Vulnerability Assessment

Tools
Information Assurance
Tools Report
Fifth Edition
September 25, 2009
Vulnerability
Assessment
EX
Distribution Statement A
S E R VICE
C E L L E NC E
I NF
O R MA T
IO
Approved for public release; distribution is unlimited.
Table of Contents
SECTION 1
Introduction. . . . . . . . . . . . . 1
1.1 Purpose. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Report Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
SECTION 2
I
T Risk Management
Overview. . . . . . . . . . . . . . . 5
2.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 Growth in IT Incidents and Vulnerabilities. . . . . . . . . . . . . 5
2.3 What is Risk Management?. . . . . . . . . . . . . . . . . . . . . . . 6
SECTION 3
A
utomated Vulnerability
Assessment Tools. . . . . . . . 9
3.1 How Vulnerability Assessment

Tools Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2 Definition Box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.3 How Vulnerability Assessment Tools Can Be
Incorporated into a Security Plan . . . . . . . . . . . . . . . . 11
SECTION 4
Tool Collection . . . . . . . . . 13
4.1 Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.2 Tool Selection Criteria. . . . . . . . . . . . . . . . . . . . . . . . . . . 13
SECTION 5
V
ulnerability
Analysis Tools. . . . . . . . . . 15
Acunetix Web Vulnerability Scanner. . . . . . . . . . . . . . . . . 16

AppDetective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
ASG Information Assurance Application (IA2). . . . . . . . . . 18
BigFix Security Configuration and Vulnerability
Management Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Computer Oracle and Password (COPS). . . . . . . . . . . . . . . 20
CORE IMPACT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
DominoScan II. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
DumpSec v2.8.6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
eTrust Policy Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Fortiscan Vulnerability Management. . . . . . . . . . . . . . . . . . 25
GFI LANguard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Gideon SecureFusion Vulnerability Management. . . . . . . 27
Host Based Security System (HBSS). . . . . . . . . . . . . . . . . . 28
Internet Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Lumension Scan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
MBSA 2.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
McAfee Vulnerability Manager. . . . . . . . . . . . . . . . . . . . . . 32

Metasploit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
N-Stalker Web Application Security Scanner. . . . . . . . . 34
nCircle IP360. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Nessus Vulnerability Scanner. . . . . . . . . . . . . . . . . . . . . . . 36
NetIQ Secure Configuration Manager. . . . . . . . . . . . . . . . 37
Network Mapper (Nmap). . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Nikto v2.03. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Orascan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Paros Proxy v3.2.0Alpha. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Proventia Network Enterprise Scanner. . . . . . . . . . . . . . . 42
proVM Auditor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
QualysGuard Vulnerability Management. . . . . . . . . . . . . .44
Rational AppScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Retina Network Security Scanner. . . . . . . . . . . . . . . . . . . . 46
SAINT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Second Look. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
SecureScout NX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
SecureScout Perimeter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Security Auditors Research Assistant (SARA) v7.9.1. . . . 51
Security Administrators Tool for Analyzing
Networks (SATAN). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
SNScan v1.05. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
ThreatGuard Secutor Magnus . . . . . . . . . . . . . . . . . . . . . . 54
Triumfant Resolution Manager . . . . . . . . . . . . . . . . . . . . . . 55
Typhon III. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
WebInspect. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
WebScarab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
SECTION 6
Related Resources . . . . . . 59
SECTION 7
R
ecommended
SECTION 8
Resources . . . . . . . . . . . . . 61
Definitions. . . . . . . . . . . . . 63
SECTION 9 u
Definitions of Acronyms
and Key Terms . . . . . . . . . 65
IA Tools Report
SECTION 1
Introduction
The Information Assurance Technology Analysis Center (IATAC) provides the Department of
Defense (DoD) with emerging scientific and technical information to support Information
Assurance (IA) and defensive information operations. IATAC is one of 10 Information Analysis
Centers (IAC) sponsored by DoD and managed by the Defense Technical Information Center
(DTIC). IACs are formal organizations chartered by DoD to facilitate the use of existing scientific
and technical information. Scientists, engineers, and information specialists staff each IAC.
IACs establish and maintain comprehensive knowledge bases that include historical, technical,
scientific, and other data and information, which are collected worldwide. Information
collections span a wide range of unclassified, limited-distribution, and classified information
appropriate to the requirements of sponsoring technical communities. IACs also collect, maintain,
and develop analytical tools and techniques, including databases, models, and simulations.
IATACs mission is to provide DoD with a central
point of access for information on emerging
technologies in IA and cyber security. These include
technologies, tools, and associated techniques for
detection of, protection against, reaction to, and
recovery from information warfare and cyber attacks
that target information, information-based processes,
information systems, and information technology.
Specific areas of study include IA and cyber security
threats and vulnerabilities, scientific and
technological research and development, and
technologies, standards, methods, and tools through
which IA and cyber security objectives are being or
may be accomplished.
As an IAC, IATACs basic services include collecting,
analyzing, and disseminating IA scientific and
technical information; responding to user inquiries;
database operations; current awareness activities
(e.g., the IAnewsletter, IA Digest, IA/Information
Operations Events Scheduler, and IA Research
Update); and publishing State-of-the-Art Reports,
Critical Review and Technology Assessments reports,
and Tools Reports.
The IA Tools Database is one of the knowledge bases

maintained by IATAC. This knowledge base contains
information on a wide range of intrusion detection,
vulnerability analysis, firewall applications, and
anti-malware tools. Information for the IA Tools
Database is obtained via open-source methods,
including direct interface with various agencies,
organizations, and vendors. Periodically, IATAC
publishes a Tools Report to summarize and elucidate
a particular subset of the tools information in the
IATAC IA Tools Database that addresses a specific
IA or cyber security challenge. To ensure applicability
to Warfighter and Research and Development
Community (Program Executive Officer/Program
Manager) needs, the topic areas for Tools Reports
are solicited from the DoD IA community or based
on IATACs careful ongoing observation and analysis
of the IA and cyber security tools and technologies
about which that community expresses a high
level of interest.
IA Tools Report
Section 1 Introduction
Inquiries about IATAC capabilities, products, and

services may be addressed to:
Gene Tyler, Director
13200 Woodland Park Road, Suite 6031
Herndon, VA 20171
Phone:
703/984-0775
Fax:
703/984-0773
Email:
iatac@dtic.mil
URL:
http://iac.dtic.mil/iatac
SIPRNET: https://iatac.dtic.mil
1.1
Purpose
exploitation of which would negatively affect the

confidentiality, integrity, or availability of the system
or its data. The type and level of detail of information
provided among tools varies greatly. Although some
can identify only a minimal set of vulnerabilities,
others can perform a greater degree of analysis and
provide detailed recommended countermeasures.
The most recent development in vulnerability
management is the ability for a tool to scan for
vulnerabilities, analyze the impact of the
vulnerability, determine a solution, identify the
appropriate patches and security fixes, and finally,
even deploy those patches in real time.
This report provides a brief background on

information technology (IT) risk assessment and risk
management concepts, a short primer on
vulnerability assessment tools, and an index of
vulnerability assessment tools contained in the
IATAC IA Tools Database. Moreover, the report
provides users with an understanding of why
engaging in risk management activities such as
conducting vulnerability and risk assessments is an
important aspect of assuring your critical IT assets
ability to effectively support your critical missions.
Finally, this report provides a summary of the
characteristics and capabilities of publicly available
vulnerability assessment tools. IATAC does not
endorse, recommend, or evaluate the effectiveness of
any specific tools. The written descriptions are based
solely on the suppliers claims and are intended only
to highlight the capabilities and features of each tool.
These descriptions do not reflect the opinion of
IATAC. It is up to the readers of this document to
assess which product, if any, might best meet their
needs. Technical questions concerning this report
may be addressed to iatac@dtic.mil.
The majority of the tools identified in the IA Tools

Database are available on the Internet, and many are
used by crackers in the first stage of an attack:
vulnerability information gathering. Penetration
tools, which perform destructive actions (i.e., denial
of service attacks), are excluded from this category.
Sniffers and Trojan Horse programs also are
excluded. Although many network utilities (i.e., host,
finger) are valuable in identifying vulnerabilities on a
host, they are often an automated component of
vulnerability analysis tools, and therefore are not
individually described in the database. The database
includes commercial products, individually
developed tools, government-owned tools, and
research tools. The database was built by gathering as
much open-source data, analyzing that data, and
summarizing information regarding the basic
description, requirements, availability, and contact
information for each vulnerability analysis tool
collected. Generally, the commercially developed
products are available. The government and
academic tools, however, are reserved for specific
projects and organizations.
1.2
1.3
Scope
Currently, the IATAC database contains descriptions

of numerous tools that can be used to support
vulnerability and risk assessment activities.
Vulnerability analysis tools are programs that help
automate the identification of vulnerabilities in a
network or system. Vulnerabilities can be defined as
weaknesses in a systems security scheme,
IA Tools Report
Report Organization
This report is organized into eight sections. Section 1

provides an introduction to IATAC and the
vulnerability analysis tools report. Section 2
summarizes the fundamentals of IT risk assessment
and risk management. Section 3 provides background
information on how automated vulnerability
assessment tools work. Section 4 explains the
Section 1 Introduction
classification of tools highlighted in this report, how

they were selected, and the schema of the IA Tools
Database. Section 5 includes a listing of currently
available host, network, Web-application, and
database-application vulnerability scanners as well
as tools able to manage vulnerabilities in all of the
scanning areas as well as apply patches. Sections 6
and 7 provide recommended resources that are
related to the topic of vulnerability assessment and
definitions associated with this report. Finally,
Sections 8 and 9 contain IA-related definitions and
acronyms, respectively.
IA Tools Report
SECTION 2
2.1
IT Risk Management Overview
Background
Critical Infrastructures, both cyber and physical,

provide the foundation for and enable the
functioning of every facet of American Society. [2] In
view of the heightened concerns about the wide
variety of threats and hazards that our nation faces
and the potential impact on the ability of our critical
infrastructure to resiliently support overarching
missions, the executive branch has issued a number
of actions that assign responsibilities, direct
planning, and enhance training to protect the
nations critical infrastructure and respond to all
types of threats. Homeland Security Presidential
Directive 7 (HSPD-7), Critical Infrastructure
Identification, Prioritization, and Protection (dated
December 2003), and The National Strategy to Secure
Cyberspace and The National Strategy for the Physical
Protection of Critical Infrastructures and Key Assets
(both dated February 2003) specifically address the
different threats and protection/assurance of the
nations most vital resources by providing
overarching policy guidance. These all focused on
defensive strategies, and HSPD-7 did not address the
protection of federal government information
systems. The Comprehensive National Cybersecurity
Initiative (CNCI), codified in the classified directive
known as National Security Presidential Directive
(NSPD)-54/HSPD-7, aims to unify defensive missions
in cyber security with those of law enforcement,
intelligence, counterintelligence, and military to
defend against the full spectrum of threats to the
nations critical infrastructure.
In the constantly evolving world of IT, ensuring that
our vital systems remain operational is of paramount
importance and in line with the national strategy. To
this end, Secretary Janet Napolitano of the
Department of Homeland Security (DHS) has adopted
a policy of being prepared for all risks that can
occur [9] to assure the resiliency of our nations
critical infrastructures. Cyber assets obviously make
up a significant portion of our nations critical assets

and also provide support to even more critical assets
by acting as a critical supporting infrastructure asset.
2.2
Growth in IT Incidents and Vulnerabilities
Automated attacks on information systems, and

especially attacks against Internet-connected
systems, continue to grow at such an exponential rate
that they are viewed as almost commonplace. In fact,
as of 2004, Carnegie Mellons Computer Emergency
Response Team (CERT) stopped tracking the number
of incidents reported per year because they believe it
provides little information with regard to assessing
the scope and impact of attacks. [1] The number of
incidents reported from 1988 through the end of 2003
is listed in Figure 1. Carnegie Mellons CERT now
tracks data on the number of vulnerabilities that are
reported each year. Figure 2 lists the number of
vulnerabilities that were reported from 1995 through
the end of the third quarter of 2008.
Along with the continually increasing number of
incidents and the rising number of known
vulnerabilities, the speed at which systems are
attacked is also continuing to accelerate. Identifying
vulnerabilities and addressing them in a timely
manner is crucial to maintaining a secure
environment and saves money in the long run. The
vulnerability that the Conficker worm exploited was
discovered in September 2008, and Microsoft released
a batch in October 2008. The Conficker was not
released until November 2008 and had multiple
variants labeled Conficker A - Conficker E (up until
the time of writing). Minimal estimates for Conficker
infections is around three million, while more
realistic estimates are around nine million to 15
million total infections. [11] The economic impact
ranges from the hundreds of millions to billions of
dollars to address the exploit. If more people had
identified the vulnerability and applied patches when
Microsoft first released them, Conficker would have
been a non-issue.
IA Tools Report
Section 2 IT Risk Management Overview
2.3
What is Risk Management?
Many different risk assessment and management

