Secure Digital Life #61
Recorded on April 24, 2018 at G-Unit Studios in Rhode Island!
Topic: Vulnerability Scanning pt. 2
Vulnerability Scanning Part Deux: The Vulnerabilitering [this word looks like a german fetish site]
Welcome Andy Pete from New England Tech, RWU Alum.
Firstly, there are three areas of your enterprise (or whatever you are scanning): outside, inside, and the DMZ. Outside is how the world sees you.
Analogy of a wall with doors and windows in it. -- Doug
Inside is how your users see you. --Andy-- Typically where your secrets/important data live. They can be stored in a number of ways: DB, flat file, emails, etc. Users have different levels of access. Restaurant analogy: the hostess can only make seating reservations; wait staff can input orders and process payments; managers perform the tasks of wait staff plus adjust bills for customer service issues.
Russ Explains a DMZ.
The DMZ is an area which is specifically set aside as a buffer between your inside-facing network and outside-facing network.
|| Internal Network || Firewall || Web server, databases, & other outward-facing services || Firewall || External Network. When I make a sandwich, I never like to put tomatoes or cheese directly touching the bread (even with a condiment buffer), because the tomato juice soaks the bread and makes it soggy while the cheese sticks to the bread and makes it adhere to the roof of my mouth (BLUGH!), so I like to put a layer of lettuce over each slice of bread before applying vegetables to protect against this. Enter the DMZ! In this analogy, the two slices of bread are the internal and external networks and the lettuce serves as the firewall to protect the networks (and my sandwich filling) from unwanted attack!
Let's talk then a little about how all these areas are really important in terms of scanning for vulnerabilities since we really need to look everywhere in our network, inside and out.
We talked about the basics last week, in the sense that just scanning at the port/IP level is a type of vulnerability scan. Some viewers didn't agree that port scans are vulnerability scans, but I think that if daemons are listening, knowing you have open doors is just as important.
--Andy-- An open port that has no technical vulnerabilities can still be a threat to a network. It can be targeted with DoS, used to learn more information about the system being attacked, etc.
But let's talk about some key places in each area that need to be scanned, not just for open ports on the firewall but in terms of layer 7 vulnerabilities.
- Outside -- What can be seen? Web servers, Email servers, DNS, even firewalls and routers can be scanned with the right tools.
- DMZ -- This is where all those servers reside, so if there are compromises they are probably going to start here. This means that the DMZ's ability to reach other resources (e.g. AD servers) can be a serious threat.
- Inside -- AD servers, DHCP servers, et al.
Doug's tiered scanning:
You need to look at scans from different levels as you develop a tactical approach.
- Internal guests
- Internal privileged
- Internal super users
- External guests
- External users
- External Super users ?
You need to understand what people can see and access, grouped by tier, so you can effectively analyze results. If there is a daemon, call it beelzebubD, that has a terrible vulnerability but no one can get to it, well, what's the risk?
So the problem evolves into something bigger: not just can we document all this, but can we do it regularly and with certainty. This leads to tools that can be used to look for specific things in the network. [Andy, what kind of tools do you like to use to generate a picture of the network?]
--Andy--
- ICMP - ping, traceroute; the type of response from pings (rejection vs timeout)
- Physical inspection - locating data closets, equipment locations testing physical security
- IP scanning - Angry IP scanner, IP Address tracker
- Port Scanning - NMAP
- L2/L3 address tables (MAC/ARP)
- L2 discovery - LLDP, CDP (used by Cisco phones)
- Packet Capture - Wireshark
This doesn't just mean nmap port scans: now we have to see the privilege level, the type of service and its sub-components, and all the content that is embedded.
For instance, an email server that is also running BIND, SSHD, and HTTPD for whatever reason. Each of these has a version, and each version can contain specific vulnerabilities.
Automated tools can facilitate collecting and analyzing all this information rapidly and are certainly the place to start.
- Have valid network diagrams -- this is the nmap level of scanning
- Have a valid threat diagram -- this shows the places in your network where the major threat focus is
- Have an IDS/IPS plan -- this is how you do live detection
- Run vulnerability scans against DEV systems before they are put into production. Ensure those DEV systems reflect what will actually be done in PROD.
- Run VS against PROD pretty regularly just to detect change, but this should be methodical rather than extensive.
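As an added worked example (not code from the episode, nor from nmap or any tool Andy lists), here is a small Python script that turns nmap -sV XML output into the tiered picture Doug's scanning levels call for, answers the beelzebubD question for a list of flagged versions, and does the "scan PROD regularly to detect change" step from the last bullet. Everything in it is constructed: the host 203.0.113.10, the open ports and version strings, and FLAGGED, which stands in for whatever your own vulnerability feed or patch tracker flags and makes no claim about those versions.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -sV XML, trimmed to the fields read below: the same DMZ mail
# host seen from the outside, from the inside, and from the outside again later.
# Hypothetical host, ports and versions; not output from any real scan.
EXTERNAL = """<nmaprun><host><address addr="203.0.113.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="25"><state state="open"/><service name="smtp" product="Postfix smtpd"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29"/></port>
<port protocol="tcp" portid="53"><state state="filtered"/><service name="domain"/></port>
</ports></host></nmaprun>"""

INTERNAL = """<nmaprun><host><address addr="203.0.113.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="25"><state state="open"/><service name="smtp" product="Postfix smtpd"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29"/></port>
<port protocol="tcp" portid="53"><state state="open"/><service name="domain" product="ISC BIND" version="9.11.3"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.6p1"/></port>
</ports></host></nmaprun>"""

EXTERNAL_LATER = """<nmaprun><host><address addr="203.0.113.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="25"><state state="open"/><service name="smtp" product="Postfix smtpd"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="Apache httpd" version="2.4.41"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.6p1"/></port>
</ports></host></nmaprun>"""

# Placeholder for whatever your vulnerability feed flags; constructed for the
# example and not a statement about these particular versions.
FLAGGED = {("Apache httpd", "2.4.29"), ("ISC BIND", "9.11.3"), ("OpenSSH", "7.6p1")}

# Vantage points in order of concern: the external (guest) tier first.
EXPOSURE_ORDER = ["external", "internal"]


def parse_nmap_xml(xml_text):
    """Return {(ip, proto, port): (product, version)} for every open port."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not reachable services
            svc = port.find("service")
            product = svc.get("product", svc.get("name", "?")) if svc is not None else "?"
            version = svc.get("version", "") if svc is not None else ""
            key = (addr.get("addr"), port.get("protocol"), int(port.get("portid")))
            inventory[key] = (product, version)
    return inventory


def reachability(scans):
    """scans: {vantage: xml}. Return {service_key: {vantages that see it open}}."""
    reach = {}
    for vantage, xml_text in scans.items():
        for key in parse_nmap_xml(xml_text):
            reach.setdefault(key, set()).add(vantage)
    return reach


def prioritise(scans, flagged):
    """Flagged services as (key, product, version, vantages), most exposed first.

    A flagged daemon that no tier can reach never shows up in any scan, so it
    never enters this list: that is the beelzebubD case.
    """
    reach = reachability(scans)
    versions = {}
    for xml_text in scans.values():
        versions.update(parse_nmap_xml(xml_text))  # last vantage wins on conflict
    rows = [(key, *versions[key], sorted(v)) for key, v in reach.items() if versions[key] in flagged]

    def exposure(row):
        return min(EXPOSURE_ORDER.index(v) if v in EXPOSURE_ORDER else len(EXPOSURE_ORDER) for v in row[3])

    return sorted(rows, key=lambda row: (exposure(row), row[0]))


def diff_scans(baseline_xml, current_xml):
    """Compare two scans from the same vantage: what opened, closed, or changed version."""
    before, after = parse_nmap_xml(baseline_xml), parse_nmap_xml(current_xml)
    return {
        "opened": sorted(k for k in after if k not in before),
        "closed": sorted(k for k in before if k not in after),
        "changed": sorted((k, before[k], after[k]) for k in before.keys() & after.keys() if before[k] != after[k]),
    }


if __name__ == "__main__":
    for key, product, version, vantages in prioritise({"external": EXTERNAL, "internal": INTERNAL}, FLAGGED):
        print(f"{key[0]}:{key[2]}/{key[1]} {product} {version} reachable from {vantages}")
    print(diff_scans(EXTERNAL, EXTERNAL_LATER))
```

With the sample data, the flagged Apache on 443 sorts first because the outside world can reach it, while BIND and SSH on the same box are only reachable from the internal vantage; the later external rescan reports 22/tcp newly opened and the Apache version changed, which is exactly the kind of drift a methodical, regular PROD scan is meant to catch. For real use, feed it files written with `nmap -sV -oX`, one per vantage point.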
Next time, Andy will demo a vulnerability scanner for you.