Educause Security Discussion mailing list archives

Re: Vulnerability Scanning Problem


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 14 Dec 2006 12:06:30 +1300

Hi Curt,

Curt Wilson wrote:
> Thanks for your thoughts Russell. Nessus, Retina, etc. seem useful for
> known vulns in network-facing systems, and this is important. However, I
> am increasingly concerned about client-side vulns, and without
> credentials to a system or an agent how do you easily test for those
> (NAC/agent technologies is one possible solution).

Agreed -- we had different threat scenarios in mind.  Mike Wiseman also
highlights this point about browser based attacks and then there is
social engineering e.g. being duped into downloading fake codecs for a
media player.

I'm guessing that most of us would agree that current anti-virus systems
are now an inadequate defence with the worst threats mutating every day (do
they actually monitor VirusTotal to decide when it's time to release a
new variant?).  We are now reduced to using snort to detect infected
machines connecting to controllers.  Preventing malware from getting
privilege to install a rootkit is *very* important since once the rootkit
is in place your A-V software is useless -- even if it hasn't been
disabled already.
> I don't like the idea of having common authentication credentials on an
> array of systems for deeper host checks by a network assessment service
> (risk of cracking and/or interception),
Many organisations already have AD with domain access to workstations
for remote maintenance.  I really don't see any other way to manage
thousands of machines.  There certainly is potential for abuse but the
alternative of having poorly managed systems seems to be an even greater
risk.

User workstation support at Auckland is done by local faculty groups
and they take different approaches.  I find it very interesting seeing
who has the most problems and correlating it with how they are managing
the workstations.  I am in no doubt that those faculties who have
adopted automated tools (such as SMS or Altiris (sp?) etc) have fewer
'incidents' and get things patched far faster than those who don't.

Having tools that get patches on to systems quickly is probably the best
way to mitigate privilege escalation attacks following client
compromises.  Network scanning can help here too since if you detect
that one recent patch is missing then it is a prompt for the
administrator to check why it is missing and, in fixing it, to make sure
that any other missing patches are applied.

To this end I run nxscan over the whole network twice every week and
every time I pick up a handful of machines: some are new boxes that
have been installed but not patched, some are visitors' laptops, some
are machines that have been sitting in the storeroom for a few months...

We are also playing with NAC in this sphere and we have locally built
client software that we use for network access on student systems which
we plan to roll out to staff next year.  Ideally the commercial NAC and
our local software can be integrated.

I think what I am trying to say is that no single tool cuts it on its
own, but by using a variety of tools and techniques you can provide a
reasonably safe environment for your users.  In some cases we end up
having to do things that offend our sensibilities (I share Curt's
dislike of global credentials) because the alternative is worse.

Russell
