Information Assurance Tools Report
Vulnerability Assessment Tools
Fifth Edition
September 25, 2009
Distribution Statement A
Approved for public release; distribution is unlimited.
Table of Contents
SECTION 1 Introduction ... 1
  1.1 Purpose ... 2
  1.2 Scope ... 2
  1.3 Report Organization ... 2
SECTION 2 IT Risk Management Overview ... 5
  2.1 Background ... 5
  2.2 Growth in IT Incidents and Vulnerabilities ... 5
  2.3 What is Risk Management? ... 6
SECTION 3 Automated Vulnerability Assessment Tools ... 9
  3.1 How Vulnerability Assessment Tools Work ... 9
  3.2 Definition Box ... 9
  3.3 How Vulnerability Assessment Tools Can Be Incorporated into a Security Plan ... 11
SECTION 4 Tool Collection ... 13
  4.1 Classification ... 13
  4.2 Tool Selection Criteria ... 13
SECTION 5 Vulnerability Analysis Tools ... 15
  Acunetix® Web Vulnerability Scanner ... 16
  AppDetective ... 17
  ASG Information Assurance Application (IA2) ... 18
  BigFix® Security Configuration and Vulnerability Management Suite ... 19
  Computer Oracle and Password (COPS) ... 20
  CORE IMPACT™ ... 21
  DominoScan II ... 22
  DumpSec v2.8.6 ... 23
  eTrust® Policy Compliance ... 24
  Fortiscan Vulnerability Management ... 25
  GFI LANguard® ... 26
  Gideon SecureFusion Vulnerability Management ... 27
  Host Based Security System (HBSS) ... 28
  Internet Scanner® ... 29
  Lumension Scan™ ... 30
  MBSA 2.1 ... 31
  McAfee® Vulnerability Manager ... 32
  Metasploit ... 33
  N-Stalker® Web Application Security Scanner ... 34
  nCircle® IP360 ... 35
  Nessus® Vulnerability Scanner ... 36
  NetIQ® Secure Configuration Manager ... 37
  Network Mapper (Nmap®) ... 38
  Nikto v2.03 ... 39
  Orascan ... 40
  Paros Proxy v3.2.0 Alpha ... 41
  Proventia® Network Enterprise Scanner ... 42
  proVM Auditor ... 43
  QualysGuard® Vulnerability Management ... 44
  Rational AppScan® ... 45
  Retina Network Security Scanner ... 46
  SAINT ... 47
  SecondLook™ ... 48
  SecureScout® NX ... 49
  SecureScout® Perimeter ... 50
  Security Auditor’s Research Assistant (SARA) v7.9.1 ... 51
  Security Administrator’s Tool for Analyzing Networks (SATAN) ... 52
  SNScan v1.05 ... 53
  ThreatGuard® Secutor Magnus ... 54
  Triumfant Resolution Manager® ... 55
  Typhon III ... 56
  WebInspect ... 57
  WebScarab ... 58
SECTION 6 Related Resources ... 59
SECTION 7 Recommended Resources ... 61
SECTION 8 Definitions ... 63
SECTION 9 Definitions of Acronyms and Key Terms ... 65
IATAC’s mission is to provide DoD with a central
point of access for information on emerging
technologies in IA and cyber security. These include
technologies, tools, and associated techniques for
detection of, protection against, reaction to, and
recovery from information warfare and cyber attacks
that target information, information-based processes,
information systems, and information technology.
Specific areas of study include IA and cyber security
threats and vulnerabilities, scientific and
technological research and development, and
technologies, standards, methods, and tools through
which IA and cyber security objectives are being or
may be accomplished.
As an IAC, IATAC’s basic services include collecting,
analyzing, and disseminating IA scientific and
technical information; responding to user inquiries;
database operations; current awareness activities
(e.g., the IAnewsletter, IA Digest, IA/Information
Operations Events Scheduler, and IA Research
Update); and publishing State-of-the-Art Reports,
Critical Review and Technology Assessments reports,
and Tools Reports.
The IA Tools Database is one of the knowledge bases
maintained by IATAC. This knowledge base contains
information on a wide range of intrusion detection,
vulnerability analysis, firewall applications, and
anti-malware tools. Information for the IA Tools
Database is obtained via open-source methods,
including direct interface with various agencies,
organizations, and vendors. Periodically, IATAC
publishes a Tools Report to summarize and elucidate
a particular subset of the tools information in the
IATAC IA Tools Database that addresses a specific
IA or cyber security challenge. To ensure applicability
to Warfighter and Research and Development
Community (Program Executive Officer/Program
Manager) needs, the topic areas for Tools Reports
are solicited from the DoD IA community or based
on IATAC’s careful ongoing observation and analysis
of the IA and cyber security tools and technologies
about which that community expresses a high
level of interest.
SECTION 1 Introduction
The Information Assurance Technology Analysis Center (IATAC) provides the Department of Defense (DoD) with emerging scientific and technical information to support Information Assurance (IA) and defensive information operations. IATAC is one of 10 Information Analysis Centers (IAC) sponsored by DoD and managed by the Defense Technical Information Center (DTIC). IACs are formal organizations chartered by DoD to facilitate the use of existing scientific and technical information. Scientists, engineers, and information specialists staff each IAC. IACs establish and maintain comprehensive knowledge bases that include historical, technical, scientific, and other data and information, which are collected worldwide. Information collections span a wide range of unclassified, limited-distribution, and classified information appropriate to the requirements of sponsoring technical communities. IACs also collect, maintain, and develop analytical tools and techniques, including databases, models, and simulations.
Inquiries about IATAC capabilities, products, and
services may be addressed to:
Gene Tyler, Director
13200 Woodland Park Road, Suite 6031
Herndon, VA 20171
Phone: 703/984-0775
Fax: 703/984-0773
Email: [email protected]
URL: http://iac.dtic.mil/iatac
SIPRNET: https://iatac.dtic.mil
1.1 Purpose
This report provides a brief background on
information technology (IT) risk assessment and risk
management concepts, a short primer on
vulnerability assessment tools, and an index of
vulnerability assessment tools contained in the
IATAC IA Tools Database. Moreover, the report
provides users with an understanding of why
engaging in risk management activities such as
conducting vulnerability and risk assessments is an
important aspect of assuring your critical IT asset’s
ability to effectively support your critical missions.
Finally, this report provides a summary of the
characteristics and capabilities of publicly available
vulnerability assessment tools. IATAC does not
endorse, recommend, or evaluate the effectiveness of
any specific tools. The written descriptions are based
solely on the suppliers’ claims and are intended only
to highlight the capabilities and features of each tool.
These descriptions do not reflect the opinion of
IATAC. It is up to the readers of this document to
assess which product, if any, might best meet their
needs. Technical questions concerning this report
may be addressed to [email protected].
1.2 Scope
Currently, the IATAC database contains descriptions
of numerous tools that can be used to support
vulnerability and risk assessment activities.
Vulnerability analysis tools are programs that help
automate the identification of vulnerabilities in a
network or system. Vulnerabilities can be defined as
weaknesses in a system’s security scheme,
exploitation of which would negatively affect the
confidentiality, integrity, or availability of the system
or its data. The type and level of detail of information
provided among tools varies greatly. Although some
can identify only a minimal set of vulnerabilities,
others can perform a greater degree of analysis and
provide detailed recommended countermeasures.
The most recent development in vulnerability
management is the ability for a tool to scan for
vulnerabilities, analyze the impact of the
vulnerability, determine a solution, identify the
appropriate patches and security fixes, and finally,
even deploy those patches in real time.
The majority of the tools identified in the IA Tools
Database are available on the Internet, and many are
used by crackers in the first stage of an attack:
vulnerability information gathering. Penetration
tools, which perform destructive actions (e.g., denial-of-service
attacks), are excluded from this category.
Sniffers and Trojan Horse programs also are
excluded. Although many network utilities (e.g., host,
finger) are valuable in identifying vulnerabilities on a
host, they are often an automated component of
vulnerability analysis tools, and therefore are not
individually described in the database. The database
includes commercial products, individually
developed tools, government-owned tools, and
research tools. The database was built by gathering as
much open-source data as possible, analyzing that data, and
summarizing information regarding the basic
description, requirements, availability, and contact
information for each vulnerability analysis tool
collected. Generally, the commercially developed
products are available. The government and
academic tools, however, are reserved for specific
projects and organizations.
1.3 Report Organization
This report is organized into eight sections. Section 1
provides an introduction to IATAC and the
vulnerability analysis tools report. Section 2
summarizes the fundamentals of IT risk assessment
and risk management. Section 3 provides background
information on how automated vulnerability
assessment tools work. Section 4 explains the
classification of tools highlighted in this report, how
they were selected, and the schema of the IA Tools
Database. Section 5 includes a listing of currently
available host, network, Web-application, and
database-application vulnerability scanners as well
as tools able to manage vulnerabilities in all of the
scanning areas as well as apply patches. Sections 6
and 7 provide recommended resources that are
related to the topic of vulnerability assessment and
definitions associated with this report. Finally,
Sections 8 and 9 contain IA-related definitions and
acronyms, respectively.
SECTION 2 IT Risk Management Overview
2.1 Background
Critical Infrastructures, both cyber and physical,
“provide the foundation for and enable the
functioning of every facet of American Society.” [2] In
view of the heightened concerns about the wide
variety of threats and hazards that our nation faces
and the potential impact on the ability of our critical
infrastructure to resiliently support overarching
missions, the executive branch has issued a number
of actions that assign responsibilities, direct
planning, and enhance training to protect the
nation’s critical infrastructure and respond to all
types of threats. Homeland Security Presidential
Directive 7 (HSPD-7), Critical Infrastructure
Identification, Prioritization, and Protection (dated
December 2003), and The National Strategy to Secure
Cyberspace and The National Strategy for the Physical
Protection of Critical Infrastructures and Key Assets
(both dated February 2003) specifically address the
different threats and protection/assurance of the
nation’s most vital resources by providing
overarching policy guidance. These all focused on
defensive strategies, and HSPD-7 did not address the
protection of federal government information
systems. The Comprehensive National Cybersecurity
Initiative (CNCI), codified in the classified directive
known as National Security Presidential Directive
(NSPD)-54/HSPD-7, aims to unify defensive missions
in cyber security with those of law enforcement,
intelligence, counterintelligence, and military to
defend against the full spectrum of threats to the
nation’s critical infrastructure.
In the constantly evolving world of IT, ensuring that
our vital systems remain operational is of paramount
importance and in line with the national strategy. To
this end, Secretary Janet Napolitano of the
Department of Homeland Security (DHS) has adopted
“a policy of being prepared for all risks that can
occur” [9] to assure the resiliency of our nation’s
critical infrastructures. Cyber assets obviously make
up a significant portion of our nation’s critical assets
and also provide support to even more critical assets
by acting as a critical supporting infrastructure asset.
2.2 Growth in IT Incidents and Vulnerabilities
Automated attacks on information systems, and
especially attacks against Internet-connected
systems, continue to grow at such an exponential rate
that they are viewed as almost commonplace. In fact,
as of 2004, Carnegie Mellon’s Computer Emergency
Response Team (CERT) stopped tracking the number
of incidents reported per year because they believe it
“provides little information with regard to assessing
the scope and impact of attacks.” [1] The number of
incidents reported from 1988 through the end of 2003
is listed in Figure 1. Carnegie Mellon’s CERT now
tracks data on the number of vulnerabilities that are
reported each year. Figure 2 lists the number of
vulnerabilities that were reported from 1995 through
the end of the third quarter of 2008.
Along with the continually increasing number of
incidents and the rising number of known
vulnerabilities, the speed at which systems are
attacked is also continuing to accelerate. Identifying
vulnerabilities and addressing them in a timely
manner is crucial to maintaining a secure
environment and saves money in the long run. The
vulnerability that the Conficker worm exploited was
discovered in September 2008, and Microsoft released
a patch in October 2008. Conficker was not
released until November 2008 and had multiple
variants labeled Conficker A - Conficker E (up until
the time of writing). Minimal estimates for Conficker
infections are around three million, while more
realistic estimates are around nine million to 15
million total infections. [11] The economic impact
ranges from the hundreds of millions to billions of
dollars to address the exploit. If more people had
identified the vulnerability and applied patches when
Microsoft first released them, Conficker would have
been a non-issue.
2.3 What is Risk Management?
Many different risk assessment and management
methodologies exist within the public and private
domains. Therefore, to fully understand risk
management, it is important to first define and
understand “risk.” According to the Merriam Webster
Dictionary, risk is defined as the “possibility of loss or
injury.” Insurance companies often view risk as the
“the degree or probability of such loss.” [3] Although
there are numerous definitions of risk, all definitions
are composed of three basic components—
- Assets (i.e., read it as “impact of loss”),
- Threats (i.e., read it as “all possible hazards”),
- Vulnerabilities.
Assets
An asset in the general sense is firm property or
information that is of significant value (known as a
critical asset). In risk management, an asset refers to
the amount of damage losing a firm asset will cause
if something bad occurs. Given that most enterprise
networks have hundreds or thousands of networked
information systems, vulnerability analysis and
assessment by manual methods are virtually
impossible. In addition, it is impossible to
completely ensure that all assets are secure.
Therefore, it is imperative that information security
managers and system owners focus on identifying
only their critical assets—those assets without which
the organization’s key missions would be significantly
degraded or cease to function. This is a key part of the
risk assessment process.
[Figure 1: Number of Security Incidents Reported (1988–2003)]
[Figure 2: Number of Vulnerabilities Reported (1995–Third Quarter 2008)]
Threats
Risks to critical assets can come from a variety of
threats that can be considered possible hazards and
usually fall into three categories—
- Man-made (intentional),
- Natural disaster,
- Accidental (unintentional) disruptions.
Therefore, an effective approach to threats will
consider the full spectrum of threats and hazards,
including natural disasters (e.g., floods, fires,
hurricanes), domestic or international criminal
activity, construction mishaps such as cutting fiber
optic lines, and other types of incidents.
Vulnerabilities
Vulnerabilities are often defined as openings or
pathways that a given threat can exploit to do harm to
a critical asset. With the three main components of
risk in mind, a picture of risk can be formulated. Risk
is viewed as the area where all three circles overlap,
as illustrated in Figure 3.
Articulated as a mathematical formula, risk looks like
the following—
Risk = Threat x Vulnerability x Cost of Asset
We can now more fully define risk as being a function
of the likelihood that a specific hazard/threat will
exploit a given vulnerability and that the resulting
impact of loss of the critical asset will cause
significant degradation or even mission failure
of the organization.
With a firm understanding of risk, risk management
can now be defined. Typically, risk management is a
process for identifying and prioritizing the cost of
assets, threats, and vulnerabilities, then making
rational decisions regarding the expenditure of
resources and the implementation of counter-
measures to reduce risk of loss associated with the
exploitation of critical assets. Figure 4 illustrates the
risk assessment and management processes.
[Figure 3: Components of Risk Diagram]
Because our world is constantly changing, risk
management is an ongoing activity. For example,
technology is continually evolving, especially in the
IT world, which introduces new vulnerabilities.
Threats continue to evolve as well and sometimes
even what is designated as a critical asset changes
because the needs and priorities of an organization
change. Risk management can save resources, time,
and even lives.
[Figure 4: Risk Assessment and Management Process]
From this point forward, this report focuses on the
vulnerability portion of the risk equation.
SECTION 3 Automated Vulnerability Assessment Tools
3.1 How Vulnerability Assessment Tools Work
Vulnerability assessment tools, in general, work by
attempting to automate the first three steps often
employed by hackers: 1) perform a footprint analysis,
2) enumerate targets, 3) test/obtain access through
user privilege manipulation (see Table 1). The
vulnerability assessment tools evaluate network-
attached devices (servers, desktops, switches, routers,
etc.) for vulnerable or potentially vulnerable
situations. Often the vulnerabilities that are
identified by these tools are programming flaws;
however, some tools provide enough data that an
analyst can uncover design, implementation, and
configuration vulnerabilities.
In the case of network-based tools, a network
footprint analysis is performed by scanning for
accessible hosts. The tools enumerate available
network services (e.g., file transfer protocol, hypertext
transfer protocol) on each host as accessible hosts are
identified. As part of the enumeration services,
scanners attempt to identify vulnerabilities through
banner grabbing, port status, protocol compliance,
service behavior, or exploitation. These terms are
defined in Section 3.2 of this document.
Some advantages to vulnerability assessment tools
are that they—
- More clearly define an asset,
- Discover technological and network vulnerabilities,
- Provide multi-perspective view points,
- Help properly scope the analysis,
- Reference public catalogs,
- Highlight design, implementation, and configuration vulnerabilities.
When a scanner finds a host with open ports, it checks
those ports for vulnerabilities to known attacks. Most
scanners include exploit tests that verify whether a
given service or application is vulnerable. Most
scanning tools perform tests based on their database
of vulnerabilities. Just as anti-virus products must be
constantly updated with new signatures, assessment
tools must be continually updated with revisions to
their vulnerability databases. If a vulnerability is not
included in a tool’s database, it cannot be detected
through scanning.
3.2 Definition Box
Hacker’s Methodology – A common approach to
system exploitation—
1. Perform a footprint analysis
2. Enumerate targets
3. Test/obtain access through user privilege manipulation
4. Escalate privileges
5. Gather additional passwords and secrets
6. Install backdoors
7. Leverage the compromised system
Table 1 Hacker’s Methodology
Banner Grabbing
This term refers to grabbing information that a
network service broadcasts about itself. For example,
opening a telnet session to a mail server might yield
the following message:
220 mailhost.company.com ESMTP service (Netscape Messaging Server 4.15 Patch 7 [built September 11, 2001])
This example banner reveals the specific type of mail
server that is running and its patch level. Similarly, a
telnet connection to a Web server might yield
information such as the following—
HTTP/1.1 200 OK
Date: Wed, 02 Jul 2003 22:03:21 GMT
Server: Apache/1.3.27 (Win32) PHP/4.2.2
X-Powered-By: PHP/4.2.1
Connection: close
Content-Type: text/html
In this case, the banner reveals the time on the Web
server, the Web server type and version, an accessible
scripting language (hypertext preprocessor [PHP]),
and the operating system on which it is running.
Port Status
This term refers to checking to determine which
network ports are open to allow connections to
applications. For network services that use
Transmission Control Protocol (TCP), this is done by
sending a TCP connect() request to ports on the
remote system. If the queried port is listening, the
connect() succeeds and the port is considered open; if
nothing is listening, the connect() fails and the port is
considered closed. There are several other methods of
checking port status, such as TCP SYN (synchronize)
scans, TCP FIN (finish) scans, and so forth, that are
beyond the scope of this report.
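The two checks described under Banner Grabbing and Port Status, as an added example that is not code from the report: a connect() port-status check and a banner grab run against a throwaway listener on 127.0.0.1, with a parser for the SMTP greeting and HTTP header block quoted above. The fake service, its banner text and the example.com host name are constructed for this example.

```python
"""Added example: TCP connect() port-status check plus banner grabbing.

Spins up a throwaway listener on 127.0.0.1 that replies with a constructed
SMTP-style greeting (modelled on the one quoted in the report), probes it the
way a network scanner would, and parses software/version out of the banner.
"""
import re
import socket
import threading

# Constructed banners modelled on the report's examples; not from a real host.
FAKE_SMTP_BANNER = (b"220 mailhost.example.com ESMTP service "
                    b"(Netscape Messaging Server 4.15 Patch 7)\r\n")
FAKE_HTTP_BANNER = ("HTTP/1.1 200 OK\r\n"
                    "Date: Wed, 02 Jul 2003 22:03:21 GMT\r\n"
                    "Server: Apache/1.3.27 (Win32) PHP/4.2.2\r\n"
                    "X-Powered-By: PHP/4.2.1\r\n"
                    "Connection: close\r\n"
                    "Content-Type: text/html\r\n\r\n")


def start_fake_service(banner: bytes) -> int:
    """Listen on an ephemeral localhost port and send `banner` to the first client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port() -> int:
    """Return a localhost port that nothing is listening on (bind, read, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def parse_banner(banner: str) -> dict:
    """Extract what a scanner records from a banner. The two shapes quoted in
    the report are an SMTP 220 greeting and an HTTP response header block."""
    lines = banner.splitlines()
    info = {}
    if not lines:
        return info
    first = lines[0]
    if first.startswith("220 "):
        info["protocol"] = "smtp"
        m = re.search(r"\(([^)]*)\)", first)       # software named in parentheses
        if m:
            info["software"] = m.group(1)
    elif first.startswith("HTTP/"):
        info["protocol"] = "http"
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() in ("server", "x-powered-by", "date"):
                info[name.strip().lower()] = value.strip()
        if "server" in info:
            info["software"] = info["server"]
    m = re.search(r"\d+(?:\.\d+)+", info.get("software", ""))
    if m:
        info["version"] = m.group(0)               # first dotted version number
    return info


def probe(host: str, port: int, timeout: float = 1.0) -> dict:
    """connect() check: a listening port completes the handshake ('open'), a
    port with no listener is refused ('closed'), silence means 'filtered'.
    On an open port, also read whatever the service volunteers unprompted."""
    result = {"port": port, "status": "filtered", "banner": "", "info": {}}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            result["status"] = "closed"
            return result
        except OSError:                            # timeout, unreachable, etc.
            return result
        result["status"] = "open"
        try:
            result["banner"] = s.recv(1024).decode("ascii", "replace")
        except OSError:                            # service waits for us to speak first
            pass
    result["info"] = parse_banner(result["banner"])
    return result


if __name__ == "__main__":
    print(probe("127.0.0.1", start_fake_service(FAKE_SMTP_BANNER)))
    print(probe("127.0.0.1", free_port()))
    print(parse_banner(FAKE_HTTP_BANNER))
```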
Protocol Compliance
This term refers to the way an application or operating
system adheres to a standard procedure for data
processing or transmission. One of the most common
ways of using protocol compliance to identify remote
systems is to interrogate the TCP stack. By monitoring
the header information of outbound packets, it is
possible to make accurate guesses regarding the
remote operating system. By examining the Time To
Live on the packet, its Window Size, the Don’t
Fragment bit, and the Type of Service, it is possible in
many cases to determine exactly which
implementation of the TCP stack is on the remote
system. (See Figure 5.) Determining the TCP stack
narrows the number of possible operating systems,
sometimes identifying the exact operating system.
[Figure 5: TCP Connection (3-way Handshake)]
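An added example, not code from the report, of reading the header fields named above (Time To Live, Window Size, Don't Fragment bit, Type of Service) out of a raw IPv4/TCP packet and inferring the sender's initial TTL, the first step of TCP stack fingerprinting. The packet builder, the TEST-NET addresses and the table of initial TTL defaults are assumptions of this example.

```python
"""Added example: parse the stack-fingerprinting fields from a raw IPv4+TCP
SYN and estimate the sender's initial TTL and hop distance."""
import socket
import struct

# Initial TTL values that the observed TTL is rounded up to. These defaults
# (64 for Linux/BSD, 128 for Windows, 255 for many routers) are an assumption
# from general practice, not taken from the report.
INITIAL_TTLS = (32, 64, 128, 255)


def build_syn(ttl: int, tos: int, df: bool, window: int) -> bytes:
    """Construct a minimal IPv4 header + TCP SYN header (checksums left at 0),
    standing in for a packet captured off the wire."""
    flags_frag = 0x4000 if df else 0   # DF is bit 14 of the flags/fragment-offset field
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45,             # version 4, IHL 5 (20-byte header)
                     tos,
                     40,               # total length: 20 IP + 20 TCP
                     0x1234,           # identification
                     flags_frag,
                     ttl,
                     6,                # protocol: TCP
                     0,                # header checksum (not computed here)
                     socket.inet_aton("192.0.2.10"),   # TEST-NET-1 documentation addresses
                     socket.inet_aton("192.0.2.20"))
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 80,       # source / destination port
                      1, 0,            # sequence / acknowledgement numbers
                      0x50,            # data offset 5 words, reserved bits 0
                      0x02,            # flags: SYN
                      window,
                      0, 0)            # checksum, urgent pointer
    return ip + tcp


def tcp_stack_fields(pkt: bytes) -> dict:
    """Parse the fingerprinting-relevant fields and estimate hop count from TTL."""
    ver_ihl, tos, _, _, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if proto != 6:
        raise ValueError("not a TCP segment")
    ihl = (ver_ihl & 0x0F) * 4                     # IP header length in bytes
    window = struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0]
    initial_ttl = next((t for t in INITIAL_TTLS if t >= ttl), 255)
    return {
        "ttl": ttl,
        "tos": tos,
        "df": bool(flags_frag & 0x4000),
        "window": window,
        "initial_ttl_guess": initial_ttl,
        "hops_guess": initial_ttl - ttl,
    }


if __name__ == "__main__":
    # Constructed sample: a sender that started at TTL 64, 13 hops away, DF set.
    print(tcp_stack_fields(build_syn(ttl=51, tos=0, df=True, window=5840)))
```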
Service Behavior
This term refers to the way a network service responds
to remote requests. Different implementations of a
given type of service may result in slightly different
behavior from remote requests. For example, a “help”
command response from a sendmail email server is
different from the result from a postfix email server.
Exploitation
Computer network exploitation (CNE) refers to the
“enabling operations and intelligence collection
capabilities conducted through the use of computer
networks to gather data from target or adversary
automated information systems or networks.” [14]
CNE can be accomplished through a variety of means
such as packet sniffing, hijacking TCP connections,
port scanning, and address resolution protocol (ARP)
spoofing. For example: ARP spoofing is a technique
used to exploit ethernet networks. This type of
spoofing can be used in two different ways—
- Sending fake, or spoofed, ARP messages to an ethernet local area network,
- As part of a “man-in-the-middle attack.”
The first means of exploitation is accomplished by
sending frames that contain false media access
control addresses, thus confusing network devices,
such as network switches. The resulting effect is that
the frames that are intended for one machine can be
mistakenly sent to another (allowing the packets to be
sniffed) or an unreachable host (a denial of service
attack). The second means of exploitation is
accomplished by forwarding all traffic through a host
with the use of ARP spoofing and then analyzing the
frames for passwords and other information.
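An added example, not code from the report, of the detection side of the ARP behaviour just described: it replays observed ARP replies against a learned IP-to-MAC table and flags an IP whose MAC changes and a single MAC that claims several IPs (the two-sided poisoning a man-in-the-middle relies on). The reply records and addresses are constructed, not a real capture.

```python
"""Added example: arpwatch-style detection of ARP spoofing symptoms."""
from collections import defaultdict

# Constructed ARP reply observations: (timestamp, sender IP, sender MAC).
ARP_REPLIES = [
    (1, "192.0.2.1", "00:11:22:33:44:01"),   # default gateway as normally seen
    (2, "192.0.2.7", "00:11:22:33:44:07"),   # a workstation
    (3, "192.0.2.1", "aa:bb:cc:dd:ee:99"),   # gateway IP now claimed by another MAC
    (4, "192.0.2.7", "aa:bb:cc:dd:ee:99"),   # same MAC also claims the workstation
]


def arp_alerts(replies):
    """Replay ARP replies against a learned IP-to-MAC table and return alerts.
    The first binding seen for an IP is trusted, as a host cache would do."""
    learned = {}                    # ip -> mac first seen for it
    claims = defaultdict(set)       # mac -> set of ips it has announced
    alerts = []
    for ts, ip, mac in replies:
        claims[mac].add(ip)
        if ip not in learned:
            learned[ip] = mac
        elif learned[ip] != mac:
            alerts.append({"time": ts, "type": "ip-mac-change", "ip": ip,
                           "old_mac": learned[ip], "new_mac": mac})
        # A multi-homed host or a proxy-ARP router also matches this rule, so
        # it is strongest when it coincides with an ip-mac-change on the same MAC.
        if len(claims[mac]) > 1:
            alerts.append({"time": ts, "type": "mac-claims-multiple-ips",
                           "mac": mac, "ips": sorted(claims[mac])})
    return alerts


if __name__ == "__main__":
    for alert in arp_alerts(ARP_REPLIES):
        print(alert)
```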
3.3 How Vulnerability Assessment Tools Can Be Incorporated into a Security Plan
Security plans are a critical aspect of a firm or
organization’s secure operations. Security plans, or
more precisely, system security plans, are specific
guidelines and procedures to accomplish the secure
setup, operation, and maintenance of an information
system. To effectively implement a system security
plan for a large infrastructure, it is necessary to
leverage security technology to automate the
important and otherwise time-consuming aspects of
the security operations.
Tools for scanning are invaluable for gaining a
snapshot in time of the vulnerabilities that exist on a
given network at a given point in time. Most scanning
tools include a reporting option or module that
explains the vulnerabilities detected and provides a
ranking of the criticality of each problem (e.g., high,
medium, low). To enhance the security of your
systems, assessments should be performed on a
routine basis. This will provide the users and
administrators assurance that the system is free from
malicious code. Just as thousands of vulnerabilities
are reported each year, systems must be scanned at
regular and frequent intervals to ensure that they are
not susceptible to attack. In addition, when new hosts
are connected to the system, networks must be
checked for the risks that these new systems might
bring to the overall network. Checks must also be
conducted when newly discovered weaknesses in
existing applications and operating systems are
announced. After all, “a fundamental tenet of
security is that a chain is only as strong as its weakest
link and a wall is only as strong as its weakest point.
Smart attackers are going to seek out that weak point
and concentrate their attention there.” [13] A single
host that is vulnerable to attack puts the entire
network at risk.
The identification of vulnerabilities on a system is
only half the challenge. The other half of the challenge
is fixing the vulnerabilities that are found. Identified
vulnerabilities can be corrected via patches,
updating, or even reconfiguring the system. Finding
the time and money to correct the vulnerability can
be a challenge. The system and network
administrators must work with management to share
the information that was found during the assessment
and weigh the costs of correcting the vulnerability
against the benefits. There are tools that can
automatically patch a large number of vulnerabilities
and systems, but they are often very expensive. Managers
and administrators need to understand their
environment and choose a solution that fits. A
manager can choose not to spend the money on a
more robust patch management solution, but must
realize that man-power must replace what he or she
has chosen not to purchase in an automated solution.
Unfortunately, scanning tools suffer from false
positive problems and false negative problems in
vulnerability identification that are similar to anti-
virus products. A false positive means that a tool finds
a vulnerability that does not exist. For example, a
particular scanner may report that a network server is
a Windows® 2000 system that is vulnerable to a known
Microsoft Internet Information Server (IIS) Web
server bug, when in fact, the server is a Linux system
running the Apache Web server. A false negative
means that a tool fails to find an existing
vulnerability. An example of this behavior could be
when a particular tool tests a network host and fails to
discover that it is remotely exploitable through an
anonymous login.
Ultimately, common sense must be applied to all
findings to ensure that meaningful vulnerabilities
are corrected; however, time should not be wasted
on erroneous results. Finding the right balance can
sometimes be difficult. One potential strategy for
reducing the number of false positives and false
negatives is to run two different scanners against a
given network and compare the results. In most
cases, the results of both tools will complement each
other so that no weaknesses are overlooked. In all
cases, it is necessary to have a knowledgeable and
responsible security professional who can effectively
leverage security tools to manage the security
operations of an organization.
SECTION 4 Tool Collection
4.1 Classification
Existing community relationships were leveraged
during the process of data gathering on the tools.
Collection activities included Internet searches to
identify additional corporations, professional
organizations, and universities with involvement in
vulnerability analysis.
The tools described in the IATAC IA Tools Database
can be categorized within one or more of the topical
areas listed below—
- Host scanning—Host-scanning tools scan critical system files, active processes, file shares, and the configuration and patch level of a particular system. The results produced from this type of tool are usually very detailed because they run on the host system at the same permission level as the user conducting the scan. Although host-based tools provide very detailed results, sometimes the volume of data that is produced from these scans (i.e., when conducted across several hosts) can be difficult to aggregate and correlate to produce results. [Imagine an administrator trying to physically visit and test 1,000 workstations.]
- Network scanning—Network-scanning tools scan available network services for vulnerabilities through banner grabbing, port status, protocol compliance, service behavior, or exploitation.
- Web application scanning—Web application-scanning tools designed specifically for the Web are a specialized form of network or host scanner that interrogate Web servers or scan Web source code for known vulnerabilities (e.g., DominoScan). These tools often search for the presence of default accounts, directory traversal attacks, form validation errors, insecure cgi-bin files, demonstration Web pages, and other vulnerabilities.
- Database application scanning—Database application-scanning tools that are specifically designed for databases are a unique form of network scanner. These tools interrogate database servers for known vulnerabilities (e.g., AppDetective).
- Vulnerability and patch management—The category of Vulnerability and Patch Management has tools that wrap up many aspects of vulnerability management. These tools address vulnerabilities, policy compliance, patch management, configuration management, and reporting. These are meant to be all-in-one solutions that make managing very large networks and domains efficient and require as little manpower as possible.
4.2 Tool Selection Criteria
The selected tools meet the following three criteria—
• Definition—These tools satisfy the objective,
approach, and methodology of a vulnerability
analysis tool based on the definition of
vulnerability.
• Specificity to vulnerability analysis—The primary
function of these tools is vulnerability analysis or
vulnerability management. These tools may also
be used during the first stages of a penetration
attack as a way of identifying the target system’s
weaknesses and helping to fine-tune the attack.
Penetration test tools, whose primary purpose is to
exploit identified vulnerabilities and cause
damage or destruction to the target system, are not
included.
• Current availability—The tools that are included in
this report are currently available from the
Government, academia, or commercial sources, or
as freeware on the Internet. Some tools that were
included in previous versions of this report are no
longer available or have been renamed. All tools
from previous releases of this report that are no
longer available have been removed.
Trademark Disclaimer
The authors have made a best effort to indicate
registered trademarks where they apply, based on
searches in the U.S. Patent and Trademark Office
Trademark Electronic Search System for “live”
registered trademarks for all company, product, and
technology names. There is a possibility, however,
that due to the large quantity of such names in this
report, some trademarks may have been overlooked
in our research. We apologize in advance for any
trademarks that may have been inadvertently
excluded, and invite the trademark registrants to
contact the IATAC to inform us of their trademark
status so we can appropriately indicate these
trademarks in our next revision. Note that we have
not indicated non-registered and non-U.S.
registered trademarks due to the inability to
research these effectively.
Legend for Tables
For each tool described in this section, a table is
provided that gives certain information about that
tool. This information includes—
Type: The type of tool, or category in which this tool belongs, e.g., “Web Application Scanning”
Operating System: The operating system(s) on which the tool runs. If the tool is an appliance, this field will contain a “not applicable” symbol (N/A) because the operating system is embedded in the tool.
Hardware: The third-party hardware platform(s) on which the tool runs, plus any significant additional hardware requirements, such as minimum amount of random access memory or free disk space. If the tool is an appliance, this field will contain a “not applicable” symbol (N/A) because the hardware is incorporated into the tool.
License: The type of license under which the tool is distributed, e.g., Commercial, Freeware, GNU Public License
NIAP Validated: An indication of whether the product has received a validation by the National Information Assurance Partnership (NIAP) under the Common Criteria, Federal Information Processing Standard 140, or another certification standard for which NIAP performs validations. If no such validation has been performed, this field will be blank.
Common Criteria: If the tool has received a Common Criteria certification, the Evaluation Assurance Level and date of that certification. If no such certification has been performed, this field will be blank.
Developer: The individual or organization responsible for creating and/or distributing the tool
URL: The Uniform Resource Locator (URL) of the Web page from which the tool can be obtained (downloaded or purchased), or in some cases, the Web page at which the supplier can be notified with a request to obtain the tool
SECTION 5 Vulnerability Analysis Tools
Section 5 summarizes pertinent information, providing users a brief description of available vulnerability analysis tools and vendor contact information. Again, IATAC does not endorse, recommend, or evaluate the effectiveness of these tools. The written descriptions are drawn from vendors’ information and are intended only to highlight the capabilities or features of each product. It is up to the reader to assess which product, if any, may best suit his or her security needs.
IATAC does not endorse any of the following product evaluations.
Acunetix® Web Vulnerability Scanner

Abstract
Acunetix’s engineers have focused on Web security
since 1997 and have developed tools for Web site
analysis and vulnerability detection.

Features
• AcuSensor Technology;
• An automatic Javascript analyzer allowing for
security testing of Ajax and Web 2.0 applications;
• Structured Query Language (SQL) injection and
cross-site scripting (XSS) testing;
• Visual macro recorder allows for testing Web
forms and password protected areas;
• Reporting facilities including VISA Payment
Card Industry (PCI) compliance reports;
• Multi-threaded scanner crawls hundreds of
thousands of pages;
• Crawler detects Web server type and
application language;
• Acunetix crawls and analyzes Web sites, including
flash content, SOAP, and AJAX;
• Port scans a Web server and runs security checks
against network services running on the server.

Type: Web Application Scanning
Operating System: Windows XP, Vista, 2000, Server 2003
Hardware Requirements: 1 gigabyte (GB) random access memory (RAM), 100 megabyte (MB) disk space
License: Commercial (Free Trial Copy)
NIAP Validated:
Common Criteria Rating:
Developer: Acunetix
Availability: http://www.acunetix.com/vulnerability-scanner/
AppDetective

Abstract
A network-based, vulnerability assessment scanner,
AppDetective discovers database applications within
an infrastructure and assesses their security strength.
In contrast to piecemeal solutions, AppDetective
modules allow enterprises to assess two primary
application tiers—application/middleware, and
back-end databases—through a single interface.
Backed by a proven security methodology and
extensive knowledge of application level
vulnerabilities, AppDetective locates, examines,
reports, and fixes security holes and
misconfigurations. As a result, enterprises can
proactively harden their database applications
while at the same time improving and simplifying
routine audits.

Features
• Automated database discovery and inventory,
• User rights management,
• Job scheduling,
• Database-specific vulnerability assessment,
• Compliance mapping,
• “Outside-in” and “inside-in” vulnerability testing,
• Industry leading database vulnerability knowledge base,
• Automated information gathering and analysis,
• Scalable database scanning,
• Advanced, customizable reporting.

Type: Database Scanning
Operating System: Windows XP, Server 2003
Hardware Requirements: 750 Megahertz (MHz) central processing unit (CPU), 512 MB RAM, 300 MB Disk Space
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Application Security, Inc.
Availability: http://www.appsecinc.com/products/appdetective/
ASG Information Assurance Application (IA2)

Abstract
ASG’s Information Assurance Application (IA²)
automates the reporting requirements of DISA. IA²
automatically parses, stores, tracks, and reports on
the Defense Information Systems Agency’s (DISA)
Security Readiness Review, third party vulnerability
scanner results, and DISA’s Security Checklists.
IA² has the ability to synchronize the local database
with the third party vulnerability scanners as well as
the DISA Security Readiness Review scripts. All of the
data from each source is combined and cross
referenced giving a complete view of your
environment. IA² also incorporates a robust
reporting solution allowing for tracking, trending
and ad hoc reporting.

Features
• Federal Information Security Management Act of 2002 (FISMA) automation,
• Vulnerability gap analysis,
• Scanner cross-referencing,
• Information drilldown,
• Automated security checklist,
• Accepts third party scan,
• Advanced reporting,
• Trending,
• Automatically updates signatures,
• Automatic reporting,
• Ad Hoc reporting,
• Secure communication,
• Secure data storage,
• Distributed architecture,
• Windows authentication,
• Role-based security.

Supported Scanners
• Foundstone,
• Harris STAT,
• eEye,
• Nessus,
• nCircle.

Type: Vulnerability and Patch Management
Operating System:
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Atlantic Systems Group, Inc. (ASG)
Availability: http://www.asg.cc/IA2/
BigFix® Security Configuration and Vulnerability Management Suite

Abstract
Offered as part of the BigFix Security Configuration
and Vulnerability Management suite, BigFix
Vulnerability Management reduces risk across the
enterprise for all assets, whether they are fixed or
mobile, desktops, laptops, or servers. Through a
repository of vulnerability assessment policies, BigFix
provides organizations with the ability to assess their
managed systems against Open Vulnerability
Assessment Language (OVAL)-based vulnerability
definitions. Each managed endpoint quietly and
continuously evaluates the state of the endpoint, and
reports on any non-compliant policy in real-time by
leveraging the power of BigFix Unified Management
platform. Additionally, the BigFix high performance
architecture enables the industry’s fastest time to
remediation and closely bridges assessment with
remediation by applying necessary patch and
configuration policies.

Features
• Assess managed endpoints against known
vulnerabilities using pre-defined, out-of-the-box
OVAL-based policy definitions;
• Identify and eliminate known vulnerabilities
across hundreds of thousands of endpoints
using automated policy enforcement or
manual deployment;
• Continuously enforce policies on or off
the network;
• Map all vulnerabilities to industry standards to
provide Common Vulnerabilities and Exposures
(CVE) and Common Vulnerability Scoring System
references and links to the National Vulnerability
Database (NVD);
• Integrate with BigFix Patch Management and
Security Configuration Management for
comprehensive assessment and remediation
of identified vulnerabilities;
• Create flexible, on-demand ad-hoc custom
queries and reports;
• Security Content Automation Protocol
(SCAP) validated.

Type: Vulnerability and Patch Management
Operating System: Windows Server 2000/2003/2008
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: BigFix
Availability: http://www.bigfix.com/content/vulnerability-management
Computer Oracle and Password (COPS)

Abstract
Computer Oracle and Password (COPS) is a security
toolkit that examines a system for a number of
known weaknesses, and it alerts the system
administrator to these weaknesses. In some cases, it
can automatically correct these problems.

Type: Database Scanning
Operating System: Unix
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Dan Farmer
Availability: http://ftp.cerias.purdue.edu/pub/tools/unix/scanners
CORE IMPACT™

Abstract
CORE IMPACT Pro is a comprehensive software
solution for assessing the security of network systems,
endpoint systems, email users, and Web applications.
Backed by Core Security’s ongoing vulnerability
research and threat expertise, IMPACT Pro allows
you to get in-depth visibility of your organization’s
network and application vulnerabilities.

Features
• Gather system information via Network Discovery,
Port Scanner, and operating system (OS) and
Service Identification modules;
• Identify critical OS, service, and application
vulnerabilities with a constantly updated library
of Commercial-Grade Exploits;
• Demonstrate the consequences of a breach by
replicating the steps an attacker would take,
including opening command shells, browsing file
systems, and seeking administrative privileges;
• Emulate multistaged threats that leverage
compromised systems as beachheads to
launch internal attacks against backend
network resources;
• Run tests without installing modules on
compromised systems, or altering them
in any way;
• Generate reports containing actionable data for
prioritizing remediation, demonstrating security
improvements, and complying with regulations;
• CORE IMPACT Pro enables you to test Web
applications against XSS (URL-based), SQL
Injection, Blind SQL Injection, and Remote
File Inclusion for PHP applications;
• Identify weaknesses in Web applications,
Web servers, and associated databases—
with no false positives;
• Dynamically generate exploits that can
compromise security weaknesses in
custom applications;
• Demonstrate the consequences of a successful
attack by replicating local attacks against
back-end resources;
• Get actionable data necessary for focusing
development resources on remediating proven
security issues.

Type: Network Scanning
Operating System: Windows XP, Windows Vista
Hardware Requirements: 3 Gigahertz (GHz) Pentium 4+ CPU, 1 GB+ RAM, 1 GB+ Disk space, 1024x768+ resolution
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Core Security Technologies
Availability: http://www.coresecurity.com/content/core-impact-overview
DominoScan II

Abstract
Specially developed to present the attacker’s eye view
of the security issues surrounding Lotus Domino
Web servers and bespoke Notes applications.
Running on Microsoft Windows, DominoScan II
(DSII) has the capability to audit Lotus Domino Web
Servers running on any operating system. An
NGSSoftware-developed technique (Database
Structure Enumeration) allows DSII to interrogate
every view, form, and agent within a database, even
if access control list (ACL) access protection has been
invoked. It will perform an exhaustive range of tests
on each document, auditing over one hundred
sensitive and default databases and subjecting all
documents to a vigorous set of vulnerability
assessment checks.

Features
• Attempts to gain access to over 100 sensitive/default databases;
• Web Administrator template access using ReplicaID;
• Web Administrator template access using buffer truncation;
• ‘cache.dsk’ access using buffer truncation;
• Directory traversal;
• Database browsing;
• Audits bespoke databases;
• Unique database structure enumeration technology;
• Finds hidden and visible views;
• Default Navigator Access;
• Attempts to bypass default Navigator protection;
• Evaluates database design;
• Checks every document for Edit access;
• Attempts a forced search;
• ReadEntries & ReadViewEntries access;
• Reporting in HyperText Markup Language (HTML) (Static/Dynamic), eXtensible Markup
Language (XML), Text file, rich text format, and Open Database Connectivity (Microsoft) database;
• Fast, easy to use, and highly configurable;
• Can perform focused audits;
• Unique Spidering capability offering intelligent scanning;
• Ability to scan as an authenticated user;
• Ability to perform QuickHit audit;
• Vulnerability link to CVE.

Type: Web Application Scanning
Operating System: Windows 2003, 200, XP, NT 4.0
Hardware Requirements: 500 MHz Pentium III, 512 MB RAM, 20 MB Disk Space
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Next Generation Security Software
Availability: http://www.nextgenss.com/products/internet-security/dominoscan.php
DumpSec v2.8.6

Abstract
SomarSoft’s DumpSec is a security auditing program
for Microsoft Windows NT/XP/200x. It dumps the
permissions (Discretionary Access Control Lists) and
audit settings (System Access Control Lists) for the
file system, registry, and printers and shares in a
concise, readable format, so that holes in system
security are readily apparent. DumpSec also dumps
user, group, and replication information.

Type: Host Scanning
Operating System: Windows NT/XP/200x
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: SomarSoft
Availability: www.somarsoft.com
eTrust® Policy Compliance

Abstract
eTrust Policy Compliance provides enterprises with
the tools and information necessary to eliminate one
of the most overlooked threats to networks:
misconfigured assets. eTrust Policy Compliance
helps organizations identify and compare the
security configurations of their critical business
assets to an established baseline and provides the
configuration remediation and measures progress
through risk-based reporting. eTrust Policy
Compliance provides a comprehensive policy and
configuration assessment process to mitigate risk and
ensure compliance with security policies,
government regulations, and industry standards.

Features
• Identify misconfigured IT assets,
• Create secure configuration baselines and
monitor deviations,
• Provide configuration remediation and measure
progress through risk-based reporting,
• Offer extensible tools and open interfaces for
custom security configuration management.

Type: Network Scanning
Operating System: Linux, Windows, Unix
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Computer Associates
Availability: http://www3.ca.com/solutions/Product.aspx?ID=165
Fortiscan Vulnerability Management

Abstract
FortiScan provides a centrally managed, enterprise-scale
solution that enables organizations to close IT
compliance gaps, and implement continuous
monitoring in order to audit, evaluate, and comply
with internal, industry, and regulatory policies for IT
controls and security at the OS level. Organizations
realize quick time-to-value with easy to install,
intuitive, high value standard compliance policies
(National Institute of Standards and Technology
[NIST] SCAP, Federal Desktop Core Configuration
[FDCC], PCI data security standard [DSS], Sarbanes-Oxley
Act [SOX], Gramm-Leach Bliley Act [GLBA],
Health Insurance Portability and Accountability Act
[HIPAA]) ready out of the box with regular updates by
FortiGuard to ensure OS regulatory compliance
requirements are met. FortiScan dedicated hardware
appliances easily plug into the network for fast
deployment. FortiScan integrates endpoint
vulnerability management, industry and federal
compliance, patch management, remediation,
auditing, and reporting into a single, unified
appliance for immediate results. A centralized
administration console facilitates management of
multiple FortiScan appliances across the enterprise.

Features
• Identifies security vulnerabilities and finds
compliance exposures on hosts, servers,
and throughout the network transparently to
end users;
• Network discovery, asset prioritization, and
profile-based scanning;
• Industry, regulatory and best practices, including
templates for ISO 17799, SOX, HIPAA, GLBA, NIST,
SCAP, and FISMA;
• Audits and monitors across heterogeneous
systems and provides industry standard
benchmarks for information security compliance
audits for operating systems;
• Aids compliance for regulatory mandates with
360-degree reporting and analysis, and views;
• Delivers patch management with ready-to-deploy
remediation and enforcement actions—
allowing network managers to change
configurations and potentially mitigate weak
settings, including disabling an application
or denying a network request;
• Reduced errors, repeatable processes, and
predictable results delivered with extensive
libraries of templates that enable IT staff to
leverage industry standard best practices that
produce measurable results.

Type: Vulnerability and Patch Management
Operating System: N/A
Hardware Requirements: Vendor Supplied Hardware
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Fortinet
Availability: http://www.fortinet.com/products/fortiscan/
GFI LANguard®

Abstract
Scans a network and ports to detect, assess, and
correct security vulnerabilities with minimal
administrative effort. GFI LANguard performs
network scans using vulnerability check databases
based on OVAL and SysAdmin, Audit, Network,
Security (SANS) Top 20, providing over 15,000
vulnerability checks.
• Patch Management—GFI LANguard has built in
patch management features that can
automatically download missing Microsoft
security updates, as well as automatically deploy
the missing Microsoft patches or service packs
over the network at the end of scheduled scans.
• Hardware and Software Management—GFI
LANguard’s network auditing feature retrieves
hardware information on memory, processors,
display adapters, storage devices, motherboard
details, printers, and ports in use and monitors
any changes that may occur. GFI LANguard can
also monitor a software baseline, informing
administrators when a new program is
installed and can automatically uninstall
unauthorized applications.

Type: Vulnerability and Patch Management
Operating System: Windows, Mac OS, Linux
Hardware Requirements: 1 GHz CPU, 512 MB RAM, 500 MB Disk space (Minimum. Scanning more hosts requires higher specs. See documentation for details)
License: Commercial—Free version available
NIAP Validated:
Common Criteria Rating:
Developer: GFI
Availability: http://www.gfi.com/lannetscan
Gideon SecureFusion Vulnerability Management

Abstract
Part of the SecureFusion suite, Vulnerability
Management scans for thousands of known
vulnerabilities in operating systems, infrastructure,
network applications, and databases. The
vulnerability signatures are updated on a daily
basis and provide checks for the most recent
security vulnerabilities.
The SecureFusion Portal provides a complete view of
assets, vulnerabilities, configuration details, and
policy compliance metrics. Instead of outdated
spreadsheets and cumbersome tools that cannot
correlate data, the SecureFusion Portal helps you
intelligently analyze your IT environment regarding
unmanaged assets, vulnerabilities, improper settings,
and the reasons behind failed compliance checks.
SecureFusion is built on the additive intelligence of
four core capabilities—
• Asset discovery—performs continuous audits of
managed and unmanaged assets with no impact
to the network;
• Vulnerability management—conducts ongoing,
active vulnerability detection and reporting for
operating systems, infrastructure, network
applications, and databases;
• Configuration management—continuously
compares system configuration and compliance
with IT security standards;
• Policy management—initiates, reviews, publishes,
and maintains security policies.
Vulnerability Management offers—
• End-to-end automation and workflow,
• System patch reporting,
• Results filtering,
• Automated signature updates,
• Target blacklisting,
• Bandwidth throttling,
• Massive scalability,
• Dynamic report building,
• Automated scheduling.

Type: Vulnerability and Patch Management
Operating System:
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Gideon Technologies
Availability: http://www.thegideongroup.com/vulnerability-management.asp
Host Based Security System (HBSS)

Abstract
The Host Based Security System (HBSS) baseline is a
flexible, commercial off-the-shelf (COTS)-based
application. It monitors, detects, and counters against
known cyber threats to the DoD Enterprise. Under
the sponsorship of the Enterprise-wide Information
Assurance and Computer Network Defense Solutions
Steering Group (ESSG), the HBSS solution will be
attached to each host (server, desktop, and laptop) in
DoD. The system will be managed by local
administrators and configured to address known
exploit traffic using an Intrusion Prevention System
(IPS) and host firewall. DISA Information Assurance/
Network Operations Program Executive Office
(PEO-IAN) is providing the program management
and supporting the deployment of this solution.

Scope
The scope of the HBSS deployment is worldwide.
This vast effort requires a large support infrastructure
to be in place. DISA PEO-IAN has instituted support
services to enable the comprehensive
implementation of the HBSS system to all the
combatant commands, services, agencies, and
field activities.

Features
• ePolicy Orchestrator (ePO) management suite;
  – Central security manager;
  – Enables the installation, management, and
  configuration of the HBSS components;
  – View reports to help monitor deployments,
  vulnerabilities, and protection levels;
• McAfee Agent (MA);
  – Provides local management of all HBSS products
  collocated on the host;
  – Runs silently in the background to gather
  information and events from managed systems;
  – Sends collected data to the ePO server;
  – Manages modules and software updates of other
  HBSS products on the host system;
  – Enforces policies on the host machines;
• Host Intrusion Prevention System (HIPS);
  – Enforces security policy;
  – Adds a robust layer of protection to the MA
  end-point asset that includes known and
  unknown buffer overflow exploit protection,
  prevention of malicious code installation/
  execution, and identification of activities that
  deviate from DoD or organizational policy;
• Asset Information (formerly referred to as
the INFOCON);
  – Generates snapshots of asset configurations
  to facilitate detection of changes made to
  authorized baselines;
• Rogue System Detection (RSD);
  – Detects all systems connecting to the network;
  – Identifies unmanaged (or Rogue) systems present
  on the network;
• Policy Auditor (PA);
  – Scans remote computers to determine compliance
  with defined policies;
  – Identifies host vulnerabilities on the network.

Type: Vulnerability and Patch Management
Operating System: Windows
Hardware Requirements:
License: Commercial/Government
NIAP Validated:
Common Criteria Rating:
Developer: DISA–DoD
Availability: http://www.disa.mil/news/pressresources/factsheets/hbss.html
Internet Scanner®

Abstract
The Internet Scanner vulnerability assessment
application minimizes risk by identifying the security
holes or vulnerabilities in the network so the user can
protect the network before an attack occurs.
Internet Scanner can identify more than 1,300 types
of networked devices on a network, including
desktops, servers, routers/switches, firewalls, security
devices, and application routers. Internet Scanner
analyzes the configurations, patch levels, operating
systems, and installed applications to find
vulnerabilities that could be exploited by hackers
trying to gain unauthorized access.

Features
• Unlimited asset identification,
• Dynamic check assignment,
• Common policy editor,
• Real-time display,
• Vulnerability catalog,
• Comprehensive reporting,
• Centralized vulnerability management features,
• Enterprise-class scalability,
• Remote scanning,
• Enterprise reporting,
• Automatic security content updates,
• Command scheduler,
• Asset management,
• Real-time display,
• User administration.

Type: Network Scanning
Operating System: Windows 2000 Professional/SP4, Windows Server 2003 Standard SP1, Windows XP Professional SP1a
Hardware Requirements: 1.2 GHz CPU, 512 MB RAM, 650 MB disk space (minimum)
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Internet Security Systems–Owned by IBM
Availability: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1027208
Lumension Scan™

Abstract
Lumension Scan, a component of Lumension
Vulnerability Management, is a complete stand-alone,
network-based scanning solution that performs a
comprehensive external scan of all devices connected
to your network, both managed and unmanaged.
Once assets are identified, the powerful, yet easy-to-use
Lumension Scan detects weaknesses on these
devices before they can be exploited.

Features
• Rapid and complete asset discovery and inventory
of all devices on the network,
• Thorough and accurate network-based software
and configuration vulnerability assessment,
• Risk-based vulnerability prioritization for
identified threats,
• Continuously updated vulnerability database for
orderly remediation,
• Comprehensive management and audit reporting.

Type: Network Scanning
Operating System: Windows XP Pro SP2+, Windows Server 2003 SP1+, Windows Server 2003 R2+
Hardware Requirements: 2 GHz CPU, 1 GB RAM, 20 GB disk space, 1024x768 Monitor Resolution
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Lumension
Availability: http://www.lumension.com/vulnerability-management/software-vulnerability-assessment.jsp?rpLangCode=1&rpMenuId=150835
MBSA 2.1

Abstract
Microsoft Baseline Security Analyzer (MBSA) is
an easy-to-use tool that helps small and medium
businesses determine their security state in
accordance with Microsoft security
recommendations and offers specific remediation
guidance. Improve your security management
process by using MBSA to detect common security
misconfigurations and missing security updates on
your computer systems. Built on the Windows Update
Agent and Microsoft Update infrastructure, MBSA
ensures consistency with other Microsoft
management products, including Microsoft Update
(MU), Windows Server Update Services (WSUS),
Systems Management Server (SMS), System Center
Configuration Manager (SCCM) 2007, and Small
Business Server.
MBSA 2.1 is the latest version of Microsoft’s free
security and vulnerability assessment scan
tool for administrators, security auditors, and
IT professionals.
MBSA 2.1 offers Windows Vista and Windows Server
2008 compatibility, a revised user interface, 64-bit
support, improved Windows Embedded support, and
compatibility with the latest versions of the Windows
Update Agent based on MU.
MBSA 2.1 is also compatible with MU, Windows
Server Update Services 2.0 and 3.0, the SMS Inventory
Tool for Microsoft Update, and SCCM 2007.

Type: Host Scanning
Operating System: Windows XP, Vista, Windows Server 2003, 2008
Hardware Requirements: x86, IA64, x64
License: Free
NIAP Validated:
Common Criteria Rating:
Developer: Microsoft
Availability: http://technet.microsoft.com/en-us/security/cc184924.aspx
MBSA 2.1
VulnerabilityAnalysis Tools
31IA Tools Report
Abstract
McAfee Vulnerability Manager (formerly McAfee
Foundstone Enterprise) uses a priority-based
approach that combines vulnerability, asset data, and
countermeasures to support more informed
decisions. It uses threat intelligence and correlation
data to determine how emerging threats and
vulnerabilities on networked systems affect the
organization's risk profile, so that resources are
deployed where they are needed most, and it
supports reporting against mandates such as SOX,
FISMA, HIPAA, and PCI DSS.
Vulnerability Manager is available as software or as
a hardened appliance; a hosted option, the McAfee
Vulnerability Management Service, is also offered.
It performs credential-based scans of UNIX, Cisco
IOS, and Microsoft Windows platforms for correct
patching. The Content Release Calendar provides
automatic updates, including new OS support,
vulnerability scan scripts, and compliance checks.
Vulnerability Manager integrates with your existing
technologies and with other McAfee products,
leveraging your investments. McAfee® Network
Security Platform correlates Vulnerability Manager
data to inform you of the most relevant threats
targeting your systems. McAfee Risk and Compliance
Manager (formerly McAfee Preventsys®) collects data
from Vulnerability Manager to calculate risks,
monitor risk scores, and automate compliance
reporting. McAfee ePolicy Orchestrator® feeds asset
and system protection data into Vulnerability
Manager for accurate assessments.
McAfee® Vulnerability Manager
Type: Vulnerability and Patch Management
Operating System: Windows 2000 Server or Windows Server 2003
Hardware Requirements: Dual-core or dual-processor CPU at 2 GHz, 2 GB RAM, 80 GB disk space, Ethernet interface. Preconfigured vendor-supplied appliances are also available.
License: Commercial
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: McAfee
Availability: http://www.mcafee.com/us/enterprise/products/risk_and_vulnerablity_management/vulnerability_manager.html
Abstract
The Metasploit Framework is a development platform
for creating security tools and exploits. The
framework is used by network security professionals
to perform penetration tests, system administrators
to verify patch installations, product vendors to
perform regression testing, and security researchers
world-wide. The framework is written in the Ruby
programming language and includes components
written in C and assembler.
The framework consists of tools, libraries, modules,
and user interfaces. The basic function of the
framework is a module launcher, allowing the user to
configure an exploit module and launch it at a target
system. If the exploit succeeds, the payload is
executed on the target and the user is provided with a
shell to interact with the payload.
Metasploit
Type: Network Scanning
Operating System: Windows, Linux, Mac
Hardware Requirements: (none listed)
License: Open Source
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: Metasploit, LLC
Availability: http://www.metasploit.com/home/
Abstract
N-Stalker Web Application Security Scanner 2009 is a
Web security assessment solution developed by
N-Stalker. It incorporates the N-Stealth HTTP
Security Scanner and its 39,000-entry Web attack
signature database, along with a patent-pending
component-oriented Web application security
assessment technology, and is aimed at developers,
system/security administrators, IT auditors, and
security staff.
Features
• N-Stalker is designed to crawl and evaluate custom
Web applications without relying on out-of-the-box
signatures.
• N-Stalker is used against both custom and
off-the-shelf Web applications; its customers include
large financial institutions, government agencies,
foreign intelligence services, and armed forces.
• N-Stalker inspects for common Web application
vulnerabilities, including the Open Web Application
Security Project (OWASP) Top 10, the Common
Weakness Enumeration (CWE) Top 25 (see
cwe.mitre.org), and a wide range of other issues
that affect overall security.
• N-Stalker scans both the Web server infrastructure
and the application layer. More than 39,000 Web
attack signatures in its database identify weaknesses
in Web servers and third-party software components.
• N-Stalker implements its own patent-pending
"component-oriented Web application security
analysis" assessment methodology.
N-Stalker® Web Application Security Scanner
Type: Web Application Scanning
Operating System: Windows (Windows 2000 or later)
Hardware Requirements: 1 GB RAM, 500 MB disk space
License: Commercial, Free
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: N-Stalker
Availability: http://nstalker.com/products
Abstract
As a component of nCircle's security risk and
compliance management suite, IP360 is a
vulnerability and risk management system that
enables enterprises and government agencies to
cost-effectively measure and manage their security
risk. IP360 profiles all networked devices and their
applications, vulnerabilities, and configurations,
with coverage for over 25,000 conditions (operating
systems, applications, vulnerabilities, and
configurations), as a foundation for assessing every
system on the network. IP360's agentless
architecture is designed for rapid deployment and
ease of management across large, globally
distributed networks.
Features
• Comprehensive, agentless discovery and profiling
of all network assets for over 25,000 conditions;
• Enterprise scalability, ease of deployment, and
operational effectiveness;
• Integrated network topology risk analysis for
identifying the highest priority vulnerabilities;
• Integrated Web application scanning to identify
security risk in Web applications;
• Flexible reporting across all levels of the enterprise.
nCircle® IP360
Type: Vulnerability and Patch Management
Operating System: N/A
Hardware Requirements: Vendor-supplied scanning appliance
License: Commercial
NIAP Validated: Yes
Common Criteria Rating: EAL3 (May 16, 2005)
Developer: nCircle
Availability: http://www.ncircle.com/index.php?s=products_ip360
Abstract
The Nessus vulnerability scanner is an active scanner,
featuring high-speed discovery, asset profiling, and
vulnerability analysis of the user's security posture.
Nessus scanners can be distributed throughout an
entire enterprise, inside demilitarized zones, and
across physically separate networks. They can also be
made available for ad hoc scanning, daily scans, and
quick-response audits. When managed with the
Security Center, vulnerability recommendations can
be sent to the responsible parties, remediation can be
tracked, and security patches can be audited.
Features
• Agentless scanning (patch and configuration auditing),
• High-speed vulnerability identification,
• Complete network assessment and discovery.
Nessus® Vulnerability Scanner
Type: Network Scanning
Operating System: Windows, Linux, Mac OS, Unix
Hardware Requirements: (none listed)
License: Commercial; free for personal use
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: Tenable Network Security
Availability: http://www.nessus.org/nessus/
Abstract
NetIQ Secure Configuration Manager audits system
configurations and compares them to corporate
policies, previous snapshots, and/or other systems. It
also leverages this configuration information to
reliably identify vulnerabilities and exposures, using
the latest security updates.
NetIQ Secure Configuration Manager allows you to
demonstrate regulatory compliance and manage IT
risks via scored reporting to direct remediation
efforts toward issues of highest priority.
Features
• NetIQ ensures configuration changes are
identified and controlled. Secure Configuration
Manager creates an inventory and baseline of
existing system configurations, then compares
results against a standard configuration image to
highlight deviations.
• Secure Configuration Manager contains packaged
security policy templates that align with
regulations and standards, providing the
intelligence necessary to document and
demonstrate compliance with auditors.
Role-based exception and workflow management
helps enforce secure separation of duties.
• NetIQ Secure Configuration Manager identifies
systems exposed to and/or compromised by the
latest exploits, including worms, viruses, and
blended threats.
• Across the enterprise, NetIQ Secure Configuration
Manager measures the level of threats posed by
vulnerabilities and compliance exceptions
weighted by the importance of managed assets.
• NetIQ Secure Configuration Manager is SCAP
Validated and NIAP Common Criteria certified,
ensuring it meets the most stringent federal
government guidelines on interoperability and
secure design.
NetIQ® Secure Configuration Manager
Type: Vulnerability and Patch Management
Operating System: Windows XP Pro, 2000, 2003 Server
Hardware Requirements: (none listed)
License: Commercial
NIAP Validated: Yes
Common Criteria Rating: EAL2 (July 09, 2007)
Developer: NetIQ
Availability: http://www.netiq.com/products/vsm/default.asp
Abstract
Network Mapper (Nmap) is a free open-source utility
for network exploration or security auditing. It was
designed to rapidly scan large networks, although it
works fine against single hosts. Nmap uses raw
Internet protocol (IP) packets in novel ways to
determine what hosts are available on the network,
what services (application name and version) those
hosts are offering, what OSs (and OS versions) they
are running, what type of packet filters/firewalls are
in use, and dozens of other characteristics. Nmap
runs on most types of computers, and console and
graphical versions are available.
Features
• Flexible: Nmap supports dozens of advanced
techniques for mapping out networks filled with
IP filters, firewalls, routers, and other obstacles.
• Powerful: Nmap has been used to scan huge
networks of literally hundreds of thousands of
machines.
• Portable: Most operating systems are supported,
including Linux, Microsoft Windows, and
Unix-based systems.
• Easy: Although Nmap offers a rich set of
advanced features for power users, the user can
start out as simply as nmap -v -A targethost.
Both traditional command line and graphical
user interface (GUI) versions are available to suit
your preference.
• Free: Nmap is available for free download,
and also comes with full source code that the
user may modify and redistribute under the terms
of the license.
• Well documented: Significant effort has been put
into comprehensive and up-to-date man pages, white
papers, and tutorials.
• Supported: Although Nmap comes with no
warranty, it is well supported by the community.
Network Mapper (Nmap®)
Type: Network Scanning
Operating System: Linux, MS Windows, Unix
Hardware Requirements: (none listed)
License: Open Source
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: Insecure.org
Availability: http://nmap.org/
Abstract
Nikto is an open-source (GNU General Public License)
Web server scanner that performs comprehensive tests
against Web servers for multiple items, including over
3,500 potentially dangerous files/common gateway
interface (CGI) programs, versions on over 900 servers,
and version-specific problems on over 250 servers. Scan
items and plugins are frequently updated and can be
automatically updated.
Features
• Uses rfp's LibWhisker as a base for all network functionality,
• Main scan database in comma-separated values (CSV) format for easy updates,
• Fingerprints servers via favicon.ico files,
• Determines "OK" vs "NOT FOUND" responses for each file type, if possible,
• Determines CGI directories for each server, if possible,
• Switches hypertext transfer protocol (HTTP) versions as needed so that the server understands requests properly,
• Secure Sockets Layer (SSL) support (Unix with OpenSSL, or possibly Windows with ActiveState Perl/NetSSL),
• Output to file in plain text, HTML, or CSV,
• Plugin support (standard Perl),
• Checks for outdated server software,
• Proxy support (with authentication),
• Host authentication (Basic),
• Watches for "bogus" OK responses,
• Attempts to perform educated guesses for authentication realms,
• Captures/prints any cookies received,
• Mutate mode to "go fishing" on Web servers for odd items,
• Builds mutate checks based on robots.txt entries (if present),
• Scans multiple ports on a target to find Web servers (can integrate Nmap for speed, if available),
• Multiple intrusion detection system (IDS) evasion techniques,
• Users can add a custom scan database,
• Supports automatic code/check updates (with Web access),
• Multiple host/port scanning (scan list files),
• Username guessing plugin via the cgiwrap program and Apache user methods.
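Two of the features above, determining "OK" vs "NOT FOUND" responses and watching for "bogus" OK responses, address the main false-positive source for a file-checking scanner: servers that answer 200 for every path and return a friendly error page instead of a 404. The technique is to request paths that cannot exist, learn what the server's not-found page looks like, and then treat any later hit whose body matches that page as NOT FOUND. The code below is an added example of that check, not Nikto's own code; the two server functions it scans are constructed stand-ins for a target, and the CGI paths are invented, so it runs offline.

```python
"""Telling a real 'OK' from a bogus one on servers that answer 200 for every path.

Added example, not Nikto's code. It models the "OK vs NOT FOUND" and "bogus OK"
checks: probe impossible paths, learn the server's not-found page, and compare
later hits against it. Responses come from constructed fake servers so the
example runs offline; a real scanner would fetch over http.client.
"""
import difflib
import random
import string


def random_path(length=12):
    """A path that cannot plausibly exist on the target."""
    return "/" + "".join(random.choice(string.ascii_lowercase) for _ in range(length)) + ".html"


def learn_not_found(fetch, samples=3, min_similarity=0.8):
    """Probe several impossible paths; return the not-found signature or None.

    fetch(path) -> (status, body). None means the server answers something
    other than 200 for missing files, so the status code alone is reliable.
    The threshold is below 1.0 on purpose: many error pages echo the requested
    path, so two not-found bodies are similar but not identical.
    """
    probes = [fetch(random_path()) for _ in range(samples)]
    if {status for status, _ in probes} != {200}:
        return None
    bodies = [body for _, body in probes]
    for other in bodies[1:]:
        if difflib.SequenceMatcher(None, bodies[0], other).ratio() < min_similarity:
            raise RuntimeError("not-found page varies too much to fingerprint")
    return (200, bodies[0])


def classify(fetch, path, signature, threshold=0.8):
    """Return 'FOUND', 'NOT_FOUND' or 'ERROR' for path, given the learned signature."""
    status, body = fetch(path)
    if status == 404:
        return "NOT_FOUND"
    if status != 200:
        return "ERROR"
    if signature is None:
        return "FOUND"                      # honest server: 200 really means the file exists
    similarity = difflib.SequenceMatcher(None, signature[1], body).ratio()
    return "NOT_FOUND" if similarity >= threshold else "FOUND"


def naive_scan(fetch, candidates):
    """What a scanner without the check reports: every 200 is a hit."""
    return [p for p in candidates if fetch(p)[0] == 200]


def scan(fetch, candidates):
    """Scan candidate paths and return only the real hits."""
    signature = learn_not_found(fetch)
    return [p for p in candidates if classify(fetch, p, signature) == "FOUND"]


# Constructed fake targets; the file and the error page are invented for the example.
_FILES = {"/cgi-bin/test.cgi": "<html>test cgi ok</html>"}


def honest_server(path):
    return (200, _FILES[path]) if path in _FILES else (404, "<h1>Not Found</h1>")


def bogus_ok_server(path):
    """Answers 200 to everything, with a friendly error page that echoes the path."""
    if path in _FILES:
        return (200, _FILES[path])
    return (200, "<html><body><h1>Oops!</h1><p>We could not find %s. Try the search box.</p></body></html>" % path)


if __name__ == "__main__":
    cands = ["/cgi-bin/test.cgi", "/cgi-bin/phf", "/admin/"]
    print("naive on bogus server:", naive_scan(bogus_ok_server, cands))
    print("with check, honest   :", scan(honest_server, cands))
    print("with check, bogus    :", scan(bogus_ok_server, cands))
```

On the bogus-OK server the naive scan reports all three candidates, while the learned signature reduces the result to the one file that actually exists; the honest server needs no signature at all and is classified on status code alone.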
Nikto v2.03
Type: Web Application Scanning
Operating System: Unix, Linux, Windows
Hardware Requirements: (none listed)
License: Open Source
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: Cirt.net
Availability: http://www.cirt.net/nikto2
Abstract
OraScan is a multi-environment auditing application
developed to assess the security of Oracle Web
applications. The finely detailed level of auditing
supported by OraScan allows systems administrators
and security professionals to gain full control of
security issues surrounding online applications and
front-end servers.
OraScan performs robust, in-depth security
vulnerability audits, seeking out potential problem
areas such as—
• SQL injection,
• XSS,
• Poor Web server configuration.
In addition, OraScan can be deployed to audit the
configuration of Internet authentication service Web
servers, checking the Web application portion of
the database software architecture for security
weaknesses.
OraScan
Type: Database Scanning
Operating System: Microsoft Windows 2003, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows NT Version 4.0 (Service Pack 4)
Hardware Requirements: (none listed)
License: Commercial
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: Next Generation Security Software
Availability: http://www.ngssoftware.com/products/internet-security/orascan.php
Abstract
Paros Proxy v3.2.0Alpha is a Java-based Web proxy for
assessing Web application vulnerability. It supports
editing/viewing HTTP/HTTP Secure (HTTPS)
messages on the fly to change items such as cookies
and form fields. It includes a Web traffic recorder,
Web spider, hash calculator, and a scanner for testing
common Web application attacks, such as SQL
injection and XSS.
Paros Proxy v3.2.0Alpha
Type: Web Application Scanning
Operating System: All OSs supporting Java 1.4+
Hardware Requirements: N/A
License: Freeware
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: Paros
Availability: http://www.parosproxy.org/index.shtml
Abstract
Proventia Network Enterprise Scanner is the next
generation of the Internet Scanner vulnerability
assessment tool. It is a vulnerability protection
system for the entire network, enhanced with an
integrated vulnerability management workflow
subsystem that enables the user to drive protection
measures throughout an infrastructure.
Features
• Vulnerability assessment,
• Complete vulnerability management and protection,
• Scanning-optimized Linux kernel,
• Hardened and secure,
• Multiple scan ports,
• Application fingerprinting,
• Workflow,
• Reporting,
• Asset identification,
• Asset classification,
• Scan windows,
• Automation,
• Scan load balancing/teaming,
• Flexible deployment options,
• Flexible policy management,
• Web-based local management,
• Centralized management system: Proventia
Network Scanner is centrally managed using
Proventia Management SiteProtector.
SiteProtector is a scalable system that allows staff
to control, monitor, and analyze events from a
centralized console. SiteProtector improves
security through correlation and integration with
other security products, including:
  • Active/passive scanning through Proventia
Network Enterprise Scanner and Proventia
Network Anomaly Detection,
  • Scan and block capabilities through Proventia
Network Enterprise Scanner and Proventia
Network Intrusion Prevention System,
  • Correlation through the SiteProtector Security
Fusion module.
Proventia® Network Enterprise Scanner
Type: Network Scanning
Operating System: N/A
Hardware Requirements: Vendor-supplied scanning appliance
License: Commercial
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: IBM
Availability: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1027216
Abstract
Prolific Solutions' proVM Auditor is a vulnerability
management tool that takes the output from multiple
vulnerability and compliance scanners and
aggregates the information into a single view. proVM
Auditor presents vulnerability data in meaningful
views via a vulnerability matrix that makes
managing, tracking, and resolving vulnerabilities
simpler and less resource-intensive.
Features
• Expedites compliance reviews,
• Maps vulnerabilities to DoD 8500.2 IA Controls,
• Facilitates/standardizes C&A (certification and accreditation) processes,
• Streamlines administration efforts,
• Standard views of vulnerability data,
• Reduces manual compliance efforts,
• Small footprint; simple to use; does not require installation,
• Accepts scanner output from the following vulnerability scanners:
  • eEye Retina
  • Lumension PatchLink
  • DISA SRRs
  • DISA Gold Disk
  • Application Security AppDetective
  • Tenable Nessus
  • Nmap
  • Other commercial or private tools can be added upon request.
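Aggregating several scanners into one matrix is mostly a normalization problem: each tool exports its own columns and severity scale, the same weakness shows up under different titles, and only a common key (a CVE where one exists, otherwise the scanner's own check ID) lets the entries be merged. The code below is an added example of that step, not proVM Auditor's code. Both CSV exports are constructed samples with invented hosts, plugin IDs and titles; the CVE identifiers are real entries used only as sample keys, and the mapping of finding categories to the control IDs VIVM-1 and ECSC-1 is an assumed illustration, not proVM's actual 8500.2 mapping.

```python
"""Merge findings from two scanner exports into one host-by-vulnerability matrix.

Added example, not proVM Auditor's code. Both CSV exports below are constructed
samples (invented hosts, plugin IDs and titles); the category-to-control map is
an assumed illustration, not the product's real DoD 8500.2 mapping.
"""
import csv
import io
from collections import defaultdict

# Constructed Nessus-style export; columns chosen for the example.
NESSUS_CSV = """Host,Port,Plugin ID,Name,Risk,CVE
192.0.2.10,445,12345,MS08-067 missing patch,Critical,CVE-2008-4250
192.0.2.10,22,54321,SSH protocol version 1 enabled,Medium,
192.0.2.20,80,11111,Apache httpd outdated,High,"CVE-2009-1191, CVE-2009-1195"
"""

# Constructed Retina-style export with a different layout and severity scale.
RETINA_CSV = """IP Address,Audit ID,Audit Name,Risk Level,CVE
192.0.2.10,R2001,Microsoft Server service RPC vulnerability,High,CVE-2008-4250
192.0.2.20,R2002,Apache mod_proxy issue,Medium,CVE-2009-1195
192.0.2.30,R2003,SNMP default community string,High,CVE-1999-0517
"""

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Assumed category -> IA control mapping (illustration only).
CONTROL_BY_CATEGORY = {"patch": "VIVM-1", "config": "ECSC-1"}


def _split_cves(field):
    return [c.strip() for c in field.split(",") if c.strip()]


def parse_nessus(text):
    for row in csv.DictReader(io.StringIO(text)):
        # Without a CVE the scanner's plugin ID is the only stable key we have.
        for ident in _split_cves(row["CVE"]) or ["nessus:%s" % row["Plugin ID"]]:
            yield {"host": row["Host"], "id": ident, "title": row["Name"],
                   "severity": row["Risk"], "scanner": "nessus"}


def parse_retina(text):
    for row in csv.DictReader(io.StringIO(text)):
        for ident in _split_cves(row["CVE"]) or ["retina:%s" % row["Audit ID"]]:
            yield {"host": row["IP Address"], "id": ident, "title": row["Audit Name"],
                   "severity": row["Risk Level"], "scanner": "retina"}


def categorize(finding):
    """Crude title-based category; a real tool would use the scanner's own classification."""
    t = finding["title"].lower()
    return "patch" if any(w in t for w in ("patch", "outdated", "vulnerability")) else "config"


def build_matrix(*sources):
    """{(host, id): entry}; scanners are merged and the highest severity is kept."""
    matrix = {}
    for findings in sources:
        for f in findings:
            entry = matrix.setdefault((f["host"], f["id"]),
                                      {"titles": [], "severity": "Info", "scanners": set(), "control": None})
            entry["titles"].append("%s: %s" % (f["scanner"], f["title"]))
            entry["scanners"].add(f["scanner"])
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = f["severity"]
            entry["control"] = entry["control"] or CONTROL_BY_CATEGORY[categorize(f)]
    return matrix


def corroborated(matrix):
    """Keys reported by more than one scanner: the least likely to be false positives."""
    return sorted(k for k, v in matrix.items() if len(v["scanners"]) > 1)


def per_host_counts(matrix):
    counts = defaultdict(lambda: defaultdict(int))
    for (host, _), v in matrix.items():
        counts[host][v["severity"]] += 1
    return {h: dict(c) for h, c in counts.items()}


if __name__ == "__main__":
    m = build_matrix(parse_nessus(NESSUS_CSV), parse_retina(RETINA_CSV))
    for (host, ident), v in sorted(m.items()):
        print(host, ident, v["severity"], v["control"], sorted(v["scanners"]))
```

The merge keeps the most severe rating when scanners disagree and records every title under the key, so an analyst can see that "MS08-067 missing patch" and "Microsoft Server service RPC vulnerability" are the same finding reported twice rather than two problems.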
proVM Auditor
Type: Vulnerability and Patch Management
Operating System: Windows
Hardware Requirements: N/A
License: Commercial
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: Prolific Solutions
Availability: http://www.prolific-solutions.net/products.htm
Abstract
QualysGuard Vulnerability Management (VM)
automates the life cycle of network auditing and
vulnerability management across the enterprise,
including network discovery and mapping, asset
prioritization, vulnerability assessment reporting,
and remediation tracking according to business risk.
QualysGuard delivers continuous protection against
the latest worms and security threats without the
substantial cost, resource, and deployment issues
associated with traditional software. As an on
demand Software-as-a-Service (SaaS) solution, there
is no infrastructure to deploy or manage.
QualysGuard VM enables small to large
organizations to effectively manage their
vulnerabilities and maintain control over their
network security with centralized reports, verified
remedies, and full remediation workflow capabilities
with trouble tickets. QualysGuard provides
comprehensive reports on vulnerabilities, including
severity levels, time-to-fix estimates, and impact on
business, plus trend analysis on security issues.
Features
• Vulnerability KnowledgeBase that incorporates over 6,000 unique checks;
• Non-intrusive detection techniques;
• Inference-based scanning engine;
• Authenticated or unauthenticated scanning capabilities;
• Internal and external scanning;
• Scans are configurable for optimum performance and minimum network load;
• Unique fingerprints for over 2,000 operating systems, applications, and protocols;
• Customization of scans to scan for specific ports/services and specific vulnerabilities;
• Scheduled and automated network discovery and vulnerability scan tasks on a daily, weekly, or monthly basis;
• Automated daily updates to the QualysGuard vulnerability KnowledgeBase;
• Easy access to concise, auto-generated reports via a Web browser;
• Executive Dashboard provides a real-time illustration of risk;
• Graph and trend reports for managers;
• Detailed technical reports with verified remediation actions for technicians;
• SANS Top 20 Report provides an industry baseline;
• Risk analysis report predicts the likelihood of exposure;
• CVE- and SecurityFocus-linked and Bugtraq-referenced vulnerability checks with detailed remediation instructions;
• Customizable reports for flexible, on-demand reporting by business units for executives and managers;
• Export of reports to HTML, Microsoft Hypertext Archive (MHT), portable document format (PDF), CSV, and XML formats.
QualysGuard® Vulnerability Management
Type: Network Scanning
Operating System: N/A
Hardware Requirements: Vendor-supplied scanning appliance
License: Commercial
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: Qualys
Availability: http://www.qualys.com/products/qg_suite/vulnerability_management/
Abstract
IBM Rational Web application security software helps
IT and security professionals protect against the
threat of attacks and data breaches. Involving more
testers in the application security process results in
higher quality, more secure applications at a
reasonable cost.
Rational offers Web application security solutions,
including new malware detection capabilities,
through the IBM Rational AppScan family of
products. AppScan can be used for vulnerability
scanning in all stages of application development and
by testers with or without security expertise.
Features
• AppScan Build Edition: Embeds Web application security testing into the build management workflow,
• AppScan Developer Edition: Automates application security scanning for non-security professionals,
• AppScan Enterprise Edition: Web-based, multi-user solution providing centralized application security scanning and reporting,
• AppScan Express Edition: Provides affordable Web application security for smaller organizations,
• AppScan OnDemand: Identifies and prioritizes Web application security vulnerabilities via a SaaS model,
• AppScan OnDemand Production Site Monitoring: Monitors production Web content and sites for security vulnerabilities via a SaaS model,
• AppScan Reporting Console: Provides centralized reporting on Web application vulnerability data,
• AppScan Standard Edition: Desktop solution to automate Web application security testing,
• AppScan Tester Edition: Integrated Web application security testing in the quality assurance process.
Rational AppScan®
Type: Web Application Scanning
Operating System: Windows XP, Server 2003
Hardware Requirements: 3 GHz CPU, 2 GB+ RAM, 200 MB disk space for installation plus at least 10 GB free space for logs
License: (none listed)
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: IBM Rational
Availability: http://www-01.ibm.com/software/awdtools/appscan/
Abstract
Retina Network Security Scanner is a
professional-grade security solution with a lengthy
track record. Retina contains the integrated security
and threat management tools needed to identify and
remediate the network vulnerabilities that lead to
exposure and malicious attacks.
Features
• Discovers the assets in the network infrastructure,
including operating system platforms, networked
devices, databases, and third-party or custom
applications. Retina also discovers wireless
devices and their configurations, so that these
connections can be audited for the appropriate
security settings. Additionally, Retina scans active
ports and confirms the services associated with
those ports.
• Implements corporate-policy-driven scans to audit
internal security guidelines and ensure that
configuration requirements are enforced and
comply with defined standards. These custom
scans can also assist with meeting regulatory
compliance requirements (e.g., SOX, HIPAA, GLB,
PCI) customers may face.
• Remotely identifies system-level vulnerabilities to
mimic an attacker's point of view, providing the
information that an outsider would see about a
network. These remote checks do not require
administrator rights, so fewer resources are
needed to scan across departments, locations, or
geographies.
• Incorporates a comprehensive vulnerability
database and scanning technology, allowing
users to proactively secure their networks
against attacks.
• Updates are automatically downloaded at the
beginning of each Retina session.
Retina Network Security Scanner
Type: Network Scanning
Operating System: Windows
Hardware Requirements: 256 MB RAM. Vendor-supplied appliance also available.
License: Commercial
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: eEye Digital Security
Availability: http://www.eeye.com/html/products/retina/index.html
Abstract
SAINT's Web-like, easy-to-use GUI makes it easy to
scan networks. Every live system on the network is
screened for TCP and user datagram protocol (UDP)
services. For each service it finds running, it launches
a set of probes designed to detect anything that could
allow an attacker to gain unauthorized access, create
a denial of service, or gain sensitive information
about the network. When vulnerabilities are
detected, SAINT categorizes the results in several
ways, allowing users to target the data they find
most useful. SAINT can group vulnerabilities
according to severity, type, or count. It can provide
information about a particular host or groups of
hosts. SAINT describes each of the vulnerabilities
it locates and references CVE or Information
Assurance Vulnerability Alerts (IAVA), as well
as CERT advisories.
Features
• Includes flexible/customizable scanning options, including the SANS/FBI Top 20;
• Scans anything with an IP address running TCP/IP protocols;
• Includes extensive documentation and online tutorials;
• Includes links to patches and new versions of software;
• Runs in remote mode;
• Is easily set up to run unattended using the GUI;
• Provides dynamic reporting capability that allows the user to drill down to get more information about the vulnerability and how to correct it;
• Cross-references vulnerabilities to IAVAs;
• Scans IPv4 or IPv6 addresses;
• Includes a control panel that allows the user to stop, pause, and resume scans, and to view results in progress while the scan runs;
• Is certified CVE-compatible by MITRE.
SAINT
Type: Network Scanning
Operating System: Unix/Linux platform
Hardware Requirements: 256 MB RAM, 150 MB disk space. Vendor-supplied appliances also available.
License: Commercial
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: Saint Corporation
Availability: http://www.saintcorporation.com/products/data_sheets/SAINT_data_sheet.pdf
Abstract
Second Look captures, and forensically preserves, a
computer’s volatile RAM. It analyzes the Linux
operating system kernel in live memory or via a
memory image, verifying its integrity and searching
for signs of rootkits or other subversive software that
have modified the executable kernel code or kernel
data structures.
With Second Look, analysts and investigators have a
tool that provides a comprehensive view of a system,
uninfluenced by any malware that might be running
on it. Information pulled directly out of memory
includes running processes, active network
connections, loaded kernel modules, and many other
essential system parameters. Second Look uncovers
hidden kernel modules, processes, and network
activity. Second Look integrates a real-time
disassembler that allows inspection of any function
or segment of kernel memory.
As threats to computer systems continue to increase
in sophistication, traditional post-mortem (dead box)
forensic analysis of hard disk contents is no longer
sufficient. Advanced exploits allow for the
implantation of rootkits and backdoors directly in
memory, without an actual file ever touching the disk.
Volatile memory must be acquired in a trustworthy
fashion, and analyzed with security software such as
Second Look.
Second Look™
Type: Host Scanning
Operating System: Linux
Hardware Requirements: (none listed)
License: Commercial
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: Pikewerks
Availability: http://pikewerks.com/sl
Abstract
SecureScout NX is a third-generation scanning
solution that performs real-time testing of global
networks and firewalls. The architecture of
SecureScout NX implements a centralized console
to manage remote test engines and probes, enabling
users to quickly and repeatedly scan and report
vulnerabilities in distributed networks from a
single location.
SecureScout NX gives the user an impartial view of
whether firewalls have been configured correctly to
comply with security policies and protect the network.
SecureScout NX tests highlight information exposed
to the outside world that cyber criminals could
misuse to attack the organization. Diligent
assessment of internal systems enables an
organization to manage security risks and reduce
potential liability. SecureScout NX delivers the
knowledge needed to protect critical information
from intruders and prepare countermeasures,
making it difficult for attackers to get in.
NetVigilance’s security experts continually research
information sources for new vulnerabilities, and a
secure Web service site automatically updates
SecureScout NX. Through differential reporting,
users can benchmark their security level at various
points in time.
SecureScout® NX
Type: Network Scanning
Operating System: Windows 2000 SP3/SP4, Windows XP SP1/SP2/SP3, Windows Server 2003 SP1/SP2 (32-bit versions of Windows only)
Hardware Requirements: (none listed)
License: Commercial
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: NetVigilance
Availability: http://www.netvigilance.com/nx
Abstract
The SecureScout Perimeter service probes Internet-
connected systems for vulnerabilities before hackers
find them. It identifies holes in an Internet
infrastructure, scanning beyond the firewall to any
device with an IP address.
SecureScout® Perimeter
Type: Network Scanning
Operating System: Windows 2000 SP3/SP4, Windows XP SP1/SP2/SP3, Windows Server 2003 SP1/SP2 (32-bit versions of Windows only)
Hardware Requirements: (none listed)
License: Commercial
NIAP Validated: (none listed)
Common Criteria Rating: (none listed)
Developer: NetVigilance
Availability: http://www.netvigilance.com/perimeter
Abstract
The Security Auditor's Research Assistant (SARA) is a
third-generation network security analysis tool.
Features
• Operates under Unix, Linux, Mac OS X, or Windows (through coLinux),
• Integrates the National Vulnerability Database (NVD),
• Adapts to many firewalled environments,
• Supports remote self-scan and application programming interface (API) facilities,
• Is used for the Center for Internet Security benchmark initiatives,
• Includes a plug-in facility for third-party applications,
• Includes CVE standards support (20040901),
• Has an enterprise search module,
• Has stand-alone or daemon mode,
• Offers a free-use open SATAN-oriented license,
• Is updated twice a month,
• Provides user extension support,
• Is based on the SATAN model.
Advanced Research‘s philosophy relies heavily on
software reuse. Rather than inventing a new module,
SARA is adapted to interface with other community
products. For instance, SARA interfaces with the
popular Nmap package for superior operating system
fingerprinting. Also, SARA provides a transparent
interface to SAMBA for session message block
security analysis. SARA is no longer being developed,
and v7.9.1 is the final release.
SecurityAuditor’sResearchAssistant(SARA)v7.9.1
Type Network Scanning
Operating System Unix, Linux, Windows (through CoLinux)
Hardware Requirements
License Freeware
NIAP Validated
Common Criteria Rating
Developer Advanced Research Corporation
Availability http://www-arc.com/sara/
Security Auditor’s Research Assistant (SARA) v7.9.1
VulnerabilityAnalysis Tools
51IA Tools Report
Security Administrator's Tool for Analyzing Networks (SATAN)

Abstract
Security Administrator's Tool for Analyzing Networks (SATAN) scans systems connected to the network, noting the existence of well-known, often-exploited vulnerabilities. It examines a remote host or set of hosts and gathers as much information as possible.

Type: Network Scanning
Operating System: Unix/Linux
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Dan Farmer and Wietse Venema
Availability: http://ftp.cerias.purdue.edu/pub/tools/unix/scanners
SNScan v1.05

Abstract
SNScan is a Windows-based simple network management protocol (SNMP) detection utility that can quickly and accurately identify SNMP-enabled devices on a network. This utility can effectively indicate devices that are potentially vulnerable to SNMP-related security threats.

SNScan allows for the scanning of SNMP-specific ports (e.g., UDP 161, 193, 391, and 1993) and the use of standard (i.e., public) as well as user-defined SNMP community names. User-defined community names may be used to more effectively evaluate the presence of SNMP-enabled devices in more complex networks.

SNScan is intended for use by system and network administrators as a fast and reliable utility for information gathering. Although it does not indicate whether SNMP-enabled devices are vulnerable to specific threats, SNScan can quickly and accurately identify potential areas of exposure to SNMP-related vulnerabilities.

Type: Network Scanning
Operating System: Windows
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Foundstone (A Division of McAfee)
Availability: http://www.foundstone.com/us/resources/proddesc/snscan.htm
ThreatGuard® Secutor Magnus

Abstract
Secutor Magnus is designed specifically to meet the Common Security Configurations requirements set forth by the Office of Management and Budget (OMB). Built for the Information Security Automation Program established by NIST, Magnus fully supports a wide-scale action plan to quickly and continually show that an organization has compliance under control. The entire Secutor line of automated content tools provides standardized assessments, content-driven remediation, and complete mappings to driving requirements with options to easily document deviations from those requirements.

Features
• Test NIST configurations to identify adverse effects on system functionality,
• Automated enforcement,
• Restrict administration to authorized professionals,
• Ensure new acquisitions use standard configurations,
• Patches,
• Automatically determines if computers have all required security patches,
• Performs vulnerability assessment of operating system and major applications,
• Provide documentation of deviations with rationale.

Type: Vulnerability and Patch Management
Operating System: Windows
Hardware Requirements: Vendor-supplied appliance also available
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Threatguard
Availability: http://www.threatguard.com/products.htm
Triumfant Resolution Manager®

Abstract
Triumfant Resolution Manager continuously scans for unusual changes that are consistent with the behavior and structure of malicious applications. These include unusual auto-start methods, stealth techniques such as those used by rootkits, and unusual firewall exceptions. As a result, malicious attacks that are not detected by traditional signature-based tools are recognized by Triumfant in real time, along with all of the changes to the machine associated with the attack. Resolution Manager immediately applies its deep analytics to verify that it is indeed an attack and assesses the full extent of the threat.

Resolution Manager uses its diagnosis of the problem and knowledge of the changes to the machine to synthesize a surgical remediation. These remediations do not delete the malicious executable; they repair the damage from the attack, effectively eliminating the need for costly re-imaging. The information about the attack and the remediation is captured so that Resolution Manager can scan the entire population for any other occurrences of the attack, and remediate machines where the attack is detected.

Triumfant provides a comprehensive set of reports that deliver visibility into the security readiness of the endpoint environment from an executive summary view down to the details of each machine.

Features
• Malware detection—The ability to detect changes at a granular level allows Triumfant to detect, analyze, and remediate malicious attacks in real time without the need for signatures or any prior knowledge of the attack.
• Security Configuration Management—Triumfant verifies that the organization's standard portfolio of endpoint security software is correctly deployed.
• Compliance Management—Triumfant Resolution Manager applies security policies that are customizable from the departmental level down to individual machines. Triumfant also provides policy templates for specific security mandates, such as FDCC SCAP compliance and PCI compliance.
• Vulnerability Management—Triumfant uses the NIST SCAP vulnerability database to scan each computer for known software vulnerabilities, identifying where missing patches create a security exposure.
• Whitelist/Blacklist Management—Triumfant deletes unauthorized software from endpoint computers, and builds custom remediations to ensure that no malicious code is left behind by the deleted application.

Type: Vulnerability and Patch Management
Operating System:
Hardware Requirements:
License: Commercial
NIAP Validated: Yes
Common Criteria Rating: EAL2+ – March 31, 2009
Developer: Triumfant
Availability: http://www.triumfant.com/products.asp
Typhon III

Abstract
Typhon III is a tool that identifies infrastructure and Web application vulnerabilities. Capabilities include the fast and accurate identification of current and historical security vulnerabilities; the nonintrusive vulnerability scanner provides secure quality protection against current threats, including
• Rootkits,
• Phishing,
• SQL Injection,
• Pharming,
• Confidential Data Theft.

By providing a comprehensive security audit of all hosts in the network, from routers and printers through Web and database servers, Typhon III helps the network to stay secure from threats. Exposing weak passwords in a variety of protocols, it contains a full range of checks for common vulnerabilities and configuration errors. Typhon III can also audit Web applications using its integrated Web spider, a device that will locate every page and script on a Web site (even hidden, unlinked, and test files) and rigorously test for SQL injection and XSS flaws.

Type: Web Application Scanning
Operating System: Windows 2003, 200, XP, NT 4.0 SP6a
Hardware Requirements: 500 MHz CPU, 512 MB RAM, 20 MB disk space (minimum)
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Next Generation Security Software
Availability: http://www.nextgenss.com/products/internet-security/ngs-typhon.php
WebInspect

Abstract
HP WebInspect software is a Web application security assessment software designed to analyze today's complex Web applications. It delivers fast scanning capabilities, broad assessment coverage, extensive vulnerability knowledge, and accurate Web application scanning results.

Features
• Statically analyze client-side Adobe Flash applications;
• Produce faster scans and more accurate results through the Simultaneous Crawl and Audit (SCA) technology;
• Reduce false positives using Intelligent Engines designed to imitate a hacker's methodology;
• Increase testing throughput with support for multiple concurrent scans;
• Enter a URL, username, and password to quickly initiate a simple scan for immediate results;
• Innovative scan profiler assists you in optimizing the scan configuration to maximize the effectiveness and accuracy of the scan;
• Depth-first crawling option for Web sites that enforce order-dependent navigation;
• Fingerprinting of Web framework using Smart Assessment technology to reduce unnecessary attacks.

Type: Web Application Scanning
Operating System: Windows
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Hewlett Packard
Availability: https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__
WebScarab

Abstract
WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.

WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S)-based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.

Type: Web Application Scanning
Operating System: Windows, Linux, Mac, Unix
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Rogan Dawes of Corsaire Security
Availability: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
SECTION 6 • Related Resources
This provides additional references: books, Web sites, articles, and papers.
SECTION 7 • Recommended Resources

Alberts, Christopher and Audrey Dorofee. Managing Information Security Risks: The OCTAVE Approach. Boston: Addison Wesley Professional, 2003.
Braunton, Gregory (SANS Institute). B.A.S.E.—A Security Assessment Methodology, September 2004.
Open Vulnerability Assessment Language. http://oval.mitre.org
Peltier, Thomas R., J. Peltier, and J.A. Blackley. Managing a Network Vulnerability Assessment. Boca Raton, FL: CRC Press LLC, 2003.
Stoneburner, G., A. Goguen, and A. Feringa. Special Publication 800-30—Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology (NIST), 2002.
U.S. Government, Intelligence Community. Analytical Risk Management: A Course Guide for Security Risk Management, 2003.
U.S. Government, Department of Commerce. "Publication 199 - Standards for Security Categorization of Federal Information and Information Systems." Federal Information Processing Standards (FIPS), 2004.
U.S. Government, National Institute of Standards and Technology, National Vulnerability Database. Security Content Automation Protocol Validated Products. http://nvd.nist.gov/scapproducts.cfm.
SECTION 8 • Definitions

• All-hazards/Threat—Circumstances, events, or people with the potential to cause harm to a system. The full spectrum of threats and hazards could include natural disasters (e.g., floods, fires, hurricanes), domestic or international criminal activity, and accidental disruptions such as construction mishaps.
• Critical Asset—Those assets of such importance to an organization that without them the organization's ability to execute its mission would be significantly degraded or suffer complete failure.
• False Negative—Refers to when a tool fails to find an existing vulnerability.
• False Positive—Refers to when a tool finds a vulnerability that does not exist.
• Risk—A function of the likelihood that a specific hazard/threat will exploit a given vulnerability and that the resulting impact of loss of the critical asset will cause significant degradation or even mission failure of the organization. Mathematically, risk is written as follows: Threat × Vulnerability × Impact of Loss = Risk.
• Risk Assessment—The process of evaluating the impact of loss of an asset, the likely and probable threats, and the vulnerabilities of the asset.
• Risk Management—A process for identifying and prioritizing the impact of loss, threats, and vulnerabilities, and making rational decisions regarding the expenditure of resources and the implementation of countermeasures to reduce the risk of loss.
• Scanning—A periodic examination of traffic activity, system files and permissions, and overall system configuration to determine whether further processing is required.
• Vulnerability—Refers to a weakness in a system's security scheme, which may include system security procedures, internal controls, or implementation. Exploitation would negatively affect the confidentiality, integrity, or availability of the system or its data.
• Vulnerability Assessment—An examination of the ability of a system or application, including current security procedures and controls, to withstand assault. A vulnerability assessment may be used to a) identify weaknesses that could be exploited; and b) predict the effectiveness of additional security measures in protecting information resources from attack.
SECTION 9 • Definitions of Acronyms and Key Terms

Acronym or Term  Definition
ACL  Access Control List
ARP  Address Resolution Protocol
CERT  Computer Emergency Response Team
CGI  Common Gateway Interface
COPS  Computer Oracle and Password
COTS  Commercial Off-the-Shelf
CPU  Central Processing Unit
CSV  Comma Separated Variable
CVE  Common Vulnerabilities and Exposures
DHS  Department of Homeland Security
DISA  Defense Information Systems Agency
DoD  Department of Defense
DSII  DominoScan II
DSS  Data Security Standard
DTIC  Defense Technical Information Center
ePO  ePolicy Orchestrator
ESSG  Enterprise-Wide Information Assurance and Computer Network Defense Solutions Steering Group
FDCC  Federal Desktop Core Configuration
FISMA  Federal Information Security Management Act of 2002
GB  Gigabyte
GHz  Gigahertz
GLBA  Gramm-Leach-Bliley Act
GUI  Graphical User Interface
HBSS  Host Based Security System
HIPAA  Health Insurance Portability and Accountability Act
HIPS  Host Intrusion Prevention System
HSPD-7  Homeland Security Presidential Directive 7
HTML  HyperText Markup Language
HTTP  Hypertext Transfer Protocol
HTTPS  Hypertext Transfer Protocol Secure
IA  Information Assurance
IAC  Information Analysis Center
IATAC  Information Assurance Technology Analysis Center
IAVA  Information Assurance Vulnerability Alert
IP  Internet Protocol
IPS  Intrusion Prevention System
IT  Information Technology
MB  Megabyte
MBSA  Microsoft Baseline Security Analyzer
MHz  Megahertz
MA  McAfee Agent
MU  Microsoft Update
NIAP  National Information Assurance Partnership
NIST  National Institute of Standards and Technology
Nmap  Network Mapper®
NVD  National Vulnerability Database
OMB  Office of Management and Budget
OS  Operating System
OVAL  Open Vulnerability Assessment Language
PA  Policy Auditor
PCI  Payment Card Industry
PEO-IAN  Information Assurance/Network Operations Program Executive Office
PERL  Practical Extraction and Report Language
PHP  Hypertext Preprocessor
RAM  Random Access Memory
RSD  Rogue System Detection
SaaS  Software-as-a-Service
SANS  SysAdmin, Audit, Network, Security
SARA  Security Auditor's Research Assistant
SATAN  Security Administrator's Tool for Analyzing Networks
SCAP  Security Content Automation Protocol
SCCM  System Center Configuration Manager
SMS  Systems Management Server
SNMP  Simple Network Management Protocol
SOX  Sarbanes-Oxley Act
SQL  Structured Query Language
TCP  Transmission Control Protocol
UDP  User Datagram Protocol
URL  Uniform Resource Locator
VM  Vulnerability Management
WSUS  Windows Server Update Services
XML  eXtensible Markup Language
XSS  Cross-Site Scripting