How To Use Qqsguard At The University Of Minneapolis

Transcription

1 Qualys is a vulnerability scanner that is used for critical servers and servers subject to compliance reporting. This scanner is not generally to be used for desktop or laptop scanning. OIT has purchased a limited number of licenses (licensed by IP address scanned) for scanning critical and other important servers. This document provides background and responsibilities for how QualysGuard scanning, mapping and ticket remediation tracking will be used at the University of Minnesota by departments. Qualys maintains more extensive documentation of their product under Help on the QualysGuard Enterprise Suite menu bar. Business Units Large/decentralized units (i.e., OIT) will have a Business Unit and an assigned Business Unit Manager. The Business Unit will be able to run discovery maps and vulnerability scans and run reports on the IP s assigned to their Business Unit. Priority must be given to critical servers and servers subject to compliance reporting. Business Unit Manager Responsibilities (BUM) Define responsibilities of the other unit managers, scanners and readers in your Business Unit. Manage users (other unit managers, scanners and readers) for your Business Unit. This includes set up and deletions. Assign the users to Asset Groups. Identify to University Information Security ( infosecurity@umn.edu) a list of subnets your area is responsible for. This will be used for discovery mapping your section of the network, similar to NMAP. Discovery maps are free. Identify to University Information Security ( infosecurity@umn.edu) a list of IP/IP Ranges for servers that your unit is responsible for scanning. Each IP scanned costs money, avoid scanning IP addresses not assigned to a host. Set up and maintain the list of IP addresses that should be included in the Critical Servers Reporting Asset Group for your Business Unit following the naming convention for Asset Groups using the corresponding Business Impact level 5 (critical). Manage the other Asset Groups that you create to meet your scanning/reporting needs, following the naming convention for Asset Groups. Use the Business Impact level that meets your reporting needs. Discovery map your section of the network at least monthly and review the Map reports for unknown devices. Scan all IP addresses in the Critical Server Reporting Asset Groups monthly. Review open ticket remediation for IP s assigned to your Business Unit or Asset group. Automated ticket generation will be turned on by Asset Group by the Business Unit Manager. In summary, maintain the following: IP addresses in the Critical Servers Reporting Asset Groups Review vulnerability management for servers scanned with priority for the Critical Servers Reporting Asset Groups, see separate document- Qualys Vulnerability Data Review for Audit Reporting. 3/23/2015 Page 1 of 8

2 User accounts for your Business Unit Optional: o Set up additional Remediation Policies for your area. o Set up additional report templates. o Maintain Host Asset Information. University Information Security will use the Function to track Solutionary/Seccuris OneStone Customer # (S- 1511) Critical Servers Reporting Asset Groups: These asset groups should contain the critical servers for your area and be assigned Business Impact=5 (critical). These Asset Groups will be used for reporting vulnerability management to the internal audits department. Critical Servers include: Security Level High or Medium per the Data Security Classification Policy. Naming Conventions Asset Groups: COLLEGE.DEPT.subgroup _??? (???-each area can define) Critical Servers Reporting Asset Groups: o CRITICAL.COLLEGE.DEPT Report Templates: COLLEGE.DEPT.??? (???-each area can define) See attached sheet for naming convention assigned for your unit. Vulnerabilities Qualys uses 3 categories for classifying vulnerabilities (confirmed, potential and information). Within the category, there are 5 levels for vulnerabilities. o Confirmed (red) Security weaknesses verified by an active test o Potential (yellow) Security weaknesses that need manual verification o Information (blue) Configuration data High Risk Vulnerabilities o Required: Fix Confirmed 4 & 5 (red) - must have the high severity vulnerability mitigated (i.e., patching/configuration, other compensating control or documented as a false positive) for internal audits reporting. o Hosts involved in credit card processing must also mitigate all vulnerabilities marked as PCI Failed. o Documentation of the mitigation plan for your high severity vulnerabilities must be in the Qualys Ticket Remediation. Tickets for unmitigated vulnerabilities need to be documented within 30 days of scan. Priorities for Other Vulnerabilities o Recommended: Review Potential 4 & 5 (yellow) and fix, if applicable o Recommended: Review Confirmed 1, 2 & 3 (red) and fix, if applicable o Recommended: Review & assess the risk with the other vulnerabilities and fix if applicable 3/23/2015 Page 2 of 8

