These icons link to social bookmarking sites where readers can share and discover new web pages.

Two Vulnerability Scanning Tools Evaluated

November 3, 2009 by ADMIN · 2 Comments

By Bozidar Spirovski, CISSP, MCSA, MCP

We have mentioned our favorite vulnerability scanning tools before.

But a lot of time has passed since, so it is time to put these tools against each other and evaluate the quality of the results received when scanning the same target.

The Test Environment

The tested vulnerability scanning tools were installed on a Windows 7 Pro PC.

Nessus server and client were installed and updated to the latest plugins.
Retina 5.10.18.2135 Evaluation version was downloaded and installed. The Evaluation version does not allow updates, so we used what updates are included in the build.

The target was Damn Vulnerable Linux (DVL) version 1.5 installed as a VMWARE host with bridged networking on the same host PC as the vulnerability scanning tools.

The network of the DVL target was bridged, and all firewalls (both of the host OS and the guest OS) were disabled.

The DVL was started with the following services, with default settings and content as included in the distro.

MySQL
HTTP
IPP Printer sharing which was active by default

The Scanning Process

Both scanners were started with setting on full port scan, with disabled safety of scanning, and all available plugins were activated.

Performance

The Nessus scanner took more then 88 minutes to complete the scan
The Retina scanner took 38 minutes to complete the scan

Results

Both scanners failed to identify the target operating system

The Nessus scanner identified the expected open ports, concluded that MySQL does not accept connections from unauthorized IP’s. On the Web server, it identified a significant number of vulnerabilites, and collected information from HTTP through web mirroring. On a repeat scan, it regenerated the same results
You can download the full report of the Nessus Scan Here
The Retina scanner identified HTTP and TCP port 631 (IPP Printer Sharing). It did not identify the MySQL port as open. On the Web server, it identified a significant number of vulnerabilites, but did not collect any information from the HTTP server. On a repeat scan it missed the HTTP port and only identified the MySQL port.
You can download the full report of the Retina Scan Here

Conclusions

Both scanners performed a very well vulnerability identification but missed the OS identification. Also, both manifested flaws:

Nessus missed the IPP port every time
Retina manifested erroneous scan results, identifying different ports and vulnerabilities during different sessions - while no configuration changes were made to the test environment.

In terms of speed, Retina performed much faster. In terms of scan depth, Nessus has a small advantage, since it includes a web mirroring tool that is very helpful in HTTP.

It can be clearly concluded that these tools cannot be used as the sole source of information when performing a vulnerability test.

One must also utilize network mapping (NMAP, LanGuard), OS identification (NMAP) and specific application vulnerability scanners (ParosProxy, WebScarab for Web) for maximum effect.

In a direct comparison, Nessus wins simply because Retina manifested erroneous results on repeat scans.

* * *

Stay Informed With ISR News Alerts:

* * *

Author: Bozidar Spirovski of Information Security Short Takes

Occupation: Information Security Expert
CISSP #301565
MCSA, MCP ID# 2448347
Send comments, requests or general inquiry to shortinfosec _at_ gmail dot com
Visit my LinkedIn profile at http://www.linkedin.com/in/spirovskibozidar

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

These icons link to social bookmarking sites where readers can share and discover new web pages.

Filed under: Bozidar Spirovski, Breach, D&O Liability, FEATURE ARTICLE, Financial, PCI, Sarbanes-Oxley, Uncategorized, hackers, identity-theft, malware, national security, privacy

Tags: (ISC)2, 2009, access, Anthony M. Freed, best practices, Bozidar Spirovski, Breach, breaches, bypass, CGEIT, CIPP, CISA, CISM, CISSP, computer, Computer forensics, confidential, consumer product liability, control, Costs, CPA, criminal, CSI, cyber security, cyber-crime, cybersecurity, D and O liability, Data, disposal, DRI, due diligence, DVL, Economy, electronic database, evidence analysis, Finance, Financial, Financial Identity, Financial InfoSec, governance, guidlines, hackers, hardware, Helix, homeland Security, how to. tutorial, ID, identity thief, IIA, infection. patches, Infoduciary, Information, Information Fiduciary, Information Security Short /takes, Information-Security-Resources.com, InfoSec, infrastructure, ISACA, ISR, ISSA, Kevin M. Nixon, LanGuard, law, legal, liability, malware, message, misuse, Nessus, News, NMAP, online fraud, ParosProxy, privacy rights, process, Retina, risk, Scuba, Security, Security Assessment for Databases, Security Information Event Management, self-spreading, SIEM, storage, System, systems, tagged, theft, third party, toolkit, vendors, VMware, WebScarab, Windows, zero day attack

2 Responses to “Two Vulnerability Scanning Tools Evaluated”

Chris Carpinello Says:
November 4th, 2009 at 12:08 pm
This article fails to deliver any depth or insight about Nessus or Retina. There’s plenty of opportunity for the author to share his expertise like explaining the usefulness of the web mirroring tool or illustrating how successive Retina scans produced erroneous results. As someone who uses Retina frequently, I’d like to be aware of any faults it has.

