Automated Tools for Testing Computer System Vulnerability

DIANE Publishing, 1992 - Computers - 35 pages
Discusses automated tools for testing computer system vulnerability. Examines basic requirements for vulnerability testing tools and describes the different functional classes of tools. Offers general recommendations about the selection and distribution of such tools.

Popular passages

Page ii - (3) have responsibility within the Federal Government for developing technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in Federal computer systems...
Page 31 - The identification of any commercial product or trade name does not imply endorsement or recommendation by the National Institute of Standards and Technology.
Page 1 - ... Hackers, however, continue to successfully exploit these security weaknesses and undermine the integrity and confidentiality of sensitive government information. Between April 1990 and May 1991, computer systems at 34 DOD sites attached to the Internet were successfully penetrated by foreign hackers. The hackers exploited well-known security weaknesses — many of which were exploited in the past by other hacker groups. These weaknesses persist because of inadequate attention to computer security,...
Page 12 - The single vulnerability tests have a narrow scope; the system vulnerability tests exhibit a broad scope. The simplest vulnerability testing programs test for a single specific vulnerability. For example, a test might simply check for unprotected start-up files. By using a series of such tests, it is possible to identify common vulnerabilities. However, such tests do not consider the complete ramifications of the vulnerabilities. The cumulative effect of a vulnerability may be far greater than it...
Page 12 - The cumulative effect of a vulnerability may be far greater than it appears. For example, unprotected start-up files allow users to plant Trojan horses. If user X's start-up files are unprotected, and X can modify the password file, any user may masquerade as any other user. This is a simple example; more realistic scenarios can become much more complex. A single vulnerability test would identify the unprotected start-up files.
Page 11 - Active tests are intrusive in nature; they identify vulnerabilities by exploiting them. Passive tests only examine the system; they infer the existence of vulnerabilities from the state of the system. Consider the example of a password-based identification and authentication system. A password testing program might actually attempt to login with a small set of "easy
Page 12 - System vulnerability testing is more useful than a collection of single vulnerability tests. It is not always possible to correct every specific item flagged by vulnerability testing. A system vulnerability test will assist the administrator in determining the total risk (to the system) posed by a specific vulnerability.
Page 1 - To ensure that an acceptable level of security is achieved, the administrator should utilize automated tools to regularly perform system vulnerability tests. The tests examine a system for vulnerabilities that can result from improper use of controls or mismanagement.
Page 11 - Tests may mimic an attacker or simply browse through the system in more typical auditing fashion. Tests may run on the system undergoing audit or may execute on a remote system.
Page 7 - For instance, ownership is the set of individuals who are authorized to use a password. FIPS Pub 112 states that "Personal passwords used to authenticate identity shall be owned (i.e., known) only by the individual having that identity.
