07 December, 2006

Passive Vulnerability Scanning (PVS) - SCADA

Update:
I made a huge mistake in this post. N-Circle does not offer passive vulnerability scanning. Instead of changing the content (which I don't believe in for other than minor spelling and grammatical items) I am leaving this at both ends of the post. Once more, N-Circle does not offer PVS. Tenable does, and Mu is sort of a variant.

Ok, I have a confession to make.

I have been ignoring an entire dimension of the SCADA scanning discussion.

I have ignored it for two reasons.

1. It just isn't that fun because it doesn't generate as much of a conundrum to argue about.
2. The thread started with a discussion of active scanning, and I wanted to stress the overall importance of scanning vs not, even if it means some risk.

Passive Vulnerability Scanning (PVS) is essentially sniffing network traffic and using known characteristics of that traffic to identify systems that are likely to have vulnerabilities.

The gurus will probably jump all over me here, but it is basically matching network traffic signatures to likely OSes, patch levels, and applications, and then linking that data to vulnerability information.

It isn't that new. I was following some Snort items similar to this a few years ago. They were comparing the Snort rule hits against known characteristics from a variant of NMAP's fingerprints (or maybe it was QUESO... whatever) and using that to passively identify OS and patch level.

The key here (and why it is germane to the SCADA scanning discussion) is that passive vulnerability detection does not require you to touch the monitored system at all: no probe packets are sent, so there is no realistic chance of causing a problem on it. You set up a mirror (SPAN) port or a tap and sniff the traffic. That is the only impact to the PCN, provided the capture interface itself is kept from transmitting onto the monitored segment (no IP address on it, nothing listening).
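To make the matching concrete, here is a toy passive fingerprinter in Python. It is an added example, my own illustration rather than code from this post or from Tenable, Mu or N-Circle, and everything in it is assumed for the sake of the demo: the constructed capture, the p0f-style OS signature table, and the fictional vendor, product and advisory entries. It parses raw IPv4/TCP frames, guesses the OS of hosts that send SYNs from TTL and window size, reads a product banner out of an HTTP Server header and out of a Modbus/TCP Read Device Identification reply (function 0x2B, which many Modbus devices on port 502 answer), and links the resulting inventory to the advisory table. It never sends a packet.

```python
"""Toy passive vulnerability scanner (added example, not from the original post
or any vendor it mentions).  Parses captured IPv4/TCP frames, infers OS from
SYN characteristics, identifies applications from reply payloads, and matches
the inventory against a constructed advisory table.  Transmits nothing."""
import socket
import struct

# Constructed p0f-style OS signatures keyed on (initial TTL, SYN window size).
# Values are assumed for illustration, not a vetted signature database.
OS_SIGNATURES = {
    (128, 65535): "Windows NT-family (guess)",
    (64, 5840): "Linux 2.4/2.6-family (guess)",
}

# Constructed advisory table keyed on a product-string prefix.  Vendor and
# product names are fictional placeholders, not real advisories.
ADVISORIES = {
    "ExampleVendor ExamplePLC 1.0": "placeholder: firmware 1.0 listed in constructed table",
    "ExampleHTTPd/2.1": "placeholder: web server build listed in constructed table",
}


def ttl_bucket(ttl):
    """Round an observed TTL up to the nearest common initial TTL (assumes <32 hops)."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial
    return ttl


def parse_frame(frame):
    """Parse a raw IPv4+TCP frame (no link layer); return None for non-TCP."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if proto != 6:
        return None
    tcp = frame[(ver_ihl & 0x0F) * 4:]
    sport, dport, _, _, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", tcp[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "sport": sport, "dport": dport, "window": window,
            "syn": bool(off_flags & 0x02), "ack": bool(off_flags & 0x10),
            "payload": tcp[(off_flags >> 12) * 4:]}


def os_guess(pkt):
    """Only a bare SYN reflects the sender's stack defaults; replies echo negotiation."""
    if pkt["syn"] and not pkt["ack"]:
        return OS_SIGNATURES.get((ttl_bucket(pkt["ttl"]), pkt["window"]))
    return None


def parse_modbus_device_id(payload):
    """Decode a Modbus/TCP function 0x2B / MEI 0x0E (Read Device Identification) reply."""
    if len(payload) < 7:
        return None
    _, proto_id, length, _ = struct.unpack("!HHHB", payload[:7])   # MBAP header
    pdu = payload[7:7 + length - 1]                                  # length counts unit id + PDU
    if proto_id != 0 or len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        return None
    names, objects, i = {0: "vendor", 1: "product", 2: "revision"}, {}, 7
    for _ in range(pdu[6]):          # pdu[6] = number of (id, len, value) objects
        if i + 2 > len(pdu):
            break                    # truncated reply: keep what we have
        oid, olen = pdu[i], pdu[i + 1]
        objects[names.get(oid, oid)] = pdu[i + 2:i + 2 + olen].decode(errors="replace")
        i += 2 + olen
    return objects


def app_guess(pkt):
    """Identify an application from a server-side reply payload."""
    p = pkt["payload"]
    if pkt["sport"] == 80 and p.startswith(b"HTTP/"):
        for line in p.split(b"\r\n"):
            if line.lower().startswith(b"server:"):
                return ("http", line.split(b":", 1)[1].strip().decode(errors="replace"))
    if pkt["sport"] == 502:
        ident = parse_modbus_device_id(p)
        if ident:
            return ("modbus", ident)
    return None


def build_inventory(frames):
    """Fold observed frames into a per-source-IP inventory of OS and application guesses."""
    inventory = {}
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        host = inventory.setdefault(pkt["src"], {"os": None, "apps": []})
        host["os"] = host["os"] or os_guess(pkt)
        app = app_guess(pkt)
        if app and app not in host["apps"]:
            host["apps"].append(app)
    return inventory


def product_string(app):
    kind, detail = app
    if kind == "http":
        return detail
    return " ".join(str(detail.get(k, "?")) for k in ("vendor", "product", "revision"))


def match_advisories(inventory):
    """Link identified products to the advisory table by prefix: (ip, product, note)."""
    return [(ip, product_string(app), note)
            for ip, host in inventory.items() for app in host["apps"]
            for prefix, note in ADVISORIES.items() if product_string(app).startswith(prefix)]


# --- constructed sample capture (built here, not taken from a real network) ---
def make_frame(src, dst, sport, dport, flags, ttl, window, payload=b""):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp + payload


def modbus_device_id_reply(vendor, product, revision):
    objs = b"".join(bytes([i, len(v)]) + v.encode() for i, v in enumerate((vendor, product, revision)))
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 3]) + objs
    return struct.pack("!HHHB", 1, 0, len(pdu) + 1, 1) + pdu


SYN, PSH_ACK = 0x02, 0x18
SAMPLE_FRAMES = [
    make_frame("10.1.1.20", "10.1.1.5", 49152, 502, SYN, 126, 65535),   # HMI box, two hops away
    make_frame("10.1.1.5", "10.1.1.20", 502, 49152, PSH_ACK, 64, 8192,
               modbus_device_id_reply("ExampleVendor", "ExamplePLC", "1.0")),
    make_frame("10.1.1.5", "10.1.1.20", 80, 49153, PSH_ACK, 64, 8192,
               b"HTTP/1.0 200 OK\r\nServer: ExampleHTTPd/2.1\r\n\r\n"),
    make_frame("10.1.1.30", "10.1.1.5", 40000, 502, SYN, 62, 5840),     # historian
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FRAMES)
    for ip, host in inv.items():
        print(ip, host["os"], [product_string(a) for a in host["apps"]])
    for hit in match_advisories(inv):
        print("MATCH", *hit)
```

Run it as a script and it prints the inventory and the two matches against the fictional PLC and web server. A few design points track the weaknesses of the approach: only bare SYNs feed the OS guess, because the window size on a reply reflects negotiation rather than the sender's defaults; the TTL is rounded up to the nearest initial value, which is exactly the kind of heuristic that misfires once traffic has crossed a proxy or NAT box; and a host that only ever appears as a destination, with nothing from it crossing the mirror port, never shows up in the inventory at all.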

Let's be clear here there are some weaknesses to doing it this way.

  • You only see systems whose traffic passes the monitored port, so you can miss a lot depending on where you locate the sniff point.
  • There is only so much data you can acquire about a system by watching its traffic without interacting with it (though admittedly this is a surprisingly large amount).
  • Encrypted or tunneled traffic hides most of the application-layer detail the matching relies on.
  • It will have false positives (though there are mechanisms to weed those out).
  • It is not nearly as effective at identifying and verifying actual vulnerabilities, since it can only infer them from observed versions and behavior rather than test for them.

But it is nearly risk free.

If you work in a shop that realistically has no chance of getting an active scan approved to identify your weaknesses, this is a very good option.

It is also a good option as a preliminary investigation method before doing more intrusive actions.

Those actions still need to happen (as a matter of fact, they probably already are happening without your knowledge), but this can buffer both the political and real risk.

There are a couple of companies doing this and I have already mentioned three.

N-Circle has been doing PVS for a while and integrates it neatly with the ability to match it against what active attacks are occurring. - Not True

Both MUSecurity and Tenable are developing signatures specific to SCADA.

The differentiators in this field are likely to be the quality and quantity of the matching, how well their signature library maps to your specific needs, and ease of monitoring/management.

Tenable probably has a lead on the SCADA side of this because of their engagement with Dale at Digitalbond, but N-Circle is leading overall. - I'll stand by the first statement; I was flat out wrong on the second

Update:
I made a huge mistake in this post. N-Circle does not offer passive vulnerability scanning. Instead of changing the content (which I don't believe in for other than minor spelling and grammatical items) I am leaving this at both ends of the post. Once more, N-Circle does not offer PVS. Tenable does, and Mu is sort of a variant.
