Networks connected to the Internet are probed and scanned for vulnerabilities every minute. These could be deliberate attacks, as in the case of automated scanners or crackers running scans, or a consequence of infected systems propagating worms onto the enterprise network. Worms are the single most dominant threat on the Internet today—and their sophistication levels are increasing rapidly.
Nimda and Code Red were worms that exploited multiple vulnerabilities in systems to gain entry into and cripple large networks and parts of the Internet. These worms scan flaws in web servers and open shared networks to proliferate. Correspondingly, crackers use known vulnerabilities in networks to break into them.
Today, with improved scanning algorithms, it is possible for worms on the Internet to reach saturation levels in shorter periods than before. Known vulnerabilities are typically those published by software vendors. In most cases, patches for these worms are available. The timely installation of such patches and the reconfiguration of perimeter systems and other layered defenses can help an organization combat this menace.
An effective organizationwide vulnerability strategy treated as one of the most vital components of any enterprise information security program is essential. This article emphasizes a few steps that organizations must take toward building an enterprisewide vulnerability management strategy. Some of these steps may overlap with other organizational processes, such as asset identification, patch management, configuration management and release management. The key steps in the vulnerability management strategy are provided in Figure 1.
Once the assets that require management are identified, scanning tools can be selected based on the environment. A process for scanning these digital assets is subsequently established.
Key assets in an organization are usually identified and labeled based on their sensitivity and criticality. This asset identification scheme considers the losses faced by an organization when systems are compromised: the greater these losses, the more critical the effective implementation and management of security controls. Mitigating vulnerabilities associated with critical organizational assets is the most crucial part of a vulnerability management strategy. Digital assets, such as server/desktop and other information storage and processing systems, need to be assessed for vulnerabilities.
The type of technology implemented affects the kinds of vulnerabilities that can emerge. The selection of various technology components, such as the operating system, web servers, messaging systems and application servers, can determine how vulnerable any organization is to system attacks. Identifying these technology components plays a key role in determining appropriate vulnerability scanning tools.
Selecting the most suitable vulnerability assessment tools impacts how weaknesses in technologies and infrastructure are identified and reported. There are various tools (open source and commercial) that can detect vulnerabilities in technologies. Tools such as Nikto concentrate on detecting web-based vulnerabilities, while others, such as Nessus and Retina, can conduct comprehensive vulnerability assessments on all kinds of technologies.
Preventsys is an enterprise security management tool that can integrate results from multiple security tools such as ISS, Retina and Nessus, along with feeds from threat advisories, such as critical vulnerability exposures, to provide a comprehensive report on critical vulnerabilities. It also has a tracking system that can maintain a database of users defined by the roles they play in the organization and subsequently assign tasks to users based on specific vulnerabilities.
The frequency of vulnerability scanning must be identified for the various digital asset classes. Highly sensitive and mission-critical systems can be scanned frequently, while systems with lower criticality can be scanned at less frequent intervals.
The assessment phase deals with actual assessment techniques and analysis. Soon after the details of assets, technologies and scanning tools are identified, networks and infrastructure can be scanned, results analyzed and vulnerabilities categorized into high, medium and low levels of criticality.
Filtered scans allow assessments to be conducted without scaling down the defenses of the organization. This gives security staff an idea about the vulnerabilities visible to external attackers and helps prioritize vulnerabilities and their fixes.
In the case of e-commerce applications, the Internet and internal local area network (LAN) require scanning. This exposes vulnerabilities visible to potential attackers and internal users, as the firewall regulating access to an e-commerce application may be effective in blocking any vulnerable services running on the system.
Unfiltered scans can provide a clearer picture of vulnerabilities present on multiple systems. They can be system service vulnerabilities, application buffer overflows, cross-site scripting or other web vulnerabilities. Attackers usually break into a weak link and escalate their privileges. In short, certain vulnerabilities may be much more severe than they appear.
