Thu, 17 Mar 2011

ITWeb Security Summit

The ITWeb Security Summit is creeping up on us again and will be happening on the 10-11th of May. This year ITWeb went with something slightly different, and are asking for people to suggest who they'd like to see on day 2. These suggestions will then be voted on. So, if there's someone you're dying to see present or a topic you really want someone to spend some time researching, head over to their community portal and write it down.

Wed, 9 Mar 2011

You got to want it bad

In the movie "The American President", the statement is made that America has advanced citizenship and that "you gotta want it bad, because it will put up a fight". The same can be said for vulnerability management. It is never a completed exercise or a process where the status quo can be maintained quite easily, especially in a distributed enterprise environment. The reason: change.

SensePost recognised early on that just having an accurate vulnerability scanner isn't good enough to ensure continuous and less arduous vulnerability management. There needs to be workflow and efficiency built into such a scanner. Hence our HackRack and, more recently, our BroadView managed vulnerability scanning offerings.

But, no matter how good a scanner is or how well the workflow has been designed, there is still a very large amount of manual analysis required.

For example:

In BroadView, when viewing scan results, by default the Medium, High and Critical findings are shown. Fab and groovy. But, should one just stop there? The Low and Info findings can be as interesting as the rest. For example, a client of ours that usually has a handle on things had an informational finding about virtual directories being guessable on one of their web servers: the directories "/testing" and "/test" were identified. This "/testing" directory turned out to contain the beta version of a new e-commerce web application and, even though reasonable security was in place, a blind SQL injection test showed us they were developing on live data. Just like that, an informational finding became a critical finding. If we had been focused on CVSS scores and risk impact only, this finding would have been flying under the radar.

What we saw on BroadView:

Vulnerability management is not easy. It will put up a fight; be that in the form of stubborn sysadmins not closing the holes or developers taking chances with release candidates and beta products. The vulnerability manager has to be on his/her toes and perform constant scanning and prodding. Vulnerability scanner results should never be taken at face value, and the associations between findings should be understood.

It is wise to keep in mind that vulnerability management is cyclic and repetitive. And as Dr Ruth always used to say: "Once, is not enough". You cannot scan once, find nothing, and sit back and relax. You may just miss your /testing directory.

For our BroadView customers we have added a couple of new blizzards to enhance the process of monitoring results.

  • Missing Microsoft Patches (Operating System category)
  • Guessable Virtual Directories (Web Application category)
  • Open jBoss Consoles (Web Application category)

Blizzards are widgets (iGoogle style) of information queried from the vulnerability database in BroadView that provide users with a looking-glass view of their environment. Under normal circumstances one would have had to go grep or search for very specific vulnerability IDs. With the blizzards, that cumbersome task has been removed.

The Missing Microsoft Patches blizzard combines all the possible patches that could be missing, and this is especially necessary where Internet-facing targets are scanned. Murphy's Law usually applies where patches and Internet-facing devices are concerned: that one patch that can result in pwnage is normally the one missing.

The output from the Missing Microsoft Patches blizzard would typically consist of IP:Value lines.

The jBoss Console blizzard was created after we realised it is becoming more and more prevalent for consoles to be found open during assessments and vulnerability scanning.

Having access to world class pen-testers really does give the vulnerability management team a good insight into which vulnerabilities can actually lead to system compromise.

Happy scanning

Wed, 2 Mar 2011

To understand the battlefield, you need a broad view

It is always a little bemusing to hear that we only provide pentests. Since 2001, SensePost has offered a very comprehensive vulnerability management service that has evolved through multiple generations of technologies and methodologies into a service we're very proud of. The Managed Vulnerability Scanning ("MVS") service makes use of our purpose-built BroadView scanning technology to scan a number of high profile South African and European clients. More information can be found here, but the purpose of this post is to introduce it with a basic overview of its deployment.

To give you a better understanding of our coverage, below are a number of statistics from our scanning database.

Number of scans per week: 935 average per week

Number of findings stored: 3 795 963

Number of collected attribute instances: 1 274 016

Number of unique IPs listed as targets: 24723

Number of unique IPs with issues: 4931

However, the stats are not the interesting bit. BroadView goes further than simply storing open issues; it also tags interesting characteristics of the targets using 'attributes', which are pieces of information associated with a finding but are not necessarily a result. It is possible to query these attributes and tie them back to hosts; this enables you to search across all hosts for matching attributes. The most used attributes are:

  • TCP Banners
  • Operating System Value
  • Hosts Accessible (True/False)
  • SMTP Relaying Allowed (True/False)
  • SMB Directories
  • CMS Type

With all these attributes, one can perform intelligent scanning or reporting. For example, target all Windows devices with an open port 80 and running IIS5, or show a list of all open relays on our domain, or keep an updated list that shows all BIND servers that still require the recent DoS patch. This can be very useful, especially when setting up targeted scans or for network/patch management. Effectively, the attributes allow you to utilize BroadView as a network service monitoring device rather than just a vulnerability scanner. BroadView makes use of a dashboard to display blizzards (widgets with specific data sets); the data source for the blizzards is anything we can pull from the vulnerability and attribute database, displayed as a list or graph. For this purpose we have specific widgets that can show you in an instant the open ports across your network, or sensitive open ports such as database services or phpmywebadmin instances.
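To make the attribute-query idea above, and the IP:Value blizzard output from the previous post, concrete, here is an added example that is not BroadView's own code. It assumes a hypothetical single SQLite table of (ip, attribute name, value) rows and constructed sample data; the joins and groupings are the shape of the "Windows + port 80 + IIS5", "open relays" and "Apache vs IIS" queries the post describes.

```python
import sqlite3

# Constructed sample attribute rows (ip, attribute name, value); not real BroadView data.
SAMPLE_ATTRIBUTES = [
    ("192.0.2.10", "Operating System Value", "Windows Server 2003"),
    ("192.0.2.10", "TCP Banner:80", "Microsoft-IIS/5.0"),
    ("192.0.2.10", "SMTP Relaying Allowed", "True"),
    ("192.0.2.11", "Operating System Value", "Linux"),
    ("192.0.2.11", "TCP Banner:80", "Apache/2.2.3"),
    ("192.0.2.12", "Operating System Value", "Windows Server 2008"),
    ("192.0.2.12", "TCP Banner:80", "Microsoft-IIS/7.0"),
    ("192.0.2.12", "SMTP Relaying Allowed", "False"),
    ("192.0.2.13", "Operating System Value", "Windows Server 2003"),
    ("192.0.2.13", "TCP Banner:80", "Microsoft-IIS/5.0"),
    ("192.0.2.13", "Guessable Virtual Directory", "/testing"),
    ("192.0.2.13", "Guessable Virtual Directory", "/test"),
]

def build_db(rows=SAMPLE_ATTRIBUTES):
    # Hypothetical schema: one attribute instance per row, tied to a host by ip.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE attribute (ip TEXT, name TEXT, value TEXT)")
    con.executemany("INSERT INTO attribute VALUES (?, ?, ?)", rows)
    return con

def windows_iis5_hosts(con):
    """Hosts tagged as Windows whose port-80 banner is IIS 5: two attributes joined on ip."""
    sql = """SELECT DISTINCT os.ip FROM attribute AS os
             JOIN attribute AS web ON web.ip = os.ip
             WHERE os.name = 'Operating System Value' AND os.value LIKE 'Windows%'
               AND web.name = 'TCP Banner:80' AND web.value LIKE 'Microsoft-IIS/5.%'
             ORDER BY os.ip"""
    return [row[0] for row in con.execute(sql)]

def open_relays(con):
    """Every host whose SMTP relaying attribute is True."""
    sql = "SELECT ip FROM attribute WHERE name = 'SMTP Relaying Allowed' AND value = 'True' ORDER BY ip"
    return [row[0] for row in con.execute(sql)]

def blizzard(con, attribute_name):
    """One IP:Value line per match, the output shape the post describes for a blizzard."""
    sql = "SELECT ip, value FROM attribute WHERE name = ? ORDER BY ip, value"
    return [f"{ip}:{value}" for ip, value in con.execute(sql, (attribute_name,))]

def webserver_breakdown(con):
    """Count port-80 hosts per product family, like the Apache/IIS breakdown in the post."""
    sql = """SELECT CASE WHEN value LIKE 'Apache%' THEN 'Apache'
                         WHEN value LIKE 'Microsoft-IIS%' THEN 'IIS' ELSE 'Other' END AS family,
                    COUNT(DISTINCT ip)
             FROM attribute WHERE name = 'TCP Banner:80' GROUP BY family ORDER BY family"""
    return dict(con.execute(sql).fetchall())
```

Because every query runs over the same attribute table, a new blizzard is just another query rather than a grep through raw scanner output.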

So, we have loads of data and it makes for interesting analysis.

For example:

The number of targets with potential webservers: 918

And breaking it down further:

  • Apache = 186
  • IIS = 303

The number of targets inviting worm trouble (port 139 open to the Internet):

The top 3 SSL certificate issuers used:

  • Entrust - 230
  • VeriSign - 159
  • Thawte - 47

And many more.

Next time, more about the dashboard and the blizzards.