methodologies exist within the public and private
domains. Therefore, to fully understand risk
management, it is important to first define and
understand risk. According to the Merriam Webster
Dictionary, risk is defined as the possibility of loss or
injury. Insurance companies often view risk as the
the degree or probability of such loss. [3] Although
there are numerous definitions of risk, all definitions
are composed of three basic components
XXAssets (i.e., read it as impact of loss),
XXThreats (i.e., read it as all possible hazards),
XXVulnerabilities.
Figure 1
Number of Security Incidents report (19882003)
Figure 2
Number of Vulnerabilities Reported (1995Third Quarter 2008)
IA Tools Report
Assets
An asset in the general sense is firm property or
information that is of significant value (known as a
critical asset). In risk management, an asset refers to
the amount of damage losing a firm asset will cause
if something bad occurs. Given that most enterprise
networks have hundreds or thousands of networked
information systems, vulnerability analysis and
assessment by manual methods are virtually
impossible. In addition, it is impossible to
completely ensure that all assets are secure.
Therefore, it is imperative that information security
managers and system owners focus on identifying
only their critical assetsthose assets without which
the organizations key missions would be significantly
degraded or cease to function. This is a key part of the
risk assessment process.
Threats
Risks to critical assets can come from a variety of
threats that can be considered possible hazards and
usually fall into three categories
XXMan-made (intentional),
XXNatural disaster,
XXAccidental (unintentional) disruptions.
Therefore, an effective approach to threats will

consider the full spectrum of threats and hazards,
including natural disasters (e.g., floods, fires,
hurricanes), domestic or international criminal
activity, construction mishaps such as cutting fiber
optic lines, and others types of incidents.
Vulnerabilities
Vulnerabilities are often defined as openings or
pathways that a given threat can exploit to do harm to
a critical asset. With the three main components of
risk in mind, a picture of risk can be formulated. Risk
is viewed as the area where all three circles overlap,
as illustrated in Figure 3.
Articulated as a mathematical formula, risk looks like
the following
Risk = Threat x Vulnerability x Cost of Asset
Figure 3
Components of Risk Diagram
Because our world is constantly changing, risk

management is an ongoing activity. For example,
technology is continually evolving, especially in the
IT world, which introduces new vulnerabilities.
Threats continue to evolve as well and sometimes
even what is designated as a critical asset changes
because the needs and priorities of an organization
change. Risk management can save resources, time,
and even lives.
We can now more fully define risk as being a function

of the likelihood that a specific hazard/threat will
exploit a given vulnerability and that the resulting
impact of loss of the critical asset will cause
significant degradation or even mission failure
of the organization.
With a firm understanding of risk, risk management
can now be defined. Typically, risk management is a
process for identifying and prioritizing the cost of
assets, threats, and vulnerabilities, then making
rational decisions regarding the expenditure of
resources and the implementation of countermeasures to reduce risk of loss associated with the
exploitation of critical assets. Figure 4 illustrates the
risk assessment and management processes.
IA Tools Report
Figure 4
Risk Assessment and Management Process
From this point forward, this report focuses on the

vulnerability portion of the risk equation.
IA Tools Report
SECTION 3 u Automated Vulnerability

Assessment Tools
3.1
How Vulnerability Assessment
Tools Work
Vulnerability assessment tools, in general, work by
attempting to automate the first three steps often
employed by hackers: 1) perform a footprint analysis,
2) enumerate targets, 3) test/obtain access through
user privilege manipulation (see Table 1). The
vulnerability assessment tools evaluate networkattached devices (servers, desktops, switches, routers,
etc.) for vulnerable or potentially vulnerable
situations. Often the vulnerabilities that are
identified by these tools are programming flaws;
however, some tools provide enough data that an
analyst can uncover design, implementation, and
configuration vulnerabilities.
In the case of network-based tools, a network
footprint analysis is performed by scanning for
accessible hosts. The tools enumerate available
network services (e.g., file transfer protocol, hypertext
transfer protocol) on each host as accessible hosts are
identified. As part of the enumeration services,
scanners attempt to identify vulnerabilities through
banner grabbing, port status, protocol compliance,
service behavior, or exploitation. These terms are
defined in Section 3.2 of this document.
Some advantages to vulnerability assessment tools
are that they
XXMore clearly define an asset,
XXDiscover technological and network
vulnerabilities,
XXProvide multi-perspective view points,
XXHelp properly scope the analysis,
XXReference public catalogs,
XXHighlight design, implementation, and
configuration vulnerabilities.
When a scanner finds a host with open ports, it checks

those ports for vulnerabilities to known attacks. Most
scanners include exploit tests that verify whether a
given service or application is vulnerable. Most
scanning tools perform tests based on their database
of vulnerabilities. Just as anti-virus products must be
constantly updated with new signatures, assessment
tools must be continually updated with revisions to
their vulnerability databases. If a vulnerability is not
included in a tools database, it cannot be detected
through scanning.
3.2
Definition Box
Hackers Methodology A common approach to

system exploitation
1.
Perform a footprint analysis
2.
Enumerate targets
3.
Test/obtain access through user privilege manipulation
4.
Escalate privileges
5.
Gather additional passwords and secrets
6.
Install backdoors
7.
Leverage the compromised system
Table 1 Hackers Methodology
Banner Grabbing
This term refers to grabbing information that a
network service broadcasts about itself. For example:
Opening a telnet session to a mail server might yield
the following message: 220 mailhost.company.com
ESMTP service (Netscape Messaging Server 4.15
Patch 7 [built September 11, 2001]).
This example banner reveals the specific type of mail
server that is running and its patch level. Similarly, a
telnet connection to a Web server might yield
information such as the following
IA Tools Report
Section 3 Automated Vulnerability Assessment Tools
HTTP/1.1 200 OK
Date: Wed, 02 Jul 2003 22:03:21 GMT
Server: Apache/1.3.27 (Win32) PHP/4.2.2
X-Powered-By: PHP/4.2.1
Connection: close
Content-Type: text/html
In this case, the banner reveals the time on the Web
server, the Web server type and version, an accessible
scripting language (hypertext preprocessor [PHP]),
and the operating system on which it is running.
Port Status
This term refers to checking to determine which
network ports are open to allow connections to
applications. For network services that use
Transmission Control Protocol (TCP), this is done by
sending a TCP connect () request to ports on the
remote system. If the queried port is listening, the
connect () fails and the port is considered closed.
There are several other methods of checking port
status such as TCP synchronize [Synchronize] scans,
TCP finish [Final] scans, and so forth, that are beyond
the scope of this report.
Protocol Compliance
This term refers to the way an application or operating
system adheres to a standard procedure for data
processing or transmission. One of the most common
ways of using protocol compliance to identify remote
systems is to interrogate the TCP stack. By monitoring
the header information of outbound packets, it is
possible to make accurate guesses regarding the
remote operating system. By examining the Time To
Live on the packet, its Window Size, the Dont
Fragment bit, and the Type of Service, it is possible in
many cases to determine exactly which
implementation of the TCP stack is on the remote
system. (See Figure 5.) Determining the TCP stack
narrows the number of possible operating systems,
sometimes identifying the exact operating system.
10
IA Tools Report
Figure 5
TCP Connection (3-way Handshake)
Service Behavior
This term refers to the way a network service responds
to remote requests. Different implementations of a
given type of service may result in slightly different
behavior from remote requests. For example, a help
command response from a sendmail email server is
different from the result from a postfix email server.
Exploitation
Computer network exploitation (CNE) refers to the
enabling operations and intelligence collection
capabilities conducted through the use of computer
networks to gather data from target or adversary
automated information systems or networks. [14]
CNE can be accomplished through a variety of means
such as packet sniffing, hijacking TCP connections,
port scanning, and address resolution protocol (ARP)
spoofing. For example: ARP spoofing is a technique
used to exploit ethernet networks. This type of
spoofing can be used in two different ways
XXSending fake, or spoofed, ARP messages to an
ethernet local area network,

XXAs part of a man-in-the-middle attack.
The first means of exploitation is accomplished by
sending frames that contain false media access
control addresses, thus confusing network devices,
such as network switches. The resulting effect is that
the frames that are intended for one machine can be
mistakenly sent to another (allowing the packets to be
sniffed) or an unreachable host (a denial of service
attack). The second means of exploitation is
accomplished by forwarding all traffic through a host
with the use of ARP spoofing and then analyzing the
frames for passwords and other information.
Section 3 Automated Vulnerability Assessment Tools
3.3
How Vulnerability Assessment Tools
Can Be Incorporated into a Security Plan
Security plans are a critical aspect of a firm or
organizations secure operations. Security plans, or
more precisely, system security plans, are specific
guidelines and procedures to accomplish the secure
setup, operation, and maintenance of an information
system. To effectively implement a system security
plan for a large infrastructure, it is necessary to
leverage security technology to automate the
important and otherwise time-consuming aspects of
the security operations.
Tools for scanning are invaluable for gaining a
snapshot in time of the vulnerabilities that exist on a
given network at a given point in time. Most scanning
tools include a reporting option or module that
explains the vulnerabilities detected and provides a
ranking of the criticality of each problem (e.g., high,
medium, low). To enhance the security of your
systems, assessments should be performed on a
routine basis. This will provide the users and
administrators assurance that the system is free from
malicious code. Just as thousands of vulnerabilities
are reported each year, systems must be scanned at
regular and frequent intervals to ensure that they are
not susceptible to attack. In addition, when new hosts
are connected to the system, networks must be
checked for the risks that these new systems might
bring to the overall network. Checks must also be
conducted when newly discovered weaknesses in
existing applications and operating systems are
announced. After all, a fundamental tenet of
security is that a chain is only as strong as its weakest
link and a wall is only as strong as its weakest point.
Smart attackers are going to seek out that weak point
and concentrate their attention there. [13] A single
host that is vulnerable to attack puts the entire
network at risk.
The identification of vulnerabilities on a system is
only half the challenge. The other half of the challenge
is fixing the vulnerabilities that are found. Identified
vulnerabilities can be corrected via patches,
updating, or even reconfiguring the system. Finding
the time and money to correct the vulnerability can
be a challenge. The system and network

administrators must work with management to share
the information that was found during the assessment
and weigh the costs of correcting the vulnerability
against the benefits. There are tools that can
automatically patch a large number of vulnerabilities
and systems, but are often very expensive. Managers
and administrators need to understand their
environment and choose a solution that fits. A
manager can choose not to spend the money on a
more robust patch management solution, but must
realize that man-power must replace what he or she
has chosen not to purchase in an automated solution.
Unfortunately, scanning tools suffer from false
positive problems and false negative problems in
vulnerability identification that are similar to antivirus products. A false positive means that a tool finds
a vulnerability that does not exist. For example, a
particular scanner may report that a network server is
a Windows 2000 system that is vulnerable to a known
Microsoft Internet Information Server (IIS) Web
server bug, when in fact, the server is a Linux system
running the Apache Web server. A false negative
means that a tool fails to find an existing
vulnerability. An example of this behavior could be
when a particular tool tests a network host and fails to
discover that it is remotely exploitable through an
anonymous login.
Ultimately, common sense must be applied to all
findings to ensure that meaningful vulnerabilities
are corrected; however, time should not be wasted
on erroneous results. Finding the right balance can
sometimes be difficult. One potential strategy for
reducing the number of false positives and false
negatives is to run two different scanners against a
given network and compare the results. In most
cases, the results of both tools will complement each
other so that no weaknesses are overlooked. In all
cases, it is necessary to have a knowledgeable and
responsible security professional who can effectively
leverage security tools to manage the security
operations of an organization.
IA Tools Report
11
SECTION 4
4.1
Tool Collection
Classification
Existing community relationships were leveraged

during the process of data gathering on the tools.
Collection activities included Internet searches to
identify additional corporations, professional
organizations, and universities with involvement in
vulnerability analysis.
The tools described in the IATAC IA Tools Database
can be categorized within one or more of the topical
areas listed below
XXHost scanningHost-scanning tools scan critical
system files, active processes, file shares, and the

configuration and patch level of a particular
system. The results produced from this type of tool
are usually very detailed because they run on the
host system at the same permission level as the
user conducting the scan. Although host-based
tools provide very detailed results, sometimes the
volume of data that is produced from these scans
(i.e., when conducted across several hosts) can be
difficult to aggregate and correlate to produce
results [Imagine an administrator trying to
physically visit and test 1,000workstations.]).
XXNetwork scanningNetwork-scanning tools scan
available network services for vulnerabilities
through banner grabbing, port status, protocol
compliance, service behavior, or exploitation.
XXWeb application scanningWeb applicationscanning tools designed specifically for the Web
are a specialized form of network or host scanner
that interrogates Web servers or scan Web source
code for known vulnerabilities (e.g., DominoScan).
These tools often search for the presence of
default accounts, directory traversal attacks,
form validation errors, insecure cgi-bin
files, demonstration Web pages, and
other vulnerabilities.
XXDatabase application scanningDatabase
application-scanning tools that are specifically
designed for databases are a unique form of
network scanner. These tools interrogate database

servers for known vulnerabilities
(e.g., AppDetective).
XXVulnerability and patch managementThe category
of Vulnerability and Patch Management has tools
that wrap up many aspects of vulnerability
management. These tools address vulnerabilities,
policy compliance, patch management,
configuration management and reporting.
These are meant to be all-in-one solutions that
make managing very large networks and
domains efficient and require as little manpower
as possible.
4.2
Tool Selection Criteria
The selected tools meet the following three criteria

