Review of the three Top Remote Vulnerability Scanning services
Services spot insecurities
By Mandy Andress writing for InfoWorld
Shopping for a scanning service
THE AMAZING NUMBER of security vulnerabilities in operating systems and networking products revealed each week is enough to give any administrator a headache. Keeping track of all of the known threats to your network and systems could be a full-time job in and of itself.
Online network vulnerability scanners are a good solution. These Web-based services scan your networks on a periodic basis to identify security weaknesses and report the vulnerabilities they find. Currently, most of these services can scan only Internet-facing systems, spotting vulnerabilities in publicly accessible servers such as Web servers, FTP servers, and mail servers.
We looked at three network scanning services, FoundScan from Foundstone, QualysGuard from Qualys, and SecureScan Perimeter from VigilantE. To test these scanners, we set up default installations of various servers and ran two scans. On the first scan, we had an Apache Server running on RedHat Linux, a Serv-U FTP server running on Windows 2000, and an IIS (Internet Information Server) 4.0 server running on Windows NT with Service Pack 6a installed. On the second scan, we changed the FTP server to ProFTPd running on RedHat Linux, kept the Apache server, and removed the IIS server.
The servers resided behind a firewall (using Network Address Translation) with only the necessary service ports open. The FTP server was on the standard port 21. The IIS server was on the standard HTTP port 80, and the Apache server resided on port 8080. All servers were accessible from the Internet when the scans were performed.
All three services proved worthy of a Consider score. They were very adept at finding high-risk vulnerabilities on the IIS server, including the infamous Unicode vulnerability (Microsoft Security Bulletin MS00-078) that allows an attacker to execute code. And in all cases, recommendations for the IIS issues were easy and straightforward: Install the relevant patches from Microsoft and delete sample files and directories.
Nevertheless, our test results indicated important differences in the methodologies used by each service. In particular, FoundScan more accurately identified specific vulnerabilities and produced fewer false positives (i.e., finding vulnerabilities where none exist) than QualysGuard or SecureScan, making it more suitable for strict security monitoring. On the other hand, QualysGuard and SecureScan were more helpful than FoundScan in providing an overall picture of our servers and identifying misconfigurations.
Foundstone FoundScan
The FoundScan service was developed using Foundstone's own attack-and-penetration testing methodology. FoundScan is a managed service, so Foundstone consultants work closely with you to understand your environment. They also set up a VPN connection into your internal network to scan those systems.
By default, FoundScan scans low and high port ranges, but the list can be customized for your environment. Reports, which are e-mailed to you, are retained for a period of time to allow for trend reporting. The data is stored in Foundstone's Security Operations Center behind a combination of firewalls, intrusion detection systems, and filtering routers. The databases are encrypted, hardened, and assigned appropriate access controls, so the information about your servers is well-protected.
The Web-based report shows your network topology and what hosts, operating systems, and network services were discovered. It also gives you a score based on the number and severity of discovered problems and a trend analysis of the past 20 scans. If you drill down in the report, you can find the specific vulnerabilities discovered during the scan and recommendations about fixing them.
Because FoundScan is built on Foundstone's own technology, new vulnerabilities can be added as often as Foundstone would like. The process to understand, test, and integrate a new vulnerability usually takes a few days. In the meantime, Foundstone consultants work with their clients to help them secure and protect their servers from newly discovered vulnerabilities.
In our tests, FoundScan identified fewer issues than either SecureScan or QualysGuard, discovering only three issues in the first scan, versus 18 and 14 for SecureScan and QualysGuard respectively. But FoundScan was much more accurate in its assessments.
For example, both SecureScan and QualysGuard identified a high-risk IIS vulnerability, in Remote Data Service (MS99-025), even though the server was properly configured to mitigate the risks of this attack. FoundScan uses a more sophisticated analysis approach and correctly determined that the IIS server was not vulnerable to the RDS attack.
FoundScan identified only two other issues in the first scan, and these dealt with releasing share information by attempting to access files with the .ida or .idq extension. SecureScan and QualysGuard identified many more issues with the IIS server, including the presence of the scripts directory, the IIS ADMPWD function for remote administration, and IIS sample code.
We like being informed that default files and directories are still present, but FoundScan focuses on identifying vulnerabilities and minimizing false positives. If you are looking for a scanning service to help identify rogue servers and possible misconfigurations, this is not the service for you.
VigilantE SecureScan Perimeter
VigilantE combines commercial scanning applications and some in-house developed tools to perform vulnerability scans. Some of the products behind its SecureScan Perimeter service include Slayer icmp, ISS Internet Scanner, nmap, Nessus Security Scanner, and NAI CyberCop.
To launch a SecureScan scan, you enter the IP addresses into a form on VigilantE's Website and configure a few options, such as the company name that will appear on the report, the scan manager, and start time. The scan will start 24 hours after the request is made. While the scan is happening, the scan manager can pause and restart it as well as monitor its status.
Comprehensive reports are delivered in .pdf format, but they are stored on the VigilantE servers for only 14 days. After the two-week period, the reports are permanently deleted.
Because SecureScan is based on commercial products, the service isn't capable of identifying new vulnerabilities until they are incorporated into these products.
SecureScan identified the most issues in our tests. Like QualysGuard, it erroneously reported the RDS vulnerability on our IIS server but helpfully noted the default files and directories present. However, SecureScan performed better than QualysGuard in assessing our FTP servers. Whereas QualysGuard failed to identify the FTP server on either scan, SecureScan identified the FTP server and reported a general buffer overflow vulnerability associated with all FTP servers as well as some general FTP server security concerns, such as writable directories and open defaults.
SecureScan reported the same FTP vulnerabilities when scanning the Serv-U FTP and ProFTPd servers. These are generic FTP security issues that are worth knowing about if you are trying to understand what servers and services reside on your network. However, SecureScan's recommendations for addressing these vulnerabilities were not very useful. When it found a writable FTP directory, SecureScan advised us to disable the FTP service. Considering that some FTP servers need at least one writable directory for incoming files, a more useful recommendation would have been preferable.
Qualys QualysGuard
Qualys uses an in-house developed methodology and distributed scan engine to perform its analysis. You launch a QualysGuard scan from a Web browser, and you can watch in real-time what the scan engine is doing and what vulnerabilities it has identified. You can then view the report online and print it.
Adding new vulnerabilities is a relatively easy process for Qualys because the company controls the entire environment. Currently, Qualys updates its vulnerability database daily. In the future, updates may occur more often.
In the number of issues identified in our tests, QualysGuard was a close second to SecureScan. Like SecureScan, QualysGuard identified many more issues with the IIS server than FoundScan did, but it wrongly reported the RDS vulnerability. Unlike FoundScan and SecureScan, QualysGuard did not identify the FTP server on either scan.
QualysGuard's reports contain detailed information about identified vulnerabilities and the risks they pose, and the reports include recommendations for handling each issue. Nevertheless, QualysGuard's reports are not as comprehensive as those of FoundScan or SecureScan.
The Conclusions of the Comparison
If you are looking for a service to help you manage your network vulnerabilities, FoundScan is the best choice. If all you want is a quick periodic check of your servers, QualysGuard or SecureScan is your best bet. Costs for these services are high, however. If you have just a few servers and the time available, it may be well worth your while to run Nessus (www.nessus.org), the open-source vulnerability scanner, against your systems.
Online scanners are helpful, but they should not be relied on entirely for your vulnerability analysis. They are not foolproof and complete reliance on their results may leave you with a false sense of security. You should continue to conduct internal reviews and tests to ensure the security of your servers. Most scanning services focus on the most common servers in use today. If you happen to be running a lesser-used product, its vulnerabilities might not be included in the scan.
Mandy Andress (mandy@arcsec.com) is president of ArcSec Technologies. Her new book, Surviving Security (www.survivingsecurity.com), was recently released.
---------------------------------------------
BOTTOM LINE
QualysGuard
BUSINESS CASE
The online, real-time approach of this service is great for quick scans that show your current security posture. If you are looking for a scanning service to use in this manner, QualysGuard is the best option.
TECHNOLOGY CASE
This service failed to identify the FTP server on either scan, a cause for concern. Otherwise, QualysGuard successfully identified the same vulnerabilities and configuration issues as SecureScan Perimeter.
PROS
+ Provides real-time scanning
+ Easy-to-navigate report
+ Reports system configuration info
CONS
- Fails to identify FTP servers
- Reports a few false positives
PLATFORM INFO
n/a
COST
Annual subscriptions start at $1,995 per IP address; volume discounts, consulting available
COMPANY
Qualys, www.qualys.com
BOTTOM LINE
FoundScan
BUSINESS CASE
The monthly cost of this managed service may easily be recovered if it allows you to spend your time on more valuable projects instead of watching for new vulnerabilities.
TECHNOLOGY CASE
FoundScan uses a sophisticated analysis approach that minimizes false positives. Reports are well-secured and comprehensive, but difficult to navigate at times.
PROS
+ Identifies all servers
+ Accurately reports vulnerabilities
+ Provides comparative information
CONS
- Reports fewer issues than SecureScan or QualysGuard
- Does not comment on insecure default configurations
PLATFORM INFO
n/a
COST
$5,000 to $7,000 per month for Class C networks; discounts available for larger networks
COMPANY
Foundstone, www.foundstone.com
BOTTOM LINE
SecureScan Perimeter
BUSINESS CASE
This service incorporates a number of third-party scanning tools, so updates could lag behind those of its competitors. Its report is the best we have seen, but the 24-hour waiting period after requesting a scan may frustrate some customers.
TECHNOLOGY CASE
SecureScan identified all of our servers and pointed out important configuration information that should be reviewed. It reported a few false positives, but we prefer those to missing existing vulnerabilities.
PROS
+ Identifies all servers
+ Reports system configuration information
CONS
- Reports a number of false positives
- Requires 24 hours between request and scan
PLATFORM INFO
n/a
COST
Annual fees: $750 for unlimited scans of one IP address; $2,750 for five IPs; $4,750 for 10 IPs
COMPANY
VigilantE, www.vigilante.com
You have many options when choosing an online vulnerability scanner. Some companies, such as Foundstone, have developed a complete managed service around their scanning system. Others, such as Qualys, have developed a scanning service based on their own testing methodology. And companies such as VigilantE combine commercial scanning products from various vendors into a service offering.
Furthermore, some online vulnerability scanning service providers sell directly to the end-user, but many cater their service to ISPs or MSPs (managed service providers) and consulting companies that resell the service under their own brand name. For example, eSecurityOnline rebrands the Qualys service as its own.
Naturally, the first step when selecting an online scanner is to determine your needs and the information you are looking for. Some scanning services map out your network in addition to performing scans; others provide only vulnerability assessments. Of course, managed services, which focus on continuously scanning and monitoring your networks, provide a more personal relationship than strictly do-it-yourself scanning services.
Most providers give you a trial scan to test their service, and we highly recommend you take advantage of that offer. As in any scanning process, false positives and misidentification do occur. A trial scan will help you better understand what to expect from a provider.
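The trial-scan advice above, and the review's earlier distinction between a scanner that reports few findings accurately (FoundScan) and scanners that report more findings but include false positives or miss a server entirely (SecureScan, QualysGuard), can be made measurable if you run the trial against a lab whose inventory and real issues you already know. The following is an added example, not code from the review or from any of the three vendors: it scores a scanner's report against a known inventory, separating true positives, false positives, missed issues and missed services. The host names, the "LAB-FTP-WRITABLE-DIR" finding ID and the three sample reports are constructed to mirror the review's first scan; MS00-078 and MS99-025 are the bulletin IDs the review itself names.

```python
"""Score a trial vulnerability scan against a known lab inventory.

Added example (not part of the InfoWorld review or any vendor's code).
All host names, the LAB-FTP-WRITABLE-DIR finding ID and the sample
reports are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    finding_id: str   # bulletin or check ID as the scanner reports it
    severity: str     # severity as the scanner reports it


IssueKey = Tuple[str, int, str]          # (host, port, finding_id)
SeenService = Tuple[str, int]            # (host, port) the scanner discovered


@dataclass
class ScanScore:
    true_positives: List[Finding] = field(default_factory=list)
    false_positives: List[Finding] = field(default_factory=list)
    missed_issues: List[IssueKey] = field(default_factory=list)
    missed_services: List[Service] = field(default_factory=list)

    @property
    def precision(self) -> float:
        """Share of reported findings that are real; low means noisy reports."""
        reported = len(self.true_positives) + len(self.false_positives)
        return len(self.true_positives) / reported if reported else 0.0

    @property
    def recall(self) -> float:
        """Share of the lab's real issues the scanner reported; low means gaps."""
        actual = len(self.true_positives) + len(self.missed_issues)
        return len(self.true_positives) / actual if actual else 0.0


def score_scan(seen_services: Iterable[SeenService], findings: Iterable[Finding],
               inventory: Set[Service], known_issues: Set[IssueKey]) -> ScanScore:
    """Compare one scanner's report with what the lab is known to contain."""
    score = ScanScore()
    seen = set(seen_services)
    # A service the scanner never discovered cannot have been checked at all.
    score.missed_services = sorted(
        (s for s in inventory if (s.host, s.port) not in seen),
        key=lambda s: (s.host, s.port))
    reported: Set[IssueKey] = set()
    for f in findings:
        key = (f.host, f.port, f.finding_id)
        reported.add(key)
        # A finding the lab is not actually exposed to is a false positive.
        (score.true_positives if key in known_issues else score.false_positives).append(f)
    score.missed_issues = sorted(known_issues - reported)
    return score


# Constructed lab inventory modelled on the review's first scan.
LAB_INVENTORY: Set[Service] = {
    Service("iis-nt4", 80, "IIS 4.0"),
    Service("apache-rh", 8080, "Apache"),
    Service("servu-w2k", 21, "Serv-U FTP"),
}
# Issues the lab really has. MS00-078 is the IIS Unicode bug named in the
# review; LAB-FTP-WRITABLE-DIR is a constructed ID for a writable FTP directory.
LAB_KNOWN_ISSUES: Set[IssueKey] = {
    ("iis-nt4", 80, "MS00-078"),
    ("servu-w2k", 21, "LAB-FTP-WRITABLE-DIR"),
}


def sample_reports() -> Dict[str, Tuple[Set[SeenService], List[Finding]]]:
    """Three constructed reports mirroring the review's outcomes."""
    all_seen = {("iis-nt4", 80), ("apache-rh", 8080), ("servu-w2k", 21)}
    unicode_bug = Finding("iis-nt4", 80, "MS00-078", "high")
    # MS99-025 (RDS) is mitigated in this lab, so reporting it is a false positive.
    rds_report = Finding("iis-nt4", 80, "MS99-025", "high")
    ftp_dir = Finding("servu-w2k", 21, "LAB-FTP-WRITABLE-DIR", "medium")
    return {
        "conservative": (all_seen, [unicode_bug]),
        "noisy": (all_seen, [unicode_bug, rds_report, ftp_dir]),
        "misses_ftp": (all_seen - {("servu-w2k", 21)}, [unicode_bug, rds_report]),
    }


def score_all(reports=None) -> Dict[str, ScanScore]:
    reports = reports if reports is not None else sample_reports()
    return {name: score_scan(seen, findings, LAB_INVENTORY, LAB_KNOWN_ISSUES)
            for name, (seen, findings) in reports.items()}


if __name__ == "__main__":
    for name, s in score_all().items():
        print(f"{name}: precision={s.precision:.2f} recall={s.recall:.2f} "
              f"false_positives={[f.finding_id for f in s.false_positives]} "
              f"missed_services={[f'{x.host}:{x.port}' for x in s.missed_services]}")
```

Precision captures the review's complaint about false positives, recall captures findings a scanner never reported, and the missed-services list captures the case the review singled out for QualysGuard, a server the scanner never found and therefore never checked. Running the trial scan against a lab you control is what makes the known-issue set trustworthy; scoring against a production network, where you do not know the ground truth, only measures agreement between scanners.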
In comparing service providers, you should look at four main areas: the scanning methodology used, reports provided, frequency of vulnerability updates, and pricing. The scanning methodology will help you understand how the service works. Did the service provider develop all of its scanning tools in-house? Is it reselling commercial scanning services? Does it focus on specific operating systems and applications?
The specific methodology used will most likely not be a deciding factor, but keep in mind that services based on in-house developed products have more control over the timeliness of vulnerability updates than those based on commercial products.
The report is the most important aspect of any service. This is what you, the end-user, will receive when your scan is complete. Does the report provide useful, helpful information? The report should be easy to read and understand, offer help toward protecting against the vulnerabilities it identifies, explain why each vulnerability needs to be addressed, and assign a level of risk to each so you can prioritize your repair efforts.
Another important consideration is where and how vulnerability assessment reports are stored. Scanning services obtain very sensitive information that could cause harm to your organization if it fell into the wrong hands. Stored reports should be encrypted and accessible to you and only a few employees of the service provider. Ideally, the encryption key should be controlled by you, but this isn't always feasible.
Timely vulnerability updates are very important. When new exploits are released, how long does it take the scanner provider to add the new vulnerability to their scanning knowledge base? Does the service provider inform you of new vulnerabilities to be aware of? Look for a service that updates vulnerabilities every day.
Pricing for these scanning services is often complicated, but you get a wide variety of options. Typically you can purchase unlimited scans for a single system, unlimited scans for unlimited systems, or a set number of scans for use on any IP address. You should easily find the option that works best for your company.