Analytics

5/21/2010
02:10 PM
50%
50%

Vulnerability Scanning Do's And Don'ts

Legacy hardware, software, traffic patterns among critical vulnerability scanner considerations

In vulnerability assessment scanning, preparation and planning can make the difference between an accurate and illuminating scan and a big IT headache. Failure to account for and accommodate legacy hardware and software, port management strategies, traffic patterns, and usage schedules can all contribute to a vulnerability scan that has the potential for causing as many problems as it identifies.

Yet the sheer variety of easy-to-install, point-and-click vulnerability scanners on both the commercial and free open-source markets that has helped make vulnerability scanning a near-ubiquitous tool for security-conscious businesses could itself contribute to a false sense of security and system safety when launching a scanner for the first time.

"Today's scanners are generally delivered with the best generic settings for most environments they'll be used in," says security consultant Chris Nickerson. Even so, a business isn't a generic commodity, he says.

That is why leading scanners include customization and tweaking tools, as well as plug-ins and add-ons that enable you to craft and tailor your vulnerability scan for your business' specific nature and operations. Tenable's Nessus, for instance, has more than 36,000 plug-ins.

That nature might well include legacy hardware and, in some industries (financial services, for example), lots of legacy hardware. Approaching big iron, a z/OS, or AS400 box, for instance, with a vulnerability scan calls for caution, lest the scan collide with the legacy machine's own approaches to port management and binding.

The consequences of such collisions can include connection hang-ups while waiting for responses, ports hanging up while waiting for connections, and, worst case, system crashes. In a post about new challenges that cloud computing brings to vulnerability assessment, security blogger Craig Balding offered this observation applicable to all vulnerability assessment tools: "If the scanning policy includes Denial of Service checks or the scanning engine is configured with 'aggressive' settings; e.g. connection entries in firewall state tables get exhausted. It's also possible for scans to tickle obscure bugs in the target -- or devices en route to the target."

The solution? Take it slow and take one (or a few) step at a time, particularly when launching vulnerability scans or a new scanner for the first time.

"Segment your risk," Nickerson advises. "Test and tune the scanner for the environment it will be used in and tackle the scan surgically, rather than a shotgun, all-at-once approach. If the default out-of-the-box scan tests 24 hosts at a time, try it with five hosts firsts. Break your hosts into manageable and actionable boxes before turning loose the hounds."

Steve Stasiukonis, founder and vice president of Secure Network Technologies, recommends setting up closed, test-bed environments if possible or practicable. "If you're aware of the potential harm an untested scan can create, you can easily see the benefit of running the scan first against a system that's not involved in business production," he says.

Likewise, critical business traffic and traffic patterns need to be factored into vulnerability scans because the scan itself will add to network traffic. The scan needs to be scheduled for minimal traffic impact, so don't launch a major scan of retail servers at the height of the holiday purchasing rush.

"Even without a full-on outage, poorly configured scans can still negatively impact performance or availability for other customers of shared infrastructure," Balding observed in his blog.

Understanding the nature of the business, the business' traffic patterns, and, crucially, communicating and coordinating with key business personnel are all keys to both an effective and nondisruptive vulnerability scan.

Scans and their effects are liable to set off alarms and key-person notifications. "Give some thought to what time your scans will be run and also to what time zone affected businesses operate in," Stasiukonis says. "Don't surprise someone on the West Coast with a 5 a.m. alert that you scheduled to run at 8 a.m. on the East Coast."

All of these considerations need to be factored in not only before launching a scan, but also before selecting the scanner you'll be launching.

The integration of vulnerability assessment scanning with penetration testing and other security tools will likely be accompanied by further refinements of interfaces, dashboards, and ease-of-use considerations.

And that is all for the good, so long as you bear in mind that the ease-of-use tools for major vulnerability include a wide array of customizations and add-ins.

"Use them," Nickerson says. "And use them before buying a scanning tool. Test the various scanners you're considering, and test them against the environment they'll be scanning. Make sure that the scanner you choose is the right tool for the environment you're choosing it for."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
Get Serious about IoT Security
Derek Manky, Global Security Strategist, Fortinet,  9/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.