A Comparative Evaluation of Automated Vulnerability Scans Versus Manual
Total Page:16
File Type:pdf, Size:1020Kb
CYBER 2018 : The Third International Conference on Cyber-Technologies and Cyber-Systems A Comparative Evaluation of Automated Vulnerability Scans versus Manual Penetration Tests on False-negative Errors Saed Alavi, Niklas Bessler, Michael Massoth Department of Computer Science Hochschule Darmstadt (h da) — University of Applied Sciences Darmstadt, and Center for Research in Security and Privacy (CRISP), Darmstadt, Germany E-mail: fsaed.alavi,[email protected], [email protected] Abstract—Security analysis can be done through different types knowledge. Then, we use two popular vulnerability scanners to of methods, which include manual penetration testing and au- generate automated vulnerability reports. We make use of the tomated vulnerability scans. These two different approaches proprietary software Nessus and the free software framework are often confused and believed to result in the same value. OpenVAS. In a final step, we validate both manually and To evaluate this, we have build a lab with several prepared automatically generated reports and determine error rates, vulnerabilities to simulate a typical small and medium-sized where we finally consider the knowledge, of building a self- enterprise. Then, we performed a real penetration test on the lab, and a vulnerability scan as well, and then compared the results. made lab environment, which has been totally absent up to Our conclusion shows, that the results obtained through both this point. types of security analysis are highly distinct. They differ in time This paper is organized as follows: Section II gives an expenditure and false-positive rate. Most importantly, we have overview of the relevant terminology. Section III summarize seen a remarkable higher false-negative rate in the vulnerability the research achievement of previous scientific publications on scan, which suggests that automated methods cannot replace this topic. In Section IV we explain all tasks of the particular manual penetration testing. However, the combination of both work packages in their chronological order. This includes how methods is a conceivable approach. we build the lab environment, our methodology used in the Keywords–Security analysis; penetration test; vulnerability scan. penetration test and how we configured the two vulnerability scanners. Section V provides our results and analysis. Section I. INTRODUCTION VI summarizes our conclusion. Finally, Section VII talks about Information technology (IT) security has become more and possible future work. more important, due to the increasing threat of cybercrime. Therefore the demand for security analysis of information II. BACKGROUND technology infrastructure is constantly growing. The purpose In this section, we introduce the terminology. We also of such a security analysis is to identify threats, estimate define several terms, due to lack of a standardized definitions. likelihood and potential consequences, which makes it possible Furthermore, we describe the two different error types, explain to determine a risk value eventually. Results are achieved their meaning in the context of a security analysis and point through different methods of security testing. However, these out their relevance. security tests can vary significantly in cost, scope, informative value and other characteristics. In this paper, we distinguish A. Security analysis between penetration tests (colloquially known as pentest) and Security analysis refers to the process of identifying se- vulnerability scans (abbreviated vuln scan). curity related issues and determining their estimate of risk as The goal of this research is to assess which method of well. The process of looking for vulnerabilities can be either in security analysis should be considered to be better relating to technical manner, including penetration tests and vulnerability false-positives errors as well as false-negative errors. In this scans. Or it is in organizational manner, e.g., business process paper, we focus on the false-negative rate. The reason for analysis or enter into a dialog with employees. We only cover this is, that this type of error is more severe. To accomplish the technical part. Furthermore, all findings shall be assessed in this research goal, we strictly separate the work in isolated their risk value and include recommendations for appropriate work packages as summarized in this section. The overall measures. As an example periodic security assessments are experimental setup is described in detail in Section IV. required in several security standards such as the Payment Card First, one of the authors builds a lab environment, which Industry Data Security Standard (PCI DSS) [1]. It requires represents a typical and representative IT infrastructure of a quarterly external vulnerability scans and external penetration small and medium enterprise. In addition, the computer sys- testing at least annually. tems are prepared with various vulnerabilities. Following this, a typical penetration test will be performed by another author, B. Risk who is in the role of a penetration tester. This happens without A risk is always associated with potential harm to an any knowledge of the previous work package (preparation of infrastructure, respectively to an whole organization. It consists the lab environment). Using this approach, we want to ensure of two factors: the potential impact and the probability of that all vulnerabilities are revealed in a proper way through real occurrence. Both values should be understood as estimates, pentesting and results are not influenced in any way by prior which are represented in a quantitative (e.g., amount of money) Copyright (c) IARIA, 2018. ISBN: 978-1-61208-683-5 1 CYBER 2018 : The Third International Conference on Cyber-Technologies and Cyber-Systems or qualitative (e.g., low, medium, high) form. Figure 1 shows G. False-negative error how we categorized the risk values for the penetration test. A false-negative error is a result, that wrongly indicates the absence of a given condition, where the condition is actually present. This type of error basically refers to an existing vulnerability, which is not found through testing. False-negative errors are very critical within the context of security analysis, because they result in unreported and thus unfixed vulnerabilities. III. RELATED WORK Some research achievement already has been accomplished when it comes to comparing manual and automated methods for security analysis. Therefore, we want to give an overview of the current state of research and show other scientific publications, which address the similar research question. Austin et al. [2] conducted a case study on two Electronic Figure 1. Risk matrix. Health Records (EHR) systems with the objective to compare different approaches of security analysis. In contrast to our research they have chosen two open source EHR systems as C. Penetration test subject for study and rather performed a White-box test on Penetration testing describes the simulation of a genuine computer software, whereas we performed a Grey-box pene- cyber attack. Its goal is to identify vulnerabilities, thereby tration test on a whole IT-infrastructure. In their publication, reducing security risks. This is done using a wide range of they distinguish between systematic and exploratory manual attack vectors to cover as much potential vulnerable points penetration testing, static analysis and automated penetration as possible. Components of such a test includes especially testing. The authors claim, that no single technique discovered extensive manual testing and automated tool sets for at least every type of vulnerability and almost no individual vulnera- common vulnerabilities. In contrast to a real attack, pentests bilities were found by more than one type of security analysis. differentiate in motivation, time expense and legality. Furthermore, they conclude, that systematic penetration testing was the most effective way. At the same time, static analysis D. Vulnerability scan and automated pentesting shouldn’t be relied on, because these two methods result in a higher rate of undiscovered vulnerabil- A vulnerability scanner is a computer program, which ities (false-negatives). However, automated penetration testing identifies known vulnerabilities in an automated way. Such was the most efficient detection technique, when it comes to Vulnerability scans can be performed either unauthenticated or found vulnerabilities per hour. authenticated. Running the scan with corresponding credentials often leads to lower error rates and results of higher quality. Holm [3] investigated in his research how many vul- Typically a vuln scan is very fast and do not require much nerabilities would be remediated if one would follow the technical knowledge, except in interpreting its results. It is a recommendations provided by an automated vuln scan. For common practice to perform a vulnerability scan and claim it this purpose both authenticated and unauthenticated scans of as pentest, although a pentest is actually ordered. seven different network vulnerability scanners were evaluated. The author concludes that “a vulnerability scanner is a usable security assessment tool, given that credentials are available E. Informative base of testing for the systems in the network”. However, they do not find Black-box testing refers to testing without knowing the all vulnerabilities and likewise do not provide a remediation internal structure of a system (correlates to the knowledge of guideline