EvilOctal Security Team Technical Discussion Group's Archiver

eviloctal 2007-4-12 10:15

[Repost] Pinpointing Your Security Risks

Original source: [url]http://www.itsecurity.com[/url]
Information source: EvilOctal Security Team ([url]www.eviloctal.com[/url])

For something that can be such an effective weapon against those who want to do damage to a network it’s ironic that vulnerability scanning got its start as a tool for the bad guys. Before they can get into networks hackers need to know where the most vulnerable spots are in an enterprise’s security. That means using scanning tools to trawl for such things as open network ports or poorly secured applications and operating systems.

In the past few years these intentions have been turned around, to where scanning tools now give the guys in the white hats a good idea of where the vulnerabilities are and a chance to repair them before the hackers get there.

At least they provide the potential for that. The fact is, many companies don’t seem to be taking advantage of these tools or if they do have them, they are not making much use of them. Gartner Research believes as many as 85% of the network attacks that successfully penetrate network defenses are made through vulnerabilities for which patches and fixes have already been released.

Endless Exploits
Now there is the rapidly expanding universe of Web based applications for hackers to exploit. A recent study by security vendor Acunetix claimed that as many as 70% of the 3,200 corporate and non-commercial organization Web sites its free Web based scanner has examined since January 2006, contained serious vulnerabilities and were at immediate risk of being hacked.

A total of 210,000 vulnerabilities were found, the company said, for an average of some 66 vulnerabilities per web site ranging from potentially serious ones such as SQL injections and cross-site scripting, to relatively minor ones such as easily available directory listings.

“Companies, governments and universities are bound by law to protect our data,” said Kevin Vella, vice president of sales and operations at Acunetix. “Yet web application security is, at best, overlooked as a fad.”

Patch Patrol
Vulnerability scanners seek out known weaknesses, using databases that are constantly updated by vendors to track down devices and systems on the network that are open to attack. They look for such things as unsafe code, misconfigured systems, malware and patches and updates that should be there but aren’t.

They also have several plus factors. They can be used to do a discovery "pre-scan", for example, to determine what devices and systems there are on the network. There's nothing so vulnerable as something no-one knew was there in the first place, and it's surprising how often those turn up in large and sprawling enterprises.

Many scanners can also be set to scan the network after patches have been installed to make sure they do what they are supposed to do. What vulnerability scanners can’t do is the kind of active blocking defense carried out by such things as firewalls, intrusion prevention systems and anti-malware products though, by working in combination with them, vulnerability scanners can make what they do more accurate and precise.

Passive Aggressive
Vulnerability scanners come as either passive or active devices, each of which has its advantages and disadvantages. Passive scanners are monitoring devices that work by sniffing the traffic that goes over the network between systems, looking for anything out of the ordinary. Their advantage is that they have no impact on the operation of the network and so can work 24 x 7 if necessary, but they can miss vulnerabilities, particularly on quieter parts of a network where little traffic is ever seen.

Active scanners probe systems in much the way hackers would, looking for weaknesses through the responses devices make to the traffic the scanners send to them. They are more aggressive and in some ways more thorough than passive scanners, but they can cause service disruptions and crash servers.

Many people see the two as complementary and recommend using passive and active scanners alongside each other. The passive scanners can provide the more continuous monitoring, while active scanners can be used periodically to flush out the cannier vulnerabilities.

Software vs. Hardware
The scanners can also come as either software-based agents placed directly on servers or workstations, or as hardware devices. Host-based scanners can use up processor cycles on the system, but are generally considered more flexible in the kinds of vulnerabilities they can scan. The network-based scanners are plug-and-play hardware devices that are self-contained and need less maintenance than software agents.

The focus of vulnerabilities has been changing over the past several years. On the one hand, organizations have become savvier about protecting their networks and systems, and hackers have had a harder time penetrating those defenses. At the same time, as Web-based services have become the lifeblood of many businesses, hackers have found a goldmine of potential exploits.

That's because Web traffic flows back and forth primarily through port 80 on a network, which has to be kept open if those Web-based services are to be available to a company's customers and business partners.

It's a hard-to-defend weak spot in enterprise defenses, and once hackers gain access to Web applications they can use them to get information from databases, retrieve files from root directories, or use a Web server to send malicious content in a Web page to unsuspecting users.

Interpreting the Results
Vulnerability scanning of Web applications works by launching simulated attacks against those applications, then reporting the vulnerabilities found together with recommendations on how to fix or eliminate them.

However, as powerful an addition as vulnerability scanning can be to the overall security of an enterprise, some observers advise caution in interpreting those results.

Kevin Beaver, an independent security consultant with Atlanta-based Principal Logic, LLC, says it takes a combination of the vulnerability scanner and a human knowledge of the network and context in which the scans were carried out to accurately interpret the results.

Left to themselves, he says, scanners will tend to spit out the information that their vendors think is important. What's also needed is an understanding of what was being tested at the time, how it was being tested, why the vulnerability is exploitable and so on. That will show whether vulnerabilities flagged as high priority actually are important in a particular user's environment, and therefore whether it's worthwhile putting in the effort to remediate them.

You absolutely need vulnerability scanners, Beaver said, because they take a lot of the pain out of security assessments.

“But you cannot rely on them completely,” he said. “A good tool plus the human context is the best equation for success.”
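An added example, not part of the reprinted article or of any vendor's scanner, of the active, database-driven probing described under "Patch Patrol" and "Passive Aggressive" above, together with the post-patch re-scan mentioned there. It connects to local constructed listeners, reads the banner each one volunteers, matches it against a hypothetical weakness table, then re-scans after one banner is "upgraded" and diffs the two runs. The services ExampleSSH and ExampleFTP, their version thresholds and the banner format are all made up for the example.

```python
"""Active banner-grab scanner with a post-patch re-scan (added example)."""
import re
import socket
import threading
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed, hypothetical weakness database: (banner regex, "version is weak"
# predicate, note). Real scanners ship thousands of vendor-maintained rules of
# roughly this shape; these two are invented for the example.
WEAK_RULES: List[Tuple[re.Pattern, Callable[[tuple], bool], str]] = [
    (re.compile(r"^ExampleSSH-(\d+)\.(\d+)"), lambda v: v < (2, 0), "ExampleSSH < 2.0 (hypothetical)"),
    (re.compile(r"^ExampleFTP/(\d+)\.(\d+)"), lambda v: v < (3, 1), "ExampleFTP < 3.1 (hypothetical)"),
]


@dataclass
class Finding:
    port: int
    state: str               # "open" or "open-no-banner"
    banner: str
    weakness: Optional[str]  # matched rule note, or None


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Tuple[str, str]:
    """One active probe: connect, read what the service volunteers, hang up.
    The timeout guards against services that wait for the client to speak first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return "open", s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                return "open-no-banner", ""
    except OSError:  # refused, unreachable or timed-out connect
        return "closed", ""


def match_weakness(banner: str) -> Optional[str]:
    for rx, is_weak, note in WEAK_RULES:
        m = rx.match(banner)
        if m and is_weak(tuple(int(g) for g in m.groups())):
            return note
    return None


def scan(host: str, ports) -> List[Finding]:
    """Discovery plus version check. Closed ports are dropped; open ports are
    kept even without a banner, because an unknown service is itself worth a look."""
    out = []
    for port in ports:
        state, banner = grab_banner(host, port)
        if state != "closed":
            out.append(Finding(port, state, banner, match_weakness(banner)))
    return out


def diff_scans(before: List[Finding], after: List[Finding]) -> dict:
    """Post-patch check: which weaknesses went away, which stayed, which appeared."""
    b = {(f.port, f.weakness) for f in before if f.weakness}
    a = {(f.port, f.weakness) for f in after if f.weakness}
    return {"fixed": sorted(b - a), "remaining": sorted(a & b), "new": sorted(a - b)}


class BannerServer:
    """Constructed target: a local listener that sends its banner and closes."""

    def __init__(self, banner: str):
        self.banner = banner
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.sock.accept()
            with conn:
                conn.sendall(self.banner.encode())


def demo():
    """Scan two listeners and one closed port, 'patch' the weak one, re-scan."""
    ssh = BannerServer("ExampleSSH-1.9\r\n")
    ftp = BannerServer("ExampleFTP/3.2 ready\r\n")
    probe = socket.socket()                      # grab a port nobody listens on
    probe.bind(("127.0.0.1", 0))
    closed = probe.getsockname()[1]
    probe.close()
    ports = [ssh.port, ftp.port, closed]
    before = scan("127.0.0.1", ports)
    ssh.banner = "ExampleSSH-2.1\r\n"           # simulate installing the upgrade
    after = scan("127.0.0.1", ports)
    return before, after, diff_scans(before, after)


if __name__ == "__main__":
    for label, result in zip(("before", "after", "diff"), demo()):
        print(label, result)
```

The one-second timeout and the single short read are what keep this probe on the gentle end of "active": it never sends data to the service, so it cannot trip the kind of crash the article warns about, but it also learns nothing from services that stay silent until spoken to, which is why real scanners layer protocol-specific probes on top of this and why the article pairs them with passive monitoring.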

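An added example, not from the reprinted article or from Acunetix or any other vendor, of the "simulated attacks" against Web applications that "Endless Exploits" and "Interpreting the Results" describe. Rather than a network target it scans two in-process constructed applications: one that builds SQL by string concatenation and echoes its parameter raw, and the hardened version of the same handler with a bound parameter and escaped output. The probe list, error-string pattern and reflection marker are this example's own choices, not any product's signatures.

```python
"""Web-application scan against a constructed target (added example)."""
import html
import re
import sqlite3
from typing import List, Tuple

# sqlite's own parser wording; a scanner would carry one such pattern per DBMS.
SQL_ERROR_RX = re.compile(r"unrecognized token|syntax error|incomplete input", re.I)
SQLI_PROBES = ["'", "\"", "' OR '1'='1"]
REFLECT_MARKER = "<zzq1x>"  # unlikely string; returned unescaped => reflection


def seeded_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products(name TEXT)")
    db.executemany("INSERT INTO products VALUES (?)", [("apple",), ("pear",)])
    return db


class VulnerableApp:
    """Constructed 'before': string-built SQL, raw echo of the parameter and
    a leaked database error. Deliberately left vulnerable."""

    def __init__(self):
        self.db = seeded_db()

    def search(self, q: str) -> str:
        try:
            rows = self.db.execute(
                f"SELECT name FROM products WHERE name LIKE '%{q}%'").fetchall()
        except sqlite3.Error as e:
            return f"<p>Database error: {e}</p>"
        return f"<p>Results for {q}</p>" + "".join(f"<li>{r[0]}</li>" for r in rows)


class HardenedApp:
    """Constructed 'after': bound parameter, escaped output, generic error."""

    def __init__(self):
        self.db = seeded_db()

    def search(self, q: str) -> str:
        try:
            rows = self.db.execute(
                "SELECT name FROM products WHERE name LIKE ?", (f"%{q}%",)).fetchall()
        except sqlite3.Error:
            return "<p>Search failed</p>"
        return f"<p>Results for {html.escape(q)}</p>" + "".join(
            f"<li>{html.escape(r[0])}</li>" for r in rows)


def scan_search(app) -> List[Tuple[str, str, str]]:
    """Returns (check, probe, evidence) triples: the evidence is what lets a
    human confirm or dismiss the finding later."""
    findings = []
    for probe in SQLI_PROBES:
        body = app.search(probe)
        m = SQL_ERROR_RX.search(body)
        if m:
            findings.append(("sql-injection", probe, body[m.start():m.start() + 40]))
            break  # one confirmed error is enough; more probes add risk, not proof
    body = app.search(REFLECT_MARKER)
    if REFLECT_MARKER in body:
        findings.append(("reflected-xss", REFLECT_MARKER, "marker returned unescaped"))
    return findings


if __name__ == "__main__":
    print("vulnerable:", scan_search(VulnerableApp()))
    print("hardened:  ", scan_search(HardenedApp()))
```

Both checks are error- and reflection-based, which is the cheapest kind of Web probe and also the blindest: an application that swallows database errors will pass the injection check while still being injectable, and a marker that is reflected inside a JavaScript string or an attribute may need a different payload than one in element text. The scanner's output is therefore evidence to be confirmed by someone who knows the application, which is the point Beaver makes above.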
ring04h 2007-4-30 15:48

Translation:

Title: Targeting Your Security Risks

There are some things that can become an effective weapon against the bad guys who attempt to damage networks and who got their start using vulnerability lookup as a tool.

Before hackers get into a network, they need to know where the most vulnerable points in the enterprise's security center are. This means using scanning tools to trawl, and similar things, for open network ports or not-very-secure applications and operating systems.

In the past few years these intentions have changed; scanning tools can help the good guys by showing where the vulnerable points are, and give them a chance to modify them before hackers do damage.

At least they provide this possibility. In fact, many companies cannot take advantage of these tools, or even if they have them, they cannot make full use of them. Gartner's research holds that as many as 85% of network attacks successfully break through network defenses by way of vulnerable points such as patches or already-published fixes.

Endless Exploits

Today, on the basis of Web applications, hacker attacks are developing faster and faster. Recently, research published by security vendor Acunetix showed that since January 2006, of 3,200 companies and non-commercial organizations, as many as 70% relied on the website's free scanner, which contained serious vulnerabilities and the danger of being broken into at any moment.

A company representative said that a total of 210,000 vulnerabilities were found, an average of about 66 per website, including potential threats such as SQL injection and cross-site scripting, and these vulnerabilities were all within easy reach.

"Companies, governments and universities are connected to the law in order to protect our data," said Kevin Vella, vice president of sales and operations at Acunetix, "but Web application security, at best, is just a byword for being ignored."

Patch Patrol

Vulnerability scanners can find known weaknesses, using databases constantly updated by vendors to track down network devices and systems, which is called open attack. They look for things like insecure code, misconfigured systems, malware, and patches and updates that should be there but have not yet appeared.

There are also those that add these factors together. They can be used to do a "pre-scan", for example to determine which devices and systems are on the network. Nothing is so vulnerable that no one knows it was there in the first place. Often, before a large company knows it, it has already astonished everyone.

Many scanners can also be set to scan the network after patches are installed, to make sure they do their job. The only thing vulnerability scanners cannot do is the active defensive blocking of firewalls, intrusion prevention systems and anti-malware products. But combined with these, vulnerability scanners can become more accurate and precise.

Static Attack

Whether vulnerability scanners are static or dynamic devices, each has its own advantages and disadvantages. Static scanners are monitoring devices, similar to a means of transport, that can be used to probe the network between systems and find abnormal places. Their advantage is that they do not affect network operation and, if necessary, can work 24 hours a day, but they may miss some vulnerable points on a static network.

Dynamic scanning probes systems, as many hackers do, looking for weak links through what the scanner sends to the responder. They are very aggressive, and in some ways more thorough than passive scanners, but they may cause server interruptions and crashes.

Many people think the two complement each other and recommend using static and dynamic scanning together. Static scanners can provide more continuous monitoring, while dynamic scanners can be used periodically to find vulnerable points.

Software and Hardware

Scanners come either as software agents placed directly on servers or workstations, or as hardware devices. Host-based scanners can be used cyclically on the system, but it is generally believed that they can scan for a more flexible range of vulnerabilities. Network-based scanners are plug-and-play hardware devices that require less from software agents.

In the past few years, the focus of vulnerability has changed. On the one hand, organizations have become the saviors protecting their networks and systems, and it is hard for hackers to break through this line of defense. At the same time, as Internet-based services, these vulnerabilities have become the lifeline hackers rely on, and hackers have found a promising gold mine.

That is because website traffic runs back and forth mainly through port 80 on the network; if a company's customers and business partners are to get those website services, this port has to be kept open.

In enterprise defense, this is a hard-to-defend weak link. Once hackers get into a Web application, they can use the information database they obtained, take files out of the root directory, or use the Web server to distribute web pages with malicious content to unsuspecting users.

Interpreting the Results

Vulnerability scanning, together with Web applications, launches simulated attacks against these applications and then reports the vulnerable points it finds and the way it thinks they should be solved or eliminated.

However, for something as powerful for the security of the whole enterprise as a vulnerability scanner, some observers caution that these results must be interpreted carefully.

Kevin Beaver, a security consultant at Principal Logic, LLC of Atlanta, says that by combining a vulnerability scanner with human knowledge of the network and putting them in context, the scanner can interpret the results accurately.

He says scanners will keep the data to themselves and then release the information their vendors think is important. What also needs to be understood is what was being tested, how the test was carried out, why it leaks easily, and so on. This will show whether, in a particular user's environment, marking a vulnerable point as high priority really matters. Therefore, whether or not it is worthwhile, one must put in the effort to remediate.

Beaver says you absolutely need vulnerability scanning, because it takes a lot of the pain out of security assessments. "But you cannot rely on them," he says. "A good tool plus human background is the best formula for success."
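An added example, not from the article, its translation, or Kevin Beaver, of the point both make under "Interpreting the Results": raw scanner output carries the vendor's idea of severity, and the human context (what was tested, whether the service is even running, whether a control already sits in front of it, how exposed and how sensitive the host is) decides what is actually worth remediating. The findings, the asset inventory, the plugin names and the scoring weights below are all constructed for the example; the scoring rule is this example's own, not any standard's.

```python
"""Context-aware triage of raw scanner findings (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class RawFinding:
    host: str
    plugin: str            # scanner check id, hypothetical, family is the first token
    vendor_severity: int   # 1 (low) .. 4 (critical), as the scanner reported it
    service: str           # service the check was run against


@dataclass
class Asset:
    internet_exposed: bool
    data_sensitivity: int        # 1 (public) .. 3 (regulated or confidential)
    running_services: Set[str]   # what is really listening, from the inventory
    compensating: Set[str]       # controls in front of the host, e.g. {"waf"}


# Which check families a given control neutralises (constructed mapping).
MITIGATED_BY = {"waf": {"xss", "sqli"}}


def effective_priority(f: RawFinding, asset: Asset) -> Tuple[int, str]:
    """Vendor score adjusted by environment; returns (0..5, reason)."""
    family = f.plugin.split("-")[0]
    if f.service not in asset.running_services:
        return 0, "service not running on host: stale finding or false positive"
    if any(family in MITIGATED_BY.get(c, set()) for c in asset.compensating):
        return max(f.vendor_severity - 2, 1), "compensating control in place, verify it covers this path"
    score = f.vendor_severity
    score += 1 if asset.internet_exposed else -1   # reachable by anyone, or only insiders
    score += asset.data_sensitivity - 2            # what an attacker gets if it works
    return max(1, min(5, score)), "adjusted for exposure and data sensitivity"


def triage(findings: List[RawFinding], inventory: Dict[str, Asset]):
    """Deduplicate per (host, check), score with context, return a worklist
    ordered by effective priority."""
    seen = set()
    ranked = []
    for f in findings:
        key = (f.host, f.plugin)
        if key in seen:
            continue  # scanners often repeat one check per port or virtual host
        seen.add(key)
        score, why = effective_priority(f, inventory[f.host])
        ranked.append((score, f.host, f.plugin, why))
    return sorted(ranked, key=lambda r: (-r[0], r[1], r[2]))


# Constructed sample: the kind of report a scanner hands back, plus what the
# operators know about those hosts. Hosts and checks are hypothetical.
INVENTORY = {
    "dmz-web": Asset(True, 3, {"http", "https"}, set()),
    "intranet-wiki": Asset(False, 1, {"http"}, {"waf"}),
    "db-01": Asset(False, 3, {"postgres"}, set()),
}
REPORT = [
    RawFinding("dmz-web", "sqli-001", 4, "http"),
    RawFinding("dmz-web", "sqli-001", 4, "https"),        # duplicate of the above
    RawFinding("intranet-wiki", "xss-017", 3, "http"),
    RawFinding("db-01", "ftp-anon-002", 4, "ftp"),        # no FTP service actually runs
    RawFinding("intranet-wiki", "http-dirlist-003", 1, "http"),
]


def demo():
    return triage(REPORT, INVENTORY)


if __name__ == "__main__":
    for score, host, plugin, why in demo():
        print(f"{score}  {host:<14} {plugin:<18} {why}")
```

The two context checks that change the picture most are the cheap ones: confirming the service is really listening before trusting a version-match finding, and knowing which controls sit in the path. Both need inventory data the scanner does not have, which is what "a good tool plus the human context" comes down to in practice.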

© 1999-2008 EvilOctal Security Team