
Vulnerability Testing

Approach

Prepared By: Phil Cheese


Nov 2008

Outline

• Structure of Technology UK Security Team
• Why we test
• What we test
• When we test
• How we test
• Demo of a unix platform test
• Hot topics
• Questions and Answers

UK Technology Security teams

[Organisation chart. Boxes: UK Tech. Security Mgr; Group CISO; Review New Systems / Security Consultants; Vulnerability Testing / Vulnerability Test Team; Security Monitoring (Mail, Logs, IDS, Firewall) / Security Operations]

Definition

Penetration testing v Vulnerability testing?

• Wikipedia
“Security testing techniques scour for vulnerabilities or security
holes in applications. These vulnerabilities leave applications
open to exploitation. Ideally, security testing is implemented
throughout the entire software development life cycle (SDLC) so
that vulnerabilities may be addressed in a timely and thorough
manner. Unfortunately, testing is often conducted as
an afterthought at the end of the development cycle.”

• Why? – test against standards, identify misconfigurations, old vulnerable versions of software, test drive
• Ethics & Legality

Why testing

• Preventing financial loss through fraud (hackers, extortionists and
disgruntled employees) or through lost revenue due to unreliable
business systems and processes.
• Proving due diligence and compliance to your industry regulators,
customers and shareholders. Non-compliance can result in your
organisation losing business, receiving heavy fines, gathering bad PR
or ultimately failing. Protecting your brand by avoiding loss of
consumer confidence and business reputation.
• Vulnerability testing helps shape information security strategy
through identifying vulnerabilities and quantifying their impact and
likelihood so that they can be managed proactively; budget can be
allocated and corrective measures implemented.

Defining the scope

• Full-Scale vs. Targeted Testing
• Platform, Network, Database, Applications
• Remote vs. Local Testing
• In-house v outsourcing

Defense in depth

• Network
• Operating System
• Database
• Application

[Diagram. Labels: Tester (Nmap, Nessus); www.vodafone.co.uk; Network elements e.g. SGSNs, HLRs; Sun Solaris; HP-UX; Redhat; Windows; File server; Oracle DB; Apache Web server; Application Server]

Nmap

Nessus

[Diagram. Labels: Tester; Assuria Agents; www.vodafone.co.uk; Network elements e.g. SGSNs, HLRs; Sun Solaris; HP-UX; Redhat; Windows; File server; Oracle DB; Apache Web server; Application Server]

Assuria Auditor Console

[Diagram. Labels: Tester (NGS Squirrel); www.vodafone.co.uk; Network elements e.g. SGSNs, HLRs; Sun Solaris; HP-UX; Redhat; Windows; File server; Oracle DB; Apache Web server; Application Server]

NGS Squirrel

[Diagram. Labels: Tester (Appscan, Superwalk); www.vodafone.co.uk; Network elements e.g. SGSNs, HLRs; Sun Solaris; HP-UX; Redhat; Windows; File server; Oracle DB; Apache Web server; Application Server]

Appscan

Backtrack

[Diagram. Labels: Tester; Assuria CLI Remote test (Data Centre); www.vodafone.co.uk; Network elements e.g. SGSNs, HLRs; Sun Solaris; HP-UX; Redhat; Windows; File server; Oracle DB; Apache Web server; Application Server]

Remote platform vulnerability assessment using Assuria Auditor & workbench via the command line

• “It is better to voyage hopefully than to drive to Oldham”
• FTP and install scripts
• Run scans
• Copy off raw results files
• Generate csv files
• Import results into workbench
• Review scan results
• Producing reports
• Agreeing remedial actions and re-testing

Log onto remote server

FTP onto a remote server

unzip tarball file

Areas checked by ‘Initial’ policies
The table below details the initial policies referenced against the areas checked.

Policy Name | Area To Check | UNIX | NT
Initial-1 | External Attack | Network Services, Secure Files, Terminal Configuration | Network Services - FTP, RAS, Registry Access, Trust Relationships Logon Failure Auditing
Initial-2 | Superusers | Configuration Home Files, Environment Setuid Files | Accounts in Domain Admins and Administrators Groups, Audit Configuration, Examine Audit Logs
Initial-3 | Ordinary Users | General User Configuration, Home Files and Environment | Account Policy, User Properties, User Rights
Initial-4 | Files And Devices | Mount Points, Special Devices |
Initial-5 | System Files | All Files in predefined directories (/usr/etc /lib Etc.) Frozen Files | Directories under %SYSTEMROOT%, Frozen Files. Sensitive Registry Keys
password | | Guessable passwords, password shadowing, user shared password, uid 0 user's home directories, default login environment | Forced password changes, password reuse settings, minimum password age and length, passwords required, password strength

Run scans

FTP results back to desktop

Generate CSV files

Import into Workbench

Reconcile results

Filter results

Vulnerability testing - hot topics

• PCI-DSS – keeping Security vendor industry going!
  https://www.pcisecuritystandards.org/
• Appliances and automation – keep your auditors happy
  http://www.qualys.com/products/qg_suite/
  http://www.ncircle.com/index.php?s=products
• Virtualisation and middleware vulnerabilities – don’t forget ’em…
  http://labs.mwrinfosecurity.com/
• Exploitation tools – Metasploit framework, Canvas, Core Impact, BEEF
  http://www.metasploit.com/
  http://www.immunitysec.com/
  http://www.coresecurity.com/
  http://www.bindshell.net/tools/beef

Conclusions

• In depth, holistic approach to security testing
• Testing needs to take place during the development lifecycle
• Can be complex and time consuming
• Outsource specialist testing to third party vendors
• Commercial tools easy to maintain and use but can be expensive
• “A fool with a tool is still a fool”
• Results from tools need analysis and need to be put into a ‘business risk’ context

Any Questions?
