Tools For Vulnerability Scanning and Penetration Testing

Transcription

1 Tools For Vulnerability Scanning and Penetration Testing National Conference State Certification Testing of Voting Systems Austin, Texas

2 wledge To Transfer curity Terminology lnerabilities: Lifecycle lnerability Research and Discovery, Reverse Engineering ftware Solution Stack lnerabilities in The Software Solution Stack ply Software Stack to Voting Systems Components cking Methodology: Where Scanning Fit In mples: Some Scanning Tool TL Use of Scanning Tools, Other use nners: Pros and Cons, Key Considerations

3 urity Definitions erability A deficiency, error, or misconfiguration within a system which can be exploited allowing the system to be used in an unintended manner. rability Scanner Automatically tests system for KNOWN vulnerabilities to confirm presence. it Software program developed to attack an asset by taking advantage of

4 urity Definitions erability Assessment tration Testing Scan of network's or component s security that attempts to look for potential points of entry by hackers or malware Automated Scanning tools find common issues Manual Tester s Knowledge and expertise looks for issues missed by automated tools No breach, no compromise Report issued, problems prioritized to be later addressed Use vulnerabilities discovered to breach and prove ability to compromise Usually consists of more than technological targets (include physical, administrative, procedural, people) More representative of what real adversary COULD do. rse Engineering, Vulnerability & Exploit Research Targets technological component to understand inner workings and find

5 erability Lifecycle ZERO DAY Vendor Researcher Bad Actor lnerability esearch / iscovery Vulnerability Publication Responsibly Mitigation Solution Development Mitigation Detection Development Mitigation Deployment Mitigation Verification Scan Publicly Exploit Development

6 erability Discovery arch / Discovery / Reverse Engineering ccess to Only Fuzzing Brute Force / Trial and Error ccess to Compiled Executable Binaries Decompilers Binary Debuggers ccess to Source Code Static Code Analyzers Manual Code Inspection All methods of looking for programming errors that may result in a vulnerability! Vulnerability Research / Discovery

7 ware Solution Stack Custom Vendor Third Party Supporting Open Source / Commercial Web Server Apache / MS IIS Database MSSQL / Oracle Open Source / Commercial Operating System Windows / Linux / OSX/ Android Hardware Routers / Firewalls /

8 erability Stack es Vulnerability Research and Discovery e Engineering Custom Third Party Supporting Web Server Database Majority of KNOWN Vulnerabilities More research in these layers Availability to those performing research Exploits developed and available Easier Targets Auto Scan Tools more effective in these layers Operating System Hardware Network

9 HAT? US CERT 85% of breaches are preventable They are against known vulnerabilities AT S NEXT? Voting Systems How VSTL ProV&V currently uses these tools How and where can we use them in Election Systems

10 tion System of Systems

11 tion System of Systems ulness of Automated Scans

12 tion System of Systems of Systems Bigger Picture TLs Voting Systems State / District Vendors cal Campaigns A Compromise of Any Has an Impact of the Whole

13 king Methodology: re Vulnerability Scanning Fits In Vulnerability Research / Discovery Phase 1: Reconnaissance Phase 2: Scanning Mitigation Verification Scan COMPROMISED TAREGET Phase 3: Gaining Access Phase 4: Maintaining Access Phase 5: Covering Tracks Use Exploit Depends on who is scanning! More Secure Target!

14 work Vulnerability Scanner xamples of Vulnerabilities Identified: Missing Patches (known vulnerabilities) Insecure Server Configurations Open Ports xamples of Tools NMAP Nessus OpenVAS Retina Election System Third Party Supporting Web Server Database Operating System Network

15 Vulnerability Scanner SAT Dynamic Security Testing Requires Running s xamples of Vulnerabilities Identified Cross site scripting SQL Injection Command Injection Path Traversal Insecure Server Configurations xamples of Tools Zed Attack Proxy Grabber Vega WebScarab Election System Third Party Supporting Web Server Database Operating System Network

16 abase Scanning Specifically designed for databases Examples of Vulnerabilities Identified: Weak password policies Default accounts Security of admin accounts Misconfiguration Examples of Tools Scuba Qualys Election System Third Party Supporting Web Server Database Operating System Network

17 rce Code Analysis ST Static Security Testing Examples of Vulnerabilities Identified CWE Top 10 SQL Injection OS Command Injection Buffer Overflows Cross Site Scripting Missing Authentication for Critical Function Examples of Tools Coverity Cpp Check HP Fortify Parasoft Election System Third Party Supporting Web Server Database Operating System Network

18 zing eeding variations of unexpected input into a rogram in an attempt to uncover unexpected ehavior Election System xamples of Tools Basic Fuzzing Framework (BFF) OWASP WebScarab Peach Fuzzer Third Party Supporting Web Server Database Operating System Network

19 erability Assessment Comparison

20 of Tools ing System Voting System Third Party Supporting Web Server Database Voting System ode Analysis etwork Scanners NMAP Nessus OpenVAS SCAP Compliance Checker Operating System Network

21 L of Tools CAVA Static Code Analysis Web Scanner Database Scanner Voting System Third Party Supporting Web Server Database UOCAVA Ballot Delivery/Return Operating System Network

22 ential of Tools Voting System Static Source Code Analysis

23 ential of Tools e stem Network Scanning Web Scanning Database Scanning

24 ential of Tools Network Scanning Web Scanning Database Scanning Statewide Election Night Reporting

25 and Cons of Automated Scanners ider Area Coverage cheduled Automation eport Output Ranking o Help Prioritization High False Positive Rates Doesn t Fix The Problem Report Output Interpretations Point in Time Applicability New Vulnerabilities Discovered Not Covered

26 Considerations Ethics / Legality Written consent from system owner or high ranking authority If hosted (SaaS, IaaS, etc.), Consult SLA (Service Level Agreements), AUP (Acceptable Use Policy) Require owner to submit results of scans, RFP Expertise Understanding Election System of Systems of Systems Selecting tools appropriate tools Interpreting output Finding & implementing mitigating solutions

27 as for Concentration WHERE asy Targets Anything Public Internet Facing Duration of Accessibility igh Risk Targets High Data Asset Value High Election Disruption Value High Election Integrity Compromise Value WHEN Baseline Anytime modified Routine

28 Takeaways hat are vulnerabilities fference in Vulnerability Assessment, Pen Testing, verse Engineering hat, Where, When, Why, How, and Who of tomated vulnerability scanner