Vulnerability Audit: Why a Vulnerability Scan Isn t Enough. White Paper

Transcription

1 Vulnerability Audit: Why a Vulnerability Scan Isn t Enough White Paper May 10, 2005

2 TABLE OF CONTENTS Introduction: How Secure Are My Systems?... 3 Vulnerability: The Modern Meaning Of A Muddled Word... 4 Vulnerability Audits: How To Assess Your Actual Security Posture... 4 Reporting The Results Of A Vulnerability Audit: More Than Just A List!... 4 System-Based Vulnerability Audits Versus Network-Based Scans... 4 What A Vulnerability Audit Provides That A Traditional Vulnerability Scan Lacks... 5 Agentless Or Agent-Based Vulnerability Audits For Maximum Flexibility And Minimum Invasiveness... 6 Vulnerability Audit And Beyond: Evolving To A Full Audit & Compliance Solution... 6 Conclusion... 6 More Information > 2

3 INTRODUCTION: HOW SECURE ARE MY SYSTEMS? In today s world of computing with increased threats and vulnerabilities to your systems, it is essential to have an answer to the question How secure are my systems? To get this answer requires a complete system security assessment. Such an assessment must include all seven of the critical security areas. The seven areas of system security include the following: Antivirus status Security patches Industry-known vulnerabilities Personal firewall status System security configuration settings Unauthorized software Unauthorized hardware Each of the seven areas of system security is important in every enterprise environment, and every one must be addressed. A failure to assess any of the seven areas can result in security weaknesses that may be exploited. > 3

4 VULNERABILITY: THE MODERN MEANING OF A MUDDLED WORD An important ongoing trend in the IT security industry has been the evolution of the definition of the word vulnerability. No longer can vulnerabilities be defined as the result of a system vulnerability scan it is not enough. Deviation from good practice or company system security policy in any of the seven areas must be considered a vulnerability. Traditional vulnerability scanners cannot cover all seven system security areas since they operate at the network level, only probing for low level network responses. While this addresses the weaknesses exploited by worms, this does not address many issues exploited by Trojans, or simple local exploits such as weak passwords, storage devices, improper configurations, etc. Since traditional vulnerability scanners do not cover all the areas that should be considered vulnerabilities, they are inadequate for today s needs. The only way to ensure that your system is free of vulnerabilities is to perform a Vulnerability Audit that aligns with your IT system security goals. VULNERABILITY AUDITS: HOW TO ASSESS YOUR ACTUAL SECURITY POSTURE A Vulnerability Audit by definition is an audit that discovers potential vulnerabilities in your systems so that you may determine your security posture and where you are at risk or vulnerable. For most organizations, auditing against anything less than all seven system security areas leaves gaps under which your systems are vulnerable. Performing a Vulnerability Audit will help you answer the question How secure are my systems? REPORTING THE RESULTS OF A VULNERABILITY AUDIT: MORE THAN JUST A LIST! Assessing system security postures requires the ability to not only perform a Vulnerability Audit of the systems but also the ability to easily view the results of the audit. Traditionally, vulnerability scanners have been lacking in the reporting arena, merely dumping out a list of vulnerabilities that exist. A Vulnerability Audit solution should provide concise reporting that summarizes the results of a Vulnerability Audit, as well as detailed reporting that provides all of the information necessary to remediate any vulnerabilities and misconfigurations. In addition, it is necessary to demonstrate progress via trending and summary reports of multiple audits. It should be very easy to get the results that allow you to answer the question How secure are my systems? Ideally, a Vulnerability Audit tool will also allow you the flexibility to view the results of your audits in such a way that matches how all of the individuals within your organization prefer to work. In some instances it will be necessary to drill-down, or interactively browse, the audit data by system to isolate every vulnerability on that system. Other times it will be necessary to browse the data by vulnerability, so that an operations team may remediate said vulnerabilities across all affected systems. A Vulnerability Audit solution should provide the flexibility to browse the audit results either way. SYSTEM-BASED VULNERABILITY AUDITS VERSUS NETWORK-BASED SCANS System-based Vulnerability Audits audit systems to determine if vulnerabilities exist, as defined above by the seven areas of system security. Vulnerability Audits are system-based. They examine a system for vulnerability signatures, system configuration settings, patch status, registry keys, DLLs, unauthorized (and required) software and hardware, personal firewall status, and antivirus software status, including version and virus definition updates. This gives a view into each of the system endpoints on the network. > 4