XXDefinitionThese tools satisfy the objective,
approach, and methodology of a vulnerability

analysis tool based on the definition of
vulnerability.
XXSpecificity to vulnerability analysisThe primary
function of these tools is vulnerability analysis or
vulnerability management. These tools may also
be used during the first stages of a penetration
attack as a way of identifying the target systems
weaknesses and helping to fine-tune the attack.
Penetration test tools, whose primary purpose is to
exploit identified vulnerabilities and cause
damage or destruction to the target system, are not
included.
XXCurrent availabilityThe tools that are included in
this report are currently available from the
Government, academia, or commercial sources, or
as freeware on the Internet. Some tools that were
included in previous versions of this report are no
longer available or have been renamed. All tools
from previous releases of this report that are no
longer available have been removed.
IA Tools Report
13
SECTION 5
Vulnerability Analysis Tools
Section 5 summarizes pertinent information, providing users a brief description of available

vulnerability analysis tools and vendor contact information. Again, IATAC does not endorse,
recommend, or evaluate the effectiveness of these tools. The written descriptions are drawn
from vendors information and are intended only to highlight the capabilities or features of
each product. It is up to the reader to assess which product, if any, may best suit his or her
security needs.
Trademark Disclaimer
The authors have made a best effort to indicate
registered trademarks where they apply, based on
searches in the U.S. Patent and Trademark Office
Trademark Electronic Search System for live
registered trademarks for all company, product, and
technology names. There is a possibility, however,
that due to the large quantity of such names in this
report, some trademarks may have been overlooked
in our research. We apologize in advance for any
trademarks that may have been inadvertently
excluded, and invite the trademark registrants to
contact the IATAC to inform us of their trademark
status so we can appropriately indicate these
trademarks in our next revision. Note that we have
not indicated non-registered and non-U.S.
registered trademarks due to the inability to
research these effectively.
Type
The type of tool, or category in which this tool

belongs, e.g., Web Application Scanning
Operating
System
The operating system(s) on which the tool runs. If the

tool is an appliance, this field will contain a not
applicable symbol (N/A) because the operating
system is embedded in the tool.
Hardware
The third-party hardware platform(s) on which the

tool runs, plus any significant additional hardware
requirements, such as minimum amount of random
access memory or free disk space. If the tool is an
appliance, this field will contain a not applicable
symbol (N/A) because the hardware is incorporated
into the tool.
License
The type of license under which the tool is

distributed, e.g., Commercial, Freeware, GNU
Public License
NIAP
Validated
An indication of whether the product has received a

validation by the National Information Assurance
Partnership (NIAP) under the Common Criteria,
Federal Information Processing Standard 140, or
another certification standard for which NIAP
performs validations. If no such validation has been
performed, this field will be blank.
Common
Criteria
If the tool has received a Common Criteria

certification, the Evaluation Assurance Level and
date of that certification. If no such certification has
been performed, this field will be blank.
Developer
The individual or organization responsible for

creating and/or distributing the tool
URL
The Uniform Resource Locator (URL) of the Web

page from which the tool can be obtained
(downloaded or purchased), or in some cases, the
Web page at which the supplier can be notified with
a request to obtain the tool
Legend For Tables

For each tool described in this section, a table is
provided that provides certain information about that
tool. This information includes
IATAC does not endorse any of the following product evaluations.

IA Tools Report
15
Acunetix Web Vulnerability Scanner

Abstract
Acunetixs engineers have focused on Web security
since 1997 and have developed tools for Web site
analysis and vulnerability detection.
Acunetix Web Vulnerability Scanner

Type
Web Application Scanning
Operating System
Windows XP, Vista, 2000, server 2003
Hardware
Requirements
1 gigabyte (GB) random access memory

(RAM), 100 megabyte (MB) disk space
XXAcuSensor Technology;
License
Commercial (Free Trial Copy)
XXAn automatic Javascript analyzer allowing for
NIAP Validated
Features
security testing of Ajax and Web 2.0 applications;

XXStructured Query Language (SQL) injection and
cross-site scripting (XSS) `testing;
XXVisual macro recorder allows for testing Web
forms and password protected areas;
XXReporting facilities including VISA Payment
Card Industry (PCI) compliance reports;
XXMulti-threaded scanner crawls hundreds of
thousands of pages;
XXCrawler detects Web server type and
application language;
XXAcunetix crawls and analyzes Web sites, including
flash content, SOAP, and AJAX;
XXPort scans a Web server and runs security checks
against network services running on the server.
16
IA Tools Report
Common Criteria
Rating
Developer
Acunetix
Availability
http://www.acunetix.com/
vulnerability-scanner/
AppDetective
Abstract
A network-based, vulnerability assessment scanner,
AppDetective discovers database applications within
an infrastructure and assesses their security strength.
In contrast to piecemeal solutions, AppDetective
modules allow enterprises to assess two primary
application tiersapplication/middleware, and
back-end databasesthrough a single interface.
Backed by a proven security methodology and
extensive knowledge of application level
vulnerabilities, AppDetective locates, examines,
reports, and fixes security holes and
misconfigurations. As a result, enterprises can
proactively harden their database applications
while at the same time improving and simplifying
routine audits.
AppDetective
Type
Database Scanning
Operating System
Windows XP, Server 2003,
Hardware
Requirements
750 Megahertz (MHz) central processing

unit (CPU), 512MB RAM, 300 MB Disk
Space
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
Application Security, Inc.
Availability
http://www.appsecinc.com/products/
appdetective/
Features
XXAutomated database discovery and inventory,
XXUser rghts management,
XXJob scheduling,
XXDatabase-specific vulnerability assessment,
XXCompliance mapping,
XX
Outside-in and inside-in vulnerability testing,
XXIndustry leading database vulnerability
knowledge base,
XXAutomated information gathering and analysis,
XXScalable database scanning,
XXAdvanced, customizable reporting.
IA Tools Report
17
ASG Information Assurance Application (IA2)

Abstract
ASGs Information Assurance Application (IA)
automates the reporting requirements of DISA. IA
automatically parses, stores, tracks, and reports on
the Defense Information Systems Agencys (DISA)
Security Readiness Review, third party vulnerability
scanner results, and DISAs Security Checklists.
ASG Information Assurance Application (IA2)

Type
Vulnerability and Patch Management
Operating System
Hardware
Requirements
License
Commercial
NIAP Validated
IA has the ability to synchronize the local database

with the third party vulnerability scanners as well as
the DISA Security Readiness Review scripts. All of the
data from each source is combined and cross
referenced giving a complete view of your
environment. IA also incorporates a robust
reporting solution allowing for tracking, trending
and ad hoc reporting.
Features
XXFederal Information Security Management Act
of 2002 (FISMA) automation,

XXVulnerability gap analysis,
XXScanner cross-referencing,
XXInformation drilldown,
XXAutomated security checklist,
XXAccepts third party scan,
XXAdvanced reporting,
XXTrending,
XXAutomatically updates signatures,
XXAutomatic reporting,
XXAd Hoc reporting,
XXSecure communication,
XXSecure data storage,
XXDistributed architecture,
XXWindows authentication,
XXRole-based security.
Supported Scanners
XXFoundstone,
XXHarris STAT,
XXeEye,
XXNessus,
XXnCircle.
18
IA Tools Report
Common Criteria
Rating
Developer
Atlantic Systems Group, Inc. (ASG)
Availability
http://www.asg.cc/IA2/

Management Suite
Abstract
XXCreate flexible, on-demand ad-hoc custom
Offered as part of the BigFix Security Configuration

and Vulnerability Management suite, BigFix
Vulnerability Management reduces risk across the
enterprise for all assets, whether they are fixed or
mobile, desktops, laptops, or servers. Through a
repository of vulnerability assessment policies, BigFix
provides organizations with the ability to assess their
managed systems against Open Vulnerability
Assessment Language (OVAL)-based vulnerability
definitions. Each managed endpoint quietly and
continuously evaluates the state of the endpoint, and
reports on any non-compliant policy in real-time by
leveraging the power of BigFix Unified Management
platform. Additionally, the BigFix high performance
architecture enables the industrys fastest time to
remediation and closely bridges assessment with
remediatiation by applying necessary patch and
configuration policies.
queries and reports;

XXSecurity Content Automation Protocol
(SCAP) validated.
Management Suite
Type
Operating System
Windows Server 2000/2003/2008
Hardware
Requirements
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
BigFix
Availability
http://www.bigfix.com/content/
vulnerability-management
Features
XXAssess managed endpoints against known
vulnerabilities using pre-defined, out-of-the-box

OVAL-based policy definitions;
XXIdentify and eliminate known vulnerabilities
across hundreds of thousands of endpoints
using automated policy enforcement or
manual deployment;
XXContinuously enforce policies on or off
the network;
XXMap all vulnerabilities to industry standards to
provide Common Vulnerabilities and Exposures
(CVE) and Common Vulnerability Scoring System
references and links to the National Vulnerability
Database (NVD);
XXIntegrate with BigFix Patch Management and
Security Configuration Management for
comprehensive assessment and remediation
of identified vulnerabilities;
IA Tools Report
19
Computer Oracle and Password (COPS)

Abstract
Computer Oracle and Password (COPS) is a security
toolkit that examines a system for a number of
known weaknesses, and it alerts the system
administrator to these weaknesses. In some cases, it
can automatically correct these problems.
Computer Oracle and Password (COPS)

Type
Database Scanning
Operating System
Unix
Hardware
Requirements
License
Freeware
NIAP Validated
Common Criteria
Rating
20
IA Tools Report
Developer
Dan Farmer
Availability
http://ftp.cerias.purdue.edu/pub/tools/unix/
scanners
CORE IMPACT
Abstract
XXDemonstrate the consequences of a successful
CORE IMPACT Pro is a comprehensive software

solution for assessing the security of network systems,
endpoint systems, email users, and Web applications.
Backed by Core Securitys ongoing vulnerability
research and threat expertise, IMPACT Pro allows
you to get in-depth visibility of your organizations
network and application vulnerabilities.
attack by replicating local attacks against backend resources;

XXGet actionable data necessary for focusing
development resources on remediating proven
security issues.
Features
XXGather system information via Network Discovery,
Port Scanner, and operating system (OS) and

Service Identification modules;
XXIdentify critical OS, service, and application
vulnerabilities with a constantly updated library
of Commercial-Grade Exploits;
XXDemonstrate the consequences of a breach by
replicating the steps an attacker would take,
including opening command shells, browsing file
systems, and seeking administrative privileges;
XXEmulate multistaged threats that leverage
compromised systems as beachheads to
launch internal attacks against backend
network resources;
XXRun tests without installing modules on
compromised systems, or altering them
in any way;
XXGenerate reports containing actionable data for
prioritizing remediation, demonstrating security
improvements, and complying with regulations;
XXCORE IMPACT Pro enables you to test Web
applications against XSS (URL-based), SQL
Injection, Blind SQL Injection, and Remote
File Inclusion for PHP applications;
XXIdentify weaknesses in Web applications,
Web servers, and associated databases
with no false positives;
XXDynamically generate exploits that can
compromise security weaknesses in
custom applications;
CORE IMPACT
Type
Network Scanning
Operating System
Windows XP, Windows Vista
Hardware
Requirements
3 Gigahertz (GHz) Pentium 4+ CPU, 1 GB+

