Vulnerability Assessment


Information Assurance Tools Report

Vulnerability Assessment

Fifth Edition, September 25, 2009

Distribution Statement A

Approved for public release; distribution is unlimited.

Table of Contents

SECTION 1: Introduction
1.1 Purpose
1.2 Scope
1.3 Report Organization

SECTION 2: IT Risk Management Overview
2.1 Background
2.2 Growth in IT Incidents and Vulnerabilities
2.3 What is Risk Management?

SECTION 3: Automated Vulnerability Assessment Tools
3.1 How Vulnerability Assessment Tools Work
3.2 Definition Box
3.3 How Vulnerability Assessment Tools Can Be Incorporated into a Security Plan

SECTION 4: Tool Collection
4.1 Classification
4.2 Tool Selection Criteria

SECTION 5: Vulnerability Analysis Tools
Acunetix® Web Vulnerability Scanner
AppDetective
ASG Information Assurance Application (IA2)
BigFix® Security Configuration and Vulnerability Management Suite
Computer Oracle and Password (COPS)
CORE IMPACT™
DominoScan II
DumpSec v2.8.6
eTrust® Policy Compliance
Fortiscan Vulnerability Management
GFI LANguard®
Gideon SecureFusion Vulnerability Management
Host Based Security System (HBSS)
Internet Scanner®
Lumension Scan™
MBSA 2.1
McAfee® Vulnerability Manager
Metasploit
N-Stalker® Web Application Security Scanner
nCircle® IP360
Nessus® Vulnerability Scanner
NetIQ® Secure Configuration Manager
Network Mapper (Nmap®)
Nikto v2.03
Orascan
Paros Proxy v3.2.0Alpha
Proventia® Network Enterprise Scanner
proVM Auditor
QualysGuard® Vulnerability Management
Rational AppScan®
Retina Network Security Scanner
SAINT
Second Look™
SecureScout® NX
SecureScout® Perimeter
Security Auditor’s Research Assistant (SARA) v7.9.1
Security Administrator’s Tool for Analyzing Networks (SATAN)
SNScan v1.05
ThreatGuard® Secutor Magnus
Triumfant Resolution Manager®
Typhon III
WebInspect
WebScarab

SECTION 6: Related Resources

SECTION 7: Recommended Resources

SECTION 8: Definitions

SECTION 9: Definitions of Acronyms and Key Terms

IA Tools Report


SECTION 1: Introduction

The Information Assurance Technology Analysis Center (IATAC) provides the Department of Defense (DoD) with emerging scientific and technical information to support Information Assurance (IA) and defensive information operations. IATAC is one of 10 Information Analysis Centers (IAC) sponsored by DoD and managed by the Defense Technical Information Center (DTIC). IACs are formal organizations chartered by DoD to facilitate the use of existing scientific and technical information. Scientists, engineers, and information specialists staff each IAC. IACs establish and maintain comprehensive knowledge bases that include historical, technical, scientific, and other data and information, which are collected worldwide. Information collections span a wide range of unclassified, limited-distribution, and classified information appropriate to the requirements of sponsoring technical communities. IACs also collect, maintain, and develop analytical tools and techniques, including databases, models, and simulations. IATAC’s mission is to provide DoD with a central point of access for information on emerging technologies in IA and cyber security. These include technologies, tools, and associated techniques for detection of, protection against, reaction to, and recovery from information warfare and cyber attacks that target information, information-based processes, information systems, and information technology. Specific areas of study include IA and cyber security threats and vulnerabilities, scientific and technological research and development, and technologies, standards, methods, and tools through which IA and cyber security objectives are being or may be accomplished. 
As an IAC, IATAC’s basic services include collecting, analyzing, and disseminating IA scientific and technical information; responding to user inquiries; database operations; current awareness activities (e.g., the IAnewsletter, IA Digest, IA/Information Operations Events Scheduler, and IA Research Update); and publishing State-of-the-Art Reports, Critical Review and Technology Assessments reports, and Tools Reports.

The IA Tools Database is one of the knowledge bases maintained by IATAC. This knowledge base contains information on a wide range of intrusion detection, vulnerability analysis, firewall applications, and anti-malware tools. Information for the IA Tools Database is obtained via open-source methods, including direct interface with various agencies, organizations, and vendors. Periodically, IATAC publishes a Tools Report to summarize and elucidate a particular subset of the tools information in the IATAC IA Tools Database that addresses a specific IA or cyber security challenge. To ensure applicability to Warfighter and Research and Development Community (Program Executive Officer/Program Manager) needs, the topic areas for Tools Reports are solicited from the DoD IA community or based on IATAC’s careful ongoing observation and analysis of the IA and cyber security tools and technologies about which that community expresses a high level of interest.


Inquiries about IATAC capabilities, products, and services may be addressed to:

Gene Tyler, Director
13200 Woodland Park Road, Suite 6031
Herndon, VA 20171
Phone: 703/984-0775
Fax: 703/984-0773
Email: [email protected]
URL: http://iac.dtic.mil/iatac
SIPRNET: https://iatac.dtic.mil

1.1 Purpose

This report provides a brief background on information technology (IT) risk assessment and risk management concepts, a short primer on vulnerability assessment tools, and an index of vulnerability assessment tools contained in the IATAC IA Tools Database. Moreover, the report provides users with an understanding of why engaging in risk management activities such as conducting vulnerability and risk assessments is an important aspect of assuring your critical IT asset’s ability to effectively support your critical missions. Finally, this report provides a summary of the characteristics and capabilities of publicly available vulnerability assessment tools. IATAC does not endorse, recommend, or evaluate the effectiveness of any specific tools. The written descriptions are based solely on the suppliers’ claims and are intended only to highlight the capabilities and features of each tool. These descriptions do not reflect the opinion of IATAC. It is up to the readers of this document to assess which product, if any, might best meet their needs. Technical questions concerning this report may be addressed to [email protected].

1.2 Scope

Currently, the IATAC database contains descriptions of numerous tools that can be used to support vulnerability and risk assessment activities. Vulnerability analysis tools are programs that help automate the identification of vulnerabilities in a network or system. Vulnerabilities can be defined as weaknesses in a system’s security scheme, exploitation of which would negatively affect the confidentiality, integrity, or availability of the system or its data. The type and level of detail of information provided among tools varies greatly. Although some can identify only a minimal set of vulnerabilities, others can perform a greater degree of analysis and provide detailed recommended countermeasures. The most recent development in vulnerability management is the ability for a tool to scan for vulnerabilities, analyze the impact of the vulnerability, determine a solution, identify the appropriate patches and security fixes, and finally, even deploy those patches in real time.

The majority of the tools identified in the IA Tools Database are available on the Internet, and many are used by crackers in the first stage of an attack: vulnerability information gathering. Penetration tools, which perform destructive actions (e.g., denial of service attacks), are excluded from this category. Sniffers and Trojan Horse programs also are excluded. Although many network utilities (e.g., host, finger) are valuable in identifying vulnerabilities on a host, they are often an automated component of vulnerability analysis tools, and therefore are not individually described in the database. The database includes commercial products, individually developed tools, government-owned tools, and research tools. The database was built by gathering as much open-source data as possible, analyzing that data, and summarizing information regarding the basic description, requirements, availability, and contact information for each vulnerability analysis tool collected. Generally, the commercially developed products are available. The government and academic tools, however, are reserved for specific projects and organizations.

1.3 Report Organization

This report is organized into eight sections. Section 1 provides an introduction to IATAC and the vulnerability analysis tools report. Section 2 summarizes the fundamentals of IT risk assessment and risk management. Section 3 provides background information on how automated vulnerability assessment tools work. Section 4 explains the classification of tools highlighted in this report, how they were selected, and the schema of the IA Tools Database. Section 5 includes a listing of currently available host, network, Web-application, and database-application vulnerability scanners, as well as tools that can manage vulnerabilities in all of the scanning areas and apply patches. Sections 6 and 7 provide recommended resources that are related to the topic of vulnerability assessment and definitions associated with this report. Finally, Sections 8 and 9 contain IA-related definitions and acronyms, respectively.


SECTION 2: IT Risk Management Overview

2.1 Background

Critical Infrastructures, both cyber and physical, “provide the foundation for and enable the functioning of every facet of American Society.” [2] In view of the heightened concerns about the wide variety of threats and hazards that our nation faces and the potential impact on the ability of our critical infrastructure to resiliently support overarching missions, the executive branch has issued a number of actions that assign responsibilities, direct planning, and enhance training to protect the nation’s critical infrastructure and respond to all types of threats. Homeland Security Presidential Directive 7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection (dated December 2003), and The National Strategy to Secure Cyberspace and The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (both dated February 2003) specifically address the different threats and protection/assurance of the nation’s most vital resources by providing overarching policy guidance. These all focused on defensive strategies, and HSPD-7 did not address the protection of federal government information systems. The Comprehensive National Cybersecurity Initiative (CNCI), codified in the classified directive known as National Security Presidential Directive (NSPD)-54/HSPD-7, aims to unify defensive missions in cyber security with those of law enforcement, intelligence, counterintelligence, and military to defend against the full spectrum of threats to the nation’s critical infrastructure.

In the constantly evolving world of IT, ensuring that our vital systems remain operational is of paramount importance and in line with the national strategy. To this end, Secretary Janet Napolitano of the Department of Homeland Security (DHS) has adopted “a policy of being prepared for all risks that can occur” [9] to assure the resiliency of our nation’s critical infrastructures. Cyber assets obviously make up a significant portion of our nation’s critical assets and also provide support to even more critical assets by acting as a critical supporting infrastructure asset.

2.2 Growth in IT Incidents and Vulnerabilities

Automated attacks on information systems, and especially attacks against Internet-connected systems, continue to grow at such an exponential rate that they are viewed as almost commonplace. In fact, as of 2004, Carnegie Mellon’s Computer Emergency Response Team (CERT) stopped tracking the number of incidents reported per year because they believe it “provides little information with regard to assessing the scope and impact of attacks.” [1] The number of incidents reported from 1988 through the end of 2003 is listed in Figure 1. Carnegie Mellon’s CERT now tracks data on the number of vulnerabilities that are reported each year. Figure 2 lists the number of vulnerabilities that were reported from 1995 through the end of the third quarter of 2008.

Along with the continually increasing number of incidents and the rising number of known vulnerabilities, the speed at which systems are attacked is also continuing to accelerate. Identifying vulnerabilities and addressing them in a timely manner is crucial to maintaining a secure environment and saves money in the long run. The vulnerability that the Conficker worm exploited was discovered in September 2008, and Microsoft released a patch in October 2008. Conficker was not released until November 2008 and had multiple variants labeled Conficker A through Conficker E (up until the time of writing). Minimal estimates for Conficker infections are around three million, while more realistic estimates are around nine million to 15 million total infections. [11] The economic impact ranges from the hundreds of millions to billions of dollars to address the exploit. If more people had identified the vulnerability and applied patches when Microsoft first released them, Conficker would have been a non-issue.


2.3 What is Risk Management?

Many different risk assessment and management methodologies exist within the public and private domains. Therefore, to fully understand risk management, it is important to first define and understand “risk.” According to the Merriam Webster Dictionary, risk is defined as the “possibility of loss or injury.” Insurance companies often view risk as “the degree or probability of such loss.” [3] Although there are numerous definitions of risk, all definitions are composed of three basic components:

• Assets (i.e., read it as “impact of loss”),
• Threats (i.e., read it as “all possible hazards”),
• Vulnerabilities.

Figure 1: Number of Security Incidents Reported (1988–2003)

Figure 2: Number of Vulnerabilities Reported (1995–Third Quarter 2008)

Assets

An asset in the general sense is firm property or information that is of significant value (known as a critical asset). In risk management, an asset refers to the amount of damage losing a firm asset will cause if something bad occurs. Given that most enterprise networks have hundreds or thousands of networked information systems, vulnerability analysis and assessment by manual methods are virtually impossible. In addition, it is impossible to completely ensure that all assets are secure. Therefore, it is imperative that information security managers and system owners focus on identifying only their critical assets: those assets without which the organization’s key missions would be significantly degraded or cease to function. This is a key part of the risk assessment process.


Threats

Risks to critical assets can come from a variety of threats that can be considered possible hazards and usually fall into three categories:

• Man-made (intentional),
• Natural disaster,
• Accidental (unintentional) disruptions.

Therefore, an effective approach to threats will consider the full spectrum of threats and hazards, including natural disasters (e.g., floods, fires, hurricanes), domestic or international criminal activity, construction mishaps such as cutting fiber optic lines, and other types of incidents.

Vulnerabilities

Vulnerabilities are often defined as openings or pathways that a given threat can exploit to do harm to a critical asset. With the three main components of risk in mind, a picture of risk can be formulated. Risk is viewed as the area where all three circles overlap, as illustrated in Figure 3. Articulated as a mathematical formula, risk looks like the following:

Risk = Threat × Vulnerability × Cost of Asset

Figure 3: Components of Risk Diagram

Because our world is constantly changing, risk management is an ongoing activity. For example, technology is continually evolving, especially in the IT world, which introduces new vulnerabilities. Threats continue to evolve as well and sometimes even what is designated as a critical asset changes because the needs and priorities of an organization change. Risk management can save resources, time, and even lives.

We can now more fully define risk as being a function of the likelihood that a specific hazard/threat will exploit a given vulnerability and that the resulting impact of loss of the critical asset will cause significant degradation or even mission failure of the organization. With a firm understanding of risk, risk management can now be defined. Typically, risk management is a process for identifying and prioritizing the cost of assets, threats, and vulnerabilities, then making rational decisions regarding the expenditure of resources and the implementation of countermeasures to reduce risk of loss associated with the exploitation of critical assets. Figure 4 illustrates the risk assessment and management processes.

Figure 4: Risk Assessment and Management Process

From this point forward, this report focuses on the vulnerability portion of the risk equation.


SECTION 3: Automated Vulnerability Assessment Tools

3.1 How Vulnerability Assessment Tools Work

Vulnerability assessment tools, in general, work by attempting to automate the first three steps often employed by hackers: 1) perform a footprint analysis, 2) enumerate targets, 3) test/obtain access through user privilege manipulation (see Table 1). The vulnerability assessment tools evaluate network-attached devices (servers, desktops, switches, routers, etc.) for vulnerable or potentially vulnerable situations. Often the vulnerabilities that are identified by these tools are programming flaws; however, some tools provide enough data that an analyst can uncover design, implementation, and configuration vulnerabilities.

In the case of network-based tools, a network footprint analysis is performed by scanning for accessible hosts. The tools enumerate available network services (e.g., file transfer protocol, hypertext transfer protocol) on each host as accessible hosts are identified. As part of the enumeration services, scanners attempt to identify vulnerabilities through banner grabbing, port status, protocol compliance, service behavior, or exploitation. These terms are defined in Section 3.2 of this document.

Some advantages to vulnerability assessment tools are that they:

• More clearly define an asset,
• Discover technological and network vulnerabilities,
• Provide multi-perspective view points,
• Help properly scope the analysis,
• Reference public catalogs,
• Highlight design, implementation, and configuration vulnerabilities.

When a scanner finds a host with open ports, it checks those ports for vulnerabilities to known attacks. Most scanners include exploit tests that verify whether a given service or application is vulnerable. Most scanning tools perform tests based on their database of vulnerabilities. Just as anti-virus products must be constantly updated with new signatures, assessment tools must be continually updated with revisions to their vulnerability databases. If a vulnerability is not included in a tool’s database, it cannot be detected through scanning.

3.2 Definition Box

Hacker’s Methodology: A common approach to system exploitation:

1. Perform a footprint analysis
2. Enumerate targets
3. Test/obtain access through user privilege manipulation
4. Escalate privileges
5. Gather additional passwords and secrets
6. Install backdoors
7. Leverage the compromised system

Table 1: Hacker’s Methodology

Banner Grabbing

This term refers to grabbing information that a network service broadcasts about itself. For example: Opening a telnet session to a mail server might yield the following message:

    220 mailhost.company.com ESMTP service (Netscape Messaging Server 4.15 Patch 7 [built September 11, 2001]).

This example banner reveals the specific type of mail server that is running and its patch level. Similarly, a telnet connection to a Web server might yield information such as the following:

    HTTP/1.1 200 OK
    Date: Wed, 02 Jul 2003 22:03:21 GMT
    Server: Apache/1.3.27 (Win32) PHP/4.2.2
    X-Powered-By: PHP/4.2.1
    Connection: close
    Content-Type: text/html

In this case, the banner reveals the time on the Web server, the Web server type and version, an accessible scripting language (hypertext preprocessor [PHP]), and the operating system on which it is running.

Port Status

This term refers to checking to determine which network ports are open to allow connections to applications. For network services that use Transmission Control Protocol (TCP), this is done by sending a TCP connect() request to ports on the remote system. If the queried port is listening, the connect() succeeds and the port is considered open; if it is not listening, the connect() fails and the port is considered closed. There are several other methods of checking port status, such as TCP synchronize (SYN) scans, TCP finish (FIN) scans, and so forth, that are beyond the scope of this report.
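The Banner Grabbing and Port Status definitions above can be exercised against a service you run yourself to see what it gives away. The following is an added example, not part of the original report: it uses the two banners quoted above, and its function names and loopback test fixture are assumptions made for the illustration.

```python
import re
import socket
import socketserver
import threading

# Banners quoted in the text above (sentence punctuation removed).
SMTP_BANNER = ("220 mailhost.company.com ESMTP service (Netscape Messaging "
               "Server 4.15 Patch 7 [built September 11, 2001])\r\n")
HTTP_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                 "Date: Wed, 02 Jul 2003 22:03:21 GMT\r\n"
                 "Server: Apache/1.3.27 (Win32) PHP/4.2.2\r\n"
                 "X-Powered-By: PHP/4.2.1\r\n"
                 "Connection: close\r\nContent-Type: text/html\r\n\r\n")

PRODUCT = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")  # Apache/1.3.27
COMMENT = re.compile(r"\(([^)]*)\)")                   # (Win32)
GREETING = re.compile(r"^(\d{3})[ -](\S+)\s*(.*)$")    # SMTP: code host text


def disclosures_http(response):
    """Report what the headers reveal; 'conflicts' lists products whose
    headers disagree on the version, which weakens banner-based findings."""
    out = {"products": [], "platform_hints": [], "clock": None}
    for line in response.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                              # blank line ends the headers
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name in ("server", "x-powered-by"):
            out["products"] += PRODUCT.findall(value)
            out["platform_hints"] += COMMENT.findall(value)
        elif name == "date":
            out["clock"] = value
    seen = {}
    for product, version in out["products"]:
        seen.setdefault(product, []).append(version)
    out["conflicts"] = {p: v for p, v in seen.items() if len(set(v)) > 1}
    return out


def disclosures_smtp(banner):
    """Split an SMTP greeting into reply code, host name and software string."""
    match = GREETING.match(banner.strip())
    if not match:
        return {"code": None, "host": None, "software": None, "versions": []}
    code, host, text = match.groups()
    comment = COMMENT.search(text)
    software = comment.group(1) if comment else None
    versions = re.findall(r"\d+(?:\.\d+)+", software or "")
    return {"code": code, "host": host, "software": software, "versions": versions}


def port_status(host, port, timeout=1.0):
    """TCP connect() check: open if the handshake completes, else closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return "open" if sock.connect_ex((host, port)) == 0 else "closed"


def grab_banner(host, port, timeout=1.0, limit=1024):
    """Read what the service sends on connect, up to `limit` bytes."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            while len(data) < limit:
                chunk = sock.recv(limit - len(data))
                if not chunk:
                    break                      # peer closed the connection
                data += chunk
        except socket.timeout:
            pass                               # service is waiting for input
    return data.decode("ascii", errors="replace")


class BannerHandler(socketserver.BaseRequestHandler):
    """Constructed fixture: send SMTP_BANNER to each client, then close."""
    def handle(self):
        self.request.sendall(SMTP_BANNER.encode("ascii"))


def start_constructed_service():
    """Start the fixture on a loopback ephemeral port; return the server."""
    server = socketserver.TCPServer(("127.0.0.1", 0), BannerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    server = start_constructed_service()
    host, port = server.server_address
    print(port_status(host, port), disclosures_smtp(grab_banner(host, port)))
    server.shutdown()
    server.server_close()
    print(port_status(host, port))             # listener gone: connect() fails
    print(disclosures_http(HTTP_RESPONSE))
```

The `conflicts` entry for the Web banner shows the two headers disagreeing on the PHP version, one reason a version read from a banner should be confirmed before it is treated as a finding.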

Protocol Compliance

This term refers to the way an application or operating system adheres to a standard procedure for data processing or transmission. One of the most common ways of using protocol compliance to identify remote systems is to interrogate the TCP stack. By monitoring the header information of outbound packets, it is possible to make accurate guesses regarding the remote operating system. By examining the Time To Live on the packet, its Window Size, the Don’t Fragment bit, and the Type of Service, it is possible in many cases to determine exactly which implementation of the TCP stack is on the remote system. (See Figure 5.) Determining the TCP stack narrows the number of possible operating systems, sometimes identifying the exact operating system.

Figure 5: TCP Connection (3-way Handshake)

Service Behavior

This term refers to the way a network service responds to remote requests. Different implementations of a given type of service may result in slightly different behavior from remote requests. For example, a “help” command response from a sendmail email server is different from the result from a postfix email server.

Exploitation

Computer network exploitation (CNE) refers to the “enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks.” [14] CNE can be accomplished through a variety of means such as packet sniffing, hijacking TCP connections, port scanning, and address resolution protocol (ARP) spoofing. For example: ARP spoofing is a technique used to exploit Ethernet networks. This type of spoofing can be used in two different ways:

• Sending fake, or spoofed, ARP messages to an Ethernet local area network,
• As part of a “man-in-the-middle attack.”

The first means of exploitation is accomplished by sending frames that contain false media access control addresses, thus confusing network devices, such as network switches. The resulting effect is that the frames that are intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack). The second means of exploitation is accomplished by forwarding all traffic through a host with the use of ARP spoofing and then analyzing the frames for passwords and other information.


3.3 How Vulnerability Assessment Tools Can Be Incorporated into a Security Plan Security plans are a critical aspect of a firm or organization’s secure operations. Security plans, or more precisely, system security plans, are specific guidelines and procedures to accomplish the secure setup, operation, and maintenance of an information system. To effectively implement a system security plan for a large infrastructure, it is necessary to leverage security technology to automate the important and otherwise time-consuming aspects of the security operations. Tools for scanning are invaluable for gaining a snapshot in time of the vulnerabilities that exist on a given network at a given point in time. Most scanning tools include a reporting option or module that explains the vulnerabilities detected and provides a ranking of the criticality of each problem (e.g., high, medium, low). To enhance the security of your systems, assessments should be performed on a routine basis. This will provide the users and administrators assurance that the system is free from malicious code. Just as thousands of vulnerabilities are reported each year, systems must be scanned at regular and frequent intervals to ensure that they are not susceptible to attack. In addition, when new hosts are connected to the system, networks must be checked for the risks that these new systems might bring to the overall network. Checks must also be conducted when newly discovered weaknesses in existing applications and operating systems are announced. After all, “a fundamental tenet of security is that a chain is only as strong as its weakest link and a wall is only as strong as its weakest point. Smart attackers are going to seek out that weak point and concentrate their attention there.” [13] A single host that is vulnerable to attack puts the entire network at risk. The identification of vulnerabilities on a system is only half the challenge. 
The other half of the challenge is fixing the vulnerabilities that are found. Identified vulnerabilities can be corrected via patches, updating, or even reconfiguring the system. Finding the time and money to correct the vulnerability can be a challenge. The system and network administrators must work with management to share the information that was found during the assessment and weigh the costs of correcting the vulnerability against the benefits. There are tools that can automatically patch a large number of vulnerabilities and systems, but they are often very expensive. Managers and administrators need to understand their environment and choose a solution that fits. A manager can choose not to spend the money on a more robust patch management solution, but must realize that manpower must replace what he or she has chosen not to purchase in an automated solution.

Unfortunately, scanning tools suffer from false positive and false negative problems in vulnerability identification that are similar to those of antivirus products. A false positive means that a tool finds a vulnerability that does not exist. For example, a particular scanner may report that a network server is a Windows® 2000 system that is vulnerable to a known Microsoft Internet Information Server (IIS) Web server bug, when in fact, the server is a Linux system running the Apache Web server. A false negative means that a tool fails to find an existing vulnerability. An example of this behavior could be when a particular tool tests a network host and fails to discover that it is remotely exploitable through an anonymous login.

Ultimately, common sense must be applied to all findings to ensure that meaningful vulnerabilities are corrected; however, time should not be wasted on erroneous results. Finding the right balance can sometimes be difficult. One potential strategy for reducing the number of false positives and false negatives is to run two different scanners against a given network and compare the results. In most cases, the results of both tools will complement each other so that no weaknesses are overlooked.

In all cases, it is necessary to have a knowledgeable and responsible security professional who can effectively leverage security tools to manage the security operations of an organization.
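The two-scanner comparison described above, sketched as an added example that is not part of the original report: findings reported by both tools are marked corroborated, findings from only one tool are queued for manual verification, and a platform-specific finding that contradicts the other tool's OS fingerprint (the Windows/IIS versus Linux/Apache case) is flagged separately. The CSV layout, hosts, check IDs and function names are constructed assumptions and do not match any product's export format.

```python
"""Cross-check two scanners' findings (added example, constructed data).

The CSV layout, hosts and check IDs are assumptions made for this example;
real products export different formats and need their own normalisation step.
"""
import csv
import io

# Constructed export from hypothetical scanner A. It fingerprints 10.0.0.5 as
# Windows and reports an IIS-only check against it.
SCANNER_A_CSV = """host,os_guess,check_id,applies_to
10.0.0.5,windows,CHECK-IIS-0001,windows
10.0.0.5,windows,CHECK-HTTP-0002,any
10.0.0.7,linux,CHECK-FTP-ANON,any
10.0.0.9,windows,CHECK-SMB-0003,windows
"""

# Constructed export from hypothetical scanner B. It fingerprints 10.0.0.5 as
# Linux and finds an anonymous login on 10.0.0.8 that scanner A did not report.
SCANNER_B_CSV = """host,os_guess,check_id,applies_to
10.0.0.5,linux,CHECK-HTTP-0002,any
10.0.0.7,linux,CHECK-FTP-ANON,any
10.0.0.8,linux,CHECK-FTP-ANON,any
10.0.0.9,windows,CHECK-SMB-0003,windows
"""


def load(csv_text):
    """Return ({host: os_guess}, {(host, check_id): applies_to}) for one export."""
    os_by_host, findings = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["host"].strip()
        os_by_host[host] = row["os_guess"].strip().lower()
        findings[(host, row["check_id"].strip())] = row["applies_to"].strip().lower()
    return os_by_host, findings


def fingerprint_conflicts(export_a, export_b):
    """Hosts that both scanners saw but fingerprinted as different platforms."""
    os_a, _ = load(export_a)
    os_b, _ = load(export_b)
    shared = sorted(set(os_a) & set(os_b))
    return {h: (os_a[h], os_b[h]) for h in shared if os_a[h] != os_b[h]}


def triage(export_a, export_b):
    """Map (host, check_id) -> (status, source) for the union of both result sets.

    corroborated      both scanners report the finding
    platform-conflict one scanner reports a platform-specific finding, but the
                      other fingerprints the host as a different platform
                      (probable false positive, verify the fingerprint first)
    single-source     only one scanner reports it: either a false positive of
                      that tool or a false negative of the other
    """
    os_a, found_a = load(export_a)
    os_b, found_b = load(export_b)
    result = {}
    for key in sorted(set(found_a) | set(found_b)):
        host = key[0]
        if key in found_a and key in found_b:
            result[key] = ("corroborated", "A+B")
            continue
        if key in found_a:
            source, found, other_os = "A", found_a, os_b
        else:
            source, found, other_os = "B", found_b, os_a
        applies_to = found[key]
        other_guess = other_os.get(host)  # None: other tool reported nothing for host
        if applies_to != "any" and other_guess is not None and other_guess != applies_to:
            result[key] = ("platform-conflict", source)
        else:
            result[key] = ("single-source", source)
    return result


if __name__ == "__main__":
    for (host, check), (status, source) in triage(SCANNER_A_CSV, SCANNER_B_CSV).items():
        print(f"{host:10} {check:16} {status:18} reported by {source}")
    print("fingerprint conflicts:", fingerprint_conflicts(SCANNER_A_CSV, SCANNER_B_CSV))
```

Neither status settles which tool is right; the output only orders the manual verification work that the report says a knowledgeable security professional still has to do.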


SECTION 4 Tool Collection

4.1 Classification

Existing community relationships were leveraged during the process of data gathering on the tools. Collection activities included Internet searches to identify additional corporations, professional organizations, and universities with involvement in vulnerability analysis. The tools described in the IATAC IA Tools Database can be categorized within one or more of the topical areas listed below:

- Host scanning: Host-scanning tools scan critical system files, active processes, file shares, and the configuration and patch level of a particular system. The results produced from this type of tool are usually very detailed because they run on the host system at the same permission level as the user conducting the scan. Although host-based tools provide very detailed results, sometimes the volume of data that is produced from these scans (i.e., when conducted across several hosts) can be difficult to aggregate and correlate to produce results (imagine an administrator trying to physically visit and test 1,000 workstations).
- Network scanning: Network-scanning tools scan available network services for vulnerabilities through banner grabbing, port status, protocol compliance, service behavior, or exploitation.
- Web application scanning: Web application-scanning tools designed specifically for the Web are a specialized form of network or host scanner that interrogates Web servers or scans Web source code for known vulnerabilities (e.g., DominoScan). These tools often search for the presence of default accounts, directory traversal attacks, form validation errors, insecure cgi-bin files, demonstration Web pages, and other vulnerabilities.
- Database application scanning: Database application-scanning tools that are specifically designed for databases are a unique form of network scanner. These tools interrogate database servers for known vulnerabilities (e.g., AppDetective).
- Vulnerability and patch management: The category of Vulnerability and Patch Management has tools that wrap up many aspects of vulnerability management. These tools address vulnerabilities, policy compliance, patch management, configuration management and reporting. These are meant to be all-in-one solutions that make managing very large networks and domains efficient and require as little manpower as possible.

4.2 Tool Selection Criteria

The selected tools meet the following three criteria:

- Definition: These tools satisfy the objective, approach, and methodology of a vulnerability analysis tool based on the definition of vulnerability.
- Specificity to vulnerability analysis: The primary function of these tools is vulnerability analysis or vulnerability management. These tools may also be used during the first stages of a penetration attack as a way of identifying the target system’s weaknesses and helping to fine-tune the attack. Penetration test tools, whose primary purpose is to exploit identified vulnerabilities and cause damage or destruction to the target system, are not included.
- Current availability: The tools that are included in this report are currently available from the Government, academia, or commercial sources, or as freeware on the Internet. Some tools that were included in previous versions of this report are no longer available or have been renamed. All tools from previous releases of this report that are no longer available have been removed.


SECTION 5 Vulnerability Analysis Tools

Section 5 summarizes pertinent information, providing users a brief description of available vulnerability analysis tools and vendor contact information. Again, IATAC does not endorse, recommend, or evaluate the effectiveness of these tools. The written descriptions are drawn from vendors’ information and are intended only to highlight the capabilities or features of each product. It is up to the reader to assess which product, if any, may best suit his or her security needs.

Trademark Disclaimer

The authors have made a best effort to indicate registered trademarks where they apply, based on searches in the U.S. Patent and Trademark Office Trademark Electronic Search System for “live” registered trademarks for all company, product, and technology names. There is a possibility, however, that due to the large quantity of such names in this report, some trademarks may have been overlooked in our research. We apologize in advance for any trademarks that may have been inadvertently excluded, and invite the trademark registrants to contact the IATAC to inform us of their trademark status so we can appropriately indicate these trademarks in our next revision. Note that we have not indicated non-registered and non-U.S. registered trademarks due to the inability to research these effectively.

Legend For Tables

For each tool described in this section, a table is provided that provides certain information about that tool. This information includes:

- Type: The type of tool, or category in which this tool belongs, e.g., “Web Application Scanning”
- Operating System: The operating system(s) on which the tool runs. If the tool is an appliance, this field will contain a “not applicable” symbol (N/A) because the operating system is embedded in the tool.
- Hardware: The third-party hardware platform(s) on which the tool runs, plus any significant additional hardware requirements, such as minimum amount of random access memory or free disk space. If the tool is an appliance, this field will contain a “not applicable” symbol (N/A) because the hardware is incorporated into the tool.
- License: The type of license under which the tool is distributed, e.g., Commercial, Freeware, GNU Public License
- NIAP Validated: An indication of whether the product has received a validation by the National Information Assurance Partnership (NIAP) under the Common Criteria, Federal Information Processing Standard 140, or another certification standard for which NIAP performs validations. If no such validation has been performed, this field will be blank.
- Common Criteria: If the tool has received a Common Criteria certification, the Evaluation Assurance Level and date of that certification. If no such certification has been performed, this field will be blank.
- Developer: The individual or organization responsible for creating and/or distributing the tool
- URL: The Uniform Resource Locator (URL) of the Web page from which the tool can be obtained (downloaded or purchased), or in some cases, the Web page at which the supplier can be notified with a request to obtain the tool

IATAC does not endorse any of the following product evaluations.

Acunetix® Web Vulnerability Scanner

Abstract

Acunetix’s engineers have focused on Web security since 1997 and have developed tools for Web site analysis and vulnerability detection.

Features

- AcuSensor Technology;
- An automatic Javascript analyzer allowing for security testing of Ajax and Web 2.0 applications;
- Structured Query Language (SQL) injection and cross-site scripting (XSS) testing;
- Visual macro recorder allows for testing Web forms and password protected areas;
- Reporting facilities including VISA Payment Card Industry (PCI) compliance reports;
- Multi-threaded scanner crawls hundreds of thousands of pages;
- Crawler detects Web server type and application language;
- Acunetix crawls and analyzes Web sites, including flash content, SOAP, and AJAX;
- Port scans a Web server and runs security checks against network services running on the server.

Acunetix® Web Vulnerability Scanner
Type: Web Application Scanning
Operating System: Windows XP, Vista, 2000, server 2003
Hardware Requirements: 1 gigabyte (GB) random access memory (RAM), 100 megabyte (MB) disk space
License: Commercial (Free Trial Copy)
NIAP Validated:
Common Criteria Rating:
Developer: Acunetix
Availability: http://www.acunetix.com/vulnerability-scanner/

AppDetective

Abstract

A network-based, vulnerability assessment scanner, AppDetective discovers database applications within an infrastructure and assesses their security strength. In contrast to piecemeal solutions, AppDetective modules allow enterprises to assess two primary application tiers (application/middleware, and back-end databases) through a single interface. Backed by a proven security methodology and extensive knowledge of application level vulnerabilities, AppDetective locates, examines, reports, and fixes security holes and misconfigurations. As a result, enterprises can proactively harden their database applications while at the same time improving and simplifying routine audits.

Features

- Automated database discovery and inventory,
- User rights management,
- Job scheduling,
- Database-specific vulnerability assessment,
- Compliance mapping,
- “Outside-in” and “inside-in” vulnerability testing,
- Industry leading database vulnerability knowledge base,
- Automated information gathering and analysis,
- Scalable database scanning,
- Advanced, customizable reporting.

AppDetective
Type: Database Scanning
Operating System: Windows XP, Server 2003
Hardware Requirements: 750 Megahertz (MHz) central processing unit (CPU), 512 MB RAM, 300 MB Disk Space
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Application Security, Inc.
Availability: http://www.appsecinc.com/products/appdetective/

ASG Information Assurance Application (IA2)

Abstract

ASG’s Information Assurance Application (IA²) automates the reporting requirements of DISA. IA² automatically parses, stores, tracks, and reports on the Defense Information Systems Agency’s (DISA) Security Readiness Review, third party vulnerability scanner results, and DISA’s Security Checklists.

IA² has the ability to synchronize the local database with the third party vulnerability scanners as well as the DISA Security Readiness Review scripts. All of the data from each source is combined and cross referenced giving a complete view of your environment. IA² also incorporates a robust reporting solution allowing for tracking, trending and ad hoc reporting.

Features

- Federal Information Security Management Act of 2002 (FISMA) automation,
- Vulnerability gap analysis,
- Scanner cross-referencing,
- Information drilldown,
- Automated security checklist,
- Accepts third party scan,
- Advanced reporting,
- Trending,
- Automatically updates signatures,
- Automatic reporting,
- Ad Hoc reporting,
- Secure communication,
- Secure data storage,
- Distributed architecture,
- Windows authentication,
- Role-based security.

Supported Scanners

- Foundstone,
- Harris STAT,
- eEye,
- Nessus,
- nCircle.

ASG Information Assurance Application (IA2)
Type: Vulnerability and Patch Management
Operating System:
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Atlantic Systems Group, Inc. (ASG)
Availability: http://www.asg.cc/IA2/

BigFix® Security Configuration and Vulnerability Management Suite

Abstract

Offered as part of the BigFix Security Configuration and Vulnerability Management suite, BigFix Vulnerability Management reduces risk across the enterprise for all assets, whether they are fixed or mobile, desktops, laptops, or servers. Through a repository of vulnerability assessment policies, BigFix provides organizations with the ability to assess their managed systems against Open Vulnerability Assessment Language (OVAL)-based vulnerability definitions. Each managed endpoint quietly and continuously evaluates the state of the endpoint, and reports on any non-compliant policy in real-time by leveraging the power of BigFix Unified Management platform. Additionally, the BigFix high performance architecture enables the industry’s fastest time to remediation and closely bridges assessment with remediation by applying necessary patch and configuration policies.

Features

- Assess managed endpoints against known vulnerabilities using pre-defined, out-of-the-box OVAL-based policy definitions;
- Identify and eliminate known vulnerabilities across hundreds of thousands of endpoints using automated policy enforcement or manual deployment;
- Continuously enforce policies on or off the network;
- Map all vulnerabilities to industry standards to provide Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System references and links to the National Vulnerability Database (NVD);
- Integrate with BigFix Patch Management and Security Configuration Management for comprehensive assessment and remediation of identified vulnerabilities;
- Create flexible, on-demand ad-hoc custom queries and reports;
- Security Content Automation Protocol (SCAP) validated.

BigFix Security Configuration and Vulnerability Management Suite
Type: Vulnerability and Patch Management
Operating System: Windows Server 2000/2003/2008
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: BigFix
Availability: http://www.bigfix.com/content/vulnerability-management

Computer Oracle and Password (COPS)

Abstract

Computer Oracle and Password (COPS) is a security toolkit that examines a system for a number of known weaknesses, and it alerts the system administrator to these weaknesses. In some cases, it can automatically correct these problems.

Computer Oracle and Password (COPS)
Type: Database Scanning
Operating System: Unix
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Dan Farmer
Availability: http://ftp.cerias.purdue.edu/pub/tools/unix/scanners

CORE IMPACT™

Abstract

CORE IMPACT Pro is a comprehensive software solution for assessing the security of network systems, endpoint systems, email users, and Web applications. Backed by Core Security’s ongoing vulnerability research and threat expertise, IMPACT Pro allows you to get in-depth visibility of your organization’s network and application vulnerabilities.

Features

- Gather system information via Network Discovery, Port Scanner, and operating system (OS) and Service Identification modules;
- Identify critical OS, service, and application vulnerabilities with a constantly updated library of Commercial-Grade Exploits;
- Demonstrate the consequences of a breach by replicating the steps an attacker would take, including opening command shells, browsing file systems, and seeking administrative privileges;
- Emulate multistaged threats that leverage compromised systems as beachheads to launch internal attacks against backend network resources;
- Run tests without installing modules on compromised systems, or altering them in any way;
- Generate reports containing actionable data for prioritizing remediation, demonstrating security improvements, and complying with regulations;
- CORE IMPACT Pro enables you to test Web applications against XSS (URL-based), SQL Injection, Blind SQL Injection, and Remote File Inclusion for PHP applications;
- Identify weaknesses in Web applications, Web servers, and associated databases, with no false positives;
- Dynamically generate exploits that can compromise security weaknesses in custom applications;
- Demonstrate the consequences of a successful attack by replicating local attacks against backend resources;
- Get actionable data necessary for focusing development resources on remediating proven security issues.

CORE IMPACT
Type: Network Scanning
Operating System: Windows XP, Windows Vista
Hardware Requirements: 3 Gigahertz (GHz) Pentium 4+ CPU, 1 GB+ RAM, 1 GB+ Disk space, 1024x768+ resolution
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Core Security Technologies
Availability: http://www.coresecurity.com/content/core-impact-overview

DominoScan II

Abstract

Specially developed to present the attacker’s eye view of the security issues surrounding Lotus Domino Web servers and bespoke Notes applications. Running on Microsoft Windows, DominoScan II (DSII) has the capability to audit Lotus Domino Web Servers running on any operating system. Using an NGSSoftware-developed technique (Database Structure Enumeration) allows DSII to interrogate every view, form, and agent within a database, even if access control list (ACL) access protection has been invoked. It will perform an exhaustive range of tests on each document, auditing over one hundred sensitive and default databases and subjecting all documents to a vigorous set of vulnerability assessment checks.

Features

- Attempts to gain access to over 100 sensitive/default databases;
- Web Administrator template access using ReplicaID;
- Web Administrator template access using buffer truncation;
- ‘cache.dsk’ access using buffer truncation;
- Directory traversal;
- Database browsing;
- Audits bespoke databases;
- Unique database structure enumeration technology;
- Finds hidden and visible views;
- Default Navigator Access;
- Attempts to bypass default Navigator protection;
- Evaluates database design;
- Checks every document for Edit access;
- Attempts a forced search;
- ReadEntries & ReadViewEntries access;
- Reporting in HyperText Markup Language (HTML) (Static/Dynamic), eXtensible Markup Language (XML), Text file, rich text format, and Open Database Connectivity (Microsoft) database;
- Fast, easy to use, and highly configurable;
- Can perform focused audits;
- Unique Spidering capability offering intelligent scanning;
- Ability to scan as an authenticated user;
- Ability to perform QuickHit audit;
- Vulnerability link to CVE.

DominoScan II
Type: Web Application Scanning
Operating System: Windows 2003, 2000, XP, NT 4.0
Hardware Requirements: 500 MHz Pentium III, 512 MB RAM, 20 MB Disk Space
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Next Generation Security Software
Availability: http://www.nextgenss.com/products/internet-security/dominoscan.php

DumpSec v2.8.6

Abstract

SomarSoft’s DumpSec is a security auditing program for Microsoft Windows NT/XP/200x. It dumps the permissions (Discretionary Access Control Lists) and audit settings (System Access Control Lists) for the file system, registry, and printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group, and replication information.

DumpSec v2.8.6
Type: Host Scanning
Operating System: Windows NT/XP/200x
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: SomarSoft
Availability: www.somarsoft.com

eTrust® Policy Compliance

Abstract

eTrust Policy Compliance provides enterprises with the tools and information necessary to eliminate one of the most overlooked threats to networks: misconfigured assets. eTrust Policy Compliance helps organizations identify and compare the security configurations of their critical business assets to an established baseline and provides the configuration remediation and measures progress through risk-based reporting. eTrust Policy Compliance provides a comprehensive policy and configuration assessment process to mitigate risk and ensure compliance with security policies, government regulations, and industry standards.

Features

- Identify misconfigured IT assets,
- Create secure configuration baselines and monitor deviations,
- Provide configuration remediation and measure progress through risk-based reporting,
- Offer extensible tools and open interfaces for custom security configuration management.

eTrust Policy Compliance
Type: Network Scanning
Operating System: Linux, Windows, Unix
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Computer Associates
Availability: http://www3.ca.com/solutions/Product.aspx?ID=165

Fortiscan Vulnerability Management

Abstract

FortiScan provides a centrally managed, enterprise-scale solution that enables organizations to close IT compliance gaps, and implement continuous monitoring in order to audit, evaluate, and comply with internal, industry, and regulatory policies for IT controls and security at the OS level. Organizations realize quick time-to-value with easy to install, intuitive, high value standard compliance policies (National Institute of Standards and Technology [NIST] SCAP, Federal Desktop Core Configuration [FDCC], PCI data security standard [DSS], Sarbanes-Oxley Act [SOX], Gramm-Leach-Bliley Act [GLBA], Health Insurance Portability and Accountability Act [HIPAA]) ready out of the box with regular updates by FortiGuard to ensure OS regulatory compliance requirements are met.

FortiScan dedicated hardware appliances easily plug into the network for fast deployment. FortiScan integrates endpoint vulnerability management, industry and federal compliance, patch management, remediation, auditing, and reporting into a single, unified appliance for immediate results. A centralized administration console facilitates management of multiple FortiScan appliances across the enterprise.

Features

- Identifies security vulnerabilities and finds compliance exposures on hosts, servers, and throughout the network transparently to end users;
- Network discovery, asset prioritization, and profile-based scanning;
- Industry, regulatory and best practices, including templates for ISO 17799, SOX, HIPAA, GLBA, NIST, SCAP, and FISMA;
- Audits and monitors across heterogeneous systems and provides industry standard benchmarks for information security compliance audits for operating systems;
- Aids compliance for regulatory mandates with 360-degree reporting and analysis, and views;
- Delivers patch management with ready-to-deploy remediation and enforcement actions, allowing network managers to change configurations and potentially mitigate weak settings, including disabling an application or denying a network request;
- Reduced errors, repeatable processes, and predictable results delivered with extensive libraries of templates that enable IT staff to leverage industry standard best practices that produce measurable results.

Fortiscan Vulnerability Management
Type: Vulnerability and Patch Management
Operating System: N/A
Hardware Requirements: Vendor Supplied Hardware
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Fortinet
Availability: http://www.fortinet.com/products/fortiscan/

GFI LANguard®

Abstract

Scans a network and ports to detect, assess, and correct security vulnerabilities with minimal administrative effort. GFI LANguard performs network scans using vulnerability check databases based on OVAL and SysAdmin, Audit, Network, Security (SANS) Top 20, providing over 15,000 vulnerability checks.

- Patch Management: GFI LANguard has built in patch management features that can automatically download missing Microsoft security updates, as well as automatically deploy the missing Microsoft patches or service packs over the network at the end of scheduled scans.
- Hardware and Software Management: GFI LANguard’s network auditing feature retrieves hardware information on memory, processors, display adapters, storage devices, motherboard details, printers, and ports in use and monitors any changes that may occur. GFI LANguard can also monitor a software baseline, informing administrators when a new program is installed and can automatically uninstall unauthorized applications.

GFI LANguard
Type: Vulnerability and Patch Management
Operating System: Windows, Mac OS, Linux
Hardware Requirements: 1 GHz CPU, 512 MB RAM, 500 MB Disk space (Minimum. Scanning more hosts requires higher specs. See documentation for details)
License: Commercial, free version available
NIAP Validated:
Common Criteria Rating:
Developer: GFI
Availability: http://www.gfi.com/lannetscan

Gideon SecureFusion Vulnerability Management

Abstract

Part of the SecureFusion suite, Vulnerability Management scans for thousands of known vulnerabilities in operating systems, infrastructure, network applications, and databases. The vulnerability signatures are updated on a daily basis and provide checks for the most recent security vulnerabilities.

The SecureFusion Portal provides a complete view of assets, vulnerabilities, configuration details, and policy compliance metrics. Instead of outdated spreadsheets and cumbersome tools that cannot correlate data, the SecureFusion Portal helps you intelligently analyze your IT environment regarding unmanaged assets, vulnerabilities, improper settings, and the reasons behind failed compliance checks.

SecureFusion is built on the additive intelligence of four core capabilities:

- Asset discovery: performs continuous audits of managed and unmanaged assets with no impact to the network;
- Vulnerability management: conducts ongoing, active vulnerability detection and reporting for operating systems, infrastructure, network applications, and databases;
- Configuration management: continuously compares system configuration and compliance with IT security standards;
- Policy management: initiates, reviews, publishes, and maintains security policies.

Vulnerability Management offers:

- End-to-end automation and workflow,
- System patch reporting,
- Results filtering,
- Automated signature updates,
- Target blacklisting,
- Bandwidth throttling,
- Massive scalability,
- Dynamic report building,
- Automated scheduling.

Gideon SecureFusion Vulnerability Management
Type: Vulnerability and Patch Management
Operating System:
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Gideon Technologies
Availability: http://www.thegideongroup.com/vulnerability-management.asp

Host Based Security System (HBSS)

Abstract

The Host Based Security System (HBSS) baseline is a flexible, commercial off-the-shelf (COTS)-based application. It monitors, detects, and counters against known cyber threats to the DoD Enterprise. Under the sponsorship of the Enterprise-wide Information Assurance and Computer Network Defense Solutions Steering Group (ESSG), the HBSS solution will be attached to each host (server, desktop, and laptop) in DoD. The system will be managed by local administrators and configured to address known exploit traffic using an Intrusion Prevention System (IPS) and host firewall. DISA Information Assurance/Network Operations Program Executive Office (PEO-IAN) is providing the program management and supporting the deployment of this solution.

Scope

The scope of the HBSS deployment is worldwide. This vast effort requires a large support infrastructure to be in place. DISA PEO-IAN has instituted support services to enable the comprehensive implementation of the HBSS system to all the combatant commands, services, agencies, and field activities.

Features

- ePolicy Orchestrator (ePO) management suite;
- Central security manager;
- Enables the installation, management, and configuration of the HBSS components;
- View reports to help monitor deployments, vulnerabilities, and protection levels;
- McAfee Agent (MA);
- Provides local management of all HBSS products collocated on the host;
- Runs silently in the background to gather information and events from managed systems;
- Sends collected data to the ePO server;
- Manages modules and software updates of other HBSS products on the host system;
- Enforces policies on the host machines;
- Host Intrusion Prevention System (HIPS);
- Enforces security policy;
- Adds a robust layer of protection to the MA end-point asset that includes known and unknown buffer overflow exploit protection, prevention of malicious code installation/execution, and identification of activities that deviate from DoD or organizational policy;
- Asset Information (formerly referred to as the INFOCON);
- Generates snapshots of asset configurations to facilitate detection of changes made to authorized baselines;
- Rogue System Detection (RSD);
- Detects all systems connecting to the network;
- Identifies unmanaged (or Rogue) systems present on the network;
- Policy Auditor (PA);
- Scans remote computers to determine compliance with defined policies;
- Identifies host vulnerabilities on the network.

Host Based Security System (HBSS)
Type: Vulnerability and Patch Management
Operating System: Windows
Hardware Requirements:
License: Commercial/Government
NIAP Validated:
Common Criteria Rating:
Developer: DISA–DoD
Availability: http://www.disa.mil/news/pressresources/factsheets/hbss.html

Internet Scanner®

Abstract

The Internet Scanner vulnerability assessment application minimizes risk by identifying the security holes or vulnerabilities in the network so the user can protect the network before an attack occurs. Internet Scanner can identify more than 1,300 types of networked devices on a network, including desktops, servers, routers/switches, firewalls, security devices, and application routers. Internet Scanner analyzes the configurations, patch levels, operating systems, and installed applications to find vulnerabilities that could be exploited by hackers trying to gain unauthorized access.

Features

- Unlimited asset identification,
- Dynamic check assignment,
- Common policy editor,
- Real-time display,
- Vulnerability catalog,
- Comprehensive reporting,
- Centralized vulnerability management features,
- Enterprise-class scalability,
- Remote scanning,
- Enterprise reporting,
- Automatic security content updates,
- Command scheduler,
- Asset management,
- Real-time display,
- User administration.

Internet Scanner
Type: Network Scanning
Operating System: Windows 2000 Professional/SP4, Windows Server 2003 Standard SP1, Windows XP Professional SP1a
Hardware Requirements: 1.2 GHz CPU, 512 MB RAM, 650 MB disk space (minimum)
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Internet Security Systems (owned by IBM)
Availability: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1027208

Lumension Scan™

Abstract

Lumension Scan, a component of Lumension Vulnerability Management, is a complete stand-alone, network-based scanning solution that performs a comprehensive external scan of all devices connected to your network, both managed and unmanaged. Once assets are identified, the powerful, yet easy-to-use Lumension Scan detects weaknesses on these devices before they can be exploited.

Features

- Rapid and complete asset discovery and inventory of all devices on the network,
- Thorough and accurate network-based software and configuration vulnerability assessment,
- Risk-based vulnerability prioritization for identified threats,
- Continuously updated vulnerability database for orderly remediation,
- Comprehensive management and audit reporting.

Lumension Scan
Type: Network Scanning
Operating System: Windows XP Pro SP2+, Windows Server 2003 SP1+, Windows Server 2003 R2+
Hardware Requirements: 2 GHz CPU, 1 GB RAM, 20 GB disk space, 1024x768 Monitor Resolution
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Lumension
Availability: http://www.lumension.com/vulnerabilitymanagement/software-vulnerabilityassessment.jsp?rpLangCode=1&rpMenuId=150835

Vulnerability Analysis Tools

MBSA 2.1

Abstract

Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool that helps small and medium businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products, including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS), System Center Configuration Manager (SCCM) 2007, and Small Business Server.

MBSA 2.1

Type

Host Scanning

Operating System

Windows XP, Vista, Windows Server 2003, 2008

Hardware Requirements

x86, IA64, x64

License

Free

NIAP Validated

Common Criteria Rating

Developer

Microsoft

Availability

http://technet.microsoft.com/en-us/security/cc184924.aspx

MBSA 2.1 is the latest version of Microsoft’s free security and vulnerability assessment scan tool for administrators, security auditors, and IT professionals. MBSA 2.1 offers Windows Vista and Windows Server 2008 compatibility, a revised user interface, 64-bit support, improved Windows Embedded support, and compatibility with the latest versions of the Windows Update Agent based on MU. MBSA 2.1 is also compatible with MU, Windows Server Update Services 2.0 and 3.0, the SMS Inventory Tool for Microsoft Update, and SCCM 2007.


McAfee® Vulnerability Manager

Abstract

McAfee Vulnerability Manager (formerly McAfee Foundstone Enterprise) uses a priority-based approach that combines vulnerability, asset data, and countermeasures to help you make more informed decisions. It uses threat intelligence and correlation data to determine how emerging threats and vulnerabilities on networked systems affect your risk profile, so that you deploy resources where they are needed most. Improve operational efficiency and security protection while meeting tough mandates outlined in SOX, FISMA, HIPAA, and PCI DSS.

Vulnerability Manager is available as software or a secure, hardened appliance. Both increase the efficiency of your existing resources, resulting in a low cost of ownership. If you prefer a hosted option, choose the McAfee Vulnerability Management Service. It performs credential-based scans of UNIX, Cisco IOS, and Microsoft Windows platforms for correct patching. The Content Release Calendar provides automatic updates, including new OS support, vulnerability scan scripts, and compliance checks.

Vulnerability Manager integrates with your existing technologies and with other McAfee products, leveraging your investments. McAfee® Network Security Platform correlates Vulnerability Manager data to inform you of the most relevant threats targeting your systems. McAfee Risk and Compliance Manager (formerly McAfee Preventsys®) collects data from Vulnerability Manager to calculate risks, monitor risk scores, and automate compliance reporting. McAfee ePolicy Orchestrator® feeds asset and system protection data into Vulnerability Manager for accurate assessments.


McAfee Vulnerability Manager

Type

Vulnerability and Patch Management

Operating System

Windows Server 2000 or 2003

Hardware Requirements

Dual-core or dual-processor CPU at 2 GHz, 2 GB RAM, 80 GB disk space, Ethernet interface. Preconfigured vendor-supplied appliances also available.

License

Commercial

NIAP Validated

Common Criteria Rating

Developer

McAfee

Availability

http://www.mcafee.com/us/enterprise/products/risk_and_vulnerablity_management/vulnerability_manager.html


Metasploit

Abstract

The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler. The framework consists of tools, libraries, modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload.

Metasploit

Type

Network Scanning

Operating System

Windows, Linux, Mac

Hardware Requirements

License

Open Source

NIAP Validated

Common Criteria Rating

Developer

Metasploit, LLC

Availability

http://www.metasploit.com/home/


N-Stalker® Web Application Security Scanner

Abstract

N-Stalker Web Application Security Scanner 2009 is a Web Security Assessment solution developed by N-Stalker. By incorporating the “N-Stealth HTTP Security Scanner” and its 39,000 Web Attack Signature database, along with a patent-pending Component-oriented Web Application Security Assessment technology, N-Stalker is a security tool for developers, system/security administrators, IT auditors, and staff.

Features

• N-Stalker is a security assessment tool designed to crawl and evaluate custom Web Applications. It does not rely on out-of-box signatures.
• N-Stalker is used for either custom or off-the-shelf Web applications, including large financial customers, government agencies, foreign intelligence services, and armed forces.
• N-Stalker will inspect common Web application vulnerabilities, including Open Web Application Security Project Top 10, Common Weakness Enumeration Top 25 (see cwe.mitre.org), and a wide range of issues that affect overall security.
• N-Stalker will scan for both Web server infrastructure and application layers. Currently, there are more than 39,000 Web attack signatures included in our database to identify weaknesses in a Web server and third-party software components.
• N-Stalker implements its own patent-pending “component-oriented Web application security analysis” technology, an assessment methodology.


N-Stalker Web Application Security Scanner

Type

Web Application Scanning

Operating System

Windows (Windows 2000 or later)

Hardware Requirements

1 GB RAM, 500 MB disk space

License

Commercial, Free

NIAP Validated

Common Criteria Rating

Developer

N-Stalker

Availability

http://nstalker.com/products


nCircle® IP360

Abstract

As a component of nCircle’s security risk and compliance management suite, IP360 is a vulnerability and risk management system, enabling enterprises and government agencies to cost-effectively measure and manage their security risk. IP360 comprehensively profiles all networked devices and their applications, vulnerabilities, and configurations, and includes coverage for over 25,000 conditions (operating systems, applications, vulnerabilities, and configurations), providing the ideal foundation for assessing every system on the network. IP360’s agentless architecture is designed for rapid deployment and ease of management across large, globally distributed networks.

nCircle IP360

Type

Vulnerability and Patch Management

Operating System

N/A

Hardware Requirements

Vendor supplied scanning appliance

License

Commercial

NIAP Validated

Yes

Common Criteria Rating

EAL3 – May 16, 2005

Developer

nCircle

Availability

http://www.ncircle.com/index.php?s=products_ip360

Features

• Comprehensive, agentless discovery and profiling of all network assets for over 25,000 conditions;
• Enterprise scalability, ease of deployment, and operational effectiveness;
• Integrated network topology risk analysis for identifying the highest priority vulnerabilities;
• Integrated Web application scanning to identify security risk in Web applications;
• Flexible reporting across all levels of the enterprise.


Nessus® Vulnerability Scanner

Abstract

The Nessus vulnerability scanner is an active scanner, featuring high-speed discovery, asset profiling, and vulnerability analysis of the user’s security posture. Nessus scanners can be distributed throughout an entire enterprise, inside demilitarized zones, and across physically separate networks. They can also be made available for ad hoc scanning, daily scans, and quick-response audits. When managed with the Security Center, vulnerability recommendations can be sent to the responsible parties, remediation can be tracked, and security patches can be audited.

Features

• Agentless scanning (patch and configuration auditing),
• High-speed vulnerability identification,
• Complete network assessment and discovery.


Nessus Vulnerability Scanner

Type

Network Scanning

Operating System

Windows, Linux, Mac OS, Unix

Hardware Requirements

License

Commercial – Free for personal use

NIAP Validated

Common Criteria Rating

Developer

Tenable Network Security

Availability

http://www.nessus.org/nessus/


NetIQ® Secure Configuration Manager

Abstract

NetIQ Secure Configuration Manager audits system configurations and compares them to corporate policies, previous snapshots, and/or other systems. It also leverages this configuration information to reliably identify vulnerabilities and exposures, using the latest security updates. NetIQ Secure Configuration Manager allows you to demonstrate regulatory compliance and manage IT risks via scored reporting to direct remediation efforts toward issues of highest priority.

NetIQ Secure Configuration Manager

Type

Vulnerability and Patch Management

Operating System

Windows XP Pro, 2000, 2003 Server

Hardware Requirements

License

Commercial

NIAP Validated

Yes

Common Criteria Rating

EAL2 – July 09, 2007

Developer

NetIQ

Availability

http://www.netiq.com/products/vsm/default.asp

Features

• NetIQ ensures configuration changes are identified and controlled. Secure Configuration Manager creates an inventory and baseline of existing system configurations, then compares results against a standard configuration image to highlight deviations.
• Secure Configuration Manager contains packaged security policy templates that align with regulations and standards, providing the intelligence necessary to document and demonstrate compliance with auditors. Role-based exception and workflow management helps enforce secure separation of duties.
• NetIQ Secure Configuration Manager identifies systems exposed to and/or compromised by the latest exploits, including worms, viruses, and blended threats.
• Across the enterprise, NetIQ Secure Configuration Manager measures the level of threats posed by vulnerabilities and compliance exceptions weighted by the importance of managed assets.
• NetIQ Secure Configuration Manager is SCAP Validated and NIAP Common Criteria certified, ensuring it meets the most stringent federal government guidelines on interoperability and secure design.


Network Mapper (Nmap®)

Abstract

Network Mapper (Nmap) is a free open-source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw Internet protocol (IP) packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what OSs (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and console and graphical versions are available.

Features

• Flexible—Nmap supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles.
• Powerful—Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
• Portable—Most operating systems are supported, including Linux, Microsoft Windows, and Unix based systems.
• Easy—Although Nmap offers a rich set of advanced features for power users, the user can start out as simply as nmap -v -A targethost. Both traditional command line and graphical user interface (GUI) versions are available to suit your preference.
• Free—Nmap is available for free download, and also comes with full source code that the user may modify and redistribute under the terms of the license.
• Well Documented—Significant effort has been put into comprehensive and up-to-date pages, white papers, and tutorials.
• Supported—Although Nmap comes with no warranty, it is well supported by the community.


Network Mapper (Nmap)

Type

Network Scanning

Operating System

Linux, MS Windows, Unix

Hardware Requirements

License

Open Source

NIAP Validated

Common Criteria Rating

Developer

Insecure.org

Availability

http://nmap.org/


Nikto v2.03

Abstract

Nikto is an Open Source (general public license) Web server scanner that performs comprehensive tests against Web servers for multiple items, including over 3,500 potentially dangerous files/common gateway interfaces (CGI), versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated.

Features

• Uses rfp’s LibWhisker as a base for all network functionality,
• Main scan database in comma separated variable (CSV) format for easy updates,
• Fingerprint servers via favicon.ico files,
• Determines “OK” vs “NOT FOUND” responses for file type, if possible,
• Determines CGI directories for each server, if possible,
• Switch hypertext transfer protocol (HTTP) versions as needed so that the server understands requests properly,
• Secure Sockets Layer Support (Unix with OpenSSL or maybe Windows with ActiveState’s Practical Extraction and Report Language [PERL]/NetSSL),
• Output to file in plain text, HTML or CSV,
• Plugin support (standard PERL),
• Checks for outdated server software,
• Proxy support (with authentication),
• Host authentication (Basic),
• Watches for “bogus” OK responses,
• Attempts to perform educated guesses for Authentication realms,
• Captures/prints any Cookies received,
• Mutate mode to “go fishing” on Web servers for odd items,
• Builds Mutate checks based on robots.txt entries (if present),
• Scan multiple ports on a target to find Web servers (can integrate Nmap for speed, if available),
• Multiple intrusion detection system evasion techniques,
• Users can add a custom scan database,
• Supports automatic code/check updates (with Web access),
• Multiple host/port scanning (scan list files),
• Username guessing plugin via the cgiwrap program and Apache user methods.

Nikto v2.03

Type

Web Application Scanning

Operating System

Unix, Linux, Windows

Hardware Requirements

License

Open Source

NIAP Validated

Common Criteria Rating

Developer

Cirt.net

Availability

http://www.cirt.net/nikto2


Orascan

Abstract

OraScan is a multi-environment auditing application developed to assess the security of Oracle Web applications. The finely detailed level of auditing supported by OraScan allows systems administrators and security professionals to gain full control of security issues surrounding online applications and front-end servers.

Orascan

Type

Database Scanning

Operating System

Microsoft Windows 2003, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows NT Version 4.0 (Service Pack 4)

Hardware Requirements

License

Commercial

NIAP Validated

Common Criteria Rating

Developer

Next Generation Security Software

Availability

http://www.ngssoftware.com/products/internet-security/orascan.php

OraScan performs robust, in-depth security vulnerability audits, seeking out potential problem areas such as—

• SQL injection,
• XSS,
• Poor Web server configuration.

In addition, OraScan can be deployed to audit the configuration of Internet authentication service Web servers, ensuring that the Web application portion of your database software architecture is free of any security weaknesses.


Paros Proxy v3.2.0Alpha

Abstract

Paros Proxy v3.2.0Alpha is a Java-based Web proxy for assessing Web application vulnerability. It supports editing/viewing HTTP/HTTP Secure (HTTPS) messages on the fly to change items such as cookies and form fields. It includes a Web traffic recorder, Web spider, hash calculator, and a scanner for testing common Web application attacks, such as SQL injection and XSS.

Paros Proxy v3.2.0Alpha

Type

Web Application Scanning

Operating System

All OSs supporting Java 1.4+

Hardware Requirements

N/A

License

Freeware

NIAP Validated

Common Criteria Rating

Developer

Paros

Availability

http://www.parosproxy.org/index.shtml


Proventia® Network Enterprise Scanner

Abstract

Proventia Network Enterprise Scanner is the next generation of the Internet scanner vulnerability assessment tool. Proventia Network Enterprise Scanner is a vulnerability protection system for the entire network that is enhanced with an integrated workflow vulnerability management subsystem and Proventia Enterprise Scanner that enables the user to drive protection measures throughout an infrastructure.

Features

• Vulnerability assessment,
• Complete vulnerability management and protection,
• Scanning-optimized Linux kernel,
• Hardened and secure,
• Multiple scan ports,
• Application fingerprinting,
• Workflow,
• Reporting,
• Asset identification,
• Asset classification,
• Scan windows,
• Automation,
• Scan load balancing/teaming,
• Flexible deployment options,
• Flexible policy management,
• Web-based local management,
• Centralized management system: Proventia Network Scanner is centrally managed using Proventia Management SiteProtector. SiteProtector is a scalable system that allows staff to control, monitor, and analyze events from a centralized console. SiteProtector improves security through correlation and integration with other security products, including—
  • Active/passive scanning through Proventia Network Enterprise Scanner and Proventia Network Anomaly Detection,
  • Scan and block capabilities through Proventia Network Enterprise Scanner and Proventia Network Intrusion Prevention System,
  • Correlation through the SiteProtector Security Fusion module.

Proventia Network Enterprise Scanner

Type

Network Scanning

Operating System

N/A

Hardware Requirements

Vendor supplied scanning appliance

License

Commercial

NIAP Validated

Common Criteria Rating

Developer

IBM

Availability

http://www-935.ibm.com/services/us/index.wss/offering/iss/a1027216


proVM Auditor

Abstract

Prolific Solutions’ proVM Auditor is a vulnerability management tool that uses the output from multiple vulnerability and compliance scanners and aggregates the information into a single view. proVM Auditor presents vulnerability data in meaningful views via a vulnerability matrix that makes managing, tracking, and resolving vulnerabilities simpler and less resource-intensive.

Features

• Expedites compliance reviews
• Maps vulnerabilities to DoD 8500.2 IA Controls
• Facilitates/standardizes C&A processes
• Streamlines administration efforts
• Standard views of vulnerability data
• Reduces manual compliance efforts
• Small footprint; simple to use; does not require installation
• Accepts scanner output from the following Vulnerability Scanners:
  • eEye Retina
  • Lumension PatchLink
  • DISA SRRs
  • DISA Gold Disk
  • Application Security AppDetective
  • Tenable Nessus
  • Nmap
  • Other tools commercial or private can be added upon request

proVM Auditor

Type

Vulnerability and Patch Management

Operating System

Windows

Hardware Requirements

N/A

License

Commercial

NIAP Validated

Common Criteria Rating

Developer

Prolific Solutions

Availability

http://www.prolific-solutions.net/products.htm


QualysGuard® Vulnerability Management

Abstract

QualysGuard Vulnerability Management (VM) automates the life cycle of network auditing and vulnerability management across the enterprise, including network discovery and mapping, asset prioritization, vulnerability assessment reporting, and remediation tracking according to business risk. QualysGuard delivers continuous protection against the latest worms and security threats without the substantial cost, resource, and deployment issues associated with traditional software. As an on demand Software-as-a-Service (SaaS) solution, there is no infrastructure to deploy or manage.

QualysGuard VM enables small to large organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities, including severity levels, time-to-fix estimates, and impact on business, plus trend analysis on security issues.

Features

• Vulnerability KnowledgeBase that incorporates over 6,000 unique checks;
• Non-intrusive detection techniques;
• Inference-based scanning engine;
• Authenticated or unauthenticated scanning capabilities;
• Internal and external scanning;
• Scans are configurable for optimum performance and minimum network load;
• Unique fingerprints for over 2,000 operating systems, applications, and protocols;
• Customization of scans to scan for specific ports/services and specific vulnerabilities;
• Scheduled and automated network discovery and vulnerability scan tasks on a daily, weekly, or monthly basis;
• Automated daily updates to the QualysGuard vulnerability KnowledgeBase;
• Easy access to concise, auto-generated reports via a Web browser;
• Executive Dashboard provides real-time illustration of risk;
• Graph and trend reports for managers;
• Detailed technical reports with verified remediation actions for technicians;
• SANS Top 20 Report provides industry baseline;
• Risk analysis report predicts the likelihood of exposure;
• CVE and Security Focus-linked and Bugtraq-referenced vulnerability checks with detailed remediation instructions;
• Customizable reports for flexible, on demand reporting by business units for executives and managers;
• Export reports to HTML, Microsoft Hypertext Archive, portable document format, CSV, and XML formats.


QualysGuard Vulnerability Management

Type

Network Scanning

Operating System

N/A

Hardware Requirements

Vendor supplied scanning appliance

License

Commercial

NIAP Validated

Common Criteria Rating

Developer

Qualys

Availability

http://www.qualys.com/products/qg_suite/vulnerability_management/


Rational AppScan®

Abstract

IBM Rational Web application security software helps IT and security professionals protect against the threat of attacks and data breaches. Involving more testers in the application security process results in higher quality, more secure applications at a reasonable cost. Rational offers Web application security solutions, including new malware detection capabilities, through the IBM Rational AppScan family of products. AppScan can be used for vulnerability scanning in all stages of application development and by testers with or without security expertise.

Rational AppScan

Type

Web Application Scanning

Operating System

Windows XP, Server 2003

Hardware Requirements

3 GHz CPU, 2 GB+ RAM, 200 MB disk space for installation plus at least 10 GB free space for logs

License

NIAP Validated

Common Criteria Rating

Developer

IBM – Rational

Availability

http://www-01.ibm.com/software/awdtools/appscan/

Features

• AppScan Build Edition—Embeds Web application security testing into the build management workflow,
• AppScan Developer Edition—Automates application security scanning for non-security professionals,
• AppScan Enterprise Edition—Web-based, multiuser solution providing centralized application security scanning and reporting,
• AppScan Express Edition—Provides affordable Web application security for smaller organizations,
• AppScan OnDemand—Identifies and prioritizes Web Application Security vulnerabilities via SaaS Model,
• AppScan OnDemand Production Site Monitoring—Monitors production Web content and sites for security vulnerabilities via SaaS Model,
• AppScan Reporting Console—Provides centralized reporting on Web application vulnerability data,
• AppScan Standard Edition—Desktop solution to automate Web application security testing,
• AppScan Tester Edition—Integrated Web application security testing in the quality assurance process.


Retina Network Security Scanner

Abstract

Retina Network Security Scanner is a professional-grade security solution with a lengthy track record of success. Retina contains all the integrated security and threat management tools needed to effectively identify and remediate the network vulnerabilities that lead to exposure and malicious attacks.

Features

• Discovers the assets in the network infrastructure, including operating system platforms, networked devices, databases, and third party or custom applications. Retina also discovers wireless devices and their configurations, ensuring these connections can be audited for the appropriate security settings. Additionally, Retina scans active ports and confirms the services associated with those ports.
• Implements corporate policy driven scans to audit internal security guidelines and ensure that configuration requirements are enforced and comply with defined standards. These custom scans can also assist with meeting any regulatory compliance requirements (e.g., SOX, HIPAA, GLB, PCI) customers may face.
• Remotely identifies system level vulnerabilities to mimic an attacker’s point of view, providing information that an outsider would see about a network. These remote checks do not require administrator rights, providing an accurate assessment, with fewer resources required to scan across departments, locations, or geographies.
• Incorporates a comprehensive vulnerabilities database and scanning technology, allowing users to proactively secure their networks against attacks.
• Updates are automatically uploaded at the beginning of each Retina session.


Retina Network Security Scanner

Type

Network Scanning

Operating System

Windows

Hardware Requirements

256 MB RAM. Vendor-supplied appliance also available.

License

Commercial

NIAP Validated

Common Criteria Rating

Developer

eEye Digital Security

Availability

http://www.eeye.com/html/products/retina/index.html


SAINT

Abstract

SAINT’s Web-like, easy-to-use GUI makes it easy to scan networks. Every live system on the network is screened for TCP and user datagram protocol (UDP) services. For each service it finds running, it launches a set of probes designed to detect anything that could allow an attacker to gain unauthorized access, create a denial of service, or gain sensitive information about the network. When vulnerabilities are detected, SAINT categorizes the results in several ways, allowing users to target the data they find most useful. SAINT can group vulnerabilities according to severity, type, or count. It can provide information about a particular host or groups of hosts. SAINT describes each of the vulnerabilities it locates and references CVE or Information Assurance Vulnerability Alerts (IAVA), as well as CERT advisories.

SAINT

Type

Network Scanning

Operating System

Unix/Linux platform

Hardware Requirements

256 MB RAM, 150 MB disk space. Vendor-supplied appliances also available.

License

Commercial

NIAP Validated

Common Criteria Rating

Developer

Saint Corporation

Availability

http://www.saintcorporation.com/products/data_sheets/SAINT_data_sheet.pdf

Features

• Includes flexible/customizable scanning options, including SANS/Federal Bureau of Investigation Top 20;
• Scans anything with an IP address running TCP/IP protocols;
• Includes extensive documentation and online tutorials;
• Includes links to patches and new versions of software;
• Runs in remote mode;
• Is easily set up to run unattended using the GUI;
• Provides dynamic reporting capability that allows the user to drill down to get more information about the vulnerability and how to correct it;
• Cross-references vulnerabilities to IAVAs;
• Scans IPv4 or IPv6 addresses;
• Includes control panel that allows the user to stop, pause, and resume scans, and to view results in progress while the scan runs;
• Is certified CVE-compatible by MITRE.


Second Look™

Abstract

Second Look captures, and forensically preserves, a computer’s volatile RAM. It analyzes the Linux operating system kernel in live memory or via a memory image, verifying its integrity and searching for signs of rootkits or other subversive software that have modified the executable kernel code or kernel data structures. With Second Look, analysts and investigators have a tool that provides a comprehensive view of a system, uninfluenced by any malware that might be running on it. Information pulled directly out of memory includes running processes, active network connections, loaded kernel modules, and many other essential system parameters. Second Look uncovers hidden kernel modules, processes, and network activity. Second Look integrates a real-time disassembler that allows inspection of any function or segment of kernel memory.

As threats to computer systems continue to increase in sophistication, traditional post-mortem (dead box) forensic analysis of hard disk contents is no longer sufficient. Advanced exploits allow for the implantation of rootkits and backdoors directly in memory, without an actual file ever touching the disk. Volatile memory must be acquired in a trustworthy fashion, and analyzed with security software such as Second Look.


Second Look

Type

Host Scanning

Operating System

Linux

Hardware Requirements

License

Commercial

NIAP Validated

Common Criteria Rating

Developer

Pikewerks

Availability

http://pikewerks.com/sl


SecureScout® NX

Abstract

SecureScout NX is a third-generation scanning solution that performs real-time testing of global networks and firewalls. The architecture of SecureScout NX implements a centralized console to manage remote test engines and probes, enabling users to quickly and repeatedly scan and report vulnerabilities in distributed networks from a single location. SecureScout NX gives the user an impartial view of whether firewalls have been configured correctly to comply with security policies and protect the network.

SecureScout NX

Type

Network Scanning

Operating System

Windows 2000 SP3/SP4, Windows XP SP1/SP2/SP3, Windows Server 2003 SP1/SP2 (32-bit versions of Windows only)

Hardware Requirements

License

Commercial

NIAP Validated

Common Criteria Rating

Developer

NetVigilance

Availability

http://www.netvigilance.com/nx

SecureScout NX tests highlight information exposed to the outside world that cyber criminals could misuse to attack the organization. Diligent assessment of internal systems enables an organization to manage security risks and reduce potential liability. SecureScout NX delivers the knowledge needed to protect critical information from intruders and prepare countermeasures, making it difficult for attackers to get in. NetVigilance’s security experts continually research information sources for new vulnerabilities, and a secure Web service site automatically updates SecureScout NX. Through differential reporting, users can benchmark their security level at various points in time.


SecureScout® Perimeter

Abstract

The SecureScout Perimeter service probes Internet-connected systems for vulnerabilities before hackers find them. It identifies holes in an Internet infrastructure, scanning beyond the firewall to any device with an IP address.

SecureScout Perimeter

Type: Network Scanning
Operating System: Windows 2000 SP3/SP4, Windows XP SP1/SP2/SP3, Windows Server 2003 SP1/SP2 (32-bit versions of Windows only)
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: NetVigilance
Availability: http://www.netvigilance.com/perimeter


Security Auditor’s Research Assistant (SARA) v7.9.1

Abstract

The Security Auditor’s Research Assistant (SARA) is a third-generation network security analysis tool.

Advanced Research’s philosophy relies heavily on software reuse. Rather than inventing a new module, SARA is adapted to interface with other community products. For instance, SARA interfaces with the popular Nmap package for superior operating system fingerprinting. Also, SARA provides a transparent interface to SAMBA for session message block security analysis. SARA is no longer being developed, and v7.9.1 is the final release.

Features

- Operates under Unix, Linux, Mac OS/X or Windows (through coLinux) OS,
- Integrates the NVD,
- Adapts to many firewalled environments,
- Supports remote self-scan and application programming interface facilities,
- Is used for the Center for Internet Security benchmark initiatives,
- Includes plug-in facility for third-party applications,
- Includes CVE standards support (20040901),
- Has enterprise search module,
- Has stand-alone or daemon mode,
- Offers free-use open SATAN-oriented license,
- Is updated twice a month,
- Provides user extension support,
- Based on the SATAN model.

Security Auditor’s Research Assistant (SARA) v7.9.1

Type: Network Scanning
Operating System: Unix, Linux, Windows (through coLinux)
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Advanced Research Corporation
Availability: http://www-arc.com/sara/


Security Administrator’s Tool for Analyzing Networks (SATAN)

Abstract

Security Administrator’s Tool for Analyzing Networks (SATAN) scans systems connected to the network, noting the existence of well-known, often-exploited vulnerabilities. It examines a remote host or set of hosts and gathers as much information as possible.

Security Administrator’s Tool for Analyzing Networks (SATAN)

Type: Network Scanning
Operating System: Unix/Linux
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Dan Farmer and Wietse Venema
Availability: http://ftp.cerias.purdue.edu/pub/tools/unix/scanners


SNScan v1.05

Abstract

SNScan is a Windows-based simple network management protocol (SNMP) detection utility that can quickly and accurately identify SNMP-enabled devices on a network. This utility can effectively indicate devices that are potentially vulnerable to SNMP-related security threats.

SNScan allows for the scanning of SNMP-specific ports (e.g., UDP 161, 193, 391, and 1993) and the use of standard (i.e., public) as well as user-defined SNMP community names. User-defined community names may be used to more effectively evaluate the presence of SNMP-enabled devices in more complex networks.

SNScan is intended for use by system and network administrators as a fast and reliable utility for information gathering. Although not indicating whether SNMP-enabled devices are vulnerable to specific threats, SNScan can quickly and accurately identify potential areas of exposure to SNMP-related vulnerabilities.

SNScan v1.05

Type: Network Scanning
Operating System: Windows
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Foundstone (A Division of McAfee)
Availability: http://www.foundstone.com/us/resources/proddesc/snscan.htm


ThreatGuard® Secutor Magnus

Abstract

Secutor Magnus is designed specifically to meet the Common Security Configurations requirements set forth by the Office of Management and Budget (OMB). Built for the Information Security Automation Program established by NIST, Magnus fully supports a wide-scale action plan to quickly and continually show that an organization has compliance under control. The entire Secutor line of automated content tools provides standardized assessments, content-driven remediation, and complete mappings to driving requirements with options to easily document deviations from those requirements.

Features

- Test NIST configurations to identify adverse effects on system functionality,
- Automated enforcement,
- Restrict administration to authorized professionals,
- Ensure new acquisitions use standard configurations,
- Patches,
- Automatically determines if computers have all required security patches,
- Performs vulnerability assessment of operating system and major applications,
- Provide documentation of deviations with rationale.

ThreatGuard Secutor Magnus

Type: Vulnerability and Patch Management
Operating System: Windows
Hardware Requirements: Vendor Supplied appliance also available
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Threatguard
Availability: http://www.threatguard.com/products.htm


Triumfant Resolution Manager®

Abstract

Triumfant Resolution Manager continuously scans for unusual changes that are consistent with the behavior and structure of malicious applications. These include unusual auto-start methods, stealth techniques such as those used by root kits, and unusual firewall exceptions. As a result, malicious attacks that are not detected by traditional signature based tools are recognized by Triumfant in real time, along with all of the changes to the machine associated with the attack. Resolution Manager immediately applies its deep analytics to verify that it is indeed an attack and assesses the full extent of the threat.

Resolution Manager uses its diagnosis of the problem and knowledge of the changes to the machine to synthesize a surgical remediation. These remediations do not delete the malicious executable; they repair the damage from the attack, effectively eliminating the need for costly re-imaging. The information about the attack and the remediation is captured so that Resolution Manager can scan the entire population for any other occurrences of the attack, and remediate machines where the attack is detected. Triumfant provides a comprehensive set of reports that deliver visibility into the security readiness of the endpoint environment from an executive summary view down to the details of each machine.

Features

- Malware detection—The ability to detect changes at a granular level allows Triumfant to detect, analyze, and remediate malicious attacks in real-time without the need for signatures or any prior knowledge of the attack.
- Security Configuration Management—Triumfant verifies that the organization’s standard portfolio of endpoint security software is correctly deployed.
- Compliance Management—Triumfant Resolution Manager applies security policies that are customizable from the departmental level down to individual machines. Triumfant also provides policy templates for specific security mandates, such as FDCC SCAP compliance and PCI compliance.
- Vulnerability Management—Triumfant uses the NIST SCAP vulnerability database to scan each computer for known software vulnerabilities, identifying where missing patches create a security exposure.
- Whitelist/Blacklist Management—Triumfant deletes unauthorized software from endpoint computers, and builds custom remediations to ensure that no malicious code is left behind by the deleted application.

Triumfant Resolution Manager

Type: Vulnerability and Patch Management
Operating System:
Hardware Requirements:
License: Commercial
NIAP Validated: Yes
Common Criteria Rating: EAL2+ – March 31, 2009
Developer: Triumfant
Availability: http://www.triumfant.com/products.asp


Typhon III

Abstract

Typhon III is a tool that identifies infrastructure and Web application. Capabilities include the fast and accurate identification of current and historical security vulnerabilities; the nonintrusive vulnerability scanner provides secure quality protection against current threats, including—

- Rootkits,
- Phishing,
- SQL Injection,
- Pharming,
- Confidential Data Theft.

By providing a comprehensive security audit of all hosts in the network, from routers and printers through Web and database servers, Typhon III helps the network to stay secure from threats. Exposing weak passwords in a variety of protocols, it contains a full range of checks for common vulnerabilities and configuration errors. Typhon III can also audit Web applications using its integrated Web spider, a device that will locate every page and script on a Web site (even hidden, unlinked, and test files) and rigorously test for SQL injection and XSS flaws.

Typhon III

Type: Web Application Scanning
Operating System: Windows 2003, 200, XP, NT 4.0 SP6a
Hardware Requirements: 500 MHz CPU, 512 MB RAM, 20 MB disk space (minimum)
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Next Generation Security Software
Availability: http://www.nextgenss.com/products/internet-security/ngs-typhon.php


WebInspect

Abstract

HP WebInspect software is a Web application security assessment software designed to analyze today’s complex Web applications. It delivers fast scanning capabilities, broad assessment coverage, extensive vulnerability knowledge, and accurate Web application scanning results.

Features

- Statically analyze client-side Adobe Flash applications;
- Produce faster scans and more accurate results through the Simultaneous Crawl and Audit (SCA) technology;
- Reduce false positives using Intelligent Engines designed to imitate a hacker’s methodology;
- Increase testing throughput with support for multiple concurrent scans;
- Enter a URL, username, and password to quickly initiate a simple scan for immediate results;
- Innovative scan profiler assists you in optimizing the scan configuration to maximize the effectiveness and accuracy of the scan;
- Depth-first crawling option for Web sites that enforce order-dependent navigation;
- Fingerprinting of Web framework using Smart Assessment technology to reduce unnecessary attacks.

HP WebInspect

Type: Web Application Scanning
Operating System: Windows
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Hewlett Packard
Availability: https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__


WebScarab

Abstract

WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.

In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.

WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S)-based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.

WebScarab

Type: Web Application Scanning
Operating System: Windows, Linux, Mac, Unix
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Rogan Dawes of Corsaire Security
Availability: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

SECTION 6


Related Resources

This section provides additional references: books, Web sites, articles, and papers.

References

1. Carnegie Mellon Software Engineering Institute CERT Coordination Center (n.d.). CERT/CC Statistics 1988-2008. http://www.cert.org/stats/cert_stats.html. (Accessed June 3, 2009).
2. Homeland Security Advisory Council. Report of the Critical Infrastructure Task Report, January 2006.
3. Merriam-Webster Online Dictionary. http://www.merriam-webster.com/. (Accessed June 5, 2009).
4. Schultze, E. “Thinking Like a Hacker.” March 2002. http://pdf.textfiles.com/security/thinkhacker.pdf. (Accessed June 5, 2009).
5. Storms, Andrew (SANS Institute). “Using Vulnerability Tools To Develop an OCTAVE Risk Profile.” December 2003. http://www.sans.org/reading_room/whitepapers/auditing/1353.php?portal=813b67045603408ee90700647. Retrieved 13 March 2007.
6. U.S. Government, Intelligence Community. Analytical Risk Management: A Course Guide for Security Risk Management, May 2003.
7. U.S. Government, National Institute of Standards and Technology, National Vulnerability Database. Security Content Automation Protocol Validated Products. http://nvd.nist.gov/scapproducts.cfm. (Accessed June 3, 2009).
8. U.S. Government, White House. Cyberspace Policy Review. http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf (Accessed June 5, 2009).
9. Spiegel Online International. “Away From the Politics of Fear” – Interview with Homeland Security Secretary Janet Napolitano. http://www.spiegel.de/international/world/0,1518,613330,00.html. (Accessed June 5, 2009).
10. SRI International; Phillip Porras, Hassen Saidi, and Vinod Yegneswaran. An Analysis of Conficker’s Logic and Rendezvous Points. http://mtc.sri.com/conficker. Updated March 19, 2009. (Accessed June 10, 2009).
11. Conficker Working Group Home Page. http://www.confickerworkinggroup.org/wiki/pmwiki.php
12. Cyber Secure Institute. Cyber Secure Institute on the Conficker Controversy. http://cybersecureinstitute.org/blog/?p=15. (Accessed June 11, 2009).
13. Gregory Braunton, SANS Institute. “B.A.S.E – A Security Assessment Methodology”. http://www.sans.org/reading_room/whitepapers/auditing/b_a_s_e_–_a_security_assessment_methodology_1587. (Accessed June 11, 2009).
14. Chairman of the Joint Chiefs of Staff of the Armed Forces. Joint Publication 3-13: Information Operations. February 13, 2006.


SECTION 7


Recommended Resources

Alberts, Christopher and Audrey Dorofee. Managing Information Security Risks: The OCTAVE Approach. Boston: Addison Wesley Professional, 2003.

Braunton, Gregory (SANS Institute). B.A.S.E.—A Security Assessment Methodology, September 2004.

Open Vulnerability Assessment Language. http://oval.mitre.org

Peltier, Thomas R., J. Peltier, and J.A. Blackley. Managing a Network Vulnerability Assessment. Boca Raton, FL: CRC Press LLC, 2003.

Stoneburner, G., A. Goguen, and A. Feringa. Special Publication 800-30—Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology (NIST), 2002.

U.S. Government, Intelligence Community. Analytical Risk Management: A Course Guide for Security Risk Management, 2003.

U.S. Government, Department of Commerce. “Publication 199 - Standards for Security Categorization of Federal Information and Information Systems.” Federal Information Processing Standards (FIPS), 2004.

U.S. Government, National Institute of Standards and Technology, National Vulnerability Database. Security Content Automation Protocol Validated Products. http://nvd.nist.gov/scapproducts.cfm.


SECTION 8


Definitions

- All-hazards/Threat—Circumstances, events, or people with the potential to cause harm to a system. The full spectrum of threats and hazards could include natural disasters (e.g., floods, fires, hurricanes), domestic or international criminal activity, and accidental disruptions such as construction mishaps.
- Critical Asset—Those assets of such importance to an organization that without them the organization’s ability to execute its mission would be significantly degraded or suffer complete failure.
- False Negative—Refers to when a tool fails to find an existing vulnerability.
- False Positive—Refers to when a tool finds a vulnerability that does not exist.
- Risk—A function of the likelihood that a specific hazard/threat will exploit a given vulnerability and that the resulting impact of loss of the critical asset will cause significant degradation or even mission failure of the organization. Written mathematically, risk is the following:

  Threat x Vulnerability x Impact of Loss = Risk

- Risk Assessment—The process of evaluating the impact of loss of an asset, the likely and probable threats, and the vulnerabilities of the asset.
- Risk Management—A process for identifying and prioritizing the impact of loss, threats, and vulnerabilities, and making rational decisions regarding the expenditure of resources and the implementation of countermeasures to reduce the risk of loss.
- Scanning—A periodic examination of traffic activity, system files and permissions, and overall system configuration to determine whether further processing is required.
- Vulnerability—Refers to a weakness in a system’s security scheme, which may include system security procedures, internal controls, or implementation. Exploitation would negatively affect the confidentiality, integrity, or availability of the system or its data.
- Vulnerability Assessment—An examination of the ability of a system or application, including current security procedures and controls, to withstand assault. A vulnerability assessment may be used to a) identify weaknesses that could be exploited; and b) predict the effectiveness of additional security measures in protecting information resources from attack.


SECTION 9


Definitions of Acronyms and Key Terms

Acronym or Term: Definition

ACL: Access Control List
ARP: Address Resolution Protocol
CERT: Computer Emergency Response Team
CGI: Common Gateway Interface
COPS: Computer Oracle and Password
COTS: Commercial Off-the-Shelf
CPU: Central Processing Unit
CSV: Comma Separated Variable
CVE: Common Vulnerabilities and Exposures
DHS: Department of Homeland Security
DISA: Defense Information Systems Agency
DoD: Department of Defense
DSII: DominoScan II
DSS: Data Security Standard
DTIC: Defense Technical Information Center
ePO: ePolicy Orchestrator
ESSG: Enterprise-Wide Information Assurance and Computer Network Defense Solutions Steering Group
FDCC: Federal Desktop Core Configuration
FISMA: Federal Information Security Management Act of 2002
GB: Gigabyte
GHz: Gigahertz
GLBA: Gramm-Leach Bliley Act
GUI: Graphical User Interface
HBSS: Host Based Security System
HIPAA: Health Insurance Portability and Accountability Act
HIPS: Host Intrusion Prevention System
HSPD-7: Homeland Security Presidential Directive 7
HTML: HyperText Markup Language
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
IA: Information Assurance
IAC: Information Analysis Center
IATAC: Information Assurance Technology Analysis Center
IAVA: Information Assurance Vulnerability Alert
IP: Internet Protocol
IPS: Intrusion Prevention System
IT: Information Technology
MB: Megabyte
MBSA: Microsoft Baseline Security Analyzer
MHz: Megahertz
MA: McAfee Agent
MU: Microsoft Update
NIAP: National Information Assurance Partnership
NIST: National Institute of Standards and Technology
Nmap: Network Mapper®
NVD: National Vulnerability Database
OMB: Office of Management and Budget
OS: Operating System
OVAL: Open Vulnerability Assessment Language
PA: Policy Auditor
PCI: Payment Card Industry
PEO-IAN: Information Assurance/Network Operations Program Executive Office
PERL: Practical Extraction and Report Language
PHP: Hypertext Preprocessor
RAM: Random Access Memory
RSD: Rogue System Detection
SaaS: Software-as-a-Service
SANS: SysAdmin, Audit, Network, Security
SARA: Security Auditor’s Research Assistant
SATAN: Security Administrator’s Tool for Analyzing Networks
SCAP: Security Content Automation Protocol
SCCM: System Center Configuration Manager
SMS: Systems Management Server
SNMP: Simple Network Management Protocol
SOX: Sarbanes-Oxley Act
SQL: Structured Query Language
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
URL: Uniform Resource Locator
VM: Vulnerability Management
WSUS: Windows Server Update Services
XML: eXtensible Markup Language
XSS: Cross-Site Scripting