5 A traditional network-based vulnerability provides a hacker s eye view from a single point on the network. Since some of the tests used may attempt to exploit a vulnerability, or connect to every port on each system. Such a scan can put systems at risk, overload a network, or light up IDS in the environment. Exploiting systems in this way not only puts them at risk but also makes it impossible to run a full scan of all of systems without putting production systems at risk, which is why traditional vulnerability scanners also have a safe mode which has less risk, but is much less effective. WHAT A VULNERABILITY AUDIT PROVIDES THAT A TRADITIONAL VULNERABILITY SCAN LACKS Other advantages of a Vulnerability Audit over a traditional, limited vulnerability scan are an assessment of your system s overall security posture. Information that can not be retrieved using a traditional vulnerability scanner includes many local system security configuration settings (minimum password length, locking screensaver configurations and time-outs, etc.), unauthorized hardware and software, antivirus software and signature status, personal firewall status, and operating system security patch status. See the chart below for some additional detail on the differences between a Vulnerability Audit and vulnerability scanners with and without credentials. AuditExpress Vulnerability Scanner without Credentials Vulnerability Scanner with Credentials Desktops, Laptops, Servers All IP Addresses Antivirus Software Status OS Security Patches Vulnerabilities Personal Firewall Status ~600 most recent and relevant Thousands Thousands Basic Security Configuration Settings Installed Software Installed Hardware Key: Full Coverage Partial Coverage, generally as related to specific vulnerability signatures > 5

6 AGENTLESS OR AGENT-BASED VULNERABILITY AUDITS FOR MAXIMUM FLEXIBILITY AND MINIMUM INVASIVENESS To be flexible enough for any environment, Vulnerability Audits should be able to be performed agentlessly or agent-based wherever possible. An agentless Vulnerability Audit ensures that there is no third party software on the system that may interfere with other applications or services. In addition, the lack of the need to deploy an agent means less to worry about managing. An agentless Vulnerability Audit should have the same depth and breadth of coverage that an agent-based solution has. In addition, agents should be available where required by the system architecture. VULNERABILITY AUDIT AND BEYOND: EVOLVING TO A FULL AUDIT & COMPLIANCE SOLUTION Another benefit of a true Vulnerability Audit solution over traditional vulnerability scanners is that there is a clear path to evolve to a system security best practice configuration Audit and Compliance solution. A configured Vulnerability Audit of the seven critical IT system security areas is the basic underpinning and a company s first step to creating a complete best practice based system security configuration policy. The Vulnerability Audit is the first step in fully understanding and assessing your systems security posture including antivirus status, security patches, industry-known vulnerabilities, personal firewall status, system security configuration settings, unauthorized software, and unauthorized hardware. Once an organization evolves to the point of requiring audits against a best practice system security policy such as those recommended by NSA, NIST, CIS or Microsoft, whether it be for regulatory reasons or simply because it is the right thing to do to secure the enterprise, there should be a clear upgrade path. The work you have done in defining and assessing your systems during a Vulnerability Audit should be reusable and directly translatable into the framework of a full Audit and Compliance Solution. CONCLUSION In order to answer the question How secure are my systems? you must ensure that all seven areas of system security are assessed. A Vulnerability Audit of your desktop, laptop, and server systems is required to thoroughly demonstrate and document the baseline security of your systems in all seven critical system security areas. > 6

7 MORE INFORMATION For more information on Altiris Security Management solutions visit the following link: Altiris website: > 7