Critical applications require more than a mere vulnerability scan. Penetration tests furnishing a detailed analysis of the security posture will further reveal any unidentified vulnerabilities. Penetration tests are usually conducted using a combination of manual methods and scanners, and are more focused toward breaking security controls present on systems. As penetration testing requires high levels of skill along with a thorough knowledge of security vulnerabilities and exploit coding, these tests can be restricted to an organization's critical infrastructure. Most organizations tend to outsource penetration testing to vendors.
The results from unfiltered and filtered vulnerability scans are analyzed to eliminate false positives. Automated scanners use various techniques, such as banner grabs, to check and compare service version information with the information stored in their database. Sometimes, the scanner correlates this information with the list of vulnerabilities in its database without actually exploiting the vulnerability or even checking if patches have been applied. Incorrect reports may need to be manually corrected to show a final, accurate picture of all vulnerabilities.
Based on the impact of these vulnerabilities, each vulnerability can be rated according to severity levels (high, medium, low), along with the recommended fix. This helps prioritize the resolution of critical vulnerabilities.
Remediation of vulnerabilities needs to be tracked to closure. A final scan can be performed to ensure that vulnerabilities are eliminated.
In most cases, vulnerabilities discovered by automated scanners can be fixed by implementing patches, making patch management a vital component of any enterprise security strategy. A good patch management strategy can identify all patch upgrades required by infrastructure systems and applications. It is imperative that these patches undergo sufficient testing under multiple test environments of enterprise applications before they are applied to critical systems. Vulnerabilities found due to missing patches can be attributed to ineffective patch management processes and can be remedied by appropriate patch application.
Most enterprises have baseline configurations for their technology systems (e.g., a Windows server baseline details administrative access definitions and authentication mechanisms such as NTLMv2, audit events, password complexity, history and required services. Any vulnerabilities not addressed in the baseline configuration require tracking. For instance, when a vulnerability scan discovers the presence of character generation or echo services on Windows, it can lead to a denial-of-service attack. Baselines need to address this threat by making it mandatory for administrators to disable the simple TCP/IP services in Windows. In the absence of corporate guidelines, vulnerability assessments can set a precedent for the establishment of high-quality technology practices.
Compliance to Baselines
Vulnerabilities can also show any noncompliance to existing baseline configurations and policies.
Sometimes, unfiltered scan results can lead to noncompliance in firewall configurations. Filtered scans highlight inconsistencies or noncompliance to technology baselines (e.g., a password of four-character length may be found on a system account, which may be in direct violation of the enterprise's password policy of requiring a minimum of six characters).
Detecting and fixing vulnerabilities do not offer a complete solution. Companies need to continuously monitor and track the latest vulnerabilities and their corresponding fixes.
Business demands determine the installation of new infrastructure and disposal of old systems. A good vulnerability management strategy must take into account all new technologies implemented, including all changes to infrastructure. Organizational configuration management and change management processes need to be closely linked with vulnerability management processes. When newer technologies are implemented, the security team needs to keep a watch on upgrades and patches connected with newer software applications as well. Change management processes ought to address vulnerabilities that arise due to changes in version upgrades or authentication schemes.
Organizations must adopt a proactive approach toward vulnerability management wherein security staff tracks vulnerabilities through security advisories and vulnerability databases. Monitoring underground and full disclosure sites where vulnerabilities can be made available to the public, evaluating how these vulnerabilities can adversely impact the organization, and checking if adequate patches are being deployed to eliminate these vulnerabilities also form an integral part of this methodology. In cases where patches have not been released but vulnerabilities are publicly known, other layered defenses, such as intrusion prevention systems, may be configured to prevent the exploitation of such vulnerabilities.
Umesh Chavan, CISSP
is an information security professional with more than seven years of experience. He is a consultant with i-flex solutions, India, where he works with customers in the banking, finance, securities and insurance domains to strengthen their information security processes. Prior to this he worked with JP Morgan Chase, Larsen & Toubro Infotech Ltd. and CoreObjects. He is a specialist in various security domains, including information risk management and product development. Chavan is an active member of the Open Information System Security Group (OISSG).
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA® and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
© Copyright 2005 by ISACA® Inc., formerly the EDP Auditors Association. All rights res erved. ISCATM Information Systems Control AssociationTM
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA® Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 5, 2005