RAM, 1 GB+ Disk space, 1024x768+
resolution
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
Core Security Technologies
Availability
http://www.coresecurity.com/content/
core-impact-overview
IA Tools Report
21
DominoScan II
Abstract
XXUnique Spidering capability offering
Specially developed to present the attackers eye view

of the security issues surrounding Lotus Domino
Web servers and bespoke Notes applications.
Running on Microsoft Windows, DominoScan II
(DSII) has the capability to audit Lotus Domino Web
Servers running on any operating system. Using an
NGSSoftwaredeveloped technique (Database
Structure Enumeration) allows DSII to interrogate
every view, form, and agent within a database, even
if access control list (ACL) access protection has been
invoked. It will perform an exhaustive range of tests
on each document, auditing over one hundred
sensitive and default databases and subjecting all
documents to a vigorous set of vulnerability
assessment checks.
intelligent scanning;
XXAbility to scan as an authenticated user;
XXAbility to perform QuickHit audit;
XXVulnerability link to CVE.
Features
XXAttempts to gain access to over 100 sensitive/
default databases;
XXWeb Administrator template access using
ReplicaID;
XXWeb Administrator template access using
buffer truncation;
XX
cache.dsk access using buffer truncation;
XXDirectory traversal;
XXDatabase browsing;
XXAudits bespoke databases;
XXUnique database structure
enumeration technology;
XXFinds hidden and visible views;
XXDefault Navigator Access;
XXAttempts to bypass default Navigator protection;
XXEvaluates database design;
XXChecks every document for Edit access;
XXAttempts a forced search;
XXReadEntries & ReadViewEntries access;
XXReporting in HyperText Markup Language
(HTML) (Static/Dynamic), eXtensible Markup
Language (XML), Text file, rich text format, and
Open Database Connectivity (Microsoft) database;
XXFast, easy to use, and highly configurable;
XXCan perform focused audits;
22
IA Tools Report
DominoScan II
Type
Operating System
Windows 2003, 200, XP, NT 4.0
Hardware
Requirements
500 MHz Pentium III, 512 MB RAM, 20

MB Disk Space
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
Next Generation Security Software
Availability
http://www.nextgenss.com/products/
internet-security/dominoscan.php
DumpSec v2.8.6
Abstract
SomarSofts DumpSec is a security auditing program
for Microsoft Windows NT/XP/200x. It dumps the
permissions (Discretionary Access Control Lists and
audit settings (System Access Control Lists) for the
file system, registry, and printers and shares in a
concise, readable format, so that holes in system
security are readily apparent. DumpSec also dumps
user, group, and replication information.
DumpSec v2.8.6
Type
Host Scanning
Operating System
Windows NT/XP/200x
Hardware
Requirements
License
Freeware
NIAP Validated
Common Criteria
Rating
Developer
SomarSoft
Availability
www.somarsoft.com
IA Tools Report
23
eTrust Policy Compliance

Abstract
eTrust Policy Compliance provides enterprises with
the tools and information necessary to eliminate one
of the most overlooked threats to networks
misconfigured assets. eTrust Policy Compliance
helps organizations identify and compare the
security configurations of their critical business
assets to an established baseline and provides the
configuration remediation and measures progress
through risk-based reporting. eTrust Policy
Compliance provides a comprehensive policy and
configuration assessment process to mitigate risk and
ensure compliance with security policies,
government regulations, and industry standards.
Features
XXIdentify misconfigured IT assets,
XXCreate secure configuration baselines and
monitor deviations,
XXProvide configuration remediation and measure
progress through risk-based reporting,

XXOffer extensible tools and open interfaces for
custom security configuration management.
24
IA Tools Report
eTrust Policy Compliance

Type
Network Scanning
Operating System
Linux, Windows, Unix
Hardware
Requirements
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
Computer Associates
Availability
http://www3.ca.com/solutions/Product.
aspx?ID=165
Fortiscan Vulnerability Management

Abstract
XXDelivers patch management with ready-to-
FortiScan provides a centrally managed, enterprisescale solution that enables organizations to close IT
compliance gaps, and implement continuous
monitoring in order to audit, evaluate, and comply
with internal, industry, and regulatory policies for IT
controls and security at the OS level. Organizations
realize quick time-to-value with easy to install,
intuitive, high value standard compliance policies
(National Institute of Standards and Technology
[NIST] SCAP, Federal Desktop Core Configuration
(FDCC), PCI data security standard (DSS), SarbanesOxley Act (SOX), Gramm-Leach Bliley Act (GLBA),
Health Insurance Portability and Accountability Act
(HIPAA) ready out of the box with regular updates by
FortiGuard to ensure OS regulatory compliance
requirements are met. FortiScan dedicated hardware
appliances easily plug into the network for fast
deployment. FortiScan integrates endpoint
vulnerability management, industry and federal
compliance, patch management, remediation,
auditing, and reporting into a single, unified
appliance for immediate results. A centralized
administration console facilitates management of
multiple FortiScan appliances across the enterprise.
deploy remediation and enforcement actions

allowing network managers to change
configurations and potentially mitigate weak
settings, including disabling an application
or denying a network request;
XXReduced errors, repeatable processes, and
predictable results delivered with extensive
libraries of templates that enable IT staff to
leverage industry standard best practices that
produce measurable results.
Fortiscan Vulnerability Management
Type
Operating System
N/A
Hardware
Requirements
Vendor Supplied Hardware
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
Fortinet
Availability
http://www.fortinet.com/products/
fortiscan/
Features
XXIdentifies security vulnerabilities and finds
compliance exposures on hosts, servers,

and throughout the network transparently to
end users;
XXNetwork discovery, asset prioritization, and
profile-based scanning;
XXIndustry, regulatory and best practices, including
templates for ISO 17799, SOX, HIPAA, GLBA, NIST,
SCAP, and FISMA;
XXAudits and monitors across heterogeneous
systems and provides industry standard
benchmarks for information security compliance
audits for operating systems;
XXAids compliance for regulatory mandates with
360-degree reporting and analysis, and views;
IA Tools Report
25
GFI LANguard
Abstract
Scans a network and ports to detect, assess, and
correct security vulnerabilities with minimal
administrative effort. GFI LANguard performs
network scans using vulnerability check databases
based on OVAL and SysAdmin, Audit, Network,
Security (SANS) Top 20, providing over 15,000
vulnerability checks.
XXPatch ManagementGFI LANguard has built in
patch management features that can

automatically download missing Microsoft
security updates, as well as automatically deploy
the missing Microsoft patches or service packs
over the network at the end of scheduled scans.
XXHardware and Software ManagementGFI
LANguards network auditing feature retrieves
hardware information on memory, processors,
display adapters, storage devices, motherboard
details, printers, and ports in use and monitors
any changes that may occur. GFI LANguard can
also monitor a software baseline, informing
administrators when a new program is
installed and can automatically uninstall
unauthorized applications.
26
IA Tools Report
GFI LANguard
Type
Operating System
Windows, Mac OS, Linux
Hardware
Requirements
1 GHz CPU, 512 MB RAM, 500 MB Disk

space (Minimum. Scanning more hosts
requires higher specs. See documentation
for details)
License
CommercialFree version available
NIAP Validated
Common Criteria
Rating
Developer
GFI
Availability
http://www.gfi.com/lannetscan
Gideon SecureFusion
Vulnerability Management
Abstract
XXBandwidth throttling,
Part of the SecureFusion suite, Vulnerability

Management scans for thousands of known
vulnerabilities in operating systems, infrastructure,
network applications, and databases. The
vulnerability signatures are updated on a daily
basis and provide checks for the most recent
security vulnerabilities.
XXMassive scalability,
The SecureFusion Portal provides a complete view of

assets, vulnerabilities, configuration details, and
policy compliance metrics. Instead of outdated
spreadsheets and cumbersome tools that cannot
correlate data, the SecureFusion Portal helps you
intelligently analyze your IT environment regarding
unmanaged assets, vulnerabilities, improper settings,
and the reasons behind failed compliance checks.
XXDynamic report building,

XXAutomated scheduling.
Gideon SecureFusion Vulnerability Management

Type
Operating System
Hardware
Requirements
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
Gideon Technologies
Availability
http://www.thegideongroup.com/
vulnerability-management.asp
SecureFusion is built on the additive intelligence of

four core capabilities
XXAsset discoveryperforms continuous audits of
managed and unmanaged assets with no impact

to the network;
XXVulnerability managementconducts ongoing,
active vulnerability detection and reporting for
operating systems, infrastructure, network
applications, and databases;
XXConfiguration managementcontinuously
compares system configuration and compliance
with IT security standards;
XXPolicy managementinitiates, reviews, publishes,
and maintains security policies.
Vulnerability Management offers
XXEnd-to-end automation and workflow,
XXSystem patch reporting,
XXResults filtering,
XXAutomated signature updates,
XXTarget blacklisting,
IA Tools Report
27
Host Based Security System (HBSS)

Abstract
XXHost Intrusion Prevention System (HIPS);
The Host Based Security System (HBSS) baseline is a

flexible, commercial off-the-shelf (COTS)-based
application. It monitors, detects, and counters against
known cyber threats to the DoD Enterprise. Under
the sponsorship of the Enterprise-wide Information
Assurance and Computer Network Defense Solutions
Steering Group (ESSG), the HBSS solution will be
attached to each host (server, desktop, and laptop) in
DoD. The system will be managed by local
administrators and configured to address known
exploit traffic using an Intrusion Prevention System
(IPS) and host firewall. DISA Information Assurance/
Network Operations Program Executive Office
(PEO-IAN) is providing the program management
and supporting the deployment of this solution.
XXEnforces security policy;
Scope
The scope of the HBSS deployment is worldwide.
This vast effort requires a large support infrastructure
to be in place. DISA PEO-IAN has instituted support
services to enable the comprehensive
implementation of the HBSS system to all the
combatant commands, services, agencies, and
field activities.
Features
XXePolicy Orchestrator (ePO) management suite;
XXCentral security manager;
XXEnables the installation, management, and
configuration of the HBSS components;

XXView reports to help monitor deployments,
vulnerabilities, and protection levels;

XXMcAfee Agent (MA);
XXProvides local management of all HBSS products
collocated on the host;

XXRuns silently in the background to gather
information and events from managed systems;
XXSends collected data to the ePO server;
XXManages modules and software updates of other
HBSS products on the host system;
XXEnforces policies on the host machines;
28
IA Tools Report
XXAdds a robust layer of protection to the MA
end-point asset that includes known and

unknown buffer overflow exploit protection,
prevention of malicious code installation/
execution, and identification of activities that
deviate from DoD or organizational policy;
XXAsset Information (formerly referred to as
the INFOCON);
XXGenerates snapshots of asset configurations
to facilitate detection of changes made to
authorized baselines;
XXRogue System Detection (RSD);
XXDetects all systems connecting to the network;
XXIdentifies unmanaged (or Rogue) systems present
on the network;
XXPolicy Auditor (PA);
XXScans remote computers to determine compliance
with defined policies;
XXIdentifies host vulnerabilities on the network.
Host Based Security System (HBSS)
Type
Operating System
Windows
Hardware
Requirements
License
Commercial/Government
NIAP Validated
Common Criteria
Rating
Developer
DISADoD
Availability
http://www.disa.mil/news/pressresources/
factsheets/hbss.html
Internet Scanner
Abstract
The Internet Scanner vulnerability assessment
application minimizes risk by identifying the security
holes or vulnerabilities in the network so the user can
protect the network before an attack occurs.
Internet Scanner can identify more than 1,300 types
of networked devices on a network, including
desktops, servers, routers/switches, firewalls, security
devices, and application routers. Internet Scanner
analyzes the configurations, patch levels, operating
systems, and installed applications to find
vulnerabilities that could be exploited by hackers
trying to gain unauthorized access.
Features
Internet Scanner
Type
Network Scanning
Operating System
Windows 2000 Professional/SP4,

Windows Server 2003 Standard SP1,
Windows XP Professional SP1a
Hardware
Requirements
1.2 GHz CPU, 512 MB RAM, 650 MB disk

space (minimum)
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
Internet Security SystemsOwned by

IBM
Availability
http://www-935.ibm.com/services/us/index.
wss/offering/iss/a1027208
XXUnlimited asset identification,

XXDynamic check assignment,
XXCommon policy editor,
XXReal-time display,
XXVulnerability catalog,
XXComprehensive reporting,
XXCentralized vulnerability management features,
XXEnterprise-class scalability,
XXRemote scanning,
XXEnterprise reporting,
XXAutomatic security content updates,
XXCommand scheduler,
XXAsset management,
XXReal-time display,
XXUser administration.
IA Tools Report
29
Lumension Scan
Abstract
Lumension Scan, a component of Lumension
Vulnerability Management, is a complete stand-alone,
network-based scanning solution that performs a
comprehensive external scan of all devices connected
to your network, both managed and unmanaged.
Once assets are identified, the powerful, yet easy-touse Lumension Scan detects weaknesses on these
devices before they can be exploited.
Lumension Scan
Type
Network Scanning
Operating System
Windows XP Pro SP2+, Windows Server

