» Vendor Management

Automated Scanning Vendors – Are they enough?

Posted on September 16, 2009 by Nathan Drier 3 Comments

There are many choices out there when it comes down to validating the security of your external network. The range of services and skill levels available are almost overwhelming when you first set out on your search. You’ll find high school students who charge you for Nmap ouput, veterans of the security industry who write shellcode in assembly as a hobby, and everything in between. You want to make sure your website and mail server aren’t easy pickings for hackers….but where do you start?

Somewhere along the line, you read about a vendor that offers daily, automated scanning. You browse around the website and are impressed; glossy, web 2.0 transitions, pretty graphs, and mesmerizing verbiage. Then you find the price-tag; its less than a third of what you’ve been quoted by other companies. You glance at your dwindling security budget, and then back to the other benefits they offer: PCI certification, website security verification seals, and daily scanning. At this point you are more than interested, and I don’t blame you.

Seduced

The way it works is simple. You sign up for a scan, feed in your domains names and IP addresses, and hit the giant GO button. Twenty minutes later, you have the scan results in your web portal. If the scan comes back clean, or with no high risk issues – they give you access to a “Site Seal”. This seal goes on your website and shows customers that you passed a scan from a certain vendor, and this assumes a certain level of security. From here on out, the availability of the seal on your website is contingent upon ‘passing’ these scans. If a nasty IIS vulnerability comes out and you don’t patch – you fail the scan and your seal gets taken away.

There are many of these vendors to choose from; Hackersafe, ScanAlert, ControlScan, Shoppersafe, HackResistant, TrustKeeper, Trust-Guard, eSecurity and Comodo, just to name a few. Each of them offer the general vulnerability scanning service, with numerous add-ons. These additions can range from website badges saying you are using a particular vendor, detailed customer service, help with issue remediation, and some even offer insurance if your site ever gets hacked. What’s that old adage about boasting that your site is hack-proof?

Behind the Scenes

This is all great news, but what’s really going on behind the scenes of a scan? What do they really look for? More importantly, what issues and vulnerabilities would they miss? To answer some of my own questions, I created a fake website and signed it up for a number of these scanning vendors. I built a Ubuntu Linux system and installed some common services such as Apache and SSH. I then configured Apache and iptables for debug logging, and used tcpdump to capture all the traffic coming to the web site. During the testing, I allowed connections to my website only from the scanning vendor to eliminate Internet noise. This setup allowed me to get a copy of ALL the data that the scanning vendor sent to the web server. Basically, I had the data to reverse engineer their scan.

Just Give it Some Paint

Going through the raw data, I noticed one thing quickly: I saw a whole lot of Nessus traffic. It’s almost identical to a Nessus scan, right down to the plugin output. Some vendors allow you to enable extra functionality such as Nikto (a default add-in in Nessus) some custom plugins and full port scans. The following shows a quick search of the packet capture file:

$ strings vendor1_scan1.pcap | grep Nessus | sort -u

From: Nessus <sip:xxx.xxx.xxx.xxx:5060>

GET /NessusTest455840692.html HTTP/1.1

print(“Content-Type: text/plain\r\n\r\n”, “Nessus=”, 42+42);r

<p>The requested URL /NessusTest455840692.html was not found on this server.</p>

sHarmless Nessus echo test

SSH-1.33-NessusSSH_1.0

SSH-1.5-NessusSSH_1.0

TRACE /Nessus1233760340.html HTTP/1.1

User-Agent: Mozilla/4.75 [en] (X11; U; Nessus)

Using Nessus isn’t bad at all – we use it internally here at Redspin and love it. It’s a great way to double-check work, or add another layer of testing in a very automated way. The idea is that relying on Nessus alone with no human interaction, no manual poking and prodding, and no validation will likely leave you with a false sense of security. Vulnerability scanning should aid you in your work, not do the bulk of it. What you get is raw scanner output – nobody to go through and validate the issues, check the services it couldn’t enumerate, or worse: go behind it and see what it missed.

