The Top 10 Reports for Managing Vulnerabilities

Transcription

1 guide: The Top 10 Reports for Managing Vulnerabilities Top 10 Reports #1 Network Perimeter Map Report #2 Unknown Internal Devices Report #3 SANS Top 20 Vulnerabilities Report #4 25 Most Vulnerable Hosts Report #5 High Severity Technical Report #6 Web Application Scan Report #7 Vulnerability Trend Report #8 Risk Analysis Report #9 Open Tickets Report #10 Executive Review - Remediation Report

2 page 2 Introduction Most of us don t think twice as we sweep the perimeter of our homes before retiring at night or leaving for work in the morning. Why would we want anything less for the security of our networks and systems? An open door, unlocked window, or our keys lying on top of the front door mat these all represent openings for criminals (or even neighbors we know) to unravel the security fabric in our lives. In our IT infrastructure, open ports, available wireless access points and unpatched servers may result in the theft or compromise of critical customer data, along with the disruption of business operations. While we often can manage the vulnerabilities around our homes by spending a few minutes checking locks, etc., the task is much more difficult in a distributed organization with tens or hundreds of thousands of networked devices. Vulnerabilities in the IT infrastructure environment consist of the software flaws and configuration errors that are present in servers, desktops, notebooks, routers, wireless access points, networked printers and any other device with an IP address. The key benefits and advantages in implementing a lifecycle approach to vulnerability management are the increased protection across your environment before attacks occur and the documented assurance that your networks (internal and external) are safe. The increased levels of security assure the continuity of business across employees, customers and partners. Effective vulnerability management also serves to communicate the levels of IT risk to line-of-business owners and executives. IT administrators and operational staff are able to resolve problems more quickly and accurately. The reality today is that new vulnerabilities appear constantly and the ability to handle new flaws and misconfigurations requires an automated workflow and reporting structure. Pouring over extensive lists of raw vulnerability data is of limited worth when trying to measure security levels. Instead, concise reports containing the severity and business criticality of vulnerabilities and IT assets are required. Further, these allow access to proven remediation approaches and solutions. Security information needs to be collected, customized and presented to company management, auditors and regulators, in addition to security professionals and system administrators. The audience for this paper includes security professionals and managers, systems and network administrators, IT operations staff and others who must document, review and resolve vulnerable networks. Out of literally hundreds of different vulnerability management reports available, this paper introduces 10 of the most important reports and uses reports generated by Qualys vulnerability management solution, QualysGuard, for reference purposes. The reports are organized across the four key steps in the vulnerability management lifecycle shown below. Asset Discovery and Inventory Reports Asset Discovery and Inventory Build and maintain an up-to-date repository of IT asset information, including business impact and asset groupings. Vulnerability Assessment Test and document the effectiveness of both security policies and controls. Analysis and Correlation Add business intelligence through graphing, trending and understanding the relationships between vulnerabilities and asset types. Remediation and Verification Prioritize and resolve the vulnerability issues that are found and retest the assets for proof of correctness.

3 page 3 Asset Discovery and Inventory Reports The first step in the quest for managing vulnerabilities is to find where they exist. But even before that is achieved, an up-to-date repository of assets must be built and maintained. This repository will include all hosts or devices with an IP address. The type of information populated in the repository includes hardware, software, applications, services and configurations. QualysGuard gathers all this information in a two step process. The first step is network mapping, which identifies which hosts are live. The result is an accurate baseline of all connected devices, be they servers, destops, notebooks, routers, wireless access points, etc. After mapping, the second phase is initiated. This consists of powerful scans which gather additional information to round out the asset inventory. It s also important to determine the business impact for each asset. Business impact simply means the value a particular device has in relation to all others. All assets are not created equal; a test machine with individual access in a back room carries less risk of business interruption than a server with financial projections or personally identifiable information. Having current and accurate asset inventory information allows for greater accuracy when identifying which assets are impacted by a particular vulnerability. It reduces the time spent performing vulnerability scans as the vulnerability checks themselves are applied only on those devices where they may exist. The number of false positives (defined as reporting a vulnerability where one does not exist) is reduced by eliminating the unrealistic case of a Windows server reporting a vulnerability only found on Linux operating systems. Another benefit is in the remediation process. Efforts there will be more efficient when patches and fixes are applied to corresponding assets. While smaller organizations with Class C sized networks (up to 256 devices) may find they can complete the task of accounting for all devices attached to their network manually, this same approach will quickly spiral out of control when the networks total 10,000, 50,000 or 100,000+ devices across multiple subnets. The most time consuming task, however, lies in the appropriate classification of the assets once they have been identified. Since this is so arduous, companies without automation must decide which segment or subset of their assets to classify, often leaving out critical devices. Systems and networks are dynamic, they change and must be revisited. Rogue devices may added to the network without permissions and must be dealt with appropriately.

