
SANS Top 20 2006 Q4 Update and Scanning Policies


The SANS organization released an update of the "Top 20" list of security issues organizations should be concerned about. The updated list includes many specific vulnerabilities, as well as generic guidelines. This blog entry shows how Nessus, the Passive Vulnerability Scanner, the Security Center and the Log Correlation Engine can be used to monitor for SANS Top 20 issues. Active vulnerability scanning policies for both Nessus 3 and the Security Center are also included here.

Specific Recommendations

The Top 20 guide is divided into sections such as "W1 Internet Explorer" and "C5 Media Players". Some sections name particular vulnerabilities by CVE entry. In those cases, we've highlighted the Nessus and Passive Vulnerability Scanner (PVS) plugins that test for those issues, and the active Nessus checks for the referenced CVE entries are included in the scanning policies below. Other sections are more generic and require interpretation by each organization; for those, this blog entry identifies strategies that can be used to monitor a network for the issues in general.

Patch Auditing with Nessus

Throughout this blog entry, we will make reference to specific Nessus checks to perform an audit. A majority of these audits (especially the client side tests) are accomplished with patch audits. If you are not familiar with using credentials to audit UNIX or Windows hosts to perform a patch audit, you should read the "Nessus Credentials Checks for UNIX and Windows" paper.

W1 - Internet Explorer

Microsoft has released many patches for IE. Performing a credentialed patch audit with Nessus will test for all security patches, including those for IE. Having said that, the "Top 20" list names specific CVE entries, and those have been mapped to the corresponding Nessus IE checks in the scanning policies below.

There is no "remote" way to identify IE issues without credentials in Nessus 3. Some of the issues identified by the "Top 20" list can be monitored for passively with the PVS, but not all of them.

W2 - Windows Libraries

As with Internet Explorer, a credentialed patch audit with Nessus covers all of the security issues in this section, since they are addressed by Windows patches. Very few of these checks can be performed with network scans or passive monitoring. The specific Nessus checks for the CVEs listed in this section are included in the scanning policies below.

W3 - Microsoft Office

Similar to the previous sections, the bulk of these checks is performed with patch audits. Some of these can be monitored for with the PVS, such as ID #3365.

W4 - Windows Services

Unlike the previous entries, many of these checks can be performed with network scans that don't require credentials. In most cases, Tenable provides both a network check and a patch audit for the Windows Services vulnerabilities identified here.

One vulnerability in particular was MS06-040. Tenable has previously blogged about how this particular security issue can be discovered with passive scanning, active scanning and patch auditing.

Nessus plugins indicated by the CVE entries in this section for both active scanning and patch auditing are included in the scanning policies below.

W5 - Windows Configuration Weaknesses

This section discusses password strength policies and default passwords, as well as specific issues related to "NULL" passwords and Windows domains. No specific vulnerabilities were mentioned, only configuration issues, so no specific Nessus checks were added to the scanning policies below.

Having said that, the entire Nessus "Windows: User management" plugin family as well as the generic "Windows" plugin family have checks which are very relevant to this section of the "Top 20" report.

For Security Center or Direct Feed subscribers, Nessus 3 can be used to audit the password policy for specific Windows servers. Tenable has blogged about this sort of testing in the past.

M1 - Mac OS X

The "Top 20" report identified a variety of client and server side issues specifically for Apple's OS X operating systems. All of these issues can be tested for with a credentialed patch audit of OS X. Tenable has previously blogged about how to accomplish this here.

All of the CVE issues identified in this section are covered with active Nessus checks, Nessus patch audits and PVS rules. All related Nessus active scans and patch audits are included in the vulnerability policies below.

U1 - Unix Configuration Weaknesses

This section combines several concepts for hardening and locking down UNIX systems, as well as tips for monitoring them once they are installed. Since no specific vulnerabilities were mentioned, there aren't any specific Nessus checks added to the scanning policies below.

This section specified many strategies and recommendations for locking down and monitoring UNIX servers. Tenable customers should keep in mind:

  • The Log Correlation Engine (LCE) can be used to monitor UNIX logs as well as network activity to discover SSH, Telnet and FTP brute force attacks.
  • Security Center and Direct Feed customers can perform configuration audits of UNIX servers to see if they have been hardened to CIS standards, as well as NIST and NSA recommended configurations. This includes password strength policies.
  • In addition to network vulnerability scans, Nessus can perform full patch audits of most major UNIX OSes.
  • For monitoring all network ports in real time (in lieu of performing a full port scan) consider using the PVS.

C1 - Web Applications

This section details issues with Cross Site Scripting, SQL Injection and many other issues relating to web applications. Thousands of specific web application vulnerabilities have been publicly disclosed. A Nessus active scan can find most of these; however, to find all issues with your own applications, SANS recommends a source code review. Having said that, keep the following in mind:

  • Nessus has a specific plugin family for Web Server vulnerabilities.
  • Nessus also has specific plugin families for both CGI abuses, as well as abuses due to Cross Site Scripting.
  • Tenable writes network checks for Nessus, as well as for the PVS, for most publicly disclosed web application issues.
  • The PVS includes plugin families for Web Servers as well as CGI issues.

C2 - Database Software

SANS identified major vulnerabilities in most available Database solutions. These have all been cross linked with Nessus plugins and have been included in the scanning policies below. Most of these checks do not require credentials, but some Microsoft SQL checks do require credentials.

C3 - P2P File Sharing Applications

The "Top 20" list also identifies ways to enumerate and monitor P2P software in use on your network. It does not name specific vulnerabilities to scan for; however, Tenable customers can take the following actions:

  • The PVS has an extensive library to identify P2P applications as well as their vulnerabilities, regardless of whether local firewalls are in use.
  • Nessus has an entire family dedicated to P2P application and vulnerability discovery.

C4 - Instant Messaging

As with P2P, the "Top 20" list also identifies security issues with instant messaging applications like Trillian and AIM. Tenable customers can approach monitoring IM applications in much the same way as recommended above for P2P apps.

C5 - Media Players

The "Top 20" list also includes a wide variety of issues with media players. During 2006, many viruses and other malware propagated by exploiting vulnerabilities in various media players. SANS specifically cites several dozen CVE entries relating to these issues. Nessus can perform checks for all of these, but often requires credentials to perform a host audit. The PVS can also be used to monitor for many of these issues.

C6 - DNS Servers

SANS does not name specific vulnerabilities related to DNS servers. However, it does address DNS recursion. Tenable has previously blogged about how both the PVS and Nessus can be used to identify misconfigured DNS servers here.
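To make the "DNS recursion" item concrete, here is a small check of the kind the C6 section refers to. This is an added example, not code from this post or from Nessus or the PVS. A name server that answers a query for a name it is not authoritative for, with the "ra" (recursion available) flag set, is an open recursive resolver. The flag parser is separated from the network call so it can be run offline on a captured header; it assumes the BIND "dig" utility and its standard ";; flags:" header line, and the two header excerpts in the script are constructed, not captured from any real server.

```shell
#!/bin/sh
# Added example; not code from the Tenable post or its products. It shows what
# the "DNS recursion" item in C6 actually checks: a name server that answers a
# query for a name it is not authoritative for, with the "ra" (recursion
# available) flag set, is an open recursive resolver. The flag parser is kept
# separate from the network call so it can be exercised offline on a captured
# header. Assumes the BIND "dig" utility and its standard ";; flags:" header.

# recursion_available DIG_OUTPUT
# Returns 0 when the ";; flags:" header line of DIG_OUTPUT lists "ra".
# The flag field is split on whitespace and each token compared whole, so
# "rd" or "ra" inside another token cannot produce a false match.
recursion_available() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags:\([^;]*\);.*/\1/p')
    for f in $flags; do
        [ "$f" = "ra" ] && return 0
    done
    return 1
}

# check_open_recursion SERVER [NAME]
# Live check: queries SERVER for NAME (a name the server should not be
# authoritative for; example.com is only a placeholder) and prints one of
# "open-recursion", "recursion-off" or "no-answer".
check_open_recursion() {
    server="$1"
    name="${2:-example.com}"
    if ! out=$(dig "@$server" "$name" A +time=3 +tries=1 2>/dev/null); then
        echo "no-answer"
        return 2
    fi
    if recursion_available "$out"; then
        echo "open-recursion"
        return 1
    fi
    echo "recursion-off"
    return 0
}

# Constructed dig header excerpts (not captured from any real server), used to
# exercise the parser without network access.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_CLOSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2222
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Usage: sh dns_recursion_check.sh ns1.example.internal
if [ "$#" -ge 1 ]; then
    check_open_recursion "$@"
fi
```

Run it against your own authoritative servers; a result of "open-recursion" on a server that is only meant to serve your zones is the misconfiguration SANS is pointing at, and the fix is to restrict recursion to your internal clients in the server's configuration.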

C7 - Backup Software

During 2006, many vulnerabilities were identified in enterprise backup solutions, some of them discovered by Tenable. SANS identified several CVE entries, most of which can be tested for with Nessus. These checks are included in the scanning policies below.

C8 - Security, Enterprise, and Directory Management Servers

As with backup software, SANS has also identified many issues surrounding enterprise software. This includes corporate anti-virus software, authentication software and even patch management systems. The Nessus checks which perform these audits are included in the scanning policies below.

N1 - VoIP Servers and Phones

A new category into the SANS "Top 20" list covers vulnerabilities associated with Voice Over IP technologies. Tenable researches vulnerabilities in these applications and has Nessus checks for the items identified by SANS. Many of these checks are also available for the PVS.

N2 - Network and Other Devices Common Configuration Weaknesses

Both Nessus and the PVS can be used to monitor network devices for vulnerabilities. SANS specifies example vulnerabilities in printers, routers, firewalls and many other devices. However, the database of equivalent checks available for Nessus and the PVS is much larger. When auditing a network device, consider the following:

  • Nessus has two entire plugin families, Cisco and SNMP, which focus on network security issues.
  • The PVS also has a family dedicated 100% to SNMP monitoring.
  • Active and passive OS fingerprinting includes network device discovery.
  • Nessus includes a wide variety of checks for network printers.

H1 - Excessive User Rights and Unauthorized Devices

SANS stresses that organizations should strive to remove unneeded devices and unneeded user privileges. This will be a very subjective process for each organization. Active scanning, credentialed scanning, passive network analysis and log analysis can be used to build a monitoring solution for almost any situation.

Tenable has blogged about this related subject several times. Perhaps, the most relevant blog entry would be about how all Tenable products can be used to monitor generic IT controls.

H2 - Users (Phishing/Spear Phishing)

Tenable does not specifically perform research or checks to look for users who have been victimized by a phishing attempt. Having said that, Tenable does help in many areas:

  • The PVS can be used to monitor network activity in real time for potential "abuses" of the network. This includes systems (which have likely been compromised) that send bulk emails with "The Bat!" software.
  • Both Nessus and PVS can be used to monitor the susceptibility of the network's email and web clients to client side attacks.
  • The LCE can be used to analyze web proxy logs and network traffic logs to investigate phishing instances if and when they occur.

Z1 - Special Section: Zero Day Attacks and Prevention Strategies

SANS also identified several CVE entries which were used as "Zero Day" exploits throughout the year. The Nessus checks related to these vulnerabilities are included with the scan policies below. When monitoring for "Zero Day" vulnerabilities, Tenable customers should keep the following in mind:

  • Direct Feed customers (and Security Center users) have immediate access to the latest vulnerability checks.
  • PVS users also have access to the latest checks. Since PVS monitors 24x7, Tenable customers often have "early warning" of new vulnerabilities from the PVS.
  • Both the PVS and the LCE can be used to look for changes in network behavior. For example, one of the LCE's correlation scripts, the windows_crashes_and_restarts TASL, can alert when there has been a large number of "failed", "crashed" or "restarted" programs.

Nessus 3 Scanning Policy

Below is a text file that is a Nessus 3 scanning policy. The Nessus plugins enabled in this policy were derived from the SANS references to specific CVEs.

Download SANS-2006-Q4.conf

On UNIX, this policy can be invoked from the command line with the "-c" option, which specifies a Nessus "rc" file. Windows Nessus 3 users can save this file in their Nessus configuration directory, which has the path Documents and Settings\{User Name}\Tenable\Nessus\Config, where "{User Name}" is the account name of the person using Nessus under Windows.

Restarting the Nessus 3 Windows scanner will allow the user to see (and edit if desired) this policy under the "Manage Policies" link. The file is named SANS-2006-Q4.conf and will show up as a policy named "SANS-2006-Q4".

Security Center Scanning Policy

Tenable has also produced a vulnerability policy which reflects the Nessus checks outlined by the SANS Q4 2006 "Top 20" list. The files below should be downloaded to your /opt/sc3/admin/vpolicy directory.

Download 0024.ep

Download 0024.info

Download 0024.prefs

The policies are numbered "0024". If you already have a policy using number 24, download these files to a different directory and rename them to an unused number, such as "0025". Once the files are in place, make sure they are owned and readable by user "tns" and that the value "0024" is added to the vpolicy.txt file. The Security Center can make use of this policy immediately and does not need to be restarted.
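The three installation steps above (pick an unused policy number, place the .ep/.info/.prefs files owned and readable by "tns", and register the number in vpolicy.txt) are easy to get half right by hand, so here they are as one script. This is an added example, not Tenable's own tooling. It assumes the three files were downloaded into one directory under their original 0024.* names, that the vpolicy directory is /opt/sc3/admin/vpolicy and the owner "tns" as stated above (both can be overridden), and that the caller has permission to write there and to chown.

```shell
#!/bin/sh
# Added example; this is not Tenable's own tooling. It installs the three
# Security Center policy files (NNNN.ep, NNNN.info, NNNN.prefs) the post
# describes: it renumbers to the next free policy id when the requested one
# is already taken, makes the files readable by the "tns" account, and adds
# the id to vpolicy.txt exactly once. Assumptions: the three files sit in one
# directory under the name 0024.* as downloaded; the vpolicy directory
# defaults to /opt/sc3/admin/vpolicy and the owner to "tns", as stated above.

# next_policy_id VPOLICY_DIR WANTED_ID
# Prints the first four-digit id >= WANTED_ID for which none of the three
# policy files exists yet. Leading zeros are stripped before the arithmetic
# so that "0024" is treated as decimal 24 and not as an octal literal.
next_policy_id() {
    dir="$1"
    n=$(printf '%s' "$2" | sed 's/^0*//')
    n=${n:-0}
    while :; do
        candidate=$(printf '%04d' "$n")
        [ -e "$dir/$candidate.ep" ] || [ -e "$dir/$candidate.info" ] \
            || [ -e "$dir/$candidate.prefs" ] || break
        n=$((n + 1))
    done
    printf '%s\n' "$candidate"
}

# install_vpolicy SRC_DIR [VPOLICY_DIR] [WANTED_ID] [OWNER]
# Copies the policy files into place and prints the id actually used.
install_vpolicy() {
    src="$1"
    dir="${2:-/opt/sc3/admin/vpolicy}"
    want="${3:-0024}"
    owner="${4:-tns}"

    # Refuse to install a partial policy: all three files must be present.
    for ext in ep info prefs; do
        if [ ! -f "$src/$want.$ext" ]; then
            echo "missing $src/$want.$ext" >&2
            return 1
        fi
    done

    newid=$(next_policy_id "$dir" "$want")
    if [ "$newid" != "$want" ]; then
        echo "policy $want already exists in $dir, installing as $newid" >&2
    fi

    for ext in ep info prefs; do
        cp "$src/$want.$ext" "$dir/$newid.$ext"
        chmod 0644 "$dir/$newid.$ext"   # readable by tns even if chown is skipped
        # chown only when the owner account exists on this host; a machine
        # that is not running the Security Center has no "tns" user.
        if id -u "$owner" >/dev/null 2>&1; then
            chown "$owner" "$dir/$newid.$ext"
        fi
    done

    # Register the id once; the Security Center reads vpolicy.txt without a restart.
    touch "$dir/vpolicy.txt"
    if ! grep -qx "$newid" "$dir/vpolicy.txt"; then
        printf '%s\n' "$newid" >> "$dir/vpolicy.txt"
    fi
    printf '%s\n' "$newid"
}

# Usage: sh install_vpolicy.sh /path/to/downloaded/files [/opt/sc3/admin/vpolicy] [0024] [tns]
if [ "$#" -ge 1 ]; then
    install_vpolicy "$@"
fi
```

The Nessus 3 side of this post needs no script: the policy file is simply passed to the UNIX client with the "-c" option as described above. The renumbering step is the one worth automating, because a silent overwrite of an existing 0024 policy would change what that policy number scans without any visible error.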

Using These Scans

Nessus and Security Center users should perform these scans using credentials. A majority of the Nessus plugins specified in these policies are patch audits or require host-based access to analyze local files and registry settings.
