Vulnerability Assessment Using SAINT
Jane Lemmer
Information Security Specialist
World Wide Digital Security, Inc.
lemmerj@wwdsi.com
Outline
• The Problem
• The First Solution
• The Second Solution
• Other Uses for SAINT
• What’s Next
• Conclusions
The Problem
• Large network
  • 7 Class B subnets, over 20 Class C subnets
• No central management
• Some resistance to “outsiders”
• How do we do a vulnerability assessment?
The First Solution
• The Scanning Tool
• The Scanning Method
• Results
• Problems
• Lessons Learned
The First Solution: The Scanning Tool
• Conducted a comparison of several network-based vulnerability assessment tools
  • Internet Security Scanner
  • Kane Security Analyst
  • SATAN
  • Nessus, and a few others
The First Solution: The Scanning Tool
• Chose SATAN, with COAST extensions
  • free
  • fairly easy to use
  • sufficient for providing a first look at overall network vulnerability
The First Solution: The Scanning Method
The First Solution: Results
• Lasted three weeks
• Approximately 20,000 potential hosts interrogated
• Found about 5,000 hosts with services
• Inexpensive (almost automatic)
The First Solution: Problems
• Took almost a month to process the results into a usable format
• Missed many hosts (DHCP, hosts not in DNS, especially Linux boxes)
• Organizational problems (results not getting to the right people)
• Scapegoats for a host of network problems
The First Solution: Lessons Learned
• DNS method is not finding all the hosts
• SATAN is not current
• Report generation takes too long
• We need the following:
  • a new scanning tool
  • a new scanning method
  • a new reporting method
The Second Solution
• The Scanning Tool
• The Scanning Method
• Results
• Problems
• Lessons Learned
The Second Solution: The Scanning Tool
• An updated version of SATAN
• Added many new tests
• Added a new attack level
• Changed how vulnerable services are categorized
• Works in firewalled environments
• Identifies Windows boxes
• Developed extensive tutorials for each vulnerable service
• Developed an in-house tool to help with reports
The Second Solution: The Scanning Tool
• The three “r” services (rlogin, rshell, rexec)
• Vulnerable CGIs
• IMAP vulnerabilities
• SMB open shares
• Back Orifice and NetBus
• ToolTalk
• Vulnerable DNS servers
• rpc.statd service
• UDP echo and/or chargen
• IRC chat relays
The Second Solution: The Scanning Method
The Second Solution: Results
• Lasted two months
• Almost 500,000 potential hosts interrogated
• Found many more hosts
  • approximately 7,000 boxes with services
  • approximately 4,000 boxes with no services
  • almost 8,000 Windows boxes
• More costly (labor intensive)
The Second Solution: Problems
• Scanning takes longer
• Difficult to compare results with previous scan
• Organizational problems (results still not getting to the right people)
• Caused some problems with NT boxes
• Still a scapegoat for network problems
The Second Solution: Lessons Learned
• New method finds more hosts but takes longer
• SAINT needs to be continually updated
• Scanning can help improve the tool
• Still need to work on reporting results
Other Uses for SAINT
• SAINT gathers a lot of information that is not reported
  • used to produce a list of UNIX hosts by OS type
  • used to identify web servers
  • used to identify routers
• Quick scans of a host or subnet
Other Uses for SAINT: Investigating Incidents
What’s Next
• Continue using SAINT for large scans
• Supplement SAINT with more robust tools
• Scans have led to development of an IRT
  • defining policy
  • defining standard security configurations
  • helping users secure hosts
  • developing centralized site for security information
Conclusions
• SAINT is a useful tool for scanning large networks
• Results give a good first look at how vulnerable you are
• SAINT must be continually updated
  • better OS typing
  • better reporting
  • method to compare scan results
Contact Information
• World Wide Digital Security, Inc.
• 11260 Roger Bacon Drive, Suite 400
• Reston, VA 20910 USA
• PHONE: +1 703 742-6604
• FAX: +1 703 742-6605
• http://www.wwdsi.com