4 page 4 #1 Network Perimeter Map The Network Perimeter Map provides a view into the topology of your network for reference and documentation, by developing a baseline of each connected device. With each asset properly identified, users of QualysGuard may group them in any way they desire; by business unit, geography, platform, etc. These classifications are called asset groups. An asset may exist in multiple asset groups. Once discovered, a new device may be added to an existing asset group or a new asset group may be created. QualysGuard maps can be viewed in either graphical or text format. They show any device with an IP address that has been discovered; externally, or internally using an appliance. From within this report, users can drill down on a particular asset and view its detailed attributes, including what discovery method was used (DNS, ICMP, TCP, UDP or others), the domain name, the operating system and whether the asset may be scanned for vulnerabilities. Administrators can also initiate either on demand or scheduled scans for security assessments against specific asset groups. Figure 1: QualysGuard Network Perimeter Map

5 page 5 #2 Unknown Internal Devices This report lists all discovered devices which have not been approved by a company administrator. QualysGuard can detect rogue devices, including virtual hosts that could have possibly been placed on your network. This is important information to have when security administrators are reviewing the network to clean up and eliminate devices placed on the network for malicious purposes or simply those that pose additional risk because of missing patches, unwanted services, etc. This report should be run on daily basis to ensure maximum protection levels are upheld. Once discovered, scans are necessary to investigate the origin of these unknown devices. Lastly, the proper precautions must be taken to prevent further exposure from occurring. Figure 2: Unknown Devices Report Map Template Let s have a look at two screenshots involved in generating an Unknown Device Report. Figure 2 shows the map report template used to generate the actual report. Note the filter options which include multiple Host Types to include. Only Rogue host type is selected for this particular report. It should be noted that the column A is empty in Figure 3. A stands for Approved. In this case, all of the devices in this report have yet to be approved by a systems administrator. Figure 3: Unknown Devices Report Results

6 page 6 Vulnerability Assessment Reports Vulnerability assessment is the process of testing and documenting the effectiveness of both security policies and controls, by examining the network infrastructure for known bads. The assessments are performed across network devices and host systems, as well as the services and applications that run on top of them. Scan reports will show what vulnerabilities are present and where they are located, in order to direct administrators towards what needs fixing and in what priority order. This is the cornerstone for effective vulnerability management because this process identifies and communicates the software flaws, missing patches and misconfigurations that exist and pose security risks. In scanning live hosts, the mapping generated from the asset discovery step will be used. Asset discovery is the prelude to asset classifications, or groupings, which are further defined by business impact ratings. The severity assigned to each vulnerability will also be used to differentiate the flaws which present the highest danger of exposure. Included in the scan results is information describing the properties of the vulnerability, such as the impact, the type of device made vulnerable, cross references to external vulnerability classification systems (e.g. Bugtraq, CVSS, CVE) and links to other information sources. Also, solution recommendations are included to fix the exposure.

7 page 7 #3 SANS Top20 Vulnerabilities The third report in our Top 10 list is the SANS Top 20. In June, 2000, the SANS Institute, along with the FBI s National Infrastructure Protection Center, began publishing a list of the most critical internet security vulnerabilities. The SANS Institute is a trusted source for information security training, certification and research. This list was quickly adopted by organizations worldwide as a standard guide for understanding and assessing for the most dangerous areas of exposures. The list is a consensus of the flaws that require immediate attention, and is developed by leading security experts from multiple countries across the globe. Nearly every year since its beginning, SANS has updated the list to reflect the changes in threat vectors, noting the recent rise in client side, anti-virus and web application vulnerabilities. Figure 4: SANS Top 20 Report with Summary Vulnerability information The QualysGuard SANS Top 20 Report shows the results of vulnerability scans derived from the SANS list. Figure 4 shows the total vulnerabilities found in this assessment, along with the average security risk score. Also note that Qualys offers a SANS Top 20 Scan at no charge to organizations who wish to register: More detail into the specific SANS vulnerabilities that have been identified through the scan is present in Figure 5. This detail includes descriptions, impact and recommended solution. Figure 5: SANS Top 20 Report with Detailed Vulnerability information