2003 SP1+, Windows Server 2003 R2+
Hardware
Requirements
2 GHz CPU, 1 GB RAM, 20 GB disk space,

1024x768 Monitor Resolution
License
Commercial
NIAP Validated
Features
Common Criteria
Rating
XXRapid and complete asset discovery and inventory
Developer
Lumension
Availability
http://www.lumension.com/vulnerabilitymanagement/software-vulnerabilityassessment.jsp?rpLangCode=1&rpMenu
Id=150835
of all devices on the network,

XXThorough and accurate network-based software
and configuration vulnerability assessment,
XXRisk-based vulnerability prioritization for
identified threats,
XXContinuously updated vulnerability database for
orderly remediation,
XXComprehensive management and audit reporting.
30
IA Tools Report
MBSA 2.1
Abstract
Microsoft Baseline Security Analyzer (MBSA) is
an easy-to-use tool that helps small and medium
businesses determine their security state in
accordance with Microsoft security
recommendations and offers specific remediation
guidance. Improve your security management
process by using MBSA to detect common security
misconfigurations and missing security updates on
your computer systems. Built on the Windows Update
Agent and Microsoft Update infrastructure, MBSA
ensures consistency with other Microsoft
management products, including Microsoft Update
(MU), Windows Server Update Services (WSUS),
Systems Management Server (SMS), System Center
Configuration Manager (SCCM) 2007, and Small
Business Server.
MBSA 2.1
Type
Host Scanning
Operating System
Windows XP, Vista, Windows Server

2003, 2008
Hardware
Requirements
x86, IA64, x64
License
Free
NIAP Validated
Common Criteria
Rating
Developer
Microsoft
Availability
http://technet.microsoft.com/en-us/
security/cc184924.aspx
MBSA 2.1 is the latest version of Microsofts free

security and vulnerability assessment scan
tool for administrators, security auditors, and
IT professionals.
MBSA 2.1 offers Windows Vista and Windows Server
2008 compatibility, a revised user interface, 64-bit
support, improved Windows Embedded support, and
compatibility with the latest versions of the Windows
Update Agent based on MU.
MBSA 2.1 is also compatible with MU, Windows
Server Update Services 2.0 and 3.0, the SMS Inventory
Tool for Microsoft Update, and SCCM 2007.
IA Tools Report
31
McAfee Vulnerability Manager

Abstract
McAfee Vulnerability Manager (formerly McAfee
Foundstone Enterprise) uses a priority-based
approach that combines vulnerability, asset data, and
countermeasures to help you make more informed
decisions. It uses threat intelligence and correlation
data to determine how emerging threats and
vulnerabilities on networked systems affect your risk
profile, so that you deploy resources where they are
needed most. Improve operational efficiency and
security protection while meeting tough mandates
outlined in SOX, FISMA, HIPAA, and PCI DSS.
Vulnerability Manager is available as software or a
secure, hardened appliance. Both increase the
efficiency of your existing resources, resulting in
a low cost of ownership. If you prefer a hosted
option, choose the McAfee Vulnerability
Management Service.
It performs credential-based scans of UNIX, Cisco
IOS, and Microsoft Windows platforms for correct
patching. The Content Release Calendar provides
automatic updates, including new OS support,
vulnerability scan scripts, and compliance checks.
Vulnerability Manager integrates with your existing
technologies and with other McAfee products,
leveraging your investments. McAfee Network
Security Platform correlates Vulnerability Manager
data to inform you of the most relevant threats
targeting your systems. McAfee Risk and Compliance
Manager (formerly McAfee Preventsys) collects data
from Vulnerability Manager to calculate risks,
monitor risk scores, and automate compliance
reporting. McAfee ePolicy Orchestrator feeds asset
and system protection data into Vulnerability
Manager for accurate assessments.
32
IA Tools Report
McAfee Vulnerability Manager

Type
Operating System
Windows Server 2000 or 2003
Hardware
Requirements
Dual core or dual processor CPU at 2 GHz,

RAM 2 GB, 80 GB disk space, ethernet
interface. Preconfigured vendor supplied
appliances also available.
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
McAfee
Availability
http://www.mcafee.com/us/enterprise/
products/risk_and_vulnerablity_
management/vulnerability_manager.html
Metasploit
Abstract
The Metasploit Framework is a development platform
for creating security tools and exploits. The
framework is used by network security professionals
to perform penetration tests, system administrators
to verify patch installations, product vendors to
perform regression testing, and security researchers
world-wide. The framework is written in the Ruby
programming language and includes components
written in C and assembler.
The framework consists of tools, libraries, modules,
and user interfaces. The basic function of the
framework is a module launcher, allowing the user to
configure an exploit module and launch it at a target
system. If the exploit succeeds, the payload is
executed on the target and the user is provided with a
shell to interact with the payload.
Metasploit
Type
Network Scanning
Operating System
Windows, Linux, Mac
Hardware
Requirements
License
Open Source
NIAP Validated
Common Criteria
Rating
Developer
Metasploit, LLC
Availability
http://www.metasploit.com/home/
IA Tools Report
33
N-Stalker Web Application Security Scanner

Abstract
N-Stalker Web Application Security Scanner 2009 is a
Web Security Assessment solution developed by
N-Stalker. By incorporating the N-Stealth HTTP
Security Scanner and its 39,000 Web Attack
Signature database, along with a patent-pending
Component-oriented Web Application Security
Assessment technology, N-Stalker is a security tool for
developers, system/security administrators, IT
auditors, and staff.
Features
XXN-Stalker is a security assessment tool designed to
crawl and evaluate custom Web Applications. It

does not rely on out-of-box signatures.
XXN-Stalker is used for either custom or out-of-shelf
Web applications, including large financial
customers, government agencies, foreign
intelligence services, and armed forces.
XXN-Stalker will inspect common Web application
vulnerabilities, including Open Web Application
Security Project Top 10, Common Weakness
Enumeration Top 25 (see cwe.mitre.org), and a
wide range of issues that affect overall security.
XXN-Stalker will scan for both Web server
infrastructure and application layers. Currently,
there are more than 39,000 Web attack signatures
included in our database to identify weakness in a
Web server and third-party software components.
XXN-Stalker implements its own patent-pending
component-oriented Web application security
analysis technology, an assessment methodology.
34
IA Tools Report
N-Stalker Web Application Security Scanner

Type
Operating System
Windows (Windows 2000 or later)
Hardware
Requirements
1 GB RAM, 500 MB disk space
License
Commercial, Free
NIAP Validated
Common Criteria
Rating
Developer
N-Stalker
Availability
http://nstalker.com/products
nCircle IP360
Abstract
As a component of nCircles security risk and
compliance management suite, IP360 is a
vulnerability and risk management system,
enabling enterprises and government agencies to
costeffectively measure and manage their security
risk. IP360 comprehensively profiles all networked
devices and their applications, vulnerabilities, and
configurations, and includes coverage for over 25,000
conditions (operating systems, applications,
vulnerabilities, and configurations), providing the
ideal foundation for assessing every system on the
network. IP360s agentless architecture is designed
for rapid deployment and ease of management across
large, globally distributed networks.
nCircle IP360
Type
Operating System
N/A
Hardware
Requirements
Vendor supplied scanning appliance
License
Commercial
NIAP Validated
Yes
Common Criteria
Rating
EAL3 May 16, 2005
Developer
nCircle
Availability
http://www.ncircle.com/index.
php?s=products_ip360
Features
XXComprehensive, agentless discovery and profiling
of all network assets for over 25,000 conditions;

XXEnterprise scalability, ease of deployment, and
operational effectiveness;
XXIntegrated network topology risk analysis for
identifying the highest priority vulnerabilities;

XXIntegrated Web application scanning to identify
security risk in Web applications;

XXFlexible reporting across all levels of the enterprise.
IA Tools Report
35
Nessus Vulnerability Scanner

Abstract
The Nessus vulnerability scanner is an active scanner,
featuring high-speed discovery, asset profiling, and
vulnerability analysis of the users security posture.
Nessus scanners can be distributed throughout an
entire enterprise, inside demilitarized zones, and
across physically separate networks. They can also be
made available for ad hoc scanning, daily scans, and
quick-response audits. When managed with the
Security Center, vulnerability recommendations can
be sent to the responsible parties, remediation can be
tracked, and security patches can be audited.
Features
XXAgentless scanning (patch and
configuration auditing),
XXHigh-speed vulnerability identification,
XXComplete network assessment and discovery.
36
IA Tools Report
Nessus Vulnerability Scanner

Type
Network Scanning
Operating System
Windos, Linux, Mac OS, Unix
Hardware
Requirements
License
Commercial
Free for personal use
NIAP Validated
Common Criteria
Rating
Developer
Teneble Network Security
Availability
http://www.nessus.org/nessus/
NetIQ Secure Configuration Manager

Abstract
NetIQ Secure Configuration Manager audits system
configurations and compares them to corporate
policies, previous snapshots, and/or other systems. It
also leverages this configuration information to
reliably identify vulnerabilities and exposures, using
the latest security updates.
NetIQ Secure Configuration Manager allows you to
demonstrate regulatory compliance and manage IT
risks via scored reporting to direct remediation
efforts toward issues of highest priority.
Features
NetIQ Secure Configuration Manager

Type
Operating System
Windows XP Pro, 2000, 2003 Server
Hardware
Requirements
License
Commercial
NIAP Validated
Yes
Common Criteria
Rating
EAL2 July 09, 2007
Developer
netIQ
Availability
http://www.netiq.com/products/vsm/
default.asp
XXNetIQ ensures configuration changes are
identified and controlled. Secure Configuration

Manager creates an inventory and baseline of
existing system configurations, then compares
results against a standard configuration image to
highlight deviations.
XXSecure Configuration Manager contains packaged
security policy templates that align with
regulations and standards, providing the
intelligence necessary to document and
demonstrate compliance with auditors. Rolebased exception and workflow management helps
enforce secure separation of duties.
XXNetIQ Secure Configuration Manager identifies
systems exposed to and/or compromised by the
latest exploits, including worms, viruses, and
blended threats.
XXAcross the enterprise, NetIQ Secure Configuration
Manager measures the level of threats posed by
vulnerabilities and compliance exceptions
weighted by the importance of managed assets.
XXNetIQ Secure Configuration Manager is SCAP
Validated and NIAP Common Criteria certified,
ensuring it meets the most stringent federal
government guidelines on interoperability and
secure design.
IA Tools Report
37
Network Mapper (Nmap)

Abstract
Network Mapper (Nmap) is a free open-source utility
for network exploration or security auditing. It was
designed to rapidly scan large networks, although it
works fine against single hosts. Nmap uses raw
Internet protocol (IP) packets in novel ways to
determine what hosts are available on the network,
what services (application name and version) those
hosts are offering, what OSs (and OS versions) they
are running, what type of packet filters/firewalls are
in use, and dozens of other characteristics. Nmap
runs on most types of computers, and console and
graphical versions are available.
Features
XXFlexibleNmap supports dozens of advanced
techniques for mapping out networks filled with

IP filters, firewalls, routers, and other obstacles.
XXPowerfulNmap has been used to scan huge
networks of literally hundreds of thousands of
machines.
XXPortableMost operating systems are supported,
including Linux, Microsoft Windows, and Unix
based systems.
XXEasyAlthough Nmap offers a rich set of
advanced features for power users, the user can
start out as simply as nmap -v -A targethost.
Both traditional command line and graphical
user interface (GUI) versions are available to suit
your preference.
XXFreeNmap is available for free download,
and also comes with full source code that the
user may modify and redistribute under the terms
of the license.
XXWell DocumentedSignificant effort has been put
into comprehensive and up-to-date pages, white
papers, and tutorials.
XXSupportedAlthough Nmap comes with no
warranty, it is well supported by the community.
38
IA Tools Report
Network Mapper (Nmap)

Type
Network Scanning
Operating System
Linux, MS Windows, Unix
Hardware
Requirements
License
Open Source
NIAP Validated
Common Criteria
Rating
Developer
Insecure.org
Availability
http://nmap.org/
Nikto v2.03
Abstract
XXUsers can add a custom scan database,
Nikto is an Open Source (general public license) Web

server scanner that performs comprehensive tests
against Web servers for multiple items, including over
3,500 potentially dangerous files/common gateway
interfaces (CGI), versions on over 900 servers, and
version specific problems on over 250 servers. Scan
items and plugins are frequently updated and can be
automatically updated.
XXSupports automatic code/check updates (with
Features
XXUses rfps LibWhisker as a base for all
network funtionality,
XXMain scan database in comma separated variable
(CSV) format for easy updates,

XXFingerprint servers via favicon.ico files,
XXDetermines OK vs NOT FOUND responses
for file type, if possible,
XXDetermines CGI directories for each server,
if possible,
XXSwitch hypertext transfer protocol (HTTP)
versions as needed so that the server understands
requests properly,
XXSecure Sockets Layer Support (Unix with OpenSSL
or maybe Windows with ActiveStates Practical
Extraction and Report Language [PERL]/NetSSL),
XXOutput to file in plain text, HTML or CSV,
XXPlugin support (standard PERL),
XXChecks for outdated server software,
XXProxy support (with authentication),
XXHost authentication (Basic),
XXWatches for bogus OK responses,
XXAttempts to perform educated guesses for
Authentication realms,
XXCaptures/prints any Cookies received,
XXMutate mode to go fishing on Web servers
for odd items,
XXBuilds Mutate checks based on robots.txt entries
(if present),
XXScan multiple ports on a target to find Web servers
(can integrate Nmap for speed, if available),
XXMultiple intrusion detection system
evasion techniques,
Web access),
XXMultiple host/port scanning (scan list files),
XXUsername guessing plugin via the cgiwrap
program and Apache user methods.

