The environments in which we all work have become more complicatedas the years have passed, and one of the outcomes is that they are farmore difficult to test for vulnerabilities. Since many years ago whenDan Farmer and Wietse Venema wrote their seminal paper, "Improving thesecurity of your site by breaking into it," the process of securitytesting has both improved and become more difficult.
Today, unlike when Farmer and Venema wrote their paper, we activelyinvite strangers into our networks. Well, not exactly all the way in,but far enough to cause concern if the perimeter is not very secure.Never before has the notion of layered security been more important.
Recently, I performed some testing on a web application. I knew theapplication had some holes, but my main concern was whether the holescould be reached from an attacker's location, wherever that might be.To do that, I needed to test vulnerabilities in the infrastructure.
The tools we looked at this month do exactly that: they enabletesting of the infrastructure. By that I mean the network and theplatforms on it. This introduces the concept of reachability. Ifapplications are exposed to the outside, simple vulnerabilities becomepotential disasters. That means that the platforms they sit on and theroutes to those platforms must be protected. Sometimes that's easier totalk about than it is to do.
That's where this month's products come into play. If the best youcan do is to monitor an application and its platform closely, it isimportant to know what, exactly, you are monitoring for.
This month's crop of tools helps define the environment bydemonstrating vulnerabilities, confirming them, and helping you decidetheir severity. With that in mind, you can consider credible threatsthat play against those vulnerabilities. Vulnerability analysis, then,becomes an important part of risk analysis. In fact, more and more SIMsand SEMs are accepting vulnerability data.
Generally speaking, I favor a multi-step process for vulnerabilityanalysis. First, I want to get a good picture of the networkinfrastructure I am going to analyze. This is an important first stepbecause I know that I am going to get some false positives and someresults that are not reasonable in terms of reachability of the target.Some parts of the infrastructure are more sensitive than others. All ofthese issues militate for understanding the test environment.
Next, I want to do a bit of reconnaissance. For that I want a goodvulnerability assessment tool. This gives me the lay of the land. Ifthere are too many high or critical vulnerabilities, this is where Istop until they are fixed. If there are a lot of vulnerabilities, youmay be sure that penetration testing will succeed. You have learnednothing.
Finally, I want to run a penetration test focusing on the results ofthe vulnerability testing. A word about "ethical hacking" is in orderhere. That's an oxymoron intended to give pen testers a marketingmystique. There simply is no such thing given today's understanding ofhacking. What we are doing is penetration testing, the operative wordbeing "testing." That implies rigor, structure, planning, repeatabilityand thoroughness. Hacking is none of those things. If you are notperforming your testing this way, you are wasting your time. The goodnews is that today's crop of tools supports a professional approach tovulnerability analysis.
So, what you want is a solid vulnerability assessment tool thatstays current with vulnerabilities and is fairly easy to use. Ease ofuse offers the benefit of repeatability because you can perform a setof tests, and the next time you want to perform the same tests you canbe pretty certain you're repeating your earlier tests. For that,scripting is a must. Building scripts or macros aids the repeatabilityprocess.
In addition, you want a penetration tool that can test avulnerability all the way to penetration. The best way to ensure thisis to be able to plant an agent on the target as a result of thepenetration that allows direct access to the target. Rarely do you findboth of these tools in the same product. However, there is a trendtoward this mix and, although there are very few today, I expect thatthere will be a good deal more in the near future.