After finding potential security holes, the next step is to confirm whether they’re indeed vulnerabilities in the context of your environment. Before you test, perform some manual searching. You can research websites and vulnerability databases, such as these:
- Common Vulnerabilities and Exposures ( http://cve.mitre.org/cve )
- US-CERT Vulnerability Notes Database ( www.kb.cert.org/vuls )
- NIST National Vulnerability Database ( http://nvd.nist.gov )
These sites list known vulnerabilities — at least the formally classified ones.
If you don’t want to research your potential vulnerabilities and can jump right into testing, you have a couple of options:
Manual assessment: You can assess the potential vulnerabilities by connecting to the ports that are exposing the service or application and poking around in these ports. You should manually assess certain systems (such as web applications). The vulnerability reports in the preceding databases often disclose how to do this — at least generally. If you have a lot of free time, performing these tests manually might work for you.
Automated assessment: Manual assessments are a great way to learn, but people usually don’t have the time for most manual steps. If you’re like me, you’ll scan for vulnerabilities automatically when you can and then dig around manually as needed.
Many great vulnerability assessment scanners test for flaws on specific platforms (such as Windows and Linux) and types of networks (either wired or wireless). They test for specific system vulnerabilities and some focus around standards like the SANS Critical Security Controls and the Open Web Application Security Project ( www.owasp.org ). Some scanners can map out the business logic within a web application; others can map out a view of the network; others can help software developers test for code flaws. The drawback to these tools is that they find only individual vulnerabilities; they often don’t necessarily aggregate and correlate vulnerabilities across an entire network.
As with most good security tools, you pay for Nexpose. It isn’t the least expensive tool, but you definitely get what you pay for, especially when it comes to others taking you seriously (such as when PCI DSS compliance is required of your business). There’s also a free version Nexpose dubbed the Community Edition for scanning smaller networks with less features. Additional vulnerability scanners that work well include QualysGuard ( www.qualys.com ) and GFI LanGuard ( www.gfi.com/products-and- solutions/network-security-solutions )