Performance of automated network vulnerability scanning at remediating security issues

This paper evaluates how large a portion of an enterprise's network security holes would be remediated if one followed the remediation guidelines provided by seven automated network vulnerability scanners. Remediation performance was assessed for both authenticated and unauthenticated scans. The overall findings suggest that a vulnerability scanner is a usable security assessment tool, given that credentials are available for the systems in the network. However, there are issues with the method: manual effort is needed to reach complete accuracy, and the remediation guidelines are often very cumbersome to study. Results also show that a scanner that is more accurate at remediating vulnerabilities is generally also better at detecting vulnerabilities, but is in turn more prone to false alarms. This holds regardless of whether the scanner is provided with system credentials.
