May 30, 2003
In This Issue
Tech Talk

Non-Intrusive Vulnerability Detection

The Internet at large has witnessed an uneasy calm over the past three months. Although a number of very serious security vulnerabilities have been discovered, there have been no catastrophic worms or attack storms. Perhaps the computer security old-timers can "feel it in their bones", as the figurative barometric pressure drops and the likelihood of an upcoming storm increases. Whatever the case may be, all security professionals are now feeling increased pressure to protect more machines, more thoroughly, and more quickly than ever before. With the frequency and volume of threats on the rise, the fair-weather days of occasional attention to vulnerabilities are drawing to a close.

Fortunately, vulnerability assessment has adapted to follow suit. Security professionals can now scan their networks essentially in real time for new vulnerabilities as they are discovered, and resolve them well in advance of the threats that exploit them. In a sense, there exists a much more sophisticated way of boarding up your Windows.

Vulnerability assessment – which involves testing each device on a network for known bugs or misconfigurations that could allow it to be the victim, or unwitting accomplice, in an attack – in fact originated as a collection of weakened attacks that administrators could perform to test the security of their networks. The idea was that, if the "low dosage" version of the attack could not succeed (often evidenced by whether or not the machine was disrupted following the test), then neither would the full-strength version that could otherwise be used to gain control. Many vulnerability assessment tools and solutions adopted this approach, finding it straightforward and easy to implement with many sample attacks readily available. The downside, however, was that this type of "intrusive" scanning could cause serious disruptions. The test attacks were, after all, still attacks, and were therefore not suitable to perform very often or during business hours.

As the size of networks and the importance of uptime both began to increase tremendously, the concept of non-intrusive scanning grew with them. Now vulnerability scanning is reaching the point where it must be performed as routinely as virus scanning, and non-intrusiveness is becoming compulsory.

Looking back, the need for non-intrusive scanning seems obvious, so why is it an evolution – rather than a standard – of the original vulnerability assessment paradigm? Most likely, the answer would be that the technology used in scanning non-intrusively represents a shift in thinking from the previous "attack" methodology for the engineers who design the solution. Non-intrusiveness places a premium on keeping the network completely intact, gathering information to ascertain the presence of a vulnerability while avoiding behavior that might have adverse side effects for the host – analogous to the difference between an MRI and exploratory surgery.

In order to construct a non-intrusive test (commonly referred to as an audit), an engineer typically searches for discrepancies between vulnerable and patched instances of the software that can be consistently reproduced. After this, the engineer must find a way to automate the process so that the vulnerability scanner can perform it reliably.

Accomplishing this feat often requires a lot of resourcefulness on the engineer's part, since the audit must never crash or even significantly impact any version of the software, and it must avoid heavy network traffic and intensive computation. If an attack can be performed without disrupting the target machine – for instance, in cases where the vulnerability involves inappropriate access to certain information – then a non-intrusive vulnerability scanner might attempt the attack directly; if not, the engineer may need to resort to any number of techniques in order to infer the presence or absence of the vulnerability.

Sometimes the best way is simply to check the version reported by the software itself (its "banner"); other times, attack behavior can be emulated almost exactly, with just enough of a difference to get an idiosyncrasy to show without disrupting the software at all. Even methods as unconventional as invoking separate functionality that was silently changed by a patch may need to be considered, and these and other techniques may have to be dynamically combined based on the conditions present at the time of the scan. Engineering an audit that meets these standards can be a very painstaking project, but considering its importance to the people who depend on it to defend their networks, the effort is more than justified.
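As an added illustration (example code, not eEye's or Retina's audit logic), the following Python sketches the two audit techniques just described: a banner version check and a fall-back on a second, benign indicator of patched behaviour. The product name "ExampleHTTPd", its fixed version 2.4.0, and all banner strings are constructed placeholders.

```python
import re
from typing import Optional, Tuple

# Hypothetical product used for illustration only: "ExampleHTTPd", with the fix
# assumed to ship in version 2.4.0 (placeholder, not a real product or advisory).
AUDITED_PRODUCT = "ExampleHTTPd"
FIXED_VERSION = (2, 4, 0)

# Matches a Server header such as "Server: ExampleHTTPd/2.3.1 (Unix)"
BANNER_RE = re.compile(r"^Server:\s*([A-Za-z][\w.-]*?)/(\d+(?:\.\d+)*)\b", re.IGNORECASE)


def parse_banner(banner: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (product, version tuple) from a banner line, or None if unreadable."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def compare_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Three-way numeric compare with zero padding, so that 2.4 == 2.4.0 and 2.10 > 2.4."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def audit_banner(banner: str) -> str:
    """Banner-only audit. An unreadable or missing banner is UNKNOWN, never guessed."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "UNKNOWN"
    product, version = parsed
    if product.lower() != AUDITED_PRODUCT.lower():
        return "NOT_APPLICABLE"
    return "VULNERABLE" if compare_versions(version, FIXED_VERSION) < 0 else "PATCHED"


def audit_host(banner: str, patch_marker: Optional[bool] = None) -> str:
    """Combine the banner with an optional benign behavioural indicator.

    patch_marker models the outcome of a harmless probe for functionality the patch
    changed: True = patched behaviour seen, False = unpatched behaviour seen, None =
    probe not run or inconclusive. Observed behaviour outranks the self-reported
    version (a backported fix may leave the banner unchanged); with neither, the
    verdict stays UNKNOWN rather than escalating to a disruptive test.
    """
    verdict = audit_banner(banner)
    if verdict == "NOT_APPLICABLE" or patch_marker is None:
        return verdict
    return "PATCHED" if patch_marker else "VULNERABLE"
```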

It is the level of sophistication described above that marks non-intrusive scanning as an advancement of vulnerability assessment technology, allowing it to keep pace with the complex task of securing a network and the evolving threats that shape it. Non-intrusive vulnerability assessment helps prevent – and not present – more threats to the network through frequent and benign scanning, a vital part of both thwarting the small attacks, and weathering the big ones to come.

Derek Soeder
eEye Engineering

News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.

AP: U.S. Government to Get Cybersecurity Chief
"The Bush administration plans to appoint a new cybersecurity chief for the government inside the Homeland Security Department, replacing a position once held by a special adviser to the president. Industry leaders worry the new post won't be powerful enough." Full Article

Federal Computing Week: Security Spending Forecast: $6B
"By 2008, the federal government will spend almost $6 billion annually on information security, an increase of about 43 percent over 2003's $4.2 billion." Full Article

eWeek: Beware E-mail Bank Scams
"What you should know about e-mail scam that attempts to dupe users into divulging bank account information and other personal data." Full Article

Reader Q&A

Q: In my network, machines change IPs frequently. If I want to monitor certain machines using Iris Network Traffic Analyzer, how can I attach names to machines that will not change when the IP changes?

A: You can use Iris' address book auto-discovery option to do a sweep of the internal network. After all information is gathered, you can edit hosts of interest by removing the IP value and adding friendly names. After this, Iris will use the MAC address to tag hosts. If after the discovery phase you notice that some hosts do not have a MAC alias, you can edit the [MAC VENDOR CODE] section in the proto.dat file to add a vendor code.

Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements

New Vulnerabilities Found in Microsoft Windows Media Services
A flaw was detected this past week in the ISAPI extension for Microsoft Windows Media Services. Although Microsoft has incorrectly listed the vulnerability as a denial of service (DoS) issue, eEye Digital Security has notified Microsoft that the vulnerability is actually a serious buffer overflow. Full Article

Enterprise Web Protection Solution for Microsoft Servers
eEye introduces a sophisticated enterprise web protection management solution that enables large distributed organizations to have centralized control of the web server threat management process. This solution is based on eEye's award-winning IIS web protection technology, SecureIIS™ Web Server Protection, and leverages the power of REM™, eEye's security events management console. Full Article

One-Click 'SANS/FBI Top 20' Policy Available in Retina®
eEye's Retina® Network Security Scanner has been augmented with a single-selection option that performs a network audit based on the SANS/FBI Top 20 vulnerabilities. The new policy enables Retina users to quickly and accurately detect and resolve the most critical security issues within their network without the need for extensive configuration. Full Article

Etcetera

Microsoft Releases a Solution for Securing Wireless LANs
This reference implementation is derived from Microsoft's own use of PKI for securing the WLAN for its 55,000 employees, and best practices learned while aiding customers with their own secure WLANs. More

Internet Hacker Wanted in US Arrested in Thailand
A Ukrainian man wanted in the United States for large-scale Internet fraud and causing more than $100 million in business losses has been arrested in Thailand. More

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.