Proactive Vulnerability Management Using Rapid7 NeXpose




WHITE PAPER

Proactive Vulnerability Management Using Rapid7 NeXpose

RAPID7 Corporate Headquarters
545 Boylston Street
Boston, MA 02116
617.247.1717
www.rapid7.com

EXECUTIVE SUMMARY

The volatile network environment of most organizations requires them to proactively identify and remediate network vulnerabilities regularly to prevent hackers or disgruntled insiders from exploiting these weaknesses. The process of identifying vulnerabilities, evaluating the risk they pose, remediating them and reporting on them is called vulnerability management. By using a formal vulnerability management process, an organization is able to find and fix security vulnerabilities within its network more efficiently.

Vulnerability management is a measurable and proactive process which enables organizations to understand the risk of certain vulnerabilities in their IT environment and to ensure their network is not compromised. The process includes the following steps:

1. Discover and categorize IT assets
2. Audit to scan for vulnerabilities
3. Delegate and prioritize effort based on risk
4. Remediate by applying the patch, upgrade or workaround
5. Confirm by rescanning to validate the fix applied
6. Report risk assessment to management

(Figure: the vulnerability management cycle, from Start through Discover, Audit, Delegate, Remediate, Confirm and Report.)

In the past, vulnerability assessment was performed manually for auditing purposes. This process would take up to several weeks, and the reports produced were out of date by the time they were delivered. Today, high-speed scanning software such as NeXpose Vulnerability Assessment and Risk Management software from Rapid7 allows these steps to be formalized and automated. With the threats facing IT infrastructure in this era, the process of vulnerability assessment, policy compliance and remediation has become part of the daily administrative process. Identifying and managing risk relating to vulnerabilities requires that an organization understand both the cost and potential impact of a successful attack on its environment.

Automating the vulnerability management process with NeXpose provides a cost-effective way for organizations to quantify and qualify the security risks to business applications, and to apply resources to remediate those risks in the most efficient manner. This formalization of the vulnerability management process satisfies regulatory and policy compliance requirements and provides best practices for corporate governance of sensitive data. This paper addresses the methodology required for successfully conducting, reviewing, and maintaining an effective Enterprise Vulnerability Management program.

2009 Rapid7, Inc.

THE NEED FOR VULNERABILITY MANAGEMENT

According to Forrester, a high profile, highly regulated company could face up to $9.2 million in damages as a result of computer crime perpetrated through insecure systems. [1] Fraud, identity theft, system repair downtime, lost employee productivity, lost customers, lost revenues, lost business opportunity costs, as well as both regulatory and legal fines are all intolerable business impediments associated with these threats.

Cyber criminals are constantly scanning IP addresses looking for vulnerabilities that can be exploited. The goal of attackers is no longer just simple acts of site defacement for media attention. The last public nuisance worm to gain significant media attention was the famous Samy cross-site scripting (XSS) worm released in 2005. The Samy worm simply defaced MySpace sites. However, it foreshadowed how effectively XSS exploits could be used in the future to reach a world-wide audience through the Web. Symantec reported in its 2008 Global Internet Security Threat Report that site-specific XSS vulnerabilities increased by 61%, but the average patch development time was 52 days, which further demonstrates how patch development is struggling to keep pace with the number of vulnerabilities being found.

The new breed of exploit is designed to serve organized crime rather than to simply embarrass an organization. These exploits are designed to gather data silently and to go undetected while carrying out their goals on the systems of unsuspecting victims. The increasing sophistication of these exploits has left network administrators struggling to keep up with the rapid pace of change. In addition, businesses continue to face the devastating legal and financial repercussions of data theft from data breaches. The cost of data breaches continues to rise. The Ponemon Institute reported that the average cost of data breaches rose from $138 per record in 2005 to $202 per record in 2008, and the average total cost rose from $4.5 million in 2005 to $6.6 million in 2008. [2]

Figure 1 - Time between when patch became available and when breach occurred. Values recovered from the chart: less than 1 month, 0%; 1 to 3 months, 4%; 3 to 6 months, 6%; 6 to 12 months, 19%; greater than 1 year, 71%.

The number of discovered vulnerabilities continues to increase rapidly. As of September 2009, the National Institute of Standards and Technology (NIST) reported nearly 37,000 known CVE vulnerabilities as part of the National Vulnerability Database (NVD), which is nearly an eightfold increase from the 4,500 vulnerabilities reported five years earlier in 2004. The CVE publication rate is 20 new vulnerabilities a day. But it is not just the sheer number of vulnerabilities that is worrisome; it is also the speed at which the vulnerabilities are now being successfully exploited even when a vendor patch is available. For example, Microsoft released an emergency out-of-band patch on October 23, 2008 to address a particular Microsoft Windows operating system network service vulnerability (MS08-067). However, many network administrators failed to patch their systems in a timely manner, so a large number of Windows PCs remained unpatched and fell victim to the first variant of the Conficker worm detected in November 2008. The Conficker worm was designed to propagate through the Internet by exploiting the vulnerability that could have been easily patched with MS08-067. By January 2009, more than seven million government, business and home computers in over 200 countries were under the control of one of the many variants of Conficker. The ability of Conficker to combine many advanced malware techniques allowed it to spread quickly into what is now believed to be one of the largest computer worm infections in history.

The rapid spread of Conficker, even when a vendor security patch was already available, demonstrates the challenge that security managers face in keeping their systems up to date as part of ongoing vulnerability management programs. According to the Verizon Business 2008 Data Breach Investigations Report, for over 70% of breaches, a patch had been available for more than a year. Without a systematic process to detect, prioritize, delegate and effectively remediate vulnerabilities, enterprises will continue to suffer from successful attacks. Firewalls, antivirus software, intrusion detection systems (IDS) and other security products can give IT administrators a false sense of security that leads them to believe that they are shielded from intrusion. Web-based attacks that target web and database servers can bypass firewalls and virus scanners using techniques such as SQL injection and buffer overflows.

[1] Forrester, 2007 (based on 30,000 customer records)
[2] Ponemon Institute 2008 Benchmark Study, Feb. 2009

Laptops that employees move from network to network are especially vulnerable to exploits, and can be the catalyst for exploits entering the corporate network. Intrusion detection systems are installed at the network perimeter but don't usually detect internally generated threats. Those that can are often unable to stop the offending machine from infecting other machines, as they do not control the routers operating on the internal segments. With all these varying security threats, how does an enterprise secure its environment and ensure that the level of risk to its corporate assets is reduced?

PROTECTING THE ENTERPRISE

Over the past few years, the number and variety of network and system security tools has grown substantially. While some of these tools may be sufficient to address specific security concerns, the majority of these solutions are simply inadequate for protecting enterprise-level infrastructures. In a large enterprise, centralized security practices and policies ensure corporate-wide network availability, integrity, and confidentiality. A formalized and centralized vulnerability management process that identifies and tests for policy violations is a required component in proactively securing network assets.

Many enterprise vulnerability assessment and remediation initiatives fail. Disparate scan results on hundreds of systems yield thousands of identified vulnerabilities, challenging IT managers' efforts to effectively consolidate network information, eliminate false positives, and efficiently delegate remediation tasks to their administrators. The US Computer Emergency Readiness Team (US-CERT) has reported that nearly 99% of all intrusions result from exploitation of known vulnerabilities or common configuration errors. In addition, 90% of all Internet attacks are imitations. Therefore, network intrusions can be essentially avoided if companies take the initiative to follow a strict policy of performing regular vulnerability assessment and proactive remediation across the entire enterprise.

MORE THAN VULNERABILITY ASSESSMENT

Rapid7 has developed an enterprise vulnerability assessment and remediation management solution that enables IT and security groups to implement an integrated and centralized approach to vulnerability management. Rapid7's NeXpose features a collaborative workflow process consisting of six integrated steps: Discover, Audit, Delegate, Remediate, Confirm, and Report. This process is continuous and creates a closed feedback loop for ongoing network threat management.

NEXPOSE ENTERPRISE VULNERABILITY MANAGEMENT

First and second generation scanning products are focused on scanning systems against a list of known vulnerabilities. These tools are standalone implementations that lack the scalability, management, reporting, remediation, and advanced performance capabilities required for an enterprise-wide deployment. NeXpose was designed for large-scale deployments that support complex and distributed computing environments. NeXpose also offers unparalleled Web scanning to detect XSS and SQL injection vulnerabilities. Web scanning is critical for security systems now that 99.99% of all records in 2008 were breached from Web assets. [3] NeXpose is the only vulnerability management solution that includes support for Web applications, databases, operating systems, and network devices in a single system. Combining NeXpose's proven vulnerability assessment power with an integrated ticketing and reporting system yields an effective solution for enterprises in which multiple parties are part of the security solution.

Figure 2 - Percentage of records breached from Web assets, 2004 through 2008. The chart's data labels are 73%, 81%, 89% and 99.99%, the last being the 2008 figure cited above.

[3] Verizon Business 2009 Data Breach Investigations Report

VULNERABILITY MANAGEMENT PROCESS

There are several steps required to perform regular vulnerability assessment tests in any environment, particularly in an enterprise where other variables, such as centralized management, efficient bandwidth utilization, and non-intrusiveness, must be considered. By consistently executing a sound vulnerability management process, an enterprise can ensure its environment is secure from those who are looking for an entrance into the corporate network.

(Figure: the vulnerability management cycle, from Start through Discover, Audit, Delegate, Remediate, Confirm and Report.)

The remainder of this document describes each step in the vulnerability management process, and how NeXpose helps solve the distributed vulnerability assessment and remediation dilemma.

Discover and categorize IT assets

The first step an organization must take to assess its network for security vulnerabilities is to understand the assets that make up the network. This step, known as discovery, involves identifying all of the servers, workstations, devices, services, and applications running on the network.

NeXpose completely automates the task of network discovery. By entering a specific IP address range, network administrators can quickly generate a comprehensive map of all the known and rogue assets in a centralized database, including:

Servers
Desktops and Laptops
Operating Systems
Firewalls
Routers
Switches and Hubs
Wireless Access Points
Network Services
Applications

Screenshot: The NeXpose home page offers a wealth of information about the networked environment.

Audit to scan for vulnerabilities

The vulnerability audit is the most important step in the vulnerability management process. It entails checking all operating systems, hardware vulnerabilities, application vulnerabilities, system misconfigurations, and policy infractions. In the past, manual network audits, usually performed by an external consultant, could take days or even weeks for large networks. Powerful software like NeXpose can automate the auditing process and reduce the time it takes to scan from weeks to hours. By deploying multiple NeXpose scanning engines at strategic network locations, users can reduce the time it takes to scan an entire enterprise network to under an hour.

Screenshot: NeXpose allows your security staff to organize assets into sites for better assessment.

Screenshot: Asset Groups allow non-administrative users to view and report vulnerabilities.

An automated network audit is only as good as the comprehensiveness and accuracy of the scan. To ensure NeXpose maintains unrivaled vulnerability coverage and scan accuracy, Rapid7 maintains a dedicated staff of security engineers and analysts who conduct independent vulnerability research and constant monitoring of industry-standard vulnerability lists such as CVE, CERT, and the SANS Top 20. These analysts maintain the extensive vulnerability database in NeXpose, which covers servers and workstations using Windows and UNIX-based operating systems, network infrastructure devices such as routers and switches, and databases, web servers, email servers, and other network services and applications.

The NeXpose security scanner can scan all of your IT assets against this up-to-date database, deeply examining an entire network infrastructure by probing for complex weaknesses that could lead to an intrusion. By leveraging artificial intelligence, NeXpose can virtually eliminate false positives by verifying the true existence of the vulnerability rather than relying on the simple version check that is performed by most other vulnerability scanners.

Delegate and prioritize effort based on risk

Once the vulnerability audit is complete, the next step is to prioritize the remediation effort and assign remediation tasks to individuals or teams. Most IT departments have limited personnel and a tight budget, making it important to prioritize discovered vulnerabilities such that resources are utilized in the optimum fashion to maximize efficiency. Remediation priority should be based on the criticality of the vulnerability, which takes into account the likelihood and difficulty of exploitation, and the business use and importance of the IT asset.

Screenshot: The NeXpose interface visually displays vulnerability and risk information.

NeXpose assists IT managers with the delegation and prioritization tasks by assigning a risk score to each asset discovered during an audit. The risk score takes into account many factors that weigh the relative risk of vulnerabilities. For example, a remotely exploitable buffer overflow vulnerability that gives root-level access will have a higher risk score than a vulnerability that could lead to a denial of service attack under austere conditions. In addition, the internal risk score is weighted against a company-assigned risk factor, which conveys the relative importance of a system within the business operations.

Delegation can be handled by the integrated ticket system in NeXpose. Security engineers and managers can delegate remediation tasks to the analysts and administrators responsible for individual systems. Optionally, NeXpose can integrate with many third-party enterprise ticketing systems such as Remedy and Peregrine.

Screenshot: NeXpose offers an integrated ticket system to track the resolution of vulnerabilities.

Remediate by applying the patch, upgrade or workaround

The task of remediating vulnerabilities is usually the most time-consuming part of the vulnerability management process. Even with automated patch management tools, push failures, incompatibilities, and false positives can cause a network administrator to spend a great deal of time on the remediation effort. Without a clear and efficient remediation plan in place, security managers will waste time and money when patches are applied in the wrong order or critical legacy systems fail. NeXpose can efficiently guide IT administrators through the remediation process by generating a detailed remediation plan. The plan will specify each system to be patched, step-by-step instructions for applying upgrades and patches in the correct order, and the total time it should take to perform the required maintenance.

Confirm by rescanning to validate the fix applied

After a patch or fix has been applied, it is important to perform a follow-up scan to verify that the vulnerability has been properly mitigated. Human or machine error during the remediation phase is very common, and proper verification ensures that a false sense of security does not arise whereby the network remains vulnerable to an issue that was thought to be fixed. Verification, with the resulting documentation, is an important step for compliance with many laws and regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley, and HIPAA. Using the integrated ticketing system in NeXpose ensures that the confirmation step is accomplished for all vulnerabilities assigned a ticket. NeXpose will automatically mark closed tickets related to a vulnerability as awaiting verification and will check for proper remediation on the next scan before the ticket is finally closed.

Screenshot: Use NeXpose to view the status of tickets and track vulnerabilities from discovery to resolution.
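The risk-weighted prioritization described under "Delegate" and the ticket lifecycle described under "Confirm" (an administrator's close only moves a ticket to awaiting verification; the next scan decides whether it finally closes or reopens), modelled together as an added Python example. This is illustrative code written for this page, not NeXpose's own scoring algorithm or ticketing implementation; the weights, state names, asset names and vulnerability IDs are constructed assumptions.

```python
"""Illustrative Delegate -> Remediate -> Confirm loop. Added example, not NeXpose code:
the weights, states and sample data are constructed assumptions that mirror the
behaviour the paper describes."""
from dataclasses import dataclass, field
from enum import Enum

class TicketState(Enum):
    OPEN = "open"
    AWAITING_VERIFICATION = "awaiting_verification"   # admin closed it, rescan pending
    CLOSED = "closed"                                 # rescan confirmed the fix

# Assumed weights: how reachable the flaw is, and what an attacker gains from it.
EXPLOIT_WEIGHT = {"remote": 1.0, "adjacent": 0.7, "local": 0.4}
IMPACT_WEIGHT = {"root": 10.0, "user": 6.0, "dos": 3.0, "info": 1.0}

@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    exploit_vector: str      # "remote" | "adjacent" | "local"
    impact: str              # "root" | "user" | "dos" | "info"
    reliable: bool = True    # False when exploitation works only "under austere conditions"

@dataclass
class Asset:
    name: str
    business_criticality: float   # company-assigned factor, e.g. 0.5 lab box .. 2.0 payment system
    findings: list = field(default_factory=list)

def vulnerability_score(v: Vulnerability) -> float:
    """Internal severity: impact scaled by exploitability, halved when unreliable."""
    score = IMPACT_WEIGHT[v.impact] * EXPLOIT_WEIGHT[v.exploit_vector]
    if not v.reliable:
        score *= 0.5
    return round(score, 2)

def asset_risk(asset: Asset) -> float:
    """Sum of finding severities, weighted by the company-assigned importance factor."""
    total = sum(vulnerability_score(v) for v in asset.findings)
    return round(total * asset.business_criticality, 2)

def prioritize(assets: list) -> list:
    """Highest-risk assets first, so limited remediation staff start where it matters."""
    return sorted(assets, key=asset_risk, reverse=True)

@dataclass
class Ticket:
    asset: str
    vuln_id: str
    assignee: str
    state: TicketState = TicketState.OPEN

    def mark_remediated(self) -> TicketState:
        # The administrator's "close" only parks the ticket until a rescan confirms it.
        if self.state is TicketState.OPEN:
            self.state = TicketState.AWAITING_VERIFICATION
        return self.state

    def apply_rescan(self, still_vulnerable: set) -> TicketState:
        # Confirm step: the next scan's findings decide whether the ticket closes or reopens.
        if self.state is TicketState.AWAITING_VERIFICATION:
            if self.vuln_id in still_vulnerable:
                self.state = TicketState.OPEN      # fix did not take; back to the assignee
            else:
                self.state = TicketState.CLOSED
        return self.state

def run_demo() -> dict:
    """Constructed sample data: two assets sharing one remote root-level flaw."""
    rce = Vulnerability("VULN-A", "remote", "root")
    flaky_dos = Vulnerability("VULN-B", "local", "dos", reliable=False)
    pay_db = Asset("pay-db-01", 2.0, [rce])
    lab_ws = Asset("lab-ws-07", 0.5, [rce, flaky_dos])
    order = [a.name for a in prioritize([lab_ws, pay_db])]
    ticket = Ticket(pay_db.name, rce.vuln_id, assignee="dba-team")
    ticket.mark_remediated()                    # admin reports the patch applied
    first = ticket.apply_rescan({"VULN-A"})     # rescan still finds it: ticket reopens
    ticket.mark_remediated()
    second = ticket.apply_rescan(set())         # clean rescan: ticket finally closes
    return {"order": order, "pay_db_risk": asset_risk(pay_db),
            "lab_ws_risk": asset_risk(lab_ws),
            "after_first_rescan": first, "after_second_rescan": second}

if __name__ == "__main__":
    print(run_demo())
```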

Report risk assessment to management

Proper reporting is a critical step in the vulnerability management process. Reporting can convey lower-level tactical information to security administrators on vulnerability information, affected systems, external references, and remediation steps. NeXpose can generate reports based on predefined or custom templates that cover everything from low-level remediation information to higher-level compliance reports. These reports can be saved in a variety of formats such as HTML or PDF, or they can be exported to an external database using XML or CSV.

Screenshot: NeXpose offers robust reporting capabilities that enable organizations to take control of their network security.

Proper reporting is also an important tool for managers and executives, allowing them to gain a strategic understanding of the overall risk of a system. Business leaders rely on concise and relevant reports in order to have the information required to make rational business decisions. By leveraging the low-level scan results and transforming them into a useful format for high-level business decisions, NeXpose can deliver the relevant information to the proper audience. IT managers can examine trend analyses to ensure forward progress on initiatives and head off potential problems before they develop. Executives can be presented with a very high-level map of the overall risk across the entire enterprise.

SUMMARY

NeXpose, through its design, facilitates adaptation as the company grows in size and as the vulnerability management process matures. A distributed architecture using multiple scan engines allows NeXpose to scale easily as the size of the network grows. The ability to modify scan parameters and create custom checks within NeXpose to enforce corporate IT security policy is a critical feature of any enterprise-level vulnerability management solution.

ABOUT RAPID7

Rapid7 is the leading provider of unified vulnerability management, compliance and penetration testing solutions, delivering actionable intelligence about an organization's entire IT environment. Rapid7 offers the only integrated threat management solution that enables organizations to implement and maintain best practices and optimize their network security, Web application security and database security strategies. Recognized as the fastest growing vulnerability management company in the U.S. by Inc. Magazine, Rapid7 helps leading organizations such as Liz Claiborne, Southern Company, the United States Postal Service, the New York Times, Carnegie Mellon University and the National Nuclear Security Administration (NNSA) to mitigate risk and maintain compliance for regulations such as PCI, HIPAA, FISMA, SOX and NERC. Rapid7 also manages the Metasploit Project, the leading open-source penetration testing platform with the world's largest database of public, tested exploits. For more information, visit www.rapid7.com.