Vulnerability Tools - Hype or Help?

April 30, 2013
Should They Be Used on Industrial Networks?
About the Author
Ian Verhappen is a contributor and blogger for Control and Control Design. He has 25+ years of experience in instrumentation, controls and automation.

Another set of products now being used in the cybersecurity arsenal, at least on the business LAN side, are called "vulnerability assessment tools" or "vulnerability scanners," which raises the question of whether these tools also should be used on industrial networks.

A vulnerability is a flaw in a system, device or application that, if leveraged by an attacker, could impact the security of the system. A vulnerability analyzer is designed to help you answer questions like: What is connected and running on your network? Is it up to date, patched and properly configured? Are you vulnerable?


Exploits take advantage of a vulnerability to compromise the target system, device or application. Remediation is the process of repairing or otherwise providing a remedy for a vulnerability, and thus removing the potential for it to be exploited. Vulnerability scanning products, which have been on the market for approximately a decade, are used to identify and evaluate how secure a network and its devices are. The original vulnerability scanning products were developed for specific purposes, such as scanning only Windows desktops, applications or network devices, but these tools now scan complete networks and their associated nodes.

Vulnerability scanners search for known problems such as misconfigured application servers and network components such as switches and routers; out-of-date applications; and services that are enabled by default but shouldn't be. Vulnerability analyzers are also security oriented, so they often look for information leakage from systems through DNS and other sources such as Simple Network Management Protocol (SNMP) and the Windows registry.

There are two types of vulnerability analyzers. Network-based vulnerability-assessment scanners focus on identifying the services running on systems in a given network, such as HTTP, FTP and Simple Mail Transfer Protocol (SMTP), and what vulnerabilities exist in those services. Network assessment scanners usually do not provide as detailed information about, or as granular control of, specific systems as host-based assessment scanners do, but they do provide more detailed service and network information.

Host-based scanners deployed as agents on individual machines identify system-level vulnerabilities such as file permissions, user account properties and registry settings. They typically report results to a centralized database from which reports are generated and administration is performed. Host-oriented patch tools focus on the myriad patches needed to keep Windows servers up to date, while network vulnerability analyzers look for more than missing patches.

As we all know, new vulnerabilities are published with alarming frequency, so keeping your vulnerability analyzer current is essential. The available tools typically have a comprehensive set of tests, though, in some cases, custom tests might need to be developed to examine specific conditions on the network.

Before you start scanning your network, be careful: vulnerability analyzers need to be used with extreme care. Most products have options to disable dangerous or denial-of-service checks, but that isn't always sufficient to keep the targets up, and if you're not careful they will crash your systems. You certainly can't just install the software and let it scan your system over and over. Even if you don't get consistent crashes, the tools use multiple methods to probe your network, and you will eventually trigger a race condition (two threads or requests whose relative timing decides the outcome) or a load-related problem in a device's network stack, and something will crash. Certainly not a good thing in an industrial setting.

As we know, though, useful tools developed for IT are not always a good fit for an industrial setting. The popular Nessus vulnerability scanner, used to test a number of PLCs under consideration by CERN, caused 25% of the control devices/PLCs under test to fail. Therefore, it's a good idea to test the product offline against a sample of every device type on your control network before running it on your live system. If not, you could find out the meaning of the "ping of death" as it relates to your career.

Now that you understand what the tools try to do, how are tests conducted? Most vulnerability analyzers take a three-phase approach to testing:

1. Map the network. Given a network range by the security manager, the tool attempts to determine which IP addresses are in use, that is, what is actually on the network.

2. The tool then attempts to determine which applications and services are running on these systems, and how the systems found are configured. A variety of techniques, ranging from simply trying to connect (a port scan) to reading the actual socket table out of SNMP, are used to discover systems and services, including spotting services running on nonstandard ports and which operating system is running on each system.

3. The tool then employs a long series of tests to find out if each system is susceptible to a known bug or problem. Smarter products iterate between phases two and three, learning more and using that information to launch more tests. Others prune their decision tree to save time, and minimize the risk of overloading the target systems.
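The three phases above, combined with the safeguards from the earlier paragraphs (an exclusion list for devices that failed the offline test, strictly serial probing with a delay between probes, and a switch that keeps intrusive checks off), as an added Python example. This is not code from the original article, nor from Nessus or any other product; the signature table, the check list, the addresses, banners and the "PLC that crashes on an oversized request" are all constructed here for illustration, and the network is only ever reached through a probe callable so the simulated segment at the end stands in for a lab bench.

```python
"""Three-phase scan (map, enumerate, test) with industrial-network safeguards:
an exclusion list, strictly serial probing with a delay, and a safe_only switch
that keeps intrusive checks off. The network is reached only through a probe
callable, so a simulated network (constructed below) stands in for the lab bench."""
import time
from dataclasses import dataclass, field

# Constructed signature table (hypothetical product names, not real advisories):
# banner substring -> what the out-of-date service means for remediation.
OUTDATED_BANNERS = {
    "ExampleHTTPd/1.0": "ExampleHTTPd 1.0 is end-of-life; upgrade to a supported release",
    "ExampleSSH-5.1": "ExampleSSH 5.1 predates the vendor's security fixes",
}
CLEARTEXT_MGMT = {21: "ftp", 23: "telnet"}   # management services that should be off

@dataclass
class Host:
    ip: str
    services: dict = field(default_factory=dict)   # port -> banner text
    findings: list = field(default_factory=list)

@dataclass(frozen=True)
class Policy:
    exclude: frozenset = frozenset()   # devices that failed the offline test
    ports: tuple = (21, 22, 23, 80, 102, 161, 443, 502)  # 102 = S7comm, 502 = Modbus/TCP
    delay: float = 0.2                 # seconds between probes; probes are never parallel
    safe_only: bool = True             # skip checks flagged as intrusive

def phase1_map(targets, probe, policy):
    """Phase 1: which addresses are in use. One benign connect per port until one answers."""
    live = []
    for ip in targets:
        if ip in policy.exclude:
            continue
        for port in policy.ports:
            time.sleep(policy.delay)
            if probe(ip, port, b"") is not None:
                live.append(Host(ip))
                break
    return live

def phase2_enumerate(hosts, probe, policy):
    """Phase 2: which services answer on each live host (banner grab, empty payload)."""
    for host in hosts:
        for port in policy.ports:
            time.sleep(policy.delay)
            banner = probe(host.ip, port, b"")
            if banner is not None:
                host.services[port] = banner
    return hosts

def check_cleartext_mgmt(host, probe):
    return [f"{name} on port {port}: cleartext management service enabled"
            for port, name in CLEARTEXT_MGMT.items() if port in host.services]

def check_outdated(host, probe):
    return [f"port {port}: {msg}" for port, banner in host.services.items()
            for sig, msg in OUTDATED_BANNERS.items() if sig in banner]

def check_oversized_request(host, probe):
    """Intrusive: a 4 KiB request to each service; a device that stops answering is a finding."""
    return [f"port {port}: service stopped responding after oversized request"
            for port in list(host.services) if probe(host.ip, port, b"A" * 4096) is None]

# Phase 3 test list as (name, intrusive, function); real products carry thousands of tests.
CHECKS = [("cleartext-management", False, check_cleartext_mgmt),
          ("outdated-service", False, check_outdated),
          ("oversized-request", True, check_oversized_request)]

def phase3_test(hosts, probe, policy):
    """Phase 3: run each permitted check against each live host, still one probe at a time."""
    for host in hosts:
        for name, intrusive, fn in CHECKS:
            if intrusive and policy.safe_only:
                continue
            time.sleep(policy.delay)
            host.findings.extend(f"[{name}] {f}" for f in fn(host, probe))
    return hosts

def scan(targets, probe, policy):
    hosts = phase1_map(targets, probe, policy)
    hosts = phase2_enumerate(hosts, probe, policy)
    return phase3_test(hosts, probe, policy)

class SimulatedNetwork:
    """Constructed plant segment: an engineering workstation and a PLC. Like the
    devices in the text, the PLC falls over when it receives an oversized request."""
    def __init__(self):
        self.hosts = {
            "10.0.0.10": {22: "SSH-2.0-ExampleSSH-5.1", 23: "", 80: "Server: ExampleHTTPd/1.0"},
            "10.0.0.20": {80: "Server: PLC-Web/3.2", 502: ""},
        }
        self.crashed = set()

    def probe(self, ip, port, payload):
        """Banner for an open port, or None if the port is closed, unreachable or the device crashed."""
        if ip in self.crashed or port not in self.hosts.get(ip, {}):
            return None
        if ip == "10.0.0.20" and len(payload) > 1024:
            self.crashed.add(ip)
            return None
        return self.hosts[ip][port]

if __name__ == "__main__":
    net = SimulatedNetwork()
    for h in scan(["10.0.0.10", "10.0.0.20", "10.0.0.30"], net.probe, Policy(delay=0)):
        print(h.ip, h.services, *h.findings, sep="\n  ")
```

With the default `safe_only=True` the PLC is enumerated and reported but never receives the oversized request; set `safe_only=False` and it "crashes", which is the behaviour you want to discover on the bench, not on the plant floor. To run the same code against real devices in a lab, replace `SimulatedNetwork.probe` with a socket-based probe that connects with a short timeout, sends the payload and reads one response, and put every device that misbehaved in `Policy.exclude` before the scanner ever sees the live network.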

Because of the number of alarms the scanning process creates, a side effect is that the intrusion detection system (IDS) can be overwhelmed, so tell whoever watches the IDS when, and from which address, you are scanning. To manage the flood of findings the scanners themselves produce, you might use the recently released, open-source ThreadFix to "consolidate and de-duplicate imported results," giving security managers and professionals a central location to store and track software vulnerabilities, with trending reports that show the up-to-date security status of their applications.

With the increased use of commercial-off-the-shelf technology in the industrial sector, vulnerability assessment tools are likely soon to become another tool in our arsenal for providing safe, reliable control systems. However, we know not everything is as easy as it appears, so if you think that members of the industrial networking community should take a closer look at the use and deployment of vulnerability assessment tools in a working group, or perhaps create a technical report on how to properly use them in an industrial setting, please contact the author, who will put all respondents in touch with each other.