3 Additional information on Set Up, Scans, Maps, Ticket Remediation & Reports Asset Groups (See Asset Group Image) o Follow the naming conventions for Asset Groups. o IPs, list all the IP addresses or IP ranges to be included in the Asset Group. o Scanner Appliances, select all listed. o Business/CVSS Information: o Critical Server Asset Groups- change the default Business Impact to 5 (critical). o Other Asset Groups - the information on this tab is optional Asset Group Business/CVSS Information o Division, Function, Location fields and Business Impact can be maintained for each Asset Group by the user creating the Asset Group. o Business Impact must be set to 5 for the Critical Servers Asset Groups. o CVSS Environmental Metric Info is not being used. Host Asset Information o Location, Function and Asset Tag fields are maintained on individual host IP s. o University Information Security will use the Function field to make notations (i.e., S-1511) related to Solutionary/Seccuris OneStone monitoring of an IP. User Accounts o General Information, all fields with an asterisk are required. o User role, select Scanner scan & map IP addresses in your assigned Asset Groups; create & run reports and manage tickets. Reader create & run reports for your assigned Asset Groups and manage tickets Unit Manager same privileges as Scanner with the exception, you manage user accounts for your unit o Asset Group, assign one or more Asset Groups to the user. o Advanced options, displays Permissions and Options tabs. Scans (See Scan Asset Group, Scan Host and Scheduled Scan images) o There are multiple scan policies and options for scheduling scans. Here are the basics. Schedule scan or scan immediately Option Profile: U of M Initial Options (default); PCI scans use Payment Card Industry Options PCI policy can be more aggressive Scanner Appliance: All Scanners in Asset Group; External for scan from outside the U network. 3/23/2015 Page 3 of 8

4 Select an internal scan appliance when listing IP addresses or ranges. If not scanning an entire asset group, the external scanner is used instead of internal. Scan by Asset Group, Select IPs or IP Range o When the scan is completed, users can view the scan report. Ticket Remediation o The main remediation policy will create tickets for all confirmed 4 & 5 vulnerabilities for the IP s in the Critical Servers Reporting Asset Groups. Tickets will be assigned to the user running the scan. Deadline date for determining overdue tickets will be 30 days. o Business Units can set up additional remediation policies for their area. Reports o Technical Report- Select Asset Group or IP Results as of the last scan Includes all vulnerabilities (confirmed, potential, info.) at all levels (1-5) Details on how to fix Very large report o Technical Report-Select Scan Results Results from a specific scan Includes all vulnerabilities (confirmed, potential, info.) at all levels (1-5) Details on how to fix Very large report o UMN-Summary Report Results as of the last scan Includes all vulnerabilities (confirmed, potential, info) at all levels (1-5) No detail on how to fix o UMN-High Severity Report Results as of the last scan Includes confirmed vulnerabilities at levels 4 & 5 Details on how to fix o UMN-High Severity Summary Report OIT Sec Reporting Results as of the last scan Includes confirmed vulnerabilities at levels 4 & 5 Sorted by vulnerability and lists the vulnerable hosts No detail on how to fix Maps o Similar to nmap o There are multiple discovery map policies and options for scheduling scans. Here are the basics. Schedule map or map immediately Option Profile: University of Minnesota Initial Options (default) 3/23/2015 Page 4 of 8

5 Scanner Appliance: All Scanners in Asset Group; External for scan from outside the U network Map by Asset Group, Select IPs or IP Range o When the map is completed, users can view the map report. 3/23/2015 Page 5 of 8

6 Images Asset Group 3/23/2015 Page 6 of 8

7 Scan Asset Group Scan Host 3/23/2015 Page 7 of 8

8 Scheduled Scan 3/23/2015 Page 8 of 8