
Information Assurance Tools Report: Vulnerability Assessment
Tools Report, Fifth Edition
September 25, 2009

Distribution Statement A
Approved for public release; distribution is unlimited.

Table of Contents

SECTION 1 • Introduction  1
1.1 Purpose  2
1.2 Scope  2
1.3 Report Organization  2

SECTION 2 • IT Risk Management Overview  5
2.1 Background  5
2.2 Growth in IT Incidents and Vulnerabilities  5
2.3 What is Risk Management?  6

SECTION 3 • Automated Vulnerability Assessment Tools  9
3.1 How Vulnerability Assessment Tools Work  9
3.2 Definition Box  9
3.3 How Vulnerability Assessment Tools Can Be Incorporated into a Security Plan  11

SECTION 4 • Tool Collection  13
4.1 Classification  13
4.2 Tool Selection Criteria  13

SECTION 5 • Vulnerability Analysis Tools  15
Acunetix® Web Vulnerability Scanner  16
AppDetective  17
ASG Information Assurance Application (IA2)  18
BigFix® Security Configuration and Vulnerability Management Suite  19
Computer Oracle and Password (COPS)  20
CORE IMPACT™  21
DominoScan II  22
DumpSec v2.8.6  23
eTrust® Policy Compliance  24
Fortiscan Vulnerability Management  25
GFI LANguard®  26
Gideon SecureFusion Vulnerability Management  27
Host Based Security System (HBSS)  28
Internet Scanner®  29
Lumension Scan™  30
MBSA 2.1  31
McAfee® Vulnerability Manager  32
Metasploit  33
N-Stalker® Web Application Security Scanner  34
nCircle® IP360  35
Nessus® Vulnerability Scanner  36
NetIQ® Secure Configuration Manager  37
Network Mapper (Nmap®)  38
Nikto v2.03  39
Orascan  40
Paros Proxy v3.2.0 Alpha  41
Proventia® Network Enterprise Scanner  42
proVM Auditor  43
QualysGuard® Vulnerability Management  44
Rational AppScan®  45
Retina Network Security Scanner  46
SAINT  47
SecondLook™  48
SecureScout® NX  49
SecureScout® Perimeter  50
Security Auditor’s Research Assistant (SARA) v7.9.1  51
Security Administrator’s Tool for Analyzing Networks (SATAN)  52
SNScan v1.05  53
ThreatGuard® Secutor Magnus  54
Triumfant Resolution Manager®  55
Typhon III  56
WebInspect  57
WebScarab  58

SECTION 6 • Related Resources  59

SECTION 7 • Recommended Resources  61

SECTION 8 • Definitions  63

SECTION 9 • Definitions of Acronyms and Key Terms  65

IA Tools Report  i

IATAC’s mission is to provide DoD with a central point of access for information on emerging technologies in IA and cyber security. These include technologies, tools, and associated techniques for detection of, protection against, reaction to, and recovery from information warfare and cyber attacks that target information, information-based processes, information systems, and information technology. Specific areas of study include IA and cyber security threats and vulnerabilities, scientific and technological research and development, and technologies, standards, methods, and tools through which IA and cyber security objectives are being or may be accomplished.

As an IAC, IATAC’s basic services include collecting, analyzing, and disseminating IA scientific and technical information; responding to user inquiries; database operations; current awareness activities (e.g., the IAnewsletter, IA Digest, IA/Information Operations Events Scheduler, and IA Research Update); and publishing State-of-the-Art Reports, Critical Review and Technology Assessments reports, and Tools Reports.

The IA Tools Database is one of the knowledge bases maintained by IATAC. This knowledge base contains information on a wide range of intrusion detection, vulnerability analysis, firewall applications, and anti-malware tools. Information for the IA Tools Database is obtained via open-source methods, including direct interface with various agencies, organizations, and vendors. Periodically, IATAC publishes a Tools Report to summarize and elucidate a particular subset of the tools information in the IATAC IA Tools Database that addresses a specific IA or cyber security challenge. To ensure applicability to Warfighter and Research and Development Community (Program Executive Officer/Program Manager) needs, the topic areas for Tools Reports are solicited from the DoD IA community or based on IATAC’s careful ongoing observation and analysis of the IA and cyber security tools and technologies about which that community expresses a high level of interest.

SECTION 1 • Introduction

The Information Assurance Technology Analysis Center (IATAC) provides the Department of Defense (DoD) with emerging scientific and technical information to support Information Assurance (IA) and defensive information operations. IATAC is one of 10 Information Analysis Centers (IAC) sponsored by DoD and managed by the Defense Technical Information Center (DTIC). IACs are formal organizations chartered by DoD to facilitate the use of existing scientific and technical information. Scientists, engineers, and information specialists staff each IAC. IACs establish and maintain comprehensive knowledge bases that include historical, technical, scientific, and other data and information, which are collected worldwide. Information collections span a wide range of unclassified, limited-distribution, and classified information appropriate to the requirements of sponsoring technical communities. IACs also collect, maintain, and develop analytical tools and techniques, including databases, models, and simulations.


Inquiries about IATAC capabilities, products, and services may be addressed to:

Gene Tyler, Director
13200 Woodland Park Road, Suite 6031
Herndon, VA 20171
Phone: 703/984-0775
Fax: 703/984-0773
Email: [email protected]
http://iac.dtic.mil/iatac
SIPRNET: https://iatac.dtic.mil

1.1 Purpose

This report provides a brief background on information technology (IT) risk assessment and risk management concepts, a short primer on vulnerability assessment tools, and an index of vulnerability assessment tools contained in the IATAC IA Tools Database. Moreover, the report provides users with an understanding of why engaging in risk management activities such as conducting vulnerability and risk assessments is an important aspect of assuring your critical IT asset’s ability to effectively support your critical missions. Finally, this report provides a summary of the characteristics and capabilities of publicly available vulnerability assessment tools. IATAC does not endorse, recommend, or evaluate the effectiveness of any specific tools. The written descriptions are based solely on the suppliers’ claims and are intended only to highlight the capabilities and features of each tool. These descriptions do not reflect the opinion of IATAC. It is up to the readers of this document to assess which product, if any, might best meet their needs. Technical questions concerning this report may be addressed to [email protected].

1.2 Scope

Currently, the IATAC database contains descriptions of numerous tools that can be used to support vulnerability and risk assessment activities. Vulnerability analysis tools are programs that help automate the identification of vulnerabilities in a network or system. Vulnerabilities can be defined as weaknesses in a system’s security scheme, exploitation of which would negatively affect the confidentiality, integrity, or availability of the system or its data. The type and level of detail of information provided among tools varies greatly. Although some can identify only a minimal set of vulnerabilities, others can perform a greater degree of analysis and provide detailed recommended countermeasures. The most recent development in vulnerability management is the ability for a tool to scan for vulnerabilities, analyze the impact of the vulnerability, determine a solution, identify the appropriate patches and security fixes, and finally, even deploy those patches in real time.

The majority of the tools identified in the IA Tools Database are available on the Internet, and many are used by crackers in the first stage of an attack: vulnerability information gathering. Penetration tools, which perform destructive actions (e.g., denial of service attacks), are excluded from this category. Sniffers and Trojan Horse programs also are excluded. Although many network utilities (e.g., host, finger) are valuable in identifying vulnerabilities on a host, they are often an automated component of vulnerability analysis tools, and therefore are not individually described in the database. The database includes commercial products, individually developed tools, government-owned tools, and research tools. The database was built by gathering as much open-source data as possible, analyzing that data, and summarizing information regarding the basic description, requirements, availability, and contact information for each vulnerability analysis tool collected. Generally, the commercially developed products are available. The government and academic tools, however, are reserved for specific projects and organizations.

1.3 Report Organization

This report is organized into eight sections. Section 1 provides an introduction to IATAC and the vulnerability analysis tools report. Section 2 summarizes the fundamentals of IT risk assessment and risk management. Section 3 provides background information on how automated vulnerability assessment tools work. Section 4 explains the classification of tools highlighted in this report, how they were selected, and the schema of the IA Tools Database. Section 5 includes a listing of currently available host, network, Web-application, and database-application vulnerability scanners as well as tools able to manage vulnerabilities in all of the scanning areas as well as apply patches. Sections 6 and 7 provide recommended resources that are related to the topic of vulnerability assessment and definitions associated with this report. Finally, Sections 8 and 9 contain IA-related definitions and acronyms, respectively.


SECTION 2 • IT Risk Management Overview

2.1 Background

Critical Infrastructures, both cyber and physical, “provide the foundation for and enable the functioning of every facet of American Society.” [2] In view of the heightened concerns about the wide variety of threats and hazards that our nation faces and the potential impact on the ability of our critical infrastructure to resiliently support overarching missions, the executive branch has issued a number of actions that assign responsibilities, direct planning, and enhance training to protect the nation’s critical infrastructure and respond to all types of threats. Homeland Security Presidential Directive 7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection (dated December 2003), and The National Strategy to Secure Cyberspace and The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (both dated February 2003) specifically address the different threats and protection/assurance of the nation’s most vital resources by providing overarching policy guidance. These all focused on defensive strategies, and HSPD-7 did not address the protection of federal government information systems. The Comprehensive National Cybersecurity Initiative (CNCI), codified in the classified directive known as National Security Presidential Directive (NSPD)-54/HSPD-7, aims to unify defensive missions in cyber security with those of law enforcement, intelligence, counterintelligence, and military to defend against the full spectrum of threats to the nation’s critical infrastructure.

In the constantly evolving world of IT, ensuring that our vital systems remain operational is of paramount importance and in line with the national strategy. To this end, Secretary Janet Napolitano of the Department of Homeland Security (DHS) has adopted “a policy of being prepared for all risks that can occur” [9] to assure the resiliency of our nation’s critical infrastructures. Cyber assets obviously make up a significant portion of our nation’s critical assets and also provide support to even more critical assets by acting as a critical supporting infrastructure asset.

2.2 Growth in IT Incidents and Vulnerabilities

Automated attacks on information systems, and especially attacks against Internet-connected systems, continue to grow at such an exponential rate that they are viewed as almost commonplace. In fact, as of 2004, Carnegie Mellon’s Computer Emergency Response Team (CERT) stopped tracking the number of incidents reported per year because they believe it “provides little information with regard to assessing the scope and impact of attacks.” [1] The number of incidents reported from 1988 through the end of 2003 is listed in Figure 1. Carnegie Mellon’s CERT now tracks data on the number of vulnerabilities that are reported each year. Figure 2 lists the number of vulnerabilities that were reported from 1995 through the end of the third quarter of 2008.

Along with the continually increasing number of incidents and the rising number of known vulnerabilities, the speed at which systems are attacked is also continuing to accelerate. Identifying vulnerabilities and addressing them in a timely manner is crucial to maintaining a secure environment and saves money in the long run. The vulnerability that the Conficker worm exploited was discovered in September 2008, and Microsoft released a patch in October 2008. Conficker was not released until November 2008 and had multiple variants labeled Conficker A through Conficker E (up until the time of writing). Minimal estimates for Conficker infections are around three million, while more realistic estimates are around nine million to 15 million total infections. [11] The economic impact ranges from the hundreds of millions to billions of dollars to address the exploit. If more people had identified the vulnerability and applied patches when Microsoft first released them, Conficker would have been a non-issue.


2.3 What is Risk Management?

Many different risk assessment and management methodologies exist within the public and private domains. Therefore, to fully understand risk management, it is important to first define and understand “risk.” According to the Merriam Webster Dictionary, risk is defined as the “possibility of loss or injury.” Insurance companies often view risk as “the degree or probability of such loss.” [3] Although there are numerous definitions of risk, all definitions are composed of three basic components—

• Assets (i.e., read it as “impact of loss”),
• Threats (i.e., read it as “all possible hazards”),
• Vulnerabilities.

Assets

An asset in the general sense is firm property or information that is of significant value (known as a critical asset). In risk management, an asset refers to the amount of damage losing a firm asset will cause if something bad occurs. Given that most enterprise networks have hundreds or thousands of networked information systems, vulnerability analysis and assessment by manual methods are virtually impossible. In addition, it is impossible to completely ensure that all assets are secure. Therefore, it is imperative that information security managers and system owners focus on identifying only their critical assets—those assets without which the organization’s key missions would be significantly degraded or cease to function. This is a key part of the risk assessment process.

Figure 1 Number of Security Incidents Reported (1988–2003)

Figure 2 Number of Vulnerabilities Reported (1995–Third Quarter 2008)


Threats

Risks to critical assets can come from a variety of threats that can be considered possible hazards and usually fall into three categories—

• Man-made (intentional),
• Natural disaster,
• Accidental (unintentional) disruptions.

Therefore, an effective approach to threats will consider the full spectrum of threats and hazards, including natural disasters (e.g., floods, fires, hurricanes), domestic or international criminal activity, construction mishaps such as cutting fiber optic lines, and other types of incidents.

Vulnerabilities

Vulnerabilities are often defined as openings or pathways that a given threat can exploit to do harm to a critical asset. With the three main components of risk in mind, a picture of risk can be formulated. Risk is viewed as the area where all three circles overlap, as illustrated in Figure 3.

Articulated as a mathematical formula, risk looks like the following—

Risk = Threat x Vulnerability x Cost of Asset

We can now more fully define risk as being a function of the likelihood that a specific hazard/threat will exploit a given vulnerability and that the resulting impact of loss of the critical asset will cause significant degradation or even mission failure of the organization.

With a firm understanding of risk, risk management can now be defined. Typically, risk management is a process for identifying and prioritizing the cost of assets, threats, and vulnerabilities, then making rational decisions regarding the expenditure of resources and the implementation of countermeasures to reduce risk of loss associated with the exploitation of critical assets. Figure 4 illustrates the risk assessment and management processes.

Figure 3 Components of Risk Diagram

Because our world is constantly changing, risk management is an ongoing activity. For example, technology is continually evolving, especially in the IT world, which introduces new vulnerabilities. Threats continue to evolve as well and sometimes even what is designated as a critical asset changes because the needs and priorities of an organization change. Risk management can save resources, time, and even lives.


Figure 4 Risk Assessment and Management Process

From this point forward, this report focuses on the vulnerability portion of the risk equation.


SECTION 3 • Automated Vulnerability Assessment Tools

3.1 How Vulnerability Assessment Tools Work

Vulnerability assessment tools, in general, work by attempting to automate the first three steps often employed by hackers: 1) perform a footprint analysis, 2) enumerate targets, 3) test/obtain access through user privilege manipulation (see Table 1). The vulnerability assessment tools evaluate network-attached devices (servers, desktops, switches, routers, etc.) for vulnerable or potentially vulnerable situations. Often the vulnerabilities that are identified by these tools are programming flaws; however, some tools provide enough data that an analyst can uncover design, implementation, and configuration vulnerabilities.

In the case of network-based tools, a network footprint analysis is performed by scanning for accessible hosts. The tools enumerate available network services (e.g., file transfer protocol, hypertext transfer protocol) on each host as accessible hosts are identified. As part of the enumeration services, scanners attempt to identify vulnerabilities through banner grabbing, port status, protocol compliance, service behavior, or exploitation. These terms are defined in Section 3.2 of this document.

Some advantages to vulnerability assessment tools are that they—

• More clearly define an asset,
• Discover technological and network vulnerabilities,
• Provide multi-perspective view points,
• Help properly scope the analysis,
• Reference public catalogs,
• Highlight design, implementation, and configuration vulnerabilities.

When a scanner finds a host with open ports, it checks those ports for vulnerabilities to known attacks. Most scanners include exploit tests that verify whether a given service or application is vulnerable. Most scanning tools perform tests based on their database of vulnerabilities. Just as anti-virus products must be constantly updated with new signatures, assessment tools must be continually updated with revisions to their vulnerability databases. If a vulnerability is not included in a tool’s database, it cannot be detected through scanning.

3.2 Definition Box

Hacker’s Methodology – A common approach to system exploitation—

1. Perform a footprint analysis
2. Enumerate targets
3. Test/obtain access through user privilege manipulation
4. Escalate privileges
5. Gather additional passwords and secrets
6. Install backdoors
7. Leverage the compromised system

Table 1 Hacker’s Methodology

Banner Grabbing

This term refers to grabbing information that a network service broadcasts about itself. For example, opening a telnet session to a mail server might yield the following message:

220 mailhost.company.com ESMTP service (Netscape Messaging Server 4.15 Patch 7 [built September 11, 2001])

This example banner reveals the specific type of mail server that is running and its patch level. Similarly, a telnet connection to a Web server might yield information such as the following—


HTTP/1.1 200 OK
Date: Wed, 02 Jul 2003 22:03:21 GMT
Server: Apache/1.3.27 (Win32) PHP/4.2.2
X-Powered-By: PHP/4.2.1
Connection: close
Content-Type: text/html

In this case, the banner reveals the time on the Web server, the Web server type and version, an accessible scripting language (hypertext preprocessor [PHP]), and the operating system on which it is running.
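The two banners quoted above are exactly what a scanner (or an administrator auditing their own servers) has to parse. The following added example, not part of the report, pulls host, product, version, patch level and platform out of them and flags what each banner discloses; the banner strings are copied from the text, everything else is constructed for the example.

```python
import re

# Sample input constructed from the two banners quoted in the report.
SMTP_BANNER = ("220 mailhost.company.com ESMTP service (Netscape Messaging "
               "Server 4.15 Patch 7 [built September 11, 2001])")
HTTP_BANNER = ("HTTP/1.1 200 OK\r\n"
               "Date: Wed, 02 Jul 2003 22:03:21 GMT\r\n"
               "Server: Apache/1.3.27 (Win32) PHP/4.2.2\r\n"
               "X-Powered-By: PHP/4.2.1\r\n"
               "Connection: close\r\n"
               "Content-Type: text/html\r\n\r\n")

# "Product/1.2.3" tokens as they appear in Server and X-Powered-By headers.
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")
# Headers a scanner reads for software identification, in the order we report them.
FINGERPRINT_HEADERS = ("server", "x-powered-by")


def parse_smtp_banner(banner):
    """Split an SMTP 220 greeting into host, product string, version, patch and build date."""
    m = re.match(r"220[ -](\S+)\s*(.*)", banner.strip())
    if not m:
        return None
    host, rest = m.groups()
    paren = re.search(r"\(([^)]*)\)", rest)       # product text usually sits in parentheses
    product = paren.group(1) if paren else rest
    version = re.search(r"\b(\d+(?:\.\d+)+)", product)
    patch = re.search(r"\bPatch\s+(\d+)", product, re.I)
    built = re.search(r"\[built ([^\]]+)\]", product, re.I)
    return {
        "host": host,
        "product": re.sub(r"\s*\[.*?\]", "", product).strip(),
        "version": version.group(1) if version else None,
        "patch": patch.group(1) if patch else None,
        "built": built.group(1) if built else None,
    }


def parse_http_banner(raw):
    """Parse the status line and headers of an HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    products = []
    for h in FINGERPRINT_HEADERS:
        products.extend(PRODUCT_RE.findall(headers.get(h, "")))
    os_hint = re.search(r"\(([^)]*)\)", headers.get("server", ""))  # e.g. "(Win32)"
    return {"status": status, "headers": headers, "products": products,
            "os_hint": os_hint.group(1) if os_hint else None}


def disclosure_findings(http_info):
    """Defender-side checks: what does this banner give away, and is it self-consistent?"""
    findings = []
    for name, version in http_info["products"]:
        findings.append(f"version disclosed: {name} {version}")
    if http_info["os_hint"]:
        findings.append(f"platform disclosed: {http_info['os_hint']}")
    if "x-powered-by" in http_info["headers"]:
        findings.append("X-Powered-By header present")
    # The same product reported with two versions (as in the quoted banner) points
    # to a misconfigured or deliberately altered banner; a scanner keying on one of
    # them will produce a false positive or false negative.
    seen = {}
    for name, version in http_info["products"]:
        if seen.setdefault(name, version) != version:
            findings.append(f"inconsistent versions for {name}: {seen[name]} vs {version}")
    return findings


if __name__ == "__main__":
    print(parse_smtp_banner(SMTP_BANNER))
    for finding in disclosure_findings(parse_http_banner(HTTP_BANNER)):
        print(finding)
```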

Port Status

This term refers to checking to determine which network ports are open to allow connections to applications. For network services that use Transmission Control Protocol (TCP), this is done by sending a TCP connect() request to ports on the remote system. If the queried port is listening, the connect() succeeds and the port is considered open; if nothing is listening, the connect() fails and the port is considered closed. There are several other methods of checking port status, such as TCP SYN (synchronize) scans, TCP FIN (finish) scans, and so forth, that are beyond the scope of this report.
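The connect() probe described above, written as an added example (not from the report) in the form a defender actually uses it: checking a host you administer against its allowlist of expected listening ports and reporting drift. The listener and the allowlist are constructed fixtures so the example runs against 127.0.0.1 only.

```python
import socket
import threading
from contextlib import closing


def tcp_port_status(host, port, timeout=0.5):
    """Classify one TCP port with a connect() probe: 'open' when the connect
    succeeds (a service is listening), 'closed' when it is actively refused,
    'filtered' when nothing answers before the timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except OSError:              # socket.timeout and other unreachable conditions
            return "filtered"
        return "open"


def audit_ports(host, ports, expected_open):
    """Probe the given ports and report drift from the allowlist: services that
    should not be exposed, and expected services that are not answering."""
    status = {port: tcp_port_status(host, port) for port in ports}
    return {
        "status": status,
        "unexpected_open": sorted(p for p, s in status.items()
                                  if s == "open" and p not in expected_open),
        "expected_but_closed": sorted(p for p in expected_open
                                      if status.get(p) != "open"),
    }


def start_listener(host="127.0.0.1"):
    """Constructed test fixture: a throwaway listener so the example has a
    known-open port. Returns the server socket (close it when done) and its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:          # server socket closed
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def free_closed_port(host="127.0.0.1"):
    """Constructed test fixture: a port that nothing is listening on."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_closed_port()
    # Allowlist deliberately wrong both ways to show both kinds of drift.
    print(audit_ports("127.0.0.1", [open_port, closed_port], expected_open={closed_port}))
    srv.close()
```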

Protocol Compliance

This term refers to the way an application or operating system adheres to a standard procedure for data processing or transmission. One of the most common ways of using protocol compliance to identify remote systems is to interrogate the TCP stack. By monitoring the header information of outbound packets, it is possible to make accurate guesses regarding the remote operating system. By examining the Time To Live on the packet, its Window Size, the Don’t Fragment bit, and the Type of Service, it is possible in many cases to determine exactly which implementation of the TCP stack is on the remote system. (See Figure 5.) Determining the TCP stack narrows the number of possible operating systems, sometimes identifying the exact operating system.

Figure 5 TCP Connection (3-way Handshake)
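An added example (not from the report) of the inference described above: the observed TTL is normalised back to the sender's initial TTL to estimate hop distance, the header fields are matched against a signature table, and the result is checked against an asset inventory, which is how a defender catches hosts whose stack does not match what the records claim (the Windows/IIS versus Linux/Apache confusion in Section 3.3). The signature table, packets and inventory are constructed and deliberately coarse; only the initial-TTL defaults are real.

```python
# Initial TTL values used by common IP stacks (widely documented defaults).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# Constructed, coarse signature table for the example; real fingerprinting
# tools ship thousands of entries. A value of None matches anything.
SIGNATURES = [
    {"name": "Linux-like stack",         "initial_ttl": 64,  "df": True, "window": None},
    {"name": "Windows-like stack",       "initial_ttl": 128, "df": True, "window": None},
    {"name": "Solaris/Cisco-like stack", "initial_ttl": 255, "df": None, "window": None},
    {"name": "Legacy stack (TTL 32)",    "initial_ttl": 32,  "df": None, "window": None},
]

# Constructed observations of TCP SYN headers as a passive sensor might record them.
OBSERVED = {
    "10.0.0.5":  {"ttl": 57,  "window": 29200, "df": True, "tos": 0},
    "10.0.0.9":  {"ttl": 122, "window": 65535, "df": True, "tos": 0},
    "10.0.0.12": {"ttl": 60,  "window": 29200, "df": True, "tos": 0},
}
# Constructed asset inventory: what the records claim each host runs.
INVENTORY = {
    "10.0.0.5": "Linux-like stack",
    "10.0.0.9": "Windows-like stack",
    "10.0.0.12": "Windows-like stack",   # mismatch: observed TTL says otherwise
}


def infer_initial_ttl(observed_ttl):
    """Every router decrements TTL by one, so the sender's initial TTL is the
    smallest common default >= the observed value and the difference is the
    hop count. Returns (initial_ttl, hops)."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    return 255, 255 - observed_ttl     # unreachable: 255 is in the table


def fingerprint(packet):
    """Match one packet's TTL, window size and DF bit against SIGNATURES."""
    initial_ttl, hops = infer_initial_ttl(packet["ttl"])
    candidates = []
    for sig in SIGNATURES:
        if sig["initial_ttl"] != initial_ttl:
            continue
        if sig["df"] is not None and sig["df"] != packet["df"]:
            continue
        if sig["window"] is not None and sig["window"] != packet["window"]:
            continue
        candidates.append(sig["name"])
    return {"initial_ttl": initial_ttl, "hops": hops,
            "candidates": candidates, "tos": packet.get("tos", 0)}


def verify_inventory(observed, inventory):
    """Hosts whose passively observed stack is not among the candidates for
    what the inventory says they run; each one deserves a closer look."""
    return sorted(host for host, pkt in observed.items()
                  if inventory.get(host) not in fingerprint(pkt)["candidates"])


if __name__ == "__main__":
    for host, pkt in OBSERVED.items():
        print(host, fingerprint(pkt))
    print("inventory mismatches:", verify_inventory(OBSERVED, INVENTORY))
```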

Service Behavior

This term refers to the way a network service responds to remote requests. Different implementations of a given type of service may result in slightly different behavior from remote requests. For example, a “help” command response from a sendmail email server is different from the result from a postfix email server.

Exploitation

Computer network exploitation (CNE) refers to the “enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks.” [14] CNE can be accomplished through a variety of means such as packet sniffing, hijacking TCP connections, port scanning, and address resolution protocol (ARP) spoofing. For example, ARP spoofing is a technique used to exploit ethernet networks. This type of spoofing can be used in two different ways—

• Sending fake, or spoofed, ARP messages to an ethernet local area network,
• As part of a “man-in-the-middle attack.”

The first means of exploitation is accomplished by sending frames that contain false media access control addresses, thus confusing network devices, such as network switches. The resulting effect is that the frames that are intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack). The second means of exploitation is accomplished by forwarding all traffic through a host with the use of ARP spoofing and then analyzing the frames for passwords and other information.


3.3 How Vulnerability Assessment Tools Can Be Incorporated into a Security Plan

Security plans are a critical aspect of a firm or organization’s secure operations. Security plans, or more precisely, system security plans, are specific guidelines and procedures to accomplish the secure setup, operation, and maintenance of an information system. To effectively implement a system security plan for a large infrastructure, it is necessary to leverage security technology to automate the important and otherwise time-consuming aspects of the security operations.

Tools for scanning are invaluable for gaining a snapshot of the vulnerabilities that exist on a given network at a given point in time. Most scanning tools include a reporting option or module that explains the vulnerabilities detected and provides a ranking of the criticality of each problem (e.g., high, medium, low). To enhance the security of your systems, assessments should be performed on a routine basis. This will provide the users and administrators assurance that the system is free from malicious code. Just as thousands of vulnerabilities are reported each year, systems must be scanned at regular and frequent intervals to ensure that they are not susceptible to attack. In addition, when new hosts are connected to the system, networks must be checked for the risks that these new systems might bring to the overall network. Checks must also be conducted when newly discovered weaknesses in existing applications and operating systems are announced. After all, “a fundamental tenet of security is that a chain is only as strong as its weakest link and a wall is only as strong as its weakest point. Smart attackers are going to seek out that weak point and concentrate their attention there.” [13] A single host that is vulnerable to attack puts the entire network at risk.

The identification of vulnerabilities on a system is only half the challenge. The other half of the challenge is fixing the vulnerabilities that are found. Identified vulnerabilities can be corrected via patches, updating, or even reconfiguring the system. Finding the time and money to correct the vulnerability can be a challenge. The system and network administrators must work with management to share the information that was found during the assessment and weigh the costs of correcting the vulnerability against the benefits. There are tools that can automatically patch a large number of vulnerabilities and systems, but they are often very expensive. Managers and administrators need to understand their environment and choose a solution that fits. A manager can choose not to spend the money on a more robust patch management solution, but must realize that manpower must replace what he or she has chosen not to purchase in an automated solution.

Unfortunately, scanning tools suffer from false positive problems and false negative problems in vulnerability identification that are similar to anti-virus products. A false positive means that a tool finds a vulnerability that does not exist. For example, a particular scanner may report that a network server is a Windows® 2000 system that is vulnerable to a known Microsoft Internet Information Server (IIS) Web server bug, when in fact, the server is a Linux system running the Apache Web server. A false negative means that a tool fails to find an existing vulnerability. An example of this behavior could be when a particular tool tests a network host and fails to discover that it is remotely exploitable through an anonymous login.

Ultimately, common sense must be applied to all findings to ensure that meaningful vulnerabilities are corrected; however, time should not be wasted on erroneous results. Finding the right balance can sometimes be difficult. One potential strategy for reducing the number of false positives and false negatives is to run two different scanners against a given network and compare the results. In most cases, the results of both tools will complement each other so that no weaknesses are overlooked. In all cases, it is necessary to have a knowledgeable and responsible security professional who can effectively leverage security tools to manage the security operations of an organization.
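One way to carry out the two-scanner comparison recommended above, as an added example that is not part of the report: the script below normalizes findings from two scanners (constructed sample results, not real scanner output; the hosts, ports and check names are made up) by host, port and check, separates findings both tools agree on from those only one reported, and flags hosts whose OS fingerprints disagree, which is the situation behind the Windows/IIS-versus-Linux/Apache false positive the text describes.

```python
"""Cross-check two vulnerability scanners' results to surface likely false
positives and false negatives.  Added example; not code from the report."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check: str      # the scanner's name for the check (constructed labels below)
    os_guess: str   # operating system the scanner fingerprinted on the host


# Constructed sample results from two hypothetical scanners, modelled on the
# report's example: scanner A fingerprints 10.0.0.5 as Windows 2000 and reports
# an IIS check against it; scanner B fingerprints the same host as Linux and
# reports an Apache check.  Hosts, ports and check names are made up.
SCANNER_A = [
    Finding("10.0.0.5", 80, "iis-webdav-check", "Windows 2000"),
    Finding("10.0.0.5", 22, "ssh-weak-ciphers", "Windows 2000"),
    Finding("10.0.0.7", 21, "ftp-anonymous-login", "Linux"),
]
SCANNER_B = [
    Finding("10.0.0.5", 22, "ssh-weak-ciphers", "Linux"),
    Finding("10.0.0.5", 80, "apache-version-check", "Linux"),
    Finding("10.0.0.7", 21, "ftp-banner-only", "Linux"),
]


def _keys(findings):
    """Identify each finding by (host, port, check) so the scanners compare alike."""
    return {(f.host, f.port, f.check) for f in findings}


def _os_by_host(findings):
    """Collect every OS fingerprint a scanner reported for each host."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.os_guess)
    return by_host


def correlate(scan_a, scan_b):
    """Split findings into those both scanners agree on, those only one scanner
    reported (a candidate false positive for that scanner and a candidate false
    negative for the other), and hosts whose OS fingerprints disagree."""
    keys_a, keys_b = _keys(scan_a), _keys(scan_b)
    os_a, os_b = _os_by_host(scan_a), _os_by_host(scan_b)
    report = {
        "confirmed": sorted(keys_a & keys_b),
        "only_a": sorted(keys_a - keys_b),
        "only_b": sorted(keys_b - keys_a),
        "os_conflict": [],
    }
    for host in sorted(set(os_a) & set(os_b)):
        if os_a[host] != os_b[host]:
            report["os_conflict"].append((host, sorted(os_a[host]), sorted(os_b[host])))
    return report


def review_queue(report):
    """Order the single-scanner findings for manual verification.  A finding on
    a host whose OS the scanners disagree about is the most likely false
    positive (the report's Windows/IIS-versus-Linux/Apache case) and sorts
    first; the remaining single-scanner findings follow."""
    conflicted = {host for host, _, _ in report["os_conflict"]}
    queue = []
    for source in ("only_a", "only_b"):
        for host, port, check in report[source]:
            if host in conflicted:
                priority, reason = 0, "os fingerprint disagreement"
            else:
                priority, reason = 1, "reported by one scanner only"
            queue.append((priority, host, port, check, source, reason))
    queue.sort()
    return [entry[1:] for entry in queue]


if __name__ == "__main__":
    rep = correlate(SCANNER_A, SCANNER_B)
    print("confirmed by both scanners:", rep["confirmed"])
    for item in review_queue(rep):
        print("verify manually:", item)
```

Findings the scanners agree on can go straight to remediation; the review queue holds the disagreements, where the anonymous FTP login seen by only one scanner is the text's false-negative case for the other.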

11 IA Tools Report

Section 3 Automated Vulnerability Assessment Tools

SECTION 4 Tool Collection

4.1 Classification

Existing community relationships were leveraged during the process of data gathering on the tools. Collection activities included Internet searches to identify additional corporations, professional organizations, and universities with involvement in vulnerability analysis.

The tools described in the IATAC IA Tools Database can be categorized within one or more of the topical areas listed below—

• Host scanning—Host-scanning tools scan critical system files, active processes, file shares, and the configuration and patch level of a particular system. The results produced from this type of tool are usually very detailed because they run on the host system at the same permission level as the user conducting the scan. Although host-based tools provide very detailed results, sometimes the volume of data that is produced from these scans (i.e., when conducted across several hosts) can be difficult to aggregate and correlate to produce results (imagine an administrator trying to physically visit and test 1,000 workstations).
• Network scanning—Network-scanning tools scan available network services for vulnerabilities through banner grabbing, port status, protocol compliance, service behavior, or exploitation.
• Web application scanning—Web application-scanning tools designed specifically for the Web are a specialized form of network or host scanner that interrogate Web servers or scan Web source code for known vulnerabilities (e.g., DominoScan). These tools often search for the presence of default accounts, directory traversal attacks, form validation errors, insecure cgi-bin files, demonstration Web pages, and other vulnerabilities.
• Database application scanning—Database application-scanning tools that are specifically designed for databases are a unique form of network scanner. These tools interrogate database servers for known vulnerabilities (e.g., AppDetective).
• Vulnerability and patch management—The category of Vulnerability and Patch Management has tools that wrap up many aspects of vulnerability management. These tools address vulnerabilities, policy compliance, patch management, configuration management, and reporting. These are meant to be all-in-one solutions that make managing very large networks and domains efficient and require as little manpower as possible.

4.2 Tool Selection Criteria

The selected tools meet the following three criteria—

• Definition—These tools satisfy the objective, approach, and methodology of a vulnerability analysis tool based on the definition of vulnerability.
• Specificity to vulnerability analysis—The primary function of these tools is vulnerability analysis or vulnerability management. These tools may also be used during the first stages of a penetration attack as a way of identifying the target system’s weaknesses and helping to fine-tune the attack. Penetration test tools, whose primary purpose is to exploit identified vulnerabilities and cause damage or destruction to the target system, are not included.
• Current availability—The tools that are included in this report are currently available from the Government, academia, or commercial sources, or as freeware on the Internet. Some tools that were included in previous versions of this report are no longer available or have been renamed. All tools from previous releases of this report that are no longer available have been removed.


Trademark Disclaimer

The authors have made a best effort to indicate registered trademarks where they apply, based on searches in the U.S. Patent and Trademark Office Trademark Electronic Search System for “live” registered trademarks for all company, product, and technology names. There is a possibility, however, that due to the large quantity of such names in this report, some trademarks may have been overlooked in our research. We apologize in advance for any trademarks that may have been inadvertently excluded, and invite the trademark registrants to contact the IATAC to inform us of their trademark status so we can appropriately indicate these trademarks in our next revision. Note that we have not indicated non-registered and non-U.S. registered trademarks due to the inability to research these effectively.

Legend For Tables

For each tool described in this section, a table is provided that gives certain information about that tool. This information includes—

Type: The type of tool, or category in which this tool belongs, e.g., “Web Application Scanning”.
Operating System: The operating system(s) on which the tool runs. If the tool is an appliance, this field will contain a “not applicable” symbol (N/A) because the operating system is embedded in the tool.
Hardware: The third-party hardware platform(s) on which the tool runs, plus any significant additional hardware requirements, such as minimum amount of random access memory or free disk space. If the tool is an appliance, this field will contain a “not applicable” symbol (N/A) because the hardware is incorporated into the tool.
License: The type of license under which the tool is distributed, e.g., Commercial, Freeware, GNU Public License.
NIAP Validated: An indication of whether the product has received a validation by the National Information Assurance Partnership (NIAP) under the Common Criteria, Federal Information Processing Standard 140, or another certification standard for which NIAP performs validations. If no such validation has been performed, this field will be blank.
Common Criteria: If the tool has received a Common Criteria certification, the Evaluation Assurance Level and date of that certification. If no such certification has been performed, this field will be blank.
Developer: The individual or organization responsible for creating and/or distributing the tool.
URL: The Uniform Resource Locator (URL) of the Web page from which the tool can be obtained (downloaded or purchased), or in some cases, the Web page at which the supplier can be notified with a request to obtain the tool.

SECTION 5 Vulnerability Analysis Tools

Section 5 summarizes pertinent information, providing users a brief description of available vulnerability analysis tools and vendor contact information. Again, IATAC does not endorse, recommend, or evaluate the effectiveness of these tools. The written descriptions are drawn from vendors’ information and are intended only to highlight the capabilities or features of each product. It is up to the reader to assess which product, if any, may best suit his or her security needs.

IATAC does not endorse any of the following product evaluations.

Acunetix® Web Vulnerability Scanner

Abstract
Acunetix’s engineers have focused on Web security since 1997 and have developed tools for Web site analysis and vulnerability detection.

Features
• AcuSensor Technology;
• An automatic JavaScript analyzer allowing for security testing of Ajax and Web 2.0 applications;
• Structured Query Language (SQL) injection and cross-site scripting (XSS) testing;
• Visual macro recorder allows for testing Web forms and password protected areas;
• Reporting facilities including VISA Payment Card Industry (PCI) compliance reports;
• Multi-threaded scanner crawls hundreds of thousands of pages;
• Crawler detects Web server type and application language;
• Acunetix crawls and analyzes Web sites, including Flash content, SOAP, and AJAX;
• Port scans a Web server and runs security checks against network services running on the server.

Type: Web Application Scanning
Operating System: Windows XP, Vista, 2000, Server 2003
Hardware Requirements: 1 gigabyte (GB) random access memory (RAM), 100 megabyte (MB) disk space
License: Commercial (Free Trial Copy)
NIAP Validated:
Common Criteria Rating:
Developer: Acunetix
Availability: http://www.acunetix.com/vulnerability-scanner/

AppDetective

Abstract
A network-based vulnerability assessment scanner, AppDetective discovers database applications within an infrastructure and assesses their security strength. In contrast to piecemeal solutions, AppDetective modules allow enterprises to assess two primary application tiers—application/middleware, and back-end databases—through a single interface. Backed by a proven security methodology and extensive knowledge of application level vulnerabilities, AppDetective locates, examines, reports, and fixes security holes and misconfigurations. As a result, enterprises can proactively harden their database applications while at the same time improving and simplifying routine audits.

Features
• Automated database discovery and inventory,
• User rights management,
• Job scheduling,
• Database-specific vulnerability assessment,
• Compliance mapping,
• “Outside-in” and “inside-in” vulnerability testing,
• Industry leading database vulnerability knowledge base,
• Automated information gathering and analysis,
• Scalable database scanning,
• Advanced, customizable reporting.

Type: Database Scanning
Operating System: Windows XP, Server 2003
Hardware Requirements: 750 Megahertz (MHz) central processing unit (CPU), 512 MB RAM, 300 MB Disk Space
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Application Security, Inc.
Availability: http://www.appsecinc.com/products/appdetective/

ASG Information Assurance Application (IA2)

Abstract
ASG’s Information Assurance Application (IA²) automates the reporting requirements of DISA. IA² automatically parses, stores, tracks, and reports on the Defense Information Systems Agency’s (DISA) Security Readiness Review, third party vulnerability scanner results, and DISA’s Security Checklists. IA² has the ability to synchronize the local database with the third party vulnerability scanners as well as the DISA Security Readiness Review scripts. All of the data from each source is combined and cross referenced, giving a complete view of your environment. IA² also incorporates a robust reporting solution allowing for tracking, trending, and ad hoc reporting.

Features
• Federal Information Security Management Act of 2002 (FISMA) automation,
• Vulnerability gap analysis,
• Scanner cross-referencing,
• Information drilldown,
• Automated security checklist,
• Accepts third party scan,
• Advanced reporting,
• Trending,
• Automatically updates signatures,
• Automatic reporting,
• Ad Hoc reporting,
• Secure communication,
• Secure data storage,
• Distributed architecture,
• Windows authentication,
• Role-based security.

Supported Scanners
• Foundstone,
• Harris STAT,
• eEye,
• Nessus,
• nCircle.

Type: Vulnerability and Patch Management
Operating System:
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Atlantic Systems Group, Inc. (ASG)
Availability: http://www.asg.cc/IA2/

BigFix® Security Configuration and Vulnerability Management Suite

Abstract
Offered as part of the BigFix Security Configuration and Vulnerability Management suite, BigFix Vulnerability Management reduces risk across the enterprise for all assets, whether they are fixed or mobile, desktops, laptops, or servers. Through a repository of vulnerability assessment policies, BigFix provides organizations with the ability to assess their managed systems against Open Vulnerability Assessment Language (OVAL)-based vulnerability definitions. Each managed endpoint quietly and continuously evaluates the state of the endpoint, and reports on any non-compliant policy in real-time by leveraging the power of the BigFix Unified Management platform. Additionally, the BigFix high performance architecture enables the industry’s fastest time to remediation and closely bridges assessment with remediation by applying necessary patch and configuration policies.

Features
• Assess managed endpoints against known vulnerabilities using pre-defined, out-of-the-box OVAL-based policy definitions;
• Identify and eliminate known vulnerabilities across hundreds of thousands of endpoints using automated policy enforcement or manual deployment;
• Continuously enforce policies on or off the network;
• Map all vulnerabilities to industry standards to provide Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System references and links to the National Vulnerability Database (NVD);
• Integrate with BigFix Patch Management and Security Configuration Management for comprehensive assessment and remediation of identified vulnerabilities;
• Create flexible, on-demand ad-hoc custom queries and reports;
• Security Content Automation Protocol (SCAP) validated.

Type: Vulnerability and Patch Management
Operating System: Windows Server 2000/2003/2008
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: BigFix
Availability: http://www.bigfix.com/content/vulnerability-management

Computer Oracle and Password (COPS)

Abstract
Computer Oracle and Password (COPS) is a security toolkit that examines a system for a number of known weaknesses, and it alerts the system administrator to these weaknesses. In some cases, it can automatically correct these problems.

Type: Database Scanning
Operating System: Unix
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Dan Farmer
Availability: http://ftp.cerias.purdue.edu/pub/tools/unix/scanners

CORE IMPACT™

Abstract
CORE IMPACT Pro is a comprehensive software solution for assessing the security of network systems, endpoint systems, email users, and Web applications. Backed by Core Security’s ongoing vulnerability research and threat expertise, IMPACT Pro allows you to get in-depth visibility of your organization’s network and application vulnerabilities.

Features
• Gather system information via Network Discovery, Port Scanner, and operating system (OS) and Service Identification modules;
• Identify critical OS, service, and application vulnerabilities with a constantly updated library of Commercial-Grade Exploits;
• Demonstrate the consequences of a breach by replicating the steps an attacker would take, including opening command shells, browsing file systems, and seeking administrative privileges;
• Emulate multistaged threats that leverage compromised systems as beachheads to launch internal attacks against backend network resources;
• Run tests without installing modules on compromised systems, or altering them in any way;
• Generate reports containing actionable data for prioritizing remediation, demonstrating security improvements, and complying with regulations;
• CORE IMPACT Pro enables you to test Web applications against XSS (URL-based), SQL Injection, Blind SQL Injection, and Remote File Inclusion for PHP applications;
• Identify weaknesses in Web applications, Web servers, and associated databases—with no false positives;
• Dynamically generate exploits that can compromise security weaknesses in custom applications;
• Demonstrate the consequences of a successful attack by replicating local attacks against back-end resources;
• Get actionable data necessary for focusing development resources on remediating proven security issues.

Type: Network Scanning
Operating System: Windows XP, Windows Vista
Hardware Requirements: 3 Gigahertz (GHz) Pentium 4+ CPU, 1 GB+ RAM, 1 GB+ Disk space, 1024x768+ resolution
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Core Security Technologies
Availability: http://www.coresecurity.com/content/core-impact-overview

DominoScan II

Abstract
DominoScan II was specially developed to present the attacker’s eye view of the security issues surrounding Lotus Domino Web servers and bespoke Notes applications. Running on Microsoft Windows, DominoScan II (DSII) has the capability to audit Lotus Domino Web Servers running on any operating system. An NGSSoftware-developed technique (Database Structure Enumeration) allows DSII to interrogate every view, form, and agent within a database, even if access control list (ACL) access protection has been invoked. It will perform an exhaustive range of tests on each document, auditing over one hundred sensitive and default databases and subjecting all documents to a vigorous set of vulnerability assessment checks.

Features
• Attempts to gain access to over 100 sensitive/default databases;
• Web Administrator template access using ReplicaID;
• Web Administrator template access using buffer truncation;
• ‘cache.dsk’ access using buffer truncation;
• Directory traversal;
• Database browsing;
• Audits bespoke databases;
• Unique database structure enumeration technology;
• Finds hidden and visible views;
• Default Navigator Access;
• Attempts to bypass default Navigator protection;
• Evaluates database design;
• Checks every document for Edit access;
• Attempts a forced search;
• ReadEntries & ReadViewEntries access;
• Reporting in HyperText Markup Language (HTML) (Static/Dynamic), eXtensible Markup Language (XML), Text file, rich text format, and Open Database Connectivity (Microsoft) database;
• Fast, easy to use, and highly configurable;
• Can perform focused audits;
• Unique Spidering capability offering intelligent scanning;
• Ability to scan as an authenticated user;
• Ability to perform QuickHit audit;
• Vulnerability link to CVE.

Type: Web Application Scanning
Operating System: Windows 2003, 200, XP, NT 4.0
Hardware Requirements: 500 MHz Pentium III, 512 MB RAM, 20 MB Disk Space
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Next Generation Security Software
Availability: http://www.nextgenss.com/products/internet-security/dominoscan.php

DumpSec v2.8.6

Abstract
SomarSoft’s DumpSec is a security auditing program for Microsoft Windows NT/XP/200x. It dumps the permissions (Discretionary Access Control Lists) and audit settings (System Access Control Lists) for the file system, registry, printers, and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group, and replication information.

Type: Host Scanning
Operating System: Windows NT/XP/200x
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: SomarSoft
Availability: www.somarsoft.com

eTrust® Policy Compliance

Abstract
eTrust Policy Compliance provides enterprises with the tools and information necessary to eliminate one of the most overlooked threats to networks: misconfigured assets. eTrust Policy Compliance helps organizations identify and compare the security configurations of their critical business assets to an established baseline, provides configuration remediation, and measures progress through risk-based reporting. eTrust Policy Compliance provides a comprehensive policy and configuration assessment process to mitigate risk and ensure compliance with security policies, government regulations, and industry standards.

Features
• Identify misconfigured IT assets,
• Create secure configuration baselines and monitor deviations,
• Provide configuration remediation and measure progress through risk-based reporting,
• Offer extensible tools and open interfaces for custom security configuration management.

Type: Network Scanning
Operating System: Linux, Windows, Unix
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Computer Associates
Availability: http://www3.ca.com/solutions/Product.aspx?ID=165

Fortiscan Vulnerability Management

Abstract
FortiScan provides a centrally managed, enterprise-scale solution that enables organizations to close IT compliance gaps and implement continuous monitoring in order to audit, evaluate, and comply with internal, industry, and regulatory policies for IT controls and security at the OS level. Organizations realize quick time-to-value with easy to install, intuitive, high value standard compliance policies (National Institute of Standards and Technology [NIST] SCAP, Federal Desktop Core Configuration [FDCC], PCI Data Security Standard [DSS], Sarbanes-Oxley Act [SOX], Gramm-Leach-Bliley Act [GLBA], Health Insurance Portability and Accountability Act [HIPAA]) ready out of the box, with regular updates by FortiGuard to ensure OS regulatory compliance requirements are met. FortiScan dedicated hardware appliances easily plug into the network for fast deployment. FortiScan integrates endpoint vulnerability management, industry and federal compliance, patch management, remediation, auditing, and reporting into a single, unified appliance for immediate results. A centralized administration console facilitates management of multiple FortiScan appliances across the enterprise.

Features
• Identifies security vulnerabilities and finds compliance exposures on hosts, servers, and throughout the network transparently to end users;
• Network discovery, asset prioritization, and profile-based scanning;
• Industry, regulatory and best practices, including templates for ISO 17799, SOX, HIPAA, GLBA, NIST, SCAP, and FISMA;
• Audits and monitors across heterogeneous systems and provides industry standard benchmarks for information security compliance audits for operating systems;
• Aids compliance for regulatory mandates with 360-degree reporting and analysis, and views;
• Delivers patch management with ready-to-deploy remediation and enforcement actions—allowing network managers to change configurations and potentially mitigate weak settings, including disabling an application or denying a network request;
• Reduced errors, repeatable processes, and predictable results delivered with extensive libraries of templates that enable IT staff to leverage industry standard best practices that produce measurable results.

Type: Vulnerability and Patch Management
Operating System: N/A
Hardware Requirements: Vendor Supplied Hardware
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Fortinet
Availability: http://www.fortinet.com/products/fortiscan/

GFI LANguard®

Abstract
GFI LANguard scans a network and its ports to detect, assess, and correct security vulnerabilities with minimal administrative effort. GFI LANguard performs network scans using vulnerability check databases based on OVAL and the SysAdmin, Audit, Network, Security (SANS) Top 20, providing over 15,000 vulnerability checks.

• Patch Management—GFI LANguard has built-in patch management features that can automatically download missing Microsoft security updates, as well as automatically deploy the missing Microsoft patches or service packs over the network at the end of scheduled scans.
• Hardware and Software Management—GFI LANguard’s network auditing feature retrieves hardware information on memory, processors, display adapters, storage devices, motherboard details, printers, and ports in use and monitors any changes that may occur. GFI LANguard can also monitor a software baseline, informing administrators when a new program is installed, and can automatically uninstall unauthorized applications.

Type: Vulnerability and Patch Management
Operating System: Windows, Mac OS, Linux
Hardware Requirements: 1 GHz CPU, 512 MB RAM, 500 MB Disk space (Minimum. Scanning more hosts requires higher specs. See documentation for details)
License: Commercial—Free version available
NIAP Validated:
Common Criteria Rating:
Developer: GFI
Availability: http://www.gfi.com/lannetscan

Gideon SecureFusion Vulnerability Management

Abstract
Part of the SecureFusion suite, Vulnerability Management scans for thousands of known vulnerabilities in operating systems, infrastructure, network applications, and databases. The vulnerability signatures are updated on a daily basis and provide checks for the most recent security vulnerabilities.

The SecureFusion Portal provides a complete view of assets, vulnerabilities, configuration details, and policy compliance metrics. Instead of outdated spreadsheets and cumbersome tools that cannot correlate data, the SecureFusion Portal helps you intelligently analyze your IT environment regarding unmanaged assets, vulnerabilities, improper settings, and the reasons behind failed compliance checks.

SecureFusion is built on the additive intelligence of four core capabilities—

• Asset discovery—performs continuous audits of managed and unmanaged assets with no impact to the network;
• Vulnerability management—conducts ongoing, active vulnerability detection and reporting for operating systems, infrastructure, network applications, and databases;
• Configuration management—continuously compares system configuration and compliance with IT security standards;
• Policy management—initiates, reviews, publishes, and maintains security policies.

Vulnerability Management offers—

• End-to-end automation and workflow,
• System patch reporting,
• Results filtering,
• Automated signature updates,
• Target blacklisting,
• Bandwidth throttling,
• Massive scalability,
• Dynamic report building,
• Automated scheduling.

Type: Vulnerability and Patch Management
Operating System:
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Gideon Technologies
Availability: http://www.thegideongroup.com/vulnerability-management.asp

Host Based Security System (HBSS)

Abstract
The Host Based Security System (HBSS) baseline is a flexible, commercial off-the-shelf (COTS)-based application. It monitors, detects, and counters against known cyber threats to the DoD Enterprise. Under the sponsorship of the Enterprise-wide Information Assurance and Computer Network Defense Solutions Steering Group (ESSG), the HBSS solution will be attached to each host (server, desktop, and laptop) in DoD. The system will be managed by local administrators and configured to address known exploit traffic using an Intrusion Prevention System (IPS) and host firewall. DISA Information Assurance/Network Operations Program Executive Office (PEO-IAN) is providing the program management and supporting the deployment of this solution.

Scope
The scope of the HBSS deployment is worldwide. This vast effort requires a large support infrastructure to be in place. DISA PEO-IAN has instituted support services to enable the comprehensive implementation of the HBSS system to all the combatant commands, services, agencies, and field activities.

Features
• ePolicy Orchestrator (ePO) management suite;
  • Central security manager;
  • Enables the installation, management, and configuration of the HBSS components;
  • View reports to help monitor deployments, vulnerabilities, and protection levels;
• McAfee Agent (MA);
  • Provides local management of all HBSS products collocated on the host;
  • Runs silently in the background to gather information and events from managed systems;
  • Sends collected data to the ePO server;
  • Manages modules and software updates of other HBSS products on the host system;
  • Enforces policies on the host machines;
• Host Intrusion Prevention System (HIPS);
  • Enforces security policy;
  • Adds a robust layer of protection to the MA end-point asset that includes known and unknown buffer overflow exploit protection, prevention of malicious code installation/execution, and identification of activities that deviate from DoD or organizational policy;
• Asset Information (formerly referred to as the INFOCON);
  • Generates snapshots of asset configurations to facilitate detection of changes made to authorized baselines;
• Rogue System Detection (RSD);
  • Detects all systems connecting to the network;
  • Identifies unmanaged (or Rogue) systems present on the network;
• Policy Auditor (PA);
  • Scans remote computers to determine compliance with defined policies;
  • Identifies host vulnerabilities on the network.

Type: Vulnerability and Patch Management
Operating System: Windows
Hardware Requirements:
License: Commercial/Government
NIAP Validated:
Common Criteria Rating:
Developer: DISA–DoD
Availability: http://www.disa.mil/news/pressresources/factsheets/hbss.html

Internet Scanner®

Abstract
The Internet Scanner vulnerability assessment application minimizes risk by identifying the security holes or vulnerabilities in the network so the user can protect the network before an attack occurs. Internet Scanner can identify more than 1,300 types of networked devices on a network, including desktops, servers, routers/switches, firewalls, security devices, and application routers. Internet Scanner analyzes the configurations, patch levels, operating systems, and installed applications to find vulnerabilities that could be exploited by hackers trying to gain unauthorized access.

Features
• Unlimited asset identification,
• Dynamic check assignment,
• Common policy editor,
• Real-time display,
• Vulnerability catalog,
• Comprehensive reporting,
• Centralized vulnerability management features,
• Enterprise-class scalability,
• Remote scanning,
• Enterprise reporting,
• Automatic security content updates,
• Command scheduler,
• Asset management,
• Real-time display,
• User administration.

Type: Network Scanning
Operating System: Windows 2000 Professional/SP4, Windows Server 2003 Standard SP1, Windows XP Professional SP1a
Hardware Requirements: 1.2 GHz CPU, 512 MB RAM, 650 MB disk space (minimum)
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Internet Security Systems–Owned by IBM
Availability: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1027208

Lumension Scan™

Abstract
Lumension Scan, a component of Lumension Vulnerability Management, is a complete stand-alone, network-based scanning solution that performs a comprehensive external scan of all devices connected to your network, both managed and unmanaged. Once assets are identified, the powerful, yet easy-to-use Lumension Scan detects weaknesses on these devices before they can be exploited.

Features
• Rapid and complete asset discovery and inventory of all devices on the network,
• Thorough and accurate network-based software and configuration vulnerability assessment,
• Risk-based vulnerability prioritization for identified threats,
• Continuously updated vulnerability database for orderly remediation,
• Comprehensive management and audit reporting.

Type Network Scanning
Operating System Windows XP Pro SP2+, Windows Server 2003 SP1+, Windows Server 2003 R2+
Hardware Requirements
2 GHz CPU, 1 GB RAM, 20 GB disk space, 1024x768 Monitor Resolution
License Commercial
NIAP Validated
Common Criteria Rating
Developer Lumension
Availability http://www.lumension.com/vulnerability-management/software-vulnerability-assessment.jsp?rpLangCode=1&rpMenuId=150835


MBSA 2.1

Abstract
Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool that helps small and medium businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products, including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS), System Center Configuration Manager (SCCM) 2007, and Small Business Server.

MBSA 2.1 is the latest version of Microsoft’s free security and vulnerability assessment scan tool for administrators, security auditors, and IT professionals.

MBSA 2.1 offers Windows Vista and Windows Server 2008 compatibility, a revised user interface, 64-bit support, improved Windows Embedded support, and compatibility with the latest versions of the Windows Update Agent based on MU.

MBSA 2.1 is also compatible with MU, Windows Server Update Services 2.0 and 3.0, the SMS Inventory Tool for Microsoft Update, and SCCM 2007.

Type Host Scanning
Operating System Windows XP, Vista, Windows Server 2003, 2008
Hardware Requirements
x86, IA64, x64
License Free
NIAP Validated
Common Criteria Rating
Developer Microsoft
Availability http://technet.microsoft.com/en-us/security/cc184924.aspx


McAfee® Vulnerability Manager

Abstract
McAfee Vulnerability Manager (formerly McAfee Foundstone Enterprise) uses a priority-based approach that combines vulnerability, asset data, and countermeasures to help you make more informed decisions. It uses threat intelligence and correlation data to determine how emerging threats and vulnerabilities on networked systems affect your risk profile, so that you deploy resources where they are needed most. Improve operational efficiency and security protection while meeting tough mandates outlined in SOX, FISMA, HIPAA, and PCI DSS.

Vulnerability Manager is available as software or a secure, hardened appliance. Both increase the efficiency of your existing resources, resulting in a low cost of ownership. If you prefer a hosted option, choose the McAfee Vulnerability Management Service.

It performs credential-based scans of UNIX, Cisco IOS, and Microsoft Windows platforms for correct patching. The Content Release Calendar provides automatic updates, including new OS support, vulnerability scan scripts, and compliance checks.

Vulnerability Manager integrates with your existing technologies and with other McAfee products, leveraging your investments. McAfee® Network Security Platform correlates Vulnerability Manager data to inform you of the most relevant threats targeting your systems. McAfee Risk and Compliance Manager (formerly McAfee Preventsys®) collects data from Vulnerability Manager to calculate risks, monitor risk scores, and automate compliance reporting. McAfee ePolicy Orchestrator® feeds asset and system protection data into Vulnerability Manager for accurate assessments.

Type Vulnerability and Patch Management
Operating System Windows Server 2000 or 2003
Hardware Requirements
Dual core or dual processor CPU at 2 GHz, RAM 2 GB, 80 GB disk space, ethernet interface. Preconfigured vendor supplied appliances also available.
License Commercial
NIAP Validated
Common Criteria Rating
Developer McAfee
Availability http://www.mcafee.com/us/enterprise/products/risk_and_vulnerablity_management/vulnerability_manager.html


Metasploit

Abstract
The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

The framework consists of tools, libraries, modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload.

Type Network Scanning
Operating System Windows, Linux, Mac
Hardware Requirements
License Open Source
NIAP Validated
Common Criteria Rating
Developer Metasploit, LLC
Availability http://www.metasploit.com/home/


N-Stalker® Web Application Security Scanner

Abstract
N-Stalker Web Application Security Scanner 2009 is a Web Security Assessment solution developed by N-Stalker. By incorporating the “N-Stealth HTTP Security Scanner” and its 39,000 Web Attack Signature database, along with a patent-pending Component-oriented Web Application Security Assessment technology, N-Stalker is a security tool for developers, system/security administrators, IT auditors, and staff.

Features
• N-Stalker is a security assessment tool designed to crawl and evaluate custom Web Applications. It does not rely on out-of-box signatures.
• N-Stalker is used for either custom or off-the-shelf Web applications, by customers including large financial customers, government agencies, foreign intelligence services, and armed forces.
• N-Stalker will inspect common Web application vulnerabilities, including Open Web Application Security Project Top 10, Common Weakness Enumeration Top 25 (see cwe.mitre.org), and a wide range of issues that affect overall security.
• N-Stalker will scan for both Web server infrastructure and application layers. Currently, there are more than 39,000 Web attack signatures included in our database to identify weakness in a Web server and third-party software components.
• N-Stalker implements its own patent-pending “component-oriented Web application security analysis” technology, an assessment methodology.

Type Web Application Scanning
Operating System Windows (Windows 2000 or later)
Hardware Requirements
1 GB RAM, 500 MB disk space
License Commercial, Free
NIAP Validated
Common Criteria Rating
Developer N-Stalker
Availability http://nstalker.com/products


nCircle® IP360

Abstract
As a component of nCircle’s security risk and compliance management suite, IP360 is a vulnerability and risk management system, enabling enterprises and government agencies to cost-effectively measure and manage their security risk. IP360 comprehensively profiles all networked devices and their applications, vulnerabilities, and configurations, and includes coverage for over 25,000 conditions (operating systems, applications, vulnerabilities, and configurations), providing the ideal foundation for assessing every system on the network. IP360’s agentless architecture is designed for rapid deployment and ease of management across large, globally distributed networks.

Features
• Comprehensive, agentless discovery and profiling of all network assets for over 25,000 conditions;
• Enterprise scalability, ease of deployment, and operational effectiveness;
• Integrated network topology risk analysis for identifying the highest priority vulnerabilities;
• Integrated Web application scanning to identify security risk in Web applications;
• Flexible reporting across all levels of the enterprise.

Type Vulnerability and Patch Management
Operating System N/A
Hardware Requirements
Vendor supplied scanning appliance
License Commercial
NIAP Validated Yes
Common Criteria Rating
EAL3 – May 16, 2005
Developer nCircle
Availability http://www.ncircle.com/index.php?s=products_ip360


Nessus® Vulnerability Scanner

Abstract
The Nessus vulnerability scanner is an active scanner, featuring high-speed discovery, asset profiling, and vulnerability analysis of the user’s security posture. Nessus scanners can be distributed throughout an entire enterprise, inside demilitarized zones, and across physically separate networks. They can also be made available for ad hoc scanning, daily scans, and quick-response audits. When managed with the Security Center, vulnerability recommendations can be sent to the responsible parties, remediation can be tracked, and security patches can be audited.

Features
• Agentless scanning (patch and configuration auditing),
• High-speed vulnerability identification,
• Complete network assessment and discovery.

Type Network Scanning
Operating System Windows, Linux, Mac OS, Unix
Hardware Requirements
License Commercial – Free for personal use
NIAP Validated
Common Criteria Rating
Developer Tenable Network Security
Availability http://www.nessus.org/nessus/


NetIQ® Secure Configuration Manager

Abstract
NetIQ Secure Configuration Manager audits system configurations and compares them to corporate policies, previous snapshots, and/or other systems. It also leverages this configuration information to reliably identify vulnerabilities and exposures, using the latest security updates.

NetIQ Secure Configuration Manager allows you to demonstrate regulatory compliance and manage IT risks via scored reporting to direct remediation efforts toward issues of highest priority.

Features
• NetIQ ensures configuration changes are identified and controlled. Secure Configuration Manager creates an inventory and baseline of existing system configurations, then compares results against a standard configuration image to highlight deviations.
• Secure Configuration Manager contains packaged security policy templates that align with regulations and standards, providing the intelligence necessary to document and demonstrate compliance with auditors. Role-based exception and workflow management helps enforce secure separation of duties.
• NetIQ Secure Configuration Manager identifies systems exposed to and/or compromised by the latest exploits, including worms, viruses, and blended threats.
• Across the enterprise, NetIQ Secure Configuration Manager measures the level of threats posed by vulnerabilities and compliance exceptions weighted by the importance of managed assets.
• NetIQ Secure Configuration Manager is SCAP Validated and NIAP Common Criteria certified, ensuring it meets the most stringent federal government guidelines on interoperability and secure design.

Type Vulnerability and Patch Management
Operating System Windows XP Pro, 2000, 2003 Server
Hardware Requirements
License Commercial
NIAP Validated Yes
Common Criteria Rating
EAL2 – July 09, 2007
Developer NetIQ
Availability http://www.netiq.com/products/vsm/default.asp


Network Mapper (Nmap®)

Abstract
Network Mapper (Nmap) is a free open-source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw Internet protocol (IP) packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what OSs (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and console and graphical versions are available.

Features
• Flexible—Nmap supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles.
• Powerful—Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
• Portable—Most operating systems are supported, including Linux, Microsoft Windows, and Unix based systems.
• Easy—Although Nmap offers a rich set of advanced features for power users, the user can start out as simply as nmap -v -A targethost. Both traditional command line and graphical user interface (GUI) versions are available to suit your preference.
• Free—Nmap is available for free download, and also comes with full source code that the user may modify and redistribute under the terms of the license.
• Well Documented—Significant effort has been put into comprehensive and up-to-date pages, white papers, and tutorials.
• Supported—Although Nmap comes with no warranty, it is well supported by the community.

Type Network Scanning
Operating System Linux, MS Windows, Unix
Hardware Requirements
License Open Source
NIAP Validated
Common Criteria Rating
Developer Insecure.org
Availability http://nmap.org/


Nikto v2.03

Abstract
Nikto is an Open Source (general public license) Web server scanner that performs comprehensive tests against Web servers for multiple items, including over 3,500 potentially dangerous files/common gateway interfaces (CGI), versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated.

Features
• Uses rfp’s LibWhisker as a base for all network functionality,
• Main scan database in comma separated variable (CSV) format for easy updates,
• Fingerprint servers via favicon.ico files,
• Determines “OK” vs “NOT FOUND” responses for file type, if possible,
• Determines CGI directories for each server, if possible,
• Switch hypertext transfer protocol (HTTP) versions as needed so that the server understands requests properly,
• Secure Sockets Layer Support (Unix with OpenSSL or maybe Windows with ActiveState’s Practical Extraction and Report Language [PERL]/NetSSL),
• Output to file in plain text, HTML or CSV,
• Plugin support (standard PERL),
• Checks for outdated server software,
• Proxy support (with authentication),
• Host authentication (Basic),
• Watches for “bogus” OK responses,
• Attempts to perform educated guesses for Authentication realms,
• Captures/prints any Cookies received,
• Mutate mode to “go fishing” on Web servers for odd items,
• Builds Mutate checks based on robots.txt entries (if present),
• Scan multiple ports on a target to find Web servers (can integrate Nmap for speed, if available),
• Multiple intrusion detection system evasion techniques,
• Users can add a custom scan database,
• Supports automatic code/check updates (with Web access),
• Multiple host/port scanning (scan list files),
• Username guessing plugin via the cgiwrap program and Apache user methods.

Type Web Application Scanning
Operating System Unix, Linux, Windows
Hardware Requirements
License Open Source
NIAP Validated
Common Criteria Rating
Developer Cirt.net
Availability http://www.cirt.net/nikto2


OraScan

Abstract
OraScan is a multi-environment auditing application developed to assess the security of Oracle Web applications. The finely detailed level of auditing supported by OraScan allows systems administrators and security professionals to gain full control of security issues surrounding online applications and front-end servers.

OraScan performs robust, in-depth security vulnerability audits, seeking out potential problem areas such as—
• SQL injection,
• XSS,
• Poor Web server configuration.

In addition, OraScan can be deployed to audit the configuration of Internet authentication service Web servers, ensuring that the Web application portion of your database software architecture is free of any security weaknesses.

Type Database Scanning
Operating System Microsoft Windows 2003, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows NT Version 4.0 (Service Pack 4)
Hardware Requirements
License Commercial
NIAP Validated
Common Criteria Rating
Developer Next Generation Security Software
Availability http://www.ngssoftware.com/products/internet-security/orascan.php


Paros Proxy v3.2.0Alpha

Abstract
Paros Proxy v3.2.0Alpha is a Java-based Web proxy for assessing Web application vulnerability. It supports editing/viewing HTTP/HTTP Secure (HTTPS) messages on the fly to change items such as cookies and form fields. It includes a Web traffic recorder, Web spider, hash calculator, and a scanner for testing common Web application attacks, such as SQL injection and XSS.

Type Web Application Scanning
Operating System All OSs supporting Java 1.4+
Hardware Requirements
N/A
License Freeware
NIAP Validated
Common Criteria Rating
Developer Paros
Availability http://www.parosproxy.org/index.shtml


Proventia® Network Enterprise Scanner

Abstract
Proventia Network Enterprise Scanner is the next generation of the Internet Scanner vulnerability assessment tool. Proventia Network Enterprise Scanner is a vulnerability protection system for the entire network that is enhanced with an integrated workflow vulnerability management subsystem and Proventia Enterprise Scanner that enables the user to drive protection measures throughout an infrastructure.

Features
• Vulnerability assessment,
• Complete vulnerability management and protection,
• Scanning-optimized Linux kernel,
• Hardened and secure,
• Multiple scan ports,
• Application fingerprinting,
• Workflow,
• Reporting,
• Asset identification,
• Asset classification,
• Scan windows,
• Automation,
• Scan load balancing/teaming,
• Flexible deployment options,
• Flexible policy management,
• Web-based local management,
• Centralized management system: Proventia Network Scanner is centrally managed using Proventia Management SiteProtector. SiteProtector is a scalable system that allows staff to control, monitor, and analyze events from a centralized console. SiteProtector improves security through correlation and integration with other security products, including—
  • Active/passive scanning through Proventia Network Enterprise Scanner and Proventia Network Anomaly Detection,
  • Scan and block capabilities through Proventia Network Enterprise Scanner and Proventia Network Intrusion Prevention System,
  • Correlation through the SiteProtector Security Fusion module.

Type Network Scanning
Operating System N/A
Hardware Requirements
Vendor supplied scanning appliance
License Commercial
NIAP Validated
Common Criteria Rating
Developer IBM
Availability http://www-935.ibm.com/services/us/index.wss/offering/iss/a1027216


proVM Auditor

Abstract
Prolific Solutions’ proVM Auditor is a vulnerability management tool that uses the output from multiple vulnerability and compliance scanners and aggregates the information into a single view. proVM Auditor presents vulnerability data in meaningful views via a vulnerability matrix that makes managing, tracking, and resolving vulnerabilities simpler and less resource-intensive.

Features
• Expedites compliance reviews
• Maps vulnerabilities to DoD 8500.2 IA Controls
• Facilitates/standardizes C&A processes
• Streamlines administration efforts
• Standard views of vulnerability data
• Reduces manual compliance efforts
• Small footprint; simple to use; does not require installation
• Accepts scanner output from the following Vulnerability Scanners:
  • eEye Retina
  • Lumension PatchLink
  • DISA SRRs
  • DISA Gold Disk
  • Application Security AppDetective
  • Tenable Nessus
  • Nmap
  • Other tools, commercial or private, can be added upon request

Type Vulnerability and Patch Management
Operating System Windows
Hardware Requirements
N/A
License Commercial
NIAP Validated
Common Criteria Rating
Developer Prolific Solutions
Availability http://www.prolific-solutions.net/products.htm


QualysGuard® Vulnerability Management

Abstract
QualysGuard Vulnerability Management (VM) automates the life cycle of network auditing and vulnerability management across the enterprise, including network discovery and mapping, asset prioritization, vulnerability assessment reporting, and remediation tracking according to business risk. QualysGuard delivers continuous protection against the latest worms and security threats without the substantial cost, resource, and deployment issues associated with traditional software. As an on demand Software-as-a-Service (SaaS) solution, there is no infrastructure to deploy or manage.

QualysGuard VM enables small to large organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities, including severity levels, time-to-fix estimates, and impact on business, plus trend analysis on security issues.

Features
• Vulnerability KnowledgeBase that incorporates over 6,000 unique checks;
• Non-intrusive detection techniques;
• Inference-based scanning engine;
• Authenticated or unauthenticated scanning capabilities;
• Internal and external scanning;
• Scans are configurable for optimum performance and minimum network load;
• Unique fingerprints for over 2,000 operating systems, applications, and protocols;
• Customization of scans to scan for specific ports/services and specific vulnerabilities;
• Scheduled and automated network discovery and vulnerability scan tasks on a daily, weekly, or monthly basis;
• Automated daily updates to the QualysGuard vulnerability KnowledgeBase;
• Easy access to concise, auto-generated reports via a Web browser;
• Executive Dashboard provides real-time illustration of risk;
• Graph and trend reports for managers;
• Detailed technical reports with verified remediation actions for technicians;
• SANS Top 20 Report provides industry baseline;
• Risk analysis report predicts the likelihood of exposure;
• CVE and Security Focus-linked and Bugtraq-referenced vulnerability checks with detailed remediation instructions;
• Customizable reports for flexible, on demand reporting by business units for executives and managers;
• Export reports to HTML, Microsoft Hypertext Archive, portable document format, CSV, and XML formats.

Type Network Scanning
Operating System N/A
Hardware Requirements
Vendor supplied scanning appliance
License Commercial
NIAP Validated
Common Criteria Rating
Developer Qualys
Availability http://www.qualys.com/products/qg_suite/vulnerability_management/


Rational AppScan®

Abstract
IBM Rational Web application security software helps IT and security professionals protect against the threat of attacks and data breaches. Involving more testers in the application security process results in higher quality, more secure applications at a reasonable cost.

Rational offers Web application security solutions, including new malware detection capabilities, through the IBM Rational AppScan family of products. AppScan can be used for vulnerability scanning in all stages of application development and by testers with or without security expertise.

Features
• AppScan Build Edition—Embeds Web application security testing into the build management workflow,
• AppScan Developer Edition—Automates application security scanning for non-security professionals,
• AppScan Enterprise Edition—Web-based, multi-user solution providing centralized application security scanning and reporting,
• AppScan Express Edition—Provides affordable Web application security for smaller organizations,
• AppScan OnDemand—Identifies and prioritizes Web Application Security vulnerabilities via SaaS Model,
• AppScan OnDemand Production Site Monitoring—Monitors production Web content and sites for security vulnerabilities via SaaS Model,
• AppScan Reporting Console—Provides centralized reporting on Web application vulnerability data,
• AppScan Standard Edition—Desktop solution to automate Web application security testing,
• AppScan Tester Edition—Integrated Web application security testing in the quality assurance process.

Type Web Application Scanning
Operating System Windows XP, Server 2003
Hardware Requirements
3 GHz CPU, 2 GB+ RAM, 200 MB disk space for installation plus at least 10 GB free space for logs
License
NIAP Validated
Common Criteria Rating
Developer IBM – Rational
Availability http://www-01.ibm.com/software/awdtools/appscan/


Retina Network Security Scanner

Abstract
Retina Network Security Scanner is a professional-grade security solution with a lengthy track record of success. Retina contains all the integrated security and threat management tools needed to effectively identify and remediate the network vulnerabilities that lead to exposure and malicious attacks.

Features
• Discovers the assets in the network infrastructure, including operating system platforms, networked devices, databases, and third party or custom applications. Retina also discovers wireless devices and their configurations, ensuring these connections can be audited for the appropriate security settings. Additionally, Retina scans active ports and confirms the services associated with those ports.
• Implements corporate policy driven scans to audit internal security guidelines and ensure that configuration requirements are enforced and comply with defined standards. These custom scans can also assist with meeting any regulatory compliance requirements (e.g., SOX, HIPAA, GLB, PCI) customers may face.
• Remotely identifies system level vulnerabilities to mimic an attacker’s point of view, providing information that an outsider would see about a network. These remote checks do not require administrator rights, providing an accurate assessment, with fewer resources required to scan across departments, locations, or geographies.
• Incorporates a comprehensive vulnerabilities database and scanning technology, allowing users to proactively secure their networks against attacks.
• Updates are automatically uploaded at the beginning of each Retina session.

Type Network Scanning
Operating System Windows
Hardware Requirements
256 MB RAM. Vendor-supplied appliance also available.
License Commercial
NIAP Validated
Common Criteria Rating
Developer eEye Digital Security
Availability http://www.eeye.com/html/products/retina/index.html


SAINT

Abstract
SAINT’s Web-like, easy-to-use GUI makes it easy to scan networks. Every live system on the network is screened for TCP and user datagram protocol (UDP) services. For each service it finds running, it launches a set of probes designed to detect anything that could allow an attacker to gain unauthorized access, create a denial of service, or gain sensitive information about the network. When vulnerabilities are detected, SAINT categorizes the results in several ways, allowing users to target the data they find most useful. SAINT can group vulnerabilities according to severity, type, or count. It can provide information about a particular host or groups of hosts. SAINT describes each of the vulnerabilities it locates and references CVE or Information Assurance Vulnerability Alerts (IAVA), as well as CERT advisories.

Features
• Includes flexible/customizable scanning options, including SANS/Federal Bureau of Investigation Top 20;
• Scans anything with an IP address running TCP/IP protocols;
• Includes extensive documentation and online tutorials;
• Includes links to patches and new versions of software;
• Runs in remote mode;
• Is easily set up to run unattended using the GUI;
• Provides dynamic reporting capability that allows the user to drill down to get more information about the vulnerability and how to correct it;
• Cross-references vulnerabilities to IAVAs;
• Scans IPv4 or IPv6 addresses;
• Includes control panel that allows the user to stop, pause, and resume scans, and to view results in progress while the scan runs;
• Is certified CVE-compatible by MITRE.

Type Network Scanning
Operating System Unix/Linux platform
Hardware Requirements
256 MB RAM, 150 MB disk space. Vendor-supplied appliances also available.
License Commercial
NIAP Validated
Common Criteria Rating
Developer Saint Corporation
Availability http://www.saintcorporation.com/products/data_sheets/SAINT_data_sheet.pdf


Second Look™

Abstract
Second Look captures, and forensically preserves, a computer’s volatile RAM. It analyzes the Linux operating system kernel in live memory or via a memory image, verifying its integrity and searching for signs of rootkits or other subversive software that have modified the executable kernel code or kernel data structures.

With Second Look, analysts and investigators have a tool that provides a comprehensive view of a system, uninfluenced by any malware that might be running on it. Information pulled directly out of memory includes running processes, active network connections, loaded kernel modules, and many other essential system parameters. Second Look uncovers hidden kernel modules, processes, and network activity. Second Look integrates a real-time disassembler that allows inspection of any function or segment of kernel memory.

As threats to computer systems continue to increase in sophistication, traditional post-mortem (dead box) forensic analysis of hard disk contents is no longer sufficient. Advanced exploits allow for the implantation of rootkits and backdoors directly in memory, without an actual file ever touching the disk. Volatile memory must be acquired in a trustworthy fashion, and analyzed with security software such as Second Look.

Type Host Scanning
Operating System Linux
Hardware Requirements
License Commercial
NIAP Validated
Common Criteria Rating
Developer Pikewerks
Availability http://pikewerks.com/sl


SecureScout® NX

Abstract
SecureScout NX is a third-generation scanning solution that performs real-time testing of global networks and firewalls. The architecture of SecureScout NX implements a centralized console to manage remote test engines and probes, enabling users to quickly and repeatedly scan and report vulnerabilities in distributed networks from a single location.

SecureScout NX gives the user an impartial view of whether firewalls have been configured correctly to comply with security policies and protect the network. SecureScout NX tests highlight information exposed to the outside world that cyber criminals could misuse to attack the organization. Diligent assessment of internal systems enables an organization to manage security risks and reduce potential liability. SecureScout NX delivers the knowledge needed to protect critical information from intruders and prepare countermeasures, making it difficult for attackers to get in.

NetVigilance's security experts continually research information sources for new vulnerabilities, and a secure Web service site automatically updates SecureScout NX. Through differential reporting, users can benchmark their security level at various points in time.
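Differential reporting, as described in the last paragraph, is a comparison of two scan results keyed on the same finding identity. The following is an added example, not NetVigilance's code; every host, check name and severity in it is constructed sample data. It shows the comparison a practitioner actually needs: findings are keyed on host, port, protocol and check, and a finding that vanished only counts as fixed if its host was reachable in the second scan, so a host that was down or newly firewalled does not silently inflate the remediation count.

```python
"""Differential report between two scan snapshots (added example)."""
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "host port proto check severity")

# Constructed sample: the same perimeter scanned twice, one month apart.
SCAN_T0 = {
    "hosts_scanned": {"203.0.113.10", "203.0.113.11", "203.0.113.12"},
    "findings": [
        Finding("203.0.113.10", 22, "tcp", "ssh-weak-ciphers", "medium"),
        Finding("203.0.113.10", 80, "tcp", "http-trace-enabled", "low"),
        Finding("203.0.113.11", 161, "udp", "snmp-default-community", "high"),
        Finding("203.0.113.12", 445, "tcp", "smb-null-session", "high"),
    ],
}
SCAN_T1 = {
    "hosts_scanned": {"203.0.113.10", "203.0.113.11"},   # .12 did not answer this time
    "findings": [
        Finding("203.0.113.10", 22, "tcp", "ssh-weak-ciphers", "medium"),
        Finding("203.0.113.10", 443, "tcp", "tls-self-signed-cert", "low"),
    ],
}


def diff_scans(old, new):
    """Classify findings as new, fixed, persisting or unverified.

    A finding that disappeared is only 'fixed' if its host was actually scanned the
    second time; otherwise it is 'unverified', so an outage or a firewall change that
    hid the host cannot be mistaken for remediation.
    """
    old_set, new_set = set(old["findings"]), set(new["findings"])
    rescanned = old["hosts_scanned"] & new["hosts_scanned"]
    gone = old_set - new_set
    return {
        "new": sorted(new_set - old_set),
        "fixed": sorted(f for f in gone if f.host in rescanned),
        "unverified": sorted(f for f in gone if f.host not in rescanned),
        "persisting": sorted(old_set & new_set),
        "missing_hosts": sorted(old["hosts_scanned"] - new["hosts_scanned"]),
    }


def severity_trend(old, new):
    """Per-severity counts before and after, e.g. {'high': (2, 0), ...}."""
    before = Counter(f.severity for f in old["findings"])
    after = Counter(f.severity for f in new["findings"])
    return {s: (before[s], after[s]) for s in sorted(before | after)}


def render(diff, trend):
    """Plain-text report suitable for a ticket or an e-mail."""
    lines = ["severity  before  after"]
    lines += ["%-9s %6d %6d" % (s, b, a) for s, (b, a) in trend.items()]
    for section in ("new", "fixed", "persisting", "unverified"):
        lines.append("")
        lines.append("%s (%d):" % (section.upper(), len(diff[section])))
        lines += ["  %s:%d/%s %s [%s]" % f for f in diff[section]]
    if diff["missing_hosts"]:
        lines += ["", "hosts not reached this scan: " + ", ".join(diff["missing_hosts"])]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(diff_scans(SCAN_T0, SCAN_T1), severity_trend(SCAN_T0, SCAN_T1)))
```

The same identity key is what makes the trend table honest: if a later scan renames a check or reports it on a different port, the old finding shows up as fixed and the new one as new, so keep check identifiers stable (or map them) before trusting a differential report.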

SecureScout® NX

Type: Network Scanning
Operating System: Windows 2000 SP3/SP4, Windows XP SP1/SP2/SP3, Windows Server 2003 SP1/SP2 (32-bit versions of Windows only)
Hardware Requirements: not listed
License: Commercial
NIAP Validated: not listed
Common Criteria Rating: not listed
Developer: NetVigilance
Availability: http://www.netvigilance.com/nx

SecureScout® Perimeter

Abstract
The SecureScout Perimeter service probes Internet-connected systems for vulnerabilities before hackers find them. It identifies holes in an Internet infrastructure, scanning beyond the firewall to any device with an IP address.

SecureScout® Perimeter

Type: Network Scanning
Operating System: Windows 2000 SP3/SP4, Windows XP SP1/SP2/SP3, Windows Server 2003 SP1/SP2 (32-bit versions of Windows only)
Hardware Requirements: not listed
License: Commercial
NIAP Validated: not listed
Common Criteria Rating: not listed
Developer: NetVigilance
Availability: http://www.netvigilance.com/perimeter

Security Auditor's Research Assistant (SARA) v7.9.1

Abstract
The Security Auditor's Research Assistant (SARA) is a third-generation network security analysis tool.

Features
- Operates under Unix, Linux, Mac OS X, or Windows (through coLinux)
- Integrates the NVD
- Adapts to many firewalled environments
- Supports remote self-scan and application programming interface facilities
- Is used for the Center for Internet Security benchmark initiatives
- Includes a plug-in facility for third-party applications
- Includes CVE standards support (20040901)
- Has an enterprise search module
- Has stand-alone or daemon mode
- Offers a free-use, open, SATAN-oriented license
- Was updated twice a month while under development
- Provides user extension support
- Based on the SATAN model

Advanced Research's philosophy relies heavily on software reuse. Rather than inventing a new module, SARA is adapted to interface with other community products. For instance, SARA interfaces with the popular Nmap package for superior operating system fingerprinting. SARA also provides a transparent interface to Samba for Server Message Block (SMB) security analysis. SARA is no longer being developed, and v7.9.1 is the final release.

Security Auditor's Research Assistant (SARA) v7.9.1

Type: Network Scanning
Operating System: Unix, Linux, Windows (through coLinux)
Hardware Requirements: not listed
License: Freeware
NIAP Validated: not listed
Common Criteria Rating: not listed
Developer: Advanced Research Corporation
Availability: http://www-arc.com/sara/

Security Administrator's Tool for Analyzing Networks (SATAN)

Abstract
Security Administrator's Tool for Analyzing Networks (SATAN) scans systems connected to the network, noting the existence of well-known, often-exploited vulnerabilities. It examines a remote host or set of hosts and gathers as much information as possible.

Security Administrator's Tool for Analyzing Networks (SATAN)

Type: Network Scanning
Operating System: Unix/Linux
Hardware Requirements: not listed
License: Freeware
NIAP Validated: not listed
Common Criteria Rating: not listed
Developer: Dan Farmer and Wietse Venema
Availability: http://ftp.cerias.purdue.edu/pub/tools/unix/scanners

SNScan v1.05

Abstract
SNScan is a Windows-based Simple Network Management Protocol (SNMP) detection utility that can quickly and accurately identify SNMP-enabled devices on a network. This utility can effectively indicate devices that are potentially vulnerable to SNMP-related security threats.

SNScan allows for the scanning of SNMP-specific ports (e.g., UDP 161, 193, 391, and 1993) and the use of the default (i.e., public) as well as user-defined SNMP community names. User-defined community names may be used to more effectively evaluate the presence of SNMP-enabled devices in more complex networks.

SNScan is intended for use by system and network administrators as a fast and reliable utility for information gathering. Although it does not indicate whether SNMP-enabled devices are vulnerable to specific threats, SNScan can quickly and accurately identify potential areas of exposure to SNMP-related vulnerabilities.
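The abstract says what SNScan does (send requests carrying candidate community names to the SNMP ports and record which devices answer) but not how that exchange works on the wire. The added example below is not SNScan's code. It builds an SNMPv1 GetRequest for sysDescr.0 byte by byte (BER/ASN.1 encoding), parses the GetResponse, and reduces the result to the one fact a discovery tool needs: did the agent accept the community string. The constructed SAMPLE_RESPONSE and its sysDescr text "Linux router 2.6.27" are invented for the example; probe() is the live version and is the only function that touches the network.

```python
import socket

SYS_DESCR, GET_REQUEST, GET_RESPONSE = "1.3.6.1.2.1.1.1.0", 0xA0, 0xA2   # sysDescr.0; PDU tags
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30  # universal tags

def _ber_len(n):
    if n < 0x80:
        return bytes([n])                       # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body     # long form: 0x80 | byte count, then the bytes

def tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def enc_int(v):
    """Minimal two's-complement INTEGER (0 -> 00, 127 -> 7f, 128 -> 00 80)."""
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(dotted):
    """First two arcs share one byte (40*a+b); later arcs are base 128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def build_message(community, pdu_tag, request_id, varbinds):
    """SNMPv1 message: SEQUENCE { version 0, community, PDU { id, error, index, varbinds } }."""
    vbl = b"".join(tlv(SEQUENCE, enc_oid(o) + v) for o, v in varbinds)
    pdu = enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, vbl)
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + tlv(pdu_tag, pdu))

def build_get_request(community, oid=SYS_DESCR, request_id=1):
    return build_message(community, GET_REQUEST, request_id, [(oid, tlv(NULL, b""))])

def _read(buf, pos):
    """Decode one TLV at pos: (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dec_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

_DECODE = {INTEGER: lambda r: int.from_bytes(r, "big", signed=True),
           OCTET_STRING: lambda r: r.decode("latin-1"), OID: dec_oid, NULL: lambda r: None}

def parse_message(pkt):
    _, body, _ = _read(pkt, 0)
    _, ver, p = _read(body, 0)
    _, comm, p = _read(body, p)
    pdu_tag, pdu, _ = _read(body, p)
    _, rid, p = _read(pdu, 0)
    _, err, p = _read(pdu, p)
    _, _idx, p = _read(pdu, p)
    _, vbl, _ = _read(pdu, p)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = _read(vbl, q)
        _, o, r = _read(vb, 0)
        vtag, v, _ = _read(vb, r)
        varbinds.append((dec_oid(o), _DECODE.get(vtag, bytes)(v)))   # unknown types stay raw
    return {"version": _DECODE[INTEGER](ver), "community": comm.decode("latin-1"), "pdu_type": pdu_tag,
            "request_id": _DECODE[INTEGER](rid), "error_status": _DECODE[INTEGER](err), "varbinds": varbinds}

def community_accepted(response, request_id):
    """A v1 agent stays silent on a wrong community, so a matching GetResponse with error 0 is a hit."""
    m = parse_message(response)
    return m["pdu_type"] == GET_RESPONSE and m["request_id"] == request_id and m["error_status"] == 0

def probe(host, community="public", port=161, timeout=1.0):
    """Live check (not exercised by the sample): one UDP request; the parsed reply, or None on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, request_id=7), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_message(data) if community_accepted(data, 7) else None

# Constructed sample of the reply a Linux agent would send to build_get_request("public").
SAMPLE_RESPONSE = build_message("public", GET_RESPONSE, 1,
                                [(SYS_DESCR, tlv(OCTET_STRING, b"Linux router 2.6.27"))])
```

SNMPv1 agents answer nothing at all when the community string is wrong, so a timeout is the expected result for a guarded device and only a parsed GetResponse with error-status 0 counts as a hit; sysDescr strings are frequently longer than 127 bytes, which is why the parser handles long-form lengths. Probe rate matters in practice: many embedded agents fall over under a fast sweep, and an IDS will usually flag repeated community-string guessing from one source.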

SNScan v1.05

Type: Network Scanning
Operating System: Windows
Hardware Requirements: not listed
License: Freeware
NIAP Validated: not listed
Common Criteria Rating: not listed
Developer: Foundstone (a division of McAfee)
Availability: http://www.foundstone.com/us/resources/proddesc/snscan.htm

ThreatGuard® Secutor Magnus

Abstract
Secutor Magnus is designed specifically to meet the Common Security Configurations requirements set forth by the Office of Management and Budget (OMB). Built for the Information Security Automation Program established by NIST, Magnus fully supports a wide-scale action plan to quickly and continually show that an organization has compliance under control. The entire Secutor line of automated content tools provides standardized assessments, content-driven remediation, and complete mappings to driving requirements, with options to easily document deviations from those requirements.

Features
- Tests NIST configurations to identify adverse effects on system functionality
- Automated enforcement
- Restricts administration to authorized professionals
- Ensures new acquisitions use standard configurations
- Patches
- Automatically determines whether computers have all required security patches
- Performs vulnerability assessment of the operating system and major applications
- Provides documentation of deviations with rationale

ThreatGuard® Secutor Magnus

Type: Vulnerability and Patch Management
Operating System: Windows
Hardware Requirements: not listed; a vendor-supplied appliance is also available
License: Commercial
NIAP Validated: not listed
Common Criteria Rating: not listed
Developer: ThreatGuard
Availability: http://www.threatguard.com/products.htm

Triumfant Resolution Manager®

Abstract
Triumfant Resolution Manager continuously scans for unusual changes that are consistent with the behavior and structure of malicious applications. These include unusual auto-start methods, stealth techniques such as those used by rootkits, and unusual firewall exceptions. As a result, malicious attacks that are not detected by traditional signature-based tools are recognized by Triumfant in real time, along with all of the changes to the machine associated with the attack. Resolution Manager immediately applies its deep analytics to verify that it is indeed an attack and assesses the full extent of the threat.

Resolution Manager uses its diagnosis of the problem and knowledge of the changes to the machine to synthesize a surgical remediation. These remediations do not delete the malicious executable; they repair the damage from the attack, effectively eliminating the need for costly re-imaging. The information about the attack and the remediation is captured so that Resolution Manager can scan the entire population for any other occurrences of the attack, and remediate machines where the attack is detected.

Triumfant provides a comprehensive set of reports that deliver visibility into the security readiness of the endpoint environment, from an executive summary view down to the details of each machine.

Features
- Malware detection: The ability to detect changes at a granular level allows Triumfant to detect, analyze, and remediate malicious attacks in real time without the need for signatures or any prior knowledge of the attack.
- Security Configuration Management: Triumfant verifies that the organization's standard portfolio of endpoint security software is correctly deployed.
- Compliance Management: Triumfant Resolution Manager applies security policies that are customizable from the departmental level down to individual machines. Trium­fant also provides policy templates for specific security mandates, such as FDCC SCAP compliance and PCI compliance.
- Vulnerability Management: Triumfant uses the NIST SCAP vulnerability database to scan each computer for known software vulnerabilities, identifying where missing patches create a security exposure.
- Whitelist/Blacklist Management: Triumfant deletes unauthorized software from endpoint computers, and builds custom remediations to ensure that no malicious code is left behind by the deleted application.

Triumfant Resolution Manager®

Type: Vulnerability and Patch Management
Operating System: not listed
Hardware Requirements: not listed
License: Commercial
NIAP Validated: Yes
Common Criteria Rating: EAL2+, March 31, 2009
Developer: Triumfant
Availability: http://www.triumfant.com/products.asp

Typhon III

Abstract
Typhon III is a tool that identifies infrastructure and Web application vulnerabilities. Capabilities include the fast and accurate identification of current and historical security vulnerabilities; the nonintrusive vulnerability scanner provides protection against current threats, including:
- Rootkits
- Phishing
- SQL injection
- Pharming
- Confidential data theft

By providing a comprehensive security audit of all hosts in the network, from routers and printers through Web and database servers, Typhon III helps the network stay secure from threats. It exposes weak passwords in a variety of protocols and contains a full range of checks for common vulnerabilities and configuration errors. Typhon III can also audit Web applications using its integrated Web spider, which locates every page and script on a Web site (even hidden, unlinked, and test files) and rigorously tests them for SQL injection and XSS flaws.

Typhon III

Type: Web Application Scanning
Operating System: Windows 2003, 2000, XP, NT 4.0 SP6a
Hardware Requirements: 500 MHz CPU, 512 MB RAM, 20 MB disk space (minimum)
License: Commercial
NIAP Validated: not listed
Common Criteria Rating: not listed
Developer: Next Generation Security Software
Availability: http://www.nextgenss.com/products/internet-security/ngs-typhon.php

HP WebInspect

Abstract
HP WebInspect is Web application security assessment software designed to analyze today's complex Web applications. It delivers fast scanning, broad assessment coverage, extensive vulnerability knowledge, and accurate Web application scanning results.

Features
- Statically analyzes client-side Adobe Flash applications
- Produces faster scans and more accurate results through Simultaneous Crawl and Audit (SCA) technology
- Reduces false positives using Intelligent Engines designed to imitate a hacker's methodology
- Increases testing throughput with support for multiple concurrent scans
- Lets the user enter a URL, username, and password to quickly initiate a simple scan for immediate results
- Scan profiler assists in optimizing the scan configuration to maximize the effectiveness and accuracy of the scan
- Depth-first crawling option for Web sites that enforce order-dependent navigation
- Fingerprints the Web framework using Smart Assessment technology to reduce unnecessary attacks
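Both Typhon III (whose spider "rigorously tests for SQL injection and XSS flaws") and WebInspect (crawl and audit with false-positive reduction) describe the same two checks without showing them. The added example below is not the code of either product. It sends a quote-character probe and matches the response against database error strings that the unmodified page does not already contain (the baseline comparison is the simplest form of false-positive reduction), and it sends a random canary wrapped in HTML metacharacters to tell an unescaped reflection from an escaped one. fake_app is a constructed stand-in target with one injectable parameter, one raw-reflected parameter and one correctly escaped parameter; http_fetch is the live fetcher for a real target, and the URL target.example is invented.

```python
"""Reflected-XSS and error-based SQL-injection checks for one URL parameter (added example)."""
import html
import re
import secrets
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Database error strings a scanner looks for after submitting a quote character.
SQL_ERROR_SIGNATURES = [re.compile(p, re.I) for p in (
    r"You have an error in your SQL syntax",                  # MySQL
    r"Warning: mysql_",                                       # PHP mysql_* functions
    r"Unclosed quotation mark after the character string",    # Microsoft SQL Server
    r"ORA-\d{5}",                                             # Oracle
    r"PG::SyntaxError|pg_query\(\)|syntax error at or near",  # PostgreSQL
    r"sqlite3\.OperationalError|SQLite3::SQLException",       # SQLite
)]
SQLI_PROBES = ["'", "\"", "')", "' OR '1'='1"]
TARGET = "http://target.example/search?id=1&q=test&name=bob"   # invented target URL


def inject_param(url, name, value):
    """Return url with query parameter `name` set to `value`; other parameters are kept."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != name]
    query.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(query)))


def http_fetch(url, timeout=10):
    """Live fetch for a real target (not used by the embedded sample)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def check_sqli(fetch, url, param):
    """[(probe, signature)] for probes that provoked a database error which the unmodified
    page does not already contain; the baseline comparison cuts false positives on pages
    that always print error text."""
    baseline = fetch(url)
    hits = []
    for probe in SQLI_PROBES:
        body = fetch(inject_param(url, param, "1" + probe))
        for sig in SQL_ERROR_SIGNATURES:
            if sig.search(body) and not sig.search(baseline):
                hits.append((probe, sig.pattern))
    return hits


def check_xss(fetch, url, param):
    """Send a random canary wrapped in the characters an HTML encoder must neutralise.
    'reflected-unescaped' means the raw markup came back (reflected XSS candidate);
    'reflected-escaped' means the application encoded it."""
    canary = "x" + secrets.token_hex(4)
    probe = canary + "\"'<>"
    body = fetch(inject_param(url, param, probe))
    if probe in body:
        return "reflected-unescaped"
    if canary in body:
        return "reflected-escaped"
    return "not-reflected"


def fake_app(url):
    """Constructed stand-in for a target: `id` goes into SQL unquoted, `q` is echoed raw
    (vulnerable), `name` is echoed through html.escape (the hardened form)."""
    params = dict(parse_qsl(urlsplit(url).query))
    if any(c in params.get("id", "") for c in "'\""):
        return "<h1>500</h1>You have an error in your SQL syntax; check the manual"
    return ("<p>Results for %s</p><p>Hello %s</p>"
            % (params.get("q", ""), html.escape(params.get("name", ""))))


if __name__ == "__main__":
    for p in ("id", "q", "name"):
        print(p, check_sqli(fake_app, TARGET, p), check_xss(fake_app, TARGET, p))
```

Both checks are deliberately conservative: a SQL error that is also on the baseline page is ignored, and an escaped reflection is reported as such rather than as a finding. Error-based detection misses blind injection (no error text, same page either way), and a reflection check only covers reflected XSS; stored and DOM-based variants need a crawl of the pages where the input is later rendered, which is what the scanners' crawl-and-audit phase is for.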

HP WebInspect

Type: Web Application Scanning
Operating System: Windows
Hardware Requirements: not listed
License: Commercial
NIAP Validated: not listed
Common Criteria Rating: not listed
Developer: Hewlett-Packard
Availability: https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__

WebScarab

Abstract
WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It is written in Java and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.

WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S)-based application, whether to allow a developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.
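The intercepting-proxy mode described above is simple enough to show in full for plain HTTP. The added example below is not WebScarab's code: it accepts proxy-form requests from a browser, passes each request through on_request (where the operator's modifications go), forwards it with http.client, passes the reply through on_response, and records the conversation. Hop-by-hop headers are stripped because they describe the browser-to-proxy connection, not the request itself. The listening address 127.0.0.1:8008 and the X-Intercepted-By header are choices made for this example.

```python
"""Minimal intercepting HTTP proxy with request and response hooks (added example)."""
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Headers that belong to one hop (RFC 7230 section 6.1) and must not be forwarded.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "proxy-authenticate",
              "proxy-authorization", "te", "trailer", "transfer-encoding", "upgrade"}

CONVERSATIONS = []   # one dict per request/response pair, the "conversation" view


def split_target(url):
    """'http://host:8080/p?q=1' -> ('host', 8080, '/p?q=1'); default port 80, default path '/'."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("only absolute http:// URLs are proxied: %r" % url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.hostname, parts.port or 80, path


def strip_hop_by_hop(headers):
    return {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}


def on_request(method, host, path, headers, body):
    """Interception point for the outgoing request.  Edit here to alter what the server sees.
    This version tags the request and drops Accept-Encoding so the reply arrives uncompressed."""
    headers = strip_hop_by_hop(headers)
    headers.pop("Accept-Encoding", None)
    headers["X-Intercepted-By"] = "example-proxy"
    return method, host, path, headers, body


def on_response(status, headers, body):
    """Interception point for the reply before the browser receives it."""
    return status, strip_hop_by_hop(headers), body


class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _proxy(self):
        host, port, path = split_target(self.path)
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        method, host, path, headers, body = on_request(
            self.command, host, path, dict(self.headers), body)
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        status, rheaders, rbody = on_response(resp.status, dict(resp.getheaders()), resp.read())
        conn.close()
        CONVERSATIONS.append({"method": method, "url": self.path, "status": status,
                              "request_headers": headers, "response_headers": rheaders})
        self.send_response(status)
        for k, v in rheaders.items():
            if k.lower() != "content-length":   # we re-frame the body ourselves
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(rbody)))
        self.end_headers()
        self.wfile.write(rbody)

    do_GET = do_POST = do_PUT = do_DELETE = _proxy

    def log_message(self, *_):
        pass   # keep stdout quiet; CONVERSATIONS holds the record


if __name__ == "__main__":
    ThreadingHTTPServer(("127.0.0.1", 8008), Handler).serve_forever()
```

Point the browser's HTTP proxy setting at 127.0.0.1:8008 and edit on_request or on_response to alter traffic; CONVERSATIONS is the review log. Two simplifications to be aware of: repeated headers such as Set-Cookie collapse to one value because dict() keeps the first, and HTTPS is deliberately left out. Intercepting HTTPS requires handling CONNECT and terminating TLS with a certificate the browser has been told to trust (which is how WebScarab's own HTTPS interception works); without that, a proxy can only tunnel encrypted bytes it cannot read.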

WebScarab

Type: Web Application Scanning
Operating System: Windows, Linux, Mac, Unix
Hardware Requirements: not listed
License: Freeware
NIAP Validated: not listed
Common Criteria Rating: not listed
Developer: Rogan Dawes of Corsaire Security
Availability: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

SECTION 6  Related Resources

This provides additional references: books, Web sites, articles, and papers.

References

1. Carnegie Mellon Software Engineering Institute, CERT Coordination Center (n.d.). CERT/CC Statistics 1988-2008. http://www.cert.org/stats/cert_stats.html (accessed June 3, 2009).
2. Homeland Security Advisory Council. Report of the Critical Infrastructure Task Force, January 2006.
3. Merriam-Webster Online Dictionary. http://www.merriam-webster.com/ (accessed June 5, 2009).
4. Schultze, E. "Thinking Like a Hacker." March 2002. http://pdf.textfiles.com/security/thinkhacker.pdf (accessed June 5, 2009).
5. Storms, Andrew (SANS Institute). "Using Vulnerability Tools To Develop an OCTAVE Risk Profile." December 2003. http://www.sans.org/reading_room/whitepapers/auditing/1353.php?portal=813b67045603408ee90700647 (retrieved March 13, 2007).
6. U.S. Government, Intelligence Community. Analytical Risk Management: A Course Guide for Security Risk Management, May 2003.
7. U.S. Government, National Institute of Standards and Technology, National Vulnerability Database. Security Content Automation Protocol Validated Products. http://nvd.nist.gov/scapproducts.cfm (accessed June 3, 2009).
8. U.S. Government, White House. Cyberspace Policy Review. http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf (accessed June 5, 2009).
9. Spiegel Online International. "Away From the Politics of Fear": Interview with Homeland Security Secretary Janet Napolitano. http://www.spiegel.de/international/world/0,1518,613330,00.html (accessed June 5, 2009).
10. SRI International; Phillip Porras, Hassen Saidi, and Vinod Yegneswaran. An Analysis of Conficker's Logic and Rendezvous Points. http://mtc.sri.com/conficker. Updated March 19, 2009 (accessed June 10, 2009).
11. Conficker Working Group home page. http://www.confickerworkinggroup.org/wiki/pmwiki.php
12. Cyber Secure Institute. Cyber Secure Institute on the Conficker Controversy. http://cybersecureinstitute.org/blog/?p=15 (accessed June 11, 2009).
13. Braunton, Gregory (SANS Institute). "B.A.S.E.: A Security Assessment Methodology." http://www.sans.org/reading_room/whitepapers/auditing/b_a_s_e_–_a_security_assessment_methodology_1587 (accessed June 11, 2009).
14. Chairman of the Joint Chiefs of Staff. Joint Publication 3-13: Information Operations. February 13, 2006.

SECTION 7  Recommended Resources

Alberts, Christopher, and Audrey Dorofee. Managing Information Security Risks: The OCTAVE Approach. Boston: Addison-Wesley Professional, 2003.

Braunton, Gregory (SANS Institute). B.A.S.E.: A Security Assessment Methodology, September 2004.

Open Vulnerability and Assessment Language (OVAL). http://oval.mitre.org

Peltier, Thomas R., J. Peltier, and J. A. Blackley. Managing a Network Vulnerability Assessment. Boca Raton, FL: CRC Press, 2003.

Stoneburner, G., A. Goguen, and A. Feringa. Special Publication 800-30: Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology (NIST), 2002.

U.S. Government, Intelligence Community. Analytical Risk Management: A Course Guide for Security Risk Management, 2003.

U.S. Government, Department of Commerce. FIPS Publication 199: Standards for Security Categorization of Federal Information and Information Systems. Federal Information Processing Standards (FIPS), 2004.

U.S. Government, National Institute of Standards and Technology, National Vulnerability Database. Security Content Automation Protocol Validated Products. http://nvd.nist.gov/scapproducts.cfm

SECTION 8  Definitions

- All-hazards/Threat: Circumstances, events, or people with the potential to cause harm to a system. The full spectrum of threats and hazards could include natural disasters (e.g., floods, fires, hurricanes), domestic or international criminal activity, and accidental disruptions such as construction mishaps.
- Critical Asset: Those assets of such importance to an organization that without them the organization's ability to execute its mission would be significantly degraded or suffer complete failure.
- False Negative: When a tool fails to find an existing vulnerability.
- False Positive: When a tool reports a vulnerability that does not exist.
- Risk: A function of the likelihood that a specific hazard/threat will exploit a given vulnerability and that the resulting impact of loss of the critical asset will cause significant degradation or even mission failure of the organization. Written mathematically, risk is:

  Threat x Vulnerability x Impact of Loss = Risk

- Risk Assessment: The process of evaluating the impact of loss of an asset, the likely and probable threats, and the vulnerabilities of the asset.
- Risk Management: A process for identifying and prioritizing the impact of loss, threats, and vulnerabilities, and making rational decisions regarding the expenditure of resources and the implementation of countermeasures to reduce the risk of loss.
- Scanning: A periodic examination of traffic activity, system files and permissions, and overall system configuration to determine whether further processing is required.
- Vulnerability: A weakness in a system's security scheme, which may include system security procedures, internal controls, or implementation. Exploitation would negatively affect the confidentiality, integrity, or availability of the system or its data.
- Vulnerability Assessment: An examination of the ability of a system or application, including current security procedures and controls, to withstand assault. A vulnerability assessment may be used to (a) identify weaknesses that could be exploited and (b) predict the effectiveness of additional security measures in protecting information resources from attack.

SECTION 9  Definitions of Acronyms and Key Terms

Acronym or Term: Definition

ACL: Access Control List
ARP: Address Resolution Protocol
CERT: Computer Emergency Response Team
CGI: Common Gateway Interface
COPS: Computer Oracle and Password
COTS: Commercial Off-the-Shelf
CPU: Central Processing Unit
CSV: Comma-Separated Values
CVE: Common Vulnerabilities and Exposures
DHS: Department of Homeland Security
DISA: Defense Information Systems Agency
DoD: Department of Defense
DSII: DominoScan II
DSS: Data Security Standard
DTIC: Defense Technical Information Center
ePO: ePolicy Orchestrator
ESSG: Enterprise-Wide Information Assurance and Computer Network Defense Solutions Steering Group
FDCC: Federal Desktop Core Configuration
FISMA: Federal Information Security Management Act of 2002
GB: Gigabyte
GHz: Gigahertz
GLBA: Gramm-Leach-Bliley Act
GUI: Graphical User Interface
HBSS: Host Based Security System
HIPAA: Health Insurance Portability and Accountability Act
HIPS: Host Intrusion Prevention System
HSPD-7: Homeland Security Presidential Directive 7
HTML: HyperText Markup Language
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
IA: Information Assurance
IAC: Information Analysis Center
IATAC: Information Assurance Technology Analysis Center
IAVA: Information Assurance Vulnerability Alert
IP: Internet Protocol
IPS: Intrusion Prevention System
IT: Information Technology
MA: McAfee Agent
MB: Megabyte
MBSA: Microsoft Baseline Security Analyzer
MHz: Megahertz
MU: Microsoft Update
NIAP: National Information Assurance Partnership
NIST: National Institute of Standards and Technology
Nmap: Network Mapper®
NVD: National Vulnerability Database
OMB: Office of Management and Budget
OS: Operating System
OVAL: Open Vulnerability and Assessment Language
PA: Policy Auditor
PCI: Payment Card Industry
PEO-IAN: Information Assurance/Network Operations Program Executive Office
PERL: Practical Extraction and Report Language
PHP: PHP: Hypertext Preprocessor
RAM: Random Access Memory
RSD: Rogue System Detection
SaaS: Software-as-a-Service
SANS: SysAdmin, Audit, Network, Security
SARA: Security Auditor's Research Assistant
SATAN: Security Administrator's Tool for Analyzing Networks
SCAP: Security Content Automation Protocol
SCCM: System Center Configuration Manager
SMS: Systems Management Server
SNMP: Simple Network Management Protocol
SOX: Sarbanes-Oxley Act
SQL: Structured Query Language
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
URL: Uniform Resource Locator
VM: Vulnerability Management
WSUS: Windows Server Update Services
XML: eXtensible Markup Language
XSS: Cross-Site Scripting