vulnerability assessment
Does anyone have any suggestions as to what I can look for in regards for vulnerability assessment tests for our network? We are a smaller company and have only a handfull of servers and about 30 workstations.
It doesn't matter what tools. Whether it's free or not anything would help. Thanks!
It doesn't matter what tools. Whether it's free or not anything would help. Thanks!
Comments
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□http://www.remote-exploit.org/backtrack.html
That's probably going to have most, if not everything, you'll need, but you'll need to know what you're doing. -
sexion8 Member Posts: 242Zoomer wrote:Does anyone have any suggestions as to what I can look for in regards for vulnerability assessment tests for our network? We are a smaller company and have only a handfull of servers and about 30 workstations.
It doesn't matter what tools. Whether it's free or not anything would help. Thanks!
I think you're going about it the wrong way. Running a tool and looking for an exploit does not make for a successful vulnerability assessment. There are more variables involved with actually penetrating then a tool is going to highlight. A tool is solely a single step into gaining access into a machine, there are other methods which are sometimes easier to address a compromise for example brute forcing a sign in.
There are going to be few tools to address this and most will overlook something as simple as this. Instead, they'll run every "vulnerability" scanner on the market but they'll often be confused with the term "vulnerability scanner" and "network scanner". Most swear that running Nessus, NMAP, will give you some indication of your problem, you'll patch that problem and voila - Instamagically Secured!". This is not the case.
For every protocol there are different tools, for example, HP Webinspect, W3AF, Cenzic Hailstorm, Retina (web application version), Core Impact which do wonders on the web application side of things (usually layers 5-7 of the OSI) however, they do little on the lower layers. For those, NMAP, Scanrand, etc., work wonders. Now there are host level scans... Meaning local on the machine... Folks over at CISecurity.org threw together some baselines which work fine provided the person running them has a clue or two...
So address the initial problem first then go from there for example:
We'd like to address some servers that are publicly available running IIS, Exchange.
From here you could associate tools such as W3AF, Wikto for Web application testing, Hydra for Brute force checking, NMAP for open ports, CISecurity's benchmarking tool, etc. Depending on tools will do nothing if you don't use the right tools or strictly place all your confidence on tools which you really won't understand.
http://cisecurity.org/cistoolmembers.html
http://www.sensepost.com/research/wikto/
http://w3af.sourceforge.net/
Outside of these, (Nessus, NMAP was mentioned already), it helps to have proactive monitoring. For this I recommend OSSIM http://www.ossim.net/ I've got an extremely modified version to do weekly full blown penetration testing using the above mentioned tools as well as a Core Impact add on. I took the entire software and made it both an IDS and EDS (Extrusion Detection System). Any kind of anomalies in or out and we'll know about them. This helps in determining if anything rogue or suspect somehow slipped in since we've now determined that rogue stuff is leaving. Anyhow, re-write your initial question and think about it logically, what are you trying to protect, audit, etc., would make no sense to run Nessus or NMAP on a machine not publicly networked (to a degree) if you're worried whether someone online will see your DCOM information."Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius -
sexion8 Member Posts: 242Zoomer wrote:Does anyone have any suggestions as to what I can look for in regards for vulnerability assessment tests for our network? We are a smaller company and have only a handfull of servers and about 30 workstations.
It doesn't matter what tools. Whether it's free or not anything would help. Thanks!
Furthermore... Let's take a higher level approach to this a-la CISM/CISSP style:
Vulnerability Assessment and Controls Evaluation: Systematic examination of a critical infrastructure, the interconnected systems on which it relies, its information, or product to determine the adequacy of security measures, identify security deficiencies, evaluate security alternatives, and verify the adequacy of such measures after implementation.
My inference is not to solely run a vulnerability scanner on the systems and call it a day. I'd like to be able to create RBACL's (role based access control lists) to ensure that even if someone were able to access a machine, they'd solely be able to access specific files in tune with their specific roles. For example, my database engineers and administrators should not be able to modify say the webserver attributes, this is the role of the webserver admin. They should not be able to chmod, chown, chattr, delete, replace something they have no permission for.
A huge problem with people doing vulnerability assessments, is they often get things wrong from the beginning. Depending on a tool will give you a false sense of security at the end of the day. Start at the top down, its the best method to approach true verifiable implementations of assessed risks. Again, you find a vulnerability, or what you perceive to be one, are you sure it's not a false positive? Are you sure you're not wasting valuable resources (time = money) chasing ghosts... Are you sure even the measures you implemented AFTER the fact were successful?"Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius -
Silentsoul Member Posts: 260I recommend the metasploit project. But i will warn you, if you have any kind of IDS the alarms will start going off ass soon as you start your exploit attacks. If your IDS is setup correctly that is.