8 page 8 #4 25 Most Vulnerable Hosts Across any organization, there are those systems that are in worse shape than others. Having a current listing of the hosts with the most critical flaws helps direct the efforts to resolve these issues and lowers the risk to the organization. QualysGuard delivers a ranking - beginning with the most vulnerable asset based upon the security risk of the assets. QualysGuard determines the security risk from the number and severity of vulnerabilities found during the last scan of each host. Vulnerabilities are weighted on a scale of 1 to 5, with 5 being the most severe. The business risk not only considers the security risk, but also factors in the business impact value placed on the asset. These business asset values are either Critical, High, Medium, Minor or Low. The 25 Most Vulnerable Hosts Report, as shown in Figure 6, lists those assets with the highest number of Severity 4 and 5 vulnerabilities. The hosts are listed in order beginning with the most vulnerable. The report details the number of Severity 4 and 5 vulnerabilities, the business risk and security risk ratings, and also all the asset groups associated with that host. Figure 6: 25 Most Vulnerable Hosts Report

9 page 9 #5 High Severity Technical Report Whenever full vulnerability reports are generated, there is a lot of information produced for each asset. While valuable, all this information takes time to digest. In some instances, time is of the essence and it is critical to quickly identify and resolve the most dangerous areas of exposure. In these cases, only the highest priority issues are able to garner scarce remediation resources, so only the most severe vulnerabilities are included here. This report presents information about the vulnerabilities with high severity levels only (4 and 5). As seen in Figure 7, only Level 4 and 5 vulnerabilities are listed. The report template filters out all vulnerabilities with severity rankings below Level 4, as well as all potential vulnerabilities (defined as those that cannot be fully verified) and those vulnerabilities categorized as information only. Figure 7: High Severity Report Summary Each high severity vulnerability may be viewed in depth for more specific information. This information includes the name, the date first detected and last detected, the port it where it was discovered, the vulnerability identifier, category, and last update, plus other details. It also lists the status (new, active, ignore, etc.). Figure 8 is an example of this detailed information for a Level 5 Microsoft IIS vulnerability with a status of New. Figure 8: High Severity Vulnerability Details

10 page 10 #6 Web Application Scan According to the SANS website at the number of vulnerabilities discovered in open source and custom web applications has grown to account for almost 50% of all vulnerabilities now discovered. The danger here manifests itself when trusted sites are transformed into masked areas used for phishing and other scams. Some of the web application vulnerabilities important to identify and remediate are cross site scripting, SQL injection and remote code execution. As a result, regularly scanning your Web applications is critical IT security component. As web application vulnerabilities are code related, frequent testing should occur during the development of applications as well as their actual deployment. Figure 9 shows how Web Application security threats can be proactively identified to prevent compromise. Figure 9: Web Application Scan Results

11 page 11 Analysis and Correlation Reports After asset information has been gathered and vulnerabilities have been identified, further analysis is often necessary to provide more insight into the security information. This is made feasible through the use of automated solutions to collect, store, compute and present the information through multiple views and in graphical formats. The vulnerability and asset information is kept in a repository where analytical engines can process it further. Examples of this advanced processing include presenting trends in vulnerabilities over time, and correlating known properties of a vulnerability (operating system, ports, services) with those of devices to see which are at highest risk for the presence of a specific vulnerability. As IT operations, systems administration and security move closer together for the goal of improved operational performance, it s critical for these groups to share information and workflows. For example, IT operations (support staff, help desk personnel) can assist with remediation tasks such as system patching if they have the necessary information about what systems are affected and what software to deploy. This information, along with an assigned individual responsible for action and a date for completion, is summarized in trouble tickets created by QualysGuard. This trouble ticketing helps ensure the timely and proper follow-up to vulnerability and configuration issues, while coordinating the smooth integration of efforts across IT groups. The QualysGuard analysis capability extends into areas such as reviewing the length of time trouble tickets remain open, the number of open trouble tickets in total and by severity, the vulnerabilities by status and severity, and changes in the business risk of asset groups over time. Correlating the severity of a vulnerability with the business value of an asset is important when determining which systems need immediate remediation. This approach results in a better use of resources than one where the most severe vulnerabilities are all resolved concurrently, regardless of whether a machine is used in a test bed or in a live production environment. In addition to the Analysis and Correlation Reports shown here, executive dashboards are a way to view business intelligence and trend results. As long as the dashboards are current and adaptable to changing requirements, they provide at-a-glance insight into a company s vulnerability and risk posture. Dashboards can easily track how long it takes to patch vulnerable systems, for example, or which servers consistently underperform relative to security policy. This aids managers in their understanding of how IT risk is being managed by security and administration teams.

