By performing non-invasive tests, companies can avoid disruption of service while a competent vulnerability assessment is being performed.
Retina Network Security Scanner
Intrusive vs. Non-Intrusive Vulnerability Scanning Technology
The Smooth Caper: Taking the High Road
Disciplined attackers often choose to get as much information about a target as possible, using deductive logic to pinpoint potential weaknesses within an organization and information technology assets. Proponents of this stealth and smooth caper methodology rely on the wealth of information from networked systems and infer an even larger amount of information by making logical connections and assumptions based on the available data. This includes everything from social engineering to knowing the applications and vendors a business relies on. With this information, known vulnerabilities and weaknesses are easy targets for the attacker to attempt an exploit.

In contrast to intrusive scanning techniques, information technology administrators can utilize non-invasive or non-intrusive tests to locate potentially exploitable systems before they become problematic. By performing non-invasive tests, companies can avoid disruption of service while a comprehensive vulnerability assessment is being performed. Attackers utilize comparable techniques to gently probe for vulnerabilities without creating systematic downtime and potentially setting off IPS, IDS, and firewall alert sensors. Organizations can employ the same non-intrusive technology to gather large amounts of information and follow a best-practice dissection of vulnerability data to determine the risk to an environment. This process is often repeated in cycles to further refine and reinforce the findings. Likewise, the same process is used to verify that remediation efforts were successful and the vulnerability is no longer a threat. By getting a clear picture of the complete architecture, a business can better identify weaknesses in the network, incorporate policies, and proactively prevent intrusions and business interruptions.

When selecting a non-intrusive vulnerability assessment solution, administrators need to be cautious in their use of scanning with freeware and "tools" that are not rigorously tested and supported. Using these products can be dangerous and result in accidental smash-and-grab testing that can disable a network unintentionally. As an example, an audit that was thought to be safe was actually intrusive. Consider the RFPoison attack check used by some scanning tools. While eEye's Retina Network Security Scanner (RNSS) passively probed machines to determine if they would be vulnerable to this attack, other vendors approached this audit with an intrusive check and classified the RFPoison audit as a "dangerous plugin". This audit was originally introduced as non-intrusive and not flagged as "dangerous". Unfortunately, this led to the accidental blue screening of machines by auditors using these tools. Imagine scanning your environment with an allegedly safe audit, and the results cripple the entire environment. In contrast, RNSS does not include any dangerous audits in its checks, and auditors can successfully identify and patch a host without any appreciable risk to the environment. RFPoison-susceptible machines could have been identified without business interruption. Tools that rely on intrusive scans carry a risk that eEye Digital Security solutions do not bear.

The only potential downside associated with non-invasive scanning is in the way the information is analyzed after performing a scan. Intrusive systems provide immediate results after a targeted attack, successful or unsuccessful. Non-intrusive solutions require the results to be correlated and the status interpolated based on the retrieved data. A solid reporting, analysis, and remediation process is needed to turn the results into functional business benefits. Scanning tools that simply provide an unmanageable list of vulnerabilities without proper details and corrective actions tend to complicate the process. RNSS provides complete reporting, data export, and the ability to use a central management console to aggregate results for any size environment. In addition, all data is stored in a database for further interrogation and is exportable in near real time to a SIM, NMS, or call center.