New security tools from Tenable, HP, Co3 attempt the impossible

By John Breeden II | Aug. 12, 2014
Automated incident response is one of the fastest growing fields in computer security. Alternatively called threat monitoring, vulnerability management or threat management, it encompasses the seemingly impossible task of defending a network from active threats as they happen, in addition to detecting every possible vulnerability that could be exploited by an attacker.

The reason for all the tight security is that WebInspect launches real attack traffic, more than 3,300 checks against known vulnerabilities, at the web applications and hosts across an entire network. A team at HP constantly updates the number and type of checks so that the latest vulnerabilities can be found. Because this is active scanning, the time it takes scales with the number of targets: it's relatively quick for a moderate number of clients and devices, but can take days in massive enterprise settings.

Pointing it at a fake online bank with 800 devices that HP set up for the test took about a minute. Our much smaller local testbed was scanned in just a few seconds. Scan speed also depends on the hardware WebInspect is installed on. We used a workstation-class computer as our base, but a large enterprise user will likely want a server or appliance dedicated to scanning.

The attacks that WebInspect launches carry benign payloads: they don't do anything malicious, but the scanner records when they get through, showing that the same request could have caused mayhem at some level had it carried a dangerous payload. One caveat for practitioners: the requests themselves are still real traffic against live systems, so scans should be scoped, scheduled and rate-limited like any other active test. The value for security administrators is that WebInspect shows the attack used, the path the program took to reach its destination and the vulnerabilities that were exploited. Looking at the scan results, one can easily see why the program could be dangerous in the wrong hands, as it would provide multiple road maps showing how to successfully attack any network.

The idea is that security personnel can take the successful attack data, go to the exact systems that were successfully attacked and fix the hole. Then they can trigger WebInspect to relaunch just the specific attack they have tried to fix, to confirm that the vulnerability is gone. One by one, each attack path or vulnerability is thus eliminated until the network is clear of findings; note that a clean scan means no check in the current set succeeded, not that no vulnerabilities remain. The program then rescans the network on a regular schedule to look for new threats based on the latest checks, or as new devices come online, making it a core component of any automated incident response routine.

The base WebInspect program is incredibly powerful, but getting the full value of the program requires another element, HP WebInspect Agent, to be installed on scanned devices. The latest version of the Agent program is free to WebInspect users, but it needs to be installed on every individual device to get the added protection it offers.

Agent works by enhancing the information provided by WebInspect attacks. The biggest vulnerability found with Agent added to the mix was cross-site scripting (XSS), which could allow an attacker to inject their own script into pages the web server returns to other users. Only with Agent running on the backend could we obtain a stack trace locating this vulnerability in the application's code, since the Agent acts like an inside man, showing exactly what is going on inside the protected host system. Another advantage to using Agent is that attacks like SQL injection are better defined, with path information and the specific attack strings. While WebInspect alone can report that a server is vulnerable to those types of attacks, only with Agent does the exact database query the attack produced come to light.
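The scan-fix-rescan loop described above, and the difference between what the external scanner sees (a reflected marker, a login that succeeds without credentials) and what an in-process agent sees (the exact query the injected string produced), can be shown with a small Python model. This is an added example written for this page; it is not WebInspect or Agent code, and the `App` handler, the `Finding` record, the `XSS_MARKER` string and the `scan` function are all constructed here for illustration.

```python
import html
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


# Toy application under test. Constructed for this example; it is not
# WebInspect, HP's test bank, or any real code from the page.
class App:
    def __init__(self, escape_search: bool = False, parameterize_login: bool = False):
        self.escape_search = escape_search            # the fix for the XSS finding
        self.parameterize_login = parameterize_login  # the fix for the SQLi finding
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users(name TEXT, pw TEXT)")
        self.db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
        self.last_query: Optional[str] = None  # what an in-process agent would see

    def handle(self, path: str, params: Dict[str, str]):
        """Return (status, body) like a tiny HTTP handler."""
        if path == "/search":
            q = params.get("q", "")
            shown = html.escape(q) if self.escape_search else q  # unescaped = reflected XSS
            return 200, f"<p>Results for {shown}</p>"
        if path == "/login":
            user, pw = params.get("user", ""), params.get("pw", "")
            if self.parameterize_login:
                self.last_query = "SELECT name FROM users WHERE name=? AND pw=?"
                row = self.db.execute(self.last_query, (user, pw)).fetchone()
            else:  # string-built query: attacker text becomes SQL
                self.last_query = (f"SELECT name FROM users WHERE name='{user}' "
                                   f"AND pw='{pw}'")
                row = self.db.execute(self.last_query).fetchone()
            return (200, "welcome") if row else (401, "denied")
        return 404, ""


@dataclass
class Finding:
    check: str     # which attack was used
    path: str      # where it got through
    payload: str   # the exact attack string
    evidence: str  # response text, or the query an agent saw inside the app


XSS_MARKER = "<xssprobe>"  # inert marker: proves reflection, executes nothing


def check_reflected_xss(app: App) -> Optional[Finding]:
    _, body = app.handle("/search", {"q": XSS_MARKER})
    if XSS_MARKER in body:  # reflected unencoded, so a browser would parse it as markup
        return Finding("reflected-xss", "/search", XSS_MARKER, body)
    return None


def check_sqli_auth_bypass(app: App) -> Optional[Finding]:
    payload = "' OR '1'='1"
    status, _ = app.handle("/login", {"user": "nobody", "pw": payload})
    if status == 200:  # logged in with no valid credentials
        # Evidence is the query the agent saw inside the app, not just the response.
        return Finding("sqli-auth-bypass", "/login", payload, app.last_query or "")
    return None


CHECKS: Dict[str, Callable[[App], Optional[Finding]]] = {
    "reflected-xss": check_reflected_xss,
    "sqli-auth-bypass": check_sqli_auth_bypass,
}


def scan(app: App, only: Optional[List[str]] = None) -> List[Finding]:
    """Run every check, or just the named ones to re-test a specific fix."""
    names = only if only is not None else list(CHECKS)
    results = [CHECKS[n](app) for n in names]
    return [f for f in results if f is not None]


if __name__ == "__main__":
    for f in scan(App()):
        print(f"{f.check} at {f.path}: payload={f.payload!r} evidence={f.evidence!r}")
    # Fix one hole, re-run only that check, then confirm the other still fails.
    print(scan(App(parameterize_login=True), only=["sqli-auth-bypass"]))
    print([f.check for f in scan(App(parameterize_login=True))])
```

Running the full scan against the unfixed `App` yields both findings; parameterizing the login query and re-running only `sqli-auth-bypass` returns nothing, while the full scan still reports the XSS until the search output is escaped as well. The SQLi evidence field shows why the agent matters: the scanner only knows that a bad password logged it in, whereas the string recorded inside the app is the exact query with the injected `OR '1'='1'` clause.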