12 page 12 #7 Vulnerability Trend Report The vulnerability trend report is based upon a specific time period (established by the user) and displays the trends, increasing or decreasing, of vulnerabilities by severity and across categories (types of assets). As with all QualysGuard reports, permissions to create and view the Vulnerability Trend Report is controlled by the user account settings. In Figure 10 below, the trend report was configured for a four month analysis. Another section of the Vulnerability Trend Report (shown in Figure 11), graphs the changes in business risk by asset group over time. QualysGuard allows you to create as many groups as you like and group assets into specific business units in any way desired (by geography, by function, by platform, etc.). Figure 10: Vulnerability Trend Summary Figure 12 shows two more trending graphs for vulnerabilities found by QualysGuard scans. Users have the flexibility to customize graph formats (pie charts, bar charts, etc.). In the Vulnerabilities by Severity over Time graph, the total number of vulnerabilities has decreased from June to September. This was lead by a drop in the Severity 1, 4 and 5 vulnerabilities, which offset a rise in the Severity 2 and 3 vulnerabilities during this time. Figure 11: Vulnerability Trend Business Risk Graph Figure 12: Vulnerability Trending by Severity and Status

13 page 13 #8 Risk Analysis Report This report may be run prior to an actual vulnerability scan. The user directs a vulnerability to be correlated with the attributes of a specified host or asset group. Analysis is performed to determine the exposure level this asset contains. The more matches the vulnerability has with the asset, across attributes such as operating system, ports and services, the higher the risk level. The Risk Analysis Report identifies the hosts that are likely exposed to the specified vulnerability. By comparing vulnerability exploit data to known information from past scans, QualysGuard is able to determine whether hosts are likely to be at risk to a new vulnerability - even before a scan is launched! For example, if you receive new information on Microsoft s Patch Tuesday, but cannot scan before the week-end to assess your environment, this report will deliver probabilities on which hosts will be most impacted in the interim. This information can then be used to develop an emergency action plan to protect you until full scanning and patching occurs. Figure 13: Risk Analysis Report

14 page 14 Remediation and Validation Reports Of course, it s not enough to simply identify the vulnerabilities or track their growth. The bottom line in the vulnerability management lifecycle is more results oriented to resolve the causes of those software flaws or configuration errors. At this point is where remediation comes into primary focus. Even when new patches are available, there may be a delay in applying them due to the time required for implementation, or fears about the potential impact to the availability and performance of IT assets. An example of this behavior is found in the Conficker Worm. The Conficker Worm exploits the MS08-67 vulnerability in the Microsoft Windows Server Service. Even though Microsoft released the patch for MS08-67 in October, 2008, the number of PCs infected since that time is estimated to be in the range of 5 to 10 million, primarily on corporate and government computers. Coordination of remediation efforts, often by using an automated trouble ticketing system, helps organizations proactively manage what needs to be fixed, and by whom. Automated notifications and reports allow for the workflow required to keep remediation tasks on target and prevent gaps in protection. The prioritization by business impact ensures the most valuable systems are addressed first. Less critical assets then may be handled on regularly scheduled dates, such as a monthly patch or configuration change cycle. After patching or implementing other configuration changes, rescanning IP addresses is necessary to ensure the fix is complete and no other issues have been created as a result of the change. Accurate and timely reporting is important at this stage because remediation tasks are often performed by a different team than the security group which identified the exposure. IT security will most likely perform the scan. Then, systems administrators or IT operations staff (helpdesk, support) will implement the fix. Remediation and validation reports are useful to achieve better understanding of how quickly and thoroughly your organization responds and resolves security issues. When results are less than desired, improvements in the incident management process can be made.