Some vendors did full port scans of the target machine. With most of the vendors, you had to specifically enable this option – although it had no bearing on the site seals or PCI compliance. When I enabled full port scans, and then hid some services on random, high ports – they were caught by the scanner. If you pay for any kind of vulnerability assessment that does not offer full port scanning (barring web application assessments), you are wasting your money.

The reporting was decent. The issues and findings that the vulnerability scanner found were formatted and presented in all the portal nicely. They provide all the information you need to configure your scans properly, and provide enough resources for the customer to understand how to fix the issues. I’m sure if you contacted customer support with the majority of these vendors, they would be more than happy to help. In fact, during my use of one of the scanners, I contacted customer support for help. I kept seeing an issue raised about TCP Sequence Prediction on my IIS server, which is impossible since I was using Apache. I sent support an email, and they replied:

“That threat would be tagged as a False Positive, but since it is purely informational it is not necessary. Only urgent, critical, or high threats need to be remediated for PCI Compliance and seal access.”

Seems like they might be more focused on keeping your site “Seal Approved” than actually solving issues. Seals are good for ROI and increasing customer confidence – but when it comes down to it, I’d be more concerned if someone could make off with customer data.

The price spread on these services is huge. One company offers the scanning for 15 dollars a month, while the next offers it for 1,400 dollars a year. Is it worth it? That depends on your company and your network. I doubt your Myspace page needs an audit. If you sell Beanie Babies in a Yahoo store, or if you are the webmaster of The Furby Fan Club, you might be a prime candidate for one of these vendors. Even if you own a high-volume e-commerce site, studies show that a site seal can increase ROI and Sales by up to 10% because the seal instills so much confidence in the customer. If you get 10% more sales just by having this seal on your site – I’d say its well worth it. Just keep in mind: you paid for the seal on your website, not the peace of mind of a hack-proof network.

The Old Rabbit-in-the-Hat Trick

The truth is, scanning vendors do offer a valuable service. They will indeed identify some of the critical, low-hanging fruit on your network. They may find the very outdated Apache install, the default credentials on that router, and might even find a SQL Injection flaw in your web application. What they won’t find is everything else – things that they don’t have an exact scan fingerprint for. Its like putting all your eggs in one basket, except the eggs are remote-root exploits and the basket has a few holes in it.

I’ve done External Assessments for websites that were certified by one of these vendors, and it was a mess. They were getting a clean bill of health from their scanning vendor, but in reality they were a nightmare. They had a PHPMyAdmin install that was very outdated and contained numerous high-impact vulnerabilities (like the ‘I own your database’ kind), but the directory was renamed (to something obvious) – so the scanner didn’t find it. They also had a version of SMTP that was vulnerable to a buffer overflow with proof of concept code available, but it wasn’t in the scan results because it was a very recent exploit. These are two critical, high-impact vulnerabilities that the largest automated scanning vendor missed.

Whats the moral of the story? The basic vulnerability scanning and ROI these services provide can be useful. It comes down to you, the customer, being able to decide what’s best for your business. If your site is a low traffic, brochure-ware setup, or a low-risk e-commerce setup, then maybe a scanning vendor can help you with basic security problems, as well as provide a little boost in ROI / sales. On the other hand, if a website or server is your company’s lifeline, or its critical to your reputation or compliance – you should consider a little more in-depth security assessment.

Taking the Ethical out of Hacker

Posted on July 10, 2009 by admin 2 Comments

Security Review Site Really a Front for a Security Consulting Company?

The security space is a very interesting arena. For the customer, it’s often very difficult to separate fact from fiction in many aspects. There are security companies that sell you audits, and then sell you their “solutions”. There are security companies with flashy websites and huge marketing campaigns, only to be stocked with sub-par talent and less than average processes. There are security companies that praise their technical ability and hacker prowess, only to plug your website into a bulk vulnerability scanner and hand you output. Now, it appears that customers have yet another foggy metric to analyze:

Biased inner-industry security company reviews.

Recently, we were alerted that we are under review from a blog that “exposes” IT security providers. Due to popular demand, we were named as the next in line for review (http://secreview.blogspot.com/). Thinking something seemed a little fishy, we set off to track down some details that made us believe this review site was really a front for Netragard:

Also, check out this Google search that one of our engineers tracked down.