Nikto v2.03
Type
Operating System
Unix, Linux, Windows
Hardware
Requirements
License
Open Source
NIAP Validated
Common Criteria
Rating
Developer
Cirt.net
Availability
http://www.cirt.net/nikto2
IA Tools Report
39
Orascan
Abstract
OraScan is a multi-environment auditing application
developed to assess the security of Oracle Web
applications. The finely detailed level of auditing
supported by OraScan allows systems administrators
and security professionals to gain full control of
security issues surrounding online applications and
front-end servers.
Orascan
Type
Database Scanning
Operating System
Microsoft Windows 2003, Microsoft

Windows 2000, Microsoft Windows XP,
Microsoft Windows NT Version 4.0
(Service Pack 4)
Hardware
Requirements
License
OraScan performs robust, in-depth security

vulnerability audits, seeking out potential problem
areas such as
XXSQL injection,
XXXSS,
XXPoor Web server configuration.
In addition, OraScan can be deployed to audit the

configuration of Internet authentication service Web
servers, ensuring that the Web application portion of
your database software architecture is free of any
security weaknesses.
40
IA Tools Report
Commercial
NIAP Validated
Common Criteria
Rating
Developer
Availability
http://www.ngssoftware.com/products/
internet-security/orascan.php
Paros Proxy v3.2.0Alpha

Abstract
Paros Proxy v3.2.0Alpha is a Java-based Web proxy for
assessing Web application vulnerability. It supports
editing/viewing HTTP/HTTP Secure (HTTPS)
messages on the fly to change items such as cookies
and form fields. It includes a Web traffic recorder,
Web spider, hash calculator, and a scanner for testing
common Web application attacks, such as SQL
injection and XSS.
Paros Proxy v3.2.0Alpha

Type
Operating System
All OSs supporting Java 1.4+
Hardware
Requirements
N/A
License
Freeware
NIAP Validated
Common Criteria
Rating
Developer
Paros
Availability
http://www.parosproxy.org/index.shtml
IA Tools Report
41
Proventia Network Enterprise Scanner

Abstract
Proventia Network Enterprise Scanner is the next
generation of the Internet scanner vulnerability
assessment tool. Proventia Network Enterprise
Scanner is a vulnerability protection system for
the entire network that is enhanced with an
integrated workflow vulnerability management
subsystem and Proventia Enterprise Scanner that
enables the user to drive protection measures
throughout an infrastructure.
Features
XXVulnerability assessment,
XXComplete vulnerability management
and protection,
Scan and block capabilities through Proventia

Network Enterprise Scanner and Proventia
Network Intrusion Prevention System,
Correlation through the SiteProtector Security
Fusion module.
Proventia Network Enterprise Scanner
Type
Network Scanning
Operating System
N/A
Hardware
Requirements
License
Commercial
NIAP Validated
XXScanning-optimized Linux kernel,
Common Criteria
Rating
XXHardened and secure,
Developer
IBM
Availability
http://www-935.ibm.com/services/us/index.
wss/offering/iss/a1027216
XXMultiple scan ports,

XXApplication fingerprinting,
XXWorkflow,
XXReporting,
XXAsset identification,
XXAsset classification,
XXScan windows,
XXAutomation,
XXScan load balancing/teaming,
XXFlexible deployment options,
XXFlexible policy management,
XXWeb-based local management,
XXCentralized management mystem: Proventia
Network Scanner is centrally managed using

Proventia Management SiteProtector.
SiteProtector is a scalable system that allows staff
to control, monitor, and analyze events from a
centralized console. SiteProtector improves
security through correlation and integration with
other security products, including
Active/passive scanning through Proventia
Network Enterprise Scanner and Proventia
Network Anomaly Detection,
42
IA Tools Report
proVM Auditor
Abstract
Prolific Solutions proVM Auditor is a vulnerability
management tool that uses the output from multiple
vulnerability and compliance scanners and
aggregates the information into a single view. proVM
Auditor presents vulnerability data in meaningful
views via a vulnerability matrixthat makes
managing, tracking, and resolving vulnerabilities
simpler and less resource-intensive.
Features
XXExpedites compliance reviews
XXMaps vulnerabilities to DoD 8500.2 IA Controls
XXFacilitates/standardizes C&A processes
proVM Auditor
Type
Operating System
Windows
Hardware
Requirements
N/A
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
Prolific Solutions
Availability
http://www.prolific-solutions.net/products.
htm
XXStreamlines administration efforts

XXStandard views of vulnerability data
XXReduces manual compliance efforts
XXSmall footprint; simple to use; does not
require installation
XXAccepts scanner output from the following
Vulnerability Scanners:
eEye Retina
Lumension PatchLink
DISA SRRs
DISA Gold Disk
Application Security AppDetective
Tenable Nessus
Nmap
Other tools commercial or private can be
added upon request
IA Tools Report
43
QualysGuard Vulnerability Management

Abstract
XXEasy access to concise, auto-generated reports
QualysGuard Vulnerability Management (VM)

automates the life cycle of network auditing and
vulnerability management across the enterprise,
including network discovery and mapping, asset
prioritization, vulnerability assessment reporting,
and remediation tracking according to business risk.
QualysGuard delivers continuous protection against
the latest worms and security threats without the
substantial cost, resource, and deployment issues
associated with traditional software. As an on
demand Software-as-a-Service (SaaS) solution, there
is no infrastructure to deploy or manage.
via a Web browser;

XXExecutive Dashboard provides real-time
illustration of risk;
XXGraph and trend reports for managers;
XXDetailed technical reports with verified
remediation actions for technicians;
XXSANS Top 20 Report provides industry baseline;
XXRisk analysis report predicts the likelihood
of exposure;
XXCVE and Security Focus-linked and Bugtraqreferenced vulnerability checks with detailed
remediation instructions;
XXCustomizable reports for flexible, on demand
reporting by business units for executives and
managers;
XXExport reports to HTML, Microsoft Hypertext
Archive, portable document format, CSV, and
XML formats.
QualysGuard VM enables small to large

organizations to effectively manage their
vulnerabilities and maintain control over their
network security with centralized reports, verified
remedies, and full remediation workflow capabilities
with trouble tickets. QualysGuard provides
comprehensive reports on vulnerabilities, including
severity levels, time-to-fix estimates, and impact on
business, plus trend analysis on security issues.
Features
XXVulnerability KnowledgeBase that incorporates
over 6,000 unique checks;

XXNon-intrusive detection techniques;
XXInference-based scanning engine;
XXAuthenticated or unauthenticated
scanning capabilities;
XXInternal and external scanning;
XXScans are configurable for optimum
performance and minimum network load.;
XXUnique fingerprints for over 2,000 operating
systems, applications, and protocols;
XXCustomization of scans to scan for specific ports/
services and specific vulnerabilities;
XXSchedule and automated network discovery and
vulnerability scan tasks on a daily, weekly, or
monthly basis;
XXAutomated daily updates to the QualysGuard
vulnerability KnowledgeBase;
44
IA Tools Report
QualysGuard Vulnerability Management

Type
Network Scanning
Operating System
N/A
Hardware
Requirements
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
Qualys
Availability
http://www.qualys.com/products/qg_suite/
vulnerability_management/
Rational AppScan
Abstract
IBM Rational Web application security software helps
IT and security professionals protect against the
threat of attacks and data breaches. Involving more
testers in the application security process results in
higher quality, more secure applications at a
reasonable cost.
Rational offers Web application security solutions,
including new malware detection capabilities,
through the IBM Rational AppScan family of
products. AppScan can be used for vulnerability
scanning in all stages of application development and
by testers with or without security expertise.
Rational AppScan
Type
Operating System
Windows XP, Server 2003
Hardware
Requirements
3 GHz CPU, 2 GB+ RAM, 200 MB disk

space for installation plus at least 10 GB
free space for logs
License
NIAP Validated
Common Criteria
Rating
Developer
IBM Rational
Availability
http://www-01.ibm.com/software/
awdtools/appscan/
Features
XXAppScan Build EditionEmbeds Web
application security testing into the build

management workflow,
XXAppScan Developer EditionAutomates
application security scanning for
non-security professionals,
XXAppScan Enterprise EditionWeb-based, multiuser solution providing centralized application
security scanning and reporting,
XXAppScan Express EditionProvides affordable
Web application security for smaller organizations,
XXAppScan OnDemandIdentifies and prioritizes
Web Application Security vulnerabilities via
SaaS Model,
XXAppScan OnDemand Production Site Monitoring
Monitors production Web content and sites for
security vulnerabilities via SaaS Model,
XXAppScan Reporting ConsoleProvides centralized
reporting on Web application vulnerability data,
XXAppScan Standard EditionDesktop solution to
automate Web application security testing,
XXAppScan Tester EditionIntegrated Web
application security testing in the quality
assurance process.
IA Tools Report
45
Retina Network Security Scanner

Abstract
Retina Network Security Scanner is a professionalgrade security solution with a lengthy track record of
success. Retina contains all the integrated security
and threat management tools needed to effectively
identify and remediate the network vulnerabiities
that lead to exposure and malicious attacks.
Features
XXDiscovers the assets in the network infrastructure,
including operating system platforms, networked

devices, databases, and third party or custom
applications. Retina also discovers wireless
devices and their configurations, ensuring these
connections can be audited for the appropriate
security settings. Additionally, Retina scans active
ports and confirms the services associated with
those ports.
XXImplements corporate policy driven scans to audit
internal security guidelines and ensure that
configuration requirements are enforced and
comply with defined standards. These custom
scans can also assist with meeting any regulatory
compliance requirements (e.g., SOX, HIPPAA, GLB,
PCI) customers may face.
XXRemotely identifies system level vulnerabilities to
mimic an attackers point of view, providing
information that an outsider would see about a
network. These remote checks do not require
administrator rights, providing an accurate
assessment, with fewer resources required to scan
across departments, locations, or geographies.
XXIncorporates a comprehensive vulnerabilities
database and scanning technology, allowing
users to proactively secure their networks
against attacks.
XXUpdates are automatically uploaded at the
beginning of each Retina session.
46
IA Tools Report
Retina Network Security Scanner

Type
Network Scanning
Operating System
Windows
Hardware
Requirements
256 MB RAM. Vendor-supplied appliance

also available.
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
eEye Digital Security
Availability
http://www.eeye.com/html/products/retina/
index.html
SAINT
Abstract
SAINTs Web-like, easy-to-use, GUI makes it easy to
scan networks. Every live system on the network is
screened for TCP and user datagram protocol (UDP)
services. For each service it finds running, it launches
a set of probes designed to detect anything that could
allow an attacker to gain unauthorized access, create
a denial of service, or gain sensitive information
about the network. When vulnerabilities are
detected, SAINT categorizes the results in several
ways, allowing users to target the data they find
most useful. SAINT can group vulnerabilities
according to severity, type, or count. It can provide
information about a particular host or groups of
hosts. SAINT describes each of the vulnerabilities
it locates and references CVE or Information
Assurance Vulnerability Alerts (IAVA), as well
as CERT advisories.
SAINT
Type
Network Scanning
Operating System
Unix/Linux platform
Hardware
Requirements
256 MB RAM, 150 MB disk space.

