1 / 27

Enhance Network Scanning for Discovering Vulnerabilities Master Thesis by Raymond Cordova

ENSDV. Enhance Network Scanning for Discovering Vulnerabilities Master Thesis by Raymond Cordova. Introduction. Emerging Technology Early-to-market technologies ideal targets for attack Vulnerabilities with wireless and Internet Protocol

durgan
Download Presentation

Enhance Network Scanning for Discovering Vulnerabilities Master Thesis by Raymond Cordova

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ENSDV Enhance Network Scanning for Discovering Vulnerabilities Master Thesis by Raymond Cordova

  2. Introduction • Emerging Technology • Early-to-market technologies ideal targets for attack • Vulnerabilities with wireless and Internet Protocol • Tenable Nessus scanner - de-facto industry scanner [7] • Design and Implementation of an Enhanced Network Scanner • Performance Analysis of ENSDV • Lessons Learnt and Future Directions • Conclusion ENSDV / Cordova

  3. Emerging Technology • NIST 800-82 Guide to Industrial Control Systems Security (ICS) [9] • Emerging Technology integrates wireless and Internet with ICS infrastructure • Integration introduces all the vulnerabilities and problems of Wireless and the Internet Protocol into ICS [6] [10] • Manual vulnerability discovery impossible ENSDV / Cordova

  4. Vulnerabilities • Common Vulnerability Exploits (CVE) [1] • Several production meters identified as vulnerable ignored and used in production[6] • $8.1 billion stimulus to secure the Smart Grid [8] • many vulnerabilities ignored • TI’s encryption bug in CC2430 u-controller • Regulation, Management and Guidelines • reduces the risk to Smart Grids ENSDV / Cordova

  5. Industrial Control Systems Adapted from Juniper Network White Paper on ICS 2009 ENSDV / Cordova

  6. Secure the Smart Grid Adapted from Global Smart Energy 2009 Smart Meter Implementation Percentages by Country [3] ENSDV / Cordova

  7. Nessus Vulnerability Scanner • Automatic scanning solution approved by NERC CIP for use with SCADA, AMI/AMR [7] • Vulnerability scanning relies on signatures of “known bad things” • Compliance checks compare a system against the “known good” • Flexible, reliable, robust, open source, customizable, automatic, GUI, CLI, option for safe checks/scans and still it is inadequate • Customize plug-ins to enhance operation to resolve inadequacy ENSDV / Cordova

  8. Prototype – Difficulties Encountered • First attempted to procure meters and collection points • Cost prohibitive, proprietary constraints, minimal support • Inaccessible SCADA systems – focus on Servers/Workstations that control ICS, Smart Grids, LANs, WANs, Enterprise Systems • No Access to Nessus ProFeed scanner and SCADA plug-ins • Nessus Attack Script Language (NASL) [2] • new attack language to learn • Full functionality disabled in trial versions of HomeFeed • “buggy” when creating plug-ins ENSDV / Cordova

  9. Prototype – Difficulties Encountered, cont’d • Request made for a full version of Nessus ProFeed • Unreadable SCADA plug-ins pre-compiled as .nbin binary files • Create VM environment with Fedora 12, and XP un-patched • Create custom plug-ins • 0-day vulnerability plug-in • audit scripts [4] [5] ENSDV / Cordova

  10. Nessus Scanner • Centralized automatic scanning tool for most Operating Systems • Vulnerability scanning and Compliance checking • local or remote • Server/Client with GUI or CLI • Nessus Knowledgebase • designed with the idea to use results of scripts in other scans • Script Methodology -> write custom script • execute only if necessary • use other script results by use of dependency statements • share by saving to KB, upload report results, plug-ins • Plug-in is written and scans for only one vulnerability at a time ENSDV / Cordova

  11. Methodology • Select the target and develop a baseline “gold” standard • Perform baseline scan and patch as necessary • Develop an enhanced plug-in for any newly indentified vulnerability and compliance check • Test plug-ins on prototype, lab, or test equipment • Compare baseline and subsequent scans • Repeat process at scheduled intervals per policy ENSDV / Cordova

  12. Prototype Layout ENSDV / Cordova

  13. Vulnerability Script Structure Header Section include scripts to be used with nessusd “compat.inc” Description Section register information “script_name(english:" iepeers.dll 0-day vulnerability …“ Attack Section Script code functions port = get_kb_item("Services/ssh"); if(!port)port = 22; ENSDV / Cordova

