It is nearly impossible to protect unknown assets, against unknown vulnerabilities, from unknown threats. Security capabilities such as firewalls, VPNs, intrusion detection systems, and other tools can only be of real benefit to an organization if they are deployed correctly, with an understanding of the systems to be protected. Even after all necessary capabilities are deployed, it is critical that a site be able to answer one key question: What does my network look like to an adversary?
Axxera begins the effort with the discovery of the customer’s internet presence. This includes the discovery of e-mail domains, e-mail addresses, DNS domains, registered network blocks, and hosts. This information is cross-referenced with web searches for public servers and user e-mail addresses. Discovered targets are verified with the customer before any active scanning is performed. The customer has ultimate control over the systems evaluated.
A combination of common and advanced network and host discovery techniques is used to find internet-connected devices. Attempts are made to discover systems even when firewalls and filters are blocking traditional host discovery techniques. The system discovery and vulnerability scanning techniques are always as sophisticated as current attack technology. As the “State of the hack” changes, so does Axxera’s vulnerability assessment technology.
Physical network design and routing are determined through the use of IP scan tools, as well as Simple Network Management Protocol (SNMP) queries for the routers. First, the team uses IP and/or UDP scanning tools to perform discovery of systems within the customer’s gateway IP addresses. Each system that is discovered is scanned for active network services using a combination of public, commercial off-the-shelf, and proprietary scanning tools. An appropriate combination of tools is selected for each network, determined by the size of the address block and other networking characteristics. These scan results reveal the hosts that are accessible in some way from the internet and the active services on them that are permitted to pass through firewalls and routing filters. In many cases, they also show which services are being blocked by firewall or router filters.
After host discovery, each identified system is probed for applications that respond to network stimulation. Information about the operating system, network applications, and system configuration is collected and analyzed. Potential vulnerabilities in the systems are verified and categorized by risk. All data collected is stored for historical purposes. Each exposed system is evaluated for vulnerabilities that reduce its security profile. Though specific vulnerabilities are far too numerous to discuss in detail here, the following paragraphs describe the process for identifying some of the major types of vulnerabilities. Once all active hosts and services have been identified, Axxera probes these services to identify their make and versions, and cross-references the active services against a database of potentially vulnerable services. Included in this assessment are checks for a large number of vulnerable Web server scripts.
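The cross-referencing and risk categorization described above can be sketched as follows. This is an added example, not Axxera's tooling: the product names, advisory references, addresses, and banner format are all constructed for illustration.

```python
import re
from collections import namedtuple

# ref is a placeholder ID; versions below fixed_in are treated as affected.
Advisory = namedtuple("Advisory", "ref product fixed_in risk")

# Constructed advisory database (hypothetical products and references).
ADVISORIES = [
    Advisory("EXAMPLE-0001", "examplehttpd", (2, 4, 10), "high"),
    Advisory("EXAMPLE-0002", "examplehttpd", (2, 2, 0), "medium"),
    Advisory("EXAMPLE-0003", "exampleftpd", (1, 3, 5), "low"),
]

# Constructed inventory: (host, port, banner) as service identification might record it.
INVENTORY = [
    ("192.0.2.10", 80, "examplehttpd/2.4.9"),
    ("192.0.2.10", 21, "exampleftpd/1.3.5"),
    ("192.0.2.11", 80, "examplehttpd/2.1.30"),
    ("192.0.2.12", 8080, "unknown service"),
]

RISK_ORDER = {"high": 0, "medium": 1, "low": 2, "unverified": 3}
BANNER_RE = re.compile(r"^([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)")

def parse_banner(banner):
    """Return (product, version tuple), or None when the banner is not product/version."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("."))

def assess(inventory, advisories):
    """Cross-reference services against advisories; return findings sorted by risk."""
    findings = []
    for host, port, banner in inventory:
        parsed = parse_banner(banner)
        if parsed is None:
            # No version evidence: flag for manual verification instead of guessing.
            findings.append((host, port, "unverified", None))
            continue
        product, version = parsed
        for adv in advisories:
            # Tuple comparison orders 2.4.9 before 2.4.10, unlike string comparison.
            if adv.product == product and version < adv.fixed_in:
                findings.append((host, port, adv.risk, adv.ref))
    return sorted(findings, key=lambda f: (RISK_ORDER[f[2]], f[0], f[1]))

if __name__ == "__main__":
    print(*assess(INVENTORY, ADVISORIES), sep="\n")
```

A banner match is only a potential finding; the page's process still calls for verifying it before it is reported.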
In addition to multiple versions of software, simple misconfigurations and insecure use of certain protocols can permit the compromise of a system. Systems that might permit anonymous access are checked for anonymous read and, even more importantly, anonymous write access. If access is discovered, the service is probed to determine whether access has been granted to directories that might be used to create unauthorized access, cause denial of service, or plant malicious software. Services that commonly provide anonymous access include HTTP (web), FTP and TFTP (file transfer), and NFS and NetBIOS (network file sharing).
A number of services that rely on RPC protocols are vulnerable to attacks that exploit the RPC protocols or the services themselves. Systems that have active RPC services are checked for access controls, RPC protocol versions that are known to be vulnerable to spoofing, and trust relationships. In this way, the assessment not only offers recommendations on the dangers of the general use of some of the more vulnerable services, but also lists, among the vulnerabilities, the specific services that are vulnerable to known attacks in their active configuration and versions.
The Vulnerability Assessment Report identifies the systems being tested, describes the network protection scheme, lists the active and accessible services on each system that was tested, and describes specific vulnerabilities for each applicable system. Each specific vulnerability is accompanied by a description of its potential to permit compromise or denial of service, as well as recommended actions to correct it. The report also documents any recommended modifications to the gateway or the external network topology or architecture, and explains why each change is necessary.
The assessment is truly a snapshot in time. Therefore, in addition to the findings, recommendations and conclusions, Axxera includes as much of the collected data as possible. Reports are typically delivered within two weeks of assessment conclusion.