Vulnerability scan: detects how many security vulnerabilities your Web system has.

The openness of the Internet makes Web systems face the threat of intrusion attacks, and building a secure Web system has always been the goal of people. A practical method is to establish a relatively easy-to-implement relatively secure system and establish a corresponding security auxiliary system according to certain security policies. Vulnerability scanner is such a type of security auxiliary system.
Vulnerability scanning is used to detect the security of computer systems or other network devices to identify security risks and vulnerabilities that can be exploited by hackers. As an essential means to ensure the security of Web information systems and networks, we need to carefully study and utilize them. It is worth noting that the vulnerability scanning software is a double-edged sword. Hackers use it to intrude into the system. After mastering it, the system administrator can effectively prevent hacker intrusion.

Four vulnerability scanning technologies

Vulnerability Scanning usually adopts two policies: passive and active. The so-called passive policy is based on the host and checks the system for inappropriate settings, vulnerable passwords, and other objects that conflict with security rules. The active policy is based on the network, it simulates attacks on the system by executing some script files and records the system's responses to detect the vulnerabilities. Passive policy scanning is called system security scanning, and active policy scanning is called network security scanning.

Vulnerability Scanning has the following four detection technologies:

1. Application-based detection technology. It uses a passive and non-destructive method to check Application Software Package settings and detect security vulnerabilities.

2. host-based detection technology. It uses a passive and non-destructive method to detect the system. Generally, it involves system kernel, file attributes, operating system patches, etc. This technology also includes password decryption and removal of some simple passwords. Therefore, this technology can accurately locate system problems and discover system vulnerabilities. Its disadvantage is that it is related to the platform and the upgrade is complicated.

3. Target-based vulnerability detection technology. It uses passive and non-destructive methods to check system and file attributes, such as databases and registration numbers. The message digest algorithm is used to check the number of encrypted files. The implementation of this technology is to run in a closed loop, constantly process files, system objectives, and system target attributes, and then generate the number of tests, which is compared with the original number of tests. Notify the administrator of any changes.

4. Network-based detection technology. It uses a positive and non-destructive method to test whether the system may be attacked or crashed. It uses a series of scripts to simulate system attacks and then analyzes the results. It also checks known network vulnerabilities. Network detection technology is often used for penetration experiments and security review. This technology can detect a series of platform vulnerabilities and is easy to install. However, it may affect the network performance.

Network vulnerability scan

Among the above four methods, WTI is most suitable for the risk assessment of our Web Information System. The scan principle and working principle are as follows: by remotely detecting services with different TCP/IP ports on the target host, record the target response. In this way, various information about the target host can be collected (for example, whether anonymous logon is enabled, whether there is a writable FTP directory, whether Telnet is enabled, and whether httpd is running as root ).

After obtaining information about the TCP/IP port of the target host and its corresponding network access service, it matches the vulnerability library provided by the network vulnerability scan system. If the matching conditions are met, the vulnerability exists. In addition, scanning the target host system for attacking security vulnerabilities, such as weak passwords, by simulating hacker attack techniques is also one of the implementation methods of the scanning module. If the attack is successfully simulated, the vulnerability exists.

In terms of matching principle, the network vulnerability scanner uses rule-based matching technology, that is, according to the analysis of security experts on Network System Security Vulnerabilities and hacker attack cases and the actual experience of system administrators on network system security configuration, a set of standard system vulnerability libraries are formed, then, based on the matching rules, the program automatically performs system vulnerability scan analysis.

Rules-based systems are a matching system based on rules pre-defined by experts. For example, if you find/cgi-bin/phf/cgi-bin/Count in the scanning of port TCP80. cgi: based on the experience of experts and the sharing and standardization of CGI programs, we can infer that the WWW Service has two CGI vulnerabilities. At the same time, it should be noted that rules-based matching systems have their own limitations, because the basic reasoning rules of such systems are generally arranged and planned based on known security vulnerabilities, many dangerous threats to network systems come from unknown security vulnerabilities, which are similar to PC anti-virus.

This vulnerability scanner is based on the browser/server (B/S) structure. It works as follows: after a user sends a scan command through the control platform, the control platform sends a scan request to the scanning module, the scan module immediately starts the corresponding sub-function module after receiving the request to scan the scanned host. By analyzing the information returned by the scanned host, the scan module returns the scan result to the control platform, and then the control platform displays the result to the user.