Vendor-supplied appliances also available.
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
Saint Corporation
Availability
http://www.saintcorporation.com/products/
data_sheets/SAINT_data_sheet.pdf
Features
XXIncludes flexible/customizable scanning
options, including SANS/Federal Bureau of

Investigation Top 20;
XXScans anything with an IP address running TCP/
IP protocols;
XXIncludes extensive documentation and
online tutorials;
XXIncludes links to patches and new versions
of software;
XXRuns in remote mode;
XXIs easily set up to run unattended using the GUI;
XXProvides dynamic reporting capability that allows
the user to drill down to get more information
about the vulnerability and how to correct it;
XXCross-references vulnerabilities to IAVAs;
XXScans IPv4 or IPv6 addresses;
XXIncludes control panel that allows the user to stop,
pause, and resume scans, and to view results in
progress while the scan runs;
XXIs certified CVE-compatible by MITRE.
IA Tools Report
47
Second Look
Abstract
Second Look captures, and forensically preserves, a
computers volatile RAM. It analyzes the Linux
operating system kernel in live memory or via a
memory image, verifying its integrity and searching
for signs of rootkits or other subversive software that
have modified the executable kernel code or kernel
data structures.
With Second Look, analysts and investigators have a
tool that provides a comprehensive view of a system,
uninfluenced by any malware that might be running
on it. Information pulled directly out of memory
includes running processes, active network
connections, loaded kernel modules, and many other
essential system parameters. Second Look uncovers
hidden kernel modules, processes, and network
activity. Second Look integrates a real-time
disassembler that allows inspection of any function
or segment of kernel memory.
As threats to computer systems continue to increase
in sophistication, traditional post-mortem (dead box)
forensic analysis of hard disk contents is no longer
sufficient. Advanced exploits allow for the
implantation of rootkits and backdoors directly in
memory, without an actual file ever touching the disk.
Volatile memory must be acquired in a trustworthy
fashion, and analyzed with security software such as
Second Look.
48
IA Tools Report
Second Look
Type
Host Scanning
Operating System
Linux
Hardware
Requirements
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
Pikewerks
Availability
http://pikewerks.com/sl
SecureScout NX
Abstract
SecureScout NX is a third-generation scanning
solution that performs real-time testing of global
networks and firewalls. The architecture of
SecureScout NX implements a centralized console
to manage remote test engines and probes, enabling
users to quickly and repeatedly scan and report
vulnerabilities in distributed networks from a
single location.
SecureScout NX gives the user an impartial view of
whether firewalls have been configured correctly to
comply with security policies and protect the network.
SecureScout NX
Type
Network Scanning
Operating System
Windows 2000 SP3/SP4, Windows XP

SP1/SP2/SP3, Windows Server 2003
SP1/SP2 (32-bit versions of Windows only)
Hardware
Requirements
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
NetVigilance
Availability
http://www.netvigilance.com/nx
SecureScout NX tests highlight information exposed

to the outside world that cyber criminals could
misuse to attack the organization. Diligent
assessment of internal systems enables an
organization to manage security risks and reduce
potential liability. SecureScout NX delivers the
knowledge needed to protect critical information
from intruders and prepare countermeasures,
making it difficult for attackers to get in.
NetVigilances security experts continually research
information sources for new vulnerabilities, and a
secure Web service site automatically updates
SecureScout NX. Through differential reporting,
users can benchmark their security level at various
points in time.
IA Tools Report
49
SecureScout Perimeter
Abstract
The SecureScout Perimeter service probes Internetconnected systems for vulnerabilities before hackers
find them. It identifies holes in an Internet
infrastructure, scanning beyond the firewall to any
device with an IP address.
SecureScout Perimeter
Type
Network Scanning
Operating System
Windows 2000 SP3/SP4, Windows XP

SP1/SP2/SP3, Windows Server 2003
SP1/SP2 (32-bit versions of Windows only)
Hardware
Requirements
License
Commercial
NIAP Validated
Common Criteria
Rating
50
IA Tools Report
Developer
NetVigilance
Availability
http://www.netvigilance.com/perimeter
Security Auditors Research Assistant

(SARA) v7.9.1
Abstract
Security Auditors Research Assistant (SARA) v7.9.1
The Security Auditors Research Assistant (SARA) is a

third-generation network security analysis tool.
Type
Network Scanning
Operating System
Unix, Linux, Windows (through CoLinux)
Features
XXOperates under Unix, Linux, Mac OS/X or
Windows (through coLinux) OS,

XXIntegrates the NVD,
XXAdapts to many firewalled environments,
XXSupports remote self-scan and application
programming interface facilities,
XXIs used for the Center for Internet Security
benchmark initiatives,
XXIncludes plug-in facility for third-party
applications,
XXIncludes CVE standards support (20040901),
XXHas enterprise search module,
XXHas stand-alone or daemon mode,
XXOffers free-use open SATAN-oriented license,
XXIs updated twice a month,
XXProvides user extension support,
XXBased on the SATAN model.
Hardware
Requirements
License
Freeware
NIAP Validated
Common Criteria
Rating
Developer
Advanced Research Corporation
Availability
http://www-arc.com/sara/
Advanced Researchs philosophy relies heavily on

software reuse. Rather than inventing a new module,
SARA is adapted to interface with other community
products. For instance, SARA interfaces with the
popular Nmap package for superior operating system
fingerprinting. Also, SARA provides a transparent
interface to SAMBA for session message block
security analysis. SARA is no longer being developed,
and v7.9.1 is the final release.
IA Tools Report
51

Networks (SATAN)
Abstract
Security Administrators Tool for Analyzing Networks
(SATAN) scans systems connected to the network
noting the existence of well-known, often-exploited
vulnerabilities. It examines a remote host or set of
hosts and gathers as much information as possible.

Networks (SATAN)
Type
Network Scanning
Operating System
Unix/Linux
Hardware
Requirements
License
Freeware
NIAP Validated
Common Criteria
Rating
52
IA Tools Report
Developer
Dan Farmer and Wietse Venema
Availability
http://ftp.cerias.purdue.edu/pub/tools/unix/
scanners
SNScan v1.05
Abstract
SNScan is a Windows-based simple network
management protocol (SNMP) detection utility that
can quickly and accurately identify SNMP-enabled
devices on a network. This utility can effectively
indicate devices that are potentially vulnerable to
SNMP-related security threats.
SNScan v1.05
Type
Network Scanning
Operating System
Windows
Hardware
Requirements
License
Freeware
NIAP Validated
SNScan allows for the scanning of SNMP-specific

ports (e.g., UDP 161, 193, 391, and 1993) and the use of
standard (i.e., public) as well as user-defined SNMP
community names. User-defined community names
may be used to more effectively evaluate the presence
of SNMP-enabled devices in more complex networks.
Common Criteria
Rating
Developer
Foundstone (A Division of McAfee)
Availability
http://www.foundstone.com/us/resources/
proddesc/snscan.htm
SNScan is intended for use by system and network

administrators as a fast and reliable utility for
information gathering. Although not indicating
whether SNMP-enabled devices are vulnerable to
specific threats, SNScan can quickly and accurately
identify potential areas of exposure to SNMPrelated vulnerabilities.
IA Tools Report
53
ThreatGuard Secutor Magnus

Abstract
Secutor Magnus is designed specifically to meet the
Common Security Configurations requirements set
forth by the Office of Management and Budget (OMB).
Built for the Information Security Automation
Program established by NIST, Magnus fully supports
a wide-scale action plan to quickly and continually
show that an organization has compliance under
control. The entire Secutor line of automated content
tools provides standardized assessments, contentdriven remediation, and complete mappings to
driving requirements with options to easily
document deviations from those requirements.
Features
XXTest NIST configurations to identify adverse
effects on system functionality,

XXAutomated enforcement,
XXRestrict administration to
authorized professionals,
XXEnsure new acquisitions use
standard configurations,
XXPatches,
XXAutomatically determines if computers have
all required security patches,
XXPerforms vulnerability assessment of operating
system and major applications,
XXProvide documentation of deviations
with rationale.
54
IA Tools Report
ThreatGuard Secutor Magnus

Type
Operating System
Windows
Hardware
Requirements
Vendor Supplied appliance

also available
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
Threatguard
Availability
http://www.threatguard.com/products.htm
Triumfant Resolution Manager

Abstract
XXCompliance ManagementTriumfant Resolution
Triumfant Resolution Manager continuously scans

for unusual changes that are consistent with the
behavior and structure of malicious applications.
These include unusual auto-start methods, stealth
techniques such as those used by root kits, and
unusual firewall exceptions. As a result, malicious
attacks that are not detected by traditional signature
based tools are recognized by Triumfant in real time,
along with all of the changes to the machine
associated with the attack. Resolution Manager
immediately applies its deep analytics to verify
that it is indeed an attack and assesses the full
extent of the threat.
Manager applies security policies that are

customizable from the departmental level
down to individual machines. Triumfant also
provides policy templates for specific security
mandates, such as FDCC SCAP compliance and
PCI compliance.
XXVulnerability ManagementTriumfant uses the
NIST SCAP vulnerability database to scan each
computer for known software vulnerabilities,
identifying where missing patches create a
security exposure.
XXWhitelist/Blacklist ManagementTriumfant
deletes unauthorized software from endpoint
computers, and builds custom remediations to
ensure that no malicious code is left behind by the
deleted application.
Resolution Manager uses its diagnosis of the problem

and knowledge of the changes to the machine to
synthesize a surgical remediation. These
remediations do not delete the malicious executable;
they repair the damage from the attack, effectively
eliminating the need for costly re-imaging. The
information about the attack and the remediation
is captured so that Resolution Manager can scan
the entire population for any other occurrences of
the attack, and remediate machines where the attack
is detected.
Triumfant provides a comprehensive set of reports
that deliver visibility into the security readiness of
the endpoint environment from an executive
summary view down to the details of each machine.
Triumfant Resolution Manager

Type
Operating System
Hardware
Requirements
License
Commercial
NIAP Validated
Yes
Common Criteria
Rating
EAL2+ March 31, 2009
Developer
Triumfant
Availability
http://www.triumfant.com/products.asp
Features
XXMalware detectionThe ability to detect changes
at a granular level allows Triumfant to detect,

analyze, and remediate malicious attacks in
real-time without the need for signatures or any
prior knowledge of the attack.
XXSecurity Configuration ManagementTriumfant
verifies that the organizations standard
portfolio of endpoint security software is
correctly deployed.
IA Tools Report
55
Typhon III
Abstract
Typhon III is a tool that identifies infrastructure and
Web application. Capabilities include the fast and
accurate identification of current and historical
security vulnerabilities; the nonintrusive
vulnerability scanner provides secure quality
protection against current threats, including
Typhon III
Type
Operating System
Windows 2003, 200, XP, NT

4.0 SP6a
Hardware
Requirements
500 MHz CPU, 512 MB RAM, 20 MB disk

space (minimum)
License
Commercial
XXRootkits,
NIAP Validated
XXPhishing,
XXSQL Injection,
Common Criteria
Rating
XXPharming,
Developer
Availability
http://www.nextgenss.com/products/
internet-security/ngs-typhon.php
XXConfidential Data Theft.
By providing a comprehensive security audit of all

hosts in the network, from routers and printers
through Web and database servers, Typhon III helps
the network to stay secure from threats. Exposing
weak passwords in a variety of protocols, it contains a
full range of checks for common vulnerabilities and
configuration errors. Typhon III can also audit Web
applications using its integrated Web spider, a device
that will locate every page and script on a Web site
(even hidden, unlinked, and test files) and rigorously
test for SQL injection and XSS flaws.
56
IA Tools Report
WebInspect
Abstract
HP WebInspect software is a Web application security
assessment software designed to analyze todays
complex Web applications. It delivers fast scanning
capabilities, broad assessment coverage, extensive
vulnerability knowledge, and accurate Web
application scanning results.
Features
XXStatically analyze client-side Adobe
Flash applications;
XXProduce faster scans and more accurate results
through the Simultaneous Crawl and Audit

