2025-03-27 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)06/01 Report--
Counting it up, I have spent more than a year doing security assessment work on the Party B (vendor) side. Along the way I ran into plenty of problems when communicating with customers and with the hardening staff, and I have also thought about how to do better. Some of those ideas are written up in this article; criticism and corrections are welcome.
Problems faced:
1. Customers and hardening staff assume that a security assessment is nothing more than running a scanner and handing over its report; anyone could do that.
2. An intranet scan report routinely lists thousands of high, medium and low risk vulnerabilities, which is overwhelming. How is the customer supposed to make sense of it, and how are the hardening staff supposed to cope?
3. Assessors, hardening staff and customers understand a vulnerability differently because they come from different disciplines or sit in different positions, so disputes break out from time to time.
4. The high, medium and low ratings in a scan report are not tied to asset value or to the importance of the business system, so hardening has no order of priority, and repeated rounds of hardening and reassessment cannot show how much risk has actually been reduced.
What we hope to achieve:
1. Treat the thousands of high, medium and low risk vulnerabilities differently: scan with a wide net, but do not harden with a wide net.
2. Face customers and hardening staff from a more professional standpoint by further processing the raw scan results.
3. Tie vulnerabilities to asset value and business systems, and treat them differently accordingly, so that hardening work becomes more actionable.
Here are some ideas for deeper processing of scan reports.
1. Vulnerability classification:
Operating system vulnerabilities: Microsoft, Unix, Linux, Solaris, etc.
Business software vulnerabilities: Oracle, WebLogic, Struts2, PHP, etc.
Network and security device vulnerabilities: Cisco, H3C, Huawei, etc.
Auxiliary program vulnerabilities: FTP, Office, IE, OpenSSH, etc.
2. Difficulty of exploiting the vulnerability
Directly exploitable with a high success rate:
Weak passwords
MS08-067, Struts
Indirectly exploitable with a high success rate:
IE vulnerabilities: require building a malicious web page and enticing a user to open it
Office vulnerabilities: require sending a malicious document, which only takes effect when the user opens it
(There is an element of luck involved, and these only affect PC endpoints.)
Low success rate:
Some overflow vulnerabilities (highly dependent on the target's environment, version, language and so on)
Some application vulnerabilities (no off-the-shelf exploit; code-level skills are required)
3. Authenticity and accuracy of findings
Understanding how the scanner detects each vulnerability helps us judge the finding and weed out false positives promptly.
Accurate scan: the finding was confirmed precisely; false positives are rare.
Principle-based scan: the finding is inferred from how the vulnerability works; false positives are possible.
Version scan: the finding is inferred from the reported version number; false positives are possible.
Brute-force cracking: the scanner confirmed by password guessing that the XX service on the target host has a guessable password.
4. Approach to hardening
Hardening is best carried out in a planned, step-by-step manner, with the order determined by the importance of each business system.
Give priority to vulnerabilities that are cheap to fix and have a high exploitation success rate (weak passwords, etc.).
Operating system vulnerabilities: installing the patches is strongly recommended.
Business software vulnerabilities: the impact on the business system must be assessed first.
Network and security device vulnerabilities: relatively few.
Auxiliary program vulnerabilities: pay special attention to whether the auxiliary program is needed at all and whether it can be replaced; pay particular attention to unnecessary exposure introduced by default installations.
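The four ideas above (classification, exploitability, scanner confidence, and hardening order tied to asset value) can be turned into a small post-processing step that runs over the raw scanner output before it reaches the customer. The following Python script is an added example and is not code from the original article; the hosts, findings, asset values and numeric weights in it are constructed for illustration, and the weighting scheme is one assumed choice, not a standard.

```python
"""Post-process scanner findings: classify, weight by exploitability and
scanner confidence, tie to asset value, and measure risk reduction between
assessment rounds. Added example; all data and weights are constructed."""
from collections import defaultdict

# Idea 1: classification, keyed by the product name the scanner reports.
CATEGORY_OF = {
    "windows": "operating_system", "linux": "operating_system", "solaris": "operating_system",
    "oracle": "business_software", "weblogic": "business_software",
    "struts2": "business_software", "php": "business_software",
    "cisco": "network_device", "h3c": "network_device", "huawei": "network_device",
    "ftp": "auxiliary", "office": "auxiliary", "ie": "auxiliary", "openssh": "auxiliary",
}
# Idea 2: how easily the vulnerability is exploited in practice (assumed weights).
EXPLOIT_WEIGHT = {"direct": 3.0, "indirect": 2.0, "low": 1.0}
# Idea 3: how much to trust the finding, by detection method (assumed weights).
CONFIDENCE = {"accurate": 1.0, "brute_force": 1.0, "principle": 0.7, "version": 0.5}
SEVERITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}
# Idea 4: the article's hardening guidance per category.
ADVICE = {
    "operating_system": "install vendor patches",
    "business_software": "assess business impact before patching",
    "network_device": "usually few; patch per vendor advisory",
    "auxiliary": "remove or replace if not needed; review default installs",
    "unknown": "classify manually",
}

# Constructed asset inventory: business system and value on a 1-5 scale.
ASSETS = {
    "10.0.0.5": {"system": "core business database", "value": 5},
    "10.0.0.20": {"system": "internal wiki", "value": 2},
    "10.0.1.7": {"system": "staff PC", "value": 1},
}
# Constructed scanner findings (not from any real scan).
FINDINGS = [
    {"host": "10.0.0.5", "product": "oracle", "title": "Guessable DBA password",
     "severity": "high", "exploit": "direct", "method": "brute_force"},
    {"host": "10.0.0.5", "product": "linux", "title": "Kernel below patched release",
     "severity": "high", "exploit": "low", "method": "version"},
    {"host": "10.0.0.20", "product": "php", "title": "PHP version reported outdated",
     "severity": "medium", "exploit": "low", "method": "version"},
    {"host": "10.0.0.20", "product": "windows", "title": "SMB RCE (MS08-067)",
     "severity": "high", "exploit": "direct", "method": "accurate"},
    {"host": "10.0.1.7", "product": "ie", "title": "Browser memory corruption",
     "severity": "high", "exploit": "indirect", "method": "principle"},
    {"host": "10.0.1.7", "product": "ftp", "title": "Anonymous FTP login allowed",
     "severity": "low", "exploit": "direct", "method": "accurate"},
]
# Constructed second round: the two cheap, high-success items were fixed.
AFTER_ROUND_ONE = [f for f in FINDINGS if f["exploit"] != "direct" or f["severity"] == "low"]


def classify(product):
    return CATEGORY_OF.get(product.lower(), "unknown")


def score(finding, assets):
    """severity x exploitability x scanner confidence x asset value, rounded."""
    asset_value = assets.get(finding["host"], {}).get("value", 1)
    return round(SEVERITY_WEIGHT[finding["severity"]] * EXPLOIT_WEIGHT[finding["exploit"]]
                 * CONFIDENCE[finding["method"]] * asset_value, 2)


def prioritize(findings, assets):
    """Annotate each finding and sort by descending score (the hardening order)."""
    out = []
    for f in findings:
        item = dict(f)
        item["category"] = classify(f["product"])
        item["score"] = score(f, assets)
        item["system"] = assets.get(f["host"], {}).get("system", "unassigned")
        item["advice"] = ADVICE[item["category"]]
        # Version-only findings must be confirmed by hand before anyone acts on them.
        item["verify_first"] = f["method"] == "version"
        out.append(item)
    return sorted(out, key=lambda x: x["score"], reverse=True)


def by_category(prioritized):
    groups = defaultdict(list)
    for item in prioritized:
        groups[item["category"]].append(item)
    return dict(groups)


def total_risk(findings, assets):
    return sum(score(f, assets) for f in findings)


def risk_reduction(before, after, assets):
    """Percentage of total weighted risk removed between two assessment rounds."""
    b, a = total_risk(before, assets), total_risk(after, assets)
    return 0.0 if b == 0 else round(100.0 * (b - a) / b, 1)


if __name__ == "__main__":
    for item in prioritize(FINDINGS, ASSETS):
        flag = " [verify first]" if item["verify_first"] else ""
        print(f"{item['score']:>6}  {item['system']:<22} {item['title']}{flag}  -> {item['advice']}")
    print("risk removed after round one:", risk_reduction(FINDINGS, AFTER_ROUND_ONE, ASSETS), "%")
```

With this constructed data the guessable DBA password on the core database lands at the top of the list, the version-only kernel finding on the same host is kept but flagged for manual confirmation rather than handed straight to the hardening staff, and the second round can be reported to the customer as a percentage of weighted risk removed rather than as a raw count of remaining findings.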
5. Going further, we may also need to study and pay attention to:
Business vulnerabilities
Logic vulnerabilities
Physical vulnerabilities, and so on. A scanner cannot find these, yet they have a great impact.