On Vulnerability Scanning – Part 2

Thus do many calculations lead to victory, and few calculations to defeat: how much more no calculation at all! It is by attention to this point that I can foresee who is likely to win or lose.
Sun Tzu, Art of War

This is the 2nd part of my vulnerability scanning post.

Background:
A friend of mine asked me if I can give my advice about vulnerability scanning. He is enrolled in an infosec class at one of the universities here. He said this vulnerability scanning is an educational project for them.

Here are his questions:

  • Is it legal to perform a vulnerability scan from an external source?
  • Do I have a recommendation on how they should do the vulnerability scanning?
  • What are the standard parameters/elements of vulnerability scanning that they should use in this vulnerability assessment exercise?
  • Their group agreed to do scanning on “Company X”. Again, any advice on possible legal and other complications?
  • Is security vendor “Company Y” providing a secure online vulnerability assessment tool?

In the first part of the post, I focused on the planning, high-level objectives and scoping of the project. This post discusses my feedback on the other items.

Is it legal to perform a vulnerability scan from an external source?

Most of the vulnerability scan and assessment tools that I know of have legal implications. The legal complexity mainly depends on which country or jurisdiction “Company X” operates in. At the very least the students should know the applicable laws in their respective countries. At the end of the day, it will be a lawyer and/or legal expert who can say whether it is legal or not, so I may not be the best candidate to answer this question.

Do I have a recommendation on how they should do the vulnerability scanning?

For the vulnerability scans I directly participated in, the usual setup was that the entity being scanned and assessed provided consent and the scans were made inside their network. So the key concepts here are consent and internal scanning. The targets of my scans were within a defined network, and the vulnerabilities being searched for were clearly identified. The purpose of our vulnerability scan exercise was to notify the IT admins and let them address the “vulnerable” machines and mitigate the risk of malware infection.
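To make the "defined network" and "consent" idea concrete, here is an added example (my own illustration, not code from the original post or from any scanner) of a pre-flight check that a scanning script can run before it touches anything: the list of requested targets is compared against the networks named in a written authorization, and anything outside that scope is rejected rather than scanned. The authorization record, CIDR ranges and target addresses below are constructed sample values, and the function and class names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ScanAuthorization:
    """Consent record for a scan: who signed off and which networks it covers.

    In practice this would be loaded from the signed scope document agreed
    with the asset owner; here it is constructed inline for the example.
    """
    authorized_by: str
    networks: list  # list of ipaddress.IPv4Network / IPv6Network objects

    @classmethod
    def from_cidrs(cls, authorized_by, cidrs):
        # strict=False tolerates host bits set in the CIDR (e.g. 10.0.5.1/24)
        nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        return cls(authorized_by, nets)

    def covers(self, target):
        """True if the target IP falls inside one of the authorized networks.

        Raises ValueError for anything that is not a literal IP address, so
        hostnames must be resolved (and the resolved IP checked) beforehand.
        """
        addr = ipaddress.ip_address(target)
        return any(addr in net for net in self.networks)


def filter_targets(auth, targets):
    """Split requested targets into in-scope and out-of-scope lists.

    Out-of-scope entries include addresses outside the authorized networks
    and malformed entries that cannot be parsed as an IP address.
    """
    allowed, rejected = [], []
    for target in targets:
        try:
            in_scope = auth.covers(target)
        except ValueError:
            in_scope = False  # not an IP literal: refuse rather than guess
        (allowed if in_scope else rejected).append(target)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed sample authorization: two internal ranges signed off by IT.
    auth = ScanAuthorization.from_cidrs(
        "IT admin sign-off (constructed example)",
        ["10.0.5.0/24", "192.168.10.0/24"],
    )
    # Constructed sample target list; the last three are out of scope.
    requested = ["10.0.5.17", "192.168.10.250", "10.0.9.3", "203.0.113.8", "not-an-ip"]
    ok, skipped = filter_targets(auth, requested)
    print("authorized by:", auth.authorized_by)
    print("will scan:    ", ok)
    print("rejected:     ", skipped)
```

The point of the design is that the scanner never sees a target that was not explicitly consented to: the scope check runs first, the rejected list is logged for the reviewer, and only the allowed list is handed to whatever scanning tool is in use.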

Their initial scope points to doing website scanning of “Company X”, which operates in “Country W” territory. They will do white hat work (most probably a website vulnerability scan), but the boundary between white hat (and grey hat) and black hat may not be clear. So, for example's sake, I reminded them that they should know the law of Country W; for instance, if it is the Philippines, maybe they should review the Cybercrime Prevention Act of 2012 (RA 10175) and the Electronic Commerce Act (RA 8792). Overall this can be a very tricky situation, especially if they do not engage Company X and do proper disclosure.

On motives, I told him to answer a simple question:

What will be the difference between the scanning they will do and what other malicious groups (e.g. hackers) do?

If they cannot differentiate theirs from the bad actors on the net, then they may be inviting trouble.

Scrutinizing their initial plan I found an interesting point: “Company X” operating in “Country W” is not entirely true. “Company X” is part of “Country Y” government branch offices. So we have testers who are “Country W” citizens, operating in “Country W” territory, doing vulnerability testing against “Company X”, which is part of the “Country Y” government. To summarize: the original plan is inviting bigger trouble.

So I suggested that they do internal testing with Company X, get Company X's consent, and at least do responsible disclosure of the vulnerability if they find something. More on responsible disclosure can be read here.

Is security vendor “Company Y” providing a secure online vulnerability assessment tool?

I haven’t tried “Company Y”, but I know they are an indirect competitor to my current company, so I might not be the most unbiased feedback giver. I saw “Company Y” folks at the RSA conference, and they seemed cool and tech savvy. At RSAC, we always say, “we (R&D guys) are all friends here when we are at RSA, as it is the marketing dudes on the booths who are the ones battling it out with the marketing mumbo jumbo,” and “we are all part of a bigger ecosystem”, but in reality there is really “coopetition”. Coopetition is a portmanteau of cooperation and competition.

I suggested to them that they register on the “Company Y” website, read the EULA/disclaimer of their free online VA tool and assess the capability of “Company Y”'s tools. Just take note that in infosec nothing is really “free”.