Tools For Vulnerability Scanning and Penetration Testing

2017 National Conference
State Certification Testing of Voting Systems
Austin, Texas

Source: bowencenterforpublicaffairs.org/wp-content/uploads/2017/06/Tools...
Contact: provandv.com

Knowledge To Transfer
• Security Terminology
• Vulnerabilities: Lifecycle
• Vulnerability Research and Discovery, Reverse Engineering
• Software Solution Stack
• Vulnerabilities in the Software Solution Stack
• Apply Software Stack to Voting Systems Components
• Hacking Methodology: Where Scanning Fits In
• Examples: Some Scanning Tools
• VSTL Use of Scanning Tools, Other Use
• Scanners: Pros and Cons, Key Considerations
• Scanners: Where and When, Areas For Concentration

Security Definitions
Vulnerability: A deficiency, error, or misconfiguration within a system which can be exploited, allowing the system to be used in an unintended manner.
Vulnerability Scanner: Automatically tests a system for KNOWN vulnerabilities to confirm presence.
Exploit: Software program developed to attack an asset by taking advantage of a vulnerability.

Security Definitions
Vulnerability Assessment: Scan of a network's or component's security that attempts to look for potential points of entry by hackers or malware.
• Automated: scanning tools find common issues
• Manual: tester's knowledge and expertise looks for issues missed by automated tools
• No breach, no compromise
• Report issued, problems prioritized to be addressed later
Penetration Testing:
• Use vulnerabilities discovered to breach and prove ability to compromise
• Usually consists of more than technological targets (includes physical, administrative, procedural, people)
• More representative of what a real adversary COULD do
Reverse Engineering, Vulnerability & Exploit Research: Targets a technological component to understand its inner workings and find ways to compromise it.

Vulnerability Lifecycle
[Figure: vulnerability lifecycle diagram. Actors: Researcher, Bad Actor, Vendor. Stages: Vulnerability Research / Discovery; Vulnerability Publication (Responsibly / Publicly); Mitigation Detection Development; Mitigation Solution Development; Mitigation Deployment; Mitigation Verification Scan; Exploit Development; ZERO-DAY.]

Vulnerability Discovery
Research / Discovery / Reverse Engineering
• Access to Application Only
  • Fuzzing
  • Brute Force / Trial and Error
• Access to Compiled Executable Binaries
  • Decompilers
  • Binary Debuggers
• Access to Source Code
  • Static Code Analyzers
  • Manual Code Inspection
All methods of looking for programming errors that may result in a vulnerability!

Software Solution Stack
• Custom Application: Vendor Application
• Third Party Supporting Application: Open Source / Commercial
• Web Server: Apache / MS IIS
• Database: MSSQL / Oracle
• Application: Open Source / Commercial
• Operating System: Windows / Linux / OSX / Android
• Hardware
• Network: Routers / Firewalls / Transfer Media

Vulnerability Stack
[Figure: stack layers: Custom Application, Third Party Supporting Application, Web Server, Database, Application, Operating System, Hardware, Network]
Requires Vulnerability Research and Discovery, Reverse Engineering
Majority of KNOWN Vulnerabilities
• More research in these layers
• Availability to those performing research
• Exploits developed and available
• Easier Targets
• Auto-Scan Tools more effective in these layers

SO WHAT?
• US-CERT: 85% of breaches are preventable
  • They are against known vulnerabilities
WHAT’S NEXT?
• Voting Systems Application
• How VSTL ProV&V currently uses these tools
• How and where can we use them in Election Systems


Election System of Systems

Used With permission from Merle King, KSU

Election System of Systems: Usefulness of Automated Scans

Used With permission from Merle King, KSU

Election System of Systems…of Systems: The Bigger Picture
[Figure labels: Voting Systems, State / District, VSTLs, Vendors, Political Campaigns]
A Compromise of Any Has an Impact on the Whole

Hacking Methodology: Where Vulnerability Scanning Fits In
• Phase 1: Reconnaissance
• Phase 2: Scanning
• Phase 3: Gaining Access
• Phase 4: Maintaining Access
• Phase 5: Covering Tracks
[Figure labels: Vulnerability Research / Discovery; Mitigation Verification Scan; Use Exploit; Compromised Target; More Secure Target!]
Depends on who is scanning!

Network Vulnerability Scanner
• Examples of Vulnerabilities Identified:
  • Missing Patches (known vulnerabilities)
  • Insecure Server Configurations
  • Open Ports
• Examples of Tools
  • NMAP
  • Nessus
  • OpenVAS
  • Retina
[Figure: software stack for an election system: Election System Application, Third Party Supporting Application, Web Server, Database, Application, Operating System, Network]

Web Application Vulnerability Scanner
• DAST – Dynamic Application Security Testing
• Requires Running Applications
• Examples of Vulnerabilities Identified
  • Cross-site scripting
  • SQL Injection
  • Command Injection
  • Path Traversal
  • Insecure Server Configurations
• Examples of Tools
  • Zed Attack Proxy
  • Grabber
  • Vega
  • WebScarab

Database Scanning
• Specifically designed for databases
• Examples of Vulnerabilities Identified:
  • Weak password policies
  • Default accounts
  • Security of admin accounts
  • Misconfiguration
• Examples of Tools
  • Scuba
  • Qualys

Source Code Analysis
• SAST – Static Application Security Testing
• Examples of Vulnerabilities Identified (CWE Top 10)
  • SQL Injection
  • OS Command Injection
  • Buffer Overflows
  • Cross Site Scripting
  • Missing Authentication for Critical Function
• Examples of Tools
  • Coverity
  • Cppcheck
  • HP Fortify
  • Parasoft

Fuzzing
• Feeding variations of unexpected input into a program in an attempt to uncover unexpected behavior
• Examples of Tools
  • Basic Fuzzing Framework (BFF)
  • OWASP WebScarab
  • Peach Fuzzer


Vulnerability Assessment Comparison

PVV Application of Tools: Voting System
• Code Analysis
• Network Scanners
  • NMAP
  • Nessus
  • OpenVAS
  • SCAP Compliance Checker
[Figure: software stack: Voting System, Third Party Supporting Application, Web Server, Database, Application, Operating System, Network]

VSTL Application of Tools: UOCAVA
UOCAVA Ballot Delivery/Return
• Static Code Analysis
• Web Application Scanner
• Database Scanner

Potential Application of Tools
Voting System
• Static Source Code Analysis

Potential Application of Tools
Online VR System
• Network Scanning
• Web Application Scanning
• Database Scanning

Potential Application of Tools
Statewide Election Night Reporting
• Network Scanning
• Web Application Scanning
• Database Scanning

Pros and Cons of Automated Scanners
Cons
• High False Positive Rates
• Doesn’t Fix The Problem
• Report Output Interpretations
• Point in Time Applicability
  • New Vulnerabilities Discovered Not Covered
Pros
• Wider Area Coverage
• Scheduled Automation
• Report Output Ranking To Help Prioritization

Key Considerations
• Ethics / Legality
  • Written consent from system owner or high ranking authority
  • If hosted (SaaS, IaaS, etc.):
    • Consult SLA (Service Level Agreement), AUP (Acceptable Use Policy)
    • Require owner to submit results of scans, RFP
• Expertise
  • Understanding Election System of Systems…of Systems
  • Selecting appropriate tools
  • Interpreting output
  • Finding & implementing mitigating solutions

Areas for Concentration
WHERE
• Easy Targets
  • Anything Public Internet Facing
  • Duration of Accessibility
• High Risk Targets
  • High Data Asset Value
  • High Election Disruption Value
  • High Election Integrity Compromise Value
WHEN
• Baseline
• Anytime modified
• Routine
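
An added example, not part of the original slides, of the WHEN guidance above: take a baseline scan, rescan routinely or after any modification, and compare the two. It assumes both scans were saved in Nmap's grepable output format (`-oG`); the hosts, names and ports are constructed sample data.

```python
import re

# Constructed sample data in Nmap grepable (-oG) format; hosts are made up.
BASELINE = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 (enr-web)\tStatus: Up\n"
    "Host: 192.0.2.10 (enr-web)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\n"
    "Host: 192.0.2.20 (enr-db)\tPorts: 1433/open/tcp//ms-sql-s///, 3389/filtered/tcp//ms-wbt-server///\n"
)
CURRENT = (
    "Host: 192.0.2.10 (enr-web)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\n"
    "Host: 192.0.2.20 (enr-db)\tPorts: 3389/open/tcp//ms-wbt-server///\n"
    "Host: 192.0.2.30 ()\tPorts: 21/open/tcp//ftp///\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)")

def open_ports(grepable: str) -> dict:
    """Map host -> set of (port, proto, service) that Nmap reported as open."""
    result = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment or blank line
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue  # "Status:" and "Ignored State:" fields carry no ports
            ports = result.setdefault(m.group(1), set())
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                # Entry layout: port/state/protocol/owner/service/...
                if len(parts) >= 5 and parts[1] == "open":
                    ports.add((int(parts[0]), parts[2], parts[4]))
    return result

def diff_scans(baseline: str, current: str) -> dict:
    """Return per-host ports opened or closed since the baseline scan."""
    old, new = open_ports(baseline), open_ports(current)
    report = {}
    for host in sorted(set(old) | set(new)):
        opened = sorted(new.get(host, set()) - old.get(host, set()))
        closed = sorted(old.get(host, set()) - new.get(host, set()))
        if opened or closed:
            report[host] = {"opened": opened, "closed": closed}
    return report

if __name__ == "__main__":
    for host, change in diff_scans(BASELINE, CURRENT).items():
        print(host, change)
```

Anything under "opened", and any host that was not in the baseline, is the part of a routine scan that needs review first.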

Key Takeaways
• What are vulnerabilities
• Difference in Vulnerability Assessment, Pen Testing, Reverse Engineering
• What, Where, When, Why, How, and Who of automated vulnerability scanners