potential downside associated with noninvasive scanning is in the way the information is analyzed after performing ascan. Intrusive systems provide immediate results after a targeted attack; successful or non successful. Non intrusive solutionsrequire the results to be correlated and the status interpolated based on the retrieved data. A solid reporting, analysis, andremediation process is needed to turn the results into functional business benefits. Scanning tools that simply provide anunmanageable list of vulnerabilities without proper details and corrective actions tend to complicate the process. RNSS providescomplete reporting, data export, and the ability to use a central management console to aggregate results for any size environ-ment. In addition, all data is stored in a database for further interrogation and exportable in near real time to a SIM, NMS,or call center.

Activity (5)

You've already reviewed this. Edit your review.
1 thousand reads
1 hundred reads
Dan liked this
Dan liked this
sairv liked this

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->