Key Considerations for Vulnerability Management: Audit and Compliance
October 5, 2005
Copyright 2005 Altiris Inc. All rights reserved.
ABOUT ALTIRIS

Altiris, Inc. is a pioneer of IT lifecycle management software that allows IT organizations to easily manage desktops, notebooks, thin clients, handhelds, industry-standard servers, and heterogeneous software including Windows, Linux, and UNIX. Altiris automates and simplifies IT projects throughout the life of an asset to reduce the cost and complexity of management. Altiris client and mobile, server, and asset management solutions natively integrate via a common Web-based console and repository. For more information, visit www.altiris.com.

NOTICE

The content in this document represents the current view of Altiris as of the date of publication. Because Altiris responds continually to changing market conditions, this document should not be interpreted as a commitment on the part of Altiris. Altiris cannot guarantee the accuracy of any information presented after the date of publication.

Copyright 2004, Altiris, Inc. All rights reserved.

Altiris, Inc., 588 West 400 South, Lindon, UT 84042. Phone: (801) 226-8500. Fax: (801) 226-8506.

BootWorks U.S. Patent No. 5,764,593. RapiDeploy U.S. Patent No. 6,144,992. Altiris, BootWorks, Inventory Solution, PC Transplant, RapiDeploy, and RapidInstall are registered trademarks of Altiris, Inc. in the United States. Carbon Copy is a registered trademark licensed to Altiris, Inc. in the United States and a registered trademark of Altiris, Inc. in other countries. Microsoft, Windows, and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other brands and names are the property of their respective owners. Information in this document is subject to change without notice. For the latest documentation, visit www.altiris.com.

www.altiris.com
CONTENTS

Considerations ... 1
Consideration: Mix and match agent-based and agentless auditing technology on all desktops and servers for Windows, UNIX, and Linux to meet the needs of your environment, including remote sites ... 1
    The best auditing solution matches the needs of your environment ... 1
    Agent-based auditing technology is appropriate under certain circumstances ... 1
    Agentless auditing technology requires no work and eliminates risk ... 1
    Distributed proxies are necessary for remote and low-bandwidth sites ... 2
Consideration: Bandwidth utilization ... 2
Consideration: Customizable and flexible system security policies ... 2
Consideration: Industry regulations ... 3
Consideration: Patch management ... 3
Consideration: Multi-platform: Windows, UNIX, and Linux ... 4
Consideration: Software identification ... 4
Consideration: Hardware identification ... 4
Consideration: Reporting ... 4
Consideration: Price ... 5
    Console pricing ... 5
    UNIX vs. Windows pricing ... 5
Audit and Compliance Functionality ... 6
CONSIDERATIONS

Consideration: Mix and match agent-based and agentless auditing technology on all desktops and servers for Windows, UNIX, and Linux to meet the needs of your environment, including remote sites

The best auditing solution matches the needs of your environment

Agent-based and agentless auditing both have their merits. A system that fully supports both methods, and lets you choose between them system by system, integrates most smoothly into an existing architecture.

Agent-based auditing technology is appropriate under certain circumstances

An agent-based approach is appropriate for systems that are centrally located and highly secured. This is often the case for servers and for machines kept in a locked-down state in which the protocols that agentless auditing relies on (such as Windows networking and SSH) are shut off, or where administrative credentials cannot be shared with the auditing console. An agent-based solution should not require administrative credentials, and it should integrate with the existing corporate directory to manage users, the level of auditing rights each user holds, and the systems those rights apply to. Agent-based auditing solutions should offer three classes of users with the following audit capabilities:

- Limited audit with no scripts or executables
- Audit only (no remediation)
- Audit and remediation

Furthermore, agents should be available for every supported platform and should be easy to upgrade when new versions are released, with minimal management effort.

Agentless auditing technology requires no work and eliminates risk

Agentless technology allows an organization to audit, assess, and bring into compliance with a system security policy every system (desktop and server) in the network without installing an agent on each one. Agentless technology uses the inherent facilities of the operating system.
Because those facilities are part of the operating system, no additional software has to be installed or maintained on each system, which reduces both deployment work and the risk of adding another component to every host. The trade-off is the one noted above: agentless auditing depends on those remote protocols being reachable and on administrative credentials for each target, and where either is unavailable an agent is the better choice. To ensure that an audit and compliance solution is truly agentless, it should be agentless for all of the following:

- Auditing against system security policies
- Applying system security settings
- Auditing for OS and application patches
- Applying OS and application patches
- Auditing software inventory for security purposes
- Auditing hardware inventory for security purposes
- Querying against all systems
- Uninstalling software
- Disabling hardware

Distributed proxies are necessary for remote and low-bandwidth sites

Auditing solutions should also offer a distributed proxy that extends system security functionality to the far side of firewalls at remote sites. Distributed proxies provide value when a firewall blocks the protocols that agentless technology employs: the proxy performs the auditing on its own side of the firewall, so only the console-to-proxy traffic has to cross it. The best audit and compliance solution offers agentless technology for all systems, a distributed proxy for remote sites (where required), an agent for systems kept in a highly secured, locked-down state, and the ability to mix and match these approaches.

Consideration: Bandwidth utilization

When deploying software within your network, it is important to understand how much bandwidth it consumes and the impact that has on the network. An audit and compliance solution should be able to throttle its bandwidth to user-defined limits. It must be possible to set those limits for the central console as well as for remote sites (for example, across the WAN) and other low-bandwidth systems served by a distributed proxy.

Consideration: Customizable and flexible system security policies

Every organization is unique. For audit and compliance, most start with a baseline best-practices policy such as the Microsoft Security White Paper, SANS (SysAdmin, Audit, Network, Security) Step-by-Step, the National Security Agency (NSA) guidelines, the National Institute of Standards and Technology (NIST) guidelines, and others. Each policy must then be studied to determine which system settings are pertinent and applicable to the particular environment. An audit and compliance solution that allows for this flexibility and customization is therefore key to both auditing and compliance success.
Key customizable requirements include the ability to:

- Create expression-based rules for intelligent actions
- Delete rules from best-practices system security policies
- Edit values and settings in best-practices system security policies
- Create new rules unique to particular systems
- Write queries against systems
- Launch scripts and programs as part of the overall solution

It is critical that an audit and compliance solution be able to audit a system at any level of comprehensiveness and also fix a system at that same level. The most powerful solutions let you define policies at a granular level and then both audit and remediate at exactly that granularity, so that each finding maps directly to the setting that corrects it.

Consideration: Industry regulations

Organizations must pay attention to many governmental regulations, such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), FDA 21 CFR Part 11, and many others. None of these regulations specify individual system settings or name the solutions required for compliance; what they require is that appropriate controls be in place and demonstrable, which in practice means applying a recognized best-practices system security policy. An audit and compliance solution should therefore offer industry best-practices system security policies such as those from Microsoft, SANS, NSA, NIST, the Department of the Navy, and so on, to support compliance with these regulations.

A five-step process is required for audit and compliance with industry regulations:

1. Choose a best-practices system security policy and edit it as needed.
2. Document the reasons for that choice.
3. Audit and report on all systems.
4. Remediate instances of non-compliance.
5. Document each instance where remediation was not performed, and why.

Consideration: Patch management

Many security issues revolve around maintaining proper system settings, and industry best-practices system security policies are designed to address this. A second risk, however, is failing to stay current with key patches. An audit and compliance solution must address both: it must audit all systems and bring them into compliance with the system security policy, and it must also audit for patches that are not up to date and allow approved patches to be applied automatically. Most companies audit for missing patches, lab-test every patch being considered for deployment, and only then apply the approved patches to all systems; automatic application should be gated on that approval rather than on the audit result alone.
Consideration: Multi-platform: Windows, UNIX, and Linux

Most companies run a mixture of Windows XP, Windows NT, Windows 2000, Windows 2003, Solaris, Linux, AIX, and HP-UX. An audit and compliance solution must support every operating system in the organization.

Consideration: Software identification

Correct system settings and up-to-date patches solve a large share of system security problems, but other open doors remain. Users may have installed rogue software that opens file shares or back doors, such as the Kazaa peer-to-peer client. An audit and compliance solution should identify all software that presents a security risk on desktops and should offer the option of automatic removal. The same functionality can identify software the organization has not authorized, such as instant messaging clients (Yahoo, MSN, AOL, and so on). Identifying the services running on a system, such as FTP, SNMP, and others, is as important as identifying installed applications, since these services often expose vulnerabilities to the network.

Consideration: Hardware identification

Unauthorized hardware on Windows desktops can create communication paths into systems that bypass the network's controls. One example is an unauthorized modem on a user's system, particularly a modem with auto-answer turned on, which accepts inbound calls. An audit and compliance solution should identify all unauthorized hardware devices that present security risks, and it should be capable not only of locating the hardware but also of disabling it or turning off key features.

Consideration: Reporting

Management needs to know the level of compliance, and the level of risk, for system settings measured against the system security policy, for patch levels, for rogue or unlicensed software, and for unauthorized hardware. Reports need to show individual systems as well as trending and summary analysis across all systems, and they need to provide a single meaningful measure of audit compliance status.

An audit and compliance solution should offer a standard set of key reporting templates. It should also support ODBC, so that all data can be stored in the organization's central database, whether Microsoft SQL Server, Oracle, IBM DB2, or any other ODBC-compliant database. ODBC support allows for standardized corporate reporting and for correlation with other security data.
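The customizable expression-based rules, the five-step regulatory process, the patch and rogue-software checks, and the single compliance measure described in the sections above can be seen working together in the small policy engine below. It is an added illustration written for this edit, not SecurityExpressions code or anything Altiris ships; the inventory, the rule identifiers, the hotfix names ("HOTFIX-A", "HOTFIX-B"), and the evaluate, audit, remediate and compliance_score functions are all constructed for the example. Rules are plain expressions evaluated by a restricted AST walker rather than eval(), so a policy file edited by a limited-rights user cannot make the console execute code.

```python
"""Toy policy-audit engine: expression rules, audit, remediation, one compliance score.
Added illustration only (not SecurityExpressions code); all names and data are hypothetical."""
import ast, copy, operator as op
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample inventory, in the shape an agentless query might return it.
SAMPLE_HOST = {
    "settings": {"MinimumPasswordLength": 6, "LockoutThreshold": 0, "AutoAdminLogon": 1},
    "patches": {"HOTFIX-A"},                       # "HOTFIX-B" is missing (made-up names)
    "software": {"Kazaa", "Office"},
    "services": {"FTP": "running", "SNMP": "running"},
    "hardware": {"Modem": {"present": True, "auto_answer": True}},
}

def fresh_host() -> dict:                          # deep copy so fixes never mutate the constant
    return copy.deepcopy(SAMPLE_HOST)

@dataclass
class Rule:
    rule_id: str
    expr: str                                      # compliant when this evaluates True
    fix: Optional[Callable[[dict], None]] = None   # None means the rule is audit-only

# Step 1: baseline policy edited to the environment (step 2: reasons in the comments;
# step 5: EXCEPTIONS records where remediation is deliberately not performed).
POLICY = [
    Rule("PW-01", "settings.MinimumPasswordLength >= 8", lambda h: h["settings"].update(MinimumPasswordLength=8)),
    Rule("PW-02", "0 < settings.LockoutThreshold <= 10", lambda h: h["settings"].update(LockoutThreshold=5)),
    Rule("LOGON-01", "settings.AutoAdminLogon == 0", lambda h: h["settings"].update(AutoAdminLogon=0)),
    Rule("PATCH-01", "'HOTFIX-B' in patches", lambda h: h["patches"].add("HOTFIX-B")),
    Rule("SW-01", "'Kazaa' not in software", lambda h: h["software"].discard("Kazaa")),
    Rule("SVC-01", "services.FTP != 'running'", lambda h: h["services"].update(FTP="stopped")),
    Rule("SVC-02", "services.SNMP != 'running'"),  # audit-only: the monitoring team owns SNMP
    Rule("HW-01", "not hardware.Modem.auto_answer", lambda h: h["hardware"]["Modem"].update(auto_answer=False)),
]
EXCEPTIONS = {"SVC-02": "SNMP required by network monitoring; access restricted at the switch"}

_CMP = {ast.Eq: op.eq, ast.NotEq: op.ne, ast.Lt: op.lt, ast.LtE: op.le, ast.Gt: op.gt,
        ast.GtE: op.ge, ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b}

def evaluate(expr: str, host: dict) -> bool:
    """Evaluate a rule with a restricted AST walker instead of eval(): only names, attributes,
    constants, comparisons and and/or/not are accepted, so a policy file cannot run code."""
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):                 # top-level inventory section
            return host[node.id]
        if isinstance(node, ast.Attribute):            # dotted path into the section
            return ev(node.value)[node.attr]
        if isinstance(node, ast.Compare):              # supports chained a < b <= c
            left = ev(node.left)
            for o, comparator in zip(node.ops, node.comparators):
                right = ev(comparator)
                if not _CMP[type(o)](left, right):
                    return False
                left = right
            return True
        if isinstance(node, ast.BoolOp):
            results = [ev(v) for v in node.values]
            return all(results) if isinstance(node.op, ast.And) else any(results)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not ev(node.operand)
        raise ValueError("unsupported syntax in rule: " + type(node).__name__)
    return bool(ev(ast.parse(expr, mode="eval")))

def audit(host: dict, policy) -> dict:
    """Step 3: rule_id -> 'pass' | 'fail' | 'error'. A missing inventory key or an
    unsupported rule is an error and is never counted as compliant."""
    results = {}
    for rule in policy:
        try:
            results[rule.rule_id] = "pass" if evaluate(rule.expr, host) else "fail"
        except (KeyError, TypeError, ValueError):
            results[rule.rule_id] = "error"
    return results

def remediate(host: dict, policy, audit_results: dict, can_fix: bool) -> list:
    """Step 4: fix failing rules unless the user class is audit-only (can_fix=False),
    the rule has no fix, or an exception is documented. Returns the rule_ids fixed."""
    fixed = []
    for rule in policy:
        if can_fix and audit_results.get(rule.rule_id) == "fail" \
                and rule.fix is not None and rule.rule_id not in EXCEPTIONS:
            rule.fix(host)
            fixed.append(rule.rule_id)
    return fixed

def compliance_score(audit_results: dict) -> float:
    """The single compliance measure for reporting: percentage of rules passing."""
    passing = sum(1 for status in audit_results.values() if status == "pass")
    return round(100.0 * passing / len(audit_results), 1) if audit_results else 0.0

if __name__ == "__main__":
    host = fresh_host()
    before = audit(host, POLICY)
    print("before:", before, compliance_score(before))            # 0.0
    print("fixed:", remediate(host, POLICY, before, can_fix=True))
    after = audit(host, POLICY)
    print("after:", after, compliance_score(after))               # 87.5, SVC-02 excepted
```

Run as a script, the module audits the constructed host (0.0% compliant), applies every fix except the audit-only SNMP rule, whose documented exception is the record step 5 calls for, and re-audits to 87.5%. An evaluation error (a missing inventory key, or syntax the walker does not accept, such as a function call) is reported as "error" and is never counted toward the score; that is the conservative reading a compliance figure presented to management should use.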
Consideration: Price

All IT budgets are tightly managed, and price matters as much as functionality. Many solutions address only system settings or only patching. Even though separate groups within IT may be responsible for each, there is no reason to pay two license fees per system. An audit and compliance solution with a single low per-system license fee that covers both system settings and patches, and no charge for the central console, can be shared by multiple groups and is therefore the most cost-effective choice.

Console pricing

In any audit and compliance solution, the central console may be used by several system administrators, internal and external auditors, security staff, and others. A per-console price is therefore a hidden cost, since it can be multiplied many times over by the number of IT users. The most cost-effective audit and compliance solutions do not charge an additional fee for the central console.

UNIX vs. Windows pricing

Some audit and compliance solutions are priced higher for UNIX than for Windows. Be sure to ask the price of a Windows desktop versus a UNIX desktop, and of a Windows server versus a UNIX server. Obtaining Windows-only pricing can produce a surprise when the final quote includes UNIX at a higher price per system.
AUDIT AND COMPLIANCE FUNCTIONALITY

For each capability, the checklist asks two questions: "Does Altiris SecurityExpressions do this?" and "Can Altiris SecurityExpressions do this agentlessly as well as via an agent?"

Audit and compliance solution functionality                                        | Does SecurityExpressions do this? | Agentlessly as well as via an agent?
-----------------------------------------------------------------------------------|-----------------------------------|-------------------------------------
WINDOWS                                                                            |                                   |
Auditing of system security policy settings                                        |                                   |
Compliance with system security policy for system settings                         |                                   |
Auditing of patches (Microsoft hotfixes) for operating systems and applications    |                                   |
Application of patches (Microsoft hotfixes) for operating systems and applications |                                   |
Auditing of software that presents system security risks                           |                                   |
Auditing of services that present system security risks                            |                                   |
Auditing of unauthorized hardware that presents system security risks              |                                   |
Uninstall or disable software that presents system security risks                  |                                   |
Disable hardware that presents system security risks                               |                                   |
Query systems for property lists                                                   |                                   |
UNIX                                                                               |                                   |
Auditing of system security policy settings                                        |                                   |
Compliance with system security policy for system settings                         |                                   |
Auditing of patches                                                                |                                   |
Application of patches                                                             |                                   |
Auditing of software that presents system security risks                           |                                   |
Auditing of services that present system security risks                            |                                   |
SYSTEM SECURITY POLICY                                                             |                                   |
Easy management of audit tasks with scheduling and flexible notification           |                                   |
Set bandwidth utilization limits for central console                               |                                   |
Set bandwidth utilization limits for distributed proxy                             |                                   |
Highly customizable to exact requirements                                          |                                   |
Microsoft Security White Paper                                                     |                                   |
SANS (SysAdmin, Audit, Network, Security) Step-by-Step                             |                                   |
National Security Agency (NSA) Guidelines                                          |                                   |
National Institute of Standards and Technology (NIST)                              |                                   |
Department of the Navy                                                             |                                   |
Best practices system security policies to meet industry regulations               |                                   |
MULTI-PLATFORM                                                                     |                                   |
Microsoft Windows XP                                                               |                                   |
Microsoft Windows NT                                                               |                                   |
Microsoft Windows 2000                                                             |                                   |
Microsoft Windows 2003                                                             |                                   |
Sun Solaris                                                                        |                                   |
Red Hat Linux                                                                      |                                   |
IBM AIX                                                                            |                                   |
HP-UX                                                                              |                                   |
REPORTING                                                                          |                                   |
Includes Crystal reporting engine                                                  |                                   |
Includes standardized trend and summary reports                                    |                                   |
ODBC to any ODBC-compliant database (SQL, Oracle, DB2, etc.)                       |                                   |
Export reports to PDF, Word, Excel, HTML, etc. for management reporting            |                                   |
Single measurement of audit compliance status                                      |                                   |
PRICING                                                                            |                                   |
License fee per Windows desktop                                                    | Contact Altiris                   |
License fee per Windows server                                                     | Contact Altiris                   |
License fee per UNIX server                                                        | Same as Windows                   |
License fee per central administrators console                                     | No charge                         |