IPkey.com

information security
 monitoring & management

Information Security Bulletin

March 2004 

Feature Story:
Trust (but verify!) - Part II: Vulnerability Scanning

In the January issue, I described the use of firewall reporting tools to verify that actual Internet activity was in accordance with the IT policies and procedures of your organization.

This concern came about because of the complexity of today's firewall rules, and the fact that many of us are forced to just assume that they are working correctly.  If there were something wrong, we would know about it, right?  Not so, we said.

Part I of this story dealt with using firewall analysis to see accurately what your firewall is doing with existing traffic.  While this is exceptionally useful in reporting 'normal' traffic, it doesn't help you know how your firewall will deal with abnormal traffic.  Rogue traffic can enter your network through open ports on your firewall and consists of denial of service attacks, exploits, intrusion attempts etc.  It's vital to understand how effectively your firewall deals with both expected and unexpected situations.  These two questions are Parts I and II of this 2-part ISB.

Now, there is really only one way to know how effectively any security device is working - you try to break it.  You test it by exposing it (in a controlled environment) to everything that will be thrown at it in the real world.  There are many, many potential ways to 'break' a firewall, each of which can be successful under the right circumstances.  Some exploits work on specific equipment, some on specific  firmware or software versions and some on the configuration.  Indeed, there are hundreds, if not thousands, of possible exploits.

Now, to sit down and try each of these manually would take an enormous amount of time and expense, so along came scripts.  The first people to try and automate this tedious process were hackers.  They wanted to be able to scan large numbers of computers to look for vulnerabilities they could exploit.  Hackers wrote scripts that would do this, and these tools have evolved over time into a very elaborate toolkit. These tools are used today by hackers and commonly downloaded by their imitators, the script kiddies.

Hackers and IT security professionals are always in a cat and mouse game.  The IT pros have to think like a hacker to be able to stop them; just like a cop has to understand the criminal mind.  Fortunately, IT security pros got together and created scripts to perform a similar, but different task.  Instead of looking for a few exploits on a very large number of computers, the pros were much more concerned with testing a very large number of known exploits on just a few machines.  Their interest was in defending these computers from known exploits.  These scripts evolved over  time into the highly sophisticated tools today known as Vulnerability Scanning or VScans. 

Vulnerability Scanning has now evolved into a real-world auditing tool of your computer's and network's exposure to exploits.  These can be hackers, viruses, worms and all kinds of other threats that can compromise and damage your network.  Like viruses, these change and mutate daily, so a key factor is that the scripts and exploits be constantly updated.


Welcome
to the  Information Security Bulletin.  This is your source for the latest practical information you can use to protect your organization's critical information and network services.

Marcus Clarke
ISB Editor

The key benefit of such VScans is that you gain the expertise of literally dozens of security engineers whose function is nothing other than finding and testing new security holes.  They test routers, firewalls, operating systems, applications and sometimes discover new vulnerabilities. For example, check out Qualys' recent discovery of a security hole in Microsoft WINS.

The most common type of  Vulnerability Scan is called a Perimeter Scan. This tests your IT defenses against an attack from the Internet, using commonly known exploits.  It is typically  performed by a third party from a secure server, and takes anywhere from a few minutes to several hours to run.

Another common type of Vulnerability Scan is performed within the firewall. This is called an Intranet Scan.  While this is far more revealing than a Perimeter Scan, it can be more difficult to perform.  The reason for this is that the device that performs the scan must be 'inside' the firewall.

 This requires that you bring in a computer with all the software loaded to perform the scan.  Furthermore, the software needs to be updated to be aware of the latest exploits to test. However, there are better solutions.  The highly rated VScan provider Qualys sells a rugged plug-in device called an Intranet Scanner.  This works in conjunction with their web based service to 'proxy' their remote scanning through an encrypted tunnel to securely scan your internal network.

One of the first things I noticed after performing VScans on internal networks is that servers that I knew to have been patched by Microsoft Windows Update were still testing as being vulnerable to some exploits.  This was quite a shock to me and prompted me to call Qualys.  I asked if they tested for the actual vulnerability, or if they simply tested for the presence of the Microsoft patch that  supposedly fixed the vulnerability.  They assured me that it was the actual vulnerability that was tested.  This clearly left me with no conclusion other than to assume that either the Microsoft Security Updates had not installed correctly, or that they were ineffective even when properly installed.  This is the real value in third party Vulnerability Scanning; you get the truth, good or bad. 

Now after you perform either a Perimeter or Intranet Scan, you get a very comprehensive report.  This ranks vulnerabilities on a scale of 1 (Information) to 5 (Urgent) and provides comprehensive information about each one.  What I really like about the product is that it gives you a hyperlink to whatever fix is available for the issue.  It's almost a one-click-fix!

One question that is often asked is, "Will a scan affect our systems?"  The answer is that a VScan service should be non-intrusive in that it should not impact your normal IT operations.  In fact, the Qualys VScans allow you to 'dial-in' how intensive the testing should be.  Of course, the less intensive it is, the longer it takes.  Personally, I almost always schedule scans for my clients after hours, just in case.

Final Thought

The good news about Vulnerability Scanning is that it's one of the best values in IT security. There is just no excuse not to do it.  A single scan of your firewall can reveal hidden vulnerabilities.  It's also inexpensive enough to do regularly.  A single IP scan costs $45 and can drop to as low as $25 with a 12 pack.  It's our job to find the best values out there and this one is a no-brainer.

What should a Vulnerability Scan Report look like?

The more extensive the testing, the more complex the results will be.  This can result in a lot of data.  That's why it's important for the reports to be well-organized and clear.  View a sample report.  Notice the '+' signs in the section headers that expand the summary data.

You may feel a little overwhelmed the first time you look at one of these reports because there is so much information.  A good product will organize and summarize this detail in an understandable format, and rank the risks of each vulnerability.  It's wise to have a security specialist help at first. What you really want to see in a report is what's wrong, how bad it is and how to fix it.  One feature I look for is a direct link to the vendor for a patch or update that resolves the vulnerability. Another is the ability to track and trend progress over time, including vulnerabilities that have been fixed.
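One way to do the tracking described above, and to catch the case mentioned earlier where a patch is recorded as installed but the host still tests vulnerable. This is an added example, not part of the original bulletin or any vendor's tool; the field names, host addresses, vulnerability IDs, URLs and the patch inventory format are all constructed for illustration.

```python
from collections import namedtuple

# One finding from a scan report. The fields are assumptions for this
# example, not any vendor's report schema. Severity uses the article's
# scale: 1 (Information) through 5 (Urgent).
Finding = namedtuple("Finding", "host vuln_id severity fix_url")

def _worst_first(f):
    return (-f.severity, f.host, f.vuln_id)

def compare_scans(previous, current):
    """Classify findings as fixed, new or persisting between two scans."""
    prev = {(f.host, f.vuln_id): f for f in previous}
    curr = {(f.host, f.vuln_id): f for f in current}
    return {
        "fixed": sorted((prev[k] for k in prev.keys() - curr.keys()), key=_worst_first),
        "new": sorted((curr[k] for k in curr.keys() - prev.keys()), key=_worst_first),
        "persisting": sorted((curr[k] for k in curr.keys() & prev.keys()), key=_worst_first),
    }

def patched_but_vulnerable(current, patch_inventory):
    """Findings still reported on hosts whose inventory says the fix is installed."""
    return [f for f in current if f.vuln_id in patch_inventory.get(f.host, set())]

# Constructed sample data (documentation addresses, made-up IDs and URLs).
PREVIOUS_SCAN = [
    Finding("192.0.2.10", "EXAMPLE-001", 5, "https://vendor.example/fix/001"),
    Finding("192.0.2.10", "EXAMPLE-002", 3, "https://vendor.example/fix/002"),
    Finding("192.0.2.20", "EXAMPLE-003", 1, "https://vendor.example/fix/003"),
]
CURRENT_SCAN = [
    Finding("192.0.2.20", "EXAMPLE-003", 1, "https://vendor.example/fix/003"),
    Finding("192.0.2.20", "EXAMPLE-004", 4, "https://vendor.example/fix/004"),
    Finding("192.0.2.10", "EXAMPLE-001", 5, "https://vendor.example/fix/001"),
]
# Host -> vulnerability IDs whose fix the patch tool records as installed.
PATCH_INVENTORY = {"192.0.2.10": {"EXAMPLE-001", "EXAMPLE-002"}}

if __name__ == "__main__":
    for status, findings in compare_scans(PREVIOUS_SCAN, CURRENT_SCAN).items():
        for f in findings:
            print(f"{status:<10} sev {f.severity}  {f.host}  {f.vuln_id}  {f.fix_url}")
    for f in patched_but_vulnerable(CURRENT_SCAN, PATCH_INVENTORY):
        print(f"CHECK: {f.host} records the fix for {f.vuln_id} but still tests vulnerable")
```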

ISB Takeaway #1:
Doing a Vulnerability Scan is about as exciting as getting your credit report. There may be a problem there you have never heard of, but it's better to know and get it resolved.

ISB Takeaway #2:

New vulnerabilities are found in Windows weekly.  New worms and viruses are unleashed on the Internet daily this year. That's why a critical feature of any Vulnerability Scanning service is at least a daily update of its vulnerability database and the ongoing development of scripts or other tools to test for new vulnerabilities on the target system.

The ISB is a monthly email newsletter published by IPkey.com, your source for affordable information security monitoring and management.  IPkey.com is part of Meridian Group, a New Mexico based corporation serving the IT needs of its clients for 14 years. We encourage you to forward ISB  to your co-workers, colleagues and friends.  To subscribe or unsubscribe to the ISB newsletter, email us at isb@ipkey.com
Past issues of this newsletter are available at IPkey.com ISB Archive

I invite you to call or email me with your questions and comments.  As always we are here to assist you with your Information Security needs.

Next Month:

  Anti-Virus Strategies for 2004

All contents copyright (C) 2003 Meridian Group Inc.