Trackbacks

Two Vulnerability Scanning Tools Evaluated : Information Security … | Hack In The Box . Net

Tell us what you're thinking...

Editor's Pick - Best Anti-Spyware Download
Advocacy
- Electronic Frontier Foundation
- Internet Security Alliance
Business Technology
- BizTech - The Wall Street Journal
- Geekfluence
- Information Week
- InfoWorld - Business Tech & IT
- TechPitch
- TechWeb
- Telecom, Security and P2P
Class Action Litigation Resources
- Class Action News Wire
- Class Action World
- Stanford Law Class Action Clearinghouse
Education Infosec
- Educational Security Incidents (ESI)
Financial InfoSec
- A.E. Feldman Blog
- Bank Info Security
Financial Watch
- Bear Market Investments
- BusinessWeek BX
- Footnoted.org - The Fine Print
- MarketWatch
- SeekingAlpha Investor Analysis
- Silicon Investor
- Telegraph UK
- The Deal Economy
- The Mess That Greenspan Made
- The Oxen Group
Government
- Compliance Online
- Federal Computer Week
- Government Computer News
- Government Contracting News Wire
- Government Technology
- GovernmentSecurity.Org
- Homeland Security Watch
- N.I.S.T. Resources
- Obama’s Security Strategy
- Telegraph UK
- US - CERT
Identity Theft News
- I’ve Been Mugged
- ID Experts Blog
- Identity Theft Assistance Center
- Identity Theft Info
- Identity Theft Resource Center
IDG Network
- CIO Online
- ComputerWorld
- CSO Online
- IDG Connect
- InfoWorld
- ITWorld - An Open Exchange
- MacWorld
- NetworkWorld
- PCWorld
- The Industry Standard
InfoSec
- Armit Williams Blog
- Best of Security News
- Bruce Schneier on Security
- C.E.R.I.A.S.
- CERIAS Blog
- CGI Security
- CIO Forum - South Africa
- CISSP
- Cyber Security Institute
- Cyber Strategies
- Didier Stevens Blog
- FireEye Malware Intelligence Lab
- FrequencyX Blog
- Graves Concerns - Subjunctive Blog
- Hack in the Box
- HowUnSecure
- IIA Security Portal - Australia
- Information Security Short Takes
- Insecure Realities
- Laptop Security Blog
- Last In - First Out
- Lauren Weinstein’s Blog
- Mu Dynamics Blog
- Neohapsis Labs
- Oonnoonny
- Risk and Threat Management
- SecuObs - L’observatoire
- Securosis
- TaoSecurity
- The Breach Blog - Evan Francen
- The DarkNet UK
- The Hacker Diaries
- The InfoSec Blog
- The Tech Herald - Security
- Threat Post
- ThreatChaos - Richard Stiennon
Mortgage Industry
- Housing Doom
- Mortgage Lender Implode
Payments Industry
- Merchant Bill Of Rights
- Payment Systems Blog
- Payments News
- PCI Auditor Community Site
- Pin Payments Blog - HomeATM
- Society of Payment Security Pros
- StorefrontBacktalk
- The Merchant Maven
Privacy Rights Issues
- Emergent Chaos
- Info/Law - Harvard
- Pogo Was Right - Privacy News
- Privacy Camp
- Privacy Rights Clearing House
- PrivacyLaw.org
- The Cutting Edge News
Security Breach Aggregators
- Open Security Foundation
Technology and Law
- Computer Crime Research Center
- CTF Legal Blog
- Cyber Crime & Doing Time
- Tech Law Forum
- Technology & Marketing Law
- The Complex Litigator
- Tsibouris & Associates Law Blog
Technology News
- Ars Technica
- Current Tech
- H-Plus Magazine
- Rob the Geek - New Zealand
- TechBlips
ISR News Feed
- Online Money Mules Aide Theft and Fraud
  By Robert Siciliano, Identity Theft Expert Shipping scams are a common tactic criminals use in which they employ mules to receive goods bought with stolen credit card numbers, who then ship to people who buy them in online auctions. The mules in this process are essentially facilitating selling hot goods and money laundering.
- Effective Security Policy Messaging Important
  By Christopher Burgess, Senior Security Adviser Clearly communicate that, in fact, there are secrets. Once employees understand that they have a responsibility to protect the enterprise, the chasm between the security professional and the rest of the staff not only shrinks, it disappears. Far too often, security policies arrive as a reaction, as opposed to a proactive management of risk. Through this process, the enterprise will acknowledge security as forethought, not an afterthought.
- Windows Security Logs and MS Log Parser
  By Bozidar Spirovski, CISSP, MCSA, MCP Reading through a Windows security log or any other log can be very difficult and time consuming, so a lot of companies have created their own tools to analyze windows event logs. But before you start going commercial, there is a tool that will get you going without any cost. Against all odds, it's a tool made by Microsoft!
- ATM on Craigslist Loaded with Card Data
