How To Manage A System Vulnerability Management Program

Transcription

1 System Vulnerability Management Definitions White Paper October 12, Altiris Inc. All rights reserved.

2 ABOUT ALTIRIS Altiris, Inc. is a pioneer of IT lifecycle management software that allows IT organizations to easily manage desktops, notebooks, thin clients, handhelds, industry-standard servers, and heterogeneous software including Windows, Linux, and UNIX. Altiris automates and simplifies IT projects throughout the life of an asset to reduce the cost and complexity of management. Altiris client and mobile, server, and asset management solutions natively integrate via a common Web-based console and repository. For more information, visit NOTICE The content in this document represents the current view of Altiris as of the date of publication. Because Altiris responds continually to changing market conditions, this document should not be interpreted as a commitment on the part of Altiris. Altiris cannot guarantee the accuracy of any information presented after the date of publication. Copyright 2005, Altiris, Inc. All rights reserved. Altiris, Inc. 588 West 400 South Lindon, UT Phone: (801) Fax: (801) BootWorks U.S. Patent No. 5,764,593. RapiDeploy U.S. Patent No. 6,144,992. Altiris, BootWorks, Inventory Solution, PC Transplant, RapiDeploy, and RapidInstall are registered trademarks of Altiris, Inc. in the United States. Carbon Copy is a registered trademark licensed to Altiris, Inc. in the United States and a registered trademark of Altiris, Inc. in other countries. Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other brands and names are the property of their respective owners. Information in this document is subject to change without notice. For the latest documentation, visit

3 CONTENTS System Vulnerability Management... 1 Patching 1 Vulnerability Scanner 1 Vulnerability Remediation 1 System Security Audit and Compliance 2 Antivirus status 2 Proactive policy checking against a modified or customized NSA, NIST, CIS policy 2 Security patches 2 Authorized software 2 Authorized hardware 2 Personal firewalls 3 Network Access Control 3 Summary

4

5 SYSTEM VULNERABILITY MANAGEMENT The category of System Vulnerability Management is a broad category that contains both proactive and reactive system security components, each of which solves a particular problem. These components include: Patching Vulnerability scanning Vulnerability remediation System security audit and compliance Network access control Patching Patching products are typically used by IT operations staff to identify and apply key missing patches for operational and security issues. Operational issues could be considered memory leaks, bugs that crash systems, and so on. Security patches usually eliminate a defect in an operating system or an application that could allow a hacker or unauthorized user to tamper with or steal valuable information or data. They often do this by either planting a worm or another such element that can affect an entire network or allow an outsider to take control of a system in order to gain access to the network. Vulnerability Scanner Vulnerability scanners attack all IP addresses, mostly at the network layer, in order to find industry known vulnerabilities. Industry known vulnerabilities are collected in public depositories such as BUGTAQ, CVE, and so on. Vulnerability scanners can be intrusive as they try to exploit the vulnerabilities. Some vulnerability scanners can also look at lower-level system configuration settings. Vulnerability Remediation Most industry known vulnerabilities are eliminated either by applying the appropriate patch or by changing a system configuration. However, vulnerability scanners do not remediate. Most remediation occurs by using a patching product that applies the appropriate patch that eliminates key vulnerabilities. Some products will take in the results of a vulnerability scanner and tie the vulnerability to the appropriate patch or configuration setting. They will then apply the patch or make the appropriate configuration change. Vulnerability remediation is typically owned by IT operations. System Vulnerability Management Definitions > 1

6 System Security Audit and Compliance The security teams, under varying regulations, are required to determine a proactive system security stance. This includes a policy of how all systems should be configured from a security stand point. A complete audit and compliance program has the security team auditing the systems against the proactive system security policy and then reporting to operations where systems are out of compliance. The operations team then brings these systems into compliance. Most security teams begin with an industry best-practices policy from leading organizations such as the National Security Agency (NSA), National Institute of Standards (NIST), Center for Internet Security (CIS), SANS, Microsoft, IBM, and many others. Audit and compliance tools are also used to audit against DISA, the U.S. Army, and other DOD STIGS as outlined in the Security Technical Information Guide. Many of these policies include hundreds of system configuration settings such as: user and group setup, system audit settings, privileges, rights, password lengths, password aging, registry settings, registry keys, and hundreds of others. Audit and compliance tools audit the seven key audit areas: Antivirus status Check if antivirus software is on, if the latest version is installed with the latest definitions, and so on. Proactive policy checking against a modified or customized NSA, NIST, CIS policy Check for all system settings against the proactive system security policy. Security patches Check to verify that the operations teams have deployed all major security patches as a check and balance to the patch product used to deploy the software patch. Authorized software Check that only authorized software is present and that unauthorized software such as public instant messenger, Kazaa, MP3 players, keyboard access products, and so on are not present. Authorized hardware Check that only authorized hardware is present and that unauthorized hardware such as modems with auto answer on, enabled USB hard drives, wireless NIC cards, and so on are not present. 2 < System Vulnerability Management Definitions

7 Personal firewalls Check to see if personal firewalls are operational. Network Access Control Many notebook computer users are ad hoc users who periodically gain access to the network. These users consist of a mobile workforce, partners, suppliers, contractors, and so on. If their systems are infected with a worm or a virus, then once they are connected to the network it takes merely seconds for the infection to spread. Therefore, new generation network edge audit tools place systems in quarantine or a safe zone, audit for the presence of updated antivirus and security patches, and either allow or not allow systems onto the network based on the audit results. This is also called scan and block or enforcement. System Vulnerability Management Definitions > 3

8 SUMMARY 4 < System Vulnerability Management Definitions