September 10, 2010, 11:33 AM — For those new to the art of vulnerability management, the vast array of scanners and other tools of the trade can be overwhelming. Which ones work best? Which ones are most affordable?
At last month's SANS Boston 2010 training sessions, SANS Institute President Stephen Northcutt ran through the basic tools and what they do in a talk called "SANS Security Leadership Essentials for Managers with Knowledge Compression."
How to do a vulnerability scan
First, Northcutt ran students through the basic functions of these scanners and how to go about running one. Before getting started, he suggested practitioners heed the following checklist:
- First, get permission from the top brass before running a scan. Explain what you are doing, which is essentially finding the company's vulnerabilities before the bad guys do.
- Put out the word ahead of time, publish your phone number and remember people hate the kind of surprises a scan will generate.
- Click your target selection, choose a system to go after and tell it to expand the subnet. From there, keep the window narrow, scanning only one subnet at a time. That way, you won't bog down the system or overwhelm yourself by making a whole bunch of flaws show up at once. Find and fix them in small batches to avoid mental overload.
- During a heavy scan, do not initiate a denial-of-service scan right out of the gate.
- Only do a scan when you are in the office and by the phone.
- Fix the red priority problems first.
Also remember that you should only scan networks you are authorized to scan. Going beyond your mandate and widening the field too much will probably set off someone else's intrusion detection system and get you in trouble, Northcutt said.
When choosing a scanner, Northcutt said you must consider the following:
- How is the product licensed?
- Is the product flexible enough to handle your company's planned growth?
- How interoperable is the product? Does it support the Common Vulnerabilities and Exposures (CVE) standard for cataloguing vulnerabilities?
- Can you easily compare the results of a scan today with the results of a scan from four weeks ago, or is it a fully manual process?
- Does your manager like the reporting output?
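Two of those criteria, CVE support and comparing today's scan with one from four weeks ago, can be checked with a small script. The following is an added example, not part of the article or any tool Northcutt discussed: it assumes the scanner can export findings as CSV with host, CVE id and severity columns, and the hosts and CVE ids below are constructed placeholders. It diffs the two exports and orders open findings with the red (critical) ones first.

```python
"""Diff two vulnerability-scan CSV exports and rank open findings red-first."""
import csv
import io
from collections import namedtuple

# Constructed sample exports; the hosts and CVE ids are placeholders, not real data.
SCAN_FOUR_WEEKS_AGO = """host,cve,severity
10.0.1.10,CVE-0000-0001,critical
10.0.1.10,CVE-0000-0002,medium
10.0.1.11,CVE-0000-0003,high
"""
SCAN_TODAY = """host,cve,severity
10.0.1.10,CVE-0000-0002,medium
10.0.1.11,CVE-0000-0003,high
10.0.1.11,CVE-0000-0004,critical
10.0.1.12,CVE-0000-0005,low
"""

# Lower rank = fix sooner; "critical" is the red priority from the checklist.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
Finding = namedtuple("Finding", "host cve severity")


def parse_export(text):
    """Parse a CSV export into {(host, cve): Finding}; reject unknown severities."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["severity"].strip().lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} for {row['cve']}")
        key = (row["host"].strip(), row["cve"].strip())
        findings[key] = Finding(key[0], key[1], sev)
    return findings


def _order(f):
    return (SEVERITY_RANK[f.severity], f.host, f.cve)


def diff_scans(old_text, new_text):
    """Return new, fixed and persisting findings, each sorted red-priority first."""
    old, new = parse_export(old_text), parse_export(new_text)
    return {
        "new": sorted((new[k] for k in new.keys() - old.keys()), key=_order),
        "fixed": sorted((old[k] for k in old.keys() - new.keys()), key=_order),
        "persisting": sorted((new[k] for k in new.keys() & old.keys()), key=_order),
    }


def work_queue(old_text, new_text):
    """Everything still open (new + persisting), in the order to fix it."""
    d = diff_scans(old_text, new_text)
    return sorted(d["new"] + d["persisting"], key=_order)
```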
Enter Hping, the spoofing port scanner
Next, Northcutt walked students through the ins and outs of Hping version 3.0, a network analysis tool he described as stealthier than another, better-known tool called Nmap. Hping can craft packets with a customized destination and source port, window size, identification field, TCP flags and more.