
Has there been research/analysis on the use of vulnerability scanning ecosystems as a point of compromise into a network?

Specifically -- for enterprises using authenticated scanning -- the vulnerability scanning ecosystem becomes a trusted entity which by design is launching invasive tests with admin/root privileges. These tests, while designed to be as minimally invasive as possible, could be altered to be malicious if an attacker compromised the scanning ecosystem itself (in theory). How do organizations get around this inherent security risk related to enterprise-wide authenticated scanning?

user125967
    Don't put any vuln mgmt or infosec devices/hosts into a Windows Server Forest, such as joining a Domain or Workgroup. Use the hardening guidelines and benchmarks from the Center for Internet Security – atdre Sep 30 '16 at 15:51

2 Answers


Mitigating the risk of having a scanning system with credentials in the environment can be accomplished with the following best practices:

  • Use a dedicated system for scanning and disable it (disable NIC / power it off) when not in use.
  • Use dedicated credentials (AD preferably or local if necessary) for the scanner and disable them when not in use.
  • Rotate passwords for the scanner's credentials periodically.
  • Ensure the scanner's version and host OS are current with patching and updates.

UPDATE

For the extremely paranoid, we can implement the following controls:

  • Restrict access to this box (SSH, RDP, scanner web interface, etc.) to only authorized machines.
  • Enable detailed logging of the host and scanning application, then review the logs for anomalous activity.
  • Connect this box to any SIEM solution currently in the environment and configure alerting on any access to the system while it's powered up / online.
HashHazard
  • If you are routinely scanning, this does not buy you much security. An attacker compromising the system would just wait until the scan cycle starts again -- which would have the scanner on, credentials enabled, passwords up-to-date, etc. – user126049 Sep 30 '16 at 12:07
  • Remember the security onion? There is no silver bullet. It's about security in layers. If you want to take it a step further, I’ve updated the answer to reflect some additional controls. – HashHazard Sep 30 '16 at 13:45
  • The security onion is a good point -- vulnerability scanning ecosystems go counter to that in that they slice through all the security layers by definition. They are given privileged access to an entire network estate at defined intervals (or continuously in some circumstances). I am not even sure SIEM buys you much, since the normal operation of a scanner would be to interactively interrogate servers. Furthermore, detailed logging is good, but have you ever seen the results of a full authenticated vulnerability scan? Then factoring in the scale and variance for large enterprises makes it hard. – user126049 Sep 30 '16 at 20:31
  • I think you may be missing what I'm suggesting you point the logging at. In this case, I'm suggesting you monitor the scanning system itself for evidence of unauthorized activity. Any SIEM can filter results to a particular host. I'm not suggesting you review the vuln scan results for evidence of compromise. – HashHazard Oct 01 '16 at 02:24
  • You would have to monitor both the scanners and the targets. The vulnerability checks themselves could be malicious, so you would need to screen those. Some of these checks are essentially scripts run in the shell with root access. Who says a check could not be a compromise -- in that case the scanner wouldn't even need to be compromised, just the vuln signature. Furthermore, some vendor scanners are appliances -- with no administrative access and running as bastion hosts -- no SIEM even possible on them. I am not sure this is even being paranoid -- this is exactly how an APT thinks. – user126049 Oct 01 '16 at 19:01
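A defender-side check that complements the SIEM bullet in this answer and the follow-up comment about watching both the scanner and its targets: rather than reviewing scan results, it profiles how the scanner's own credential is allowed to be used (from which host, in which window, with which logon type) and flags anything else. This is an added example, not the answerer's code; the account name "svc-vulnscan", the scanner address 10.0.5.10, the 01:00-05:00 scan window and the 4624-style sample lines are all assumed or constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time

SCANNER_ACCOUNT = "svc-vulnscan"        # assumed dedicated AD account for the scanner
SCANNER_HOSTS = {"10.0.5.10"}           # assumed address of the dedicated scanner box
SCAN_WINDOW = (time(1, 0), time(5, 0))  # assumed nightly scan window (local time)
EXPECTED_LOGON_TYPES = {3}              # network logon; a scan never logs on interactively

@dataclass
class LogonEvent:
    ts: datetime
    account: str
    source_ip: str
    logon_type: int
    target: str

def parse_event(line: str) -> LogonEvent:
    """Parse a constructed 'timestamp|event_id|account|source_ip|logon_type|target' line."""
    ts, event_id, account, src, ltype, target = line.strip().split("|")
    if event_id != "4624":
        raise ValueError(f"not a successful-logon record: {event_id}")
    return LogonEvent(datetime.fromisoformat(ts), account, src, int(ltype), target)

def findings(ev: LogonEvent) -> list[str]:
    """Reasons a scanner-account logon deviates from the scan profile (empty = as expected)."""
    if ev.account != SCANNER_ACCOUNT:
        return []                       # other accounts are out of scope for this rule
    reasons = []
    if ev.source_ip not in SCANNER_HOSTS:
        reasons.append("credential used from non-scanner host")
    if not SCAN_WINDOW[0] <= ev.ts.time() <= SCAN_WINDOW[1]:
        reasons.append("logon outside scan window")
    if ev.logon_type not in EXPECTED_LOGON_TYPES:
        reasons.append(f"unexpected logon type {ev.logon_type}")
    return reasons

# Constructed sample: two normal scan logons, the scanner credential reused from
# another host at midday, an interactive (type 10) logon, and an unrelated user.
SAMPLE_LOG = """\
2016-10-01T02:15:00|4624|svc-vulnscan|10.0.5.10|3|srv-web-01
2016-10-01T02:16:00|4624|svc-vulnscan|10.0.5.10|3|srv-db-02
2016-10-01T14:02:00|4624|svc-vulnscan|10.0.7.23|3|srv-db-02
2016-10-01T02:20:00|4624|svc-vulnscan|10.0.5.10|10|srv-web-01
2016-10-01T02:21:00|4624|jdoe|10.0.9.5|2|ws-0042
"""

def review(log: str) -> dict[str, list[str]]:
    """Map each anomalous line to its reasons; lines matching the scan profile are dropped."""
    return {ln: r for ln in log.splitlines() if (r := findings(parse_event(ln)))}
```

`review(SAMPLE_LOG)` returns only the two deviating lines; in a real deployment the same rule would run over the target hosts' security logs, which is where a stolen scanner credential shows up first.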

Unauthenticated scanning should really die out, hopefully soon. Yes, your scanning engine host - add it to the list of top critical devices, and segmentation is your best friend in this case (yep, it's true, firewalls are not dead yet). Some comments in here about CIS benchmarks - they are the best source of public info we have, but I would urge infosec folks to actually try and go through them for Windows servers and form your own opinion - I put together a spreadsheet for Windows config items that augments CIS. Speaking of hosting passwords and configs for root/administrator - at least one solution I'm aware of stores all this stuff on their server (not yours). Think about how you're accessing the UI - is it a public URL?