• 消除“不对位”“零差别”br创新机关党员日常管理量化考评工作 2019-09-17
  • 人民网春季糖酒会专访湖南武陵酒业集团董事长浦文立 2019-09-17
  • 传销就是利用这种劣根性。 2019-09-07
  • “妃子笑”熟了! 东莞22个官方荔枝采摘点出炉 2019-09-07
  • 钱念孙:从文化传统看中国梦的题中之义 2019-09-05
  • 清新 —频道 春城壹网 七彩云南 一网天下 2019-09-05
  • 40多年义务理发5万人 2019-08-28
  • 失窃案牵出地下药品交易链 2019-08-28
  • 40多年义务理发5万人 2019-08-21
  • 走错片场?中国奥运队服惊现世界杯 2019-08-21
  • 福音!全球首例3D打印眼角膜 数百万盲人重获光明不再遥不可及 2019-08-11
  • 出差还是度假?副局级干部外地调研55次坐头等舱或公务舱被处分 2019-08-11
  • 晋城:八项重点打好水污染防治攻坚战 2019-07-26
  • 在楼主大谈共产主义分配的时候,希望楼主先说明一下对马克思关于共产主义基本原则的理解。一个社会如果仍然存在“按劳动分配”,怎么会是“每一个个人的全面而自由的发展” 2019-07-19
  • 山西方山县:以产业扶贫助推百姓脱贫 坚决打赢脱贫攻坚战 2019-07-19
  • Beyond Security - Aug 22, 2018

    群英会跨度:In Vulnerability Assessment, Accuracy Is Vital

    Testing for behavior vs version

    群英会跨度走势图 www.xxnr.net The primary requirement for a Vulnerability Assessment solution is accurate testing. Ease of use and clear reports are important, but if accuracy isn't there then little else matters. Poor accuracy in Vulnerability Assessment produces two kinds of testing error. Overlooking a vulnerability (a false negative) leaves a security flaw you don't know about. Reporting a vulnerability as present when in fact none exists (false positive) sends you looking for something that can't be found. Obviously you don't want either. Clearly it's important for a solution to find the vulnerabilities. But an inaccurate tool that misidentifies problems too often can be more trouble than it's worth.

    If the first 4 vulnerabilities reported by your solution didn't actually exist upon close examination, it becomes pretty difficult to take the 5th vulnerability seriously. 'Crying wolf' creates complacency. A VA report that says there are dozens of serious security issues when there are really only 5 is more distraction than assistance. Also, how valuable is your time? Your security budget doesn't get larger just because your VA system says there *may be* dozens or hundreds of vulnerabilities on your network. The hidden cost of an inaccurate VA system is the man-hours it takes to chase false positives, prove that they are false and check them off the list. The total cost of ownership of a VA system with a 5% false positive rate is doubled when the time to verify and eliminate false positives is included. Even a 2% error rate can be a headache.

    Version analysis - not so good...

    Nearly all VA solutions depend upon version checking as their primary method of assessing the relative vulnerability of network hardware or software. VA solutions typically look at the response header and from the version data there they deduce whether the hardware or software is vulnerable. If an old version is known to have 5 vulnerabilities and the header says that the old version is in use, then it is assumed that all 5 of those vulnerabilities exist and need to be fixed, even if they have already been resolved by configuration settings or back door updates that may have been done.

    Version checking has many advantages for the vendor and one key disadvantage for the customer. It is easy to program and claim '45,000 tests'. Also, a version analysis scan that finds many old versions can produce a long and impressive list of vulnerabilities. This makes the solution look good.

    The disadvantage: Poor accuracy misses real problems and list dozens if not hundreds of vulnerabilities that don't actually exist. Version information contained in a header doesn't reflect the presence or absence of a security issue with high accuracy.

    Behavior analysis - proof that a vulnerability exists

    The fundamental indicator of a real and present vulnerability is 'unwanted response to a query'. Vulnerabilities can be exactly and accurately identified by how the host responds when given a special query.

    beSECURE alone, in the field of Vulnerability Assessment solutions, specializes in using specially crafted queries and the resulting behavior of network components and web applications as its primary indicator of whether a vulnerability exists or not. This strategy requires a great deal more effort in the programming of vulnerability tests but produces so few false positives that most of our customers never experience one.

    Why is Behavior Analysis in Vulnerability Assessment Better?

    The version number reported in the header is only a general indicator of a possible vulnerability. It is not accurate enough for mission critical application in Vulnerability Assessment.

    Examples of false negatives using headers:

    • The header can be hidden or suppressed
    • A firewall could be faking header information
    • An update changed the version number, but failed to install completely
    • A version update loaded, but the server never rebooted to complete installation

    Examples of false positives using headers:

    • The vulnerable service, feature or function can be turned off
    • Configuration settings block the vulnerability
    • A workaround was established to avoid the vulnerability
    • A patch was applied that didn't change the version number

    Why is accuracy in VA so important?

    False negatives are clearly a catastrophic failure in VA. All vendors recognize this and the broadly accepted solution is to declare every possible issue a vulnerability and let the network administrator try to prove otherwise. This and the race to have the most tests and report the most vulnerabilities has made the false positive endemic to Vulnerability Assessment.