  14. iepeers_dll_0day.nasl Code excerpts . . . include("compat.inc"); if (description) { script_id(50003); . . . script_name(english:" iepeers.dll 0-day vulnerability in Internet Explorer versions 6 or 7 "); script_summary(english:"Checks Internet Explorer version for 0-day free-after-use vulnerability."); … script_set_attribute(attribute:"risk_factor", value: "Medium"); . . . script_family(english:"Windows"); . . . script_dependencies("smb_hotfixes.nasl"); . . . script_require_ports(139, 445); } Header Description Attack Script ENSDV / Cordova

  15. Nessus Vulnerability Enhanced Scan Result, cont’d Recommended Solution ENSDV / Cordova

  16. Audit File Script Structure Check Type Section Define type of check and plugin version <check_type: “Unix”> … </check_type> Custom Item Section Custom script contents <custom_item> type:FILE_CONTENT_CHECK … expect:"PermitRootLogin no" </custom_item> ENSDV / Cordova

  17. FC12 Audit File Script Check Type • <check_type:"Unix> • <custom_item> • type:FILE_CONTENT_CHECK • description:"Check if PermitRootLogin is set to no and not commented for server." • file:"/etc/ssh/sshd_config" • regex:"^ *[^#]*PermitRootLogin *" • expect:"PermitRootLogin no" • </custom_item> • </check_type> Custom Item Closing Tags ENSDV / Cordova

  18. Nessus Audit Enhanced Scan Result, cont’d ENSDV / Cordova

  19. Non-Credential Scan Results of ISSG lab subnets 60 and 62 6 out of 31 High Risk Problems Found ENSDV / Cordova

  20. Credential Scan Results of ISSG lab subnets 60 and 62 19 out of 34 High Risk Problems Found ENSDV / Cordova

  21. Performance Results ENSDV / Cordova Non-Credential Scan Credential Scan

  22. Lessons Learnt • SCADA network testing not possible • Nessus Scanner de-facto standard • inadequate • NASL new language learned • time consuming tests • unforgiving syntax • Methodology shifted to consider sharing with Nessus community users for greater contribution • Credential scans take longer but are more comprehensive ENSDV / Cordova

  23. Future Work • Continue meaningful research in a lab setup of MPS2530 development kit controllers with Nessus • Research compiler and interpreter for .nbinscript development for Smart Grid applications • Audit file and C+ integration for automatic update • Create custom plug-ins to check the ZigBee stack • Pseudo Random Number Generator (PRNG) • versions earlier than 2.3 exhibit this vulnerability • Extend audit files for OS specific registry keys and files • System alert if plug-in is removed from directory ENSDV / Cordova

  24. Conclusion • Provided a survey of emerging technology • Developed methodology to enhance network scans • Created plug-ins to enhance the network scanner • Applied scans to ISSG lab • Detected many “bugs” in a mix of hardware and OS’s • BO’s, Remote Root Login, Telnet and SSH • Spent 9 months working on research and experiments ENSDV / Cordova

  25. References [1] Common Vulnerabilities and Exposures (CVE) http://www-arc.com/sara/cve/cve.html [2] Deraison, Renaud, Reference Manual for Nessus Attack Scripting Language, Version 1.4.0, Manual at website at http://www.virtualblueness.net/nasl.html [3] Global Smart Energy White Paper at Website :http://www.smartgridnews.com/artman/uploads/1/Berst_NGA_Feb_2009. [4] Information on 0-day vulnerability discovered in the wild March 2010. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806 [5] Information on 0-day vulnerability discovered in the wild March 2010. http://secunia.com/advisories/cve_reference/CVE-2010-0806/ [6] Journal of Energy Security, Making a Secure Smart Grid a Reality, Sub-paragraph, Weaknesses in the Smart Grid, p. 3-7, October 2009. http://www.ensec.org/index.php?option= com_content&view=article&id= 218:making-a-secure-smart-grid-a-reality&catid=100:issuecontent&Itemid=352 [7] NERC approval of Nessus Scanner http://www.nessus.org/solutions/index.php?view=nerc [8] Smart Grid Stimulus Funding  Revealed!, p.3, October 2009. http://earth2tech.com/2009/10/27/smart-grid-stimulus-funding-revealed/ [9] Stouffer,Keith and Falco, Joe and Scarfone, Karen Final Public Draft, Special Publication 800-82, Recommendations of the National Institute of Standards and Technology, Guide to Industrial Control Systems (ICS) Security http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf [10] Weiss, Joseph, “Current Status of Cyber Security of Control Systems”, Testimony of Joseph M. Weiss Control Systems Cyber Security Expert before the Committee on Commerce, Science, and Transportation U.S. Senate March 19, 2009 ENSDV / Cordova

  26. Questions ? ? ENSDV / Cordova

  27. Nessus Scanner Windows 7 Scan Report • Plug-in output Plug-in Output ENSDV / Cordova

More Related