
A Model For Vulnerability Forecasting

Date: 2011-08-30


A MODEL FOR VULNERABILITY FORECASTING
by

HEIN S. VENTER

THESIS
submitted in fulfilment of the requirements for the degree

DOCTOR OF PHILOSOPHY
in the subject

COMPUTER SCIENCE
in the

FACULTY OF NATURAL SCIENCES
of the

RAND AFRIKAANS UNIVERSITY

PROMOTER: PROFESSOR JAN H. P. ELOFF
MAY 2003

ABSTRACT
Internet and network security forms an interesting and topical, yet challenging and developing research domain. In this domain, a taxonomy of information security technologies is identified. This taxonomy is divided into two mainline entities, namely proactive and reactive information security technologies. This thesis is specifically concerned with proactive information security technologies, the focus being on a specific proactive information security technology – vulnerability scanning. Vulnerability scanning is implemented by vulnerability scanner (VS) products. VS products are used proactively to conduct vulnerability scans to identify vulnerabilities so that they can be rectified before they can be exploited by hackers. However, there are currently many problems with state-of-the-art VS products. For example, a vulnerability scan is time-consuming and a vast number of system resources are occupied, leading to the degradation of network and system performance. Furthermore, VS products lack the intelligence that is required to deal with new vulnerabilities that appear like clockwork. Current VS products also differ extensively in the way that they can detect vulnerabilities, as well as in the number of vulnerabilities that they can detect. These problems motivated the researcher to create a model for vulnerability forecasting (VF). The uniqueness of the VF model lies in its holistic approach to addressing these problems while maintaining its end goal – that of being able to do a vulnerability forecast of how vulnerabilities will occur in the near future. Such a vulnerability forecast would, therefore, enable an organisation to use it proactively as part of a risk management scheme. Furthermore, in order to demonstrate the feasibility of implementing the proposed model, a report on the development of a prototype for vulnerability forecasting is included. Rather than reinventing the wheel, the prototype incorporates the use of current state-of-the-art VS products in its VF process. This is advantageous in the sense that the prototype is independent of a specific VS product. It is because of the latter that a standardisation technique had to be used to refer to vulnerabilities in the same way, since different VS products do not refer to and detect similar vulnerabilities in the same way. This standardisation technique introduced in this thesis is known as harmonising vulnerability categories.

This thesis contributes to the understanding of vulnerability scanning techniques and how vulnerability scanning can be utilised more effectively by doing vulnerability forecasting. The thesis also paves the way for numerous potential future research projects in the domain of Internet and network security.


AFRIKAANSE OORSIG (AFRIKAANS SUMMARY)
Internet and network security forms an interesting and topical, yet challenging and developing research domain. In this domain, a taxonomy of information security technologies is identified. This taxonomy is divided into two main-line entities, namely proactive and reactive information security technologies. This thesis deals specifically with proactive security technologies, and the focus is on one specific proactive information security technology – vulnerability scanning. Vulnerability scanning is implemented by vulnerability scanner (VS) products. VS products are used proactively to conduct vulnerability scans in order to identify vulnerabilities so that they can be rectified before they are exploited by crackers. At present, however, there are many problems with the latest VS products. A vulnerability scan is, for example, time-consuming, and a large quantity of system resources is occupied, which leads to the degradation of network and system performance. Furthermore, VS products do not possess the intelligence needed to deal with new vulnerabilities that appear like clockwork. Current VS products also differ vastly with respect to the manner in which they detect vulnerabilities, as well as the number of vulnerabilities that they can detect. These problems motivated the researcher to create a model for vulnerability forecasting (VF). The uniqueness of the VF model lies in its holistic approach to addressing these problems while the end goal – to be able to forecast how vulnerabilities will occur in the near future – is maintained. Such a vulnerability forecast will therefore enable an organisation to use it proactively as part of a risk management plan. Furthermore, to demonstrate the feasibility of implementing the proposed model, a report on the development of a prototype for vulnerability forecasting is included. Instead of reinventing the wheel, the prototype incorporates the use of the very latest VS products in its VF process. This is advantageous in the sense that the prototype is independent of a specific VS product. Because of the latter, a standardisation technique had to be used to refer to vulnerabilities in the same way, since different VS products do not refer to vulnerabilities, or detect them, in the same way. This standardisation technique, introduced in the thesis, is known as the harmonising of vulnerability categories. This thesis contributes to the understanding of vulnerability scanning techniques and to how vulnerability scanning can be used more effectively by doing vulnerability forecasts. This thesis also paves the way for numerous potential future research projects in the field of Internet and network security.


ACKNOWLEDGEMENTS
“Life is a journey, enjoy the ride” is a philosophy that many people live by. This philosophy is applicable to the essence of this thesis as well. In the journey of the thesis, the ride was sometimes bumpy, sometimes flat, and sometimes, alas… completely off-road! Like all journeys, this one has also come to an end. The journey would not have been possible without an excellent vehicle, and that vehicle would embody everyone who made it possible for this research project to be completed. It is therefore appropriate and absolutely crucial to convey my sincere appreciation to all who made the journey possible. Without your support, guidance and encouragement, it would have been impossible. A special word of thanks to:

- God, my Anchor and my Reason for being, for the talents and energy He gave me to complete this research.
- My fiancée, René, for her undivided love, support and encouragement amidst difficult times.
- My parents, for their continuous support and for affording me a proper education in financially challenging times.
- My promoter, Professor Jan Eloff, for his peerless guidance and continuous encouragement.
- All my friends, who continuously encouraged me and for believing in me. A special word of thanks to Damian Cholewka, Keith Snyman and Gert van Rensburg for listening to my frustrations.
- Pierre Visser, for his contribution to the development of the vulnerability forecasting prototype.
- My colleagues at the University of Pretoria, for assisting me wherever possible. A special word of thanks to Madel Morkel for always being eager to help with the administration regarding the thesis.
- My former colleagues at the Rand Afrikaans University for their support through the years. A special word of thanks to Mrs Ina Erasmus and Mrs Naomi Strijdom for always being friendly and available to help with all the administration regarding the thesis.
- Glenda Buncombe, for editing the thesis professionally and promptly.
- The National Research Foundation for financial assistance.
- Anyone else who contributed – even if in the faintest manner – to the completion of this research, I thank you all.


CONTENTS

ABSTRACT .... v
AFRIKAANSE OORSIG (Afrikaans summary) .... vii
ACKNOWLEDGEMENTS .... ix

1 INTRODUCTION .... 1
1.1 INTRODUCTION .... 1
1.2 MOTIVATION FOR THIS STUDY .... 1
1.3 PROBLEM STATEMENT .... 5
1.4 TERMINOLOGY USED IN THIS THESIS .... 8
1.4.1 Information security .... 8
1.4.2 Intrusion detection .... 9
1.4.3 Vulnerability scanning .... 9
1.4.4 Risk management .... 10
1.5 THESIS LAY-OUT .... 10

2 A TAXONOMY FOR INFORMATION SECURITY TECHNOLOGIES .... 13
2.1 INTRODUCTION .... 13
2.2 A TAXONOMY FOR INFORMATION SECURITY TECHNOLOGIES .... 13
2.2.1 Proactive information security technologies .... 16
2.2.1.1 Cryptography .... 16
2.2.1.2 Digital signatures .... 17
2.2.1.3 Digital certificates .... 17
2.2.1.4 Virtual private networks .... 18
2.2.1.5 Vulnerability scanners .... 18
2.2.1.6 Anti-virus scanners .... 19
2.2.1.7 Security protocols .... 19
2.2.1.8 Security hardware .... 20
2.2.1.9 Security SDKs .... 20
2.2.2 Reactive information security technologies .... 21
2.2.2.1 Firewalls .... 21
2.2.2.2 Access control .... 22
2.2.2.3 Passwords .... 22
2.2.2.4 Biometrics .... 23
2.2.2.5 Intrusion detection systems .... 23
2.2.2.6 Logging .... 24
2.2.2.7 Remote accessing .... 24
2.3 CONCLUSION .... 25

3 STATE-OF-THE-ART INTRUSION DETECTION AND VULNERABILITY SCANNING .... 27
3.1 INTRODUCTION .... 27
3.2 INTRUSION DETECTION .... 28
3.2.1 What is intrusion detection? .... 28
3.2.2 The architecture of IDSs .... 28
3.2.2.1 Pattern-matching IDS architecture .... 30
3.2.2.2 Anomaly detection IDS architecture .... 32
3.2.3 Other approaches to IDS architectures .... 33
3.2.3.1 IDML-based intrusion detection .... 33
3.2.3.2 An IDS architecture for detecting TCP SYN flooding .... 35
3.2.4 Commercially available IDSs .... 37
3.2.5 The problems with IDSs .... 37
3.3 VULNERABILITY SCANNING .... 37
3.3.1 What is vulnerability scanning? .... 37
3.3.2 The architecture of VSs .... 38
3.3.3 Another approach to VS architectures .... 42
3.3.4 Commercially available VSs .... 43
3.3.5 The problems with VSs .... 44
3.4 CONCLUSION .... 45

4 HARMONISING VULNERABILITY CATEGORIES .... 47
4.1 INTRODUCTION .... 47
4.2 METHOD OF IDENTIFYING CATEGORIES .... 47
4.3 HARMONISED VULNERABILITY CATEGORIES .... 48
4.3.1 Password cracking and sniffing .... 49
4.3.2 Network and system information gathering .... 50
4.3.3 User enumeration and information gathering .... 50
4.3.4 Backdoors, Trojans and remote controlling .... 51
4.3.5 Unauthorised access to remote connections and services .... 52
4.3.6 Privilege and user escalation .... 52
4.3.7 Spoofing or masquerading .... 53
4.3.8 Misconfigurations .... 54
4.3.9 Denial-of-services (DoS) and buffer overflows .... 54
4.3.10 Viruses and worms .... 55
4.3.11 Hardware specific .... 55
4.3.12 Software specific and updates .... 56
4.3.13 Security policy violations .... 57
4.4 STANDARDISATION OF VULNERABILITIES .... 58
4.5 CONCLUSION .... 58

5 VULNERABILITY SCANNER PRODUCTS .... 61
5.1 INTRODUCTION .... 61
5.2 VS PRODUCTS .... 61
5.2.1 VS products overview .... 62
5.2.2 CyberCop Scanner .... 62
5.2.2.1 Practical experience with the CyberCop Scanner .... 62
5.2.2.2 CyberCop Scanner vulnerability database .... 63
5.2.3 Cisco Secure Scanner .... 63
5.2.3.1 Practical experience with the Cisco Secure Scanner .... 64
5.2.3.2 Cisco Secure Scanner vulnerability database .... 65
5.2.4 SAINT .... 66
5.2.4.1 Practical experience with the SAINT .... 66
5.2.4.2 SAINT vulnerability database .... 66
5.2.5 Internet Security Scanner (ISS) .... 66
5.2.5.1 Practical experience with the ISS .... 67
5.2.5.2 ISS vulnerability database .... 68
5.2.6 Nessus Security Scanner .... 69
5.2.6.1 Practical experience with the Nessus Security Scanner .... 69
5.2.6.2 Nessus Security Scanner vulnerability database .... 70
5.3 SUMMARY OF CURRENT VS PRODUCTS .... 71
5.3.1 Mapping onto harmonised vulnerability categories .... 72
5.3.2 Differences in VS products .... 73
5.3.2.1 2: Network and system information gathering .... 73
5.3.2.2 4: Backdoors, Trojans and remote controlling .... 74
5.3.2.3 8: Misconfigurations .... 75
5.3.2.4 9: Denial-of-service (DoS) and buffer overflows .... 76
5.3.2.5 13: Security policy violations .... 78
5.4 CONCLUSION .... 79

6 VULNERABILITY FORECASTING – A CONCEPTUAL MODEL .... 81
6.1 INTRODUCTION .... 81
6.2 PROBLEMS WITH STATE-OF-THE-ART VSS .... 81
6.3 CONCEPT OF VULNERABILITY FORECASTING .... 84
6.3.1 Defining the term “vulnerability forecasting” .... 84
6.3.2 A conceptual model for VF .... 84
6.3.2.1 Level 1 of the conceptual VF model .... 85
6.3.2.2 Level 2 of the conceptual model .... 85
6.3.2.2.1 VS technology (current) .... 86
6.3.2.2.2 Vulnerability harmonisation .... 92
6.3.2.2.3 Vulnerability forecasting .... 98
6.3.2.2.4 Merging the subcomponents for the conceptual VF model .... 102
6.4 CONCLUSION .... 103

7 THE VULNERABILITY FORECAST ENGINE .... 105
7.1 INTRODUCTION .... 105
7.2 INPUT TO THE VF ENGINE .... 105
7.3 EXPLANATION OF THE VF TECHNIQUE .... 107
7.3.1 Using FEIs for VF .... 108
7.3.1.1 Step 1: Determine fuzzy groups for a vulnerability forecast .... 109
7.3.1.2 Step 2: Defuzzify “fuzzy” vulnerabilities .... 110
7.3.1.3 Step 3: Define and calculate the membership function .... 112
7.3.1.4 Step 4: Defuzzify “fuzzy” scans .... 113
7.3.1.5 Step 5: Calculate the maximum over the minima and the FEI .... 114
7.3.2 FEI for each harmonised vulnerability category .... 115
7.4 CONCLUSION .... 116

8 A PROTOTYPE FOR VULNERABILITY FORECASTING .... 117
8.1 INTRODUCTION .... 117
8.1.1 The aim of the prototype .... 117
8.1.2 The VF model and the prototype .... 118
8.2 DEVELOPMENT OF THE VF PROTOTYPE .... 120
8.3 INSTALLATION OF THE VF PROTOTYPE .... 121
8.4 OPERATION OF THE VF PROTOTYPE .... 121
8.4.1 Background to the VF Prototype .... 121
8.4.2 The scan scenario .... 123
8.4.2.1 The platform .... 123
8.4.2.2 The scenario .... 123
8.4.3 Setting up the VF Prototype parameters .... 125
8.4.3.1 Setting up the Adjective List .... 127
8.4.3.2 Setting up the Harmonised Vulnerability Categories .... 128
8.4.3.3 Setting up the VS product used .... 129
8.4.3.3.1 Specifying the VS product name .... 129
8.4.3.3.2 Specifying the vulnerability database path .... 129
8.4.3.3.3 Specifying the tables used .... 129
8.4.3.3.4 Specifying the software package categories .... 130
8.4.3.3.5 Specifying the vulnerability mapping .... 131
8.4.3.3.6 Specifying the format of the history scan data .... 132
8.4.4 Using the VF Prototype software .... 133
8.4.4.1 Analysing the history scan data .... 134
8.4.4.2 Performing a vulnerability forecast .... 136
8.4.4.2.1 Compiling the fuzzy groups .... 138
8.4.4.2.2 Compiling the mapping table .... 140
8.4.4.2.3 Compiling the membership function .... 141
8.4.4.2.4 Viewing calculations .... 142
8.4.4.3 Validating a vulnerability forecast .... 145
8.5 CONCLUSION .... 147

9 CONCLUSION .... 149
9.1 INTRODUCTION .... 149
9.2 REVISITING THE PROBLEM STATEMENT .... 149
9.3 FUTURE RESEARCH .... 152
9.4 EPILOGUE .... 153

APPENDICES
A INSTALLING THE VF PROTOTYPE SOFTWARE AND ADDITIONAL SOFTWARE COMPONENTS .... 155
B SOURCE CODE OF THE VF PROTOTYPE .... 161
C CYBERCOP SCANNER REPORT .... 299
D THE CYBERCOP SCANNER VULNERABILITY DATABASE .... 309
E VULNERABILITY HISTORY DATA .... 395
F PAPERS PUBLISHED .... 421

LIST OF FIGURES

2.1 A taxonomy of information security technologies .... 14
3.1 The typical location of an IDS in a network .... 29
3.2 Pattern-matching IDS architecture .... 31
3.3 Anomaly detection IDS architecture .... 32
3.4 An architecture for intrusion detection based on IDML .... 33
3.5 A typical finite intrusion pattern state machine .... 35
3.6 An intrusion detection architecture for detecting TCP SYN flooding .... 36
3.7 The location of a VS in a network .... 38
3.8 An architecture for a VS .... 41
3.9 A distributed architecture for vulnerability scanning .... 42
5.1 An extract from the CyberCop Scanner report .... 63
5.2 An extract from the Cisco Secure Scanner report .... 65
5.3 An extract from the ISS report .... 68
5.4 Vulnerability mapping of different VS products onto the harmonised vulnerability categories .... 72
5.5 Number of vulnerabilities scanned for by different VS products for harmonised vulnerability category 2: network and system information gathering .... 73
5.6 Number of vulnerabilities scanned for by different VS products for harmonised vulnerability category 4: backdoors, Trojans, and remote controlling .... 75
5.7 Number of vulnerabilities scanned for by different VS products for harmonised vulnerability category 8: misconfigurations .... 76
5.8 Number of vulnerabilities scanned for by different VS products for harmonised vulnerability category 9: denial-of-services (DoS) and buffer overflows .... 77
5.9 Number of vulnerabilities scanned for by different VS products for harmonised vulnerability category 13: security policy violations .... 78
6.1 Level 1 – A conceptual model for vulnerability forecasting .... 85
6.2 The VS technology (current) component .... 86
6.3 VF logical database part 1: vulnerability data .... 87
6.4 Vulnerability data report .... 88
6.5 VF logical database part 2 added: scan data .... 89
6.6 Scan data report for scan 1 .... 90
6.7 The scan result report: vulnerabilities found on different hosts on a network during a specific scan .... 92
6.9 VF logical database part 3 added: harmonised vulnerability category data .... 94
6.10 VS product vulnerabilities mapped on to the harmonised vulnerability categories .... 95
6.11 Scan result report with vulnerabilities mapped onto the harmonised vulnerability categories .... 96
6.12 VF logical database part 4 added: harmonised history data .... 97
6.13 The vulnerability forecast component .... 98
6.14 VF logical database part 5 added: forecast history data .... 99
6.15 A vulnerability forecast result report for vulnerability forecasts 1 to n .... 101
6.16 The conceptual model for vulnerability forecasting .... 103
7.1 The harmonised history data for m scans .... 106
7.2 The 5 steps for determining the FEI for each harmonised vulnerability category .... 109
7.3 Membership function .... 112
8.1 The VF Prototype’s scope in terms of the VF model as indicated by the dark black line .... 118
8.2 The VF Prototype’s scope in terms of the VF model as indicated by the dark black line .... 119
8.3 Relational schema of the database implementation in the VF Prototype .... 120
8.4 CyberCop Scanner network scan scenario .... 124
8.5 Vulnerabilities uncovered by CyberCop Scanner during scan 1 for each CyberCop Scanner vulnerability category .... 124
8.6 Running the VF Prototype software .... 125
8.7 The Vulnerability Forecasting (VF) Prototype main window .... 126
8.8 The VF Prototype – Options window .... 127
8.9 The Adding Adjective input box .... 127
8.10 The VF Prototype – Software Package Setup window .... 128
8.11 Software Package Setup window: Harmonised mapping .... 130
8.12 Specifying the scan data file structure of CyberCop Scanner .... 132
8.13 The VF Prototype – Options window filled in .... 133
8.14 Loading the history scan data .... 134
8.15 The history scan data loaded and mapped .... 135
8.16 Graph showing information about Scan 15 .... 136
8.17 Showing the mapped data for the harmonised vulnerability categories .... 137
8.18 The first three steps for doing a vulnerability forecast for category 8 .... 137
8.19 Graph showing information about harmonised vulnerability category 8 .... 138
8.20 The first three steps for doing a vulnerability forecast in the VF Prototype completed .... 141
8.21 Step 4 for doing a vulnerability forecast in the VF Prototype .... 142
8.22 Calculations for the fourth ?-value as displayed in figure 8.21 .... 143
8.23 Step 5 and the final vulnerability forecast result for harmonised vulnerability category 8 .... 143
8.24 Graph showing information about harmonised vulnerability category 8 .... 144
8.25 The completed VF Prototype main window .... 145
8.26 Comparing a vulnerability forecast with an actual scan – Scan 16 .... 146
8.27 Comparing a vulnerability forecast with an actual scan for a significant time interval increase of 45 days between scans instead of every day .... 147
A.1 Entering the command to run the VF installation software .... 157
A.2 Specifying the destination folder for installing the VF Prototype software .... 157
A.3 The VF Prototype files being installed by the installation software .... 158
A.4 Running the register command .... 159
A.5 Successful component registration .... 159
B.1 Project layout of the VF Prototype .... 161
B.2 The “frmCalculations” form .... 162
B.3 The “frmGraphics” form .... 163
B.4 The “frmHelp” form .... 164
B.5 The “frmMain” form .... 170
B.6 The “frmOptions” form .... 195
B.7 The “frmSaveLoad” form .... 204
B.8 The “frmSelectCats” form .... 213
B.9 The “frmSetup” form .... 217
B.10 The “frmSetupNames” form .... 239
B.11 The “frmSWSetup” form .... 247
E.1 Vulnerability history scan data – scan 1 .... 395
E.2 Vulnerability history scan data – scan 2 .... 396
E.3 Vulnerability history scan data – scan 3 .... 396
E.4 Vulnerability history scan data – scan 4 .... 397
E.5 Vulnerability history scan data – scan 5 .... 397
E.6 Vulnerability history scan data – scan 6 .... 398
E.7 Vulnerability history scan data – scan 7 .... 398
E.8 Vulnerability history scan data – scan 8 .... 399
E.9 E.10 E.11 E.12 E.13 E.14 E.15 E.16 E.17 E.18 E.19 E.20 E.21 E.22 E.23 E.24
Vulnerability history scan data – scan 9...........................................................399 Vulnerability history scan data – scan 10.........................................................400 Vulnerability history scan data – scan 11.........................................................400 Vulnerability history scan data – scan 12.........................................................401 Vulnerability history scan data – scan 13.........................................................401 Vulnerability history scan data – scan 14.........................................................402 Vulnerability history scan data – scan 15.........................................................402 Vulnerability history scan data – scan 16.........................................................403 Scan results over the 16 scans for CyberCop vulnerability category 1 .........404 Scan results over the 16 scans for CyberCop vulnerability category 2.........404 Scan results over the 16 scans for CyberCop vulnerability category 3.........405 Scan results over the 16 scans for CyberCop vulnerability category 4.........405 Scan results over the 16 scans for CyberCop vulnerability category 5.........406 Scan results over the 16 scans for CyberCop vulnerability category 6.........406 Scan results over the 16 scans for CyberCop vulnerability category 7.........407 Scan results over the 16 scans for CyberCop vulnerability category 8.........407

E.25 Scan results over the 16 scans for CyberCop vulnerability category 9   408
E.26 Scan results over the 16 scans for CyberCop vulnerability category 10   408
E.27 Scan results over the 16 scans for CyberCop vulnerability category 11   409
E.28 Scan results over the 16 scans for CyberCop vulnerability category 12   409
E.29 Scan results over the 16 scans for CyberCop vulnerability category 13   410
E.30 Scan results over the 16 scans for CyberCop vulnerability category 14   410
E.31 Scan results over the 16 scans for CyberCop vulnerability category 15   411
E.32 Scan results over the 16 scans for CyberCop vulnerability category 16   411
E.33 Scan results over the 16 scans for CyberCop vulnerability category 17   412
E.34 Scan results over the 16 scans for CyberCop vulnerability category 18   412
E.35 Scan results over the 16 scans for CyberCop vulnerability category 19   413
E.36 Scan results over the 16 scans for CyberCop vulnerability category 20   413
E.37 Scan results over the 16 scans for CyberCop vulnerability category 21   414
E.38 Scan results over the 16 scans for CyberCop vulnerability category 22   414
E.39 Scan results over the 16 scans for CyberCop vulnerability category 23   415
E.40 Scan results over the 16 scans for CyberCop vulnerability category 24   415
E.41 Scan results over the 16 scans for CyberCop vulnerability category 25   416
E.42 Scan results over the 16 scans for CyberCop vulnerability category 26   416
E.43 Scan results over the 16 scans for CyberCop vulnerability category 27   417
E.44 Scan results over the 16 scans for CyberCop vulnerability category 28   417
E.45 Scan results over the 16 scans for CyberCop vulnerability category 29   418
E.46 Scan results over the 16 scans for CyberCop vulnerability category 30   418
E.47 Scan results over the 16 scans for CyberCop vulnerability category 31   419

LIST OF TABLES
2.1 Resources covering the information security technologies   15
2.2 The information security technologies   16
4.1 Summary of the harmonised vulnerability categories   49
5.1 State-of-the-art VS products   62
5.2 Harmonised vulnerability categories covered by CyberCop Scanner   64
5.3 Harmonised vulnerability categories covered by Cisco Secure Scanner   65
5.4 Harmonised vulnerability categories covered by SAINT   67
5.5 Harmonised vulnerability categories covered by ISS   69
5.6 Harmonised vulnerability categories covered by Nessus Security Scanner   71
5.7 Important network and system information gathering vulnerabilities   74
5.8 Important backdoors, Trojans, and remote controlling vulnerabilities   75
5.9 Important misconfiguration vulnerabilities   76
5.10 Important denial-of-service (DoS) and buffer overflow vulnerabilities   77
5.11 Important security policy violations vulnerabilities   78
6.1 Problems identified and addressed regarding state-of-the-art VS products   84
6.2 Summary of the harmonised vulnerability categories   93
7.1 The fuzzy groups formed for harmonised vulnerability category K   110
7.2 Mapping table   110
7.3 Distribution of scans and defuzzified ranges   112
7.4 Transforming the defuzzified values using the membership function χ(x)   113
7.5 Results for the ?’s and χ’s   114
7.6 An example FEI calculated for each harmonised vulnerability sorted in order of highest to lowest priority   115
8.1 Example of a vulnerability uncovered during a scan   122
8.2 CyberCop vulnerability categories   122
8.3 Problems identified and addressed regarding state-of-the-art VS products   148
A.1 Typefaces employed to indicate special text   156
D.1 The CyberCop Scanner vulnerability database   309

CHAPTER 1 INTRODUCTION
__________________________________
1.1 INTRODUCTION
The Internet is potentially an invaluable and inexhaustible resource, accessible to each and every person. Almost any conventional publishing medium, such as books, journals and magazines, can be found on the Internet in electronic form these days. The Internet has made life easier in many ways – it has become part of our lives. But, alas, like human nature, it also harbours a dark side, providing, at best, the perfect tool for innocuous pranks such as amateurish attempts at hacking and, at worst, the perfect breeding ground for pernicious cyber-crime schemes and vicious security attacks. One should accept that there will always be pranksters, better known as hackers [CRMC 01], who want to steal information for unethical purposes, or simply jeopardise an organisation by making its system resources unavailable. It is for these reasons that a new research field has evolved over the past decade – information security [INFO 02]. The application of information security enabled businesses to start conducting business over the Internet. Given enough time and resources, however, any information security application can be cracked. This introduces new and challenging problems in the field of information security. This study was, therefore, primarily motivated by the need for better information security applications, especially those in the realm of network security.

1.2 MOTIVATION FOR THIS STUDY
The research undertaken for this study was motivated by a number of realisations. These realisations are discussed in the sections that follow.

Page 1

CHAPTER 1

Open environment of the Internet
The Internet is a public network. This means that anyone could intercept messages that travel across the Internet in a bid to spy or to steal information. The Internet being a public network, however, does not mean that no private information can be sent across it. There are, in fact, numerous information security services [INFO 02] which are used to implement security measures over the Internet. One such service, used specifically to keep messages sent over the Internet private, is referred to as confidentiality. The specific mechanism used to implement confidentiality is referred to as cryptology [PHLE 03]. Currently the Internet runs on a specific protocol referred to as the Internet Protocol (IP) version 4 [IPFA 03]. IP version 4 has been employed since the late 1980s. This version of IP, however, has some design flaws [IPVE 03], in that it was initially developed by the American Department of Defence for a private network. Hence, it was not initially designed to incorporate security features and, therefore, security features had to be added at the application layer of the Internet ISO model [GOLL 99] when the Internet became a public network. Currently a new version of IP – IP version 6 [IPV6 03] – is being developed and will probably replace IP version 4 in the future. IP version 6 is specifically being designed to incorporate security features.

The fact that the Internet is an open environment led to the second realisation.

Rapidly changing environment of the Internet
Probably one of the biggest drawbacks of products, applications and the Internet itself is that they advance so rapidly that information security products struggle to keep up with the pace [SCHU 03]. Naturally, services and applications are being developed and implemented on the Internet – some applications with built-in security features and others without any security features. The reason for some services and applications not having security features built in initially, or having security features built in but not exhaustively, is one of business processes: it is often more important for an organisation to get the business up and running than to wait a while longer and have exhaustive security features implemented. Whether security has been implemented in the services and applications or not, security holes – referred to as vulnerabilities – are found only after such services and applications have been installed and are functioning, and most of the time they are found by hackers [SCHN 00].

If hackers find vulnerabilities first, they will exploit them, which could result in the theft, loss or corruption of data. If security experts find vulnerabilities first, they will create additional code, referred to as a security patch, to rectify the vulnerability. Software vulnerabilities are found and exploited like clockwork by hackers. In response, software patches become available too, but organisations are often the victims of hacker attacks because of this rapidly changing Internet environment. The rapidly changing environment of the Internet led to the next realisation.

A legion of security products available
Because of the rapidly changing environment of the Internet, the number of security products available on the software market today is legion. For almost any security risk that is currently known, security applications have already been developed. Some security products implement information security technologies that have been known to people for ages, for example the Caesar cipher [PHLE 03], named after Julius Caesar. Most recent security products, however, implement information security technologies that have been known to people for only the past decade as a result of the advent of the Internet, for example intrusion detection and vulnerability scanning. Although the implementation of older information security technologies has been perfected to a reasonable extent, current information security products still need to be perfected. These current information security products fall short in many ways, because they are still very new. There is therefore considerable room for improving these information security products. Too many false alarms, responses that are not prompt, too much redundant work and the huge reports generated [SCHN 00] are just some of the areas of information security products that sorely need attention.

Although the information security products need attention in the areas described above, the researcher also realised that there are many implementations by different vendors of the same information security technology, as the following realisation confirms.

Disparity in similar security products
There are often different vendors that create security products for the same security service or application. For example, in the application of cryptology, the following are a few examples of cryptology products and standards created by different vendors which, in essence, perform the same functions – those of encryption and decryption: Privacy Master [WEBR 03], Pretty Good Privacy (PGP) [PGPI 03], Data Encryption Standard (DES) [WEBD 03] and Advanced Encryption Standard (AES) [WEBA 03]. The products mentioned here are all similar in terms of their application, but they are disparate in the way they are implemented. For example, Privacy Master uses symmetric key encryption [WEBS 03], while PGP uses asymmetric key encryption [WEBP 03]. Even more finely disparate, DES uses a key length of 56 bits, while AES uses a key length of 128 bits. This disparity in security products often causes confusion amongst the users and potential users of the different security products in terms of which product is better to use, or which product is the right one to use according to the needs of the user or organisation. The disparity in similar security products is one realisation. However, some of these security products require a colossal effort from an administrator’s point of view to manage, which led to the next realisation.

Huge administrative burden regarding vulnerability scanner products

The nature of security products often involves a huge administrative burden. For example, an information security product known as a vulnerability scanner can reveal vulnerabilities by scanning for them on computers connected to a network. Depending on the number of computers that are scanned during a vulnerability scan, often thousands of vulnerabilities are detected, which results in the generation of a colossal report consisting of hundreds or even thousands of pages. It is left to the responsible administrator to analyse such a report in a bid to rectify the vulnerabilities found. The administrative burden of doing this, therefore, is huge. The result is often that, because of this huge administrative load, security cannot be applied as anticipated due to a shortage of human resources and, therefore, security is often neglected. The above realisations strengthened the researcher’s resolve to develop a model specifically aimed at vulnerability scanning, which would facilitate the job of an administrator and render current vulnerability scanners more effective.

1.3 PROBLEM STATEMENT
This research recognises the importance of information security and specifically that of current information security technologies. It is aimed principally at making a contribution to enhancing risk management by forecasting the extent to which vulnerabilities will occur in the future. A model for vulnerability forecasting is, therefore, proposed that follows a fresh approach to vulnerability assessment. The problem area can be addressed by considering the following research questions:

What is the state of current proactive and reactive information security technologies?
State-of-the-art information security technologies each implement one or more of the five information security services: authentication, confidentiality, integrity, availability and non-repudiation. In doing so, information is secured by the information security technologies either on a proactive basis, by securing information before it can be compromised, or on a reactive basis, by securing information as soon as an attempt is made to compromise it. The investigation of this research question, therefore, will involve a detailed analysis of state-of-the-art information security technologies with the aim of categorising them into proactive and reactive technologies. Furthermore, it should be investigated whether proactive or reactive information security technologies will be used as the platform to conduct this research project. In order to accomplish this, a detailed study will be conducted on one proactive and one reactive information security technology.

What can be done to improve the vulnerability scanning process?
State-of-the-art vulnerability scanners scan for vulnerabilities and report on their findings after a scan is complete. It is difficult and time-consuming, however, to attend effectively to the vulnerabilities reported after such a vulnerability scan, because such reports are often very long and are left entirely to human resources to rectify, leaving them with an immense administrative burden.

The investigation of this research question would therefore involve finding techniques in order to ease the administrative burden on human resources.

How can the impact of current vulnerability scanners on system resources be minimised?
Current vulnerability scanners detect vulnerabilities by scanning for signatures of known vulnerabilities and attack patterns. The modus operandi of a vulnerability scanner is often to simulate attacks against the system resources of a computer or network of computers, to test whether the system resources have been secured sufficiently and, if not, how these computers would react to genuine attacks. This way of detecting vulnerabilities often has the same effect as genuine attacks and, therefore, could deny the services of system resources significantly or entirely. The impact that current vulnerability scanners have on system resources, therefore, may result in the inability of normal business processes to continue, due to the interruption of system resources by a vulnerability scan. The investigation of this research question will involve alternative scanning strategies for current vulnerability scanners.

How can the disparity be addressed in the kinds of vulnerabilities that different vulnerability scanner products can detect?
There is a disparity in current vulnerability scanners in the way that they detect vulnerabilities. An example of a specific area of disparity is that vulnerability scanner X is able to scan for certain vulnerabilities, whereas vulnerability scanner Y scans for different kinds of vulnerabilities. The investigation of this research question will therefore involve finding techniques to standardise the kinds of known vulnerabilities so that, ultimately, it is possible to know which subset of standardised vulnerabilities a specific vulnerability scanner can detect from a potentially exhaustive set of standardised vulnerabilities.
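The idea behind this research question, and behind the "harmonised mapping" that the prototype's Software Package Setup window and tables 5.2 to 5.6 refer to, can be made concrete with a small program. The following is an added example, not code from the thesis or its VF Prototype: it maps each scanner's product-specific vulnerability categories onto a shared set of harmonised categories, reports which subset of the harmonised set each scanner covers (and where the gaps are), and collapses a raw scan report into counts per harmonised category. The harmonised category labels are taken from the titles of tables 5.7 to 5.11 (the thesis defines more categories than these); the H-identifiers, the scanner names X and Y, their product categories and the sample findings are all constructed for this example.

```python
"""Harmonised vulnerability categories: scanner coverage and report collapsing.

Added example, not part of the thesis or its VF Prototype. Category identifiers,
scanner names, product categories and sample findings are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, Mapping, Set, Tuple

# Harmonised categories. Labels follow the vulnerability kinds named in the
# thesis's tables 5.7-5.11; the H-identifiers are invented for this example.
HARMONISED: Dict[str, str] = {
    "H1": "network and system information gathering",
    "H2": "backdoors, Trojans and remote controlling",
    "H3": "misconfiguration",
    "H4": "denial-of-service and buffer overflow",
    "H5": "security policy violations",
}

# Constructed product-specific categories for two hypothetical scanners, X and Y
# (the X and Y of the research question), each mapped to the harmonised
# categories it corresponds to. One product category may map to several
# harmonised ones, and several product categories may map to the same one.
SCANNER_MAPPINGS: Dict[str, Dict[str, Set[str]]] = {
    "X": {
        "Port scan / banner grab": {"H1"},
        "Remote access trojan": {"H2"},
        "Weak service settings": {"H3"},
        "Crash / DoS": {"H4"},
    },
    "Y": {
        "Recon": {"H1"},
        "Config": {"H3"},
        "Overflow": {"H4"},
        "Policy": {"H5"},
        "Account policy": {"H3", "H5"},   # one product category, two harmonised
    },
}


def coverage(mapping: Mapping[str, Set[str]]) -> Set[str]:
    """Return the subset of harmonised categories a scanner can detect."""
    covered: Set[str] = set()
    for targets in mapping.values():
        unknown = set(targets) - set(HARMONISED)
        if unknown:  # a typo in a mapping must fail loudly, not shrink coverage
            raise ValueError(f"unknown harmonised ids in mapping: {sorted(unknown)}")
        covered |= set(targets)
    return covered


def gaps(mapping: Mapping[str, Set[str]]) -> Set[str]:
    """Harmonised categories the scanner cannot detect at all."""
    return set(HARMONISED) - coverage(mapping)


def compare(scanners: Mapping[str, Mapping[str, Set[str]]]) -> Dict[str, List[str]]:
    """For every harmonised category, list (sorted) the scanners that cover it."""
    table: Dict[str, List[str]] = {hid: [] for hid in HARMONISED}
    for name, mapping in scanners.items():
        for hid in coverage(mapping):
            table[hid].append(name)
    return {hid: sorted(names) for hid, names in table.items()}


def harmonise_findings(mapping: Mapping[str, Set[str]],
                       findings: Iterable[Tuple[str, str]]) -> Tuple[Counter, List[str]]:
    """Collapse raw findings (product_category, description) into counts per
    harmonised category. Findings whose product category has no mapping are
    returned separately so they are surfaced instead of silently dropped."""
    counts: Counter = Counter()
    unmapped: List[str] = []
    for product_cat, _description in findings:
        targets = mapping.get(product_cat)
        if not targets:
            unmapped.append(product_cat)
            continue
        for hid in targets:
            counts[hid] += 1
    return counts, unmapped


# Constructed sample output of one scan by scanner Y.
SAMPLE_FINDINGS_Y: List[Tuple[str, str]] = [
    ("Recon", "host answers ICMP timestamp requests"),
    ("Recon", "service banner discloses version"),
    ("Config", "anonymous FTP enabled"),
    ("Account policy", "no password expiry configured"),
    ("Overflow", "service stops responding to over-long input"),
    ("Web", "directory listing enabled"),   # "Web" has no mapping for scanner Y
]

if __name__ == "__main__":
    for hid, names in compare(SCANNER_MAPPINGS).items():
        print(f"{hid} ({HARMONISED[hid]}): covered by {', '.join(names) or 'nobody'}")
    counts, unmapped = harmonise_findings(SCANNER_MAPPINGS["Y"], SAMPLE_FINDINGS_Y)
    print("scanner Y per harmonised category:", dict(counts))
    print("unmapped product categories:", unmapped)
```

The per-category counts returned by `harmonise_findings` are the form in which a long scan report becomes comparable across products and usable as a history series; the list of unmapped product categories is the check worth keeping, since a mapping that silently drops findings would understate a scanner's results rather than reveal a gap in its coverage.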

How should vulnerability scanner products provide more intelligent results so that they will aid risk management?
Current vulnerability scanners are lacking in the sense that they are not able to supply the management of an organisation with sufficient results to enable them to engage in risk management of their information more effectively. An example of “more intelligent results” is a vulnerability scanner that is able to predict the vulnerability trends the organisation can expect in the near future. This research question, in a way, summarises the research questions stated above, since solving those questions would enable the researcher to gather sufficient knowledge about proactive information security technologies so that more intelligent techniques can be applied to solve this research question. Although risk management is a component that is included in the model proposed in this thesis, it is not the aim of this thesis to present a full-blown discussion on risk management. However, the outcome of this thesis would assist human resources when engaging in risk management and, at the heart of being able to provide this outcome, techniques which employ fuzzy logic are used [OBO 95, SMIT 00, B YAZA 92, ZADE 65].

1.4 TERMINOLOGY USED IN THIS THESIS
It is important to correctly interpret the terminology used in this thesis to avoid misunderstanding. Detailed terminology will be defined when encountered throughout the thesis. However, to ensure that the main terms are well defined, the researcher will now provide a brief delineation of what is meant by the terms information security, intrusion detection, vulnerability scanning, and risk management.

1.4.1 Information security
Information, like other important business assets, is an asset that has value to an organisation and consequently needs to be protected [BSIB 03]. Assets, in this context, may include knowledge, facts, data or capabilities. Capabilities can refer to an event that involves the handling of information, for example sending a message. Information security can be defined as measures adopted to prevent the unauthorised use, misuse, modification or denial of the use of assets [MAIW 03]. Furthermore, the objective of information security is not to protect assets, but it is the name given to the preventative measures that can be taken to safeguard assets [IFAC 98]. The measures that information security employs in order to prevent the unauthorised use, misuse, modification or denial of the use of assets are known as the five information security services, as described below [GOLL 99, ISOR 89]:
- Authentication is concerned with a process or method to identify and prove the identity of a party who attempts to send a message or access data.
- Confidentiality is concerned with the protection of information against disclosure to an unauthorised party.
- Integrity is concerned with the protection of information against being changed by an unauthorised party.
- Availability is concerned with information being made available to authorised parties when requested.
- Non-repudiation is concerned with providing proof of origin such that the sender cannot deny sending a specific message, and the recipient cannot deny receiving that message.

Any security product that is developed implements the five information security services to a certain extent by means of technologies, be they hardware or software technologies. Technology refers to “the application of science, especially to industrial or commercial objectives” [LEXI 02]. Information security technology refers to the application of all possible state-of-the-art security technologies to all possible information [INFO 02]. This thesis ascribes to two specific information security technologies, namely intrusion detection and vulnerability scanning. The following two sections define these two terms.

1.4.2 Intrusion detection
An intrusion is any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource. Intrusion detection is the process of monitoring the events that occur in a computer system or network and analysing them for signs of intrusions [BACE 00]. Intrusion detection is considered a reactive information security technology, because a reaction occurs only after an intrusion has taken place. An intrusion detection system (IDS) is a software product or hardware technology that automates the monitoring process [KIDO 01].

The counter technology for intrusion detection is known as vulnerability scanning, which is defined in the next section.

1.4.3 Vulnerability scanning
A vulnerability is a state of being exposed to attack, injury, ridicule or litigation [LEXI 03]. In the context of this thesis, a vulnerability is a known weakness in a computer system that is exposed to attack, and which can be exploited by a hacker. To scan means “to examine closely” [LEXI 03], and a vulnerability scanner (VS) is an automated scanning program that closely examines or scans a computer or a network of computers to proactively detect known vulnerabilities [SCHN 00]. Vulnerability scanning, therefore, is an information security technology implemented by a VS information security product. Vulnerability scanning is often alternatively referred to as vulnerability assessment, but the terms vulnerability scanning and vulnerability scanner are preferred and will be used throughout this thesis. The proactive concept refers to those information security technologies that attempt to deal with information security issues before any attempt can be made by an attacker to break into or harm a system. Proactive information security technologies may assist with risk management, because risk management can also be considered a proactive process in which risks are identified before they can occur. Risk management is defined in the section that follows.

1.4.4 Risk management
The term “risk” means “the possibility of suffering harm or loss” [LEXI 03]. Risk management, in the context of this thesis, therefore, is the process that allows one to identify threats and risks and then eliminate those that can be eliminated and minimise the rest [BACE 00]. The threats and risks refer to vulnerabilities in terms of this thesis. The rest of the thesis is laid out as discussed in the section that follows.

1.5 LAYOUT OF THESIS
This thesis consists of nine chapters. The current chapter, chapter 1, provides an introduction to the research problem. In chapter 2, the reader is provided with a taxonomy for information security technologies. Special reference is made in this chapter to the two main aspects of this taxonomy, namely proactive and reactive information security technologies. In the next chapter, chapter 3, two specific information security technologies are discussed – one reactive and one proactive information security technology. The reactive information security technology discussed is intrusion detection, while vulnerability scanning is the proactive information security technology discussed. For each of these technologies, an overview is provided, followed by an architectural description of the technology itself as well as alternative architectures. After that, the problems of the particular information security technology are discussed, followed by some examples of commercially available information security products for the particular information security technology.

One of the major problems, as identified in chapter 1 and discussed in chapter 3, is tackled in chapter 4 – standardising vulnerability categories so that harmonised vulnerability categories are formed. The chapter describes the method used to compile such harmonised vulnerability categories, and then discusses each of the categories in detail. In order to see how the harmonised vulnerability categories can be applied, chapter 5 provides an overview of current VS products and then discusses the impact of the harmonised vulnerability categories on the VS products. In addition, the researcher describes how each VS product was practically experienced and provides comments on the vulnerability database of each. Thereafter, specific differences in these VS products are pointed out using the harmonised vulnerability categories. Chapter 6 continues to address the rest of the problems as stated in the problem statement by introducing the concept of vulnerability forecasting. In this chapter, a conceptual model for doing vulnerability forecasting is proposed. The design of the model is discussed in detail, with specific reference to the design of the database used for vulnerability forecasting. One of the components that forms the heart of the vulnerability forecasting model, the vulnerability forecast engine, is discussed in detail in chapter 7. This chapter explains the input that the vulnerability forecast engine receives, and how the input is transformed using five sophisticated steps and fuzzy logic techniques in order to produce as output the vulnerability forecast. The thesis culminates in chapter 8, where the model for vulnerability forecasting is tested using a prototype for vulnerability forecasting. This chapter first explains the extent to which the prototype was developed and implemented according to the vulnerability forecasting model. It then explains how the prototype can be installed and executed. Furthermore, the chapter demonstrates the operation of the prototype in detail and reports on the findings of the prototype. The thesis summarises the research undertaken in chapter 9 and explains the extent to which the research problem has been solved. The thesis concludes with a reflection on possible areas for future research. Finally, appendices are given, followed by a bibliography of resources consulted for this research.

CHAPTER 2 A TAXONOMY FOR INFORMATION SECURITY TECHNOLOGIES
__________________________________
2.1 INTRODUCTION
As the Internet took the world by storm in the mid-1990s, so did security problems. Unfortunately, hackers developed their own software which enabled them, for example, to sniff a password being sent over the Internet. In another example, a hacker might send malicious data over the Internet so that servers connected to the Internet will not be able to handle such malicious data and will simply fail.

Fortunately, intensive research in computer and Internet security over the past decade has delivered countermeasure technologies, better known as information security technologies, for the majority of these and other security problems. This chapter presents a taxonomy of the information security technologies available today, after which each technology is briefly explained.

2.2 A TAXONOMY FOR INFORMATION SECURITY TECHNOLOGIES
What is information security technology? Information security involves the protection of information [MASI 02] and minimises the risk of exposing information to unauthorised parties [KIDO 01]. According to Dictionary.com, technology is “the application of science, especially to industrial or commercial objectives” [LEXI 02]. Information security technology thus refers to the application of all possible state-of-the-art security technologies to all possible information [INFO 02].


Figure 2.1 shows a taxonomy of information security technologies. A taxonomy is the classification of objects in an ordered list or hierarchy of terms that indicates natural relationships [COSL 02, LEXI 02]. This taxonomy is based primarily on two characteristics:
1. The specific point in time, namely proactive or reactive, when the technology interacts with data.
2. Whether the technology interacts at network, host, or application level.

Figure 2.1: A taxonomy of information security technologies
- Proactive
  - Network level: Security hardware, Virtual private networks, Security protocols, Security SDKs, Cryptography
  - Host level: Security hardware, Anti-virus scanners, Security protocols, Vulnerability scanners, Security SDKs
  - Application level: Anti-virus scanners, Cryptography, Security SDKs, Digital signatures, Digital certificates
- Reactive
  - Network level: Access control, Biometrics, Logging, Firewalls, Passwords, Intrusion detection
  - Host level: Access control, Biometrics, Logging, Firewalls, Passwords, Intrusion detection, Remote accessing
  - Application level: Access control, Biometrics, Logging, Passwords

Proactive means that preventative measures have been taken by the specific information security technology in a bid to secure data or resources before a security breach can occur. Reactive means that curing measures are being taken by the specific information security technology in a bid to secure data or resources as soon as a security breach is detected. Both proactive and reactive information security technologies can apply to network, host, or application level. Information security technologies at network level attempt to secure data or resources being transmitted over a system of computers interconnected by telephone wires or other means in order to share information. Information security technologies at host level attempt to secure data or resources that reside on a single computer. Information security technologies at application level attempt to secure data or resources that specifically relate to a single computer program on a host.

A comprehensive literature study was conducted to identify the state-of-the-art information security technologies available. This is indicated in table 2.1. A distinction was made between journals and books. The objective was to firstly identify which technologies are addressed by the different resources and secondly the degree to which these technologies are addressed. Whenever a specific information security technology was addressed by a specific resource, it was taken into account. A tick mark shown in table 2.1 appears only when the specific technology is addressed comprehensively by a specific resource.

Table 2.1: Resources covering the information security technologies
Columns (technologies): Intrusion detection systems, Virtual private networks, Vulnerability scanners, Anti-virus scanners, Security protocols, Security hardware, Digital certificates, Digital signatures, Remote access, Access control, Security SDKs, Cryptography, Passwords, Biometrics, Firewalls, Logging.
Rows (resources):
Journals: Computers & Security [COMP 02]; Computer Fraud & Security [FRAU 02]; Network Security [NETW 02].
Books: Internet & TCP/IP Network Security [PAGU 96]; Secure Communicating Systems [HUTH 01]; Computer Security Policies [WACA 98]; Windows 2000 Security [MCLE 00]; Hackers Beware [COLE 02]; Computer Security [CARR 96]; Hacking Exposed [MCSK 02]; Intrusion Detection [BACE 00]; Network Intrusion Detection [NONM 01]; Access Denied [CRMC 01]; Internet & Intranet Security [OPPL 98]; Secrets & Lies [SCHN 00]; Security Architecture [KIDO 01]; Security in Computing [PHLE 03]; Computer Security [GOLL 99]; Information Security Architecture [TUDO 00]; Web Security [STEI 98]; Web Security [TIWA 99].
[Tick-mark cells of the table omitted]

The information security technologies are listed in table 2.2 and a brief description of each of these technologies is given in the sections that follow.

2.2.1 Proactive information security technologies
Proactive information security technologies take preventative measures by securing data or resources before a security breach can occur. The sections that follow set out to describe each proactive information security technology listed in table 2.2.

Table 2.2: The information security technologies
2.1 Proactive information security technologies
  2.1.1 Cryptography
  2.1.2 Digital signatures
  2.1.3 Digital certificates
  2.1.4 Virtual private networks
  2.1.5 Vulnerability scanners
  2.1.6 Anti-virus scanners
  2.1.7 Security protocols
  2.1.8 Security hardware
  2.1.9 Security SDKs
2.2 Reactive information security technologies
  2.2.1 Firewalls
  2.2.2 Access control
  2.2.3 Passwords
  2.2.4 Biometrics
  2.2.5 Intrusion detection systems
  2.2.6 Logging
  2.2.7 Remote accessing

2.2.1.1 Cryptography

Cryptography, in simple terms, means “hidden writing”. It is the science of protecting data confidentiality and integrity [MCSK 02]. Encryption is the process of transforming or scrambling a cleartext message so that it becomes a ciphertext message. Synonyms for encryption are encode and encipher. The reverse process of encryption is called decryption, which is the process of rearranging the ciphertext so that a ciphertext message is transformed into a cleartext message. Synonyms for decryption are decode and decipher. Cryptography is a proactive information security technology because it safeguards data before a potential threat can materialise by encrypting the data. This is done to prevent an intruder from tapping a network wire and sniffing sensitive information from the network. Furthermore, cryptography is performed at various levels as indicated by the taxonomy:
- At application level: A specific application performs the encryption process before an intruder is able to intercept sensitive data.
- At network level: Hardware rather than software encryption can take place where hardware encryption modules can be placed at network level.

2.2.1.2 Digital signatures

A digital signature can be thought of as the equivalent of a handwritten signature with the same goal: associating a mark that is unique to an individual with a body of text [PHLE 03]. In the same way as a handwritten signature, a digital signature must not be forgeable, in other words only the legitimate sender of a message should be able to create the digital signature [KIDO 01]. Digital signatures are created using cryptographic algorithms. A digital signature is a proactive information security technology because the digital signature is created before any dispute can arise that a specific sender of a message is not really the intended sender. Creating a digital signature thus indicates beforehand that a specific sender of a message is the sole creator of that message. Furthermore, a digital signature is created at the following level as indicated by the taxonomy:
- At application level: The digital signature is created by a specific application before it is sent off to a specific receiver.

2.2.1.3 Digital certificates

Digital certificates attempt to solve the problem of trust on the Internet. They are issued by trusted third parties, also referred to as certificate authorities (CAs) [TIWA 99]. CAs are commercial enterprises that vouch for the identities of people or organisations on the Web [STEI 98]. A network of trust is thus established amongst Web users. In simple terms the concept of “trust” or “vouching for” can be stated as “someone I trust – the CA – trusts this other person, so I will trust him as well” [PHLE 03]. A digital certificate is a proactive information security technology because the certificate is used to distribute the public key of a communicating party to another communicating party. In this way trust is also established before any communication between parties takes place. Furthermore, a digital certificate is implemented at the following level as indicated by the taxonomy:
- At application level: A specific application, for example a Web browser, verifies that it can trust a specific party before communication commences.

2.2.1.4 Virtual private networks

Virtual private network (VPN) technology encrypts network traffic and therefore the technology is closely related to cryptography. A VPN allows an organisation with multiple sites to connect these sites over a public network, i.e. the Internet, with the advantages that all data packets that travel between the sites are encrypted and secure [COME 99]. In addition, the packets are restricted by the VPN technology to only travel between the organisation’s sites. The difference in functionality between normal encryption and VPNs, however, is that the data is encrypted only when it is transmitted over a public network – the data that travels between the originating host and the VPN host is not encrypted. In addition, data will only be encrypted by the VPN if it originates from an authenticated host. A VPN is a proactive information security technology because it safeguards data before it is transmitted over a public network by encrypting it so that only legitimate persons are able to read the information. Furthermore, VPNs work at the following level as indicated by the taxonomy:
- At network level: The encryption process is done between two VPN hosts sitting on the points-of-entry in a network before the encrypted data is sent over a network.

2.2.1.5 Vulnerability scanners

Vulnerability scanners (VSs) use signatures for the vulnerabilities they can identify. Therefore, a VS is an information security technology which is but a special case of intrusion detection [BACE 00]. Vulnerability scanning is also referred to as interval-based scanning, because hosts on a network are scanned at certain intervals and not continuously. When a VS has completed a scan and sampled the data into a report, it is referred to as a snapshot.

A VS is a proactive information security technology because it attempts to identify vulnerabilities before they can be exploited by intruders or malicious applications. Furthermore, VSs work at the following level as indicated by the taxonomy:
- At host level: A VS scans for vulnerabilities across an entire host in a bid to identify vulnerabilities in all the software applications and the hardware of the specific host.

2.2.1.6 Anti-virus scanners

Computer viruses have caused havoc on the Internet over the past decade. A computer virus is a piece of malicious software which has the ability to reproduce itself across the Internet, once activated [MCSK 02]. Therefore anti-virus scanners have been developed to counteract computer viruses. Anti-virus scanners attempt to scan for viruses before they can cause havoc, much in the same way as VSs in that they also “know” what a specific virus’s signature looks like. Anti-virus software is therefore also a proactive information security technology. Furthermore, anti-virus scanning is performed at various levels as indicated by the taxonomy:
- At application level: A specific application scans for known virus signatures in an effort to detect them before they can cause havoc. Viruses at application level tend to be Trojan horses, because they are hidden in an application and only activate once that application is executed; they do not reproduce themselves.
- At host level: Viruses that have the ability to reproduce themselves by using e-mail applications, for example, can cause malicious activity almost anywhere on a host. Such viruses need to be scanned for across the entire host before they can start their malicious activity.

2.2.1.7 Security protocols

There are different protocols, for example Internet Protocol Security (IPSec) and Kerberos, that can be classified as information security technologies. These protocols are technologies that use a standard procedure for regulating data transmission between computers or applications to safeguard sensitive information before such information can be intercepted by intruders.

Security protocols are proactive information security technologies because they attempt to safeguard sensitive information using a specific security protocol before such information can be intercepted by intruders. Furthermore, security protocols work at various levels as indicated by the taxonomy:
- At application level: A security protocol, for example Kerberos, is a mutual authentication protocol which handles authentication at application level.
- At network level: A security protocol also relies on a network infrastructure to perform its security task, whether it is to encrypt data or simply to encapsulate a network packet in an effort to hide the packet’s identity for security purposes.

2.2.1.8 Security hardware

Security hardware refers to physical hardware devices used to perform security tasks, for example hardware encryption modules or hardware routers. Security hardware is a proactive information security technology because it safeguards data before a potential threat can materialise by, for example, encrypting data. This is done to prevent an intruder from changing or modifying the hardware device, since security hardware consists of physical devices that are tamper-proof. Furthermore, security hardware is implemented at various levels as indicated by the taxonomy:
- At host level: A hardware device can be attached to a specific host to perform its security function, for example a hardware key could be inserted into a specific port of a host to authenticate a specific user before the user is able to log on to the host.
- At network level: Hardware encryption modules can be placed on the network, which provides a tamper-proof solution, and can be physically secured.

2.2.1.9 Security SDKs

Security software development kits (SDKs) are programming tools used to create security programs. The Java security manager and Microsoft .NET SDKs are examples of software that can be used to build security applications such as Web-based authentication programs.

Security SDKs are proactive information security technologies because they are used to develop various software security applications that safeguard data before a potential threat can materialise. Furthermore, security SDKs are used to develop security software at various levels as indicated by the taxonomy:
- At application level: A specific software application can be developed to safeguard data by encrypting data on disk, for example.
- At host level: A specific software application can be developed to authenticate a user or a process to a host.
- At network level: A specific software application can be developed to safeguard data by encrypting it before sending it over a network, for example.

2.2.2 Reactive information security technologies
Reactive information security technologies take curing measures by securing data or resources as soon as a security breach is detected or after such a security breach has occurred. The sections that follow set out to describe each reactive information security technology listed in table 2.2.

2.2.2.1 Firewalls

An Internet firewall is a software tool installed on a specially configured computer that serves as a blockade, filter, or bottleneck between an organisation’s internal or trusted network and the untrusted network or Internet [TIWA 99]. The purpose of a firewall is to prevent unauthorised communications into or out of the organisation’s internal network or host [OPPL 98]. Firewalls are considered as the first line of defence in keeping intruders out [PAGU 96]. Personal firewalls are new to the security arena. Unlike traditional firewalls, personal firewalls are installed on a normal workstation and attempt to only protect that specific workstation from the rest of the hosts on the network or the Internet. Firewalls are reactive information security technologies because they are used to act against specific security incidents as soon as they occur. Furthermore, firewalls are implemented at various levels as indicated by the taxonomy:
- At host level: A personal firewall can be installed on a host that attempts to block or allow certain data flow to and from that specific host only.
- At network level: A network firewall can be installed on a host that is acting as the gateway to a private network. A network firewall attempts to block or allow certain data flow to and from all the hosts situated behind the network firewall.

2.2.2.2 Access control

The goal of access control is to ensure that a subject has sufficient rights to perform certain actions on a system [KIDO 01]. A subject may be a user, a group of users, a service, or an application. Subjects have different levels of access to certain objects in a system. An object may be a file, a directory, a printer, or a process.

Access control is a reactive information security technology because it is used to allow or deny access to a system as soon as an access request is made. Furthermore, access control is implemented at various levels as indicated by the taxonomy:
- At application level: Access is allowed or denied to subjects on access requests to specific objects using access control lists in an application.
- At host level: Access is allowed or denied to a host when a user attempts to log on to the host.
- At network level: Access is allowed or denied to the network when a user attempts to log on to the network through a host or process.

2.2.2.3 Passwords

A password is a secret word, phrase, or sequence of characters that one must input to gain admittance or access to information such as a file, application, or computer system [LEXI 02]. Passwords, however, should be considered as a technology on its own since the literature, as presented in table 2.1, does so.

Passwords are reactive information security technologies because they are used to allow or deny access to a system as soon as a person or a process wants to log on to an application, host, or network. Furthermore, passwords are implemented at various levels as indicated by the taxonomy:
- At application level: A person or process is allowed or denied access to a specific application, depending on whether the person or process provides the correct password.
- At host level: A person or process is allowed or denied access to a specific host, depending on whether the person or process provides the correct password.
- At network level: A person or process is allowed or denied access to a network, depending on whether the person or process provides the correct password.

2.2.2.4 Biometrics

Biometrics uses the geometry of a specific part of a human body to authenticate a person. There are many different implementations of biometrics, for example hand, fingerprint, retina and voice recognition biometrics. Biometrics is a reactive information security technology because it is used to allow or deny access to a system as soon as a person wants to log on to an application, host, or network using the geometry of a part of his/her human body. Furthermore, biometrics is implemented at various levels as indicated by the taxonomy:
- At application level: A person is allowed or denied access to a specific application, depending on whether the person provides his/her own biometric characteristic. For example, a user might be requested to place a finger on a fingerprint reader in order to open a top secret file.
- At host level: A person is allowed or denied access to a specific host, depending on whether the person provides his/her own biometric characteristic. For example, a user might be requested to place a finger on a fingerprint reader in order to log onto a workstation.
- At network level: A person is allowed or denied access to a network, depending on whether the person provides his/her own biometric characteristic. For example, a user might be requested to place a finger on a fingerprint reader in order to access other hosts or resources across a network domain.

2.2.2.5 Intrusion detection systems

An intrusion detection system (IDS) is a software or hardware technology that, once activated, constantly monitors a computer system for intrusions [BACE 00, KIDO 01].

IDSs are reactive information security technologies because they are used to monitor hosts on a network and to act on an intrusion as soon as it occurs. Furthermore, IDSs are implemented at various levels as indicated by the taxonomy:
- At host level: An IDS monitors a specific host to detect intrusions on that specific host. It runs on an individual host and continually reviews the host’s audit log, looking for possible indications of an intrusion [COLE 02].
- At network level: An IDS node can be placed in a network which attempts to detect and react on intrusions caused by multiple hosts, for example a distributed denial-of-service attack.

2.2.2.6 Logging

Logging is an information security technology that attempts to gather information on certain events that take place. The goal of logging is to supply audit trails which can be traced after a security incident has taken place. Logging is a reactive information security technology because it is used to trace security incidents after they have taken place. Furthermore, logging is implemented at various levels as indicated by the taxonomy:
- At application level: A specific software application monitors other software applications and records the events caused by those software applications.
- At host level: A specific software application monitors the processes that are run by the operating system and records the events caused by those processes.
- At network level: A specific hardware or software application can monitor network traffic as it moves past the network monitor at a specific point in a network.

2.2.2.7 Remote accessing

Remote accessing is an information security technology that allows people or processes to access remote services. However, access to remote services is not always controlled because it is possible to access a remote service anonymously. In this case, accessing remote services anonymously poses a threat. For example, some systems may be wrongly configured to allow anonymous connections by default, when anonymous connections should not actually be allowed according to an organisation's security policy.

Remote accessing is a reactive information security technology because it enables a user or process to connect to a remote service according to their access privileges. Furthermore, remote accessing is implemented at the following level as indicated by the taxonomy:
- At host level: A specific host runs a service that enables a remote user or process to connect to it for reasons such as doing remote administration on that host, or legitimately accessing resources on the host.

2.3 CONCLUSION
The taxonomy for information security technologies discussed in this chapter provides an overview of the state-of-the-art information security technologies. It is important for an organisation to know which information security technologies are available.

Furthermore, having such a taxonomy of information security technologies will also stimulate new research. For example, intrusion detection systems are not yet intelligent enough – a human still needs to interact too much in setting up and maintaining intrusion detection systems. In another example, vulnerability scanners take up too many resources and too much time to be effective enough since regular scans need to be conducted for such a technology to be effective.

New initiatives might also be researched, such as combining various information security technologies to form more intelligent ones. For example, it might be possible in the near future to combine firewalls, intrusion detection systems, and anti-virus scanner technologies to form a robust information security technology. The next chapter will discuss two specific information security technologies in more detail. These two technologies are intrusion detection and vulnerability scanning.


CHAPTER 3
STATE-OF-THE-ART INTRUSION DETECTION AND VULNERABILITY SCANNING

3.1 INTRODUCTION
These days, there are so many reports of security incidents, for example a hacker that has compromised millions of credit card numbers [HILL 02], or yet another lethal computer virus that has caused the loss of extraordinary amounts of money [PALM 01]. This indicates that computer security is without a doubt a major problem. There are many reasons for this, but, in general, applying computer security in an organisation in the twenty-first century has become a much more difficult task than it was perhaps a decade ago. This is because the Internet expanded much faster than anyone anticipated. The Internet was not initially designed to act as a carrier of public as well as private information and therefore security is a feature that was added only later.

The question is: how secure is the information that resides on a single computer or that travels over a public network? There are many ways in which information can be secured by using information security technologies [VEE1 03], and these were discussed in the previous chapter. This chapter will address reactive and proactive security measures by using two specific information security technologies: intrusion detection as a reactive information security technology, and vulnerability scanning as a proactive information security technology. Although intrusion detection and vulnerability scanning are seen as two different security technologies, there are also similarities between them. The chapter concludes with final remarks on intrusion detection and vulnerability scanning.

3.2 INTRUSION DETECTION

3.2.1 What is intrusion detection?
Intrusion detection is the process of monitoring the events that occur in a computer system or network and analysing them for signs of intrusions [BACE 00]. An intrusion is any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource. An intrusion detection system (IDS) is a software or hardware technology that automates this monitoring and analysis process [KIDO 01, GENG 02]. IDSs are reactive information security technologies because they attempt to detect an intrusion as soon as it occurs or after it has occurred. Therefore IDSs are sometimes also referred to as monitors [BACE 00]. Other systems that are analogous to IDSs are burglar alarms and video surveillance systems. Both these systems and IDSs have one thing in common: attempting to trigger some sort of alarm when an intruder crosses a prohibited boundary. There are several architectures that are used to build different IDSs. Architecture in this context refers to the overall design, construction, and orderly arrangement of components – specifically of an IDS [LEXI 03]. The reason for the different architectures being employed is a result of the evolving intrusion detection needs over the past years. These architectures are discussed in the next section.

3.2.2 The architecture of IDSs
There are some aspects that play an important role in the architecture of IDSs. These aspects include the following:
- The location of the IDS in a network.
- The data source that serves as input to the IDS.
- The analysis engine that forms the heart of the IDS.
- An intrusion template database that contains known templates of intrusions.
- The way in which IDSs report their findings.


The above aspects are discussed in detail throughout this section. The data source, analysis engine, database, and report aspects of IDSs also form part of the main components of an IDS.

The typical location of an IDS is shown in figure 3.1. IDSs can detect intrusions that occur from a remote or outside network, as well as from an inside, or protected, network.

Figure 3.1: The typical location of an IDS in a network. Elements shown: Internet, Router, Firewall and Target on the outside path (detecting intrusions from an outside network at network level); IDS host, Firewall and Target hosts on the protected network (detecting intrusions from a protected network at network, host or application level).

A very important aspect of IDSs is that they require a data source, such as applications, hosts, and networks, to collect logged data or network traffic which will be interpreted by the IDS in a bid to detect intrusions. An IDS can monitor for such data at different sources at different levels, as depicted by figure 3.1. However, the data being captured during monitoring is collected by a separate module, referred to as the IDS host. The different levels of data sources that an IDS may monitor are referred to as the targets. The following are the different targets that an IDS can monitor [COLE 02]:
- Network-based targets: The target here is an internal or external network where the IDS sniffs all network traffic crossing over a specified section of a network. While looking at the packets that it sniffs, an IDS looks for signatures that indicate possible intrusions.
- Host-based targets: The target here is an individual host. The IDS continually reviews the host’s audit log, typically at operating system level, looking for possible indications of an intrusion. Host-based IDSs are operating system-specific.
- Application-based targets: The target here is one or more specific applications that are running on a target host. The IDS continually reviews an audit log for the specific application, looking for possible indications of an intrusion.
- Target-based targets: The target here is somewhat different from the previous targets in the sense that target-based IDSs generate their own data. This is done, for example, by using cryptographic hash functions to detect alterations to system objects and then, by comparing the alterations to a predefined policy, the IDS can possibly detect an intrusion.
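The target-based approach in the last item, as an added example that is not code from the thesis: a hypothetical check hashes constructed system objects, compares the digests to a baseline and applies a predefined policy; the object names, the policy rules (immutable, append-only, volatile) and the observed contents are all assumptions made for the illustration.

```python
"""Target-based IDS check (added example, hypothetical code): the IDS generates its
own data by hashing system objects and compares the result to a predefined policy."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BaselineEntry:
    digest: str   # SHA-256 hex digest of the object's content at baseline time
    length: int   # content length at baseline time, used by the append-only rule


# Predefined policy (constructed): how each system object may legitimately change.
POLICY = {
    "/etc/passwd": "immutable",          # any change at all is reported
    "/bin/login": "immutable",
    "/var/log/auth.log": "append-only",  # may grow, but earlier content must not change
    "/tmp/session.cache": "volatile",    # expected to change, never reported
}

# Constructed stand-ins for the objects as they looked when the baseline was taken.
BASELINE_OBJECTS: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/bin/login": b"\x7fELF-constructed-binary-image",
    "/var/log/auth.log": b"Jan 1 10:00:00 login: session opened for root\n",
    "/tmp/session.cache": b"cache-v1",
}

# Constructed observation from a later check: one file edited, one log line rewritten,
# one expected change, and one object that did not exist at baseline time.
OBSERVED_OBJECTS: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n",
    "/bin/login": BASELINE_OBJECTS["/bin/login"],
    "/var/log/auth.log": b"Jan 1 10:05:00 login: session opened for root\n",
    "/tmp/session.cache": b"cache-v2",
    "/usr/bin/.hidden": b"constructed-unknown-object",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(objects: Dict[str, bytes]) -> Dict[str, BaselineEntry]:
    """Record digest and length of every object; this is the IDS's own generated data."""
    return {path: BaselineEntry(sha256_hex(content), len(content))
            for path, content in objects.items()}


def detect_alterations(baseline: Dict[str, BaselineEntry],
                       current: Dict[str, bytes],
                       policy: Dict[str, str]) -> List[Tuple[str, str]]:
    """Re-hash the current objects and return sorted (path, finding) pairs that
    violate the policy. Objects without a policy entry are treated as immutable."""
    findings = []
    for path, entry in baseline.items():
        rule = policy.get(path, "immutable")
        if rule == "volatile":
            continue
        if path not in current:
            findings.append((path, "missing"))
            continue
        content = current[path]
        if rule == "immutable":
            if sha256_hex(content) != entry.digest:
                findings.append((path, "modified"))
        elif rule == "append-only":
            # The first `entry.length` bytes must still hash to the baseline digest;
            # if not, earlier log content was rewritten or the log was truncated.
            prefix_ok = (len(content) >= entry.length
                         and sha256_hex(content[:entry.length]) == entry.digest)
            if not prefix_ok:
                findings.append((path, "truncated-or-rewritten"))
        else:
            raise ValueError(f"unknown policy rule {rule!r} for {path}")
    for path in current:
        if path not in baseline:
            findings.append((path, "unexpected-new-object"))
    return sorted(findings)


def run_check() -> List[Tuple[str, str]]:
    """Baseline the constructed objects, then check the constructed observation."""
    return detect_alterations(build_baseline(BASELINE_OBJECTS), OBSERVED_OBJECTS, POLICY)


if __name__ == "__main__":
    for path, finding in run_check():
        print(f"{finding:24s} {path}")
```

A log that has only grown since the baseline passes the append-only rule, while a rewritten earlier line is reported even though the file length is unchanged.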

The analysis engine is used by the IDS to process the source data. The analysis engine takes the information gathered from the data source and analyses it for signs of intrusion. The modus operandi of the analysis process is to match each piece of data from the data source with a specific template stored in an intrusion template database. This database contains different templates of known intrusion techniques. An intrusion is therefore detected as soon as a piece of the source data matches a template intrusion in the intrusion template database. At the same time that an intrusion is detected, it is logged in the form of a detailed IDS report of the possible intrusions detected and some IDSs additionally sound an alarm so that a person can interact and deal with the intrusion. Most IDS approaches include two distinctive architectures: pattern matching and anomaly detection [DENN 87, COLE 02, ASTI 99]. Both these distinctive architectures, however, contain an analysis engine component. The analysis engine forms the heart of any IDS and it is this component that is of particular importance in this research. These two distinctive architectures are discussed in the next two sections.

3.2.2.1 Pattern-matching IDS architecture

Figure 3.2 shows a typical pattern-matching IDS architecture [BACE 00].

STATE-OF-THE-ART INTRUSION DETECTION AND VULNERABILITY SCANNING

Figure 3.2: Pattern-matching IDS architecture (IDS host containing the data source, the analysis engine with its pattern matcher and profile database, and the report generator)

Pattern-matching IDSs, sometimes referred to as misuse detection IDSs [SCHN 00], include the following specific components:
• The data source that serves as input to the pattern-matching IDS.
• The analysis engine in the architecture, which consists of the following components:
  o The pattern matcher, which attempts to detect intrusions by identifying certain patterns of intrusion.
  o A signature database that contains known patterns of intrusions.
• The report generator for reporting on the intrusions detected.
The data source includes anything from operating system audit trails and log files to raw network packets, depending on how the specific pattern-matching IDS is set up to collect source data. Each piece of source data is carefully analysed by the pattern matcher and then compared to known intrusion patterns referred to as signatures. These signatures are stored in a signature database. The signature database needs to be regularly updated with new intrusion signatures as new intrusion techniques are discovered. When the pattern matcher finds activity that matches a specific signature in its signature database, a report generator component compiles a report of the intrusions each time an intrusion is detected. As part of the report generator, alarms may also be sounded for a human to interact on a specific intrusion in progress.
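The pattern-matching analysis engine described above, as an added example that is not code from the thesis or its prototype: a signature database of regular expressions is matched against each line of an audit trail and a report generator collects every hit. The signatures and the audit-log excerpt are constructed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    """One entry in the signature database: a name and a regular expression
    describing the pattern of activity that the signature stands for."""
    name: str
    pattern: str


# Constructed signature database (hypothetical entries, not a real rule set).
SIGNATURE_DATABASE = [
    Signature("repeated-failed-login", r"FAILED LOGIN .* from (?P<src>\S+)"),
    Signature("setuid-shell-created", r"chmod u\+s .*/(sh|bash)$"),
    Signature("passwd-file-copied", r"cp /etc/(passwd|shadow) "),
]


@dataclass
class Report:
    """What the report generator compiles: one entry per signature hit,
    as (line number in the data source, signature name, matched text)."""
    hits: list = field(default_factory=list)

    def summary(self):
        """Number of hits per signature, for the human reading the report."""
        counts = {}
        for _, name, _ in self.hits:
            counts[name] = counts.get(name, 0) + 1
        return counts


def pattern_matcher(audit_lines, signatures=SIGNATURE_DATABASE):
    """Analysis engine: compare every piece of source data with every
    signature; each match is an intrusion that goes into the report."""
    compiled = [(sig, re.compile(sig.pattern)) for sig in signatures]
    report = Report()
    for line_no, line in enumerate(audit_lines, start=1):
        for sig, regex in compiled:
            match = regex.search(line)
            if match:
                report.hits.append((line_no, sig.name, match.group(0)))
    return report


# Constructed audit-trail excerpt standing in for the data source.
SAMPLE_AUDIT_LOG = [
    "Jan 01 10:00:01 host sshd: Accepted password for alice from 10.0.0.5",
    "Jan 01 10:00:07 host sshd: FAILED LOGIN 1 from 10.0.0.9 for root",
    "Jan 01 10:00:09 host sshd: FAILED LOGIN 2 from 10.0.0.9 for root",
    "Jan 01 10:01:30 host sh: cp /etc/shadow /tmp/.x",
    "Jan 01 10:01:31 host sh: chmod u+s /tmp/sh",
    "Jan 01 10:02:00 host cron: job finished",
]

if __name__ == "__main__":
    for hit in pattern_matcher(SAMPLE_AUDIT_LOG).hits:
        print(hit)
```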

3.2.2.2 Anomaly detection IDS architecture

Figure 3.3 shows a typical anomaly detection IDS architecture [BACE 00].

Figure 3.3: Anomaly detection IDS architecture (IDS host containing the data source, the analysis engine with its profile engine, anomaly detector and profile database, and the report generator)

The data source and report generator components for the anomaly detection architecture are the same as for the pattern-matching architecture. The anomaly detection architecture, however, has the following components that differ from the pattern-matching architecture:
• The analysis engine in the architecture, which consists of the following components:
  o The profile engine.
  o The anomaly detector.
• A signature database that contains known patterns of normal user or system behaviour.
Each piece of source data is carefully grouped by the profile engine to form sets of related user or system behaviour. Such a set of behaviour is referred to as a profile. A signature database contains profiles of normal user or system behaviour. The signature database can either be set up manually by a human expert to define profiles, or a computer can be used to compile profiles by using statistical techniques, which can be updated automatically by the computer. The anomaly detector then compares each profile compiled from the source data by the profile engine to the normal user and system behaviour profiles from the signature database. When the anomaly detector finds a profile that appears to be abnormal or unusual compared to a specific user and system profile in the signature database, such behaviour is labelled as intrusive.

Anomaly detection IDSs, however, are difficult to implement, because what is seen as “normal behaviour” for one organisation is not necessarily the same for another. For this reason, most IDSs are based on pattern-matching technology [GRAH 00].
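The profile engine and anomaly detector described above, as an added example that is not code from the thesis or its prototype: profiles of normal behaviour are compiled statistically from constructed audit records (user, hour of day, bytes transferred), and a new record is labelled intrusive when its hour or its volume deviates from that user's profile. The record fields and the z-score threshold are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Profile:
    """Profile of one user's normal behaviour as compiled by the profile engine."""
    user: str
    usual_hours: frozenset   # hours of the day in which the user is normally active
    mean_bytes: float        # mean bytes transferred per session
    std_bytes: float         # population standard deviation of the same


def profile_engine(records):
    """Group the source data (user, hour, bytes) per user and compile a profile
    of normal behaviour with simple statistical techniques."""
    grouped = defaultdict(list)
    for user, hour, nbytes in records:
        grouped[user].append((hour, nbytes))
    profiles = {}
    for user, observations in grouped.items():
        sizes = [b for _, b in observations]
        profiles[user] = Profile(user, frozenset(h for h, _ in observations),
                                 mean(sizes), pstdev(sizes))
    return profiles


def anomaly_detector(profiles, record, z_threshold=3.0):
    """Compare one new piece of source data with the stored profile of that user
    and return the reasons it is labelled intrusive (an empty list means normal)."""
    user, hour, nbytes = record
    profile = profiles.get(user)
    if profile is None:
        return ["unknown user"]
    reasons = []
    if hour not in profile.usual_hours:
        reasons.append("unusual hour")
    spread = profile.std_bytes or 1.0          # guard against identical sessions
    if (nbytes - profile.mean_bytes) / spread > z_threshold:
        reasons.append("unusual volume")
    return reasons


# Constructed "normal behaviour" training data: (user, hour, bytes transferred).
NORMAL_RECORDS = [("alice", 9, 1200), ("alice", 10, 1500), ("alice", 11, 1300),
                  ("alice", 14, 1400), ("alice", 16, 1100),
                  ("bob", 8, 50000), ("bob", 9, 48000), ("bob", 10, 52000)]
PROFILES = profile_engine(NORMAL_RECORDS)

if __name__ == "__main__":
    for rec in [("alice", 10, 1350), ("alice", 3, 900000), ("carol", 9, 10)]:
        print(rec, anomaly_detector(PROFILES, rec) or ["normal"])
```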

3.2.3 Other approaches to IDS architectures
The sections that follow will take a closer look at IDS architectures that are variations of the distinct IDS architecture approaches. In the literature there are many other approaches to IDS architectures [JAHN 02, KUSP 95, DAVI 01, TRIU 02]. Most of these architectures closely relate to the pattern-matching and anomaly detection architectures. However, the architectures discussed in this section have specifically been selected for discussion because they incorporate the use of interesting techniques.

3.2.3.1 IDML-based intrusion detection

Figure 3.4 displays an architecture for intrusion detection based on intrusion detection markup language (IDML) [LITS 01].

Figure 3.4: An architecture for intrusion detection based on IDML (construction: IDML authoring tool, IDML parser, intrusion pattern IDML, IDML DTD and intrusion pattern state machine; detection: packet event converter, system event converter, intrusion event information converter, user identification and the IDML-based intrusion detection module, fed by network and other event sources and producing the detection result)

The main components of the architecture in figure 3.4 are [LITS 01]:
• The construction component.
• The detection component.
The construction component merely uses an XML-based protocol, referred to as IDML, to express intrusion patterns in a computer-processable format. The process for the construction component involves human experts that use an IDML authoring tool to write intrusion pattern IDML documents. The IDML parser is used to validate the intrusion pattern document using the corresponding intrusion pattern, which is stored in a specific format referred to as a document type definition (DTD). If the pattern is valid, the intrusion pattern will be translated into finite intrusion pattern state machines for further use in the detection process.

Almost all intrusion patterns can be transformed into sequences of intrusion actions – an intrusion seldom happens from a single action. Intrusions, therefore, can be represented using a finite intrusion pattern state machine. Various intrusion actions will cause the intrusion process to change from one state to the next, where the state is used to keep track of the current status of the intrusion process. A typical finite intrusion pattern state machine is shown in figure 3.5.

Figure 3.5: A typical finite intrusion pattern state machine (an initial state, intermediate states and final states; each intrusion event moves the machine to the next state, while other events leave it in its current state)

The detection component, on the other hand, incorporates one of the distinctive intrusion detection approaches: pattern matching. It uses network and other event sources, which are converted to packet or system events by an intrusion event information converter. These events are caused by a specific user account and therefore an attempt is made to retrieve a user’s identification on each event in a bid to trace the intrusion to a specific user. This information in conjunction with the IDML-based state information is then used by the IDML-based intrusion detection module to identify and act on intrusions.

IDML-based intrusion detection has some positive and negative sides. On the positive side it attempts to detect intrusions not only by using conventional data sources, for example network traffic and event logs, but also an IDML-based approach which makes the intrusion detection process more successful with fewer false alarms. On the negative side, the number of false alarms is still quite high. In an experiment that was carried out for testing the IDML-based intrusion detection architecture, 25% of all intrusions detected were still false alarms [LITS 01]. Furthermore, IDML-based intrusion detection poses a bigger and more complex processing overhead due to the large number of states that must be tracked by the IDML-based IDS and thus requires additional memory space. This, however, is not too much of a concern since the cost of memory space for a large organisation is not difficult to bridge. Cost, however, is never a factor to be ignored. In addition, attempting to trace intrusions back to a certain user is done by using metadata collected from the data sources, which might only reveal the specific user account being used to launch the intrusion. This may prove to be insignificant information since most of the time an intrusion is launched by using a hacked user account. The IDS, thus, may not be intelligent enough to discover the ID of the real perpetrator.
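The finite intrusion pattern state machine of figure 3.5 and the per-user tracking of the detection component, as an added example that is not the IDML tooling of [LITS 01] or code from the thesis: the pattern is written as a Python dictionary rather than in IDML, the event names and the event stream are constructed, and one state is kept per (pattern, user account) so that events of different users do not advance the same machine.

```python
from dataclasses import dataclass, field


@dataclass
class IntrusionPattern:
    """One intrusion pattern: transitions on intrusion events and the final
    (intrusion complete) states. Any event without a transition is an
    'other event' that leaves the current state unchanged."""
    name: str
    initial: str
    transitions: dict          # (state, event) -> next state
    final_states: frozenset


# Constructed pattern (hypothetical): a scan, then failed logins, then a new
# administrative account created under the same user account.
SCAN_THEN_BREAKIN = IntrusionPattern(
    name="scan-bruteforce-escalate",
    initial="S0",
    transitions={("S0", "port_scan"): "S1",
                 ("S1", "failed_login"): "S2",
                 ("S2", "failed_login"): "S2",            # further attempts stay in S2
                 ("S2", "admin_account_created"): "S3"},
    final_states=frozenset({"S3"}),
)


@dataclass
class DetectionModule:
    """Keeps one state per (pattern, user) and records completed patterns as
    (pattern name, user, number of the event that completed it)."""
    patterns: list
    state: dict = field(default_factory=dict)
    results: list = field(default_factory=list)

    def feed(self, event_no, user, event):
        for pattern in self.patterns:
            key = (pattern.name, user)
            current = self.state.get(key, pattern.initial)
            nxt = pattern.transitions.get((current, event), current)
            if nxt in pattern.final_states:
                self.results.append((pattern.name, user, event_no))
                nxt = pattern.initial      # start tracking this user afresh
            self.state[key] = nxt


def run_detection(events, patterns):
    """Converted events (user id, event) in arrival order -> detection result."""
    module = DetectionModule(patterns)
    for event_no, (user, event) in enumerate(events, start=1):
        module.feed(event_no, user, event)
    return module.results


# Constructed event stream after event conversion and user identification.
EVENTS = [("mallory", "port_scan"), ("alice", "login_ok"),
          ("mallory", "failed_login"), ("alice", "failed_login"),
          ("mallory", "file_read"), ("mallory", "failed_login"),
          ("mallory", "admin_account_created")]

if __name__ == "__main__":
    print(run_detection(EVENTS, [SCAN_THEN_BREAKIN]))
```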

3.2.3.2 An IDS architecture for detecting TCP SYN flooding

Figure 3.6 displays an intrusion detection architecture for detecting transmission control protocol (TCP) synchronisation (SYN) flooding intrusions [KASA 00].

Figure 3.6: An intrusion detection architecture for detecting TCP SYN flooding (network packets enter the feature selector (FS); features and simple rules feed the pre-detector (PD); anomalous patterns, detection rules, behaviour statistics and network information feed the fuzzy-based decision engine (DE), which outputs an intrusion possibility)

The architecture in figure 3.6 is a network-based intrusion detection architecture designed specifically to detect TCP SYN flooding intrusions. This specific intrusion is referred to as a denial-of-service (DoS) intrusion. The intrusion is launched by using TCP to send an excess of SYN data packets over a network to specific systems in an effort to exhaust the network and system resources. The architecture consists mainly of three components:
• The feature selector (FS).
• The pre-detector (PD).
• The fuzzy-based decision engine (DE).
The FS captures packets from the network and extracts certain fields – so-called features – from the data packets. The specific features extracted by the FS may not all have exactly the same properties, for example some fields may have different lengths. The PD checks that the selected fields are sorted and all the selected features have the same properties before the DE can detect a possible TCP SYN flooding intrusion.

The positive side of this architecture is that it employs the use of rule-based fuzzy logic when detecting intrusions. Fuzzy logic [YAZA 92] provides a way of creating more intelligent IDSs. The negative side of this architecture is that it can detect only one specific intrusion. However, there is room for expanding the architecture to be able to detect more intrusions.
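The FS, PD and DE chain of figure 3.6, as an added example that is not the design of [KASA 00] or code from the thesis: the feature selector counts SYNs and completed handshakes per window, the pre-detector applies simple rules and normalises the features, and a fuzzy rule base turns the SYN rate and handshake completion share into a crisp intrusion possibility. The packet windows, the features, the membership functions and the rules are all constructed assumptions.

```python
from collections import Counter


def feature_selector(packets):
    """FS: extract the features of interest from raw packets (source address,
    TCP flag string): number of SYNs, number of sources whose handshake was
    completed by an ACK, and number of distinct sources."""
    syns = Counter(src for src, flags in packets if flags == "SYN")
    acks = Counter(src for src, flags in packets if flags == "ACK")
    return {
        "syn_count": sum(syns.values()),
        "completed": sum(1 for src in syns if acks[src] > 0),
        "sources": len(syns),
    }


def pre_detector(features, min_syns=5):
    """PD: simple rules that turn the features into comparable properties and
    drop windows with too little traffic to judge (returns None for those)."""
    syn = features["syn_count"]
    if syn < min_syns:
        return None
    return {"syn_rate": syn, "completion": features["completed"] / syn}


def decision_engine(pattern, window_seconds=1.0, high_rate=20.0):
    """DE: assumed fuzzy rule base returning a crisp possibility in [0, 1]:
      R1: rate HIGH and completion LOW  -> 0.9
      R2: rate HIGH and completion HIGH -> 0.3
      R3: rate LOW                      -> 0.1
    Firing strength is the minimum of the antecedent memberships; the output
    is the strength-weighted average of the rule consequents."""
    if pattern is None:
        return 0.0
    rate = pattern["syn_rate"] / window_seconds
    rate_high = min(1.0, rate / high_rate)    # ramp membership, saturates at high_rate
    rate_low = 1.0 - rate_high
    comp_high = pattern["completion"]         # share of SYNs followed by an ACK
    comp_low = 1.0 - comp_high
    rules = [
        (min(rate_high, comp_low), 0.9),
        (min(rate_high, comp_high), 0.3),
        (rate_low, 0.1),
    ]
    total = sum(weight for weight, _ in rules)
    return sum(weight * value for weight, value in rules) / total if total else 0.0


def intrusion_possibility(packets, window_seconds=1.0):
    """Full pipeline FS -> PD -> DE for one window of captured packets."""
    return decision_engine(pre_detector(feature_selector(packets)), window_seconds)


# Constructed one-second packet windows using documentation address ranges:
# eight clients completing their handshakes, versus twenty SYNs never completed.
NORMAL_WINDOW = [(f"192.0.2.{i}", flag) for i in range(1, 9) for flag in ("SYN", "ACK")]
FLOOD_WINDOW = [(f"198.51.100.{i}", "SYN") for i in range(1, 21)]

if __name__ == "__main__":
    print("normal window:", round(intrusion_possibility(NORMAL_WINDOW), 2))
    print("flood window: ", round(intrusion_possibility(FLOOD_WINDOW), 2))
```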

These architectures help a lot in finding better IDSs. There are, however, still many problems with IDSs, which are addressed after the following section.

3.2.4 Commercially available IDSs
Examples of IDSs that are commercially available either as freeware or for a price include Snort [SNOR 02], ISS RealSecure [REAL 03], eTrust Intrusion Detection [COMP 03], Network Flight Recorder [NFRS 03], and Cisco IDS [CIDS 03]. Some of these IDSs are able to detect intrusions over multiple operating system platforms, while others can detect intrusions only on specific operating system platforms.

3.2.5 The problems with IDSs
State-of-the-art IDSs, however, fall short in many dimensions [SCHN 00]. They create too many false alarms. If they cry wolf too much, one will stop listening to them. Another problem is that IDSs do not respond to intrusions promptly enough. The main reason for this problem is that they do not have sufficient intelligence to decide in good time what an intrusion is. Furthermore, they fail to intelligently counteract intrusions in an effort to neutralise the intrusion – they normally merely notify and report the intrusion, and then wait for a person to counteract it. Perhaps the biggest problem with an IDS is the fact that it is a reactive information security technology – it does not take preventative measures, but rather attempts to detect an intrusion as soon as it occurs or after it has occurred. Proactive information security technologies thus attempt to smother the problem or prevent an intrusion – before it can occur. One such proactive approach is known as vulnerability scanning and is discussed below.

3.3 VULNERABILITY SCANNING

3.3.1 What is vulnerability scanning?
The concept of vulnerability scanning is having an automated scanning program, referred to as a vulnerability scanner (VS), that scans a computer or a network of computers for a list of known weaknesses, referred to as vulnerabilities [SCHN 00]. In other words, a VS analyses the security state of a system on the basis of information collected at intervals. After a scan is completed, the VS creates a report of the vulnerabilities found and leaves it up to a person to fix them. Vulnerability scanning is also commonly referred to as vulnerability analysis in the industry [BACE 00]. A VS can be seen as a proactive information security technology, because it attempts to search for known vulnerabilities before the vulnerabilities can be exploited by an intruder. This is done in a very similar way to IDSs, because VSs also use signatures for the vulnerabilities they can identify. Therefore, a VS is an information security technology that is but a special case of intrusion detection [BACE 00]. In addition, an IDS is seen as a dynamic information security technology, whereas a VS is seen as a static information security technology. The architecture of VSs is discussed in detail in the sections that follow.

3.3.2 The architecture of VSs
There are some aspects that play an important role in the architecture of VSs. These include the following:
• The location of the VS in a network.
• The scan policy that specifies the VS setup.
• The data source that serves as input to the VS.
• The analysis engine that identifies vulnerabilities.
• The report that a VS creates.
Some of the above aspects are discussed in detail throughout this section. The scan policy, data source, analysis engine and report aspects of VSs also form part of the main components of a VS. The typical location of a VS is shown in figure 3.7 and is essentially the same as for an IDS, except that a VS scans from only one fixed location in the network, and not from multiple locations as an IDS can.

Figure 3.7: The location of a VS in a network (the VS host, behind the firewall and the router to the Internet, scans for vulnerabilities on the target hosts connected to the network from a single, central location)

A VS is dependent on a scan policy that contains information on how the VS is set up to scan for vulnerabilities. This scan policy is usually reconfigured for each specific scan. In contrast, an IDS continually monitors data sources for all possible intrusions that it is able to detect. For example, a VS’s scan policy may be set up to scan only selected hosts on a network. In addition, it may also be set up to scan for only specific types of vulnerabilities logically grouped into specific categories of vulnerabilities. The reason for scanning only for certain categories of vulnerabilities is to save network and system resources when these resources are critically depended on for purposes other than vulnerability scanning, because VSs can sometimes exhaust these resources when scanning and testing for denial-of-service vulnerabilities [MCSK 02], for example. On the other hand, IDSs need to monitor for all possible intrusions in real time, and therefore should not detect only a subset of intrusions. If the detection of some intrusions is omitted, the IDS might miss the detection of a possible intrusion and this will defeat the purpose of an IDS.

VSs also collect source data which will be interpreted by a dedicated VS host in a bid to find vulnerabilities. There are two different levels at which a VS can scan for vulnerabilities, namely host level or application level. The different levels of data sources that a VS can scan are referred to as the targets. IDSs detect intrusions on four different types of targets, as discussed earlier in this chapter, namely network-based targets, host-based targets, application-based targets, and target-based targets.

VSs, however, only scan for vulnerabilities on two of those four targets. The following are the types of targets that a VS can scan for vulnerabilities [COLE 02]:
• Host-based targets: The target here is an individual host. The VS scans the host’s configuration settings, typically at operating system level, looking for vulnerabilities.
• Application-based targets: The target here is one or more specific applications that are running on a target host. The VS scans the configuration settings for the specific application, looking for vulnerabilities.
The analysis engine compares the source data with a predefined known set of data configurations. The analysis engine is also commonly referred to as a vulnerability matcher in VS terminology. If the source data contains a specific data string that is also found in the known set of data configurations, then a vulnerability is found or matched. A detailed report is produced after the entire scan process is complete.

The architecture on which VSs are based is derived from IDSs. Vulnerability scanning is a special case of intrusion detection. This means that VSs partly employ one of the two distinctive architectures of IDSs, namely pattern matching. The only difference here, however, is that IDSs attempt to match a set of actions, which occurred in a specific sequence, to a pattern to find an intrusion. VSs, on the other hand, attempt to match only a specific string of data to a known signature of data to find a vulnerability. An architecture for VSs is shown in figure 3.8 [BACE 00].

Figure 3.8: An architecture for a VS (scan policy: policy engine and configuration file; source data: target acquisition engine, data acquisition engine and snapshot database; analysis engine: inference engine and vulnerability database; report generator producing the report)

The architecture of VSs consists of the following components:
• The scan policy component contains the following two sub-components:
  o Policy engine: Loads or stores the scan configuration as the user set it up.
  o Configuration file: Contains the scan configuration, i.e. settings and options of the VS as specified by a user. An example of such a setting is the IP address range of systems to be scanned.
• The source data component contains the following three sub-components:
  o Target acquisition engine: Searches for the specific target hosts to determine whether a host is online or not.
  o Data acquisition engine: Samples the systems’ attributes and configuration and stores them in the snapshot database.
  o Snapshot database: Contains the target hosts’ characteristics and configuration as collected by the data acquisition engine.
• The analysis engine component contains the following two sub-components:
  o Inference engine: Controls the target and data acquisition engines, and matches the snapshot database with the vulnerability database to detect which vulnerabilities are apparent in the systems that were scanned.
  o Vulnerability database: Contains the signatures of all known weaknesses in software or hardware.
• The report generator of the VS creates a report that contains a detailed description of the signatures that matched between the snapshot database and the vulnerability database, which are the vulnerabilities detected by the VS. A VS report usually also contains more information on how and where to fix the vulnerabilities that were found.

Apart from the architecture of VSs as discussed above, there are other approaches in the literature. One such other approach is discussed in the section that follows.
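The VS architecture of figure 3.8 carried through in code, as an added example that is not the thesis's prototype: the scan policy restricts the targets and the vulnerability categories, target and data acquisition fill a snapshot database, and the inference engine matches snapshot attributes against vulnerability signatures before the report generator writes one line per finding with its fix. The hosts, their sampled settings, the signature identifiers and the checks are constructed; the category names are those of table 4.1.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnSignature:
    """Entry in the vulnerability database: which snapshot attribute to inspect,
    the value that reveals the weakness, and the advice for the report."""
    vid: str
    category: str
    setting: str
    bad_value: str
    description: str
    fix: str


# Constructed vulnerability database (identifiers and checks are hypothetical).
VULN_DB = [
    VulnSignature("V-001", "Misconfigurations", "telnet_enabled", "yes",
                  "Telnet service enabled", "disable telnet and use an encrypted remote shell"),
    VulnSignature("V-002", "Password cracking and sniffing", "min_password_len", "0",
                  "No minimum password length enforced", "set a minimum password length"),
    VulnSignature("V-003", "Unauthorised access to remote connections & services",
                  "share_password_required", "no",
                  "Remote share without a password", "require a password on the share"),
]

# Scan policy as the policy engine would load it from the configuration file.
SCAN_POLICY = {
    "target_range": "192.0.2.0/29",
    "categories": {"Misconfigurations", "Password cracking and sniffing"},
}

# Constructed stand-ins for the network: which hosts answer, and what the data
# acquisition engine would sample from each of them.
ONLINE_HOSTS = {"192.0.2.1", "192.0.2.2", "192.0.2.9"}
SNAPSHOT_SOURCE = {
    "192.0.2.1": {"telnet_enabled": "yes", "min_password_len": "8", "share_password_required": "no"},
    "192.0.2.2": {"telnet_enabled": "no", "min_password_len": "0", "share_password_required": "yes"},
    "192.0.2.9": {"telnet_enabled": "yes", "min_password_len": "0", "share_password_required": "no"},
}


def target_acquisition(policy, online_hosts):
    """Keep only the hosts that are online and inside the policy's address range."""
    net = ipaddress.ip_network(policy["target_range"])
    return sorted(h for h in online_hosts if ipaddress.ip_address(h) in net)


def data_acquisition(hosts, source):
    """Fill the snapshot database with the sampled attributes of each target."""
    return {h: dict(source[h]) for h in hosts if h in source}


def inference_engine(policy, snapshot_db, vuln_db):
    """Match the snapshot database against the vulnerability database, limited
    to the vulnerability categories selected in the scan policy."""
    findings = []
    for host, attrs in snapshot_db.items():
        for sig in vuln_db:
            if sig.category in policy["categories"] and attrs.get(sig.setting) == sig.bad_value:
                findings.append((host, sig))
    return findings


def report_generator(findings):
    """One report line per matched signature, including how to fix it."""
    return [f"{host}: [{sig.category}] {sig.vid} {sig.description}; fix: {sig.fix}"
            for host, sig in findings]


def run_scan(policy, online_hosts, source, vuln_db=VULN_DB):
    """The whole VS pipeline: scan policy -> source data -> analysis -> report."""
    hosts = target_acquisition(policy, online_hosts)
    snapshot_db = data_acquisition(hosts, source)
    return report_generator(inference_engine(policy, snapshot_db, vuln_db))


if __name__ == "__main__":
    for line in run_scan(SCAN_POLICY, ONLINE_HOSTS, SNAPSHOT_SOURCE):
        print(line)
```

Host 192.0.2.9 is skipped because it lies outside the policy's range, and the password-less share on 192.0.2.1 is not reported because its category was not selected in the scan policy.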

3.3.3 Another approach to VS architectures
There are currently not many approaches to VS architectures other than the one discussed in the previous section. However, the following is a VS architecture that follows a more decentralised approach.

Figure 3.9 displays an architecture for distributed vulnerability scanning [LOPY 01].
Figure 3.9: A distributed architecture for vulnerability scanning (a security management zone with a central management server and central management console, connected to network zones 1 to n, each with a local management console and a remote scanning agent serving the other computers in that zone)

The architecture in figure 3.9 shows a network that contains a security management zone and subnet zones with the following main components:
• Security management zone containing:
  o The central management server.
  o The central management console.
• Different subnet zones, each containing:
  o A local management console.
  o A remote scanning agent.
A central management server and a central management console form the security management zone. The central management console is used as a front-end manager to the central management server. The central management server conducts all control operations, schedules scanning tasks, maintains the security policy, updates scanning modules, and delivers them to a remote agent on demand or by schedule. Each subnet zone has a remote scanning agent and a local management console. The remote scanning agent receives commands, procedures, and schedules from the central management server to scan the specific network. These commands, procedures, and schedules can also be received from the local management console for performing certain decentralised actions.

The workload that VSs create when conducting a scan is normally very high and a multitude of system resources are occupied. The positive side of this architecture, however, is that it has multiple scanning agents, each situated in its own subnet. The workload in the case of having a single server that has to scan all subnets can drain the entire network resources significantly. Having multiple scanning agents thus reduces the utilisation of system resources significantly. The negative side of this architecture is that it is much more expensive. In addition, this architecture of vulnerability scanning offers no intelligent scanning techniques.

3.3.4 Commercially available VSs
Examples of VSs that are commercially available either as freeware or commercial software include CyberCop Scanner [CYBE 03], Cisco Secure Scanner [CSSC 03], Nessus [DERA 03], Internet Scanner [ISSC 03], SAINT [SAIN 03], and NetRecon [NETR 02].

3.3.5 The problems with VSs
VSs work in a strange and unorthodox way: they perform a scan by attempting to break through the current security features on a computer. The question could be asked why one would use a VS if it damages the security on the computer. However, this is not exactly true: the VS does not really damage the security on a computer, but simulates and generates “watered-down” or “fake” attacks on the security of a computer to find out if a computer might be flawed in such an attack if the attack were launched by a hacker. It is exactly these “simulated” attacks that can drain the network resources, forcing the network to its knees, or completely killing a network. In the light of the above fake attacks, VSs sometimes have to make assumptions on the way a specific computer reacted to a fake attack, since launching a full-fledged attack might cause real damage to a computer and/or the network. Making such assumptions can be very dangerous since it may be difficult to tell whether a full-fledged attack was successful or not. It is for this reason that some VSs today indeed launch full-fledged attacks, but – as just mentioned – it might cause damage to a computer. Therefore, backups should be made before the scan is conducted and it should be remembered that conducting a scan takes up valuable time and system resources.

VSs all utilise some sort of database with the same goal: to store the signatures of the vulnerabilities they can detect when they scan for the vulnerabilities. A major problem with these VS databases, however, is that they are disparate in the specific way that the vulnerabilities are named and organised in the vulnerability database of each different VS. This disparity is caused mainly by the difference in structure of almost any VS’s vulnerability database.

For example, some VSs store hundreds of vulnerabilities in their vulnerability databases simply sorted from vulnerability 1 to vulnerability n. The problem with this database structure is that the vulnerabilities are not organised; for example, related vulnerabilities are not grouped together. In addition, different VSs that employ this database structure may name the same vulnerability in different ways. For example, one VS might call a particular vulnerability “a Trojan horse”, while another might refer to the same vulnerability as “a backdoor”, and yet another might refer to it as “a virus”, where these names have the same meaning. VSs group certain vulnerabilities together to form different vulnerability categories. A vulnerability category refers to the grouping of specifically the same types of vulnerabilities, in other words vulnerabilities with the same genre of characteristics. Another database structure disparity example is that different VSs address different vulnerability categories. In other words, vulnerabilities that are grouped in a particular vulnerability category by a specific VS might be grouped in a different vulnerability category by another VS. One VS might group a vulnerability, for example “a remote share was found without any password defined”, in the password guessing and grinding vulnerability category, while another VS might group this vulnerability in the remote access & services vulnerability category. What is more, some VSs define a small number of vulnerability categories, while other VSs define many vulnerability categories. Different VSs might even address the same kind of vulnerability in a different way, for example one VS might audit passwords by using a dictionary-attack technique, whereas another might do so by using a brute-force-attack technique. Disparity in the database structure is a major problem, especially when choosing a specific VS to use in an organisation.

3.4 CONCLUSION
IDSs and VSs are both information security technologies that enhance the security on a computer and network in that they detect and prevent intrusions and attacks from happening, respectively, with a relatively good success rate. IDSs and VSs, however, still produce many problems and challenges for future research. There is a good possibility that hybrid systems might be seen in the future – that is, programs that incorporate IDS and VS technologies in one system [MOHA 01]. One should refrain, however, from running an IDS tool and a VS tool in parallel in the same environment because when a VS attempts to cast a “simulated attack” on designated hosts, an IDS running in the same environment will identify such a simulated attack as a real intrusion and will increase the false alarm rate of the IDS in due course.

Although the cost difference between IDSs and VSs is not a predominant factor, it is interesting to note that the overall cost of implementing and maintaining VSs is higher than that of IDSs [ESCI 02].

It is generally better, though, to follow a proactive approach than a reactive approach because prevention is better than cure. It is for these reasons that VSs will be used rather than IDSs as part of the model for vulnerability forecasting introduced later in this thesis. The problem, however, is that VSs are different software products, which scan for different types or categories of vulnerabilities. There is a need, thus, to create a “standardised” set of vulnerability categories which will enable the vulnerability forecasting model to use any VS, or even multiple VSs. This method of standardising vulnerability categories is referred to as harmonised vulnerability categories, which is discussed in the next chapter.

CHAPTER 4 HARMONISING VULNERABILITY CATEGORIES

4.1 INTRODUCTION
A major problem with VS databases, as discussed in the previous chapter, is that they are disparate in the specific way that the vulnerabilities are named and organised in the vulnerability database of each different VS. This problem might be resolved by having harmonised vulnerability categories. These categories should cover the full scope of potential vulnerabilities. The aim of having harmonised vulnerability categories is to have a measure onto which the vulnerability categories of any VS can be mapped to determine the level of vulnerability category competence for each specific VS. This specific problem is addressed in this chapter. In the remainder of this chapter, the concept of harmonising different sets of vulnerabilities into harmonised vulnerability categories is introduced, followed by a discussion of each category with examples to demonstrate the usefulness of the proposed categories.

4.2 METHOD OF IDENTIFYING CATEGORIES
A major problem with VS tools is that they sometimes attempt to address an excessively wide variety of vulnerabilities. As mentioned in the previous chapter, the specific vulnerabilities that VS tools check for, however, differ significantly from tool to tool. Using only one specific VS tool may prove to be insufficient in scanning for certain types of vulnerabilities. For example, CyberCop Scanner [CYBE 02] scans extensively for vulnerabilities of the type misconfigurations, whereas Cisco Secure Scanner [CSSC 00] gives minimum attention to misconfiguration vulnerabilities. Furthermore, different VS tools sometimes refer differently to the same vulnerability. For example, CyberCop Scanner refers to mail transfer and Cisco Secure Scanner to SMTP, which is, in essence, the same set of vulnerabilities. How will the results of a vulnerability scan done by a specific tool, e.g. CyberCop Scanner, compare with those of another, e.g. Cisco Secure Scanner? To answer this question, a common set of vulnerabilities is required. The researcher proposes such a common set of vulnerabilities, which was determined by evaluating a number of different sets of vulnerabilities. This common set of vulnerabilities will be referred to as a “harmonised” set of vulnerability categories. The harmonised vulnerability categories were identified by analysing the Internet security vulnerabilities as found in literature [NOCF 01] [BACE 00] [SCMK 01] [GREE 02] [NORT 01] [KEOS 01], as well as those used by popular VS tools such as CyberCop Scanner and Cisco Secure Scanner. The criteria for identifying the harmonised vulnerability categories were based on the following [BISH 99]:
• Vulnerabilities of a similar nature should be grouped together.
• Classification should not be based on the social cause of the vulnerability. This includes issues such as motive, intent, and malicious or accidental cause.
The researcher identified 13 harmonised vulnerability categories. These categories are discussed in the section that follows.

4.3 HARMONISED VULNERABILITY CATEGORIES
A harmonised vulnerability category represents a certain group or class of vulnerabilities, which have the same genre of vulnerability characteristics. For example, all vulnerabilities related to compromising passwords, such as “a password is a dictionary word” or “a password is shorter than 8 characters” or “a password is sent in clear text”, can form a harmonised vulnerability category called password cracking and sniffing. It is well known that VS tools in the industry represent solutions for rectifying vulnerabilities as well. It should be mentioned that the rectification of vulnerabilities is beyond the scope of this chapter. In other words, the purpose of this chapter is to identify harmonised vulnerability categories only, and not to present solutions for various vulnerabilities. Before discussing each harmonised vulnerability category in detail, a summary of the categories is given in table 4.1.

Page 48

HARMONISING VULNERABILITY CATEGORIES

Table 4.1: Summary of the harmonised vulnerability categories

No.  Harmonised vulnerability category                      Brief description
1    Password cracking and sniffing                         Vulnerabilities with a root cause of having accounts with weak or no passwords
2    Network and system information gathering               Vulnerabilities concerned with scanning a network to discover a map of available hosts and vulnerable services
3    User enumeration and information gathering             Vulnerabilities concerned with retrieving information about user accounts from a specific system
4    Backdoors, Trojans and remote controlling              Vulnerabilities concerned with having hidden access mechanisms installed on a system
5    Unauthorised access to remote connections & services   Vulnerabilities concerned with the risk that an unauthorised person has the ability to connect to and misuse a system
6    Privilege and user escalation                          Vulnerabilities concerned with the risk that the access rights of an existing user account can be upgraded by an unauthorised user, granting more privileges to the user
7    Spoofing or masquerading                               Vulnerabilities concerned with the risk that an intruder can fake an IP address in a bid to act as another person
8    Misconfigurations                                      Vulnerabilities concerned with the risk that applications have been incorrectly configured
9    Denial-of-services (DoS) and buffer overflows          Vulnerabilities concerned with the risk of one or more intruders launching an attack designed to disrupt or deny legitimate users’ or applications’ ability to access resources
10   Viruses and worms                                      Vulnerabilities concerned with malicious programs
11   Hardware specific                                      Vulnerabilities concerned with having hardware peripherals that execute ROM-based or firmware-based programs
12   Software specific and updates                          Vulnerabilities concerned with the risk that specific software applications contain specific, well-known bugs
13   Security policy violations                             Vulnerabilities concerned with the risk that an Internet security policy has been violated

4.3.1 Password cracking and sniffing

This category involves vulnerabilities with a root cause of having accounts with weak or no passwords. Tools are readily available on the Internet that can be used to intercept passwords from any transmission over the Internet. These kinds of tools are better known as sniffers. On some systems, passwords are stored in cleartext, or transmitted in cleartext over the Internet. If an attacker manages to intercept cleartext passwords, the passwords do not even need to be cracked. To counter this, passwords are transmitted or stored on a system in an encrypted (typically hashed) format. Still, it is possible to sniff these encrypted passwords from the Internet and then use password-cracking tools, for example L0pht Crack [LOPH 02], to crack them. Given administrative access, L0pht Crack can also retrieve the stored encrypted passwords from a system in an attempt to crack them.


Examples of vulnerabilities belonging to this category are the following:

• If the FTP service is enabled, anyone can try to guess passwords to connect to the FTP service.
• A malicious user could remotely retrieve the system’s password file. This can lead to further system access, including administrator access.
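The following is an added example (it is not code from the thesis or from any VS product) of the second half of the attack described above: a dictionary pass over a sniffed, hashed password. The wordlist, the account names and the captured digests are constructed for the example; the hashing scheme (unsalted and salted SHA-1) is an assumption standing in for whatever a particular system actually uses.

```python
import hashlib

# Constructed wordlist, standing in for the dictionaries that password-cracking
# tools such as L0phtCrack ship with; real lists hold millions of entries.
WORDLIST = ["letmein", "123456", "qwerty", "password", "welcome", "admin"]


def make_digest(text, algo="sha1"):
    """Digest of a password as a system would store or transmit it (unsalted)."""
    return hashlib.new(algo, text.encode()).hexdigest()


# Constructed "sniffed" credentials: unsalted SHA-1 digests as a stand-in for
# whatever hashed form a weak protocol or password file exposes. The first
# value is the well-known SHA-1 of the string "password"; the second is a
# long passphrase that no dictionary entry will match.
CAPTURED = {
    "bretl": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "jdoe": make_digest("Tr0ub4dor&3-correct-horse-staple"),
}


def crack_hash(digest_hex, wordlist=WORDLIST, algo="sha1"):
    """Return the wordlist entry whose digest equals digest_hex, else None.

    One digest computation per candidate is all a dictionary pass costs; a
    dictionary-word password therefore falls long before any brute force
    over the full character space would be needed.
    """
    target = digest_hex.strip().lower()
    for candidate in wordlist:
        if make_digest(candidate, algo) == target:
            return candidate
    return None


def crack_salted(digest_hex, salt, wordlist=WORDLIST, algo="sha1"):
    """Same pass against a salted digest, hash(salt + password).

    A salt defeats precomputed (rainbow) tables, but once the salt is captured
    together with the hash, as it is in most password files, a targeted
    dictionary pass costs exactly the same as the unsalted case.
    """
    target = digest_hex.strip().lower()
    for candidate in wordlist:
        if make_digest(salt + candidate, algo) == target:
            return candidate
    return None


def crack_all(captured, wordlist=WORDLIST):
    """Map each account to its recovered password, or None if not in the list."""
    return {user: crack_hash(digest, wordlist) for user, digest in captured.items()}


if __name__ == "__main__":
    for user, password in crack_all(CAPTURED).items():
        print(f"{user}: {'cracked -> ' + password if password else 'not in wordlist'}")
```

The pass costs one digest per candidate, so what protects a hashed password is not the hashing as such but a password that appears in no wordlist, combined with a salted and deliberately slow hashing scheme; a cleartext protocol, as the text notes, removes even that obstacle.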

4.3.2 Network and system information gathering

This category involves vulnerabilities concerned with scanning a network to discover a map of the available hosts, as well as to detect vulnerable services on the hosts and the network. Furthermore, these vulnerabilities allow an intruder to gather information on the hosts found on the network in order to determine the specific hardware or software applications used. Having a map of a network and information on which software applications are used in an organisation may help an intruder to gain sufficient information on the target and to determine which specific hacking techniques to use. Footprinting, network mapping, target acquisition and network reconnaissance are synonyms found in the literature [SCMK 01] [NORT 01] for network and system information gathering. Examples of vulnerabilities belonging to this category are the following:

• The routing table could be retrieved, which reveals information about the physical network setup.
• Using the FTP SYST command, attackers can discover operating system version information. This can lead to administrator access and malicious activity.

4.3.3 User enumeration and information gathering

This category involves vulnerabilities concerned with retrieving information about user accounts from a specific system, for example the user account name (e.g. bretl) and the user details (e.g. Bret Lee, General Manager, Office 227, Accounts Department). An attacker can typically use this information to identify that Bret Lee is a general manager, whose computer could contain more sensitive information than a normal employee’s computer, making the manager’s computer a more sought-after target. Furthermore, as soon as an intruder has retrieved a list of the user account names registered on a specific system, it is often only a matter of time before he/she obtains the password by using a password-cracking program, for example L0pht Crack [LOPH 02]. After all, the user account names have to be obtained before any attempt can be made to crack passwords.

Examples of vulnerabilities belonging to this category are the following:

• Using the “finger” command on a specific system will retrieve a list of all the user account names on that system.
• Null session connections can be used by an attacker to list sensitive user account information, such as revealing the identity of a user on the system.

4.3.4 Backdoors, Trojans and remote controlling

This category involves vulnerabilities concerned with having access mechanisms installed on a system which are almost hidden and not obvious. In other words, a covert entry point is created. Often a backdoor is installed with the aim of controlling a system remotely. The backdoor becomes a hidden entry point through which the intruder can connect to the system unnoticed at any given time. Most of the time, the “vehicle” for establishing such backdoors is called a “Trojan horse” or a “Trojan” [SCMK 01]. A Trojan is a software application that appears to serve one specific purpose, but actually performs hidden operations as well. For example, Trojans are often sent to someone as an e-mail attachment in the form of, for example, a game. As soon as the person opens that attachment, the game can be played successfully while a backdoor is unknowingly created in the background by the game.

Examples of vulnerabilities belonging to this category are the following:

• Back Orifice [BACK 02] and Netbus (recently called Spector) [NETB 02] are Trojan horse programs that, as soon as they are installed on a system, create backdoors, enabling remote control of the system.
• Remote controlling software is installed on the system, but it is not password protected, allowing anyone to remotely connect and take over the system.



4.3.5 Unauthorised access to remote connections and services

This category involves vulnerabilities concerned with the risk that an unauthorised person has the ability to remotely connect to a system via a specific port with the aim of misusing the system. Gaining access to remote connections and services is often used in an attempt to exploit more vulnerabilities, since gaining this access will “open more doors” to other vulnerabilities. For example, if the TELNET service is running, anyone can attempt to connect to, for example, a guest account. Connecting to the TELNET service itself can do no harm. An attacker, however, can now gain information on the particular operating system that runs the TELNET service. This could lead to additional malicious activity by the attacker.

Examples of vulnerabilities belonging to this category are the following:

• An attacker could use an anonymous FTP server to launch exploits against another system to gain special access. An attacker could use this special access to possibly bypass firewalls.
• After anonymous access to the FTP server has been gained, the attacker can try to exploit further vulnerabilities in the FTP service, for example checking whether the FTP root directory is write-enabled in a bid to store unauthorised data or information.

4.3.6 Privilege and user escalation

This category involves vulnerabilities concerned with the risk that the authorisation properties of an existing (probably compromised) system account can be changed so that this user account has more privileges or more powerful access rights allocated to it than was initially intended. With these additional rights, the account can reach data or system resources that were previously inaccessible to it. For example, an account with standard user rights might have been escalated to an account with administrative rights. Examples of vulnerabilities belonging to this category are the following:

• An attacker could execute arbitrary commands remotely as the user who is running the HTTP server. If the owner of the HTTP server has administrative access, the attacker can remotely execute commands as an administrator.
• Some registry entries on a Windows system may be remotely accessible, allowing the modification of the permissions of these registry entries.

4.3.7 Spoofing or masquerading

This category involves vulnerabilities concerned with the risk that an IP packet’s source address can be faked to hide an intruder’s identity or activity amongst a storm of other network traffic. For example, assume network A is protected by a firewall that only allows packets whose source addresses lie in the subnet 123.213.44.0. Assume an attacker is sitting in network B, the subnet 211.143.2.0. The attacker could now create a packet in network B, which will have a source address of, for example, 211.143.2.67. By using the appropriate spoofing tool, the attacker can easily change this source address to, for example, 123.213.44.67. The firewall in network A will now allow the packet created by the attacker through into network A, because it checks the source address alone. Examples of vulnerabilities belonging to this category are the following:

• If a poorly configured firewall is installed, attackers can launch attacks using the identity of the firewall server, thus masking their true identity. If any hosts or networks allow special access to this server, then the attacker has the same access.
• IP forwarding is found to be enabled, allowing the host to act as a router so that other hosts can forward packets through this host. If this host is running a firewall, then the firewall can be bypassed using IP forwarding.
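As an added example (not part of the thesis), the firewall rule from the scenario above and the anti-spoofing check a practitioner would add to it, modelled in Python. The /24 prefix lengths and the two-interface firewall are assumptions; the page gives only the network addresses.

```python
import ipaddress

# Assumed prefix lengths (the page gives only the network addresses): network A,
# protected by the firewall, and network B, where the attacker sits.
NETWORK_A = ipaddress.ip_network("123.213.44.0/24")
NETWORK_B = ipaddress.ip_network("211.143.2.0/24")


def make_packet(src, dst, arrived_on):
    """Minimal packet model: source, destination and the firewall interface
    ("internal" or "external") on which the packet arrived."""
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "iface": arrived_on,
    }


def spoof_source(packet, new_src):
    """What a spoofing tool does: rewrite the source field and nothing else.
    The packet still physically arrives on the external interface."""
    forged = dict(packet)
    forged["src"] = ipaddress.ip_address(new_src)
    return forged


def naive_source_filter(packet):
    """The rule described in the text: accept any packet whose source is in A."""
    return packet["src"] in NETWORK_A


def ingress_filter(packet):
    """Source-address rule plus an anti-spoofing sanity check (the ingress
    filtering idea of RFC 2827 applied at a single border): an address that
    belongs to A can only legitimately arrive on the internal interface, and a
    foreign address only on the external one."""
    src_internal = packet["src"] in NETWORK_A
    if src_internal and packet["iface"] == "external":
        return False, "spoofed: internal source on external interface"
    if not src_internal and packet["iface"] == "internal":
        return False, "spoofed: external source on internal interface"
    if src_internal:
        return True, "accepted: internal source on internal interface"
    return False, "rejected: external source not permitted by rule"


if __name__ == "__main__":
    genuine = make_packet("211.143.2.67", "123.213.44.10", "external")
    forged = spoof_source(genuine, "123.213.44.67")
    for name, pkt in (("genuine", genuine), ("forged", forged)):
        print(name, "naive:", naive_source_filter(pkt), "ingress:", ingress_filter(pkt))
```

The naive rule accepts the forged packet because it inspects the source field alone; the ingress rule rejects it because a source in network A cannot legitimately arrive on the external interface, whatever the packet claims.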



4.3.8 Misconfigurations

This category involves vulnerabilities concerned with the risk that applications have been incorrectly configured, leaving these applications vulnerable to several of the other harmonised vulnerability categories mentioned here.

Misconfiguration vulnerabilities mostly tend to occur after the installation of new software, because new software is usually installed with default configuration settings. It is of the utmost importance that the default settings of newly installed software be reviewed and reconfigured immediately after installation. In addition, the new configuration must be tested to make sure that it is correct and not itself a misconfiguration. Examples of vulnerabilities belonging to this category are the following:

• If anonymous FTP is not configured securely, an attacker may be able to perform reconnaissance, delete or modify files, or use anonymous FTP as a distribution mechanism for unwanted files, such as pornography or pirated software.
• If permissions in the Windows registry are incorrectly set to “Everyone”, an attacker could gain access to the registry and commence with arbitrary attacks.

4.3.9 Denial-of-services (DoS) and buffer overflows

This category involves vulnerabilities concerned with the risk of one or more intruders launching an attack designed to disrupt or completely deny legitimate users’ access to networks, servers, services, or other resources. DoS vulnerabilities are not concerned with stealing information or changing data, but simply with downgrading the performance of the computer and/or network resources to such a level that services are disrupted significantly or completely. Consider an online shop that is completely reliant on the Internet to conduct business. Suppose an attacker manages to fill up the storage space of the online shop’s servers by uploading junk data to them. This can potentially cause the servers to crash. It could take hours or perhaps days to sort out and restore the servers again, causing the online shop to lose so much money that it might have to close down.


Examples of vulnerabilities belonging to this category are the following:

• An attacker can create files on the hard disk of the Web server and fill it up, leaving the service that depends on that disk interrupted and unavailable.
• An out-of-band data attack can consume all memory and cause a system to reboot. This attack could also cause a system to be unable to handle network traffic. The only way to recover is to either reset or reboot the system.

4.3.10 Viruses and worms

Viruses and worms are different types of software applications, but with the same goal of spreading from one system to another to conduct malicious activity. Viruses and worms can be considered as some of the most active and malicious vulnerabilities that can be found on a system. Unfortunately, this is the vulnerability category that is often completely neglected by IDSs. Almost any new virus that appears on the Internet scene these days causes havoc all over the world in a matter of hours. The reason is that they all spread through the Internet, be it through e-mail messages or through vulnerabilities exploited in networking services. For example, if an IDS could also detect viruses and worms, the famous Code Red and Code Blue worms [HANC 01] would never have caused such havoc around the world in such a short time: they infected systems around the world in less than a day by spreading through an exploit in well-known Web servers all over the world. It should be mentioned that the latest reactive IDSs are beginning to address this problem. Examples of vulnerabilities belonging to this category are the following:

• An e-mail attachment is opened without first being scanned by a virus detection program. This might allow a virus to infect the system.
• Certain updates or patches are not installed for the Web server, making the server susceptible to a denial-of-service attack.

4.3.11 Hardware specific

This category involves vulnerabilities concerned with having hardware peripherals which do not run software applications, but which rather run ROM-based or firmware-based programs. These peripherals also contain vulnerabilities that cannot easily be patched or corrected, except by physically replacing the hardware or updating the firmware.

Examples of such hardware peripherals are network switches, routers and terminals. The main reason why updating the firmware of these hardware peripherals is often neglected is that the peripherals do not have dedicated owners, as opposed to a computer workstation, which has one or more specific dedicated owners. Often the system administrator alone has to see to all of these peripherals in a network. An attacker therefore stands a good chance of discovering and exploiting vulnerabilities on these peripherals before the administrator notices that irregularities are happening on them.

Examples of vulnerabilities belonging to this category are the following:

• An attacker can cause a router or switch device to crash and reload. Possible loss of configuration information may result as a consequence of this attack.
• A shared printer may be found on the network without any authentication enabled on it, leaving it open to a variety of possible attacks. For example, some modern printers host a complete operating system. A network printer is often considered highly trusted and trust relationships are set up accordingly as “wide open”. If access to the operating system of such a printer is gained, an attacker can gain access to all those systems that trust the printer.

4.3.12 Software specific and updates

This category involves vulnerabilities concerned with the risk that specific software applications contain specific, well-known bugs. Because these bugs, and exploits for them, are published widely on the Internet [BUGT 02], anyone, including an attacker, is able to access the Internet and collect information about these bugs in order to try to exploit them. Software applications must be patched to fix these security bugs or loopholes and so avoid successful future attacks on them. For example, recently there have been enormous denial-of-service attacks on Microsoft’s Internet Information Server by the very famous Code Red and Code Blue worms [SECF 02]. Therefore, Microsoft had to make software patches available to fix the vulnerabilities that were exploited by these Internet worms.

Examples of vulnerabilities belonging to this category are the following:

• The installed service pack is outdated. Vulnerabilities discovered after the specific service pack was installed on this system remain a potential threat unless they are patched by the latest service pack.
• An insecure logon method is allowed for a Web server, causing a threat that a user name and password may be sniffed through this method.

4.3.13 Security policy violations

This category involves vulnerabilities concerned with the risk that an Internet security policy has been violated. An Internet security policy is a set of security rules created internally by an organisation. It can specify how systems in the organisation should be configured to be on a security level that is acceptable for the organisation. One of the policy statements might specify, for example, that a user’s password will expire every 30 days. When a security policy violation is found, it means that a different configuration setting was detected on the system, which thus violates the prescribed policy setting. It is of the utmost importance, though, that management specify the security policy correctly before it is implemented electronically. The policy might be implemented correctly according to the policy document, but if the document specification is wrong, its electronic implementation will also be wrong! Examples of vulnerabilities belonging to this category are the following:

• The system’s event or security log is not restricted according to the system’s security policy. Anyone will thus be able to alter or delete the logs.
• The system’s screensaver lockout is not enabled according to the system’s security policy and will not automatically lock the system if the owner of the system neglected to lock the system himself/herself.
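The following is an added example (not from the thesis) of how such a policy can be implemented electronically and checked against a scanned configuration; the setting names, the observed values and the policy thresholds are constructed for the example and are not taken from any real policy or product.

```python
# Policy statements as (requirement type, required value). Each type maps to a
# small predicate below, so that "at most 30 days" and "must be enabled" are
# expressed the same way. Settings and values are constructed for the example.
POLICY = {
    "password_max_age_days": ("at_most", 30),
    "screensaver_lockout_enabled": ("equals", True),
    "security_log_modify_rights": ("subset_of", {"Administrators", "SYSTEM"}),
}

PREDICATES = {
    "at_most": lambda observed, required: observed <= required,
    "equals": lambda observed, required: observed == required,
    "subset_of": lambda observed, required: set(observed) <= set(required),
}

HARMONISED_CATEGORY = 13  # security policy violations (table 4.1)


def check_compliance(policy, observed):
    """Compare observed settings against the policy.

    Returns (violations, unassessed): violations is a list of dicts describing
    each setting whose observed value fails its predicate; unassessed lists
    policy settings the system did not report, which is not the same as
    compliance and must be shown separately.
    """
    violations, unassessed = [], []
    for setting, (kind, required) in policy.items():
        if setting not in observed:
            unassessed.append(setting)
            continue
        value = observed[setting]
        if not PREDICATES[kind](value, required):
            violations.append({
                "setting": setting,
                "observed": value,
                "required": f"{kind} {required}",
                "category": HARMONISED_CATEGORY,
            })
    return violations, unassessed


# Constructed scan result for one workstation: every setting violates the policy.
OBSERVED = {
    "password_max_age_days": 90,
    "screensaver_lockout_enabled": False,
    "security_log_modify_rights": {"Everyone"},
}

if __name__ == "__main__":
    found, missing = check_compliance(POLICY, OBSERVED)
    for v in found:
        print(f"VIOLATION {v['setting']}: observed {v['observed']}, required {v['required']}")
    print("not assessed:", missing)
```

The checker reports a violation only where the system reported a policy setting and that value fails its predicate; settings the scan did not report are listed separately as unassessed rather than silently counted as compliant. It cannot, of course, detect a policy that is itself wrong, which is the point made above about specifying the policy correctly before implementing it.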



4.4 STANDARDISATION OF VULNERABILITIES

After this research was initiated, a similar initiative evolved on the Web in which a common standard for the naming of vulnerabilities was introduced. This standard is referred to as the common vulnerabilities and exposures (CVE) standard [MITR 03]. CVE is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures. Using a common name makes it easier to share data across separate VS databases. While CVE may make it easier to search for common vulnerabilities, it should not be considered a vulnerability database in its own right, because it is only a common reference to the same vulnerabilities addressed by different VSs and is not necessarily an exhaustive list of all possible vulnerabilities. In addition, CVE does not provide for harmonised vulnerability categories as discussed in this chapter. CVE provides only a method of referencing the same vulnerabilities in different VSs. Harmonised vulnerability categories, however, attempt to provide a method of referencing the same categories of vulnerabilities across different VSs. In other words, where CVE attempts to standardise the naming of vulnerabilities across different VSs, harmonised vulnerability categories attempt to standardise the categorisation of vulnerabilities across different VSs.
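Added example, not from the thesis or from MITRE: matching two scanners' findings by CVE name, which is the data-sharing use of CVE described above. The finding names and CVE identifiers are constructed placeholders, not real entries; the handling of the CAN- candidate prefix reflects the naming MITRE used for candidates until 2005, a fact about CVE that the page does not state.

```python
import re

# CVE names have the form CVE-YYYY-NNNN (four or more digits; the sequence part
# was allowed to grow beyond four digits in 2014). Until 2005 MITRE issued
# candidates as CAN-YYYY-NNNN before promoting them to CVE entries; both forms
# denote the same vulnerability, so both are accepted and folded together.
CVE_PATTERN = re.compile(r"^(?:CVE|CAN)-(\d{4})-(\d{4,})$")


def normalise_cve(ref):
    """Return the canonical CVE-YYYY-NNNN form, or None if ref is not a CVE name."""
    if not ref:
        return None
    match = CVE_PATTERN.match(ref.strip().upper())
    if not match:
        return None
    return f"CVE-{match.group(1)}-{match.group(2)}"


def cross_reference(findings_a, findings_b):
    """Match two scanners' findings by CVE name.

    Each finding is a dict with the scanner's own 'name' for the check and an
    optional 'cve' reference. Findings without a usable reference cannot be
    matched at all, which is exactly the problem with a scanner that is not
    CVE-referenced: its results can only be compared with another scanner's
    by hand.
    """
    def index(findings):
        by_cve, unmatched = {}, []
        for finding in findings:
            cve = normalise_cve(finding.get("cve"))
            if cve:
                by_cve[cve] = finding["name"]
            else:
                unmatched.append(finding["name"])
        return by_cve, unmatched

    a, a_unmatched = index(findings_a)
    b, b_unmatched = index(findings_b)
    shared = sorted(set(a) & set(b))
    return {
        "shared": [(cve, a[cve], b[cve]) for cve in shared],
        "only_a": sorted(set(a) - set(b)),
        "only_b": sorted(set(b) - set(a)),
        "unmatched_a": a_unmatched,
        "unmatched_b": b_unmatched,
    }


# Constructed findings; the CVE names are placeholders, not real entries.
SCANNER_A = [
    {"name": "Anonymous FTP root directory is writable", "cve": "CVE-2001-1001"},
    {"name": "finger service reveals account names", "cve": "can-2001-1002"},
    {"name": "RAS detected on host", "cve": None},
]
SCANNER_B = [
    {"name": "FTP: world-writable anonymous area", "cve": "CAN-2001-1001"},
    {"name": "Null session user enumeration", "cve": "CVE-2001-1003"},
]

if __name__ == "__main__":
    result = cross_reference(SCANNER_A, SCANNER_B)
    for cve, name_a, name_b in result["shared"]:
        print(f"{cve}: '{name_a}' == '{name_b}'")
    print("unmatched (no CVE):", result["unmatched_a"] + result["unmatched_b"])
```

Note that the two scanners' names for the shared finding have nothing in common textually; only the CVE reference establishes that they are the same check, and the finding without a reference drops out of the comparison entirely.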

4.5 CONCLUSION

The harmonised vulnerability categories can serve as a useful management tool. These categories reflect the vulnerabilities in state-of-the-art VSs today as well as those vulnerabilities found in the current literature. The 13 harmonised categories will serve as generic categories for categorising vulnerabilities found in state-of-the-art VS tools. They will expand and evolve along with the evolution of information technology and its applications. Be that as it may, such a construction of harmonised vulnerability categories will contribute significantly to safer and better managed Internet information security in terms of providing a mechanism that can be used as a measure for identifying how different VS products comply with “standardised” vulnerability categories, referred to as harmonised vulnerability categories. The next chapter will demonstrate how harmonised vulnerability categories can be used to refer to the same vulnerability categories across different VS products.


CHAPTER 5 VULNERABILITY SCANNER PRODUCTS

5.1 INTRODUCTION

Due to the increasing public awareness of security issues on the Internet, there is a myriad of security products available on the software market today, and this number is increasing. Hence the dilemma when choosing the right security product for a particular organisation’s security needs. The focus of this chapter is to develop a better understanding of state-of-the-art VS products. There are many VS products available on the software market. As was pointed out in previous chapters, they often refer to the same vulnerability in different ways, and this makes it very difficult to see exactly which vulnerabilities are scanned for by the different VS products. This dilemma can be solved by using the framework of harmonised vulnerability categories [VEE2 03] as shown in the previous chapter in table 4.1. Other aspects of VS products are also considered in this chapter, for example the specific database structure of a VS, in an attempt to shed more light on the problems that the different VS products pose. The sections that follow discuss VS products in more detail. An overview of the state-of-the-art VS products is given. Some of these products are discussed in detail, with the emphasis on the databases that they employ.

5.2 VS PRODUCTS

It is important to be aware of the different VS products available on the software market before studying some of them in more detail. There are freeware as well as commercial versions of VS products available, and some products differ extensively from others. The section that follows lists some of the major role players in VS technology and attempts to place the different aspects of the products in perspective to each other.

5.2.1 VS product overview

The VS products discussed in this chapter are the best-known VS products available on the software market today. Table 5.1 shows a list of some of these VS products.

Table 5.1: State-of-the-art VS products

VS product                                                     Commercial or freeware   Reference
bv-Control                                                     Commercial               [BIND 03]
Cisco Secure Scanner                                           Commercial               [CSSC 03]
CyberCop Scanner 5.5                                           Commercial               [NETW 03]
Internet Security Scanner (ISS) 6.2.1                          Commercial               [ISSN 03]
Nessus Security Scanner                                        Freeware                 [DERA 03]
NetRecon 3.5                                                   Commercial               [SYMA 03]
Nmap 2.5                                                       Freeware                 [INSE 03]
Retina 4.7                                                     Commercial               [EEYE 03]
Security Administrator’s Integrated Network Tool (SAINT) 4.0   Commercial               [SAIN 03]
Security Analyzer 5.1                                          Commercial               [NETI 03]
STAT Scanner Professional                                      Commercial               [HARR 03]

The CyberCop Scanner, the Cisco Secure Scanner, the SAINT, the ISS and the Nessus Security Scanner will be discussed in more detail in the following five sections. The focus of the discussion of these products will not be to evaluate and compare them with each other, but rather to comment on the practical experience gained by the researcher while working with the products. This is followed by a discussion of each product’s vulnerability database in terms of how it differs from the others.

5.2.2 CyberCop Scanner
The CyberCop Scanner version 5.5 is discussed because it is well known and widely used for vulnerability scanning today. The creators of the CyberCop Scanner recently decided to replace their CyberCop Scanner VS product with a Web-based product known as CyberCop ASAP [MCAF 03]. A trial version of the current CyberCop Scanner software is still available for evaluation purposes.

5.2.2.1 Practical experience with the CyberCop Scanner

The CyberCop Scanner was installed on a Windows workstation and then set up to scan workstations, servers, hubs and switches connected to the network for the vulnerabilities specified in its vulnerability database. Depending on the size of the network, the CyberCop Scanner scans the network for several hours before the scan is complete. It then generates a report of several hundred pages. Figure 5.1 shows an extract of one of the vulnerabilities in this report.
Vulnerability ID: 30006

Description: Remote Access Service (RAS) detected on the host. RAS lets remote users use a telephone line and a modem to dial into a RAS server and use the resources of its network.

Security concerns: A person could be using RAS to gain access to a network from a remote location. This essentially creates a “backdoor” into a network which can bypass the network’s firewall, for example.

Rectification procedures: Investigate this host to identify if it is indeed an approved RAS host. If it is an approved RAS host, there may be ways to further secure the host. E.g., RAS can be configured to establish a connection only by automatically calling a user back. This ensures the telephone number of the user that is gaining access via this RAS host is known by the RAS server.

Figure 5.1: An extract from the CyberCop Scanner report

An advantage of the CyberCop Scanner report is that it contains good and detailed descriptions and rectification procedures. However, this report has some disadvantages. It is too long and will take days to study. It is also very technical and requires skilled human resources to rectify the vulnerabilities. The report also does not prioritise the vulnerabilities detected. Another disadvantage is that the CyberCop Scanner is not CVE-referenced.

5.2.2.2 CyberCop Scanner vulnerability database

Of the 13 harmonised vulnerability categories, categories 3, 4, 7, 10 and 11 are covered in very little detail, if at all, by the CyberCop Scanner’s vulnerability database, as shown in table 5.2.

5.2.3 Cisco Secure Scanner

The Cisco Secure Scanner version 2.0 [CSSC 03] is discussed because its vendor, Cisco, is probably the most renowned and established networking hardware manufacturer today. The creators of the Cisco Secure Scanner, however, recently announced that this product had reached end-of-life status [CEOS 03] and would no longer be available for sale. Nevertheless, the Cisco Secure Scanner was still chosen for discussion since it can run on multiple operating systems, scan for vulnerabilities on multiple operating systems, and will still be supported by Cisco for a limited period.


Table 5.2: Harmonised vulnerability categories covered by CyberCop Scanner

No.  Harmonised vulnerability category                      CyberCop Scanner
1    Password cracking and sniffing                         covered
2    Network and system information gathering               covered
3    User enumeration and information gathering             little or no coverage
4    Backdoors, Trojans and remote controlling              little or no coverage
5    Unauthorised access to remote connections & services   covered
6    Privilege and user escalation                          covered
7    Spoofing or masquerading                               little or no coverage
8    Misconfigurations                                      covered
9    Denial-of-services (DoS) and buffer overflows          covered
10   Viruses and worms                                      little or no coverage
11   Hardware specific                                      little or no coverage
12   Software specific and updates                          covered
13   Security policy violations                             covered
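As an added example (not the researcher's own tool), the computation behind coverage tables such as table 5.2: each check in a scanner's database is tagged with a harmonised category, checks are counted per category and scanner, and a category is reported as covered when the count reaches a threshold. The two scanner databases are constructed for the example and do not reproduce any real product's checks.

```python
# Harmonised vulnerability categories, numbered as in table 4.1.
CATEGORIES = {
    1: "Password cracking and sniffing",
    2: "Network and system information gathering",
    3: "User enumeration and information gathering",
    4: "Backdoors, Trojans and remote controlling",
    5: "Unauthorised access to remote connections & services",
    6: "Privilege and user escalation",
    7: "Spoofing or masquerading",
    8: "Misconfigurations",
    9: "Denial-of-services (DoS) and buffer overflows",
    10: "Viruses and worms",
    11: "Hardware specific",
    12: "Software specific and updates",
    13: "Security policy violations",
}

# Constructed scanner databases: each check is already tagged with the
# harmonised category assigned to it. The check names and assignments are
# illustrative and do not reproduce any product's real database.
SCANNERS = {
    "Scanner X": [
        ("Guessable FTP password", 1),
        ("Password file retrievable", 1),
        ("Routing table retrievable", 2),
        ("FTP SYST reveals OS", 2),
        ("Anonymous FTP root writable", 5),
        ("HTTP server runs commands as admin", 6),
        ("Registry permissions set to Everyone", 8),
        ("Web server disk can be filled", 9),
        ("Outdated service pack", 12),
        ("Security log not restricted", 13),
    ],
    "Scanner Y": [
        ("Finger lists accounts", 3),
        ("Null session enumeration", 3),
        ("Remote control tool without password", 4),
        ("Telnet guest login", 5),
        ("Router crash and reload", 11),
    ],
}


def coverage(scanners, categories=CATEGORIES, min_checks=1):
    """Count checks per harmonised category for each scanner.

    Returns {category_number: {scanner: (count, covered)}}. A category counts
    as covered when the scanner has at least min_checks checks in it; the
    threshold is where "very little detail, if at all" is made explicit.
    """
    table = {}
    for number in categories:
        table[number] = {}
        for scanner, checks in scanners.items():
            count = sum(1 for _, category in checks if category == number)
            table[number][scanner] = (count, count >= min_checks)
    return table


def gaps(scanners, **kwargs):
    """Category numbers each scanner leaves uncovered, in the form used in chapter 5."""
    table = coverage(scanners, **kwargs)
    return {s: [n for n in table if not table[n][s][1]] for s in scanners}


def render(scanners, categories=CATEGORIES, **kwargs):
    """Plain-text version of a coverage table, one column per scanner."""
    table = coverage(scanners, categories, **kwargs)
    names = list(scanners)
    width = max(len(title) for title in categories.values()) + 2
    lines = ["No.  " + "Harmonised vulnerability category".ljust(width)
             + "".join(name.ljust(18) for name in names)]
    for number, title in categories.items():
        cells = []
        for name in names:
            count, covered = table[number][name]
            cells.append((f"covered ({count})" if covered else "little/none").ljust(18))
        lines.append(f"{number:<4} " + title.ljust(width) + "".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SCANNERS))
    print("gaps:", gaps(SCANNERS))
```

With min_checks=1 a single check is enough to mark a category as covered; raising the threshold is how a category with only token coverage is reported as a gap rather than judged by hand.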

5.2.3.1 Practical experience with the Cisco Secure Scanner

The Cisco Secure Scanner was installed on a Windows workstation and then set up to scan workstations and servers connected to the network for the vulnerabilities specified in its vulnerability database. The Cisco Secure Scanner can run on Windows as well as on UNIX operating systems. Depending on the size of the network, the Cisco Secure Scanner scans the network for several hours before the scan completes and a large report is generated. Figure 5.2 shows an extract of one of the vulnerabilities in this report. One advantage of the Cisco Secure Scanner report is that it contains good and detailed descriptions, consequences and countermeasure procedures. One disadvantage of this report is that it requires effort to work through because of its size. Another disadvantage is that the Cisco Secure Scanner is not CVE-referenced.


FTP Directory and File Permissions

Description: File Transfer Protocol (FTP) is one protocol by which files can be transferred to and from remote computer systems. The user transferring a file usually needs authority to log in and access files on the remote system.

Consequences: A remote attacker may be able to perform reconnaissance, delete or modify files, or use the FTP server as a distribution mechanism for unwanted files, such as pornography or pirated software. The ability to write to the file system may be used to enable these attacks.

Countermeasure: Root should own all files in the FTP directory tree and the permissions should be set to 444. Executable files in the /bin directory should have the permissions set to 111. If you need to allow a user to upload files, the files should be set to be unreadable until they are reviewed. It is advisable that only one otherwise empty directory be made writeable so that users may upload files into it.

Figure 5.2: An extract from the Cisco Secure Scanner report

5.2.3.2 Cisco Secure Scanner vulnerability database

Of the 13 harmonised vulnerability categories, categories 3, 4, 7, 8, 10, 11, 12 and 13 are covered in very little detail, if at all, by the Cisco Secure Scanner’s vulnerability database, as shown in table 5.3.

Table 5.3: Harmonised vulnerability categories covered by Cisco Secure Scanner

No.  Harmonised vulnerability category                      Cisco Secure Scanner
1    Password cracking and sniffing                         covered
2    Network and system information gathering               covered
3    User enumeration and information gathering             little or no coverage
4    Backdoors, Trojans and remote controlling              little or no coverage
5    Unauthorised access to remote connections & services   covered
6    Privilege and user escalation                          covered
7    Spoofing or masquerading                               little or no coverage
8    Misconfigurations                                      little or no coverage
9    Denial-of-services (DoS) and buffer overflows          covered
10   Viruses and worms                                      little or no coverage
11   Hardware specific                                      little or no coverage
12   Software specific and updates                          little or no coverage
13   Security policy violations                             little or no coverage


5.2.4 SAINT
The Security Administrator’s Integrated Network Tool (SAINT) [SAIN 03] is discussed because it was freely available until recently and supports the use of CVE. The SAINT can run on UNIX and Linux operating systems and also scans for vulnerabilities on multiple operating systems. The SAINT is also available in an online version.

5.2.4.1 Practical experience with the SAINT

Because the SAINT incorporates CVE into its vulnerability database, standard vulnerability names are used. In addition, CVE’s web site also has more information available on how to fix the detected vulnerabilities. This is a major advantage of the SAINT. The disadvantage of the SAINT is that it categorises its vulnerabilities into 177 categories, which makes it difficult to work with. It is better to have fewer vulnerability categories that are more manageable, as the harmonised vulnerability categories suggest.

5.2.4.2 SAINT vulnerability database

Of the 13 harmonised vulnerability categories, categories 1, 3, 4, 7, 10, 11 and 13 are covered in very little detail, if at all, by the SAINT’s vulnerability database, as shown in table 5.4.

5.2.5 Internet Security Scanner (ISS)
The ISS version 6.2.1 is discussed because the ISS was one of the first VS products available on the software market. It is established and widely used in the industry today. There is an ISS version [ISSN 03] that can be downloaded from the Internet free of charge with full functionality, but it is limited to scanning only the host on which it is installed. The ISS supports the CVE standard to enable users to easily determine whether issues with different names are the same, and to allow for efficient sharing of security information. A CVE reference, however, may not exist for every vulnerability check used in the ISS and because of this CVE is only partially supported by the ISS.

VULNERABILITY SCANNER PRODUCTS

Table 5.4: Harmonised vulnerability categories covered by SAINT

No.  Harmonised vulnerability category                      SAINT
 1   Password cracking and sniffing                         little or none
 2   Network and system information gathering              yes
 3   User enumeration and information gathering            little or none
 4   Backdoors, Trojans and remote controlling              little or none
 5   Unauthorised access to remote connections & services  yes
 6   Privilege and user escalation                          yes
 7   Spoofing or masquerading                               little or none
 8   Misconfigurations                                      yes
 9   Denial-of-services (DoS) and buffer overflows          yes
10   Viruses and worms                                      little or none
11   Hardware specific                                      little or none
12   Software specific and updates                          yes
13   Security policy violations                             little or none

(yes = tick in the original table; little or none = covered in very little detail, if at all)

5.2.5.1 Practical experience with the ISS

The ISS was installed on a Windows workstation and then set up to scan workstations and servers connected to the network for the vulnerabilities as specified in its vulnerability database. The ISS runs on Windows and has a very good user interface, but it can also scan for vulnerabilities on other operating systems such as UNIX. Depending on the size of the network and the specific scan policy that is set up before the scan can commence, the ISS scans the network for vulnerabilities and is relatively fast. A scan on a Windows workstation was completed in just over four minutes before a report was generated. Figure 5.3 shows an extract of one of the vulnerabilities in this report.

Modem detected and active (Active Modem)
Risk Level: Medium
Platforms: Windows NT, Windows 95, Windows 98, Windows 2000, Windows ME
Description: An active modem driver was detected. This situation only occurs when the modem is in use, or when the modem driver program is active. Modems can be a sign of an unauthorized channel around your firewall. Attackers could use a modem within the network to circumvent network security.
Remedy: The modem must not be active while the computer is attached to the network. You may want to minimize the impact of a security breach caused by an unauthorized modem use by limiting which systems trust the computer using the modem. If using a modem on the network is required, configure all Remote Access Setup ports so that the port usage can dial-out only. Verify that your dial-out network configuration protocols match exactly the protocols you need to access the remote network. Review share permissions and account security to verify that the file system is not accessible from a remote location.
References: ISS X-Force Modem detected and active http://xforce.iss.net/static/1292.php

Figure 5.3: An extract from the ISS report

The advantages of the ISS report are that it contains good and detailed descriptions and remedy procedures. In addition, a reference to additional information for the specific vulnerability detected is provided, as well as information on which operating system platforms the particular vulnerability can occur. Another major advantage is that the ISS classifies the particular vulnerability into a low-, medium-, or high-risk factor so that the rectification of vulnerabilities can be prioritised. The disadvantage of this report is that it requires effort to work through because of its large size.

5.2.5.2 ISS vulnerability database

Of the 13 harmonised vulnerability categories, categories 3, 6, 7, 8 and 10 are covered in very little detail, if at all, by the ISS’s vulnerability database, as shown in table 5.5 below.

Table 5.5: Harmonised vulnerability categories covered by ISS

No.  Harmonised vulnerability category                      ISS
 1   Password cracking and sniffing                         yes
 2   Network and system information gathering              yes
 3   User enumeration and information gathering            little or none
 4   Backdoors, Trojans and remote controlling              yes
 5   Unauthorised access to remote connections & services  yes
 6   Privilege and user escalation                          little or none
 7   Spoofing or masquerading                               little or none
 8   Misconfigurations                                      little or none
 9   Denial-of-services (DoS) and buffer overflows          yes
10   Viruses and worms                                      little or none
11   Hardware specific                                      yes
12   Software specific and updates                          yes
13   Security policy violations                             yes

(yes = tick in the original table; little or none = covered in very little detail, if at all)

5.2.6 Nessus Security Scanner
The Nessus Security Scanner is discussed because it is a widely known freeware product [TALI 00]. The Nessus Security Scanner executes mainly on UNIX-based platforms, but it can scan for vulnerabilities on multiple operating system platforms. The Nessus Security Scanner is built upon a client-server architecture where the server works on a UNIX-based platform. Different clients are available that can run on a UNIX or Windows operating system platform. The Nessus Security Scanner also supports CVE references.

5.2.6.1 Practical experience with the Nessus Security Scanner

The Nessus Security Scanner works on the concept of a plug-in architecture. This means that there is a plug-in for each vulnerability that the Nessus Security Scanner can check for. This way, it is easy to add new vulnerability signatures as external plug-ins when they become available. These can simply be downloaded from the Nessus Security Scanner web site [DERA 03] via FTP.

It is also possible to add customised vulnerability signatures. To be able to do this, the Nessus Security Scanner includes the Nessus Attack Scripting Language (NASL), which is a language designed to write customised vulnerability signatures easily and quickly. These plug-ins then also constitute the vulnerability database for the Nessus Security Scanner.

The main advantage of the Nessus Security Scanner is that it is very fast. The vulnerability tests performed by the Nessus Security Scanner co-operate so that nothing is done that is not necessary. For example, if an FTP server is found not to offer anonymous logins, then anonymous-related vulnerability checks will not be attempted or performed for anonymous FTP vulnerabilities, which saves time. Some VS products will attempt to scan for anonymous FTP vulnerabilities, if their scan policies were set up to do that, even if no anonymous FTP vulnerabilities are present. This causes those VS products to waste valuable time since they will not continue to scan for the next vulnerability, as defined by their scan policy, until scanning for anonymous FTP vulnerabilities has timed out.

Another advantage of the Nessus Security Scanner is that it categorises the risk level of each vulnerability from low to very high in the report that it generates, enabling the prioritisation of the urgency of fixing the vulnerabilities found. The disadvantage of this report, however, is that it requires effort to work through because of its large size.

5.2.6.2 Nessus Security Scanner vulnerability database

Of the 13 harmonised vulnerability categories, categories 1, 3, 7, 8, 10, 11 and 13 are covered in very little detail, if at all, by the Nessus Security Scanner’s vulnerability database, as shown in table 5.6.

Table 5.6: Harmonised vulnerability categories covered by Nessus Security Scanner

No.  Harmonised vulnerability category                      Nessus Security Scanner
 1   Password cracking and sniffing                         little or none
 2   Network and system information gathering              yes
 3   User enumeration and information gathering            little or none
 4   Backdoors, Trojans and remote controlling              yes
 5   Unauthorised access to remote connections & services  yes
 6   Privilege and user escalation                          yes
 7   Spoofing or masquerading                               little or none
 8   Misconfigurations                                      little or none
 9   Denial-of-services (DoS) and buffer overflows          yes
10   Viruses and worms                                      little or none
11   Hardware specific                                      little or none
12   Software specific and updates                          yes
13   Security policy violations                             little or none

(yes = tick in the original table; little or none = covered in very little detail, if at all)

5.3 SUMMARY OF CURRENT VS PRODUCTS
In the previous sections different VS products were discussed. In essence, all these products have one main goal: identifying vulnerabilities. However, the way in which these VS products go about accomplishing this goal often differs extensively from one VS product to another. In addition, these different VS products do not all scan for exactly the same types of vulnerabilities. Fortunately, by making use of harmonised vulnerability categories [VEE2 03], a measure is available to identify how the different VS products comply with harmonised vulnerability categories. Figure 5.4 shows a mapping, compiled during this research project, of the vulnerabilities found for each of the five VS products discussed in the previous sections onto the harmonised vulnerability categories. The mapping process was done for each individual VS product. The vulnerability database of a specific VS product was carefully dissected by studying each vulnerability as defined in the vulnerability database. A particular vulnerability was then allocated to one of the 13 harmonised vulnerability categories.
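As an added illustration that is not the thesis's own code, the following Python script performs this allocation step for two constructed sample databases, tallies the result per harmonised category as figure 5.4 does, reduces it to the covered / "little or none" view of tables 5.3 to 5.6, and adds a normalised share column in the spirit of section 5.3.2. The keyword rules, the sample entries and the coverage threshold are assumptions made for this example; the thesis allocated each entry by hand.

```python
"""
Added example, not from the thesis: mapping a VS product's vulnerability
database onto the 13 harmonised vulnerability categories and tallying the
result.  The keyword rules, the sample databases and the coverage
threshold are constructed for illustration.
"""
import re
from collections import Counter

# The 13 harmonised vulnerability categories, numbered as in the thesis.
HARMONISED = {
    1: "Password cracking and sniffing",
    2: "Network and system information gathering",
    3: "User enumeration and information gathering",
    4: "Backdoors, Trojans and remote controlling",
    5: "Unauthorised access to remote connections & services",
    6: "Privilege and user escalation",
    7: "Spoofing or masquerading",
    8: "Misconfigurations",
    9: "Denial-of-services (DoS) and buffer overflows",
    10: "Viruses and worms",
    11: "Hardware specific",
    12: "Software specific and updates",
    13: "Security policy violations",
}

# Constructed keyword rules; first match wins, so the more specific
# patterns (worms, backdoors, policy) come before the generic ones.
RULES = [
    (1, r"\b(password (crack\w*|sniff\w*)|cleartext password)\b"),
    (10, r"\b(virus|worm)\b"),
    (4, r"\b(backdoor|trojan|back orifice|netbus|pc ?anywhere|remote access)\b"),
    (9, r"\b(denial of service|dos|buffer overflow)\b"),
    (13, r"\bpolicy\b"),
    (8, r"\b(default (password|setting)s?|world-readable|misconfigur\w*)\b"),
    (3, r"\b(user enumeration|users registered|finger)\b"),
    (2, r"\b(information gathering|banner|rpc|cgi|traceroute)\b"),
    (6, r"\b(privilege|escalat\w*)\b"),
    (7, r"\b(spoof\w*|masquerad\w*)\b"),
    (5, r"\b(unauthori[sz]ed access|anonymous (ftp|login))\b"),
    (11, r"\b(modem|router|switch|firmware)\b"),
    (12, r"\b(patch|update|hotfix|version)\b"),
]


def categorise(entry):
    """Allocate one vulnerability-database entry to a harmonised category
    number, or None when no rule applies (left for manual allocation)."""
    text = entry.lower()
    for category, pattern in RULES:
        if re.search(pattern, text):
            return category
    return None


def map_database(entries):
    """Signatures per harmonised category for one VS product: one bar
    group of figure 5.4."""
    counts = Counter()
    for entry in entries:
        category = categorise(entry)
        if category is not None:
            counts[category] += 1
    return counts


def coverage(counts, threshold=2):
    """The tables 5.3 to 5.6 view: a category with fewer than `threshold`
    signatures is taken as covered in very little detail, if at all."""
    return {c: "yes" if counts[c] >= threshold else "little or none"
            for c in HARMONISED}


def share_of_database(counts):
    """Per-category share of the whole database.  Section 5.3.2 argues that
    a raw count may simply reflect a larger database, so this normalised
    view is a useful second column beside the figure 5.4 counts."""
    total = sum(counts.values())
    return {c: (counts[c] / total if total else 0.0) for c in HARMONISED}


# Constructed sample databases, worded like the report extracts in the
# chapter; they are not the real products' signature lists.
SAMPLE_DATABASES = {
    "Scanner A": [
        "Back Orifice backdoor found",
        "NetBus backdoor found",
        "Windows NT remote access service (RAS) enabled",
        "Default passwords found for several applications",
        "Password policy not sufficient",
        "System auditing policy not set up",
        "IIS HTTP denial of service",
        "Users registered on the system can be listed",
    ],
    "Scanner B": [
        "Back Orifice backdoor found",
        "CGI information gathering",
        "RPC portmapper information gathering",
        "FTP banner information gathering",
        "Sendmail buffer overflow",
        "Code Red worm signature",
    ],
}
```

Calling map_database, coverage and share_of_database on each entry of SAMPLE_DATABASES gives one row per harmonised category per product, which is the data behind a figure 5.4 style chart.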

5.3.1 Mapping onto harmonised vulnerability categories
[Figure 5.4: bar chart. Y-axis: Number of vulnerabilities scanned for (0 to 300). X-axis: Harmonised vulnerability category number (1 to 13). Series: CyberCop Scanner, Cisco Secure Scanner, SAINT, Internet Security Scanner, Nessus Security Scanner.]
Figure 5.4: Vulnerability mapping of different VS products onto the harmonised vulnerability categories

From figure 5.4 it is clear that the different VS products comply differently with the 13 harmonised vulnerability categories. For example, the Nessus Security Scanner can detect far more network and system information gathering (category 2) vulnerabilities than all the other VS products. The CyberCop Scanner, on the other hand, outperforms all the other VS products when detecting misconfiguration (category 8) vulnerabilities. In addition, only one VS product, namely the Nessus Security Scanner, scans for viruses and worms (category 10) and only for a very limited number of viruses and worms. In almost all the harmonised vulnerability categories, the ISS scans for more vulnerabilities than the other VS products. The ISS, therefore, seems to be the VS product with the highest number of vulnerabilities that it can scan for across the harmonised vulnerability categories. In figure 5.4, significant differences can be noticed in some harmonised vulnerability categories between the number of vulnerabilities that can be scanned for by the different VS products. The following section will elaborate on and discuss the significance of these differences.

5.3.2 Differences in VS products
More might be read into the data displayed in figure 5.4. The harmonised vulnerability categories 2, 4, 8, 9 and 13, as shown in figure 5.4, will be discussed in more detail to examine why there are such major differences in the number of vulnerabilities that each of the VS products can scan for. These five harmonised vulnerability categories were specifically chosen because there is a considerable difference in the number of vulnerabilities that can be scanned for by the particular VS that is able to scan for the highest number of vulnerabilities, and the VS that is able to scan for the second highest number of vulnerabilities for each specific category.

The sections that follow will briefly look at these differences and discuss the significance of each.

5.3.2.1 Category 2: Network and system information gathering

An extract from figure 5.4 of harmonised vulnerability category 2, network and system information gathering, is shown in figure 5.5.

[Figure 5.5: horizontal bar chart, "Network and system information gathering"; one bar each for CyberCop Scanner, Cisco Secure Scanner, SAINT, Internet Security Scanner and Nessus Security Scanner; x-axis: Number of vulnerabilities scanned for (0 to 300).]

Figure 5.5: Number of vulnerabilities scanned for by different VS products for harmonised vulnerability category 2: network and system information gathering

The Nessus Security Scanner scans for the highest number of network and system information gathering vulnerabilities (294), while the ISS scans for the second highest (119) in this harmonised vulnerability category. To ascertain whether this difference is really that significant, examples of the most important network and system information gathering vulnerabilities for each of these two VS products are given in table 5.7.

Table 5.7: Important network and system information gathering vulnerabilities

Nessus Security Scanner:
- Gathering information about the common gateway interface (CGI) of a Web server
- Gathering information about remote procedure call (RPC) services
- Gathering information about the file transfer protocol (FTP) service

ISS:
- Gathering information about the users registered on a system
- Gathering information about different services installed on a system
- Gathering information about the physical route that can be traced to a system

Gathering information about users as performed by the ISS is perhaps a more important vulnerability than the gathering of CGI information by the Nessus Security Scanner. Gathering information about users should therefore be given higher priority. As clearly shown in figure 5.5, the ISS detects far fewer network and system information gathering vulnerabilities than the Nessus Security Scanner. The Nessus Security Scanner scans for more vulnerabilities than the ISS over all the harmonised vulnerability categories in total. In this case the major difference in the number of network and system information gathering vulnerabilities that these two VS products are able to detect is not significant.

5.3.2.2 Category 4: Backdoors, Trojans and remote controlling

An extract from figure 5.4 of harmonised vulnerability category 4, backdoors, Trojans and remote controlling, is shown in figure 5.6. The ISS scans for the highest number of backdoors, Trojans and remote controlling vulnerabilities (122), while the Nessus Security Scanner scans for the second highest (78) in this harmonised vulnerability category. To ascertain whether this difference is significant, examples of the most important backdoors, Trojans and remote controlling vulnerabilities for each of these two VS products are given in table 5.8.

[Figure 5.6: horizontal bar chart, "Backdoors, Trojans and remote controlling"; one bar each for CyberCop Scanner, Cisco Secure Scanner, SAINT, Internet Security Scanner and Nessus Security Scanner; x-axis: Number of vulnerabilities scanned for (0 to 300).]

Figure 5.6: Number of vulnerabilities scanned for by different VS products for harmonised vulnerability category 4: backdoors, Trojans, and remote controlling

Table 5.8: Important backdoors, Trojans, and remote controlling vulnerabilities

ISS:
- Back Orifice backdoor found
- Netbus backdoor found
- Windows NT remote access service (RAS) enabled

Nessus Security Scanner:
- Back Orifice backdoor found
- Netbus backdoor found
- PC Anywhere remote administration tool found

Both the ISS and the Nessus Security Scanner are able to detect more or less the same important backdoors, Trojans, and remote controlling vulnerabilities. Figure 5.6, however, shows that the Nessus Security Scanner detects fewer backdoors, Trojans, and remote controlling vulnerabilities than the ISS. In this case the difference in the number of backdoors, Trojans, and remote controlling vulnerabilities that these two VS products are able to detect is definitely significant, with the ISS being the best. The difference in the number of vulnerabilities is very large.

5.3.2.3 Category 8: Misconfigurations

An extract from figure 5.4 of harmonised vulnerability category 8, misconfigurations, is shown in figure 5.7. The CyberCop Scanner scans for the highest number of misconfiguration vulnerabilities (255), while the Nessus Security Scanner scans for the second highest (41) in this harmonised vulnerability category. To ascertain whether this difference is significant, examples of the most important misconfiguration vulnerabilities for each of these two VS products are given in table 5.9.

[Figure 5.7: horizontal bar chart, "Misconfigurations"; one bar each for CyberCop Scanner, Cisco Secure Scanner, SAINT, Internet Security Scanner and Nessus Security Scanner; x-axis: Number of vulnerabilities scanned for (0 to 300).]

Figure 5.7: Number of vulnerabilities scanned for by different VS products for harmonised vulnerability category 8: misconfigurations

Table 5.9: Important misconfiguration vulnerabilities

CyberCop Scanner:
- Default passwords, usernames and/or settings were found for different applications
- Internet Control Message Protocol (ICMP) enabled
- NetBIOS shares found on the system with world-readable permissions

Nessus Security Scanner:
- Default passwords, usernames and/or settings were found for different applications
- Some ICMP settings enabled
- SMB shares found on the system with world-readable permissions

Both the CyberCop Scanner and the Nessus Security Scanner are able to detect more or less the same important misconfiguration vulnerabilities. As clearly shown in figure 5.7, however, the Nessus Security Scanner detects far fewer misconfiguration vulnerabilities than the CyberCop Scanner. The big difference in the number of misconfiguration vulnerabilities that these two VS products can detect is attributed to the fact that the entire vulnerability database of the CyberCop Scanner contains so many more vulnerability signatures than that of the Nessus Security Scanner. In this case the major difference in the number of misconfiguration vulnerabilities that these two VS products are able to detect is definitely significant and favours the CyberCop Scanner.

5.3.2.4 Category 9: Denial-of-services (DoS) and buffer overflows

An extract from figure 5.4 of harmonised vulnerability category 9, denial-of-services (DoS) and buffer overflows, is shown in figure 5.8.

[Figure 5.8: horizontal bar chart, "Denial-of-services (DoS) and buffer overflows"; one bar each for CyberCop Scanner, Cisco Secure Scanner, SAINT, Internet Security Scanner and Nessus Security Scanner; x-axis: Number of vulnerabilities scanned for (0 to 300).]

Figure 5.8: Number of vulnerabilities scanned for by different VS products for harmonised vulnerability category 9: denial-of-services (DoS) and buffer overflows

The Nessus Security Scanner scans for the highest number of denial-of-service (DoS) and buffer overflow vulnerabilities (192), while the SAINT scans for the second highest (110) in this harmonised vulnerability category. To ascertain whether this difference is significant, examples of the most important denial-of-service (DoS) and buffer overflow vulnerabilities for each of these two VS products are given in table 5.10.

Table 5.10: Important denial-of-service (DoS) and buffer overflow vulnerabilities

Nessus Security Scanner:
- Microsoft Internet Information Server (IIS) and other HTTP-based DoS vulnerabilities found
- Berkeley Internet Name Domain (BIND) and domain name service (DNS) DoS vulnerabilities found
- Different Web service DoS vulnerabilities found

SAINT:
- Different hardware application buffer overflow vulnerabilities found
- DNS DoS vulnerabilities found
- Different database application and SQL buffer overflow vulnerabilities found

The Nessus Security Scanner can detect Microsoft IIS and BIND DoS vulnerabilities, which have more serious consequences than the hardware buffer overflow vulnerabilities detected by the SAINT. Detecting Microsoft IIS and BIND DoS vulnerabilities should therefore be given a higher priority. Figure 5.8 clearly shows that the SAINT detects far fewer denial-of-service (DoS) and buffer overflow vulnerabilities than the Nessus Security Scanner. The SAINT’s vulnerability database is almost three times smaller than that of the Nessus Security Scanner in terms of the total number of vulnerabilities it can detect over all harmonised vulnerability categories. In this case the difference in the number of denial-of-service (DoS) and buffer overflow vulnerabilities that these two VS products are able to detect is definitely significant, with the Nessus Security Scanner being the best. It should also be mentioned that because the SAINT’s vulnerability database is significantly smaller than that of the Nessus Security Scanner, it can be argued that the Nessus Security Scanner detects more denial-of-service (DoS) and buffer overflow vulnerabilities that are not as important, in the researcher’s opinion.

5.3.2.5 Category 13: Security policy violations

An extract from figure 5.4 of harmonised vulnerability category 13, security policy violations, is shown in figure 5.9.

[Figure 5.9: horizontal bar chart, "Security policy violations"; one bar each for CyberCop Scanner, Cisco Secure Scanner, SAINT, Internet Security Scanner and Nessus Security Scanner; x-axis: Number of vulnerabilities scanned for (0 to 300).]

Figure 5.9: Number of vulnerabilities scanned for by different VS products for harmonised vulnerability category 13: security policy violations

The ISS scans for the highest number of security policy violations vulnerabilities (104), while the CyberCop Scanner scans for the second highest (59) in this harmonised vulnerability category. To ascertain whether this difference is significant, examples of the most important security policy violations vulnerabilities for each of these two VS products are given in table 5.11 below.

Table 5.11: Important security policy violations vulnerabilities

ISS:
- Password policy not sufficient
- System auditing policy not set up
- Hardware access policy too lenient

CyberCop Scanner:
- Password policy not sufficient
- System event log or auditing policy not set up
- Account access policy too lenient

Both the ISS and the CyberCop Scanner are able to detect more or less the same important security policy violations vulnerabilities. As shown in figure 5.9, the CyberCop Scanner detects fewer security policy violations vulnerabilities than the ISS. In this case the difference in the number of security policy violations vulnerabilities that these two VS products are able to detect is definitely significant, with the ISS performing the best.

5.4 CONCLUSION
This chapter discussed different VS products and looked at how each product differs in the way that it can scan for vulnerabilities. A useful means of dealing with the different ways in which vulnerabilities are scanned for is to find a common way of referring to vulnerabilities amongst different VS products. This can be accomplished by using CVE. CVE, however, still does not solve the problem of knowing which vulnerabilities different VS products scan for, because CVE does not categorise vulnerabilities. This problem can be solved by using harmonised vulnerability categories. A mapping from a specific VS product’s vulnerability database onto the harmonised vulnerability categories is a process that needs to be carried out for each VS product considered for implementation by an organisation. Harmonised vulnerability categories prove to be a supporting mechanism for reviewing different VS products to determine how a specific VS product addresses the scope of vulnerabilities as defined by the harmonised vulnerability categories.

VS products can differ extensively from each other in terms of the number of vulnerabilities that each VS is able to detect. This is mainly because some VS products employ a vulnerability database containing many vulnerability signatures while other VS products employ a small vulnerability database. Although a specific VS product may contain a large vulnerability database, many of its vulnerability signatures may be outdated or not so important. The importance factor of vulnerabilities in the harmonised vulnerability categories is addressed in the current research project by priority levels, which will be discussed in the next chapter.


CHAPTER 6 VULNERABILITY FORECASTING – A CONCEPTUAL MODEL
__________________________________

6.1 INTRODUCTION
The previous chapters discussed different state-of-the-art information security technologies that can be used to secure computer systems and networks, such as intrusion detection systems (IDSs) and vulnerability scanners (VSs). These specific information security technologies were discussed because they have contributed significantly to the field of information security in recent times and they are the latest developments in information security. It was VSs, however, that attracted the attention of the researcher because they follow a proactive approach to finding and minimising vulnerabilities, whereas IDSs follow a reactive approach. The proactive approach to finding and minimising vulnerabilities is considered to be a better approach, because it is based on the principle of prevention being better than cure. Although the proactive behaviour of VSs is a positive point, there are still many problems with state-of-the-art VSs. This chapter will identify these problems and suggest which of them will be addressed in this research. A conceptual model is then introduced that will address some of these problems and a functional discussion of what the conceptual model is trying to achieve is given.

6.2 PROBLEMS WITH STATE-OF-THE-ART VSS
Despite their many shortcomings, VSs have proven successful in combating most vulnerabilities. One of their biggest drawbacks, however, is the fact that they have to “recognise” a vulnerability before they can detect it, and for a VS to “recognise” a vulnerability, it must have access to a list featuring the “signature” of the vulnerability in question. This list is commonly referred to as a vulnerability database. If a completely new vulnerability is identified, the vulnerability database has to be updated with the signature of the said new vulnerability. After adding the signature of the new vulnerability to the vulnerability database, the network needs to be scanned again to ensure that it does not contain the newly identified vulnerability, especially since new vulnerabilities appear like clockwork. For this reason, the network of an organisation needs to be scanned on a daily basis, failing which its VS would be rendered obsolete.

When conducting a scan, a VS generally occupies a vast number of network and system resources. For this reason, a scanning exercise not only becomes too costly to undertake every day, but also too time-consuming, especially in view of the fact that a single scan conducted on a relatively small network could last for hours. In this way, the network utilisation may, on occasion, come to an abrupt halt when checking for denial-of-service vulnerabilities. To make matters worse, it is considered critical for distributed applications, such as online reservation systems, to utilise all of their available network bandwidth, as insufficient bandwidth could cause such applications to fail. In addition, when scanning for password vulnerabilities, the processing ability of a system may be impeded to the extent of compromising the processing capacity required for mission-critical tasks.

VSs also lack intelligence [SCHN 00] in the sense that they are unable to automatically identify new vulnerabilities and automatically update the vulnerability database accordingly. In addition, specialised skills are required to interpret and productively apply the results of a scan conducted by a VS.

The model and structure of specific VS products differ extensively. For example, Nessus Security Scanner [DERA 03] is a VS product that includes the Nessus Attack Scripting Language (NASL), which is a language designed to write customised vulnerability signatures easily and quickly. Each such signature is then added as a plug-in to Nessus Security Scanner. These plug-ins also comprise the vulnerability database for Nessus Security Scanner. This is in contrast to other VS products, for example Internet Security Scanner (ISS) [ISSN 03], which has a conventional database, i.e. in the Microsoft Access Database format, in which its vulnerabilities are stored. As new vulnerabilities emerge, this conventional database is updated or replaced rather than new s
