CyberCop 5.5

Network Associates’ (NAI’s) CyberCop Scanner 5.5 can help you track down security vulnerabilities across your network. Like the other scanner products I’ve evaluated in this series of reviews, CyberCop Scanner will scan all TCP/IP devices for vulnerabilities. However, for this review, I’ll focus on using this scanner product in a Windows NT environment only.

Features and Benefits
Out of the box, CyberCop Scanner scans for 732 different security vulnerabilities—you can use the software’s Auto Update feature to increase the number of vulnerabilities the product scans for. NAI releases program updates monthly. In addition to vulnerability assessment, CyberCop Scanner also audits your security policy settings (e.g., password expiration and account lockout options), just as Shavlik Technologies’ InspectorScan does, and tests for Intrusion Detection Systems (IDS—i.e., tracking, logging, and responding to potential attacks on the network).

NAI redesigned the GUI in this newest version of CyberCop Scanner to make the product more intuitive to use. A new Auto Fix feature lets you automatically repair problems the program identifies when you run a security scan. CyberCop Scanner stores vulnerabilities in an ODBC-compliant database complete with links to further information on each vulnerability. The software’s reporting engine works via Microsoft Management Console (MMC) and uses Crystal Reports 6.0 to generate reports.

With this new version, you can customize your scans based on the OS you want to target—a feature that lets you scan for vulnerabilities using specific OS checks instead of scanning for vulnerabilities that don’t exist in the particular OS you are auditing. CyberCop Scanner can also identify hosts and their OSs without performing any vulnerability scans. The software creates a graphical network map during the scan process that identifies each IP device it detects. Systems administrators and security professionals can capitalize on CyberCop Scanner’s support for Visual Basic (VB) scripting to create custom scan modules. CyberCop Scanner also includes a Custom Audit Scripting Language (CASL) Scripting Tool for creating custom scan tests for any IP device or protocol.

Installation and Use
At a minimum, NAI recommends that you install CyberCop Scanner on a Pentium 100MHz system with 64MB of RAM and 48MB of hard disk space. CyberCop Scanner will run on both NT and Red Hat Linux 5.2. For this review, I installed the software on a Pentium III 500MHz system running NT 4.0 Service Pack 6a (SP6a) with 512MB of RAM.

Before I ran CyberCop Scanner, I used the product’s Auto Update utility so I could scan for the latest vulnerabilities. After multiple retries, the utility finally downloaded and updated the software. When you run CyberCop Scanner for the first time, you must answer a few configuration questions before you can use the scanner portion of the product. Although NAI has redesigned the GUI for this latest version, as Screen 1 shows, the product was still difficult to navigate. My copy of CyberCop Scanner didn’t ship with a manual; instead, the CD-ROM included documentation in PDF format.

After a few clicks and some investigation, I learned how to set the option to configure my scans. CyberCop Scanner lets you use a dialog box to enter a range of hosts you want to scan, or you can edit the included hosts.txt file to enter multiple host IP addresses or ranges you want to scan. I edited the hosts.txt file and entered my entire networks IP range. Unlike most of its competitors, CyberCop Scanner does not use scan profiles. Instead, you select each vulnerability that you want to scan for from the configuration menu.

I selected every possible vulnerability check and clicked the play button icon to start my scan. CyberCop Scanner took a whopping 26 minutes to scan one host, much longer than any other security scanner I've evaluated. NAI claims that CyberCop Scanner tests for more vulnerabilities than its competitors, which might attribute to the long period of time the software takes to perform a scan. Or, a difference of default timeout settings among the different products could have caused this delay. CyberCop Scanner has 732 different vulnerability tests vs. the 600 in Internet Security Systems' (ISS’) Internet Scanner product. During the scans, you can double-click each host you're scanning and view the scan modules that are currently running.

After my scan finished, I viewed the Network Map, which displays cute little graphics of PCs and routers identifying my hosts and every IP device that the software detected on the network. Although this map displays well, CyberCop Scanner does not offer the ability to print or export the network map. Without this functionality, I don’t see a lot of value in the Network Map function. The reporting module launches MMC to display the Crystal Reports created reports. As Screen 2 shows, the reports are well organized and easy to navigate. The MMC plugin lets you customize and filter your reports.

CyberCop Scanner can automatically fix certain vulnerabilities. This option is a bit dangerous, especially when the software, unlike BindView’s HackerShield, does not let you reverse any changes that it makes. You can, however, create a backup of your Registry, perform the autofix, and hope for the best. But, most systems administrators might prefer a safer way of making changes. CyberCop Scanner and HackerShield are the only products I've reviewed that let you automatically fix some vulnerabilities. Both products can repair only problems that you can fix by changing Registry keys. If you need to repair a vulnerability by using a Microsoft hotfix, you must still manually install these hotfixes.

CyberCop Scanner automatically rated the threat of each vulnerability it found as low, medium, or high. The software found the same number of vulnerabilities as one of its competitors, ISS' Internet Scanner, but rated certain so-called vulnerabilities as low risk, while Internet Scanner rated the same vulnerabilities as medium risk. As I mentioned in my review of ISS Internet Scanner, the security software industry needs to standardize on the classifications of vulnerabilities and their level of risk. One organization, MITRE [http://www.mitre.org] has created a Common Vulnerabilities and Exploits (CVE) database that many software vendors are following. However, the current CVE only goes as far as to verify and number each vulnerability; it does not rank them by risk level.

Could Have Been a Competitor
I wasn’t impressed with the amount of time it took CyberCop Scanner to scan my hosts, and I did not see any evidence that it can find more NT-related vulnerabilities than its competitors. However, I was impressed with the product's CASL Scripting Tool and the fact that you can use VB to customize test scripts.

With its flexible pricing options and large vulnerability database, CyberCop Scanner competes with the other scanning products on the market. A 25-node license costs $2550, which puts this software in the same price range as its competitors. However, CyberCop Scanner won’t replace BindView’s HackerShield in the Ultimate Security Toolkit. However, with the benefit of VB scripting and the CASL Scripting Tool, it might complement HackerShield in the toolkit. Maybe in a future review, I'll compare the developer's kit that comes with WebTrends Security Analyzer with CyberCop Scanner's tools. If you'd like to see these two tools compared head to head, email me at [email protected] and let me know.