Tools For Vulnerability Scanning and Penetration Testing
becky.santos@provandv.com
jack.cobb@provandv.com
2017 National Conference: State Certification Testing of Voting Systems, Austin, Texas
Knowledge To Transfer
- Security Terminology
- Vulnerabilities: Lifecycle
- Vulnerability Research and Discovery, Reverse Engineering
- Software Solution Stack
- Vulnerabilities in the Software Solution Stack
- Applying the Software Stack to Voting System Components
- Hacking Methodology: Where Scanning Fits In
- Examples: Some Scanning Tools
- VSTL Use of Scanning Tools, Other Uses
- Scanners: Pros and Cons, Key Considerations
Security Definitions
- Vulnerability: A deficiency, error, or misconfiguration within a system which can be exploited, allowing the system to be used in an unintended manner.
- Vulnerability Scanner: Automatically tests a system for KNOWN vulnerabilities to confirm their presence.
- Exploit: Software program developed to attack an asset by taking advantage of
Security Definitions
Vulnerability Assessment
- Scan of a network's or component's security that looks for potential points of entry for hackers or malware
- Automated: scanning tools find common issues
- Manual: the tester's knowledge and expertise finds issues missed by automated tools
- No breach, no compromise
- Report issued; problems prioritized to be addressed later
Penetration Testing
- Uses the vulnerabilities discovered to breach the system and prove the ability to compromise it
- Usually includes more than technological targets (physical, administrative, procedural, people)
- More representative of what a real adversary COULD do
Reverse Engineering, Vulnerability & Exploit Research
- Targets a technological component to understand its inner workings and find
Vulnerability Lifecycle (diagram)
- Actors: Vendor, Researcher, Bad Actor
- ZERO DAY
- Vulnerability Research / Discovery
- Vulnerability Publication: Responsibly / Publicly
- Exploit Development
- Mitigation Solution Development
- Mitigation Detection Development
- Mitigation Deployment
- Mitigation Verification Scan
Vulnerability Discovery
Research / Discovery / Reverse Engineering, by level of access to the target:
- Access to the running target only: Fuzzing; Brute Force / Trial and Error
- Access to compiled executable binaries: Decompilers; Binary Debuggers
- Access to source code: Static Code Analyzers; Manual Code Inspection
All are methods of looking for programming errors that may result in a vulnerability!
Software Solution Stack
- Custom: Vendor
- Third Party Supporting: Open Source / Commercial
- Web Server: Apache / MS IIS
- Database: MSSQL / Oracle (Open Source / Commercial)
- Operating System: Windows / Linux / OSX / Android
- Hardware: Routers / Firewalls / ...
Vulnerability Stack
- Custom layer: few known vulnerabilities; finding them takes Vulnerability Research and Discovery, Reverse Engineering
- Lower layers (Third Party Supporting, Web Server, Database, Operating System, Hardware, Network):
  - Majority of KNOWN vulnerabilities
  - More research in these layers
  - Availability to those performing research
  - Exploits developed and available
  - Easier targets
  - Automated scan tools more effective in these layers
SO WHAT?
- US-CERT: 85% of breaches are preventable; they are against known vulnerabilities
WHAT'S NEXT? Voting Systems
- How VSTL ProV&V currently uses these tools
- How and where can we use them in Election Systems
Election System of Systems (diagram)
Election System of Systems: Usefulness of Automated Scans (diagram)
Election System of Systems of Systems: Bigger Picture
- VSTLs, Voting Systems, State / District, Vendors, Local Campaigns
- A compromise of any has an impact on the whole
Hacking Methodology: Where Vulnerability Scanning Fits In
- Phase 1: Reconnaissance
- Phase 2: Scanning (fed by Vulnerability Research / Discovery; for the defender this is the Mitigation Verification Scan)
- Phase 3: Gaining Access (use exploit)
- Phase 4: Maintaining Access
- Phase 5: Covering Tracks
The outcome depends on who is scanning! Attacker: COMPROMISED TARGET. Defender: More Secure Target!
Network Vulnerability Scanner
Examples of vulnerabilities identified:
- Missing patches (known vulnerabilities)
- Insecure server configurations
- Open ports
Examples of tools: NMAP, Nessus, OpenVAS, Retina
(Election system stack diagram: Third Party Supporting / Web Server / Database / Operating System / Network)
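What a network scanner hands back is only useful once someone turns the raw output into a ranked list of open ports and missing banners. The following is an added example, not code from the slides or from ProV&V: it parses a report in the XML layout that `nmap -sV -oX` writes and ranks each open port. The report itself is a constructed sample (hosts in the 192.0.2.0/24 documentation range, made-up products and versions), and the HIGH_RISK_SERVICES policy is an assumption for illustration.

```python
"""Triage an Nmap XML report into a prioritized list of open ports.

Added example (not from the slides or from ProV&V). The report below is a
constructed sample in the layout `nmap -sV -oX` produces; the hosts,
products and versions are made up. HIGH_RISK_SERVICES is an assumed policy.
"""
import xml.etree.ElementTree as ET

# Constructed sample report: 192.0.2.0/24 is a documentation range, not a real target.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/28">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/>
        <service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433"><state state="open"/>
        <service name="ms-sql-s" product="Microsoft SQL Server" version="2008"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Illustrative policy (assumption): cleartext and remote-administration services
# that should not be reachable on an election network segment.
HIGH_RISK_SERVICES = {"telnet", "ftp", "ms-wbt-server", "vnc", "ms-sql-s", "mysql"}


def parse_open_ports(xml_text):
    """Return (addr, port, proto, service, product, version) for every open port
    on every host that is up. Filtered and closed ports are dropped."""
    findings = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            attr = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            findings.append((addr, int(port.get("portid")), port.get("protocol"),
                             attr("name"), attr("product"), attr("version")))
    return findings


def prioritize(findings):
    """Rank findings: HIGH for services in the policy, MEDIUM when no version
    banner was captured (the port cannot yet be matched against known
    vulnerabilities, so it needs manual follow-up), LOW otherwise."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    ranked = []
    for addr, port, proto, name, product, version in findings:
        sev = "HIGH" if name in HIGH_RISK_SERVICES else ("LOW" if version else "MEDIUM")
        ranked.append({"host": addr, "port": port, "proto": proto, "service": name,
                       "product": product, "version": version, "severity": sev})
    return sorted(ranked, key=lambda f: (order[f["severity"]], f["host"], f["port"]))


if __name__ == "__main__":
    for f in prioritize(parse_open_ports(SAMPLE_NMAP_XML)):
        print(f"{f['severity']:6} {f['host']}:{f['port']}/{f['proto']} "
              f"{f['service']} {f['product']} {f['version']}".rstrip())
```

The filtered port 445 is dropped rather than reported, which is the usual choice but worth revisiting when the firewall in front of the host is itself in scope. The "no version banner" rule is there because a port with no banner is exactly the one that a patch-level check cannot match against a known-vulnerability database, so it should go to a person rather than disappear from the report.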
Web Vulnerability Scanner
DAST: Dynamic Security Testing; requires a running system
Examples of vulnerabilities identified:
- Cross-site scripting
- SQL injection
- Command injection
- Path traversal
- Insecure server configurations
Examples of tools: Zed Attack Proxy, Grabber, Vega, WebScarab
(Election system stack diagram: Third Party Supporting / Web Server / Database / Operating System / Network)
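Dynamic testing needs a running application and sees only requests and responses. The following added example (not code from the slides, from ProV&V, or from any of the tools named) shows the two probes behind the first two items above at their simplest: two in-process request handlers stand in for a running web application, one written vulnerably and one hardened, and a scanner function that judges each purely from its HTML. The precinct names, the canary string and the error-signature list are assumptions for illustration.

```python
"""Black-box probes of the kind a web vulnerability scanner sends.

Added example (not from the slides, ProV&V, or any listed tool). Two request
handlers stand in for a running web application: each takes a query string
and returns HTML. The scanner inspects responses only, never the source.
Precinct names, canary and error signatures are assumed for illustration.
"""
import html
import sqlite3
from urllib.parse import parse_qs

# Constructed in-memory data standing in for the application's database.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE precincts (name TEXT)")
_conn.executemany("INSERT INTO precincts VALUES (?)",
                  [("North Ward",), ("South Ward",), ("Central",)])


def vulnerable_search(query_string):
    """Reflects the parameter unescaped (XSS) and splices it into SQL (SQLi)."""
    q = parse_qs(query_string).get("q", [""])[0]
    try:
        rows = _conn.execute(
            "SELECT name FROM precincts WHERE name LIKE '%" + q + "%'").fetchall()
    except sqlite3.Error as e:                     # leaks the engine's message
        return "<p>Database error: " + str(e) + "</p>"
    return "<h1>Results for " + q + "</h1>" + "".join(f"<li>{n}</li>" for (n,) in rows)


def hardened_search(query_string):
    """Same feature: HTML-escapes output and binds the SQL parameter."""
    q = parse_qs(query_string).get("q", [""])[0]
    rows = _conn.execute("SELECT name FROM precincts WHERE name LIKE ?",
                         ("%" + q + "%",)).fetchall()
    return ("<h1>Results for " + html.escape(q) + "</h1>"
            + "".join(f"<li>{html.escape(n)}</li>" for (n,) in rows))


# A canary with markup characters: if it comes back byte-for-byte, the page
# did not encode it and script injection is possible.
XSS_CANARY = 'zq<">zq'
# A lone quote: an unbalanced string literal makes a concatenated query fail.
SQL_PROBE = "'"
# Error-message fragments a scanner matches on (assumed, illustrative list).
SQL_ERROR_SIGNS = ("syntax error", "unrecognized token", "unterminated", "sql")


def scan(handler):
    """Send the probes to a handler and return the names of the findings."""
    findings = []
    if XSS_CANARY in handler("q=" + XSS_CANARY):
        findings.append("reflected-xss")
    body = handler("q=" + SQL_PROBE).lower()
    if any(sign in body for sign in SQL_ERROR_SIGNS):
        findings.append("sql-injection")
    return findings


if __name__ == "__main__":
    print("vulnerable:", scan(vulnerable_search))   # ['reflected-xss', 'sql-injection']
    print("hardened:  ", scan(hardened_search))     # []
```

The same limitation the slide lists as a con applies here: the scanner learns nothing about a page it never requested, and a query that fails silently instead of printing the engine's error would pass the second probe while still being injectable. That is why a real tool also sends timing-based and boolean-based payloads, and why the static check on the source is the complementary step.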
Database Scanning
Specifically designed for databases
Examples of vulnerabilities identified:
- Weak password policies
- Default accounts
- Security of admin accounts
- Misconfiguration
Examples of tools: Scuba, Qualys
(Election system stack diagram: Third Party Supporting / Web Server / Database / Operating System / Network)
Source Code Analysis
SAST: Static Security Testing
Examples of vulnerabilities identified (CWE Top 10):
- SQL injection
- OS command injection
- Buffer overflows
- Cross-site scripting
- Missing authentication for critical function
Examples of tools: Coverity, Cppcheck, HP Fortify, Parasoft
(Election system stack diagram: Third Party Supporting / Web Server / Database / Operating System / Network)
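Static analysis works on the source without running it, which is why it is the one technique on these slides that reaches the vendor's custom layer. The following is an added example, not code from the slides or from any of the products named: a toy checker that walks a Python AST and flags the first two CWE entries above, SQL built from a non-constant string reaching an `execute()` call and a non-constant command reaching a shell. The sample program it analyzes is constructed for illustration and its function and column names are invented. Real SAST products add dataflow (taint) tracking so that a string built from a constant two functions away is not flagged; this pattern check has no such tracking and is correspondingly noisier.

```python
"""Toy static analyzer for SQL and OS command injection sinks.

Added example (not from the slides or any listed product). It walks a Python
AST and reports calls whose first argument is not a plain string literal
when that call is a SQL execute() or a shell sink (CWE-89, CWE-78).
The SAMPLE_SOURCE under analysis is constructed for illustration.
"""
import ast

SQL_SINKS = {"execute", "executescript"}
SHELL_SINKS = {"system", "popen"}
SUBPROCESS_SINKS = {"run", "call", "check_output", "Popen"}


def _is_dynamic_string(node):
    """True unless the expression is a plain string literal. Concatenation and
    %-formatting (BinOp), f-strings (JoinedStr), .format() calls and bare names
    all count as dynamic: this checker cannot prove them constant."""
    return not (isinstance(node, ast.Constant) and isinstance(node.value, str))


def find_injection_sinks(source):
    """Return [(line, cwe, description)] sorted by line for suspicious calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        first = node.args[0]
        if name in SQL_SINKS and _is_dynamic_string(first):
            findings.append((node.lineno, "CWE-89",
                             "SQL built from non-constant string passed to %s()" % name))
        elif name in SHELL_SINKS and _is_dynamic_string(first):
            findings.append((node.lineno, "CWE-78",
                             "non-constant command passed to %s()" % name))
        elif name in SUBPROCESS_SINKS:
            # subprocess.* is only a shell sink when shell=True is passed literally.
            shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                             and kw.value.value is True for kw in node.keywords)
            if shell_true and _is_dynamic_string(first):
                findings.append((node.lineno, "CWE-78",
                                 "shell=True with non-constant command in %s()" % name))
    return sorted(findings)


# Constructed program under analysis: lines 4 and 6 are deliberately vulnerable,
# line 7 and line 9 are the safe forms and must not be reported.
SAMPLE_SOURCE = '''import os, subprocess
def lookup(cur, voter_id, pdf):
    # vulnerable: string formatting into SQL
    cur.execute("SELECT * FROM voters WHERE id = '%s'" % voter_id)
    # vulnerable: attacker-controlled filename reaches a shell
    os.system("pdftotext " + pdf)
    subprocess.run(["pdftotext", pdf])              # safe: argv list, no shell
    # safe: parameterized query, constant SQL text
    cur.execute("SELECT * FROM voters WHERE id = ?", (voter_id,))
'''

if __name__ == "__main__":
    for line, cwe, msg in find_injection_sinks(SAMPLE_SOURCE):
        print(f"line {line}: {cwe}: {msg}")
```

The rule "first argument must be a string literal" is deliberately strict: the parameterized query on line 9 passes because its SQL text is constant and the user value travels in the tuple, which is exactly the shape the fix for CWE-89 should have. The cost of that strictness is false positives on strings assembled safely elsewhere, the same interpretation burden the slides list under cons.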
Fuzzing
Feeding variations of unexpected input into a program in an attempt to uncover unexpected behavior
Examples of tools: Basic Fuzzing Framework (BFF), OWASP WebScarab, Peach Fuzzer
(Election system stack diagram: Third Party Supporting / Web Server / Database / Operating System / Network)
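Fuzzing is the technique the earlier discovery slide assigns to the case where the tester has only the running target and no code. The following added example (not from the slides, ProV&V, or the tools named) is a minimal mutation fuzzer of that kind: it takes a couple of seed inputs, applies random byte-level mutations, runs a target parser on each variant, and records every exception the parser did not intend to raise. The target is a constructed parser for a made-up "PRECINCT,CANDIDATE,COUNT" record with two deliberate bugs, and a corrected parser is included so the fuzzer can be seen to go quiet once they are fixed. The record format, the TallyError class and the seeds are assumptions for illustration; production tools add crash triage, coverage feedback and grammar-aware generation on top of this loop.

```python
"""Minimal mutation fuzzer with a deliberately buggy target.

Added example (not from the slides, ProV&V, or any listed tool). The record
format, TallyError and SEEDS are constructed for illustration. Crashes are
exceptions the parser did not mean to raise; a TallyError is a proper reject.
"""
import random


class TallyError(ValueError):
    """Expected rejection of malformed input: not a bug."""


def parse_tally(line: bytes):
    """Parse b'PRECINCT,CANDIDATE,COUNT'. Deliberately buggy: it checks neither
    the encoding nor the field count before indexing."""
    text = line.decode("ascii")                        # bug 1: UnicodeDecodeError on a high byte
    fields = text.strip().split(",")
    precinct, candidate, count = fields[0], fields[1], fields[2]   # bug 2: IndexError
    if not precinct or not candidate:
        raise TallyError("empty field")
    if not count.isdigit():
        raise TallyError("count is not a number")
    return {"precinct": precinct, "candidate": candidate, "count": int(count)}


def parse_tally_fixed(line: bytes):
    """Same format; every malformed input is rejected with TallyError."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        raise TallyError("non-ASCII byte")
    fields = text.strip().split(",")
    if len(fields) != 3:
        raise TallyError("expected 3 fields")
    precinct, candidate, count = fields
    if not precinct or not candidate or not count.isdigit():
        raise TallyError("bad field")
    return {"precinct": precinct, "candidate": candidate, "count": int(count)}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: flip a bit, delete a byte, insert a byte, or duplicate a slice."""
    b = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and b:
        i = rng.randrange(len(b))
        b[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and b:
        del b[rng.randrange(len(b))]
    elif choice == 2:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    else:
        i = rng.randrange(len(b) + 1)
        j = rng.randrange(i, len(b) + 1)
        b[i:i] = b[i:j]
    return bytes(b)


def fuzz(target, seeds, iterations=2000, seed=1):
    """Run `iterations` mutated inputs through `target`; return
    {exception class name: first input that triggered it} for unexpected exceptions."""
    rng = random.Random(seed)                          # fixed seed: reproducible run
    corpus = list(seeds)
    crashes = {}
    for _ in range(iterations):
        data = rng.choice(corpus)
        for _ in range(rng.randrange(1, 4)):           # stack 1 to 3 mutations
            data = mutate(data, rng)
        try:
            target(data)
        except TallyError:
            continue                                   # handled rejection
        except Exception as e:                         # anything else is a crash
            crashes.setdefault(type(e).__name__, data)
    return crashes


# Constructed seed corpus: two well-formed records.
SEEDS = [b"North Ward,Smith,1234\n", b"Central,Jones,7\n"]

if __name__ == "__main__":
    for sig, data in fuzz(parse_tally, SEEDS).items():
        print(f"{sig}: {data!r}")
    print("fixed parser crashes:", fuzz(parse_tally_fixed, SEEDS))
```

Every crash the fuzzer records is reproducible by feeding the saved input back to the parser, which is the first thing to do with a fuzzing result before filing it: the saved input, not the fuzzer's log, is the evidence a vendor can act on.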
Vulnerability Assessment Comparison (table)
VSTL Use of Tools: Voting System
- Code Analysis
- Network Scanners: NMAP, Nessus, OpenVAS, SCAP Compliance Checker
(Voting system stack diagram: Third Party Supporting / Web Server / Database / Operating System / Network)
VSTL Use of Tools: UOCAVA Ballot Delivery/Return
- Static Code Analysis
- Web Scanner
- Database Scanner
(Voting system stack diagram: Third Party Supporting / Web Server / Database / Operating System / Network)
Potential of Tools: Voting System
- Static Source Code Analysis
Potential of Tools: [system name truncated in source]
- Network Scanning
- Web Scanning
- Database Scanning
Potential of Tools: Statewide Election Night Reporting
- Network Scanning
- Web Scanning
- Database Scanning
Pros and Cons of Automated Scanners
Pros:
- Wider area coverage
- Scheduled automation
- Report output ranking to help prioritization
Cons:
- High false positive rates
- Doesn't fix the problem
- Report output needs interpretation
- Point-in-time applicability: vulnerabilities discovered after the scan are not covered
Key Considerations
Ethics / Legality:
- Written consent from the system owner or a high-ranking authority
- If hosted (SaaS, IaaS, etc.), consult the SLA (Service Level Agreement) and AUP (Acceptable Use Policy)
- Require the owner to submit results of scans (RFP)
Expertise:
- Understanding the Election System of Systems of Systems
- Selecting appropriate tools
- Interpreting output
- Finding and implementing mitigating solutions
Areas for Concentration
WHERE:
- Easy targets: anything public / Internet facing; duration of accessibility
- High-risk targets: high data asset value; high election disruption value; high election integrity compromise value
WHEN:
- Baseline
- Any time modified
- Routine
Key Takeaways
- What are vulnerabilities
- Difference between Vulnerability Assessment, Pen Testing, Reverse Engineering
- What, Where, When, Why, How, and Who of automated vulnerability scanners