  By Robert Siciliano, Identity Theft Expert I started looking on e-bay and found plenty of new and used ATMs ranging from $500-2500 but quickly determined I didn’t want to pay $300 for shipping. Next was Craigslist, where I quickly found an ad from a bar north of Boston. They were selling pool tables, Budweiser neon signs and an ATM for $750.
- ISAlliance: Cyber Security is Economic Issue
  By Anthony M. Freed, Information-Security-Resources.com Managing Editor "First, the President is correct in his appreciation of the need to view cyber security as not just a technical and security issue, but as an economic one as well. In the 21st century - the digital century - economics and security are opposite sides of the same coin. You cannot affect one without impacting the other." ~ Congressional Testimony
- Innovative Analytic Tool Empowers Investors
  By Anthony M. Freed, Information-Security-Resources.com Managing Editor An innovative new investor analytic tool made its public debut today, and it offers an exciting look at what may well be the future of online trading for both market experts and arm-chair analysts alike. Trefis, named for its focus on trends, forecasts, and insights, is revolutionary in its forward-looking approach to stock analysis which, incorporates a more intuitive look at the relationship between a company's product divisions and its stock price.
- SaaS and the Need for Enterprise Architecture
  Coby Royer, Technical Product Manager for Symplified Acquisition and deployment of real solutions is now within grasp of business owners (seemingly) without the need for conventional IT delivery and support. But many questions may go unanswered without engagement of EA, and latent risks (such as compliance and security) may turn into real issues.
- New IBM Analytics For Business Intelligence
  BY Mel Duvall, Chief Content Officer at CIOZone In its recently released Global CIO Study, IBM found that 83% of respondents identified business intelligence and analytics as the best way to help enhance their organizations' competitiveness. At the company's Information on Demand conference in Las Vegas, IBM outlined a series of new products and services. It includes tools to analyze the increasing volumes of unstructured data found on Web sites, on social networking sites and in digital files.
- Revolving Door of Abuse: Procurement Fraud
  By Michael O'Connor, President of IronClad Consulting Kellogg, Brown & Root (KBR) was responsible for the kickback fraud that occurred in the US v. Khan case, and has been the focus of many other cases of procurement fraud within the LOGCAP project. Since combat operations began in 2001, DCAA has referred to criminal investigators 32 cases of suspected fraud that were associated with all wartime-support contracts. Of those, the vast majority were related to the Logistics Civil Augmentation Program.
- ISAlliance to Testify for Senate Judiciary
  From The Internet Security Alliance Larry Clinton, president of the Internet Security Alliance (ISA), will testify tomorrow at a U.S. Senate Judiciary Terrorism and Homeland Security Subcommittee hearing titled, Cybersecurity: Preventing Terrorist Attacks and Protecting Privacy in Cyberspace.
- Increase Your Information Security IQ
  By Robert Siciliano, Identity Theft Expert People who generally have to much time on their hands read my posts. Or they simply enjoy my train wreck world view. Anyway there are some fantastic resources that I draw from that help me to break down the complicated issues revolving around how to keep the bad guy from draining your bank account. The following make me look good (not to insult them):
- Fifteen More Smart Grid Privacy Concerns
  By Rebecca Herold (The Privacy Professor) CIPP, CISSP, CISM, CISA, FLMI Wouldn't it be a good idea to have privacy certifications for the organizations that are part of the large smart grid and for the smart meters to help ensure they are appropriately addressing privacy and providing households with informed decision-making capabilities for how the information collected from their homes through these devices are used?
- 2010 Defense Authorization Act Spending
  By Richard Stiennon, Chief Research Analyst, IT-Harvest On October 28th President Obama signed into law the National Defense Authorization Act for Fiscal Year 2010. OK, so more people are needed. Now, let’s talk money. How much money is provided in the 2010 Defense Authorization Act for Cyber Defense? A lot.
- What Could Possibly Be Worse Than A Virus?
