
Vulnerability Analysis - Essay Example

Summary
This essay, 'Vulnerability Analysis', explains that vulnerability analysis, also called vulnerability assessment, is a method for identifying, classifying and expressing security weaknesses in a computing device, a computer network or the Information Technology infrastructure of an organization…

Extract of sample "Vulnerability Analysis"

Vulnerability Analysis

Vulnerability analysis, also called vulnerability assessment, is a method for identifying, classifying and expressing security weaknesses in a computing device, a computer network or the Information Technology infrastructure of an organization. Apart from this primary objective, vulnerability analysis also forecasts the efficiency and effectiveness of projected countermeasures, as it measures their effectiveness at the operational layer. Some of the steps that vulnerability analysis may incorporate include:

  • Classification of resources on the network
  • Tagging an importance level to the classified resources
  • Identification of current and potential threats to these tagged and classified resources
  • Defining a strategy for addressing serious issues at the initial level
  • Defining processes and procedures to address security breaches

To incorporate these functions within the enterprise network, tools are required to assess the network or information systems. Nessus is a comprehensive and open source security scanner. Its plug-in architecture allows users to customize it for their systems and networks. The security scanner frequently updates itself and provides full reporting, host scanning, and real-time vulnerability searches.
Security audit features of Nessus are (Messmer, 2005):

  • Credentialed and un-credentialed port scanning
  • Network-based vulnerability scanning
  • Credential-based patch audits for Windows and most Unix platforms
  • Credentialed configuration auditing of most Windows and Unix platforms
  • Robust and comprehensive credentialed security testing of third-party applications such as iTunes, Java, Skype and Firefox
  • Custom and embedded web application vulnerability testing
  • SQL database configuration auditing
  • Cisco router configuration auditing
  • Software enumeration on Unix and Windows
  • Testing anti-virus installs for out-of-date signatures and configuration errors

Another popular and open source tool for vulnerability analysis is Wireshark. This tool, which was previously named Ethereal, also provides packet sniffing. A relatively easy GUI, along with various filtering and sorting options, makes this tool perfect for non-savvy IT staff within organizations (Scalisi, 2010).

Comparing Nessus and Wireshark

Wireshark is considered to be at the top of the list of network protocol analyzers. Wireshark provides more than vulnerability analysis, as its functionality resembles that of "tcpdump." It emphasizes protocols and represents data streams on the GUI. The major advantage of this tool is its operating system compatibility, as it supports OS X, Windows, UNIX and Linux. Moreover, it also extensively supports Voice over IP, which is a significant option for the organization, as international and corporate organizations use VoIP for communication to save cost and at the same time deliver quality. Nessus, on the other hand, is used in more than 75,000 organizations around the globe and is considered to be one of the world's most popular vulnerability scanners (Ferguson, n.d.). However, version 3 has now been converted to a proprietary license, although the scanning engine is still free and updates are available a week after release.
Relating with the Scenarios

When Nessus is incorporated in a large enterprise, most probably a government organization such as the Department of Defense (DOD) networks, it will initiate a port scan and target the defined host or network. After opening the port, it examines all the services that are running on the system or network and tests all the detected services against vulnerabilities defined in the Nessus vulnerability database (Kim, n.d.). As this tool can develop a testing platform for network resilience, its report generation is very comprehensive, which is ideal for large enterprises. As it is an easy, remote vulnerability analysis tool, it is best suited for large enterprises that are geographically dispersed across more than one continent (Kim, n.d.). Moreover, in an ideal scenario where the corporate networks of large organizations contain many client/server architectures, Nessus will detect the clients and the server automatically when connected to the specific network at a specific location (Kim, n.d.). Network security professionals of a large enterprise can customize plugins to their requirements, as the tool has its own scripting language for defining methods to test the network and identify vulnerabilities (Kim, n.d.). The tool will penetrate the corporate network and start scanning for anonymous File Transfer Protocol (FTP), and for the client/server architecture, Secure Sockets Layer (SSL) will provide an additional layer of security for report results.

However, to detect false positives, a validity check is required on the Nessus reports that display the vulnerabilities found. This process is time-consuming and complex. Moreover, the Nessus tool can also crash routers, firewalls, switches or other resources on the network. To address this issue, plugins must be tested prior to deployment. Yet prevention of crashes of network resources and devices is not guaranteed.
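The validity check on scanner reports described above, sketched as an added example (not code from the essay or from Nessus): un-credentialed, banner-based findings are cross-checked against a credentialed audit and ordered by the importance tagged to each resource. The hosts, check names and audit results are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check: str      # hypothetical check name, not a real Nessus plugin
    evidence: str   # "banner" = un-credentialed guess, "credentialed" = read on the host


# Constructed importance tags from the resource-classification step (3 = critical).
IMPORTANCE = {"10.0.0.5": 3, "10.0.0.9": 2, "10.0.0.20": 1}

# Constructed credentialed audit results: (host, check) -> True when the
# host-side audit shows the issue is NOT present (e.g. a backported fix).
AUDIT_CLEARED = {
    ("10.0.0.5", "ssh-old-version"): True,   # banner looks old, fix is installed
    ("10.0.0.9", "ftp-anonymous"): False,    # audit agrees: anonymous login enabled
}

# Constructed raw scanner report.
REPORT = [
    Finding("10.0.0.5", 22, "ssh-old-version", "banner"),
    Finding("10.0.0.9", 21, "ftp-anonymous", "banner"),
    Finding("10.0.0.20", 443, "tls-weak-cipher", "banner"),
    Finding("10.0.0.5", 445, "smb-missing-patch", "credentialed"),
]


def classify(finding, audit_cleared):
    """Return 'confirmed', 'false_positive' or 'needs_validation' for one finding."""
    if finding.evidence == "credentialed":
        return "confirmed"             # observed on the host, not inferred remotely
    cleared = audit_cleared.get((finding.host, finding.check))
    if cleared is None:
        return "needs_validation"      # banner only, nothing to cross-check against
    return "false_positive" if cleared else "confirmed"


def triage(report, audit_cleared, importance):
    """Group findings by status; within each group, critical assets come first."""
    groups = {"confirmed": [], "false_positive": [], "needs_validation": []}
    for finding in report:
        groups[classify(finding, audit_cleared)].append(finding)
    for items in groups.values():
        items.sort(key=lambda f: (-importance.get(f.host, 0), f.host, f.port))
    return groups


if __name__ == "__main__":
    for status, items in triage(REPORT, AUDIT_CLEARED, IMPORTANCE).items():
        print(status)
        for f in items:
            print(f"  {f.host}:{f.port} {f.check} ({f.evidence})")
```

Findings left in the needs_validation group are the ones that still require the manual check the essay calls time-consuming; the cross-check only shrinks that queue.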
Wireshark, on the other hand, captures live data and evaluates protocols simultaneously on a corporate network, where data streams are large. Wireshark provides powerful features for analyzing network traffic coming from remote branches connected on a global scale, as it dissects traffic contents and represents them in a tree shape. For evaluating wireless connectivity, Wireshark possesses a Frame Dissector window that represents frame statistics and the contents of the 802.11 MAC layer. As mentioned earlier, the data streams will be much larger, as corporate organizations have hundreds of branches; Wireshark will narrow down the number of packets from those data streams by applying inclusive and exclusive filters. However, to successfully engage Wireshark for analyzing protocols, the user must have protocol knowledge, and a major drawback of using Wireshark on an international scale is the absence of packets that are traveling on another subnet, i.e. another network.

For a national-level organization that is located only within the country, where sales reports from Burger King branches need to be submitted to the head office by the end of the day, Nessus provides transparency of source code to ensure that no modification is carried out in the code. As a security engineer at Burger King, personnel can establish customized vulnerability checks and deploy them in the tool. These vulnerability checks are recognized by a large consortium that continues to make new checks. For an organization based at a local scale, budget is not an issue, as the tool is free. As Wireshark specializes in sniffing out network issues at the initial level, Burger King can deploy this tool to potentially identify threats and vulnerabilities and resolve them before exploitation. As for cost, Wireshark is categorized under General Public License terms and conditions, and it costs comparatively less.
For small and medium enterprises comprising 20 to 30 nodes, both of these tools will be feasible. However, in terms of functionality, Wireshark will be more feasible, as it focuses on network sniffing, compared to Nessus, which monitors live traffic.

Criteria Creep

The Common Criteria have addressed various problems that other evaluation criteria failed to solve. However, the Common Criteria are not flawless: at the initial level, security objectives and protection profiles possess the same weakness as the Information Technology Security Evaluation Criteria (ITSEC) (Matt, 2006). The evaluation methodology of the Trusted Computer System Evaluation Criteria (TCSEC) has two fundamental issues. The first issue was "criteria creep", the gradual expansion of the requirements that define the evaluation classes of the TCSEC (Matt, 2006). The findings of the evaluations highlighted the need to interpret the criteria in order to apply them to specific products. Instead of publishing regular revisions to address the interpreted requirements, the NCSC decided to construct a process for approving interpretations and publishing them in an informal supplement to the TCSEC (Matt, 2006). Occasionally, the interpretations were more precise and focused than the original requirements. As time passed, the list of these supplements grew and expanded the scope of the individual TCSEC criteria along with their interpretations. Consequently, a class C2 operating system is required to cope with all the new requirements, compared to a system that was evaluated previously (Matt, 2006). This places an extra burden on new products under evaluation, along with a dissimilarity in baseline security enforcement across all C2 operating systems (Matt, 2006).
However, many issues were highlighted by the associated dissimilarities, as they covered problems that needed to be addressed by the security community, hence leading to improved security products.

The second issue is associated with the duration of the evaluation process, as it consumed a lot of time (Matt, 2006). Three factors contributed to this issue. First, the vendors misjudged the complexity of the evaluation and the vital collaboration with the evaluation teams. Second, the procedures associated with evaluation management resulted in misconceptions and scheduling issues. Lastly, the motivation to complete the evaluation was never very high (Matt, 2006). As a result, there were usually delays in the schedule caused by the vendors and evaluators (Matt, 2006). Additional work was imposed on the vendors and, on the other hand, evaluators were allocated to multiple evaluations; consequently, the schedule for a specific evaluation was delayed because of another vendor. The process of evaluation was so time-consuming that the product eventually became obsolete before the rating was awarded (Matt, 2006). Towards the end of life of the TCSEC, the government approved laboratories to perform evaluations on a commercial level for a fee. This initiative from the government resulted in a more structured approach that was not as time-consuming, and the evaluation process took almost a year to complete.

Study on "It's Time for Trustworthy Systems"

The study by Heiser, Murray, and Klein (2012) demonstrates that whole-system security can now be evaluated at a justified and reasonable cost. The study shows evidence of integrity enforcement for seL4, produced in under 10 person-months, along with the dual evidence of confidentiality enforcement. All these pieces of evidence integrate into a solid security property, noninterference.
Likewise, these confidentiality and noninterference formulations are secured by formal refinement statements that incorporate functional correctness. Consequently, the study continues to prove advantages by exploiting functional correctness (Heiser et al., 2012). Every associated proof aligns with and conforms to the seL4 protection state in accordance with the access control policy. Moreover, the study also highlights the security properties, i.e. confidentiality and integrity, relative to this policy (Heiser et al., 2012). Integrity limits what the currently running thread can modify, and confidentiality limits what it can read, as seL4 deploys an access control mechanism that is dynamic and capable, and its protection state can change (Heiser et al., 2012). Authority confinement was verified in this study, which leads to well-developed policies, as the protection state conforms to the policy on a consistent basis. At the operating system layer, security is eliminated to a certain extent.

Medical implants, industrial robots and vehicles are real-time systems, as they are designed to react to an event within a strictly given time frame (Heiser et al., 2012). These systems take time to develop and come at massive cost; still, they carry the risk of unreliable legacy programs. For example, a medical implant needs to connect to an external link (the Internet) via wireless connectivity for maintenance and monitoring purposes (Heiser et al., 2012). The stack contains tens of thousands of lines of program code that cannot be trusted, so it requires the encapsulation provided by the microkernel. This means that the microkernel must robustly hand control over to the life support functions, regardless of what the code is doing at the point of a critical sensor interrupt (Heiser et al., 2012).
However, the interrupt can arrive while the legacy program that is already running has made an arbitrary microkernel call to obtain a service. The implication is that the uninterruptible execution time of kernel calls must be firmly restricted (Heiser et al., 2012).

There are always limitations on the goals associated with security and safety proofs. These are fundamental limitations that also apply to other methods involved in the process, such as testing; however, they are outweighed by the solidity of mathematical proofs. To address one immediately, the probability of issues or mistakes in a proof is not really an issue (Heiser et al., 2012): the proof is verified by machine, so issues associated with soundness are fundamentally eliminated. The fundamental limitations associated with formal reasoning are instead the assumptions on which the proof is based and the distance between human thinking and the formal property. Attacks or breaches on these systems are more productive, as the usual assumption is that the hardware is perfect. An intelligent attack can show that the hardware fails in many ways, for instance by overheating the circuitry, breaching confidential information and violating security. Moreover, differences between the hardware and the proofs can also result in a system failure (Heiser et al., 2012). Therefore, the proof intelligently recognizes all assumptions and provides a protection mechanism, i.e. assuring that the system is deployed under the supervision of an adequate operating environment. Furthermore, one more intelligent security breach is to extract all the hardware details that lie under the abstraction layer used in the verification. If one is able to explore the disparity between the model and reality, one will be able to find a side channel.
For example, hardware timings are not discussed in the functional models; similarly, the confidentiality proof gives no assurance about covert timing channels (Heiser et al., 2012). In the end, the study suggested the use of WCET profile and kernels. The study demonstrated that full proofs associated with security and safety can be expected for systems within one to two years. The study also demonstrated ways of analyzing secure systems with a small amount of code that can be trusted. Similarly, methods for completing kernel-level security proofs are demonstrated, along with the construction of trustworthy user components (Heiser et al., 2012). However, the challenge is to compose these parts and integrate them into a single proof of a system-wide security objective, along with decreasing the cost of verification through code synthesis and stronger automation (Heiser et al., 2012). The initial investment in the functional correctness proof of seL4 was high, but this proof started to pay off as properties were proved on top of it. The study also suggests that these proofs will become easier from year to year. seL4 is only the first system that has a vast number of high-level properties (Heiser et al., 2012). However, the machine-checked proofs associated with safety and security are neither applicable nor feasible anymore.

References

Ferguson, B. (n.d.). CompTIA network+ review guide: Exam: N10-005. Sybex.
Heiser, G., Murray, T., & Klein, G. (2012). It's time for trustworthy systems. IEEE Security & Privacy Magazine, 10(2), 67–70. doi: 10.1109/MSP.2012.41.
Kim, C. L. (n.d.). Fundamentals of network security firewalls & VPNs. Jones & Bartlett Publishers.
Matt, B. (2006). Introduction to computer security. TBS.
Messmer, E. (2005). Open source Nessus tool to go commercial. Network World, 22(41), 16.
Scalisi, M. (2010). Analyze network problems with Wireshark. PC World, 28(4), 30.
Cite this document
(“Vulnerability Tools Essay Example | Topics and Well Written Essays - 2500 words”, n.d.)
Vulnerability Tools Essay Example | Topics and Well Written Essays - 2500 words. Retrieved from https://studentshare.org/information-technology/1400604-vulnerability-tools-criteria-creep-and-trusted