Information Assurance Tools Report
Fifth Edition
September 25, 2009

Vulnerability Assessment

Distribution Statement A
Approved for public release; distribution is unlimited.

Table of Contents

SECTION 1 Introduction ... 1
  1.1 Purpose ... 2
  1.2 Scope ... 2
  1.3 Report Organization ... 2

SECTION 2 IT Risk Management Overview ... 5
  2.1 Background ... 5
  2.2 Growth in IT Incidents and Vulnerabilities ... 5
  2.3 What is Risk Management? ... 6

SECTION 3 Automated Vulnerability Assessment Tools ... 9
  3.1 How Vulnerability Assessment Tools Work ... 9
  3.2 Definition Box ... 9
  3.3 How Vulnerability Assessment Tools Can Be Incorporated into a Security Plan ... 11

SECTION 4 Tool Collection ... 13
  4.1 Classification ... 13
  4.2 Tool Selection Criteria ... 13

SECTION 5 Vulnerability Analysis Tools ... 15
  Acunetix Web Vulnerability Scanner ... 16
  AppDetective ... 17
  ASG Information Assurance Application (IA2) ... 18
  BigFix Security Configuration and Vulnerability Management Suite ... 19
  Computer Oracle and Password (COPS) ... 20
  CORE IMPACT ... 21
  DominoScan II ... 22
  DumpSec v2.8.6 ... 23
  eTrust Policy Compliance ... 24
  Fortiscan Vulnerability Management ... 25
  GFI LANguard ... 26
  Gideon SecureFusion Vulnerability Management ... 27
  Host Based Security System (HBSS) ... 28
  Internet Scanner ... 29
  Lumension Scan ... 30
  MBSA 2.1 ... 31
  McAfee Vulnerability Manager ... 32
  Metasploit ... 33
  N-Stalker Web Application Security Scanner ... 34
  nCircle IP360 ... 35
  Nessus Vulnerability Scanner ... 36
  NetIQ Secure Configuration Manager ... 37
  Network Mapper (Nmap) ... 38
  Nikto v2.03 ... 39
  Orascan ... 40
  Paros Proxy v3.2.0Alpha ... 41
  Proventia Network Enterprise Scanner ... 42
  proVM Auditor ... 43
  QualysGuard Vulnerability Management ... 44
  Rational AppScan ... 45
  Retina Network Security Scanner ... 46
  SAINT ... 47
  Second Look ... 48
  SecureScout NX ... 49
  SecureScout Perimeter ... 50
  Security Auditor's Research Assistant (SARA) v7.9.1 ... 51
  Security Administrator's Tool for Analyzing Networks (SATAN) ... 52
  SNScan v1.05 ... 53
  ThreatGuard Secutor Magnus ... 54
  Triumfant Resolution Manager ... 55
  Typhon III ... 56
  WebInspect ... 57
  WebScarab ... 58

SECTION 6 Related Resources ... 59
SECTION 7 Recommended Resources ... 61
SECTION 8 Definitions ... 63
SECTION 9 Definitions of Acronyms and Key Terms ... 65

IA Tools Report

SECTION 1

Introduction

The Information Assurance Technology Analysis Center (IATAC) provides the Department of
Defense (DoD) with emerging scientific and technical information to support Information
Assurance (IA) and defensive information operations. IATAC is one of 10 Information Analysis
Centers (IAC) sponsored by DoD and managed by the Defense Technical Information Center
(DTIC). IACs are formal organizations chartered by DoD to facilitate the use of existing scientific
and technical information. Scientists, engineers, and information specialists staff each IAC.
IACs establish and maintain comprehensive knowledge bases that include historical, technical,
scientific, and other data and information, which are collected worldwide. Information
collections span a wide range of unclassified, limited-distribution, and classified information
appropriate to the requirements of sponsoring technical communities. IACs also collect, maintain,
and develop analytical tools and techniques, including databases, models, and simulations.
IATAC's mission is to provide DoD with a central point of access for information on emerging technologies in IA and cyber security. These include technologies, tools, and associated techniques for detection of, protection against, reaction to, and recovery from information warfare and cyber attacks that target information, information-based processes, information systems, and information technology. Specific areas of study include IA and cyber security threats and vulnerabilities, scientific and technological research and development, and technologies, standards, methods, and tools through which IA and cyber security objectives are being or may be accomplished.

As an IAC, IATAC's basic services include collecting, analyzing, and disseminating IA scientific and technical information; responding to user inquiries; database operations; current awareness activities (e.g., the IAnewsletter, IA Digest, IA/Information Operations Events Scheduler, and IA Research Update); and publishing State-of-the-Art Reports, Critical Review and Technology Assessment reports, and Tools Reports.

The IA Tools Database is one of the knowledge bases maintained by IATAC. This knowledge base contains information on a wide range of intrusion detection, vulnerability analysis, firewall, and anti-malware tools. Information for the IA Tools Database is obtained via open-source methods, including direct interface with various agencies, organizations, and vendors. Periodically, IATAC publishes a Tools Report to summarize and elucidate a particular subset of the tools information in the IATAC IA Tools Database that addresses a specific IA or cyber security challenge. To ensure applicability to Warfighter and Research and Development Community (Program Executive Officer/Program Manager) needs, the topic areas for Tools Reports are solicited from the DoD IA community or based on IATAC's careful ongoing observation and analysis of the IA and cyber security tools and technologies in which that community expresses a high level of interest.

Inquiries about IATAC capabilities, products, and services may be addressed to:

Gene Tyler, Director
13200 Woodland Park Road, Suite 6031
Herndon, VA 20171
Phone: 703/984-0775
Fax: 703/984-0773
Email: iatac@dtic.mil
URL: http://iac.dtic.mil/iatac
SIPRNET: https://iatac.dtic.mil

1.1 Purpose

This report provides a brief background on information technology (IT) risk assessment and risk management concepts, a short primer on vulnerability assessment tools, and an index of vulnerability assessment tools contained in the IATAC IA Tools Database. Moreover, the report provides users with an understanding of why engaging in risk management activities such as conducting vulnerability and risk assessments is an important aspect of assuring that your critical IT assets can effectively support your critical missions. Finally, this report provides a summary of the characteristics and capabilities of publicly available vulnerability assessment tools. IATAC does not endorse, recommend, or evaluate the effectiveness of any specific tools. The written descriptions are based solely on the suppliers' claims and are intended only to highlight the capabilities and features of each tool. These descriptions do not reflect the opinion of IATAC. It is up to the readers of this document to assess which product, if any, might best meet their needs. Technical questions concerning this report may be addressed to iatac@dtic.mil.

The majority of the tools identified in the IA Tools Database are available on the Internet, and many are used by attackers in the first stage of an attack: vulnerability information gathering. Penetration tools that perform destructive actions (e.g., denial of service attacks) are excluded from this category. Sniffers and Trojan Horse programs are also excluded. Although many network utilities (e.g., host, finger) are valuable in identifying vulnerabilities on a host, they are often an automated component of vulnerability analysis tools and therefore are not individually described in the database. The database includes commercial products, individually developed tools, government-owned tools, and research tools. It was built by gathering as much open-source data as possible, analyzing that data, and summarizing the basic description, requirements, availability, and contact information for each vulnerability analysis tool collected. Generally, the commercially developed products are available. The government and academic tools, however, are reserved for specific projects and organizations.

1.2 Scope

Currently, the IATAC database contains descriptions of numerous tools that can be used to support vulnerability and risk assessment activities. Vulnerability analysis tools are programs that help automate the identification of vulnerabilities in a network or system. Vulnerabilities can be defined as weaknesses in a system's security scheme, exploitation of which would negatively affect the confidentiality, integrity, or availability of the system or its data. The type and level of detail of information provided by tools varies greatly. Although some can identify only a minimal set of vulnerabilities, others can perform a greater degree of analysis and provide detailed recommended countermeasures. The most recent development in vulnerability management is the ability for a tool to scan for vulnerabilities, analyze the impact of each vulnerability, determine a solution, identify the appropriate patches and security fixes, and finally even deploy those patches in near real time.

1.3 Report Organization

This report is organized into nine sections. Section 1 provides an introduction to IATAC and the vulnerability analysis tools report. Section 2 summarizes the fundamentals of IT risk assessment and risk management. Section 3 provides background information on how automated vulnerability assessment tools work. Section 4 explains the classification of tools highlighted in this report, how they were selected, and the schema of the IA Tools Database. Section 5 includes a listing of currently available host, network, Web-application, and database-application vulnerability scanners as well as tools able to manage vulnerabilities in all of the scanning areas and apply patches. Sections 6 and 7 list related and recommended resources on the topic of vulnerability assessment. Finally, Sections 8 and 9 contain IA-related definitions and a list of acronyms and key terms, respectively.

SECTION 2 IT Risk Management Overview

2.1 Background

Critical infrastructures, both cyber and physical, provide the foundation for and enable the functioning of every facet of American society. [2] In view of the heightened concerns about the wide variety of threats and hazards that our nation faces and the potential impact on the ability of our critical infrastructure to resiliently support overarching missions, the executive branch has issued a number of actions that assign responsibilities, direct planning, and enhance training to protect the nation's critical infrastructure and respond to all types of threats. Homeland Security Presidential Directive 7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection (dated December 2003), and The National Strategy to Secure Cyberspace and The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (both dated February 2003) specifically address the different threats and the protection/assurance of the nation's most vital resources by providing overarching policy guidance. These all focused on defensive strategies, and HSPD-7 did not address the protection of federal government information systems. The Comprehensive National Cybersecurity Initiative (CNCI), codified in the classified directive known as National Security Presidential Directive (NSPD)-54/HSPD-23, aims to unify defensive missions in cyber security with those of law enforcement, intelligence, counterintelligence, and the military to defend against the full spectrum of threats to the nation's critical infrastructure.

In the constantly evolving world of IT, ensuring that our vital systems remain operational is of paramount importance and in line with the national strategy. To this end, Secretary Janet Napolitano of the Department of Homeland Security (DHS) has adopted a policy of being prepared for "all risks that can occur" [9] to assure the resiliency of our nation's critical infrastructures. Cyber assets obviously make up a significant portion of our nation's critical assets and also support even more critical assets by acting as a supporting infrastructure.

2.2 Growth in IT Incidents and Vulnerabilities

Automated attacks on information systems, and especially attacks against Internet-connected systems, continue to grow at such a rate that they are viewed as almost commonplace. In fact, as of 2004, Carnegie Mellon's Computer Emergency Response Team (CERT) stopped tracking the number of incidents reported per year because it believes that number provides little information with regard to assessing the scope and impact of attacks. [1] The number of incidents reported from 1988 through the end of 2003 is shown in Figure 1. Carnegie Mellon's CERT now tracks the number of vulnerabilities reported each year. Figure 2 shows the number of vulnerabilities reported from 1995 through the end of the third quarter of 2008.

Along with the continually increasing number of incidents and the rising number of known vulnerabilities, the speed at which systems are attacked also continues to accelerate. Identifying vulnerabilities and addressing them in a timely manner is crucial to maintaining a secure environment and saves money in the long run. The vulnerability that the Conficker worm exploited was discovered in September 2008, and Microsoft released a patch (MS08-067) in October 2008. Conficker was not released until November 2008 and has had multiple variants, labeled Conficker.A through Conficker.E (as of the time of writing). Minimal estimates of Conficker infections are around three million, while more realistic estimates range from nine million to 15 million total infections. [11] The economic impact of addressing the worm ranges from the hundreds of millions to billions of dollars. If more organizations had identified the vulnerability and applied the patch when Microsoft first released it, Conficker would have been a non-issue.

2.3 What is Risk Management?

Many different risk assessment and management methodologies exist within the public and private domains. Therefore, to fully understand risk management, it is important to first define and understand risk. According to the Merriam-Webster Dictionary, risk is defined as "the possibility of loss or injury." Insurance companies often view risk as "the degree or probability of such loss." [3] Although there are numerous definitions of risk, all definitions are composed of three basic components:

- Assets (i.e., read it as impact of loss),
- Threats (i.e., read it as all possible hazards),
- Vulnerabilities.

Figure 1 Number of Security Incidents Reported (1988-2003)

Figure 2 Number of Vulnerabilities Reported (1995-Third Quarter 2008)

Assets

An asset in the general sense is firm property or information that is of significant value (known as a critical asset). In risk management, an asset refers to the amount of damage losing a firm asset will cause if something bad occurs. Given that most enterprise networks have hundreds or thousands of networked information systems, vulnerability analysis and assessment by manual methods are virtually impossible. In addition, it is impossible to completely ensure that all assets are secure. Therefore, it is imperative that information security managers and system owners focus on identifying only their critical assets: those assets without which the organization's key missions would be significantly degraded or cease to function. This is a key part of the risk assessment process.

Threats

Risks to critical assets can come from a variety of threats that can be considered possible hazards and usually fall into three categories:

- Man-made (intentional),
- Natural disaster,
- Accidental (unintentional) disruptions.

Therefore, an effective approach to threats will consider the full spectrum of threats and hazards, including natural disasters (e.g., floods, fires, hurricanes), domestic or international criminal activity, construction mishaps such as cutting fiber optic lines, and other types of incidents.

Vulnerabilities

Vulnerabilities are often defined as openings or pathways that a given threat can exploit to do harm to a critical asset. With the three main components of risk in mind, a picture of risk can be formulated. Risk is viewed as the area where all three circles overlap, as illustrated in Figure 3. Articulated as a mathematical formula, risk looks like the following:

Risk = Threat x Vulnerability x Cost of Asset

Figure 3 Components of Risk Diagram

Because our world is constantly changing, risk management is an ongoing activity. For example, technology is continually evolving, especially in the IT world, which introduces new vulnerabilities. Threats continue to evolve as well, and sometimes even what is designated as a critical asset changes because the needs and priorities of an organization change. Risk management can save resources, time, and even lives.

We can now more fully define risk as a function of the likelihood that a specific hazard/threat will exploit a given vulnerability and that the resulting impact of loss of the critical asset will cause significant degradation or even mission failure of the organization.

With a firm understanding of risk, risk management can now be defined. Typically, risk management is a process for identifying and prioritizing the cost of assets, threats, and vulnerabilities, then making rational decisions regarding the expenditure of resources and the implementation of countermeasures to reduce the risk of loss associated with the exploitation of critical assets. Figure 4 illustrates the risk assessment and management processes.

Figure 4 Risk Assessment and Management Process

From this point forward, this report focuses on the vulnerability portion of the risk equation.

SECTION 3 Automated Vulnerability Assessment Tools

3.1 How Vulnerability Assessment Tools Work
Vulnerability assessment tools, in general, work by attempting to automate the first three steps often employed by hackers: 1) perform a footprint analysis, 2) enumerate targets, 3) test/obtain access through user privilege manipulation (see Table 1). The vulnerability assessment tools evaluate network-attached devices (servers, desktops, switches, routers, etc.) for vulnerable or potentially vulnerable situations. Often the vulnerabilities that are identified by these tools are programming flaws; however, some tools provide enough data that an analyst can uncover design, implementation, and configuration vulnerabilities.

In the case of network-based tools, a network footprint analysis is performed by scanning for accessible hosts. As accessible hosts are identified, the tools enumerate the network services available on each (e.g., file transfer protocol, hypertext transfer protocol). As part of service enumeration, scanners attempt to identify vulnerabilities through banner grabbing, port status, protocol compliance, service behavior, or exploitation. These terms are defined in Section 3.2 of this document.

Some advantages of vulnerability assessment tools are that they

- More clearly define an asset,
- Discover technological and network vulnerabilities,
- Provide multi-perspective viewpoints,
- Help properly scope the analysis,
- Reference public catalogs,
- Highlight design, implementation, and configuration vulnerabilities.

When a scanner finds a host with open ports, it checks the services on those ports for known vulnerabilities. Most scanners include active exploit checks that verify whether a given service or application is actually vulnerable, rather than inferring it from a version banner alone. Most scanning tools perform tests based on their database of vulnerabilities. Just as anti-virus products must be constantly updated with new signatures, assessment tools must be continually updated with revisions to their vulnerability databases. If a vulnerability is not included in a tool's database, it cannot be detected through scanning.

3.2 Definition Box

Hacker's Methodology: a common approach to system exploitation

1. Perform a footprint analysis
2. Enumerate targets
3. Test/obtain access through user privilege manipulation
4. Escalate privileges
5. Gather additional passwords and secrets
6. Install backdoors
7. Leverage the compromised system

Table 1 Hacker's Methodology

Banner Grabbing
This term refers to grabbing information that a network service broadcasts about itself. For example, opening a telnet session to a mail server might yield the following message:

220 mailhost.company.com ESMTP service (Netscape Messaging Server 4.15 Patch 7 [built September 11, 2001])

This example banner reveals the specific type of mail server that is running and its patch level. Similarly, a telnet connection to a Web server might yield information such as the following:

HTTP/1.1 200 OK
Date: Wed, 02 Jul 2003 22:03:21 GMT
Server: Apache/1.3.27 (Win32) PHP/4.2.2
X-Powered-By: PHP/4.2.1
Connection: close
Content-Type: text/html

In this case, the banner reveals the time on the Web server, the Web server type and version, an accessible scripting language (hypertext preprocessor [PHP]), and the operating system on which it is running. Note that banners are only self-reported: an administrator can edit or suppress them, and a back-ported security fix may leave an old version string in place, so a finding based on a banner alone should be treated as a lead to confirm rather than as proof.

Port Status
This term refers to checking to determine which network ports are open to allow connections to applications. For network services that use Transmission Control Protocol (TCP), this is done by sending a TCP connect() request to ports on the remote system. If the queried port is listening, the connect() completes the three-way handshake and the port is considered open; if the remote system answers with a reset, the connect() fails and the port is considered closed (no answer at all usually indicates a filtering device in the path). There are several other methods of checking port status, such as TCP SYN [synchronize] scans, TCP FIN [finish] scans, and so forth, that are beyond the scope of this report.
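Putting the enumeration techniques described above together (the footprint-then-enumerate flow of Section 3.1, banner grabbing, and connect()-based port status), here is an added example in Python; it is not code from the report or from any of the tools it lists. It starts two constructed stand-in services on 127.0.0.1 that speak the two banners quoted under Banner Grabbing, then runs a minimal scanner against them: a TCP connect() per port to establish status, a banner read (with an HTTP request as the fallback probe for services that wait for the client to speak first), and a match against a small assumed signature table standing in for a scanner's vulnerability database. The signature entries, the fake services and the port numbers are all constructed for the example.

```python
import re
import socket
import threading

# Constructed signature "database": a regular expression applied to the banner
# and the finding it maps to. Illustrative entries only; a real scanner ships
# thousands and must be updated as often as anti-virus signatures.
BANNER_SIGNATURES = [
    (r"Netscape Messaging Server 4\.15", "Netscape Messaging Server 4.15 reported in SMTP greeting"),
    (r"^Server: Apache/1\.3\.27", "Apache 1.3.27 reported in Server header"),
    (r"^X-Powered-By: PHP/4\.", "PHP 4.x exposed by X-Powered-By header"),
]
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"  # for services that wait for the client


def port_status(host, port, timeout=1.0):
    """Port status via TCP connect(): a completed handshake means 'open'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # refused (RST) or no answer within the timeout (filtered)
            return "closed"
        return "open"


def _recv(sock):
    try:
        return sock.recv(1024)
    except socket.timeout:
        return b""


def grab_banner(host, port, timeout=1.0):
    """Read what the service volunteers on connect (SMTP, FTP); if it stays
    silent, send an HTTP request and read the response headers instead."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        data = _recv(s)
        if not data:
            s.sendall(HTTP_PROBE)
            data = _recv(s)
    return data.decode("latin-1", "replace")


def match_banner(banner):
    """Look the banner up in the signature set; an unknown banner yields no findings."""
    return [finding for pattern, finding in BANNER_SIGNATURES
            if re.search(pattern, banner, re.MULTILINE)]


def scan_host(host, ports):
    """Enumerate the given ports, grab a banner from each open one, match signatures."""
    report = {}
    for port in ports:
        entry = {"status": port_status(host, port), "banner": "", "findings": []}
        if entry["status"] == "open":
            entry["banner"] = grab_banner(host, port)
            entry["findings"] = match_banner(entry["banner"])
        report[port] = entry
    return report


def start_fake_service(banner, speaks_first=True):
    """Constructed stand-in for a target on 127.0.0.1. SMTP-style services greet
    on connect (speaks_first=True); HTTP-style ones answer only after a request.
    Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    if not speaks_first:
                        conn.settimeout(5.0)
                        if not conn.recv(1024):  # client left without asking
                            continue
                    conn.sendall(banner)
                except OSError:  # client closed early (e.g. a bare connect scan)
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def reserve_closed_port():
    """Return a port on 127.0.0.1 with no listener (bind ephemeral, then release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":  # demo against the two banners quoted in the report
    smtp, stop1 = start_fake_service(b"220 mailhost.company.com ESMTP service (Netscape "
                                     b"Messaging Server 4.15 Patch 7 [built September 11, 2001])\r\n")
    http, stop2 = start_fake_service(b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.27 (Win32) PHP/4.2.2\r\n"
                                     b"X-Powered-By: PHP/4.2.1\r\nConnection: close\r\n\r\n",
                                     speaks_first=False)
    for port, entry in scan_host("127.0.0.1", [smtp, http, reserve_closed_port()]).items():
        print(port, entry["status"], entry["findings"])
    stop1.set()
    stop2.set()
```

Two points from the Port Status definition show up directly in the code: a refused connection and a silent one are both reported as "closed" here, which is the simplification a plain connect() scan makes, and the findings are only as good as the signature table, so a Postfix greeting or a patched Apache with an edited Server header produces no finding at all.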

Protocol Compliance
This term refers to the way an application or operating system adheres to a standard procedure for data processing or transmission. One of the most common ways of using protocol compliance to identify remote systems is to interrogate the TCP stack. By examining the header fields of the packets the remote system sends in response to a probe, it is possible to make accurate guesses regarding the remote operating system. By examining the Time To Live of the packet, its Window Size, the Don't Fragment bit, and the Type of Service, it is possible in many cases to determine exactly which implementation of the TCP stack is on the remote system. (See Figure 5.) Determining the TCP stack narrows the number of possible operating systems, sometimes identifying the exact operating system.

Figure 5 TCP Connection (3-way Handshake)
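The TCP-stack interrogation described under Protocol Compliance, as an added example in Python (not from the report or from any tool it names). It parses the IPv4 and TCP headers of a SYN/ACK, pulls out the four fields the text lists (TTL, window size, DF bit, ToS), rounds the observed TTL up to a likely initial value to obtain both a hop-count estimate and a stable lookup key, and matches the result against a small fingerprint table. The table entries are assumed for illustration only; real tools such as Nmap and p0f carry far larger signature sets and probe several packet types. The sample packets are constructed with build_syn_ack rather than captured from a network.

```python
import struct

# Constructed fingerprint table keyed on (initial TTL, window size, DF bit, ToS).
# Values are assumed for illustration; Nmap and p0f carry hundreds of real entries.
STACK_FINGERPRINTS = {
    (64, 5840, True, 0): "Linux 2.4/2.6 (assumed signature)",
    (128, 65535, True, 0): "Windows (assumed signature)",
    (255, 4128, False, 0): "Cisco IOS (assumed signature)",
}

# Starting TTL values used by common stacks; an observed TTL is rounded up to one of these.
INITIAL_TTLS = (32, 64, 128, 255)


def parse_ip_tcp(packet):
    """Extract the header fields used for fingerprinting from a raw IPv4+TCP packet."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, tos, _total, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4            # IHL is in 32-bit words; options may follow
    tcp = packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {
        "ttl": ttl, "tos": tos, "df": bool(flags_frag & 0x4000),  # DF is bit 14 of flags/frag
        "window": window, "flags": off_flags & 0x01FF,            # low 9 bits are TCP flags
        "sport": sport, "dport": dport,
    }


def initial_ttl(observed):
    """Round the observed TTL up to the nearest common starting value."""
    for start in INITIAL_TTLS:
        if observed <= start:
            return start
    return observed


def fingerprint(packet):
    """Guess the remote TCP stack from one SYN/ACK and estimate the hop count.
    Returns (guess, hops, parsed_fields)."""
    fields = parse_ip_tcp(packet)
    start = initial_ttl(fields["ttl"])
    key = (start, fields["window"], fields["df"], fields["tos"])
    return STACK_FINGERPRINTS.get(key, "unknown stack"), start - fields["ttl"], fields


def build_syn_ack(ttl, window, df, tos=0, sport=80, dport=40000):
    """Constructed SYN/ACK reply used as sample input; checksums are left zero
    because nothing here verifies them."""
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, flags_frag, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x012, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for pkt in (build_syn_ack(52, 5840, True), build_syn_ack(116, 65535, True),
                build_syn_ack(250, 4128, False), build_syn_ack(60, 1234, True)):
        guess, hops, f = fingerprint(pkt)
        print(f"ttl={f['ttl']} win={f['window']} df={f['df']} -> {guess}, about {hops} hops away")
```

The TTL normalization is the step that makes the technique work across the Internet: a Linux host 12 routers away answers with TTL 52, and only after rounding it back to 64 does the key match. It is also the step an administrator can defeat by changing the default TTL or window size, which is why a fingerprint narrows the candidates rather than proving the OS.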

Service Behavior
This term refers to the way a network service responds to remote requests. Different implementations of a given type of service may behave slightly differently in response to the same request. For example, the response to a HELP command from a Sendmail email server differs from the response of a Postfix email server.

Exploitation
Computer network exploitation (CNE) refers to the enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks. [14] CNE can be accomplished through a variety of means such as packet sniffing, hijacking TCP connections, port scanning, and address resolution protocol (ARP) spoofing. For example, ARP spoofing is a technique used to exploit Ethernet networks. This type of spoofing can be used in two different ways:

- Sending fake, or spoofed, ARP messages to an Ethernet local area network,
- As part of a man-in-the-middle attack.

The first means of exploitation is accomplished by sending ARP replies that bind an IP address to a false media access control (MAC) address, thus poisoning the ARP caches of other hosts and confusing network devices such as switches. The resulting effect is that frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or to an unreachable host (a denial of service attack). The second means of exploitation is accomplished by using ARP spoofing to forward all traffic through an attacker-controlled host and then analyzing the frames for passwords and other information.
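The ARP spoofing just described, seen from the defender's side, as an added example in Python; it is not from the report and is a simplified version of what a monitor such as arpwatch does, written for this page. It parses Ethernet II/ARP frames, learns IP-to-MAC bindings from replies, and raises an alert when a reply claims an IP already bound to a different MAC (the cache-poisoning step of both attacks above) or when the ARP sender address disagrees with the Ethernet source address. The frames, MAC and IP addresses, and the "trusted gateway" binding are all constructed for the example.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame):
    """Parse an Ethernet II frame carrying an ARP packet (RFC 826 layout, IPv4 over Ethernet)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_src": fmt_mac(src), "eth_dst": fmt_mac(dst), "op": oper,
            "sha": fmt_mac(sha), "spa": fmt_ip(spa), "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}


class ArpWatcher:
    """Learns IP -> MAC bindings from ARP replies and reports claims that conflict
    with a trusted (static) or previously learned binding."""

    def __init__(self, trusted=None):
        self.table = dict(trusted or {})   # e.g. the default gateway, entered by hand
        self.alerts = []

    def observe(self, frame):
        """Return an alert string for a suspicious reply, None otherwise."""
        a = parse_arp_frame(frame)
        if a["op"] != ARP_REPLY:           # requests do not assert a binding
            return None
        if a["sha"] != a["eth_src"]:       # ARP sender and Ethernet source disagree
            alert = f"sender MAC {a['sha']} does not match frame source {a['eth_src']} for {a['spa']}"
        elif a["spa"] in self.table and self.table[a["spa"]] != a["sha"]:
            alert = f"{a['spa']} was {self.table[a['spa']]}, now claimed by {a['sha']}"
        else:
            self.table.setdefault(a["spa"], a["sha"])   # first sighting: learn it
            return None
        self.alerts.append(alert)
        return alert


def build_arp_reply(sha, spa, tha, tpa, eth_src=None):
    """Constructed ARP reply (Ethernet II + ARP) used as sample input. eth_src defaults to sha."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = struct.pack("!6s6sH", mac(tha), mac(eth_src or sha), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp


if __name__ == "__main__":
    gateway, victim, attacker = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
    watcher = ArpWatcher(trusted={"10.0.0.1": gateway})
    frames = [
        build_arp_reply(gateway, "10.0.0.1", victim, "10.0.0.20"),    # gateway answers victim
        build_arp_reply(victim, "10.0.0.20", gateway, "10.0.0.1"),    # victim answers gateway
        build_arp_reply(attacker, "10.0.0.1", victim, "10.0.0.20"),   # attacker poses as gateway
        build_arp_reply(attacker, "10.0.0.20", gateway, "10.0.0.1"),  # attacker poses as victim
    ]
    for frame in frames:
        print(watcher.observe(frame))
```

The two poisoned replies at the end are the pair an attacker sends to sit in the middle of the victim-to-gateway path; the watcher flags both because it already holds the genuine bindings. Seeding the table with the gateway's real MAC matters: a learning-only monitor that starts up after the attacker does will happily learn the spoofed binding as the baseline.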

3.3 How Vulnerability Assessment Tools Can Be Incorporated into a Security Plan

Security plans are a critical aspect of a firm's or organization's secure operations. Security plans, or more precisely, system security plans, are specific guidelines and procedures to accomplish the secure setup, operation, and maintenance of an information system. To effectively implement a system security plan for a large infrastructure, it is necessary to leverage security technology to automate the important and otherwise time-consuming aspects of security operations.

Tools for scanning are invaluable for gaining a snapshot of the vulnerabilities that exist on a given network at a given point in time. Most scanning tools include a reporting option or module that explains the vulnerabilities detected and provides a ranking of the criticality of each problem (e.g., high, medium, low). To enhance the security of your systems, assessments should be performed on a routine basis. This gives users and administrators assurance that known vulnerabilities have been found and addressed (a vulnerability scan does not, by itself, show that a system is free of malicious code). Because thousands of vulnerabilities are reported each year, systems must be scanned at regular and frequent intervals to ensure that they are not susceptible to attack. In addition, when new hosts are connected to the system, networks must be checked for the risks that these new systems might bring to the overall network. Checks must also be conducted when newly discovered weaknesses in existing applications and operating systems are announced. After all, a fundamental tenet of security is that a chain is only as strong as its weakest link and a wall is only as strong as its weakest point. Smart attackers are going to seek out that weak point and concentrate their attention there. [13] A single host that is vulnerable to attack puts the entire network at risk.
The identification of vulnerabilities on a system is only half the challenge. The other half is fixing the vulnerabilities that are found. Identified vulnerabilities can be corrected via patches, updates, or even reconfiguring the system. Finding the time and money to correct a vulnerability can be a challenge. The system and network administrators must work with management to share the information that was found during the assessment and weigh the costs of correcting the vulnerability against the benefits. There are tools that can automatically patch a large number of vulnerabilities and systems, but they are often very expensive. Managers and administrators need to understand their environment and choose a solution that fits. A manager can choose not to spend the money on a more robust patch management solution, but must realize that manpower must replace what he or she has chosen not to purchase in an automated solution.

Unfortunately, scanning tools suffer from false positive and false negative problems in vulnerability identification that are similar to those of anti-virus products. A false positive means that a tool reports a vulnerability that does not exist. For example, a particular scanner may report that a network server is a Windows 2000 system that is vulnerable to a known Microsoft Internet Information Server (IIS) Web server bug, when in fact the server is a Linux system running the Apache Web server. A false negative means that a tool fails to find an existing vulnerability. An example of this behavior could be when a particular tool tests a network host and fails to discover that it is remotely exploitable through an anonymous login.

Ultimately, common sense must be applied to all findings to ensure that meaningful vulnerabilities are corrected; however, time should not be wasted on erroneous results. Finding the right balance can sometimes be difficult. One potential strategy for reducing the number of false positives and false negatives is to run two different scanners against a given network and compare the results. In most cases, the results of the two tools will complement each other, reducing the chance that a weakness is overlooked (though two tools that draw on the same signature source can share the same blind spots). In all cases, it is necessary to have a knowledgeable and responsible security professional who can effectively leverage security tools to manage the security operations of an organization.

SECTION 4 Tool Collection

4.1 Classification

Existing community relationships were leveraged


during the process of data gathering on the tools.
Collection activities included Internet searches to
identify additional corporations, professional
organizations, and universities with involvement in
vulnerability analysis.
The tools described in the IATAC IA Tools Database
can be categorized within one or more of the topical
areas listed below
- Host scanning: Host-scanning tools scan critical system files, active processes, file shares, and the configuration and patch level of a particular system. The results produced by this type of tool are usually very detailed because they run on the host system at the same permission level as the user conducting the scan. Although host-based tools provide very detailed results, the volume of data produced by these scans (i.e., when conducted across several hosts) can sometimes be difficult to aggregate and correlate into results (imagine an administrator trying to physically visit and test 1,000 workstations).
- Network scanning: Network-scanning tools scan available network services for vulnerabilities through banner grabbing, port status, protocol compliance, service behavior, or exploitation.
- Web application scanning: Web application-scanning tools, designed specifically for the Web, are a specialized form of network or host scanner that interrogates Web servers or scans Web source code for known vulnerabilities (e.g., DominoScan). These tools often search for the presence of default accounts, directory traversal attacks, form validation errors, insecure cgi-bin files, demonstration Web pages, and other vulnerabilities.
- Database application scanning: Database application-scanning tools that are specifically designed for databases are a unique form of network scanner. These tools interrogate database servers for known vulnerabilities (e.g., AppDetective).
- Vulnerability and patch management: The category of Vulnerability and Patch Management has tools that wrap up many aspects of vulnerability management. These tools address vulnerabilities, policy compliance, patch management, configuration management, and reporting. They are meant to be all-in-one solutions that make managing very large networks and domains efficient and require as little manpower as possible.

4.2 Tool Selection Criteria

The selected tools meet the following three criteria:

- Definition: These tools satisfy the objective, approach, and methodology of a vulnerability analysis tool based on the definition of vulnerability.
- Specificity to vulnerability analysis: The primary function of these tools is vulnerability analysis or vulnerability management. These tools may also be used during the first stages of a penetration attack as a way of identifying the target system's weaknesses and helping to fine-tune the attack. Penetration test tools, whose primary purpose is to exploit identified vulnerabilities and cause damage or destruction to the target system, are not included.
- Current availability: The tools that are included in this report are currently available from the Government, academia, or commercial sources, or as freeware on the Internet. Some tools that were included in previous versions of this report are no longer available or have been renamed. All tools from previous releases of this report that are no longer available have been removed.


SECTION 5
Vulnerability Analysis Tools

Section 5 summarizes pertinent information, providing users a brief description of available vulnerability analysis tools and vendor contact information. Again, IATAC does not endorse, recommend, or evaluate the effectiveness of these tools. The written descriptions are drawn from vendors' information and are intended only to highlight the capabilities or features of each product. It is up to the reader to assess which product, if any, may best suit his or her security needs.
Trademark Disclaimer
The authors have made a best effort to indicate
registered trademarks where they apply, based on
searches in the U.S. Patent and Trademark Office
Trademark Electronic Search System for live
registered trademarks for all company, product, and
technology names. There is a possibility, however,
that due to the large quantity of such names in this
report, some trademarks may have been overlooked
in our research. We apologize in advance for any
trademarks that may have been inadvertently
excluded, and invite the trademark registrants to
contact the IATAC to inform us of their trademark
status so we can appropriately indicate these
trademarks in our next revision. Note that we have
not indicated non-registered and non-U.S.
registered trademarks due to the inability to
research these effectively.

Legend for Tables

For each tool described in this section, a table is provided that gives certain information about that tool. This information includes:

Type: The type of tool, or category to which the tool belongs, e.g., Web Application Scanning.

Operating System: The operating system(s) on which the tool runs. If the tool is an appliance, this field contains a not-applicable symbol (N/A) because the operating system is embedded in the tool.

Hardware: The third-party hardware platform(s) on which the tool runs, plus any significant additional hardware requirements, such as minimum amount of random access memory or free disk space. If the tool is an appliance, this field contains a not-applicable symbol (N/A) because the hardware is incorporated into the tool.

License: The type of license under which the tool is distributed, e.g., Commercial, Freeware, GNU Public License.

NIAP Validated: An indication of whether the product has received a validation by the National Information Assurance Partnership (NIAP) under the Common Criteria, Federal Information Processing Standard 140, or another certification standard for which NIAP performs validations. If no such validation has been performed, this field is blank.

Common Criteria: If the tool has received a Common Criteria certification, the Evaluation Assurance Level and date of that certification. If no such certification has been performed, this field is blank.

Developer: The individual or organization responsible for creating and/or distributing the tool.

URL: The Uniform Resource Locator (URL) of the Web page from which the tool can be obtained (downloaded or purchased), or in some cases the Web page at which the supplier can be notified with a request to obtain the tool.

IATAC does not endorse any of the following product evaluations.


Acunetix Web Vulnerability Scanner

Abstract
Acunetix's engineers have focused on Web security since 1997 and have developed tools for Web site analysis and vulnerability detection.

Features
- AcuSensor Technology;
- An automatic JavaScript analyzer allowing for security testing of Ajax and Web 2.0 applications;
- Structured Query Language (SQL) injection and cross-site scripting (XSS) testing;
- Visual macro recorder allows for testing Web forms and password-protected areas;
- Reporting facilities, including VISA Payment Card Industry (PCI) compliance reports;
- Multi-threaded scanner crawls hundreds of thousands of pages;
- Crawler detects Web server type and application language;
- Acunetix crawls and analyzes Web sites, including Flash content, SOAP, and AJAX;
- Port scans a Web server and runs security checks against network services running on the server.

Acunetix Web Vulnerability Scanner
Type: Web Application Scanning
Operating System: Windows XP, Vista, 2000, Server 2003
Hardware Requirements: 1 gigabyte (GB) random access memory (RAM), 100 megabyte (MB) disk space
License: Commercial (Free Trial Copy)
NIAP Validated:
Common Criteria Rating:
Developer: Acunetix
Availability: http://www.acunetix.com/vulnerability-scanner/


AppDetective

Abstract
A network-based vulnerability assessment scanner, AppDetective discovers database applications within an infrastructure and assesses their security strength. In contrast to piecemeal solutions, AppDetective modules allow enterprises to assess two primary application tiers, application/middleware and back-end databases, through a single interface. Backed by a proven security methodology and extensive knowledge of application-level vulnerabilities, AppDetective locates, examines, reports, and fixes security holes and misconfigurations. As a result, enterprises can proactively harden their database applications while at the same time improving and simplifying routine audits.

Features
- Automated database discovery and inventory,
- User rights management,
- Job scheduling,
- Database-specific vulnerability assessment,
- Compliance mapping,
- Outside-in and inside-in vulnerability testing,
- Industry-leading database vulnerability knowledge base,
- Automated information gathering and analysis,
- Scalable database scanning,
- Advanced, customizable reporting.

AppDetective
Type: Database Scanning
Operating System: Windows XP, Server 2003
Hardware Requirements: 750 Megahertz (MHz) central processing unit (CPU), 512 MB RAM, 300 MB disk space
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Application Security, Inc.
Availability: http://www.appsecinc.com/products/appdetective/


ASG Information Assurance Application (IA2)

Abstract
ASG's Information Assurance Application (IA2) automates the reporting requirements of DISA. IA2 automatically parses, stores, tracks, and reports on the Defense Information Systems Agency's (DISA) Security Readiness Review, third-party vulnerability scanner results, and DISA's Security Checklists.

IA2 has the ability to synchronize the local database with the third-party vulnerability scanners as well as the DISA Security Readiness Review scripts. All of the data from each source is combined and cross-referenced, giving a complete view of your environment. IA2 also incorporates a robust reporting solution allowing for tracking, trending, and ad hoc reporting.

Features
- Federal Information Security Management Act of 2002 (FISMA) automation,
- Vulnerability gap analysis,
- Scanner cross-referencing,
- Information drilldown,
- Automated security checklist,
- Accepts third-party scans,
- Advanced reporting,
- Trending,
- Automatically updates signatures,
- Automatic reporting,
- Ad hoc reporting,
- Secure communication,
- Secure data storage,
- Distributed architecture,
- Windows authentication,
- Role-based security.

Supported Scanners
- Foundstone,
- Harris STAT,
- eEye,
- Nessus,
- nCircle.

ASG Information Assurance Application (IA2)
Type: Vulnerability and Patch Management
Operating System:
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Atlantic Systems Group, Inc. (ASG)
Availability: http://www.asg.cc/IA2/


BigFix Security Configuration and Vulnerability Management Suite

Abstract
Offered as part of the BigFix Security Configuration and Vulnerability Management suite, BigFix Vulnerability Management reduces risk across the enterprise for all assets, whether they are fixed or mobile, desktops, laptops, or servers. Through a repository of vulnerability assessment policies, BigFix provides organizations with the ability to assess their managed systems against Open Vulnerability Assessment Language (OVAL)-based vulnerability definitions. Each managed endpoint quietly and continuously evaluates the state of the endpoint and reports on any non-compliant policy in real time by leveraging the power of the BigFix Unified Management platform. Additionally, the BigFix high-performance architecture enables the industry's fastest time to remediation and closely bridges assessment with remediation by applying necessary patch and configuration policies.

Features
- Assess managed endpoints against known vulnerabilities using pre-defined, out-of-the-box OVAL-based policy definitions;
- Identify and eliminate known vulnerabilities across hundreds of thousands of endpoints using automated policy enforcement or manual deployment;
- Continuously enforce policies on or off the network;
- Map all vulnerabilities to industry standards to provide Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System references and links to the National Vulnerability Database (NVD);
- Integrate with BigFix Patch Management and Security Configuration Management for comprehensive assessment and remediation of identified vulnerabilities;
- Create flexible, on-demand ad-hoc custom queries and reports;
- Security Content Automation Protocol (SCAP) validated.

BigFix Security Configuration and Vulnerability Management Suite
Type: Vulnerability and Patch Management
Operating System: Windows Server 2000/2003/2008
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: BigFix
Availability: http://www.bigfix.com/content/vulnerability-management


Computer Oracle and Password (COPS)

Abstract
Computer Oracle and Password (COPS) is a security toolkit that examines a system for a number of known weaknesses, and it alerts the system administrator to these weaknesses. In some cases, it can automatically correct these problems.

Computer Oracle and Password (COPS)
Type: Database Scanning
Operating System: Unix
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Dan Farmer
Availability: http://ftp.cerias.purdue.edu/pub/tools/unix/scanners


CORE IMPACT

Abstract
CORE IMPACT Pro is a comprehensive software solution for assessing the security of network systems, endpoint systems, email users, and Web applications. Backed by Core Security's ongoing vulnerability research and threat expertise, IMPACT Pro allows you to get in-depth visibility of your organization's network and application vulnerabilities.

Features
- Gather system information via Network Discovery, Port Scanner, and operating system (OS) and Service Identification modules;
- Identify critical OS, service, and application vulnerabilities with a constantly updated library of Commercial-Grade Exploits;
- Demonstrate the consequences of a breach by replicating the steps an attacker would take, including opening command shells, browsing file systems, and seeking administrative privileges;
- Emulate multistaged threats that leverage compromised systems as beachheads to launch internal attacks against backend network resources;
- Run tests without installing modules on compromised systems, or altering them in any way;
- Generate reports containing actionable data for prioritizing remediation, demonstrating security improvements, and complying with regulations;
- CORE IMPACT Pro enables you to test Web applications against XSS (URL-based), SQL Injection, Blind SQL Injection, and Remote File Inclusion for PHP applications;
- Identify weaknesses in Web applications, Web servers, and associated databases with no false positives;
- Dynamically generate exploits that can compromise security weaknesses in custom applications;
- Demonstrate the consequences of a successful attack by replicating local attacks against backend resources;
- Get actionable data necessary for focusing development resources on remediating proven security issues.

CORE IMPACT
Type: Network Scanning
Operating System: Windows XP, Windows Vista
Hardware Requirements: 3 Gigahertz (GHz) Pentium 4+ CPU, 1 GB+ RAM, 1 GB+ disk space, 1024x768+ resolution
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Core Security Technologies
Availability: http://www.coresecurity.com/content/core-impact-overview


DominoScan II

Abstract
Specially developed to present the attacker's-eye view of the security issues surrounding Lotus Domino Web servers and bespoke Notes applications. Running on Microsoft Windows, DominoScan II (DSII) has the capability to audit Lotus Domino Web Servers running on any operating system. Using an NGSSoftware-developed technique (Database Structure Enumeration) allows DSII to interrogate every view, form, and agent within a database, even if access control list (ACL) access protection has been invoked. It will perform an exhaustive range of tests on each document, auditing over one hundred sensitive and default databases and subjecting all documents to a vigorous set of vulnerability assessment checks.

Features
- Attempts to gain access to over 100 sensitive/default databases;
- Web Administrator template access using ReplicaID;
- Web Administrator template access using buffer truncation;
- cache.dsk access using buffer truncation;
- Directory traversal;
- Database browsing;
- Audits bespoke databases;
- Unique database structure enumeration technology;
- Finds hidden and visible views;
- Default Navigator Access;
- Attempts to bypass default Navigator protection;
- Evaluates database design;
- Checks every document for Edit access;
- Attempts a forced search;
- ReadEntries & ReadViewEntries access;
- Reporting in HyperText Markup Language (HTML) (Static/Dynamic), eXtensible Markup Language (XML), Text file, rich text format, and Open Database Connectivity (Microsoft) database;
- Fast, easy to use, and highly configurable;
- Can perform focused audits;
- Unique Spidering capability offering intelligent scanning;
- Ability to scan as an authenticated user;
- Ability to perform QuickHit audit;
- Vulnerability link to CVE.

DominoScan II
Type: Web Application Scanning
Operating System: Windows 2003, 2000, XP, NT 4.0
Hardware Requirements: 500 MHz Pentium III, 512 MB RAM, 20 MB disk space
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Next Generation Security Software
Availability: http://www.nextgenss.com/products/internet-security/dominoscan.php


DumpSec v2.8.6

Abstract
SomarSoft's DumpSec is a security auditing program for Microsoft Windows NT/XP/200x. It dumps the permissions (Discretionary Access Control Lists) and audit settings (System Access Control Lists) for the file system, registry, printers, and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group, and replication information.

DumpSec v2.8.6
Type: Host Scanning
Operating System: Windows NT/XP/200x
Hardware Requirements:
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: SomarSoft
Availability: www.somarsoft.com


eTrust Policy Compliance

Abstract
eTrust Policy Compliance provides enterprises with the tools and information necessary to eliminate one of the most overlooked threats to networks: misconfigured assets. eTrust Policy Compliance helps organizations identify and compare the security configurations of their critical business assets to an established baseline, provides configuration remediation, and measures progress through risk-based reporting. eTrust Policy Compliance provides a comprehensive policy and configuration assessment process to mitigate risk and ensure compliance with security policies, government regulations, and industry standards.

Features
- Identify misconfigured IT assets,
- Create secure configuration baselines and monitor deviations,
- Provide configuration remediation and measure progress through risk-based reporting,
- Offer extensible tools and open interfaces for custom security configuration management.

eTrust Policy Compliance
Type: Network Scanning
Operating System: Linux, Windows, Unix
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Computer Associates
Availability: http://www3.ca.com/solutions/Product.aspx?ID=165


Fortiscan Vulnerability Management

Abstract
FortiScan provides a centrally managed, enterprise-scale solution that enables organizations to close IT compliance gaps and implement continuous monitoring in order to audit, evaluate, and comply with internal, industry, and regulatory policies for IT controls and security at the OS level. Organizations realize quick time-to-value with easy-to-install, intuitive, high-value standard compliance policies (National Institute of Standards and Technology [NIST] SCAP, Federal Desktop Core Configuration [FDCC], PCI Data Security Standard [DSS], Sarbanes-Oxley Act [SOX], Gramm-Leach-Bliley Act [GLBA], Health Insurance Portability and Accountability Act [HIPAA]) ready out of the box, with regular updates by FortiGuard to ensure OS regulatory compliance requirements are met. FortiScan dedicated hardware appliances easily plug into the network for fast deployment. FortiScan integrates endpoint vulnerability management, industry and federal compliance, patch management, remediation, auditing, and reporting into a single, unified appliance for immediate results. A centralized administration console facilitates management of multiple FortiScan appliances across the enterprise.

Features
- Identifies security vulnerabilities and finds compliance exposures on hosts, servers, and throughout the network transparently to end users;
- Network discovery, asset prioritization, and profile-based scanning;
- Industry, regulatory, and best practices, including templates for ISO 17799, SOX, HIPAA, GLBA, NIST, SCAP, and FISMA;
- Audits and monitors across heterogeneous systems and provides industry-standard benchmarks for information security compliance audits for operating systems;
- Aids compliance for regulatory mandates with 360-degree reporting, analysis, and views;
- Delivers patch management with ready-to-deploy remediation and enforcement actions, allowing network managers to change configurations and potentially mitigate weak settings, including disabling an application or denying a network request;
- Reduced errors, repeatable processes, and predictable results delivered with extensive libraries of templates that enable IT staff to leverage industry-standard best practices that produce measurable results.

Fortiscan Vulnerability Management
Type: Vulnerability and Patch Management
Operating System: N/A
Hardware Requirements: Vendor-supplied hardware
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Fortinet
Availability: http://www.fortinet.com/products/fortiscan/


GFI LANguard

Abstract
Scans a network and ports to detect, assess, and correct security vulnerabilities with minimal administrative effort. GFI LANguard performs network scans using vulnerability check databases based on OVAL and the SysAdmin, Audit, Network, Security (SANS) Top 20, providing over 15,000 vulnerability checks.

- Patch Management: GFI LANguard has built-in patch management features that can automatically download missing Microsoft security updates, as well as automatically deploy the missing Microsoft patches or service packs over the network at the end of scheduled scans.
- Hardware and Software Management: GFI LANguard's network auditing feature retrieves hardware information on memory, processors, display adapters, storage devices, motherboard details, printers, and ports in use, and monitors any changes that may occur. GFI LANguard can also monitor a software baseline, informing administrators when a new program is installed, and can automatically uninstall unauthorized applications.

GFI LANguard
Type: Vulnerability and Patch Management
Operating System: Windows, Mac OS, Linux
Hardware Requirements: 1 GHz CPU, 512 MB RAM, 500 MB disk space (minimum; scanning more hosts requires higher specs, see documentation for details)
License: Commercial (free version available)
NIAP Validated:
Common Criteria Rating:
Developer: GFI
Availability: http://www.gfi.com/lannetscan


Gideon SecureFusion Vulnerability Management

Abstract
Part of the SecureFusion suite, Vulnerability Management scans for thousands of known vulnerabilities in operating systems, infrastructure, network applications, and databases. The vulnerability signatures are updated on a daily basis and provide checks for the most recent security vulnerabilities.

The SecureFusion Portal provides a complete view of assets, vulnerabilities, configuration details, and policy compliance metrics. Instead of outdated spreadsheets and cumbersome tools that cannot correlate data, the SecureFusion Portal helps you intelligently analyze your IT environment regarding unmanaged assets, vulnerabilities, improper settings, and the reasons behind failed compliance checks.

SecureFusion is built on the additive intelligence of four core capabilities:
- Asset discovery: performs continuous audits of managed and unmanaged assets with no impact to the network;
- Vulnerability management: conducts ongoing, active vulnerability detection and reporting for operating systems, infrastructure, network applications, and databases;
- Configuration management: continuously compares system configuration and compliance with IT security standards;
- Policy management: initiates, reviews, publishes, and maintains security policies.

Vulnerability Management offers:
- End-to-end automation and workflow,
- System patch reporting,
- Results filtering,
- Automated signature updates,
- Target blacklisting,
- Bandwidth throttling,
- Massive scalability,
- Dynamic report building,
- Automated scheduling.

Gideon SecureFusion Vulnerability Management
Type: Vulnerability and Patch Management
Operating System:
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Gideon Technologies
Availability: http://www.thegideongroup.com/vulnerability-management.asp


Host Based Security System (HBSS)

Abstract
The Host Based Security System (HBSS) baseline is a flexible, commercial off-the-shelf (COTS)-based application. It monitors, detects, and counters known cyber threats to the DoD Enterprise. Under the sponsorship of the Enterprise-wide Information Assurance and Computer Network Defense Solutions Steering Group (ESSG), the HBSS solution will be attached to each host (server, desktop, and laptop) in DoD. The system will be managed by local administrators and configured to address known exploit traffic using an Intrusion Prevention System (IPS) and host firewall. DISA Information Assurance/Network Operations Program Executive Office (PEO-IAN) is providing the program management and supporting the deployment of this solution.

Scope
The scope of the HBSS deployment is worldwide. This vast effort requires a large support infrastructure to be in place. DISA PEO-IAN has instituted support services to enable the comprehensive implementation of the HBSS system to all the combatant commands, services, agencies, and field activities.

Features
- ePolicy Orchestrator (ePO) management suite;
  - Central security manager;
  - Enables the installation, management, and configuration of the HBSS components;
  - View reports to help monitor deployments, vulnerabilities, and protection levels;
- McAfee Agent (MA);
  - Provides local management of all HBSS products collocated on the host;
  - Runs silently in the background to gather information and events from managed systems;
  - Sends collected data to the ePO server;
  - Manages modules and software updates of other HBSS products on the host system;
  - Enforces policies on the host machines;
- Host Intrusion Prevention System (HIPS);
  - Enforces security policy;
  - Adds a robust layer of protection to the MA end-point asset that includes known and unknown buffer overflow exploit protection, prevention of malicious code installation/execution, and identification of activities that deviate from DoD or organizational policy;
- Asset Information (formerly referred to as the INFOCON);
  - Generates snapshots of asset configurations to facilitate detection of changes made to authorized baselines;
- Rogue System Detection (RSD);
  - Detects all systems connecting to the network;
  - Identifies unmanaged (or Rogue) systems present on the network;
- Policy Auditor (PA);
  - Scans remote computers to determine compliance with defined policies;
  - Identifies host vulnerabilities on the network.

Host Based Security System (HBSS)
Type: Vulnerability and Patch Management
Operating System: Windows
Hardware Requirements:
License: Commercial/Government
NIAP Validated:
Common Criteria Rating:
Developer: DISA/DoD
Availability: http://www.disa.mil/news/pressresources/factsheets/hbss.html


Internet Scanner

Abstract
The Internet Scanner vulnerability assessment application minimizes risk by identifying the security holes or vulnerabilities in the network so the user can protect the network before an attack occurs. Internet Scanner can identify more than 1,300 types of networked devices on a network, including desktops, servers, routers/switches, firewalls, security devices, and application routers. Internet Scanner analyzes the configurations, patch levels, operating systems, and installed applications to find vulnerabilities that could be exploited by hackers trying to gain unauthorized access.

Features
- Unlimited asset identification,
- Dynamic check assignment,
- Common policy editor,
- Real-time display,
- Vulnerability catalog,
- Comprehensive reporting,
- Centralized vulnerability management features,
- Enterprise-class scalability,
- Remote scanning,
- Enterprise reporting,
- Automatic security content updates,
- Command scheduler,
- Asset management,
- Real-time display,
- User administration.

Internet Scanner
Type: Network Scanning
Operating System: Windows 2000 Professional/SP4, Windows Server 2003 Standard SP1, Windows XP Professional SP1a
Hardware Requirements: 1.2 GHz CPU, 512 MB RAM, 650 MB disk space (minimum)
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Internet Security Systems (owned by IBM)
Availability: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1027208


Lumension Scan

Abstract
Lumension Scan, a component of Lumension Vulnerability Management, is a complete stand-alone, network-based scanning solution that performs a comprehensive external scan of all devices connected to your network, both managed and unmanaged. Once assets are identified, the powerful, yet easy-to-use Lumension Scan detects weaknesses on these devices before they can be exploited.

Features
- Rapid and complete asset discovery and inventory of all devices on the network,
- Thorough and accurate network-based software and configuration vulnerability assessment,
- Risk-based vulnerability prioritization for identified threats,
- Continuously updated vulnerability database for orderly remediation,
- Comprehensive management and audit reporting.

Lumension Scan
Type: Network Scanning
Operating System: Windows XP Pro SP2+, Windows Server 2003 SP1+, Windows Server 2003 R2+
Hardware Requirements: 2 GHz CPU, 1 GB RAM, 20 GB disk space, 1024x768 monitor resolution
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Lumension
Availability: http://www.lumension.com/vulnerabilitymanagement/software-vulnerabilityassessment.jsp?rpLangCode=1&rpMenuId=150835


MBSA 2.1

Abstract
Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool that helps small and medium businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products, including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS), System Center Configuration Manager (SCCM) 2007, and Small Business Server.
MBSA 2.1 is the latest version of Microsoft's free security and vulnerability assessment scan tool for administrators, security auditors, and IT professionals. MBSA 2.1 offers Windows Vista and Windows Server 2008 compatibility, a revised user interface, 64-bit support, improved Windows Embedded support, and compatibility with the latest versions of the Windows Update Agent based on MU. MBSA 2.1 is also compatible with MU, Windows Server Update Services 2.0 and 3.0, the SMS Inventory Tool for Microsoft Update, and SCCM 2007.

Type: Host Scanning
Operating System: Windows XP, Vista, Windows Server 2003, 2008
Hardware Requirements: x86, IA64, x64
License: Free
NIAP Validated:
Common Criteria Rating:
Developer: Microsoft
Availability: http://technet.microsoft.com/en-us/security/cc184924.aspx


McAfee Vulnerability Manager

Abstract
McAfee Vulnerability Manager (formerly McAfee Foundstone Enterprise) uses a priority-based approach that combines vulnerability, asset data, and countermeasures to help you make more informed decisions. It uses threat intelligence and correlation data to determine how emerging threats and vulnerabilities on networked systems affect your risk profile, so that you deploy resources where they are needed most. Improve operational efficiency and security protection while meeting tough mandates outlined in SOX, FISMA, HIPAA, and PCI DSS. Vulnerability Manager is available as software or a secure, hardened appliance. Both increase the efficiency of your existing resources, resulting in a low cost of ownership. If you prefer a hosted option, choose the McAfee Vulnerability Management Service.
It performs credential-based scans of UNIX, Cisco IOS, and Microsoft Windows platforms for correct patching. The Content Release Calendar provides automatic updates, including new OS support, vulnerability scan scripts, and compliance checks. Vulnerability Manager integrates with your existing technologies and with other McAfee products, leveraging your investments. McAfee Network Security Platform correlates Vulnerability Manager data to inform you of the most relevant threats targeting your systems. McAfee Risk and Compliance Manager (formerly McAfee Preventsys) collects data from Vulnerability Manager to calculate risks, monitor risk scores, and automate compliance reporting. McAfee ePolicy Orchestrator feeds asset and system protection data into Vulnerability Manager for accurate assessments.

Type: Vulnerability and Patch Management
Operating System: Windows Server 2000 or 2003
Hardware Requirements: Dual core or dual processor CPU at 2 GHz, RAM 2 GB, 80 GB disk space, ethernet interface. Preconfigured vendor supplied appliances also available.
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: McAfee
Availability: http://www.mcafee.com/us/enterprise/products/risk_and_vulnerablity_management/vulnerability_manager.html


Metasploit

Abstract
The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.
The framework consists of tools, libraries, modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload.

Type: Network Scanning
Operating System: Windows, Linux, Mac
Hardware Requirements:
License: Open Source
NIAP Validated:
Common Criteria Rating:
Developer: Metasploit, LLC
Availability: http://www.metasploit.com/home/


N-Stalker Web Application Security Scanner

Abstract
N-Stalker Web Application Security Scanner 2009 is a Web Security Assessment solution developed by N-Stalker. By incorporating the N-Stealth HTTP Security Scanner and its 39,000 Web Attack Signature database, along with a patent-pending Component-oriented Web Application Security Assessment technology, N-Stalker is a security tool for developers, system/security administrators, IT auditors, and staff.

Features
• N-Stalker is a security assessment tool designed to crawl and evaluate custom Web Applications. It does not rely on out-of-box signatures.
• N-Stalker is used for either custom or off-the-shelf Web applications, including large financial customers, government agencies, foreign intelligence services, and armed forces.
• N-Stalker will inspect common Web application vulnerabilities, including Open Web Application Security Project Top 10, Common Weakness Enumeration Top 25 (see cwe.mitre.org), and a wide range of issues that affect overall security.
• N-Stalker will scan for both Web server infrastructure and application layers. Currently, there are more than 39,000 Web attack signatures included in our database to identify weakness in a Web server and third-party software components.
• N-Stalker implements its own patent-pending component-oriented Web application security analysis technology, an assessment methodology.

Type: Web Application Scanning
Operating System: Windows (Windows 2000 or later)
Hardware Requirements: 1 GB RAM, 500 MB disk space
License: Commercial, Free
NIAP Validated:
Common Criteria Rating:
Developer: N-Stalker
Availability: http://nstalker.com/products


nCircle IP360

Abstract
As a component of nCircle's security risk and compliance management suite, IP360 is a vulnerability and risk management system, enabling enterprises and government agencies to cost-effectively measure and manage their security risk. IP360 comprehensively profiles all networked devices and their applications, vulnerabilities, and configurations, and includes coverage for over 25,000 conditions (operating systems, applications, vulnerabilities, and configurations), providing the ideal foundation for assessing every system on the network. IP360's agentless architecture is designed for rapid deployment and ease of management across large, globally distributed networks.

Features
• Comprehensive, agentless discovery and profiling of all network assets for over 25,000 conditions;
• Enterprise scalability, ease of deployment, and operational effectiveness;
• Integrated network topology risk analysis for identifying the highest priority vulnerabilities;
• Integrated Web application scanning to identify security risk in Web applications;
• Flexible reporting across all levels of the enterprise.

Type: Vulnerability and Patch Management
Operating System: N/A
Hardware Requirements: Vendor supplied scanning appliance
License: Commercial
NIAP Validated: Yes
Common Criteria Rating: EAL3 May 16, 2005
Developer: nCircle
Availability: http://www.ncircle.com/index.php?s=products_ip360


Nessus Vulnerability Scanner

Abstract
The Nessus vulnerability scanner is an active scanner, featuring high-speed discovery, asset profiling, and vulnerability analysis of the user's security posture. Nessus scanners can be distributed throughout an entire enterprise, inside demilitarized zones, and across physically separate networks. They can also be made available for ad hoc scanning, daily scans, and quick-response audits. When managed with the Security Center, vulnerability recommendations can be sent to the responsible parties, remediation can be tracked, and security patches can be audited.

Features
• Agentless scanning (patch and configuration auditing),
• High-speed vulnerability identification,
• Complete network assessment and discovery.

Type: Network Scanning
Operating System: Windows, Linux, Mac OS, Unix
Hardware Requirements:
License: Commercial, Free for personal use
NIAP Validated:
Common Criteria Rating:
Developer: Tenable Network Security
Availability: http://www.nessus.org/nessus/


NetIQ Secure Configuration Manager

Abstract
NetIQ Secure Configuration Manager audits system configurations and compares them to corporate policies, previous snapshots, and/or other systems. It also leverages this configuration information to reliably identify vulnerabilities and exposures, using the latest security updates.
NetIQ Secure Configuration Manager allows you to demonstrate regulatory compliance and manage IT risks via scored reporting to direct remediation efforts toward issues of highest priority.

Features
• NetIQ ensures configuration changes are identified and controlled. Secure Configuration Manager creates an inventory and baseline of existing system configurations, then compares results against a standard configuration image to highlight deviations.
• Secure Configuration Manager contains packaged security policy templates that align with regulations and standards, providing the intelligence necessary to document and demonstrate compliance with auditors. Role-based exception and workflow management helps enforce secure separation of duties.
• NetIQ Secure Configuration Manager identifies systems exposed to and/or compromised by the latest exploits, including worms, viruses, and blended threats.
• Across the enterprise, NetIQ Secure Configuration Manager measures the level of threats posed by vulnerabilities and compliance exceptions weighted by the importance of managed assets.
• NetIQ Secure Configuration Manager is SCAP Validated and NIAP Common Criteria certified, ensuring it meets the most stringent federal government guidelines on interoperability and secure design.

Type: Vulnerability and Patch Management
Operating System: Windows XP Pro, 2000, 2003 Server
Hardware Requirements:
License: Commercial
NIAP Validated: Yes
Common Criteria Rating: EAL2 July 09, 2007
Developer: netIQ
Availability: http://www.netiq.com/products/vsm/default.asp


Network Mapper (Nmap)

Abstract
Network Mapper (Nmap) is a free open-source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw Internet protocol (IP) packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what OSs (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and console and graphical versions are available.

Features
• Flexible: Nmap supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles.
• Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
• Portable: Most operating systems are supported, including Linux, Microsoft Windows, and Unix based systems.
• Easy: Although Nmap offers a rich set of advanced features for power users, the user can start out as simply as nmap -v -A targethost. Both traditional command line and graphical user interface (GUI) versions are available to suit your preference.
• Free: Nmap is available for free download, and also comes with full source code that the user may modify and redistribute under the terms of the license.
• Well Documented: Significant effort has been put into comprehensive and up-to-date pages, white papers, and tutorials.
• Supported: Although Nmap comes with no warranty, it is well supported by the community.

Type: Network Scanning
Operating System: Linux, MS Windows, Unix
Hardware Requirements:
License: Open Source
NIAP Validated:
Common Criteria Rating:
Developer: Insecure.org
Availability: http://nmap.org/


Nikto v2.03

Abstract
Nikto is an Open Source (General Public License) Web server scanner that performs comprehensive tests against Web servers for multiple items, including over 3,500 potentially dangerous files/common gateway interfaces (CGI), versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated.

Features
• Uses rfp's LibWhisker as a base for all network functionality,
• Main scan database in comma-separated values (CSV) format for easy updates,
• Fingerprint servers via favicon.ico files,
• Determines OK vs NOT FOUND responses for file type, if possible,
• Determines CGI directories for each server, if possible,
• Switch hypertext transfer protocol (HTTP) versions as needed so that the server understands requests properly,
• Secure Sockets Layer Support (Unix with OpenSSL or maybe Windows with ActiveState's Practical Extraction and Report Language [PERL]/NetSSL),
• Output to file in plain text, HTML or CSV,
• Plugin support (standard PERL),
• Checks for outdated server software,
• Proxy support (with authentication),
• Host authentication (Basic),
• Watches for bogus OK responses,
• Attempts to perform educated guesses for Authentication realms,
• Captures/prints any Cookies received,
• Mutate mode to go fishing on Web servers for odd items,
• Builds Mutate checks based on robots.txt entries (if present),
• Scan multiple ports on a target to find Web servers (can integrate Nmap for speed, if available),
• Multiple intrusion detection system evasion techniques,
• Users can add a custom scan database,
• Supports automatic code/check updates (with Web access),
• Multiple host/port scanning (scan list files),
• Username guessing plugin via the cgiwrap program and Apache user methods.

Type: Web Application Scanning
Operating System: Unix, Linux, Windows
Hardware Requirements:
License: Open Source
NIAP Validated:
Common Criteria Rating:
Developer: Cirt.net
Availability: http://www.cirt.net/nikto2


Orascan

Abstract
OraScan is a multi-environment auditing application developed to assess the security of Oracle Web applications. The finely detailed level of auditing supported by OraScan allows systems administrators and security professionals to gain full control of security issues surrounding online applications and front-end servers.
OraScan performs robust, in-depth security vulnerability audits, seeking out potential problem areas such as
• SQL injection,
• XSS,
• Poor Web server configuration.
In addition, OraScan can be deployed to audit the configuration of Internet authentication service Web servers, ensuring that the Web application portion of your database software architecture is free of any security weaknesses.

Type: Database Scanning
Operating System: Microsoft Windows 2003, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows NT Version 4.0 (Service Pack 4)
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Next Generation Security Software
Availability: http://www.ngssoftware.com/products/internet-security/orascan.php


Paros Proxy v3.2.0Alpha

Abstract
Paros Proxy v3.2.0Alpha is a Java-based Web proxy for assessing Web application vulnerability. It supports editing/viewing HTTP/HTTP Secure (HTTPS) messages on the fly to change items such as cookies and form fields. It includes a Web traffic recorder, Web spider, hash calculator, and a scanner for testing common Web application attacks, such as SQL injection and XSS.

Type: Web Application Scanning
Operating System: All OSs supporting Java 1.4+
Hardware Requirements: N/A
License: Freeware
NIAP Validated:
Common Criteria Rating:
Developer: Paros
Availability: http://www.parosproxy.org/index.shtml


Proventia Network Enterprise Scanner

Abstract
Proventia Network Enterprise Scanner is the next generation of the Internet scanner vulnerability assessment tool. Proventia Network Enterprise Scanner is a vulnerability protection system for the entire network that is enhanced with an integrated workflow vulnerability management subsystem and Proventia Enterprise Scanner that enables the user to drive protection measures throughout an infrastructure.

Features
• Vulnerability assessment,
• Complete vulnerability management and protection,
• Scanning-optimized Linux kernel,
• Hardened and secure,
• Multiple scan ports,
• Application fingerprinting,
• Workflow,
• Reporting,
• Asset identification,
• Asset classification,
• Scan windows,
• Automation,
• Scan load balancing/teaming,
• Flexible deployment options,
• Flexible policy management,
• Web-based local management,
• Centralized management system: Proventia Network Scanner is centrally managed using Proventia Management SiteProtector. SiteProtector is a scalable system that allows staff to control, monitor, and analyze events from a centralized console. SiteProtector improves security through correlation and integration with other security products, including
  - Active/passive scanning through Proventia Network Enterprise Scanner and Proventia Network Anomaly Detection,
  - Scan and block capabilities through Proventia Network Enterprise Scanner and Proventia Network Intrusion Prevention System,
  - Correlation through the SiteProtector Security Fusion module.

Type: Network Scanning
Operating System: N/A
Hardware Requirements: Vendor supplied scanning appliance
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: IBM
Availability: http://www-935.ibm.com/services/us/index.wss/offering/iss/a1027216


proVM Auditor

Abstract
Prolific Solutions' proVM Auditor is a vulnerability management tool that uses the output from multiple vulnerability and compliance scanners and aggregates the information into a single view. proVM Auditor presents vulnerability data in meaningful views via a vulnerability matrix that makes managing, tracking, and resolving vulnerabilities simpler and less resource-intensive.

Features
• Expedites compliance reviews
• Maps vulnerabilities to DoD 8500.2 IA Controls
• Facilitates/standardizes C&A processes
• Streamlines administration efforts
• Standard views of vulnerability data
• Reduces manual compliance efforts
• Small footprint; simple to use; does not require installation
• Accepts scanner output from the following Vulnerability Scanners:
  - eEye Retina
  - Lumension PatchLink
  - DISA SRRs
  - DISA Gold Disk
  - Application Security AppDetective
  - Tenable Nessus
  - Nmap
  - Other tools, commercial or private, can be added upon request

Type: Vulnerability and Patch Management
Operating System: Windows
Hardware Requirements: N/A
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Prolific Solutions
Availability: http://www.prolific-solutions.net/products.htm


QualysGuard Vulnerability Management

Abstract
QualysGuard Vulnerability Management (VM) automates the life cycle of network auditing and vulnerability management across the enterprise, including network discovery and mapping, asset prioritization, vulnerability assessment reporting, and remediation tracking according to business risk. QualysGuard delivers continuous protection against the latest worms and security threats without the substantial cost, resource, and deployment issues associated with traditional software. As an on demand Software-as-a-Service (SaaS) solution, there is no infrastructure to deploy or manage.
QualysGuard VM enables small to large organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities, including severity levels, time-to-fix estimates, and impact on business, plus trend analysis on security issues.

Features
• Vulnerability KnowledgeBase that incorporates over 6,000 unique checks;
• Non-intrusive detection techniques;
• Inference-based scanning engine;
• Authenticated or unauthenticated scanning capabilities;
• Internal and external scanning;
• Scans are configurable for optimum performance and minimum network load;
• Unique fingerprints for over 2,000 operating systems, applications, and protocols;
• Customization of scans to scan for specific ports/services and specific vulnerabilities;
• Schedule and automated network discovery and vulnerability scan tasks on a daily, weekly, or monthly basis;
• Automated daily updates to the QualysGuard vulnerability KnowledgeBase;
• Easy access to concise, auto-generated reports via a Web browser;
• Executive Dashboard provides real-time illustration of risk;
• Graph and trend reports for managers;
• Detailed technical reports with verified remediation actions for technicians;
• SANS Top 20 Report provides industry baseline;
• Risk analysis report predicts the likelihood of exposure;
• CVE and Security Focus-linked and Bugtraq-referenced vulnerability checks with detailed remediation instructions;
• Customizable reports for flexible, on demand reporting by business units for executives and managers;
• Export reports to HTML, Microsoft Hypertext Archive, portable document format, CSV, and XML formats.

Type: Network Scanning
Operating System: N/A
Hardware Requirements: Vendor supplied scanning appliance
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Qualys
Availability: http://www.qualys.com/products/qg_suite/vulnerability_management/


Rational AppScan

Abstract
IBM Rational Web application security software helps IT and security professionals protect against the threat of attacks and data breaches. Involving more testers in the application security process results in higher quality, more secure applications at a reasonable cost.
Rational offers Web application security solutions, including new malware detection capabilities, through the IBM Rational AppScan family of products. AppScan can be used for vulnerability scanning in all stages of application development and by testers with or without security expertise.

Features
• AppScan Build Edition: Embeds Web application security testing into the build management workflow,
• AppScan Developer Edition: Automates application security scanning for non-security professionals,
• AppScan Enterprise Edition: Web-based, multi-user solution providing centralized application security scanning and reporting,
• AppScan Express Edition: Provides affordable Web application security for smaller organizations,
• AppScan OnDemand: Identifies and prioritizes Web Application Security vulnerabilities via SaaS Model,
• AppScan OnDemand Production Site Monitoring: Monitors production Web content and sites for security vulnerabilities via SaaS Model,
• AppScan Reporting Console: Provides centralized reporting on Web application vulnerability data,
• AppScan Standard Edition: Desktop solution to automate Web application security testing,
• AppScan Tester Edition: Integrated Web application security testing in the quality assurance process.

Type: Web Application Scanning
Operating System: Windows XP, Server 2003
Hardware Requirements: 3 GHz CPU, 2 GB+ RAM, 200 MB disk space for installation plus at least 10 GB free space for logs
License:
NIAP Validated:
Common Criteria Rating:
Developer: IBM Rational
Availability: http://www-01.ibm.com/software/awdtools/appscan/


Retina Network Security Scanner

Abstract
Retina Network Security Scanner is a professional-grade security solution with a lengthy track record of success. Retina contains all the integrated security and threat management tools needed to effectively identify and remediate the network vulnerabilities that lead to exposure and malicious attacks.

Features
• Discovers the assets in the network infrastructure, including operating system platforms, networked devices, databases, and third party or custom applications. Retina also discovers wireless devices and their configurations, ensuring these connections can be audited for the appropriate security settings. Additionally, Retina scans active ports and confirms the services associated with those ports.
• Implements corporate policy driven scans to audit internal security guidelines and ensure that configuration requirements are enforced and comply with defined standards. These custom scans can also assist with meeting any regulatory compliance requirements (e.g., SOX, HIPAA, GLB, PCI) customers may face.
• Remotely identifies system level vulnerabilities to mimic an attacker's point of view, providing information that an outsider would see about a network. These remote checks do not require administrator rights, providing an accurate assessment, with fewer resources required to scan across departments, locations, or geographies.
• Incorporates a comprehensive vulnerabilities database and scanning technology, allowing users to proactively secure their networks against attacks.
• Updates are automatically uploaded at the beginning of each Retina session.

Type: Network Scanning
Operating System: Windows
Hardware Requirements: 256 MB RAM. Vendor-supplied appliance also available.
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: eEye Digital Security
Availability: http://www.eeye.com/html/products/retina/index.html


SAINT

Abstract
SAINT's Web-like, easy-to-use GUI makes it easy to scan networks. Every live system on the network is screened for TCP and user datagram protocol (UDP) services. For each service it finds running, it launches a set of probes designed to detect anything that could allow an attacker to gain unauthorized access, create a denial of service, or gain sensitive information about the network. When vulnerabilities are detected, SAINT categorizes the results in several ways, allowing users to target the data they find most useful. SAINT can group vulnerabilities according to severity, type, or count. It can provide information about a particular host or groups of hosts. SAINT describes each of the vulnerabilities it locates and references CVE or Information Assurance Vulnerability Alerts (IAVA), as well as CERT advisories.

Features
• Includes flexible/customizable scanning options, including SANS/Federal Bureau of Investigation Top 20;
• Scans anything with an IP address running TCP/IP protocols;
• Includes extensive documentation and online tutorials;
• Includes links to patches and new versions of software;
• Runs in remote mode;
• Is easily set up to run unattended using the GUI;
• Provides dynamic reporting capability that allows the user to drill down to get more information about the vulnerability and how to correct it;
• Cross-references vulnerabilities to IAVAs;
• Scans IPv4 or IPv6 addresses;
• Includes control panel that allows the user to stop, pause, and resume scans, and to view results in progress while the scan runs;
• Is certified CVE-compatible by MITRE.

Type: Network Scanning
Operating System: Unix/Linux platform
Hardware Requirements: 256 MB RAM, 150 MB disk space. Vendor-supplied appliances also available.
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Saint Corporation
Availability: http://www.saintcorporation.com/products/data_sheets/SAINT_data_sheet.pdf


Second Look

Abstract
Second Look captures, and forensically preserves, a computer's volatile RAM. It analyzes the Linux operating system kernel in live memory or via a memory image, verifying its integrity and searching for signs of rootkits or other subversive software that have modified the executable kernel code or kernel data structures.
With Second Look, analysts and investigators have a tool that provides a comprehensive view of a system, uninfluenced by any malware that might be running on it. Information pulled directly out of memory includes running processes, active network connections, loaded kernel modules, and many other essential system parameters. Second Look uncovers hidden kernel modules, processes, and network activity. Second Look integrates a real-time disassembler that allows inspection of any function or segment of kernel memory.
As threats to computer systems continue to increase in sophistication, traditional post-mortem (dead box) forensic analysis of hard disk contents is no longer sufficient. Advanced exploits allow for the implantation of rootkits and backdoors directly in memory, without an actual file ever touching the disk. Volatile memory must be acquired in a trustworthy fashion, and analyzed with security software such as Second Look.

Type: Host Scanning
Operating System: Linux
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: Pikewerks
Availability: http://pikewerks.com/sl


SecureScout NX

Abstract
SecureScout NX is a third-generation scanning solution that performs real-time testing of global networks and firewalls. The architecture of SecureScout NX implements a centralized console to manage remote test engines and probes, enabling users to quickly and repeatedly scan and report vulnerabilities in distributed networks from a single location.
SecureScout NX gives the user an impartial view of whether firewalls have been configured correctly to comply with security policies and protect the network.
SecureScout NX tests highlight information exposed to the outside world that cyber criminals could misuse to attack the organization. Diligent assessment of internal systems enables an organization to manage security risks and reduce potential liability. SecureScout NX delivers the knowledge needed to protect critical information from intruders and prepare countermeasures, making it difficult for attackers to get in. NetVigilance's security experts continually research information sources for new vulnerabilities, and a secure Web service site automatically updates SecureScout NX. Through differential reporting, users can benchmark their security level at various points in time.

Type: Network Scanning
Operating System: Windows 2000 SP3/SP4, Windows XP SP1/SP2/SP3, Windows Server 2003 SP1/SP2 (32-bit versions of Windows only)
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: NetVigilance
Availability: http://www.netvigilance.com/nx


SecureScout Perimeter

Abstract
The SecureScout Perimeter service probes Internet-connected systems for vulnerabilities before hackers find them. It identifies holes in an Internet infrastructure, scanning beyond the firewall to any device with an IP address.

Type: Network Scanning
Operating System: Windows 2000 SP3/SP4, Windows XP SP1/SP2/SP3, Windows Server 2003 SP1/SP2 (32-bit versions of Windows only)
Hardware Requirements:
License: Commercial
NIAP Validated:
Common Criteria Rating:
Developer: NetVigilance
Availability: http://www.netvigilance.com/perimeter


Security Auditor's Research Assistant (SARA) v7.9.1
Abstract
The Security Auditor's Research Assistant (SARA) is a third-generation network security analysis tool.

Advanced Research's philosophy relies heavily on software reuse. Rather than inventing a new module, SARA is adapted to interface with other community products. For instance, SARA interfaces with the popular Nmap package for superior operating system fingerprinting. SARA also provides a transparent interface to Samba for Server Message Block (SMB) security analysis. SARA is no longer being developed, and v7.9.1 is the final release.

Features
- Operates under Unix, Linux, Mac OS X, or Windows (through coLinux),
- Integrates the NVD,
- Adapts to many firewalled environments,
- Supports remote self-scan and application programming interface facilities,
- Is used for the Center for Internet Security benchmark initiatives,
- Includes a plug-in facility for third-party applications,
- Includes CVE standards support (20040901),
- Has an enterprise search module,
- Has stand-alone or daemon mode,
- Offers a free-use open SATAN-oriented license,
- Is updated twice a month,
- Provides user extension support,
- Is based on the SATAN model.

Security Auditor's Research Assistant (SARA) v7.9.1
  Type: Network Scanning
  Operating System: Unix, Linux, Windows (through coLinux)
  Hardware Requirements: not specified
  License: Freeware
  NIAP Validated: not listed
  Common Criteria Rating: not listed
  Developer: Advanced Research Corporation
  Availability: http://www-arc.com/sara/


Security Administrator's Tool for Analyzing Networks (SATAN)
Abstract
The Security Administrator's Tool for Analyzing Networks (SATAN) scans systems connected to the network, noting the existence of well-known, often-exploited vulnerabilities. It examines a remote host or set of hosts and gathers as much information as possible.

Security Administrator's Tool for Analyzing Networks (SATAN)
  Type: Network Scanning
  Operating System: Unix/Linux
  Hardware Requirements: not specified
  License: Freeware
  NIAP Validated: not listed
  Common Criteria Rating: not listed
  Developer: Dan Farmer and Wietse Venema
  Availability: http://ftp.cerias.purdue.edu/pub/tools/unix/scanners


SNScan v1.05
Abstract
SNScan is a Windows-based Simple Network Management Protocol (SNMP) detection utility that can quickly and accurately identify SNMP-enabled devices on a network. This utility can effectively indicate devices that are potentially vulnerable to SNMP-related security threats.

SNScan allows for the scanning of SNMP-specific ports (e.g., UDP 161, 193, 391, and 1993) and the use of standard (i.e., "public") as well as user-defined SNMP community names. User-defined community names may be used to more effectively evaluate the presence of SNMP-enabled devices in more complex networks.

SNScan is intended for use by system and network administrators as a fast and reliable utility for information gathering. Although it does not indicate whether SNMP-enabled devices are vulnerable to specific threats, SNScan can quickly and accurately identify potential areas of exposure to SNMP-related vulnerabilities.

SNScan v1.05
  Type: Network Scanning
  Operating System: Windows
  Hardware Requirements: not specified
  License: Freeware
  NIAP Validated: not listed
  Common Criteria Rating: not listed
  Developer: Foundstone (A Division of McAfee)
  Availability: http://www.foundstone.com/us/resources/proddesc/snscan.htm
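What an SNScan-style sweep actually sends is a single SNMPv1 GetRequest for sysDescr.0 under each candidate community name; any GetResponse proves an agent is listening and that the community is accepted. The following is an added example written for this report, not SNScan's code: it hand-encodes the BER message, parses the reply, and tries the default names against UDP/161. The OID, port and community list are standard; the agent reply used to exercise the parser is constructed by build_get_response(), not captured from a device.

```python
"""SNScan-style SNMP discovery probe (added example; not SNScan's own code).

Builds an SNMPv1 GetRequest for sysDescr.0 under a chosen community string,
sends it to UDP/161 and parses any GetResponse. The agent reply used offline
is constructed with build_get_response(), not captured from a real device.
"""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
DEFAULT_COMMUNITIES = ("public", "private")   # the "standard" names a sweep tries


def _tlv(tag, body):
    """BER tag + definite length + body (long form when body >= 128 bytes)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_int(value):
    """BER INTEGER, minimal two's-complement big-endian."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def _encode_oid(dotted):
    """BER OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))


def _message(community, pdu_tag, request_id, error_status, varbinds):
    pdu = _tlv(pdu_tag, _encode_int(request_id) + _encode_int(error_status)
               + _encode_int(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, _encode_int(0) + _tlv(0x04, community.encode()) + pdu)


def build_get_request(community, oid=SYS_DESCR, request_id=1):
    """GetRequest (tag 0xA0) for one OID; the value slot is NULL."""
    return _message(community, 0xA0, request_id, 0,
                    _tlv(0x30, _encode_oid(oid) + _tlv(0x05, b"")))


def build_get_response(community, oid, value, request_id, error_status=0):
    """Constructed agent GetResponse (tag 0xA2) carrying one OCTET STRING value;
    used only so the parser can be exercised without a live device."""
    return _message(community, 0xA2, request_id, error_status,
                    _tlv(0x30, _encode_oid(oid) + _tlv(0x04, value)))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_response(buf):
    """Return (community, request_id, error_status, [(oid, value), ...]) for a
    GetResponse, or None for anything else (including a stray GetRequest)."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        return None
    _, _, pos = _read_tlv(msg, 0)                 # version
    _, community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        return None
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _, pos = _read_tlv(pdu, pos)               # error-index
    _, vbl, _ = _read_tlv(pdu, pos)
    binds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, q = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, q)
        binds.append((_decode_oid(oid), val.decode("latin-1") if vtag == 0x04 else val))
    return (community.decode("latin-1"), int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), binds)


def probe(host, communities=DEFAULT_COMMUNITIES, timeout=1.0):
    """Try each community against UDP/161; return (community, varbinds) for the
    first GetResponse whose request-id matches, else None. Silence is ambiguous:
    an SNMPv1 agent drops a request with the wrong community instead of answering."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        for rid, community in enumerate(communities, 1):
            sock.sendto(build_get_request(community, request_id=rid), (host, 161))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            parsed = parse_response(data)
            if parsed and parsed[1] == rid:      # any valid reply proves SNMP is reachable
                return community, parsed[3]
    finally:
        sock.close()
    return None
```

The request-id check matters when sweeping a range: a late reply to an earlier probe must not be credited to the community that happened to be in flight. A non-zero error-status (for example noSuchName) still counts as a hit, because the agent only answers at all when the community string is accepted.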


ThreatGuard Secutor Magnus
Abstract
Secutor Magnus is designed specifically to meet the Common Security Configurations requirements set forth by the Office of Management and Budget (OMB). Built for the Information Security Automation Program established by NIST, Magnus fully supports a wide-scale action plan to quickly and continually show that an organization has compliance under control. The entire Secutor line of automated content tools provides standardized assessments, content-driven remediation, and complete mappings to driving requirements, with options to easily document deviations from those requirements.

Features
- Tests NIST configurations to identify adverse effects on system functionality,
- Automated enforcement,
- Restricts administration to authorized professionals,
- Ensures new acquisitions use standard configurations,
- Patches,
- Automatically determines whether computers have all required security patches,
- Performs vulnerability assessment of the operating system and major applications,
- Provides documentation of deviations with rationale.

ThreatGuard Secutor Magnus
  Type: Vulnerability and Patch Management
  Operating System: Windows
  Hardware Requirements: vendor-supplied appliance also available
  License: Commercial
  NIAP Validated: not listed
  Common Criteria Rating: not listed
  Developer: ThreatGuard
  Availability: http://www.threatguard.com/products.htm


Triumfant Resolution Manager
Abstract
Triumfant Resolution Manager continuously scans for unusual changes that are consistent with the behavior and structure of malicious applications. These include unusual auto-start methods, stealth techniques such as those used by rootkits, and unusual firewall exceptions. As a result, malicious attacks that are not detected by traditional signature-based tools are recognized by Triumfant in real time, along with all of the changes to the machine associated with the attack. Resolution Manager immediately applies its deep analytics to verify that it is indeed an attack and assesses the full extent of the threat.

Resolution Manager uses its diagnosis of the problem and knowledge of the changes to the machine to synthesize a surgical remediation. These remediations do not delete the malicious executable; they repair the damage from the attack, effectively eliminating the need for costly re-imaging. The information about the attack and the remediation is captured so that Resolution Manager can scan the entire population for any other occurrences of the attack and remediate machines where the attack is detected.

Triumfant provides a comprehensive set of reports that deliver visibility into the security readiness of the endpoint environment, from an executive summary view down to the details of each machine.

Features
- Malware detection: The ability to detect changes at a granular level allows Triumfant to detect, analyze, and remediate malicious attacks in real time without the need for signatures or any prior knowledge of the attack.
- Security Configuration Management: Triumfant verifies that the organization's standard portfolio of endpoint security software is correctly deployed.
- Compliance Management: Triumfant Resolution Manager applies security policies that are customizable from the departmental level down to individual machines. Triumfant also provides policy templates for specific security mandates, such as FDCC SCAP compliance and PCI compliance.
- Vulnerability Management: Triumfant uses the NIST SCAP vulnerability database to scan each computer for known software vulnerabilities, identifying where missing patches create a security exposure.
- Whitelist/Blacklist Management: Triumfant deletes unauthorized software from endpoint computers, and builds custom remediations to ensure that no malicious code is left behind by the deleted application.

Triumfant Resolution Manager
  Type: Vulnerability and Patch Management
  Operating System: not specified
  Hardware Requirements: not specified
  License: Commercial
  NIAP Validated: Yes
  Common Criteria Rating: EAL2+ (March 31, 2009)
  Developer: Triumfant
  Availability: http://www.triumfant.com/products.asp


Typhon III
Abstract
Typhon III is a tool that identifies infrastructure and Web application vulnerabilities. Capabilities include the fast and accurate identification of current and historical security vulnerabilities; the nonintrusive vulnerability scanner helps protect against current threats, including:
- Rootkits,
- Phishing,
- SQL Injection,
- Pharming,
- Confidential Data Theft.

By providing a comprehensive security audit of all hosts in the network, from routers and printers through Web and database servers, Typhon III helps the network stay secure from threats. It exposes weak passwords in a variety of protocols and contains a full range of checks for common vulnerabilities and configuration errors. Typhon III can also audit Web applications using its integrated Web spider, which locates every page and script on a Web site (even hidden, unlinked, and test files) and rigorously tests them for SQL injection and XSS flaws.

Typhon III
  Type: Web Application Scanning
  Operating System: Windows 2003, 2000, XP, NT 4.0 SP6a
  Hardware Requirements: 500 MHz CPU, 512 MB RAM, 20 MB disk space (minimum)
  License: Commercial
  NIAP Validated: not listed
  Common Criteria Rating: not listed
  Developer: Next Generation Security Software
  Availability: http://www.nextgenss.com/products/internet-security/ngs-typhon.php


WebInspect
Abstract
HP WebInspect is Web application security assessment software designed to analyze today's complex Web applications. It delivers fast scanning capabilities, broad assessment coverage, extensive vulnerability knowledge, and accurate Web application scanning results.

Features
- Statically analyzes client-side Adobe Flash applications;
- Produces faster scans and more accurate results through the Simultaneous Crawl and Audit (SCA) technology;
- Reduces false positives using Intelligent Engines designed to imitate a hacker's methodology;
- Increases testing throughput with support for multiple concurrent scans;
- Enter a URL, username, and password to quickly initiate a simple scan for immediate results;
- Innovative scan profiler assists in optimizing the scan configuration to maximize the effectiveness and accuracy of the scan;
- Depth-first crawling option for Web sites that enforce order-dependent navigation;
- Fingerprinting of the Web framework using Smart Assessment technology to reduce unnecessary attacks.

HP WebInspect
  Type: Web Application Scanning
  Operating System: Windows
  Hardware Requirements: not specified
  License: Commercial
  NIAP Validated: not listed
  Common Criteria Rating: not listed
  Developer: Hewlett Packard
  Availability: https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__


WebScarab
Abstract
WebScarab is a framework for analysing applications
that communicate using the HTTP and HTTPS
protocols. It is written in Java, and is thus portable to
many platforms. WebScarab has several modes of
operation, implemented by a number of plugins. In its
most common usage, WebScarab operates as an
intercepting proxy, allowing the operator to review
and modify requests created by the browser before
they are sent to the server, and to review and modify
responses returned from the server before they are
received by the browser. WebScarab is able to
intercept both HTTP and HTTPS communication.
The operator can also review the conversations
(requests and responses) that have passed
through WebScarab.
WebScarab is designed to be a tool for anyone who
needs to expose the workings of an HTTP(S)-based
application, whether to allow the developer to debug
otherwise difficult problems, or to allow a security
specialist to identify vulnerabilities in the way that
the application has been designed or implemented.


WebScarab
  Type: Web Application Scanning
  Operating System: Windows, Linux, Mac, Unix
  Hardware Requirements: not specified
  License: Freeware
  NIAP Validated: not listed
  Common Criteria Rating: not listed
  Developer: Rogan Dawes of Corsaire Security
  Availability: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
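The intercepting-proxy mode described above reduces to a small loop: accept the browser's request, hand it to an operator hook, forward it upstream, hand the reply to a second hook, and log the conversation. The following skeleton is an added example written for this report, not WebScarab's own code. It assumes a listener on 127.0.0.1:8080, handles plain HTTP only (HTTPS interception additionally needs a proxy-issued CA certificate, which is omitted), and the rules inside the two hooks are illustrative: strip conditional-request headers on the way out, and flag cookies without Secure/HttpOnly and missing X-Frame-Options/CSP and X-Content-Type-Options headers on the way back.

```python
"""Skeleton of a WebScarab-style intercepting proxy (added example, not WebScarab code).

Point a browser's HTTP proxy setting at 127.0.0.1:8080. Every request passes through
on_request() before it is forwarded with http.client, and every reply passes through
on_response() before it is returned to the browser; both hooks carry illustrative
rules. Only plain HTTP is handled: intercepting HTTPS additionally needs a
proxy-issued CA certificate, which this sketch omits.
"""
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

CONVERSATIONS = []   # (method, url, status, findings) log for later review


def on_request(method, url, headers, body):
    """Operator hook on the outgoing request. Example rule: drop conditional-request
    headers so the server returns a full body to inspect, and tag the request."""
    headers = {k: v for k, v in headers.items()
               if k.lower() not in ("if-none-match", "if-modified-since", "proxy-connection")}
    headers["X-Intercepted"] = "1"
    return method, url, headers, body


def on_response(status, headers, body):
    """Operator hook on the reply. Records what a tester looks for in the conversation
    log: cookies lacking Secure/HttpOnly and missing framing/content-type headers."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            flags = {p.strip().lower() for p in value.split(";")[1:]}
            if "secure" not in flags:
                findings.append("cookie without Secure: " + cookie)
            if "httponly" not in flags:
                findings.append("cookie without HttpOnly: " + cookie)
    present = {n.lower() for n, _ in headers}
    if not present & {"x-frame-options", "content-security-policy"}:
        findings.append("no X-Frame-Options / CSP")
    if "x-content-type-options" not in present:
        findings.append("no X-Content-Type-Options")
    return status, headers, body, findings


class InterceptingHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _proxy(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        method, url, headers, body = on_request(self.command, self.path, dict(self.headers), body)
        parts = urlsplit(url)                      # proxy clients send absolute URLs
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn = http.client.HTTPConnection(parts.netloc or headers.get("Host", ""), timeout=10)
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        status, rheaders, rbody, findings = on_response(resp.status, resp.getheaders(), resp.read())
        conn.close()
        CONVERSATIONS.append((method, url, status, findings))
        self.send_response(status)
        for name, value in rheaders:             # re-framed with an explicit Content-Length
            if name.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(rbody)))
        self.end_headers()
        self.wfile.write(rbody)

    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = _proxy


if __name__ == "__main__":
    ThreadingHTTPServer(("127.0.0.1", 8080), InterceptingHandler).serve_forever()
```

Because the hooks are plain functions over (headers, body), the same code path serves both uses the text names: a developer can drop a breakpoint in on_request() to see exactly what the browser sent, and a tester can accumulate findings in CONVERSATIONS and review them afterwards, which is the conversation-review feature WebScarab exposes in its GUI.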

SECTION 6

Related Resources

This section provides additional references: books, Web sites, articles, and papers.
References
1. Carnegie Mellon Software Engineering Institute, CERT Coordination Center (n.d.). CERT/CC Statistics 1988-2008. http://www.cert.org/stats/cert_stats.html. (Accessed June 3, 2009).
2. Homeland Security Advisory Council. Report of the Critical Infrastructure Task Force, January 2006.
3. Merriam-Webster Online Dictionary. http://www.merriam-webster.com/. (Accessed June 5, 2009).
4. Schultze, E. Thinking Like a Hacker. March 2002. http://pdf.textfiles.com/security/thinkhacker.pdf. (Accessed June 5, 2009).
5. Storms, Andrew (SANS Institute). Using Vulnerability Tools To Develop an OCTAVE Risk Profile. December 2003. http://www.sans.org/reading_room/whitepapers/auditing/1353.php?portal=813b67045603408ee90700647. (Retrieved March 13, 2007).
6. U.S. Government, Intelligence Community. Analytical Risk Management: A Course Guide for Security Risk Management, May 2003.
7. U.S. Government, National Institute of Standards and Technology, National Vulnerability Database. Security Content Automation Protocol Validated Products. http://nvd.nist.gov/scapproducts.cfm. (Accessed June 3, 2009).
8. U.S. Government, White House. Cyberspace Policy Review. http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf. (Accessed June 5, 2009).
9. Spiegel Online International. "Away From the Politics of Fear": Interview with Homeland Security Secretary Janet Napolitano. http://www.spiegel.de/international/world/0,1518,613330,00.html. (Accessed June 5, 2009).
10. SRI International; Phillip Porras, Hassen Saidi, and Vinod Yegneswaran. An Analysis of Conficker's Logic and Rendezvous Points. http://mtc.sri.com/conficker. Updated March 19, 2009. (Accessed June 10, 2009).
11. Conficker Working Group home page. http://www.confickerworkinggroup.org/wiki/pmwiki.php.
12. Cyber Secure Institute. Cyber Secure Institute on the Conficker Controversy. http://cybersecureinstitute.org/blog/?p=15. (Accessed June 11, 2009).
13. Braunton, Gregory (SANS Institute). B.A.S.E.: A Security Assessment Methodology. http://www.sans.org/reading_room/whitepapers/auditing/b_a_s_e__a_security_assessment_methodology_1587. (Accessed June 11, 2009).
14. Chairman of the Joint Chiefs of Staff. Joint Publication 3-13: Information Operations. February 13, 2006.


SECTION 7

Recommended Resources

Alberts, Christopher and Audrey Dorofee. Managing Information Security Risks: The OCTAVE Approach. Boston: Addison Wesley Professional, 2003.
Braunton, Gregory (SANS Institute). B.A.S.E.: A Security Assessment Methodology, September 2004.
Open Vulnerability and Assessment Language (OVAL). http://oval.mitre.org
Peltier, Thomas R., J. Peltier, and J.A. Blackley. Managing a Network Vulnerability Assessment. Boca Raton, FL: CRC Press LLC, 2003.
Stoneburner, G., A. Goguen, and A. Feringa. Special Publication 800-30, Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology (NIST), 2002.
U.S. Government, Intelligence Community. Analytical Risk Management: A Course Guide for Security Risk Management, 2003.
U.S. Government, Department of Commerce. FIPS Publication 199: Standards for Security Categorization of Federal Information and Information Systems. Federal Information Processing Standards (FIPS), 2004.
U.S. Government, National Institute of Standards and Technology, National Vulnerability Database. Security Content Automation Protocol Validated Products. http://nvd.nist.gov/scapproducts.cfm.


SECTION 8

Definitions

- All-hazards/Threat: Circumstances, events, or people with the potential to cause harm to a system. The full spectrum of threats and hazards could include natural disasters (e.g., floods, fires, hurricanes), domestic or international criminal activity, and accidental disruptions such as construction mishaps.
- Critical Asset: Those assets of such importance to an organization that without them the organization's ability to execute its mission would be significantly degraded or suffer complete failure.
- False Negative: Refers to when a tool fails to find an existing vulnerability.
- False Positive: Refers to when a tool finds a vulnerability that does not exist.
- Risk: A function of the likelihood that a specific hazard/threat will exploit a given vulnerability and that the resulting impact of loss of the critical asset will cause significant degradation or even mission failure of the organization. Mathematically, risk is written as follows:

  Threat x Vulnerability x Impact of Loss = Risk

- Risk Assessment: The process of evaluating the impact of loss of an asset, the likely and probable threats, and the vulnerabilities of the asset.
- Risk Management: A process for identifying and prioritizing the impact of loss, threats, and vulnerabilities, and making rational decisions regarding the expenditure of resources and the implementation of countermeasures to reduce the risk of loss.
- Scanning: A periodic examination of traffic activity, system files and permissions, and overall system configuration to determine whether further processing is required.
- Vulnerability: Refers to a weakness in a system's security scheme, which may include system security procedures, internal controls, or implementation. Exploitation would negatively affect the confidentiality, integrity, or availability of the system or its data.
- Vulnerability Assessment: An examination of the ability of a system or application, including current security procedures and controls, to withstand assault. A vulnerability assessment may be used to a) identify weaknesses that could be exploited; and b) predict the effectiveness of additional security measures in protecting information resources from attack.


SECTION 9

Definitions of Acronyms and Key Terms

Acronym or Term: Definition
ACL: Access Control List
ARP: Address Resolution Protocol
CERT: Computer Emergency Response Team
CGI: Common Gateway Interface
COPS: Computer Oracle and Password
COTS: Commercial Off-the-Shelf
CPU: Central Processing Unit
CSV: Comma-Separated Values
CVE: Common Vulnerabilities and Exposures
DHS: Department of Homeland Security
DISA: Defense Information Systems Agency
DoD: Department of Defense
DSII: DominoScan II
DSS: Data Security Standard
DTIC: Defense Technical Information Center
ePO: ePolicy Orchestrator
ESSG: Enterprise-Wide Information Assurance and Computer Network Defense Solutions Steering Group
FDCC: Federal Desktop Core Configuration
FISMA: Federal Information Security Management Act of 2002
GB: Gigabyte
GHz: Gigahertz
GLBA: Gramm-Leach-Bliley Act
GUI: Graphical User Interface
HBSS: Host Based Security System
HIPAA: Health Insurance Portability and Accountability Act
HIPS: Host Intrusion Prevention System
HSPD-7: Homeland Security Presidential Directive 7
HTML: HyperText Markup Language
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
IA: Information Assurance
IAC: Information Analysis Center
IATAC: Information Assurance Technology Analysis Center
IAVA: Information Assurance Vulnerability Alert
IP: Internet Protocol
IPS: Intrusion Prevention System
IT: Information Technology
MB: Megabyte
MBSA: Microsoft Baseline Security Analyzer
MHz: Megahertz
MA: McAfee Agent
MU: Microsoft Update
NIAP: National Information Assurance Partnership
NIST: National Institute of Standards and Technology
Nmap: Network Mapper
NVD: National Vulnerability Database
OMB: Office of Management and Budget
OS: Operating System
OVAL: Open Vulnerability and Assessment Language
PA: Policy Auditor
PCI: Payment Card Industry
PEO-IAN: Information Assurance/Network Operations Program Executive Office
PERL: Practical Extraction and Report Language
PHP: Hypertext Preprocessor
RAM: Random Access Memory
RSD: Rogue System Detection
SaaS: Software-as-a-Service
SANS: SysAdmin, Audit, Network, Security
SARA: Security Auditor's Research Assistant
SATAN: Security Administrator's Tool for Analyzing Networks
SCAP: Security Content Automation Protocol
SCCM: System Center Configuration Manager
SMS: Systems Management Server
SNMP: Simple Network Management Protocol
SOX: Sarbanes-Oxley Act
SQL: Structured Query Language
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
URL: Uniform Resource Locator
VM: Vulnerability Management
WSUS: Windows Server Update Services
XML: eXtensible Markup Language
XSS: Cross-Site Scripting