15 page 15 #9 Open Tickets Report The QualysGuard native ticketing and remediation functions ensure outstanding issues are scheduled for completion and vulnerabilities are resolved before further damage is done. Each vulnerability is individually tracked until it is fixed. This automated remediation and trouble ticketing workflow generates tickets base on policy rules. These rules define specific criteria that trigger response actions when met. For example, a rule can be created such that a trouble ticket is opened whenever a Level 4 or 5 vulnerability is identified. The rule will establish the assigned individual, let s say the administrator who ran the scan, and the time period (perhaps two days) for remediation. The ninth report in our Top 10 list is the Open Tickets. As seen below in Figure 14, this lists the tickets and may be sorted by ticket number, status, due date or others. Each ticket is assigned a unique number with general information, vulnerability details, remediation history and required actions. Each ticket owner is also listed. Viewers of this report have the option of drilling down into the report to gain additional information associated with the ticket, such as its history. Figure 14: Open Tickets Report QualysGuard further aids in the remediation process by delivering automated ticket notification s. These notifications are sent to each user who has open trouble tickets assigned to them. The ticket statistics in the notification include the number of open tickets which are overdue (those past the scheduled resolution date) and the number which are not overdue, the tickets resolved and the tickets closed. A QualysGuard hyperlink is also included for recipients to easily click and check on the details of their assigned tickets.

16 page 16 #10 Executive Review Remediation Report In addition to providing the detail by user of the status of open tickets, QualysGuard also makes available summary levels for reviewing trouble tickets. Users select which asset groups and which users to include in the report settings. Figure 15 below is an example of the trouble ticket statistics presented; you see not only the number of tickets resolved and still open (by severity level), but also view the number overdue and the average time in days for ticket resolution. These statistics are very useful when assessing the performance of the groups involved in vulnerability resolution, and deliver metrics to gauge improvements made over time. Figure 15: Remediation Report Tickets by Severity and Open Tickets Figure 16 shows more ticket trending information in graphical format. These statistics are often required for weekly status meetings, presentations to management and to demonstrate achievement in Service Level Agreements (SLAs). You can see here the drastic increase in the number of open (and closed) tickets during the last week of this report, alerting executives at-a-glance to the increased activity. Figure 16: Remediation Report Aggregate Ticket Changes

17 page 17 Summary So there you have it the Top 10 Reports for Managing Vulnerabilities. By looking across the complete lifecycle of vulnerability management, starting with asset discovery and ending with remediation and verification, the breadth and depth of the information to be gathered, analyzed, stored and communicated is seen in full force. This is what makes true vulnerability management different that just vulnerability scanning. And this lifecycle approach, along with well defined and customizable reporting, is what sets Qualys apart. By providing easy to understand reports, such as the Network Perimeter Map, the SANS Top 20 Report, the High Severity Technical Report and the Remediation Report, QualysGuard delivers thorough overviews to executives along with the detailed breakdown and analysis for IT security, systems administration and IT operations. By combining hosts into asset groups, assigning business impact weightings and calculating Security Risk and Business Risk metrics, QualysGuard provides a solution that is quick to deploy and easy to use, resulting in increased security posture and compliance with regulatory and standards requirements. USA Qualys, Inc Bridge Parkway, Redwood Shores, CA T: 1 (650) sales@qualys.com UK Qualys, Ltd. Beechwood House, 2nd Floor, 10 Windsor Road, Slough, Berkshire, SL1 2EJ T: +44 (0) Germany Qualys GmbH München Airport, Terminalstrasse Mitte 18, München T: +49 (0) France Qualys Technologies Maison de la Défense, 7 Place de la Défense, Courbevoie T: +33 (0) Japan Qualys Japan K.K. Pacific Century Place 8F, Marunouchi, Chiyoda-ku, Tokyo T: United Arab Emirates Qualys FZE P.O Box 10559, Ras Al Khaimah, United Arab Emirates T: China Qualys Hong Kong Ltd. Suite 1901, Tower B, TYG Center, C2 North Rd, East Third Ring Rd, Chaoyang District, Beijing T: Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 09/09