  • A Fox in the Henhouse. Some weeks ago, we were approached via echat from someone claiming to be a potential customer, but really turned out to be members of Netragard and Snosoft inquiring about our services. Netragard provides IT security services. Knowing that when a company in the same industry as yours comes calling and asking all about your services, its probably not because they need an audit, we were very leery about doling out any in-depth information. When you spend years refining a process that provides the best possible value to your customers, why hand it out to all your competitors?
  • No Hackers Allowed. We find part of our external IP space interestingly blacklisted from accessing www.netragard.com, aligning suspiciously with the blog posting on the Secreview site.
  • We are the Best! Interesting enough, Netragard gets the highest rank from the Secreview site. They get the only A+ (the plus must mean better) out of all the reviews. Most everyone else gets a C or below.
  • I Know your Way Home. Digging through our chat logs, we found an interesting little trail. The chatters claimed to be using a whitepaper from “one of our competitors” to ask questions regarding our services. At this point in the chat – we have a suspicious feeling that whoever is on the other end is with SnoSoft/Netragard. When asked about their relation to SS/NG – they replied:

“I’m not sure why you are asking me about snosoft/netragard other than the fact that these questions come from one of their white papers.”

  • Using the email they provided in our chat session – we got down to work. The email is referenced in a Google-indexed PDF. We search the PDF to find end notes that reference the email address to a current high-ranking employee of Netragard. We found multiple social networking accounts, all belonging to employees of SS/NG, with the same user name as the initial email.
  • I Got My Reviewing Degree Online. Even if this reviewing site was from an unbiased team, the review methodology is a little questionable. I’m not sure how you can forecast about a security company’s technical abilities by analyzing the copy on their website, but it appears to be a valid metric on the Secreview site. I’d rather see some actual, real world work from the company in question to make my decision.
  • Spikes! A nice spike in traffic from Netragard LLC IP space to the redspin.com website.

Hits

So let me ask you this, If I got to grade all my peers in my Art History class – would you believe the results? Forget the reviews you read, as the industry has apparently progressed (or regressed) to the point where reviews by “Real World Ethical Hackers” are nothing more than biased marketing shouts by false-fronts to other security companies. Why not try the following to REALLY audit the auditors:

  • Communication. If you feel dirty after talking to an auditor, chances are they aren’t for you. Call up and chat with an engineer or sales rep. They should be helpful and willing to answer your questions if you are legitimate customer.
  • References. Ask your auditor for some references, and chat up those references about the quality of work, the communication process, and the technical ability of the auditor. Nobody will give you a better review of a company than someone who paid for their work.
  • Contributions to the security community. Does your auditor do research, write relevant articles and papers, or stay on the cutting edge? Ask for education histories and recent research to be sure.
  • Objectivity. Does your auditor sell firewalls and managed services? If so, you can expect their number one finding to be that you need them. Make sure your auditor is purely objective and doesn’t try to sell you solutions.

See here for more information: http://www.redspin.com/research_eight_questions.html

In the end, it comes down to you to make the decision. Know the right questions to ask, build relationships with your vendors, and take an active part in the choices your organization makes regarding security. Stay safe, its stormy out there.

P.S. Our CEO has contacted the Secreview blog site and is waiting for a response. If anyone has experience with Secreview and wants to chat, don’t hesitate to contact us.

Vendor Management: are your vendors secure?

Posted on June 24, 2009 by John Abraham in Main | Leave a comment

If you ask the 50 banks that recently had customer data exposed when their accounting firm lost a number of their audit laptops to theft, the answer is no. Incredibly, the accounting firm’s lost laptops apparently did not utilize data encryption even though they contained sensitive customer information. This left the banks in the un-welcomed position of having to notify customers of a data breach.


Anecdotally, our experience doing security audits across many industries indicates that much (maybe even most) of the risk of sensitive data loss in an enterprise is associated with their vendor’s lack of adequate security controls.


Ironically, when a company outsources a service they are also outsourcing much of the security risk. For example, Read more