Vulnerability Management
To understand the battlefield, you need a broad view
It is always a little bemusing to hear that we only provide pentests. Since 2001, SensePost has offered a very comprehensible vulnerability management service that’s evolved through multiple generations of technologies and methodologies into a service we’re very proud of. The Managed Vulnerability Scanning (“MVS”) service makes use of our purpose-built BroadView scanning technology to scan a number of high profile South African and European clients. More information can be found here, but the purpose of this post is to introduce it with a basic overview of its deployment.
The Yeti is here
After several months of dedicated … uh dedication, our new network footprinting tool is being made available to the masses.
It’s called Yeti and it is a cross-platform, Java application. It’s predecessor, BidiBlah, was only available on Windows platforms and hopefully with Yeti we can now offer Internet intelligence gathering to everyone.
So what does Yeti do:
Top level domain expansion (tld expand) Forward lookups (mx,ns,a,cname and zone transfers) Reverse lookups (ptr records) Cert Extraction (getting the common name, and domain from ssl certificates) Bing IP/Site searches Report exports to xls format We invite you all to visit the Yeti community blog and to participate in either testing the tool or just to add comments. Usage instructions can be found on the spyeti blogspot.
HTTP Methods per Directory
A very common finding in our day to day vulnerability management endevours is the HTTP Methods Per Directory.
In its most basic form, HackRack will determine which HTTP methods are allowed on various web or CGI directories by calling the OPTIONS methods per directory. On its own it is not always significant but as soon as you have directories that allow for PUT or DELETE, and weak directory permissions are in place, the picture can become much more colourful.
I know what your cert did last summer
Most of our clients that make use of our vulnerability management service, HackRack, manage a large and usually interactive web application environment, that makes use of SSL. HackRack would then often report on findings such as weak cyphers in use (critical if the client has to adhere to PCI DSS), mismatching cert names and domain names, and then expired certs.
Now, this is easy to check and re-check when you have a couple of single hosts and openssl foo. But, a couple of hundred sites and things get interesting and time consuming.
BroadView V4 Attributes
Following on from Evert’s posting about the new BroadView v4, I’d like to showcase a specific aspect of BV that we’ve found useful, namely Attributes. These are small pieces of data collected and maintained for each host scanned by BV including somewhat mundane bits of info like IP address and OS but, they also include some really tasty morsels about remote hosts that are scanned. Attributes are collected on a per-scan-per-host basis, and are populated by each test that runs during the scan. Since attribute population is dependent on the selected tests, the set of Attributes available to you would vary according to you configuration.
BroadView – coming of age
Ever since Ron Gula’s RiskyBusiness talk #142 about their Nessus philosophy, I decided to come out of the closet and share with our readers the work we do in the vulnerability management field. [Ed: If you don’t listen to Risky Business then, as we say in South Africa, eish.] Ron explained that with Nessus they aim to give users a tool that can be used for monitoring and auditing – not enforcing. The “sed quis custodiet ipsos custodes” mantra comes to mind. For 9 years now we have been building two vulnerability management solutions named HackRack (for hosted, external scanning) and BroadView (for internal scanning) and it was especially HackRack that has claimed the limelight. The runt of the litter has always been BroadView, but alas (luckily?), no more.
Open Patch Management Survey
Rich Mogull (who’s stuff I really quite dig) has launched an ‘Open Patch Management Survey’ via the SecurityMetrics blog. Its an interesting idea, and they plan to release both their analysis *and* the raw data, which might be really insightful for our VMS stuff.
Corporations can take the SurveyMonkey survey at http://www.surveymonkey.com/s.aspx?sm=SjehgbiAl3mR_2b1gauMibQw_3d_3d, and there’s some nice material already available at http://securosis.com/projectquant.
Here’s the rest of Rich’s message (pls forgive the cross-post):
Our goal here is to gain an understanding of what people are really doing with regards to patch management, to better align the metrics model with real practices. We’re doing something different with this survey. All the results will be made public. We don’t mean the summary results, but the raw data (minus any private or identifiable information that could reveal the source person or organization). Once we hit 100 responses we will release the data in spreadsheet formats. Then, either every week or for every 100 additional responses, we will release updated data. We don’t plan on closing this for quite some time, but as with most surveys we expect an initial rush of responses and want to get the data out there quickly. As with all our material, the results will be licensed under Creative Commons.
The power of data
We recently introduced some neat blizzards onto a PoC Broadview client.
On tha back of Conficker, our Broadview Dashboard sports a couple of instantly available blizzards that show:
1. How many machines, on all scans for the last 10 days, have patch MS08-067 missing
2. How many machines do not have SMS Agents, EPO Agents or Any AV installed
3. And without too much hassle one can quickly see where machines with MS08-067 missing also do not have EPO Agents, SMS agents or any AV installed. (enlarge image to see why)
Turn of the century deja vu?
The recent widespread carnage caused by the Conficker worm is astounding, but is also comforting, in a strange way.
It has been a good few years since the world saw a worm outbreak of this magnitude. Indeed, since the Code Red, Slammer and Blaster days, things have been fairly quiet on the Interwebs front.
As a community, it seems we very quickly forgot the pains caused by these collective strains of evil. Many people proclaimed the end of issues of that particular bent, whether it be as a result of prolific post-worm hastily induced reaction buying of preventative technologies and their relatives, or whether more faith was placed in software vendors preventing easily “wormable” holes in their software.
Vulnerability management and the Blogs
Gegroet
just a quick note on VM.
Google is now offering Google Blog Search Beta and I thought it interesting to see who is blogging on vulnerability management.Some of the output includes:
i) “Vulnerability Management” = 6,330 hits
ii) “Vulnerability Management” + Dummies = 314 hits
iii) “Vulnerability Management” + ineffective = 16 hits
iv) “Vulnerability Management” + effective = 314
Probably 90% of all hits came from vendors and it was also evident that they were punting the “successes” of VM, utilising their products and services.
Page 1 of 1