    A 5% false positive rate may not be a problem for small networks - depending upon what the admin's time is worth. If there are 5 false positives in a network of 300 IPs, that may not seem like a big deal. But if all 5 are also flagged critical then it just doubled your work time chasing ghosts.

    What if you have 1000 IPs with 50 high risk false positives? It may take weeks to sort out.

    Example

    Nearly all VA solutions depend primarily upon the version number to determine if an application is vulnerable. It therefore requires additional manual labor to verify that each problem actually exists and at least one VA company recommends that you buy and run an additional tool to do just that.

    beSECURE doesn't care what the application version number says. It automatically does the 'manual labor' needed to prove that the vulnerability exists.

    A real life vulnerability test:

    The SOAP interface to the eMBox module in Novell eDirectory 8.7.3.9 and earlier, and 8.8.x before 8.8.2, relies on poorly executed client-side authentication. This allows remote attackers to bypass authentication via requests for /SOAP URIs, and this can cause a denial of service (daemon shutdown) opportunity or allow arbitrary files to be read. NOTE: it was later reported that 8.7.3.10 (aka 8.7.3 SP10) is also affected.

    How version-dependent VA tools test:

    1) Check the version of eMBox. Is it 8.7.3.9 or earlier?

    2) If yes, then report it as vulnerable

    How beSECURE tests:

    1) Confirm it's an HttpStk server by sending it a request that triggers a pre-defined error page (basically an invalid HTTP request)

    2) Then HTTP POST this to the server:
      <?xml version="1.0"?>
      <SOAP-ENV:Envelope xmlns:SOAP-ENV="//schemas.xmlsoap.org/soap/envelope/">
       <SOAP-ENV:Header/>
       <SOAP-ENV:Body>
        <dispatch>
         <Action>novell.embox.connmgr.serverinfo</Action>
         <Object/>
         <Parameters/>
        </dispatch>
       </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>

    3) If it returns:
      novell.embox.connmgr.serverinfo

      beSECURE knows it is talking to the right type of server

    4) Send a followup request with:
      <?xml version="1.0"?>
       <SOAP-ENV:Envelope xmlns:SOAP-ENV="//schemas.xmlsoap.org/soap/envelope/">
        <SOAP-ENV:Header/>
        <SOAP-ENV:Body>
         <dispatch>
          <Action>novell.embox.service.getServiceList</Action>
          <Object/>
          <Parameters>
           <params xmlns:EMR="emtoolsmgr.dtd">
            <EMR:NamesOnly>0</EMR:NamesOnly>
           </params>
          </Parameters>
         </dispatch>
        </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>

    5) If it returns
      </EBX:XError>

      beSECURE knows it's secure.

    Any other response indicates the host is vulnerable regardless of what version number the header provides. The test itself makes no change to the host and doesn't interfere with any other traffic.

    Accurate VA Testing With beSECURE

    Testing the behavior of hosts and applications is harder to program than just asking for the version number, but it results in accurate testing, conclusive and actionable reports and a dramatic reduction in the time it takes to clean up network vulnerabilities.

    Written by Beyond Security

    We had an impossible mission: transform the hackers brain into a machine. Mission accomplished. Using automated software, Beyond Security is dedicated to finding common vulnerabilities and zero-day exploits at a fraction of the cost of human-based penetration testing. Businesses around the world have been relying on Beyond Security's vulnerability and compliance solutions since 1999. Whether you need to accurately assess and manage security weaknesses in your networks, applications, industrial systems or networked software, we're here for you - one step ahead of the hackers.

    • 消除“不对位”“零差别”br创新机关党员日常管理量化考评工作 2019-09-17
    • 人民网春季糖酒会专访湖南武陵酒业集团董事长浦文立 2019-09-17
    • 传销就是利用这种劣根性。 2019-09-07
    • “妃子笑”熟了! 东莞22个官方荔枝采摘点出炉 2019-09-07
    • 钱念孙:从文化传统看中国梦的题中之义 2019-09-05
    • 清新 —频道 春城壹网 七彩云南 一网天下 2019-09-05
    • 40多年义务理发5万人 2019-08-28
    • 失窃案牵出地下药品交易链 2019-08-28
    • 40多年义务理发5万人 2019-08-21
    • 走错片场?中国奥运队服惊现世界杯 2019-08-21
    • 福音!全球首例3D打印眼角膜 数百万盲人重获光明不再遥不可及 2019-08-11
    • 出差还是度假?副局级干部外地调研55次坐头等舱或公务舱被处分 2019-08-11
    • 晋城:八项重点打好水污染防治攻坚战 2019-07-26
    • 在楼主大谈共产主义分配的时候,希望楼主先说明一下对马克思关于共产主义基本原则的理解。一个社会如果仍然存在“按劳动分配”,怎么会是“每一个个人的全面而自由的发展” 2019-07-19
    • 山西方山县:以产业扶贫助推百姓脱贫 坚决打赢脱贫攻坚战 2019-07-19
    • 广西快乐10分最大遗漏 306手机彩票网站 快乐十分开奖网址 2元彩票网注册 《彩票助赢软件》官网 必赢国际473 巴甲 足球比分直播球探 八福娱乐 北京pk10开始直播 黑龙江时时彩结果 深圳风采081 西甲球衣赞助商 纸牌二八杠大小排列顺序 江苏7位数18153期开奖