  By Robert Siciliano, Identity Theft Expert Once a predator uses your Internet connection to go to into the bowels of the web, your Internet Protocol address, which is connected to your ISP billing address, is now considered one that is owned by a criminal. If law enforcement happens to be chatting with that person, who’s using your Internet connection to trade lurid porn, then someone may eventually knock on your door at 3 AM with a battering ram. And in freakish and relatively new twist, hackers can use a virus to crack your network and gain remote control access, and then store illicit porn on your hard drive.
- DLP is Short for Disturbing Lack of Process?
  By Danny Lieberman, Security Expert and Founder of Software Associates The question is not lack of process but whether or not security is being used to help enforce business process in the relevant areas of product safety, customer service, employee workplace security and information protection in business-to-business relationships.
- HITECH Act and Protecting Health Privacy
  By Doug Pollack, Chief Marketing Officer for ID Experts These new regulations come at a time when healthcare breaches are on the rise; according to the 2009 ITRC Breach Stats Report healthcare breaches account for over 66 percent of all records breached this year, up from 20 percent in 2008. In fact, some of the largest names in healthcare suffered data breaches.
- Congressional Leak Spotlights P2P User Act
  By Robert Siciliano, Identity Theft Expert Congress is still considering the Informed P2P User Act, a law that would supposedly make it safer to use peer-to-peer file sharing software, an effort that is similar to banning mosquitoes from sucking blood. It just isn’t happening...
- Microsoft Threat Assessment & Modeling
  By Bozidar Spirovski, CISSP, MCSA, MCP Every organization has some form of Information Security Risk Assessment - some perform a formal risk assessment, others simply use their practical experience. There aren't that many tools that assist the organization in performing risk assessment. The most widely used one is Excel, but it is far from a good choice.
- ISAlliance To Release Cyber Security Report
  From The Internet Security Alliance The ISA will release a new cybersecurity report, which proposes frameworks for taking key issues in the Obama Administration’s “Cyberspace Policy Review” document to the next level, in an effort to achieve tangible progress. The report will include frameworks for creating a new, practical model for information sharing; addressing the international nature of cybersecurity issues; developing a market for adopting good security standards and practices; building a highly educated digital workforce; and managing the global IT supply chain.
- Report: Globalization of Malware Production
  By Simon Heron, CISSP Internet Security Analyst Hackers are spreading their operational bases further around the world, according to threat analysis from managed security firm, Network Box. Not only should we all be wary about what links we click on in emails, social networking sites and IM, but we should examine what data we put online.
Feedback
- Brian Carroll on Effective Security Policy Messaging Important
- Vedicsoft Solutions IT Consulting Company | Business Intelligence … | Management Business Wisdom on New IBM Analytics For Business Intelligence
- Taming Business Intelligence for CXOs | CMS Report | Management Business Wisdom on New IBM Analytics For Business Intelligence
- Innovative Analytic Tool Empowers Investors : Information Security … | inversiones inmobiliarias - Zentrica Inversiones on Innovative Analytic Tool Empowers Investors
- securitywhispers » Blog Archive » About smart grid on Fifteen More Smart Grid Privacy Concerns
- Michael Bacon on Fifteen More Smart Grid Privacy Concerns
- uberVU - social comments on 2010 Defense Authorization Act Spending
- Michael Bacon on What Could Possibly Be Worse Than A Virus?
- uberVU - social comments on What Could Possibly Be Worse Than A Virus?
- uberVU - social comments on DLP is Short for Disturbing Lack of Process?

Information Security Resources

Two Vulnerability Scanning Tools Evaluated

Trackbacks

Business

Editor's Pick - Best Anti-Spyware Download

Advocacy

Business Technology

Class Action Litigation Resources

Education Infosec

Financial InfoSec

Financial Watch

Government

Identity Theft News

IDG Network

InfoSec

Mortgage Industry

Payments Industry

Privacy Rights Issues

Security Breach Aggregators

Technology and Law

Technology News

ISR News Feed

Feedback