vulnerability scanning report by tareq hanaysha


Upload: tareq-hanaysha

Post on 17-Jul-2015


Tareq ,Ali,Maysara

Vulnerability Scanning Executive Summary


Vulnerability Scanning Executive Summary
Using Tenable Nessus & Nsauditor Network Security Auditor

In this executive summary, we walk visually through the vulnerability scan we've done using Nessus and Nsauditor, providing the reader with screenshots to clarify our scan and to make our vulnerability scanning procedures easier to understand. We then introduce our work, summarise our findings, vulnerabilities, risks and threats, and in our conclusion try to find solutions or recommendations for these security problems.

2008

By: Tareq Hanaysha
Submitted to: Ali Shan Ahmad, Francis Gichohi, Maysara Hamdan
Concordia University College of Alberta


Table of Contents

1. Introduction ... 2
   I. Purpose ... 2
   II. Scope ... 3
2. Risk Assessment Approach ... 3
   I. The participants ... 3
   II. Techniques used to gather information ... 4
   III. Development & descriptions of risk scale ... 5
3. System Characterization ... 8
   I. Technology Component ... 8
   II. Physical Location ... 8
   III. Data Used By the system ... 9
4. Threat Statement ... 9
5. Risk Assessment Results ... 10
6. Scan & Assessment Results ... 10
7. Summary ... 21
8. Conclusion ... 22


1. Introduction

The Internet is a virtual minefield of vulnerabilities and exploits, in which it is no longer possible to review and identify all of the possible holes in network systems. Security scanning and auditing are critical in identifying and closing holes in system and network defenses. Security holes come in many forms and can occur on any network-connected device.

Tenable's Nessus Vulnerability Scanner and Nsauditor are counted among the world's premier security scanners. An active security scanner is a piece of software that connects to network machines and determines whether a machine is vulnerable to any flaws that might place it at risk of being successfully attacked. The job of the Nessus Vulnerability Scanner is to help the security team and administrators gain an understanding of the current level of security on the network.

I. Purpose

The purpose of this risk assessment, or scan, is to evaluate the security holes and the missing Windows patches whose installation would help protect our system and harden it against known vulnerabilities, and to assess our network (TCP protocols, ports, and the vulnerabilities) using the Nessus client analyser.

The ultimate objective is to learn to install, configure, and use an open-source security auditing tool; our utilities of choice in this lab are Nessus and Nsauditor. Nessus is one of the most widely used security auditing tools in the open-source community. This lab will cover not only the installation and use of the utility, but also how to interpret the results.

There are many unique features of the Nessus technology which can help any organization to assess and remediate threats. When looking at scanning technologies, it is important to understand the technical merits of the scanner in order to ensure that you get the best results. Scanners are typically evaluated for their:

• Accuracy
• Stability
• Speed
• Ability to detect network and host-based flaws


II. Scope

This Risk Assessment Report will be carried out on the local host of my system, and will evaluate the confidentiality, integrity and availability of the information stored on or passing through my system. We will also do port scanning using the network in the house, and try to find out which patches are missing on the systems through the patch/hotfix scan.

2. RISK ASSESSMENT APPROACH

To conduct our risk assessment and vulnerability scan we used the Nessus and Nsauditor software on my computer, and we tried to scan the rest of the computers on the same network from my machine. Nessus reported the vulnerabilities of my system and classified them as high, medium and low risks, with the colour codes red, orange and green. A report was produced by Nessus after the scan and is attached to this summary for more details.

I. Participants in the assessment

Role                      Participant
System Owner              Tareq Hanaysha
System Custodian          Ali Shan
Security Administrator    Maysara Hamdan


II. Techniques used

Technique: Nessus client scan
Description: Proprietary comprehensive vulnerability scanning software. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems.

Technique: Nsauditor network security analysis tool
Description: Network auditing software which combines vulnerability scanning, network monitoring and network inventory in one product. Nsauditor allows monitoring network computers for possible vulnerabilities, checking the enterprise network for all potential methods that hackers might use to attack it, and creating a report of the potential problems that were found. Nsauditor is a complete networking utilities package that includes more than 45 network tools and helps network administrators to identify security holes and flaws in their networked systems. The program also includes a firewall system, real-time network monitoring, packet filtering and analysis.

The software descriptions are taken from the lab requirements written by Mike.


III. Risk Scale

In determining the risks associated with our systems, we used the following formula for classifying risk:

Risk = Threat level X Magnitude of Impact

And the following definitions:

Level          Definition
High (1.0)     The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium (0.5)   The threat source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low (0.1)      The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.


Impact Definition

Magnitude of Impact   Impact Definition
High (100)            The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on my computer operations, on my assets, or on me personally.
                      • Major damage to my assets
                      • Major financial loss
Medium (50)           Significant degradation in mission capability to an extent and duration that my computer won't be able to perform its primary functions, but the effectiveness of the functions is significantly reduced.
                      • Significant damage to my assets
                      • Significant financial loss
                      • Significant harm to me that does not involve loss of my life or serious life-threatening injuries.
Low (10)              Degradation in mission capability to an extent and duration that my computer won't perform its primary functions, but the effectiveness of the functions is noticeably reduced.
                      • Minor damage to my assets
                      • Minor financial loss
                      • Minor harm to me.


Corrective action needed based on the impact of the risk

Magnitude of Impact   Corrective action needed
High                  There is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium                Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low                   The system's Authorizing Official must determine whether corrective actions are still required or decide to accept the risk.

Risk was calculated as follows:

Threat Level   | Impact: Low (10)           | Impact: Medium (50)           | Impact: High (100)
High (1.0)     | Low Risk (10 x 1.0 = 10)   | Medium Risk (50 x 1.0 = 50)   | High Risk (100 x 1.0 = 100)
Medium (0.5)   | Low Risk (10 x 0.5 = 5)    | Medium Risk (50 x 0.5 = 25)   | Medium Risk (100 x 0.5 = 50)
Low (0.1)      | Low Risk (10 x 0.1 = 1)    | Low Risk (50 x 0.1 = 5)       | Low Risk (100 x 0.1 = 10)

Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)
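The formula and the 3x3 matrix above are easy to apply by hand, but writing them down as code makes it possible to recompute every finding's rating from its threat level and impact and catch rows that disagree with the scale. The following Python is an added example and is not part of the report; the weights (1.0/0.5/0.1 and 100/50/10), the scale boundaries, and the threat level, impact and stated rating of findings 1 to 9 are taken from the report itself (the findings table in section 5), while the function names are my own.

```python
# Risk = Threat level x Magnitude of Impact, using the report's own weights and scale.
THREAT_LEVEL = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
MAGNITUDE_OF_IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(threat, impact):
    """Numeric risk for a (threat level, impact) pair, e.g. Medium x High = 0.5 x 100 = 50."""
    return THREAT_LEVEL[threat] * MAGNITUDE_OF_IMPACT[impact]


def risk_rating(score):
    """Map a score onto the report's scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if 50 < score <= 100:
        return "High"
    if 10 < score <= 50:
        return "Medium"
    if 1 <= score <= 10:
        return "Low"
    raise ValueError(f"score {score} is outside the scale")


def risk_matrix():
    """Rebuild the report's 3x3 matrix as {(threat, impact): (score, rating)}."""
    return {(t, i): (risk_score(t, i), risk_rating(risk_score(t, i)))
            for t in THREAT_LEVEL for i in MAGNITUDE_OF_IMPACT}


# (finding number, threat level, impact, stated risk rating) for findings 1 to 9
# of section 5 of the report.  Finding 6 is written "low" there; case-normalised here.
SECTION5_FINDINGS = [
    (1, "Medium", "Medium", "Medium"),
    (2, "Medium", "Medium", "Medium"),
    (3, "High",   "Medium", "Medium"),
    (4, "Medium", "Medium", "Medium"),
    (5, "Medium", "High",   "Medium"),
    (6, "Low",    "Low",    "Low"),
    (7, "Medium", "Medium", "Medium"),
    (8, "Medium", "Medium", "Medium"),
    (9, "Medium", "Medium", "Medium"),
]


def check_findings(findings=SECTION5_FINDINGS):
    """Recompute each finding's rating and list those that disagree with the stated one
    as (number, stated, computed)."""
    mismatches = []
    for number, threat, impact, stated in findings:
        computed = risk_rating(risk_score(threat, impact))
        if computed != stated:
            mismatches.append((number, stated, computed))
    return mismatches


if __name__ == "__main__":
    for (t, i), (score, rating) in sorted(risk_matrix().items()):
        print(f"threat={t:6} impact={i:6} -> {score:5.1f} {rating}")
    print("mismatches in section 5:", check_findings())
```

Two things worth noticing when the matrix is recomputed: a High threat against a Medium impact scores exactly 50, which the scale's ">50" boundary still classes as Medium (finding 3), and the section 6 summary rates password strength and SQL injection as high even though the same findings compute to Medium under section 5's weights, so the two tables should be reconciled.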

Data                                  Includes
Personally identifiable information   • Name • Address (current and previous) • Phone Number • SSN # • DOB
Vehicle information                   • Vehicle identification number • Tag # • Date of last emissions test
Financial information                 • Credit card # • Verification code • Expiry date • Card type • Authorization reference • Transaction reference


3. SYSTEM CHARACTERIZATION

I. Technology components

Component            Description
Applications         An Apache server is running on my system, and the local host is being used by Nessus to test the ports and vulnerabilities.
Databases            MySQL database system
Operating Systems    Microsoft Windows Vista 32-bit, Service Pack 1
Interconnections     Interface to Broadcom card
Protocols            TCP, UDP and SSL used for transmission between the client web browser and the web server
Networks             Checkpoint Firewall; D-Link routers

II. Physical Location

Location             Description
Personal computers   Tareq's house, which hosts 4 computers connected through a wireless network and a modem.


III. Data Used By the System

Data                               Description
System identifiable information    Includes: • Name • System • IP address

4. THREAT STATEMENT

While doing my risk assessment analysis and test, the following threats to my system were identified:

Threat source       Threat action
Hacker              • Web defacement
                    • Social engineering
                    • System intrusion, break-ins
                    • Unauthorized system access
Computer criminal   • Identity theft
                    • Spoofing
Environment         Natural disaster


5. Nessus Scan and risk assessment results

The following table provides an overview of the vulnerabilities assumed to apply and the vulnerabilities found by our scan, with the recommended safeguards for our systems. For each finding the columns are: Observation; Threat source / Vulnerability; Existing control; Threat level; Impact; Risk rating; Recommended control.

1. User system password can be guessed or cracked
   Threat source / Vulnerability: Hackers / Password effectiveness
   Existing control: Passwords must be alphanumeric and at least 6 characters
   Threat level: Medium; Impact: Medium; Risk rating: Medium
   Recommended control: Require use of special characters

2. Cross-site scripting
   Threat source / Vulnerability: Hackers / Cross-site scripting
   Existing control: None
   Threat level: Medium; Impact: Medium; Risk rating: Medium
   Recommended control: Validation of all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification of what should be allowed

3. Data could be inappropriately extracted/modified from the MySQL database by entering SQL commands into input fields
   Threat source / Vulnerability: Hackers + Criminals / SQL Injection
   Existing control: Limited validation checks on inputs
   Threat level: High; Impact: Medium; Risk rating: Medium
   Recommended control: Ensure that all parameters are validated before they are used. A centralized component or library is likely to be the most effective, as the code performing the checking should all be in one place. Each parameter should be checked against a strict format that specifies exactly what input will be allowed.

4. Web server and application server running unnecessary services
   Threat source / Vulnerability: All / Unnecessary services
   Existing control: None
   Threat level: Medium; Impact: Medium; Risk rating: Medium
   Recommended control: Reconfigure systems to remove unnecessary services

5. Disaster recovery plan has not been established
   Threat source / Vulnerability: Environment / Disaster recovery
   Existing control: HP backup and recovery
   Threat level: Medium; Impact: High; Risk rating: Medium
   Recommended control: Develop and test a disaster recovery plan

6. Open TCP port 49155
   Threat source / Vulnerability: It was possible to enumerate the Distributed Computing Environment (DCE) services
   Existing control: Windows and router firewall
   Threat level: Low; Impact: Low; Risk rating: Low
   Recommended control: Ports must be controlled by the firewall and watched for remote attacks

7. Web server uses plain-text authentication forms
   Threat source / Vulnerability: An attacker eavesdropping on the traffic might use this setup to obtain the logins and passwords of valid users.
   Existing control: No control
   Threat level: Medium / Base Score: 5.0; Impact: Medium / Base Score: 5.0; Risk rating: Medium / Base Score: 5.0
   Recommended control: Make sure that every form transmits its results over HTTPS

8. Debugging functions are enabled on the remote web server
   Threat source / Vulnerability: It has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users into giving him their credentials.
   Existing control: No control
   Threat level: Medium / Base Score: 5.0; Impact: Medium / Base Score: 5.0; Risk rating: Medium / Base Score: 5.0
   Recommended control: Disable these methods.

9. Weak supported SSL cipher suites
   Threat source / Vulnerability: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
   Existing control: No control
   Threat level: Medium / Base Score: 5.0; Impact: Medium / Base Score: 5.0; Risk rating: Medium / Base Score: 5.0
   Recommended control: Reconfigure the affected application, if possible, to avoid use of weak ciphers.
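Findings 2 and 3 both recommend the same control: one centralized component that checks every parameter against a strict specification of what is allowed before the parameter is used. The following Python is an added example of that component and is not code from the report or from the lab; the parameter names, the regular expressions, the in-memory SQLite table (standing in for the report's MySQL database) and the sample rows are all constructed for the example. It also shows, as the 'before' of finding 3, a query built by string concatenation next to its hardened form, and adds two controls the report does not name but that are standard practice: binding the value as a query parameter so the driver never interprets it as SQL, and HTML-escaping validated data on output for finding 2.

```python
import html
import re
import sqlite3

# Centralized validation component: each parameter's allowed format is defined once,
# here, so every use of the parameter is checked the same way.
PARAM_SPECS = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "order_id": re.compile(r"[0-9]{1,10}"),
    "display":  re.compile(r"[A-Za-z0-9 .,'-]{1,64}"),
}


class ValidationError(ValueError):
    """Raised when a parameter is unknown or does not match its strict format."""


def validate(params):
    """Return a copy of params in which every value matched its spec; raise otherwise.
    Unknown parameter names are rejected too, so hidden or extra fields cannot slip in."""
    clean = {}
    for name, value in params.items():
        spec = PARAM_SPECS.get(name)
        if spec is None:
            raise ValidationError(f"unexpected parameter: {name}")
        if not isinstance(value, str) or spec.fullmatch(value) is None:
            raise ValidationError(f"parameter {name!r} does not match its allowed format")
        clean[name] = value
    return clean


def is_valid(params):
    """Boolean convenience wrapper around validate()."""
    try:
        validate(params)
        return True
    except ValidationError:
        return False


def make_db():
    """Constructed in-memory SQLite table standing in for the report's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_email_vulnerable(conn, username):
    """Finding 3 as it happens: the statement is assembled by concatenation, so SQL typed
    into the input field becomes part of the statement the database executes."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_bound(conn, username):
    """Parameter binding alone (no validation): the driver passes the value as data,
    so the same input that breaks the concatenated query simply matches no user."""
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def lookup_email(conn, params):
    """Hardened form: validate through the central component, then bind the value."""
    clean = validate(params)
    return lookup_email_bound(conn, clean["username"])


def greeting_html(params):
    """Finding 2: validated input is additionally HTML-escaped when rendered, so even an
    allowed character such as an apostrophe cannot alter the page's markup."""
    clean = validate(params)
    return "<p>Hello, " + html.escape(clean["display"]) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # constructed test input containing SQL, as in finding 3
    print("concatenated query returns:", lookup_email_vulnerable(db, probe))
    print("bound query returns:       ", lookup_email_bound(db, probe))
    print("validator accepts it:      ", is_valid({"username": probe}))
```

Validation rejects the probe before any query runs; the bound query is there to show that the second layer holds even if a parameter somehow reaches the database unchecked, which is the argument for keeping both.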

Nessus Scan Process screenshots and results

[Screenshots of the Nessus scan process and its results occupied pages 13 to 20 of the original report; the images are not present in this transcript.]

6. Summary

The following table provides an overview of the vulnerabilities and the recommended safeguards for my system.

Risk Matrix

Vulnerability          Risk Level (High, Medium, Low)   Recommended Safeguard
Cross-site scripting   Medium                           Install antivirus software and keep these programs constantly updated
Password strength      High                             Train the user to use a strong password that is harder to crack or guess.
SQL injection          High                             Use an antivirus solution to protect the database system
Unnecessary services   Low                              Turn off all unnecessary services; they can be a hole and make the system more vulnerable.

Implementing the recommended safeguards will reduce the overall risk exposure associated with the general vulnerabilities listed above.
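Findings 7, 8 and 9 of section 5 are all settings of the Apache server named in the system characterization: forms must be submitted over HTTPS, the TRACE method must be disabled, and weak SSL ciphers must be removed. The Python below is an added example, not part of the report, that audits an Apache configuration text for those three points, with a weak configuration shown beside its corrected form. The two configuration snippets are constructed samples rather than the report's actual httpd.conf, and www.example.test is a placeholder hostname; TraceEnable, SSLCipherSuite and Redirect are real Apache directives, and Apache treats TRACE as enabled when TraceEnable is absent.

```python
import re

# Constructed sample of a weak configuration (not the report's real httpd.conf).
WEAK_CONF = """\
# TRACE left at its default (on) and a permissive cipher string
TraceEnable On
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
"""

# Constructed corrected form of the same configuration.
HARDENED_CONF = """\
TraceEnable Off
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5
SSLHonorCipherOrder on
<VirtualHost *:80>
    # send plain-HTTP visitors (and their form posts) to the TLS site
    Redirect permanent / https://www.example.test/
</VirtualHost>
"""

# OpenSSL cipher-string components that mean weak or null encryption when enabled.
WEAK_TOKENS = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "eNULL", "aNULL",
               "NULL", "ADH", "RC4", "DES", "MD5", "SSLv2"}


def weak_cipher_tokens(cipher_string):
    """Return the weak components an SSLCipherSuite string explicitly enables.
    A leading '!' removes a component, which is what a hardened string does."""
    weak = []
    for token in cipher_string.split(":"):
        if token.startswith("!"):
            continue
        for part in token.lstrip("+").split("+"):
            if part in WEAK_TOKENS:
                weak.append(part)
    return weak


def audit_apache_conf(text):
    """Return finding identifiers for the three section-5 items, in file order."""
    findings = []
    trace_enabled = True          # Apache's default when TraceEnable is absent
    in_http_vhost = False
    http_vhost_redirects = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"TraceEnable\s+(\S+)", line, re.I)
        if m:
            trace_enabled = m.group(1).lower() != "off"
            continue
        m = re.match(r"SSLCipherSuite\s+(\S+)", line, re.I)
        if m:
            weak = weak_cipher_tokens(m.group(1))
            if weak:
                findings.append("WEAK_CIPHERS:" + ",".join(weak))
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            in_http_vhost = m.group(1).strip().endswith(":80")
            http_vhost_redirects = False
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            if in_http_vhost and not http_vhost_redirects:
                findings.append("PLAIN_HTTP_VHOST")   # forms on :80 go out in clear text
            in_http_vhost = False
            continue
        if in_http_vhost and re.match(r"(Redirect|RewriteRule)\b.*https://", line, re.I):
            http_vhost_redirects = True
    if trace_enabled:
        findings.insert(0, "TRACE_ENABLED")
    return findings


if __name__ == "__main__":
    print("weak config:    ", audit_apache_conf(WEAK_CONF))
    print("hardened config:", audit_apache_conf(HARDENED_CONF))
```

The script reads configuration text only; it is a static check of the settings the findings call for, which is the quick way to confirm a remediation before re-running the Nessus scan that reported them.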


7. Conclusion

Nessus is not fool-proof, nor the only system available for vulnerability assessment, but it is one of the many systems available for network auditing and testing production systems. With the release of Nessus 3, there are more than 10,000 plug-in checks. Nessus plug-ins often include cross-references with Security Focus (Bugtraq ID), CVE, OSVDB, IAVA, and more. Many Nessus plug-ins also include CVSS severity rankings. These CVSS rankings allow an organization to quickly categorize its level of risk.