12.1. Automated Security Monitoring

Practically every day, computer security professionals discover vulnerabilities, holes, and gaps you could drive a truck through in various systems. All this information is published in Bugtraq reports on various servers; one site where these reports can be found is www.securityfocus.com. But besides the new vulnerabilities, there are plenty of old ones that may not have been patched on the server you are dealing with. How can you find out which vulnerabilities a given server has? Is there a way other than downloading all the exploits and trying them manually? Of course there is. A great variety of programs will test a server for vulnerabilities automatically; the best known of these are SATAN, Internet Scanner, NetSonar, and CyberCop Scanner.

I will not recommend any specific program. No utility has a database of all existing vulnerabilities, so download several programs and test the server with all of them; this greatly improves your chances of discovering paths that could be used for a break-in. That said, I do recommend the software from Internet Security Systems (ISS) (www.iss.net), because this company's scanners (Internet Scanner, System Scanner, and Database Scanner) use all three scanning techniques, which I describe later. ISS works closely with Microsoft and regularly updates its vulnerability database. Although most of the company's products are intended for detecting vulnerabilities in Microsoft software, it also produces security software for other servers.

ISS has developed a suite of utilities named SAFEsuite. The suite contains not only system-security testing utilities but also intrusion-detection utilities and utilities to check the configuration of the main server operating systems.

Security scanners are like antivirus programs: they protect only against known threats. A new vulnerability will not be detected until the program's database is updated. For this reason, I don't recommend relying only on automatic security scanners; supplement them by manually checking for the latest vulnerabilities described in Bugtraq.

Automatic scanners are good for an initial sweep for old vulnerabilities. If you are a system administrator and a scan detects vulnerabilities in your system, update the software component containing the vulnerability, or check one of the security sites (e.g., www.securityfocus.com) for ways to neutralize the vulnerabilities discovered. Almost always, the remedy is described together with the vulnerability itself. The scanning program may also suggest a fix if it has one in its solution database.

Why can't you be certain that the server has no vulnerabilities even after the most exhaustive and thorough scanning comes out negative? In addition to new vulnerabilities, there is the factor of the server's configuration. Each server is configured differently, and under certain conditions a vulnerability that can be easily detected manually may be overlooked by an automatic scanner.

Each scanner employs its own techniques and means, and vulnerabilities missed by one scanner may be detected by another. Computer-security professionals like to use the apartment analogy. Suppose you came to visit a friend and rang his doorbell, but nobody opened the door. This does not mean that no one was at home; the owner may not have heard the doorbell, or it may have been out of order. Had you called him on the phone instead, he might have heard it and answered. Or it could be the other way around: the friend could miss the phone call but hear the doorbell.

In the same way, one vulnerability-detection technique may produce positive results, and another may show negative ones. To return to the automatic scanners, one scanner is like the phone call and another one is like the doorbell. They both produce results, but with different server configurations one may be better than the other.

There are three methods of automatic vulnerability detection: scanning, probing, and imitating. During scanning, the utility collects information about the server, scans the ports to find out which services are installed, and based on these results produces a report about the potential vulnerabilities. For example, a scanner can check a server and discover that port 21 is used by the FTP service. When the scanner connects to the port, the server issues a greeting banner, from which its type and version can be determined (provided that the banner has not been modified by the administrator). The scanner then checks its database for vulnerabilities in the given server version and, if it finds any, reports them.

Automatic scanning is far from an exact science and can be fooled easily; moreover, automatic scanning may produce false alarms showing a vulnerability where there is none. Some vulnerabilities can only be detected with certain configurations and will not be noticed with others.

During probing, the utility does not scan the server for open ports; it scans the installed programs for vulnerable code. This is similar to the way antivirus programs work, which scan all programs for virus code; here the same thing takes place, only the object of the search is vulnerable code. The method is effective, but the same type of error (e.g., a buffer overflow) can be present in programs written in different languages, and it does not look the same in each of them. A signature for one program's mistake will not match the same mistake in another, so the scanner will not detect it.

The imitation method involves the utility imitating the attacks it has in its database. For example, an FTP server may suffer a buffer overflow when a certain command is executed. The scanner will not try to detect the server's version; it will execute the command instead. This may hang or crash the server, so run such a scan against a test installation or in a maintenance window, but afterwards you will know for certain whether the server has this particular vulnerability. This method is the lengthiest but also the most reliable, because if the utility can break a service, a hacker can do it too.

If you have a new FTP server installed that is unknown to the scanner, it will be tested for errors that other FTP servers have. Different programmers often make the same errors. Simple scanning will not detect these vulnerabilities because they are not listed in the database for the given version of the FTP server.
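As an added example (not from the book, and not code from any of the scanners it names), the following Python script contrasts the scanning method described above (grab the FTP greeting, look the product and version up in a database) with the imitation method (actually send an oversized command and see whether the service survives). The product name "ExampleFTPd", the database entry, and the MockFTPServer are all constructed for this example so that it runs offline; against a real server the imitation step may genuinely knock the service over, exactly as the text warns.

```python
import re
import socket
import threading

# Constructed, hypothetical vulnerability database keyed by (product, version).
# The product name and the note are placeholders for this example, not real
# advisories; a real scanner ships thousands of such entries.
BANNER_DB = {
    ("ExampleFTPd", "1.0"): "long USER argument crashes the daemon (constructed entry)",
}

# Matches a greeting such as "220 ExampleFTPd 1.0 ready"; a banner the
# administrator has replaced with custom text will simply not match.
BANNER_RE = re.compile(r"^220[ -](?P<product>[A-Za-z0-9_]+)\s+(?P<version>\d[\d.]*)")


def parse_banner(banner):
    """Scanning step: recover product and version from the FTP greeting."""
    m = BANNER_RE.match(banner.strip())
    return (m.group("product"), m.group("version")) if m else None


def scan_by_banner(banner):
    """Look the parsed banner up in the database. Returns the matching notes;
    an unknown or modified banner yields nothing, which is not proof of safety."""
    key = parse_banner(banner)
    return [BANNER_DB[key]] if key in BANNER_DB else []


def grab_banner(host, port, timeout=3.0):
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(512).decode(errors="replace")


def imitate_long_user(host, port, length=4096, timeout=3.0):
    """Imitation step: really send an oversized USER argument and watch whether
    the service survives. True means the connection died, i.e. the service
    broke; against a vulnerable daemon this is a genuine crash, not a guess."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(512)  # discard the greeting
        s.sendall(b"USER " + b"A" * length + b"\r\n")
        try:
            return s.recv(512) == b""  # b"" means the peer closed on us
        except (ConnectionResetError, socket.timeout):
            return True


class MockFTPServer:
    """Constructed stand-in for a daemon that dies on a USER argument longer
    than max_user bytes. It exists only so the example runs offline."""

    def __init__(self, banner, max_user=256):
        self.banner, self.max_user = banner, max_user
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listening socket was closed
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:
            conn.sendall(self.banner.encode())
            line = b""
            while b"\n" not in line:  # a long command may arrive in pieces
                chunk = conn.recv(8192)
                if not chunk:
                    return
                line += chunk
            if line.startswith(b"USER ") and len(line) - len(b"USER \r\n") > self.max_user:
                return  # "crash": close the connection without answering
            conn.sendall(b"331 Password required\r\n")

    def close(self):
        self.sock.close()


def assess(host, port):
    """Run the passive banner check first, then the active imitation."""
    banner = grab_banner(host, port)
    return {
        "banner": banner.strip(),
        "database_hits": scan_by_banner(banner),
        "crashed_on_long_user": imitate_long_user(host, port),
    }


if __name__ == "__main__":
    server = MockFTPServer("220 ExampleFTPd 1.0 ready\r\n")
    print(assess("127.0.0.1", server.port))
    server.close()
```

The banner check can come back empty for two very different reasons: the server is patched, or the administrator changed the greeting text. Only the active probe tells those cases apart, and only at the price of possibly taking the service down, which is exactly the trade-off between the scanning and imitation methods.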

Do not let the firewall get in the way of a system scan. If it blocks the scanner, the scan may never reach the service in question and will report no vulnerabilities where they may well exist. The safest way to achieve this is to permit the scanner's address through the firewall or to run the scanner from a host behind it; switching the firewall off for the duration exposes the server to everyone else at the same time, so do that only on an isolated test network. Vulnerabilities hidden behind the firewall are not critical as long as the firewall holds, but if a hacker finds a loophole through it, they become critical.

Give the scanner everything it needs. Some people think that remote scanning, in which the scanner imitates an attack over the network, is the most effective. It is, but it raises a question: how long will it take to check the strength of the account passwords over the network? A long time. And checks such as registry and file-system scans become impossible remotely. This is why local scanning may be more productive and reliable.

In remote scanning, the scanner only attempts to get into the system from outside. This type of analysis evaluates the server's ability to withstand outside attacks. But statistically, most break-ins are inside jobs (carried out by disgruntled employees or simply unscrupulous users) by a perpetrator who already has some access rights but enlarges them and reaches off-limit areas. Hackers can likewise obtain an account with minimal access rights and then raise them by exploiting vulnerabilities in the way access rights are assigned. Consequently, you should apply both remote scanning, to detect loopholes that can be used to enter the system, and local scanning, to detect configuration errors that can be used to expand access privileges.

Automatic scanners check not only programs for vulnerabilities but also accounts for password strength. The scanner contains a database of the most commonly used account names and passwords and tries them to enter the system. If an attempt succeeds, the utility informs the administrator that the password in use is too easy. Such passwords must be changed, because hackers use the same method and will learn the account parameters with equal ease.
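The local-scan form of this check, as an added example that is not from the book: with access to the password database, the same dictionary can be tried offline against every account at once, with no network round trips. The credential list, the variations on the user name, and the PBKDF2 hashing are assumptions made for this example; a real system stores hashes in its own crypt format, and a real scanner's dictionary holds thousands of entries.

```python
import hashlib
import hmac
import os

# Constructed dictionary standing in for the scanner's built-in list of
# vendor defaults and frequently used passwords.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"), ("admin", "password"), ("root", "toor"),
    ("guest", "guest"), ("test", "test"), ("ftp", "ftp"),
]
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]


def hash_password(password, salt, rounds=10_000):
    """Assumed storage scheme for this example: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def candidates_for(username):
    """Guesses a scanner would try for one account, in a sensible order:
    vendor defaults for that name, globally common passwords, and then
    simple variations on the user name itself."""
    yield from (p for u, p in DEFAULT_CREDENTIALS if u == username)
    yield from COMMON_PASSWORDS
    base = username.lower()
    yield from (base, base.capitalize(), base + "1", base + "123", base[::-1])


def audit_accounts(accounts):
    """accounts: iterable of (username, salt, stored_hash).
    Returns {username: guessed_password} for every account the dictionary
    breaks; those passwords must be changed."""
    weak = {}
    for username, salt, stored in accounts:
        tried = set()
        for guess in candidates_for(username):
            if guess in tried:
                continue
            tried.add(guess)
            if hmac.compare_digest(hash_password(guess, salt), stored):
                weak[username] = guess
                break
    return weak


def make_account(username, password):
    """Build a constructed password-database row for the demonstration."""
    salt = os.urandom(16)
    return (username, salt, hash_password(password, salt))


if __name__ == "__main__":
    sample = [
        make_account("admin", "admin"),                          # vendor default
        make_account("alice", "alice123"),                       # name plus digits
        make_account("bob", "correct horse battery staple"),     # survives the check
    ]
    print(audit_accounts(sample))
```

Only the first match per account is reported, since the point of the check is to flag the account, not to enumerate every guess that works; in a real audit the candidate generator is where most of the value lies, so extend it with the site's own naming conventions and previously leaked passwords.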

Both hackers and administrators use security analyzers. Hackers use them to find vulnerabilities they can exploit to penetrate the system; administrators use them to close those same vulnerabilities. If you are an administrator, your task is to find and patch the vulnerabilities before they are found and used by hackers.

Later I will consider manual system-security checking techniques and the utilities used for them. Which of the available security techniques and utilities should you use? As I already said, as many as possible. Check your system in as many different ways as you can; using only one method, you run the risk of missing a potential vulnerability that hackers will use to break into your system.



Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141
