Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise




1. Introduction

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Enterprises need to protect a huge amount of critical information assets from misuse or corruption. In their effort to protect these assets, they struggle to keep up with the ever-increasing number of known security vulnerabilities. What happens when they suffer from a lack of internal security skills but they need to:

Ensure that security controls are working?
Monitor and record system administrator activity?
Detect unauthorized system changes?

To make matters worse, large enterprises are experiencing an ever-increasing burden of regulation and legislation against which they have to demonstrate compliance. There are several international security standards that they need to comply with, for example PCI DSS or ISO 27001.

In use by hundreds of major financial, telecoms, pharmaceutical, federal, defense and other commercial enterprises around the world, Assuria Auditor has been providing vital protection for critical information assets by protecting business servers since the late 1990s. As a critical element of the security infrastructure for these organizations, Assuria Auditor is a market leader in countering the insider threat to business integrity.

Assuria Auditor measures and manages server security policies and configurations using a host-to-network view of critical systems and servers, assessing host security, detecting and reporting system security weaknesses, recommending corrections and alerting administrators to unauthorized changes to configurations and critical system and application components. Assuria Auditor's methodology simplifies the creation of system security baselines for users, groups, shares, services and critical system files, and easily fits in with existing business processes. Fully scalable for enterprise installations, Assuria Auditor manages large agent populations.

2. The Assuria Auditor Advantage

Assuria Auditor is a market leader in countering the insider threat to business integrity and a key solution for managing compliance to international regulatory standards such as PCI DSS or ISO 27001. Through a flexible, distributed management framework, Assuria Auditor measures, manages and enforces server security policies and configurations using a host-to-network view of critical systems and servers, assessing host security, detecting and reporting system security weaknesses and recommending corrections. System administrators and network management systems can also be alerted to unauthorized changes to configurations, critical system elements and application components. Powerful change detection management features allow rapid assessment and reporting of suspicious or potentially troublesome changes.

The key features and benefits of Assuria Auditor are:

Regulatory standards compliance. The comprehensive security database includes mappings of each of Assuria Auditor's 2500+ security configuration checks to appropriate references within international standards such as ISO 27001, ISO 17799, PCI and SOX. CVE and BID references are also provided, with CVSS scores where appropriate.

Configuration Policy Compliance. As well as monitoring compliance with external standards and accepted best practice in security configuration, Assuria Auditor can be tailored to specific requirements, allowing users to adjust checks and policies and write new checks to match the specific requirements of an organization's security policy, thus ensuring full compliance.

Change Detection. Assuria Auditor allows the creation of system baselines and monitoring for any changes to those baselines, including changes to executables, data files and registry keys.

Vulnerability Assessment. Delivered with a comprehensive security knowledge base of more than 2500 checks and a library of best practice policies, Assuria Auditor detects potential vulnerabilities, assists with assessment of risk and recommends changes to mitigate those risks.

Distributed Management Framework. This framework enables operational access to the Assuria Auditor agent community from anywhere on an enterprise network.

Confidential Page 3 of 16

Fully Scalable. Large populations of agents can be managed from a single Assuria Auditor Console and agent-less scanning is available on some platforms, including MS Windows systems. Multi-layer management is also provided. Many Assuria Auditor installations comprise hundreds of servers.

Powerful and flexible Reporting. Standard reports, designed for both technical and managerial audiences, identify areas of security weakness or misconfiguration, the security implications and the possible consequences of security breaches resulting from such weaknesses, and appropriate remedies and solutions in detail.

Auto Updates. Regular monthly security content updates ensure that hosts are protected from even the most recent vulnerabilities and exploits, also allowing rapid distribution of new product features.

Customizable Checks. Although a huge number of vulnerability, misconfiguration and other best practice checks are delivered as part of the comprehensive Assuria Auditor Knowledge Base, additional custom checks can easily be added via the Tcl scripting language.

Wide platform support. Assuria Auditor supported operating systems are: Microsoft Windows Server 2008 & 2003 including SP1, SP2 and X64, Microsoft VISTA, Microsoft Windows 2000, Microsoft Windows Server 2003 R3, Solaris SPARC 7, 8, 9, 10, AIX 4.3 and 5.1+, HP-UX PA-RISC and ITANIUM 11+, Red Hat Enterprise Linux 3, 4, 5, SuSE Enterprise Linux 9, 10 on X86, SuSE Enterprise Linux 10 on IBM Z series, as well as VMware ESX 3.5.

Agent or Agent-less. Hosts can be scanned by a resident agent or over the wire with Remote Adapter. The Assuria Remote Adapter (RA) technology enables remote agent-less scanning by Assuria Auditor. The release of Assuria Auditor Remote Adapter (RA) is another significant step in the development and evolution of Assuria Auditor with this addition of agent-less operation.

Virtualized environments. Fully supported in virtual environments running on products such as VMware, HyperV or XEN.

3. The Assuria Auditor Capabilities

Assuria Auditor is a software product that is designed to be flexible, adaptable and easily extensible. Out of the box the product is pre-configured with checks, policies, standards and reports that can be used immediately. In addition it can be easily tailored to meet specific user requirements. Assuria Auditor's architecture can be Agent or Agent-less.

Assuria Auditor's key capabilities are:

Regulatory and Standards Policy-Compliance: Examines system configuration settings and reports those not consistent with the requirements of a number of external security policies, for example PCI DSS or ISO 27001.

Configuration assurance: Examines system configuration settings and reports those not consistent with security best practice / security policy.

Vulnerability detection: Examines systems and reports known vulnerabilities and likely missing patches and fixes.

Change detection: Examines objects on systems that have been baselined and reports any that have changed. Objects that are supported include: Files, Registry keys, Groups, Users, Services, Installed packages etc.

System information and inventory: Examines and reports on system information including Users and Groups and the rights and privileges assigned, as well as system inventory including hardware, open ports, services and installed software.

3.1. Assuria Auditor Information Manager

The architecture of Assuria Auditor with agents is shown in the picture below:

[Figure: Assuria Auditor architecture. Labels: Agent, Database, Information Manager, Console, Web Interface]

The Assuria Auditor Agents are installed on each host to be examined, with a small footprint and low resource requirement on the host system. They run checks and policies and send results to the Console via a secure encrypted link. The Assuria Auditor Information Manager (AIM), installed on the Console, provides views of the information held in the Assuria Auditor database. In the current AIM release five views are available:

Changes: The Change Detection view is designed to help monitor and detect changes to systems in Assuria Auditor baselines.

Patches: The Patches view gives information on which patches have already been applied, and which still need to be applied for each host.

Users/Groups: The Users / Groups view lists the users existing on the hosts, and of which groups they are members.

Packages: The Packages view shows the packages which have been installed on each host.

Standards: The Standards view shows the vulnerabilities on Hosts, summarized and grouped by Standards.

The Assuria Information Manager (AIM) views are designed to help in monitoring and managing hosts and are intended for security management and for ongoing operations use.

Figure 1. Assuria Auditor Information Manager - An overview

The key features of the Assuria Auditor Information Manager are:

Overview of all configured systems: Changes, Patches, Users/Groups, Packages and Standards.
Built-in Search facility to quickly find key data.
Built-in reporting for each view.
Integrated with Assuria Auditor Console database.
Rapid identification of key information.
Rapid access to the details of those changes.
Export to Excel / clipboard.
Paste to Notepad for small quick report.

3.2. Assuria Auditor Remote Adapter

The architecture of the agent-less Assuria Auditor, called Assuria Auditor Remote Adapter, is shown in the picture below:

The Assuria Auditor Remote Adapter (RA) technology enables remote agent-less scanning by Assuria Auditor. Integrated with the Assuria Auditor Console, RA uses the same database, checks, policies and reporting as the current Assuria Auditor agents, while RA has a new dedicated user interface. The scan results from checks and policies run via RA are imported into the Assuria Auditor database and all existing Assuria Auditor reports are available. Reports combining both RA and agent-based scan results can also be produced.

The target systems, i.e. the computer systems to be scanned, are known as Hosts and are configured via the User Interface. RA is configured with the name and / or IP address of each host to be scanned. Hosts can be collected into arbitrary groups for simpler management of similar systems. Credentials held in the credential store can be associated with a single Host, any number of Hosts or groups of Hosts.

Figure 2. Assuria Auditor Remote Adapter User Interface

The Assuria Auditor Remote Adapter user interface enables the RA user to:

Create and manage Credential Stores to securely store credentials required to access the target hosts.
Add a host or target system to be scanned. This can be a system with an Assuria Auditor agent currently installed.
Create RA sessions. A session is a mapping of Assuria Auditor Policies to target hosts.
Run RA sessions. Scan configured hosts or target systems.
View and monitor session progress.
Report RA session. Report on scanned hosts or target systems.

3.3. Regulatory and Standards-Policy-Compliance

Organisations of all sizes and in both the public and private sector are increasingly required to be in compliance with a number of legislative and industry regulations and standards. Compliance with these regulations should be seen as part of the Information Security Management System (ISMS) or process.

Most organizations subject to multiple regulations use controls from standards such as ISO 27001 and guidelines to achieve compliance. ISO 27001 is the formal standard against which organizations may seek independent certification of their Information Security Management Systems. An ISMS is a framework to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the organization. Gartner Group represented (below) the relationship between regulations, control objectives and controls.

Assuria Auditor is a software tool that supports the controls within an ISMS. A key issue with compliance is planning and measuring acceptable levels of compliance. With its unique mapping of checks to controls, control objectives and regulations, Assuria Auditor delivers a powerful tool to help achieve compliance to appropriate and applicable standards.

Assuria Auditor features regulatory and standards compliance reporting. The Assuria Auditor Console database includes, where appropriate, the mapping of each of Assuria Auditor's thousands of checks to a specific reference within the standard. Currently available standards are: ISO 27001, ISO 27002 (formerly ISO 17799), PCI, FISMA, HIPAA, SOX, CVE, BID.

Figure 3. Assuria Auditor reporting includes options to report by the selected standard.

3.4. Configuration Assurance

Apart from Regulatory and Standards Compliance Checks, Assuria Auditor provides a set of Compliance Checks that are a specific form of Check Config file that let you configure Assuria Auditor to enforce your security policy requirements to a very specific level. Compliance checks are checks that use Check Config files that have been designed for users to modify. The Check Config files are used by Assuria to fine-tune the actions of various checks.

Assuria Auditor Check Configuration (Check Config) files provide a very powerful mechanism for customizing checks to meet your precise requirements. The Check Config files contain information that is referenced by checks and policies. The Check Config files can be updated for each agent from the console. This means you can customize their content for each agent from a single location, or for all agents or agents in a class.

Each compliance check has an associated configuration file which allows the check to be configured. The details of the parameters and capabilities of the Compliance checks are included in the Assuria Auditor Admin Guide. Some examples of the Compliance Check Configuration files are below:

The antiviruskeys: This file lets you specify which anti-virus software should be installed on a computer. Assuria Auditor uses the contents of this file to ensure that at least one of the specified anti-virus products is installed on the computer.

The Audit template: It contains specifications for the required audit policy of your system.

The usertemplate: The User template allows the specification of the user configuration.

The hotfixtemplate: The Hotfix template contains specifications for hotfixes which should be applied to your system.

Figure 4. Check Configuration Files

3.5. Vulnerability Detection

CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability.

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS consists of 3 groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10, and a Vector, a compressed textual representation that reflects the values used to derive the score. The Base group represents the intrinsic qualities of a vulnerability. The Temporal group reflects the characteristics of a vulnerability that change over time. The Environmental group represents the characteristics of a vulnerability that are unique to any user's environment. CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors and researchers to all benefit by adopting this common language of scoring IT vulnerabilities.

In Assuria Auditor, CVSS scores and vectors for checks can be viewed in the Policy Navigators and all HTML-based reports. Reports can be ordered in different combinations of risk level and/or CVSS score. Assuria Auditor reports include CVSS data in the Summary section and detail section of reports. A CVSS vector editor is provided as part of the Assuria Auditor Console, to allow customers to set their own vectors (and hence scores) for checks.

Figure 5. CVSS Vector Modification

3.6. Change Detection

Baselines are a vital step in the process of securing a system. When Auditor is first used a number of problems will be found, along with deviations from the expected security profile. Most of these deviations will be corrected, some will be accepted, but all will be dealt with in some way. Once this process is complete, a snapshot of the system can be taken, and any further analysis will be against this baseline.

As an example, check user-guest-01 reports on a user named Guest being a member of the group Guest. This user should be renamed and disabled. A User Baseline can then be taken, and Auditor can report on any changes to this user, such as it being re-enabled.

Assuria Auditor supports a number of baselines. These include: File Registry File Associations Users Group Services Shares Packages Trusted Hosts Features Roles Brokers CPU Discs Model Adapters. The baselines available on any specific platform will vary from the list above.

3.7. Assuria Auditor Reporting

Assuria Auditor reports are in 3 major groups:

Administrative Reports
Executive Reports
Line Management and Technician Reports
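Going back to the baseline process of section 3.6 (Change Detection): the added example below is not Assuria code and does not use the product's Tcl check interface. It takes a baseline of files and users, then reports what changed, including a disabled guest account being re-enabled; the user records, the `uid-NNN` keys and the file names are constructed.

```python
"""Baseline-and-compare change detection (added example, not Assuria code)."""
import copy
import hashlib
import os
import stat
import tempfile


def snapshot_files(root):
    """Record SHA-256, size and permission bits of each regular file under root."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            if not stat.S_ISREG(info.st_mode):
                continue  # symlinks and special files are out of scope here
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            files[os.path.relpath(path, root)] = {
                "sha256": digest,
                "size": info.st_size,
                "mode": oct(stat.S_IMODE(info.st_mode)),
            }
    return files


def take_baseline(snapshot):
    """Freeze a snapshot taken after deviations were corrected or accepted."""
    return copy.deepcopy(snapshot)


def detect_changes(baseline, current):
    """Return (kind, object, change, detail) tuples for every difference."""
    changes = []
    for kind in sorted(set(baseline) | set(current)):
        old, new = baseline.get(kind, {}), current.get(kind, {})
        for name in sorted(set(old) | set(new)):
            if name not in new:
                changes.append((kind, name, "removed", None))
            elif name not in old:
                changes.append((kind, name, "added", None))
            else:
                for attr in sorted(set(old[name]) | set(new[name])):
                    before, after = old[name].get(attr), new[name].get(attr)
                    if before != after:
                        changes.append((kind, name, "modified", (attr, before, after)))
    return changes


# Constructed sample data. Users are keyed by a stable id (hypothetical uid-NNN
# values) so that a rename shows up as a change rather than as remove + add.
USERS_AT_BASELINE = {
    "uid-501": {"name": "renamed-guest", "enabled": False, "groups": ["Guest"]},
}
USERS_LATER = {
    "uid-501": {"name": "renamed-guest", "enabled": True, "groups": ["Guest"]},
    "uid-777": {"name": "tmpadmin", "enabled": True, "groups": ["Administrators"]},
}


def run_demo():
    """Baseline a temp directory plus the sample users, change both, then compare."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "app.conf")
        with open(conf, "wb") as fh:
            fh.write(b"mode=strict\n")
        baseline = take_baseline(
            {"users": USERS_AT_BASELINE, "files": snapshot_files(root)}
        )
        with open(conf, "wb") as fh:  # content of a baselined file changes
            fh.write(b"mode=permissive\n")
        with open(os.path.join(root, "new.bin"), "wb") as fh:  # file not in baseline
            fh.write(b"\x00")
        current = {"users": USERS_LATER, "files": snapshot_files(root)}
        return detect_changes(baseline, current)


if __name__ == "__main__":
    for change in run_demo():
        print(change)
```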

3.7.1. Administrative Reports

These reports help the user to manage their Assuria Auditor environment. Types of reports are:

Agent AU Level. This report shows the AutoUpdate level for each agent.
Agent Population by OS. This report shows graphically the agent population by Operating System.
Last Agent Communications. This report shows the last recorded communications between each agent and the console.
Most Recent Scan. This report shows the most recent scan for each agent.

3.7.2. Executive Reports

Executive reports are for use by managers responsible for systems. The report types are:

10 Most Vulnerable Agents: A graphical representation of the ten most vulnerable agents.

Latest State: Graphical representation and analysis of the vulnerabilities detected for selected agents and/or classes during the last scan within (or for) each session.

Network Trends Analysis: This report displays a month-by-month comparison of vulnerabilities.

Network Vulnerability Assessment Summary: This report is useful for assessing the organization's susceptibility to violation in relation to its policy and vulnerability conditions.

Scan Differences: Information about vulnerabilities that are unique to a specific scan. The user selects a group of scans, and then specifies the ID of the scan to report on.

Scans Summary sorted by Host: Graphical representation, sorted by host, of the number of vulnerabilities found and checks that were run during the selected scans.

Scans Summary sorted by Vulnerability: This report is the same as the previous report, except it is sorted by vulnerability.

Scorecard: A numerical representation of the vulnerabilities found, to allow a comparison of all agents in the system.

Figure 6. Compliance Report

3.7.3. Line Management and Technician Reports

Both Line Management and Technician reports contain the information below. Technician reports also provide instructions for correcting vulnerabilities.

Host Assessment: Detailed information about each vulnerability found in the selected scans. For each host included in the report, vulnerability information is presented in decreasing risk level order.

Vulnerability Assessment: Descriptions of the vulnerabilities detected in selected scans. Vulnerabilities are presented in decreasing risk level order, with a list of each host affected.