(SCA) technology;
XXReduce false positives using Intelligent Engines
designed to imitate a hackers methodology;
XXIncrease testing throughput with support for
multiple concurrent scans;
XXEnter a URL, username, and password to quickly
initiate a simple scan for immediate results;
XXInnovative scan profiler assists you in optimizing
the scan configuration to maximize the
effectiveness and accuracy of the scan;
XXDepth-first crawling option for Web sites that
enforce order-dependent navigation;
XXFingerprinting of Web framework using
Smart Assessment technology to reduce
unnecessary attacks.
HP WebInspect
Type
Operating System
Windows
Hardware
Requirements
License
Commercial
NIAP Validated
Common Criteria
Rating
Developer
Hewlett Packard
Availability
https://h10078.www1.hp.com/cda/hpms/
display/main/hpms_content.jsp?zn=bto&
cp=1-11-201-200^9570_4000_100__
IA Tools Report
57
WebScarab
Abstract
WebScarab is a framework for analysing applications
that communicate using the HTTP and HTTPS
protocols. It is written in Java, and is thus portable to
many platforms. WebScarab has several modes of
operation, implemented by a number of plugins. In its
most common usage, WebScarab operates as an
intercepting proxy, allowing the operator to review
and modify requests created by the browser before
they are sent to the server, and to review and modify
responses returned from the server before they are
received by the browser. WebScarab is able to
intercept both HTTP and HTTPS communication.
The operator can also review the conversations
(requests and responses) that have passed
through WebScarab.
WebScarab is designed to be a tool for anyone who
needs to expose the workings of an HTTP(S)-based
application, whether to allow the developer to debug
otherwise difficult problems, or to allow a security
specialist to identify vulnerabilities in the way that
the application has been designed or implemented.
58
IA Tools Report
WebScarab
Type
Operating System
Windows, Linux, Mac, Unix
Hardware
Requirements
License
Freeware
NIAP Validated
Common Criteria
Rating
Developer
Rogan Dawes of Corsaire Security
Availability
http://www.owasp.org/index.php/
Category:OWASP_
WebScarab_Project
SECTION 6
Related Resources
This provides additional references: books, Web sites, articles, and papers.
References
1. Carnegie Mellon Software Engineering Institute
CERT Coordination Center (n.d.). CERT/CC
Statistics 1988-2008. http://www.cert.org/stats/
cert_stats.html. (Accessed June 3, 2009).
2. Homeland Security Advisory Council. Report
of the Critical Infrastructure Task Report,
January 2006.
3. Merriam-Webster Online Dictionary. http://www.
merriam-webster.com/. (Accessed June 5, 2009).
4. Schultze, E. Thinking Like a Hacker. March 2002.
http://pdf.textfiles.com/security/thinkhacker.pdf.
(Accessed June 5, 2009).
5. Storms, Andrew (SANS Institute). Using
Vulnerability Tools To Develop an OCTAVE Risk
Profile. December 2003. http://www.sans.org/
reading_room/whitepapers/auditing/1353.php?por
tal=813b67045603408ee90700647. Retrieved 13
March 2007.
6. U.S. Government, Intelligence Community.
Analytical Risk Management: A Course Guide for
Security Risk Management, May 2003.
7. U.S. Government, National Institute of Standards
and Technology, National Vulnerability Database.
Security Content Automation Protocol Validated
Products. http://nvd.nist.gov/scapproducts.cfm.
8. U.S. Government, White House. Cyberspace
Policy Review. http://www.whitehouse.gov/assets/
documents/Cyberspace_Policy_Review_final.pdf
9. Spiegal Online International. Away From the
Politics of Fear Interview with Homeland
Security Secretary Janet Napolitano. http://www.
spiegel.de/international/world/0,1518,613330,00.
html. (Accessed June 5, 2009).
10. SRI International; Phillip Porras, Hassen Saidi,

and Vinod Yegneswaran. An Analysis of
Confickers Logic and Rendezvous points http://
mtc.sri.com/conficker. Updated March 19, 2009.
(Accesed June 10, 2009).
11. Conficker working Group Home page. http://www.
confickerworkinggroup.org/wiki/pmwiki.php
12. Cyber Secure Institute. Cyber Secure Institute on
the Conficker Controversy. http://
cybersecureinstitute.org/blog/?p=15. (Accessed
June 11, 2009).
13. Gregory Braunton, SANS institute. B.A.S.E A
Security Assessment Methodology. http://www.
sans.org/reading_room/whitepapers/auditing/
b_a_s_e__a_security_assessment_
methodology_1587. (Accessed June 11, 2009).
14. Chairman of the Joint Cheifs of Staff of the Armed
Forces. Joint Publication 3-13: Information
Operations. February 13, 2006.
IA Tools Report
59
SECTION 7
Recommended Resources
Alberts, Christopher and Audrey Dorofee. Managing Information Security Risks: The OCTAVE Approach. Boston:
Addison Wesley Professional, 2003.
Braunton, Gregory (SANS Institute). B.A.S.E.A Security Assessment Methodology, September 2004.
Open Vulnerability Assessment Language http://oval.mitre.org
Peltier, Thomas R., J. Peltier, and J.A.Blackley. Managing a Network Vulnerability Assessment. Boca Raton, FL:
CRC Press LLC, 2003.
Stoneburner, G., A. Goguen, and A. Feringa. Special Publication 800-30Risk Management Guide for
Information Technology Systems. National Institute of Standards and Technology (NIST), 2002.
U.S. Government, Intelligence Community. Analytical Risk Management: A Course Guide for Security Risk
Management, 2003.
U.S. Government, Department of Commerce. Publication 199 - Standards for Security Categorization of Federal
Information and Information Systems. Federal Information Processing Standards (FIPS), 2004.
U.S. Government, National Institute of Standards and Technology, National Vulnerability Database. Security
Content Automation Protocol Validated Products. http://nvd.nist.gov/scapproducts.cfm.
IA Tools Report
61
SECTION 8
Definitions
XXAll-hazards/ThreatCircumstances, events, or
people with the potential to cause harm to a

system. The full spectrum of threats and hazards
could include natural disasters (e.g., floods, fires,
hurricanes), domestic or international criminal
activity, accidental disruptions such as
construction mishaps.
XXCritical AssetThose assets of such importance to
an organization that without them the
organizations ability to execute its mission would
be significantly degraded or suffer complete
failure.
XXFalse NegativeRefers to when a tool fails to find
an existing vulnerability.
XXFalse PositiveRefers to when a tool finds a
vulnerability that does not exist.
XXRiskA function of the likelihood that a specific
hazard/threat will exploit a given vulnerability
and that the resulting impact of loss of the critical
asset will cause significant degradation or even
mission failure of the organization.
Mathematically written risk is the following:
implementation. Exploitation would negatively

affect the confidentiality, integrity, or availability
of the system or its data.
XXVulnerability AssessmentAn examination of the
ability of a system or application, including
current security procedures and controls, to
withstand assault. A vulnerability assessment may
be used to a) identify weaknesses that could be
exploited; and b) predict the effectiveness of
additional security measures in protecting
information resources from attack.
Threat x Vulnerability x Impact of Loss = Risk .

XXRisk AssessmentThe process evaluating the
impact of loss of an asset, the likely and probable

threats, and the vulnerabilities of the asset.
XXRisk ManagementA process for identifying and
prioritizing the impact of loss, threats, and
vulnerabilities, and making rational decisions
regarding the expenditure of resources and the
implementation of countermeasures to reduce the
risk of loss.
XXScanningA periodic examination of traffic
activity, system files and permissions, and overall
system configuration to determine whether
further processing is required.
XXVulnerabilityRefers to a weakness in a systems
security scheme, which may include system
security procedures, internal controls, or
IA Tools Report
63
SECTION 9
Definitions of Acronyms and Key Terms
Acronym or Term
Definition
ACL
Access Control List
ARP
Address Resolution Protocol
CERT
Computer Emergency Response Team
CGI
Common Gateway Interface
COPS
Computer Oracle and Password
COTS
Commercial Off-the-Shelf
CPU
Central Processing Unit
CSV
Comma Separated Variable
CVE
Common Vulnerabilities and Exposures
DHS
Department of Homeland Security
DISA
Defense Information Systems Agency
DoD
Department of Defense
DSII
DominoScan II
DSS
Data Security Standard
DTIC
Defense Technical Information Center
ePO
ePolicy Orchestrator
ESSG
Enterprise-Wide Information Assurance and Computer Network Defense Solutions Steering Group
FDCC
Federal Desktop Core Configuration
FISMA
Federal Information Security Management Act of 2002
GB
Gigabyte
GHz
Gigahertz
GLBA
Gramm-Leach Bliley Act
GUI
Graphical User Interface
HBSS
Host Based Security System
HIPAA
Health Insurance Portability and Accountability Act
HIPS
Host Intrusion Prevention System
HSPD-7
Homeland Security Presidential Directive 7
HTML
HyperText Markup Language
HTTP
Hypertext Transfer Protocol
HTTPS
Hypertext Transfer Protocol Secure
IA
Information Assurance
IAC
Information Analysis Center
IATAC
Information Assurance Technology Analysis Center
IA Tools Report
65
Acronym or Term
Definition
IAVA
Information Assurance Vulnerability Alert
IP
Internet Protocol
IPS
Intrusion Prevention System
IT
Information Technology
MB
Megabyte
MBSA
Microsoft Baseline Security Analyzer
MHz
Megahertz
MA
McAfee Agent
MU
Microsoft Update
NIAP
National Information Assurance Partnership
NIST
National Institute of Standards and Technology
Nmap
Network Mapper
NVD
National Vulnerability Database
OMB
Office of Management and Budget
OS
Operating System
OVAL
Open Vulnerability Assessment Language
PA
Policy Auditor
PCI
Payment Card Industry
PEO-IAN
Information Assurance/Network Operations Program Executive Office
PERL
Practical Extraction and Report Language
PHP
Hypertext Preprocessor
RAM
Random Access Memory
RSD
Rogue System Detection
SaaS
Software-as-a-Service
SANS
SysAdmin, Audit, Network, Security
SARA
Security Auditors Research Assistant
SATAN
Security Administrators Tool for Analyzing Networks
SCAP
Security Content Automation Protocol
SCCM
System Center Configuration Manager
SMS
Systems Management Server
SNMP
Simple Network Management Protocol
SOX
Sarbanes-Oxley Act
SQL
Structured Query Language
TCP
Transmission Control Protocol
UDP
User Datagram Protocol
66
IA Tools Report
Acronym or Term
Definition
URL
Uniform Resource Locator
VM
Vulnerability Management
WSUS
Windows Server Update Services
XML
eXtensible Markup Language
XSS
Cross-Site Scripting
IA Tools Report
67

Vulnerability Assessment

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Vulnerability Assessment

Uploaded by

Copyright:

Available Formats

Tools

Approved for public release; distribution is unlimited.

3.1 How Vulnerability Assessment

Acunetix Web Vulnerability Scanner. . . . . . . . . . . . . . . . . 16

McAfee Vulnerability Manager. . . . . . . . . . . . . . . . . . . . . . 32

The IA Tools Database is one of the knowledge bases

Inquiries about IATAC capabilities, products, and

exploitation of which would negatively affect the

This report provides a brief background on

The majority of the tools identified in the IA Tools

Currently, the IATAC database contains descriptions

This report is organized into eight sections. Section 1

classification of tools highlighted in this report, how

IT Risk Management Overview

Critical Infrastructures, both cyber and physical,

up a significant portion of our nations critical assets

Growth in IT Incidents and Vulnerabilities

Automated attacks on information systems, and

Section 2 IT Risk Management Overview

What is Risk Management?

Many different risk assessment and management

Number of Security Incidents report (19882003)

Number of Vulnerabilities Reported (1995Third Quarter 2008)

Section 2 IT Risk Management Overview

Therefore, an effective approach to threats will

Components of Risk Diagram

Because our world is constantly changing, risk

We can now more fully define risk as being a function

Section 2 IT Risk Management Overview

Risk Assessment and Management Process

From this point forward, this report focuses on the

SECTION 3 u Automated Vulnerability

When a scanner finds a host with open ports, it checks

Hackers Methodology A common approach to

Perform a footprint analysis

Test/obtain access through user privilege manipulation

Gather additional passwords and secrets

Leverage the compromised system

Table 1 Hackers Methodology

Section 3 Automated Vulnerability Assessment Tools

TCP Connection (3-way Handshake)

ethernet local area network,

Section 3 Automated Vulnerability Assessment Tools

be a challenge. The system and network

Existing community relationships were leveraged

system files, active processes, file shares, and the

network scanner. These tools interrogate database

Tool Selection Criteria

The selected tools meet the following three criteria

approach, and methodology of a vulnerability

Vulnerability Analysis Tools

Section 5 summarizes pertinent information, providing users a brief description of available

The type of tool, or category in which this tool

The operating system(s) on which the tool runs. If the

The third-party hardware platform(s) on which the

The type of license under which the tool is

An indication of whether the product has received a

If the tool has received a Common Criteria

The individual or organization responsible for

The Uniform Resource Locator (URL) of the Web

Legend For Tables

IATAC does not endorse any of the following product evaluations.

Vulnerability Analysis Tools

Acunetix Web Vulnerability Scanner