Posted by Robert Schifreen on November 27, 2015.
As the saying goes, you can’t manage it if you can’t measure it. In the field of IT security we can extrapolate that to “If you don’t pentest it, you can’t secure it”. Because in order to secure a system, you really need to know where the weaknesses are.
A couple of months ago, I set up a couple of new internet-facing servers for an upcoming project. Within just a few minutes, the attacks started. Mostly from IP addresses in China. There were literally hundreds of attempted connections to well-known ports and accounts, as well as to URLs such as those for phpMyAdmin and so on.
Hackers clearly have a huge list of potentially interesting URLs at their disposal, and are geared up to continually try them on every server they can find. Among the hits which are being detected on my web server are those to brochures/W5BBR-01E.pdf, xeroxworkcentre5745 and xeroxworkcentre5790. Weirdly, printers seem to be high on the list of systems being tried. Kyocera-related URLs are very common in my access log files. Maybe I should put some pointless files at those URLs and get into the honeypot business.
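The probing described above leaves a recognisable trace: one client requesting many distinct paths that do not exist. The script below is an added example, not the author's code, that parses combined-format access log lines (constructed sample lines, using the printer and phpMyAdmin paths the post mentions) and flags clients that collected several distinct 404s, which a normal visitor rarely does.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" log format (not taken
# from the author's real logs); the probed paths mirror those named in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Nov/2015:10:01:02 +0000] "GET /brochures/W5BBR-01E.pdf HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Nov/2015:10:01:03 +0000] "GET /xeroxworkcentre5745 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Nov/2015:10:01:03 +0000] "GET /xeroxworkcentre5790 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Nov/2015:10:01:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Nov/2015:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Nov/2015:10:02:05 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# client ip, two ignored fields, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return a dict with ip, ts, method, path, status for one line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_probing_ips(log_text, min_distinct_404=3):
    """Group 404 responses by client IP and return {ip: sorted paths} for
    clients that requested at least min_distinct_404 distinct missing paths.
    A browser fetching one missing favicon stays below the threshold; a
    scanner walking a list of printer/admin URLs does not."""
    misses = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in misses.items()
            if len(paths) >= min_distinct_404}

if __name__ == "__main__":
    for ip, paths in find_probing_ips(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} distinct missing paths: {', '.join(paths)}")
```

Point it at a real access log (read the file and pass its text) and tune the threshold to your site's normal 404 rate; the flagged IPs are candidates for rate limiting or a block list, not proof of compromise.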
I’d put a fair amount of effort into both protecting and obfuscating my servers, so it was soon time to find out whether I’d done a sufficiently good job. The very nice people at Tenable gave me access to Nessus Cloud in order to do so. Nessus is one of the best-known vulnerability scanners and their cloud version is stupidly easy to use. To get a perfectly usable overview of a system’s security you need do nothing more than log into Nessus Cloud, click the Advanced Scan button, enter the IP address of the target machine, then go for a coffee.
By the time you notice your drink has gone cold because you started watching sneezing panda videos on YouTube, the scan will be finished and you’ll have the results. Vulnerabilities are grouped by priority (critical, high, medium, low, info). Both of my systems came back with a couple of medium-level problems, and details of how to solve them.
Although Nessus will do a fair job of scanning a machine without access to any login credentials (and in doing so, emulates most hackers very accurately), you’ll get more detailed results about vulnerabilities if the scanner has access to the innards of the target’s OS. To facilitate this, you can download and install an optional Nessus agent, which is available in Windows, Mac and Unix flavours including all the common Linux families. Downloading and configuring the agent isn’t particularly well documented, but once it’s set up you don’t need to touch it again. Just fire off a scan from the main Nessus Cloud console, tell it to use the installed agent, and the 2 systems will talk among themselves in order to produce much more detailed results. In the case of my Windows server, it found 42 things, though all but 2 of those were classed as informational. The “high” finding was a missing patch and included a pointer to the relevant Microsoft Knowledge Base article so I could fix it.
An annual subscription to Nessus Cloud costs a tad under $3000 to scan up to 128 targets. That’s $2 per machine per month, for the ability to perform unlimited scans. The agents are downloadable at no extra cost.
Finding the money for a service such as this should be a no-brainer. Finding the additional resources to fix the problems that it will undoubtedly uncover in your organisation might be a little tougher.