Scanning with credentials has opened a new frontier for security assessment. Here’s an analogy: traditional vulnerability scanning is like a mechanic evaluating a car just by looking at the outside and listening to the motor run. It’s useful but there is so much more information available by looking under the hood and plugging into the on-board diagnostics. That level of insight and internal perspective is what credentialed scanning lends to a security assessment. But even beyond the additional perspective, there are other benefits specific to control system environments that are worth noting. The number of people who use Nessus or other scanners who do not take advantage of credentialed scanning continually surprises me. Whether you are an owner/operator, an integrator, or consultant concerned with control system security, make sure you know what is available to you. Here are three reasons to get you started.
1.) Safer scanning
The notion that you cannot scan control system networks is an outdated excuse for maintaining security status quo. Can scanning cause fragile protocol stacks and services on many control system devices and applications to crash? Absolutely, we see it all the time. Can you scan intelligently, get valuable information, and not affect the production process? Yes, Digital Bond has been doing this for nearly ten years now.
Credentialed scanning offers a very safe way to get valuable security information from control system servers and workstations — what I like to call “low impact, high value”. It does this using normal network communication methods to connect with a Windows or Unix host. There is no unexpected traffic thrown at fragile application services, just the equivalent of an administrator connecting and issuing a few console commands. Example: Simple, non-credentialed port scanning has been know to cause problems in some control system components. A credentialed scanning feature known as a “netstat port scan” is able to scan all 65,535 TCP and UDP ports with only 784 packets — almost no impact. The odds of a credentialed scan causing an “availability problem” are near zero in my estimation.
2.) More accurate results
Just like the mechanic plugging into the on-board diagnostics, credentialed scanning can give a much more accurate and thorough picture. Part of vulnerability scanning is identifying missing patches that leave a machine open to compromise. I tested an old Windows 2000 machine that hasn’t been patched in ages. The results speak for themselves: without credentials, the scan identified 11 missing patches. With credentials: 180 missing patches. Guess which one is more accurate.
The netstat port scanning makes a good case here too. Ever try to identify open UDP ports? It can be a little tricky between the nature of the protocol itself and the rate-limiting most OSes impose on ICMP response messages. Credentialed scanning offers a much more accurate report of open ports.
3.) Customized auditing
Credentialed scanning, and more specifically, the Policy Compliance plugins, allow customized auditing of operating systems, applications, databases, file content — nearly all aspects of configuration that impacts security. Nessus offers baseline files for a variety of OSes, applications, standards, and policies. Our Bandolier project extends this feature to create security audit files for control system applications. We taught a class last week at S4 on using and customizing Bandolier and even covered creating your own audit files from scratch. Want to verify that your Telvent OASyS DNA application permissions are set correctly or that your PI server doesn’t have unnecessary trusts configured? This, along with thousands of other configuration settings, are measurable thanks to configuration auditing and Bandolier.
Traditional vulnerability scanning has its place – sometimes you need to see things from a non-credentialed perspective. Because there are other attack vectors, however, it makes sense to get as complete a picture as possible. Why not use your advantage over a potential attacker? Stop kicking the tires and let’s open up the hood.