NetAlly® recently introduced the CyberScope™, the world’s first handheld cyber security analyzer. You might look at it and say it seems an awful lot like the LinkRunner®10G or EtherScope® nXG that is currently available, but there are some important differences, and the devices are focused on different markets. While the current LinkRunner 10G and EtherScope nXG focus on Wired and Wireless network analysis, starting at the physical layer, the CyberScope expands on this with specific security capabilities that leverage Nmap, a popular network and endpoint scanning application. CyberScope fully integrates Nmap into its AutoTest and Discovery workflows, with test results logging and team collaboration in Link-Live. In addition, CyberScope features a new Nmap app with an easy-to-use GUI, profiles, and support for the Nmap Scripting Engine, or NSE. Before we go too far down the security rabbit hole let’s talk about what vulnerability assessments are and why they are important from a high level.
What is Vulnerability Assessment?
According to Wikipedia a vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. As the NetAlly handheld tools are geared towards information technology professionals in the physical cabling and networking verticals, our “system” is comprised of the networking equipment providing connectivity and any device connected to said network. Vulnerability assessments are performed alongside a process known as “penetration testing” (or pen testing) which is where a security expert tries to find, and potentially exploit, vulnerabilities. As an example, a pen tester might be asked to ensure proper password policies are being adhered to. Some of the steps performed can consist of both direct attacks against the network using exploit tools, while some could be more social in nature using phishing attempts.
Proactive and reactive vulnerability assessments
Depending on the type of tests being performed these can either be proactive or reactive. The example of password policy tests is more of a proactive test. These types of tests can be scripted to be performed randomly at set intervals if you know how to create scripts in Python or other programming languages. You could also follow the common vulnerabilities and exposures, or CVEs, feeds for new alerts. When a new alert is issued a scan should be performed if it is pertinent to your system. An example of a reactive test would be where you find some interesting traffic logs on your firewall for a software application in your system. Upon investigating the logs you determine there is an exploit being used and your system is compromised, at this point you need to determine what your full risk is and how many other components on your system are either a) actively exploited or b) vulnerable. Being reactive in cybersecurity brings with it extensive risks. Imagine if you were compromised with a ransomware attack. How much of your business will be impacted by being locked out of all or a portion of your digital footprint? Will you still be able to operate, or will you be at a stand-still?
Being proactive isn’t just about testing against known CVE’s though. Being proactive with your vulnerability assessments enables you to create a known baseline, allowing abnormalities to stick out more in the logs. Digital threats are becoming increasingly smarter and complex while also being easier to performed. While the Internet has been great for spreading knowledge to further humanity, as with all things there is a darker side that exists. Attackers can obtain personal information through massive dumps, enabling attackers to find commonly used passwords for gaining access to systems.
Using NMAP for vulnerability assessments
When performing vulnerability assessments, whether they be proactive or reactive, one of the core applications used is called Nmap. This application is generally referred to as a network scanning tool, the results of the scan will then be used to either a) perform a risk analysis and/or b) feed a list of hosts/devices into another tool to actively attempt to exploit. Nmap can be installed on most any computer device out there running either Linux, Windows, or macOS. Typically, Nmap is ran from the command line interface, or CLI, leveraging various “switches” which cause Nmap to operate in different ways. This is one of the main issues with penetration testing and other “red team tools” is the complexity behind some of them.
The CyberScope aims to provide a higher level of confidence in your vulnerability assessment results by creating efficient and repeatable processes for performing the assessments by anybody through a graphical user interface. As we’ll see in the next few blog posts, we will introduce you to the concept of the Nmap Scripting Engine and how you can leverage that to ensure that when you are reviewing your Discovery results for example in Link-Live you have a high level of confidence of the data to perform a risk analysis against.
For additional CyberScope resources visit cyberscope.netally.com