Another structure of the scanner is the plug-in program structure. You can write external test scripts for a specific vulnerability. Call the service detection plug-in to check services with different TCP/IP ports on the target host, save the results in the information library, call the corresponding plug-in program, and send the constructed data to the remote host, the detection results are also stored in the information library to provide the required information for other script operations, which improves the detection efficiency. For example, in an FTP service attack, you can first view the results returned by the Service detection plug-in. Only when you confirm that the target host server has enabled the FTP service, the corresponding Attack Script For an FTP service can be executed. A scanner using this plug-in structure allows anyone to construct their own attack test scripts without having to understand the principles of the scanner too much. This scanner can also be used as a platform to simulate hacker attacks. Scanners using this structure have a strong vitality. For example, the famous Nessus adopts this structure. The structure 2 of this network vulnerability scanner is based on the Client/Server (C/S) structure. The client mainly sets server-side scan parameters and collects scan information. The specific scanning work is completed by the server. Development Trend of Vulnerability Scanners

It is worth noting that the vulnerability scanning software has evolved from the first small programs specially compiled for UNIX systems that only have simple functions to the present, there have been multiple commercial programs running on various operating system platforms with complex functions. Future development trends include the following:

1. Use plug-ins or functional module technologies. Each plug-in encapsulates one or more vulnerability testing methods. The main scan program calls the plug-in method to perform scanning. By adding new plug-ins, you can add new features to the software and scan for more vulnerabilities. When the compilation specification of plug-ins is published, users or third-party companies can even write plug-ins themselves to expand the functions of the software. At the same time, this technology makes software upgrade and maintenance relatively simple and has very strong scalability.

2. Use a dedicated scripting language. This is actually a more advanced plug-in technology. You can use a dedicated scripting language to expand software features. The syntax of these scripting languages is usually relatively simple and easy to learn. You can use more than a dozen lines of code to customize a simple test and add new test items for the software. The use of the scripting language simplifies the programming of new plug-ins, making the expansion of software functions easier and more interesting.

3. From the vulnerability scanning program to the Security Evaluation Expert System. The earliest vulnerability scanning program simply listed the execution results of each scan test item and provided them directly to the tester without any analysis and processing of the information. At present, mature scanning systems can organize the scanning results of a single host, form reports, and provide some solutions to specific vulnerabilities. The disadvantage is the lack of an overall evaluation of network conditions, and there is no system solution for network security. In the future, security scanning systems should not only scan security vulnerabilities, but also help Network Information System Administrators intelligently assess the security status of the network and provide security suggestions, become a Security Evaluation Expert System.

Web System Risk Level Assessment

After the security scan of the Web information system is implemented, the security performance of the Web information system can be evaluated based on the scan results to give the risk situation of the Web Information System. Here, the risk assessment is based on the scan results and the security status of the Web Information System is classified based on the number of vulnerabilities in the Web Information System and the hazards of the vulnerabilities.

The risk assessment levels are as follows:

L. A: The scan results show that there are no vulnerabilities, but this does not indicate that the system has no vulnerabilities. Because many vulnerabilities have not yet been discovered, we can only test known vulnerabilities.

2. level B: vulnerabilities that leak server version information and are not very important, or provide services that are vulnerable to attacks, such as anonymous logon, this service may cause many other vulnerabilities.

3. Level C: vulnerabilities with low levels of hazards. For example, you can verify the existence of an account and list some page directories and file directories without causing any serious consequences.

4. Level D: vulnerabilities with a general degree of harm. For example, a Denial-of-Service vulnerability causes the Web Information System to fail to work normally, and allows hackers to gain access to important files.

5. Level E: vulnerabilities with severe hazards. If there is a buffer overflow vulnerability or a trojan backdoor, there is a vulnerability that allows hackers to gain root user permissions or Root User shell, and the root directory is set to be writable by general users.

In addition, we need to emphasize that the vulnerability is mainly caused by the improper configuration of the Web Information System and the weakness of the services it provides. We have described in detail how to use vulnerability scan for risk assessment. In fact, there is another very important issue that we cannot ignore. It is to check which services are provided by the Web information system, because it is directly related to the generation and harm of system vulnerabilities. On the one hand, Web information systems provide users with a variety of high-quality network services, including Http, Ftp, Smtp, Pop3, and so on. On the other hand, increasing services mean more risks. Each service must have some defects, which may be exploited by hackers to attack the system. Therefore, servers that provide specific services should open ports that are essential for providing services as much as possible, and disable services that are not related to server services, such as a machine that serves as www and ftp servers, only ports 80 and 25 should be opened, and other unrelated services should be turned off to reduce system vulnerabilities.

Therefore, we need to use relevant tools for the actual use of the Web system to effectively detect and handle the network services and ports opened by the system in a timely manner, and disable unnecessary services and ports to prevent hackers and illegal users from intruding into the information system. Obviously, this is a very arduous and long-term task. Managers need to invest considerable material and financial resources at the technical and management levels to ensure the security of Web information systems.