ENSDV: Enhance Network Scanning for Discovering Vulnerabilities
Master Thesis by Raymond Cordova
Introduction
• Emerging Technology
  • Early-to-market technologies are ideal targets for attack
  • Vulnerabilities with wireless and Internet Protocol
• Tenable Nessus scanner - de-facto industry scanner [7]
• Design and Implementation of an Enhanced Network Scanner
• Performance Analysis of ENSDV
• Lessons Learnt and Future Directions
• Conclusion
ENSDV / Cordova
Emerging Technology
• NIST 800-82 Guide to Industrial Control Systems (ICS) Security [9]
• Emerging Technology integrates wireless and Internet with ICS infrastructure
• Integration introduces all the vulnerabilities and problems of Wireless and the Internet Protocol into ICS [6] [10]
• Manual vulnerability discovery impossible
Vulnerabilities
• Common Vulnerabilities and Exposures (CVE) [1]
• Several production meters identified as vulnerable were ignored and kept in production [6]
• $8.1 billion stimulus to secure the Smart Grid [8]
  • many vulnerabilities ignored
  • TI's encryption bug in the CC2430 microcontroller
• Regulation, Management and Guidelines
  • reduce the risk to Smart Grids
Industrial Control Systems
(Figure: ICS overview, adapted from Juniper Network White Paper on ICS 2009)
Secure the Smart Grid
(Figure: Smart Meter Implementation Percentages by Country, adapted from Global Smart Energy 2009 [3])
Nessus Vulnerability Scanner
• Automatic scanning solution approved by NERC CIP for use with SCADA, AMI/AMR [7]
• Vulnerability scanning relies on signatures of "known bad things"
• Compliance checks compare a system against the "known good"
• Flexible, reliable, robust, open source, customizable, automatic, GUI, CLI, option for safe checks/scans; still it is inadequate
• Customize plug-ins to enhance operation and resolve the inadequacy
Prototype – Difficulties Encountered
• First attempted to procure meters and collection points
  • Cost prohibitive, proprietary constraints, minimal support
• Inaccessible SCADA systems – focus shifted to Servers/Workstations that control ICS, Smart Grids, LANs, WANs, Enterprise Systems
• No access to Nessus ProFeed scanner and SCADA plug-ins
• Nessus Attack Scripting Language (NASL) [2]
  • new attack language to learn
  • Full functionality disabled in trial versions of HomeFeed
  • "buggy" when creating plug-ins
Prototype – Difficulties Encountered, cont'd
• Request made for a full version of Nessus ProFeed
• Unreadable SCADA plug-ins pre-compiled as .nbin binary files
• Create VM environment with Fedora 12 and un-patched XP
• Create custom plug-ins
  • 0-day vulnerability plug-in
  • audit scripts [4] [5]
Nessus Scanner
• Centralized automatic scanning tool for most Operating Systems
• Vulnerability scanning and Compliance checking
  • local or remote
• Server/Client with GUI or CLI
• Nessus Knowledgebase (KB)
  • designed so that the results of one script can be used in other scans
• Script Methodology -> write custom script
  • execute only if necessary
  • use other scripts' results by means of dependency statements
  • share by saving to KB, uploading report results, plug-ins
• A plug-in is written to scan for only one vulnerability at a time
Methodology
• Select the target and develop a baseline "gold" standard
• Perform baseline scan and patch as necessary
• Develop an enhanced plug-in for any newly identified vulnerability and compliance check
• Test plug-ins on prototype, lab, or test equipment
• Compare baseline and subsequent scans
• Repeat process at scheduled intervals per policy
Prototype Layout
(Figure: prototype network layout)
Vulnerability Script Structure
Header Section - include scripts to be used with nessusd
    include("compat.inc");
Description Section - register information
    script_name(english:"iepeers.dll 0-day vulnerability ...");
Attack Section - script code functions
    port = get_kb_item("Services/ssh");
    if (!port) port = 22;
iepeers_dll_0day.nasl - code excerpts
    # Header
    ...
    include("compat.inc");

    # Description
    if (description)
    {
      script_id(50003);
      ...
      script_name(english:"iepeers.dll 0-day vulnerability in Internet Explorer versions 6 or 7");
      script_summary(english:"Checks Internet Explorer version for 0-day use-after-free vulnerability.");
      ...
      script_set_attribute(attribute:"risk_factor", value:"Medium");
      ...
      script_family(english:"Windows");
      ...
      script_dependencies("smb_hotfixes.nasl");
      ...
      script_require_ports(139, 445);
    }

    # Attack Script
    ...
Nessus Vulnerability Enhanced Scan Result, cont'd
(Screenshot: scan result with Recommended Solution)
Audit File Script Structure
Check Type Section - define type of check and plugin version
    <check_type:"Unix">
    ...
    </check_type>
Custom Item Section - custom script contents
    <custom_item>
    type:FILE_CONTENT_CHECK
    ...
    expect:"PermitRootLogin no"
    </custom_item>
FC12 Audit File Script
    # Check Type
    <check_type:"Unix">
    # Custom Item
    <custom_item>
    type:FILE_CONTENT_CHECK
    description:"Check if PermitRootLogin is set to no and not commented for server."
    file:"/etc/ssh/sshd_config"
    regex:"^ *[^#]*PermitRootLogin *"
    expect:"PermitRootLogin no"
    # Closing Tags
    </custom_item>
    </check_type>
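To show what the custom_item above actually tests, here is an added example (not part of the thesis or of Nessus) that parses the FC12 audit item and scores it against three constructed sshd_config files; the regex/expect pairing and the FAILED result for an absent directive follow my reading of FILE_CONTENT_CHECK semantics, stated in the comments.

```python
import re

# Audit item transcribed from the FC12 audit file slide (constructed copy for this example).
AUDIT_ITEM = '''
<custom_item>
type:FILE_CONTENT_CHECK
description:"Check if PermitRootLogin is set to no and not commented for server."
file:"/etc/ssh/sshd_config"
regex:"^ *[^#]*PermitRootLogin *"
expect:"PermitRootLogin no"
</custom_item>
'''

# Constructed sshd_config contents standing in for /etc/ssh/sshd_config on a target.
SSHD_CONFIG_GOOD = "Port 22\n#PermitRootLogin yes\n  PermitRootLogin no\n"
SSHD_CONFIG_BAD = "Port 22\n#PermitRootLogin yes\nPermitRootLogin yes\n"
SSHD_CONFIG_ABSENT = "Port 22\n#PermitRootLogin yes\n"   # only the commented-out default


def parse_custom_item(text):
    """Extract the key:"value" lines of a <custom_item> block into a dict."""
    body = re.search(r"<custom_item>(.*?)</custom_item>", text, re.S).group(1)
    item = {}
    for line in body.strip().splitlines():
        key, _, value = line.partition(":")
        item[key.strip()] = value.strip().strip('"')
    return item


def evaluate_file_content_check(item, file_text):
    """Score one FILE_CONTENT_CHECK item against file contents: PASSED or FAILED.

    Lines selected by `regex` are the directive lines that are not commented
    out (the `[^#]*` prefix excludes '#PermitRootLogin yes'); every selected
    line must also match `expect`. If no line is selected, the compiled-in
    sshd default applies, so the check is scored FAILED (assumption made
    here about how an absent directive should be treated).
    """
    selector = re.compile(item["regex"])
    expected = re.compile(item["expect"])
    selected = [ln for ln in file_text.splitlines() if selector.search(ln)]
    if not selected:
        return "FAILED"
    return "PASSED" if all(expected.search(ln) for ln in selected) else "FAILED"


if __name__ == "__main__":
    item = parse_custom_item(AUDIT_ITEM)
    for label, cfg in (("good", SSHD_CONFIG_GOOD), ("bad", SSHD_CONFIG_BAD),
                       ("absent", SSHD_CONFIG_ABSENT)):
        print(f"{item['file']} [{label}]: {evaluate_file_content_check(item, cfg)}")
```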
Nessus Audit Enhanced Scan Result, cont'd
(Screenshot: audit scan result)
Non-Credential Scan Results of ISSG lab subnets 60 and 62
• 6 out of 31 High Risk Problems Found
Credential Scan Results of ISSG lab subnets 60 and 62
• 19 out of 34 High Risk Problems Found
Performance Results
(Chart: Non-Credential Scan vs. Credential Scan)
Lessons Learnt
• SCADA network testing not possible
• Nessus Scanner de-facto standard
  • inadequate
• NASL new language learned
  • time consuming tests
  • unforgiving syntax
• Methodology shifted to consider sharing with Nessus community users for greater contribution
• Credential scans take longer but are more comprehensive
Future Work
• Continue meaningful research in a lab setup of MPS2530 development kit controllers with Nessus
• Research compiler and interpreter for .nbin script development for Smart Grid applications
• Audit file and C+ integration for automatic update
• Create custom plug-ins to check the ZigBee stack
  • Pseudo Random Number Generator (PRNG)
    • versions earlier than 2.3 exhibit this vulnerability
• Extend audit files for OS-specific registry keys and files
• System alert if a plug-in is removed from the directory
Conclusion
• Provided a survey of emerging technology
• Developed methodology to enhance network scans
• Created plug-ins to enhance the network scanner
• Applied scans to ISSG lab
• Detected many "bugs" in a mix of hardware and OS's
  • Buffer overflows (BO's), Remote Root Login, Telnet and SSH
• Spent 9 months working on research and experiments
References
[1] Common Vulnerabilities and Exposures (CVE). http://www-arc.com/sara/cve/cve.html
[2] Deraison, Renaud. Reference Manual for Nessus Attack Scripting Language, Version 1.4.0. http://www.virtualblueness.net/nasl.html
[3] Global Smart Energy White Paper. http://www.smartgridnews.com/artman/uploads/1/Berst_NGA_Feb_2009.
[4] Information on 0-day vulnerability discovered in the wild, March 2010. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806
[5] Information on 0-day vulnerability discovered in the wild, March 2010. http://secunia.com/advisories/cve_reference/CVE-2010-0806/
[6] Journal of Energy Security, "Making a Secure Smart Grid a Reality", sub-paragraph "Weaknesses in the Smart Grid", pp. 3-7, October 2009. http://www.ensec.org/index.php?option=com_content&view=article&id=218:making-a-secure-smart-grid-a-reality&catid=100:issuecontent&Itemid=352
[7] NERC approval of Nessus Scanner. http://www.nessus.org/solutions/index.php?view=nerc
[8] "Smart Grid Stimulus Funding Revealed!", p. 3, October 2009. http://earth2tech.com/2009/10/27/smart-grid-stimulus-funding-revealed/
[9] Stouffer, Keith; Falco, Joe; Scarfone, Karen. Special Publication 800-82, Final Public Draft, Guide to Industrial Control Systems (ICS) Security, Recommendations of the National Institute of Standards and Technology. http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
[10] Weiss, Joseph. "Current Status of Cyber Security of Control Systems", Testimony of Joseph M. Weiss, Control Systems Cyber Security Expert, before the Committee on Commerce, Science, and Transportation, U.S. Senate, March 19, 2009.
Questions?
Nessus Scanner Windows 7 Scan Report
(Screenshot: plug-in output)