Tag Archives: NMap

Vulnerability Management for Network Perimeter

Network Perimeter is like a door to your organization. It is accessible to everyone and vulnerability exploitation does not require any human interactions, unlike, for example, phishing attacks. Potential attacker can automate most of his actions searching for an easy target. It’s important not to be such of target. šŸ˜‰

Vulnerability Management for Network Perimeter

What does it mean to control the network perimeter? Well, practically this process consist of two main parts:

  • Assessing network hosts that are facing Internet using some Network Scanner (Nessus, OpenVAS, Qualys, MaxPatrol. F-Secure Radar, etc.)
  • Assessing application servers, e.g. Web Servers, on these hosts using some special tools, e.g. Web Application Scanners (Acunetix, Burp Suite, Qualys WAS, Tenable.io WAS, High-Tech Bridge ImmuniWeb, etc.)

Active scanning is a good method of perimeter assessment. Dynamics of the assets is relatively low, comparing with the Office Network. Perimeter hosts usually stays active all the time, including the time when you are going to scan scanning them. šŸ˜‰

Most of the dangerous vulnerabilities can be detected without authorization: problems with encryption (OpenSSL Heartbleed, Poodle, etc.). RCE and DoS of web servers and frameworks (Apache Struts and Equifax case)

The best results can be achieved with scanners deployed outside of your network. Thus, you will see your Network Perimeter the same way a potential attacker sees it. But certainly, you will be in a better position:

  • You can ask your IT administrators to add your network and WAS scanners in white list, so they will not be banned.
  • You can check and correlate scan results of remote scanner with (authenticated?) scan results produced by the scanner deployed in your organization’s network and thus filtering false positives.

What about the targets for scanning? How should you get them?

Continue reading

SOC Forum 2017: How I Learned to Stop Worrying and Love Massive Malware Attacks

Today I spoke at SOC Forum 2017 in Moscow. It was a great large-scale event about Security Operation Centers. 2,700 people registered. Lots of people in suits šŸ˜‰ . And lots of my good fellows.

SOC Forum 2017 Alexander Leonov

The event was held inĀ Radisson Royal Congress Park. There were three large halls for presentationsĀ and a huge space for exhibition/networking.

I would like to mention Š° stand of Positive Technologies. They have shown today their new PT Security Intelligence PortalĀ with dashboards for executives and joint service with Solar Security for providingĀ GosSOPKA functionality. Some stands were dedicated to Russian governmentĀ Information Security initiatives: GosSOPKA, BDU FSTEC vulnerability database and FinCERT of the Central Bank of Russia.

During my presentation, I was talking how massive malware (ransomware) attacks can be useful for an organization. Quite a provocative topic, right? šŸ˜‰ I meant it in the sense that all the hype around malware attack can help Information Security team to do the the following things:

  • Establish useful policies, like mandatory Windows host reboot after patch installation
  • Ban some convenient, but dangerous functionality, like smb file sharing between workstations
  • Implement useful processes, like system hardening (e.g. against mimikatz) or continuous processing of CERT (FinCERT) bulletins

Continue reading

Scaner-VS: Vulnerability Management solution for Russian Military

Scaner-VS is a Vulnerability Assessment system developed by Moscow-based NPO Echelon. It’s pretty popular in Russian government organizations, especially in Russian Army, because it comply all government requirements, has all necessary certificates and is relatively cheap.

Scaner-VS webgui

As for requirements and certificates, NPO Echelon itself is an important certification authority, so they know how to do the things right. It’s not a secret product or something. You can request trial version freely at http://scaner-vs.ru/version-for-testing/. But note, that it is only available in Russian. I am also sorry, but screenshots in this post will be also in Russian. I will try to do my best to describe them properly.

When you fill the form on Echelon website, you will soon get a link to 3.3 gb .iso file by email. Run it in VirtualBox virtual machine (choose Debian 64 or Debian 32).

Here is a boot menu. Choose first default option.

Scaner-VS boot

Some seconds later you will see Linux desktop environment with Scaner-VS web-GUI opened in Firefox.

Continue reading

Seccubus installation and GUI overview

Seccubus can be roughly described as an open source analogue of Tenable SecurityCenter. Look, it can launch scans via APIs of Nessus, OpenVAS, and some other scanning tools, retrieve scan results, parse them and put in MySQL database. Then you can make SQL queries and work with scans in asset-based way (as you know, it is trending now).

Seccubus

Well, Seccubus is not yet a fancy-looking security product. You will need to spend some time to install and configure it, but still it is a very interesting project with a great potential.

Seccubus also may serve as open project that will accumulate expertise in API usage for various Vulnerability Scanners. Another project of such kind is OpenVAS, it’s OSPd scripts and connectors.

In this post I will describe installation process an show elements of GUI web-interface.

I installed Seccubus in CentOS 6 x86_64. I also tried CentOS 6 i386 and it worked fine. However, I can’t recommend you to install official Seccubus packages in CentOS 7 and the latest Debian-based systems. I had some issues with dependencies and Apache configuration. It seems like these systems are not fully supported yet. Security patches for CentOS 6.8 will be available until 30 Nov 2020, so anyway we have time.

Continue reading