Vulnerability Assessment Using SAINT
Jane Lemmer
Information Security Specialist
World Wide Digital Security, Inc.
June 16, 1999 2
Outline
The Problem
The First Solution
The Second Solution
Other Uses for SAINT
What’s Next
Conclusions
The Problem
Large network: 7 Class B subnets, over 20 Class C subnets
No central management
Some resistance to “outsiders”
How do we do a vulnerability assessment?
The First Solution
The Scanning Tool
The Scanning Method
Results
Problems
Lessons Learned
The First Solution
The Scanning Tool
Conducted a comparison of several network based vulnerability assessment tools
  Internet Security Scanner
  Kane Security Analyst
  SATAN
  Nessus, and a few others
The First Solution
The Scanning Tool
Chose SATAN, with COAST extensions
  free
  fairly easy to use
  sufficient for providing a first look at overall network vulnerability
The First Solution
The Scanning Method
The First Solution
Results
Lasted three weeks
Approximately 20,000 potential hosts interrogated
Found about 5,000 hosts with services
Inexpensive (almost automatic)
The First Solution
Problems
Took almost a month to process the results into a useable format
Missed many hosts (DHCP, hosts not in DNS, especially Linux boxes)
Organizational problems (results not getting to the right people)
Scapegoats for a host of network problems
The First Solution
Lessons Learned
DNS method is not finding all the hosts
SATAN is not current
Report generation takes too long
We need the following:
  a new scanning tool
  a new scanning method
  a new reporting method
The Second Solution
The Scanning Tool
The Scanning Method
Results
Problems
Lessons Learned
The Second Solution
The Scanning Tool
An updated version of SATAN
Added many new tests
Added a new attack level
Changed how vulnerable services are categorized
Works in firewalled environments
Identifies Windows boxes
Developed extensive tutorials for each vulnerable service
Developed an in-house tool to help with reports
The Second Solution
The Scanning Tool
The three “r” services (rlogin, rshell, rexec)
Vulnerable CGIs
IMAP vulnerabilities
SMB open shares
Back Orifice and NetBus
ToolTalk
Vulnerable DNS servers
rpc.statd service
UDP echo and/or chargen
IRC chat relays
The Second Solution
The Scanning Method
The Second Solution
Results
Lasted two months
Almost 500,000 potential hosts interrogated
Found many more hosts
  approximately 7,000 boxes with services
  approximately 4,000 boxes with no services
  almost 8,000 Windows boxes
More costly (labor intensive)
The Second Solution
Problems
Scanning takes longer
Difficult to compare results with previous scan
Organizational problems (results still not getting to the right people)
Caused some problems with NT boxes
Still a scapegoat for network problems
The Second Solution
Lessons Learned
New method finds more hosts but takes longer
SAINT needs to be continually updated
Scanning can help improve the tool
Still need to work on reporting results
Other Uses for SAINT
SAINT gathers a lot of information that is not reported
  used to produce a list of UNIX hosts by OS type
  used to identify web servers
  used to identify routers
Quick scans of a host or subnet
Other Uses for SAINT
Investigating Incidents
What’s Next
Continue using SAINT for large scans
Supplement SAINT with more robust tools
Scans have led to
  development of an IRT
  defining policy
  defining standard security configurations
  helping users secure hosts
  developing centralized site for security information
Conclusions
SAINT is a useful tool for scanning large networks
Results give a good first look at how vulnerable you are
SAINT must be continually updated
  better OS typing
  better reporting method to compare scan results
Contact Information
World Wide Digital Security, Inc.
11260 Roger Bacon Drive, Suite 400
Reston, VA 20910 USA
PHONE: +1 703 742-6604
FAX: +1 703 742-6605
http://www.wwdsi.com