Organizations perform vulnerability assessments to locate computers, network devices, applications and other IT assets that have any security holes or other bugs that can be exploited by hackers. Open source applications like Nessus or commercial tools like Qualys scan the network for these vulnerabilities and report them to the end user.
Vulnerability assessment scans can have a significant impact on a network or on the performance of the systems being scanned. This leads many companies to schedule scans only once per quarter, or only when demanded by an external agency. Examples of these external drivers are the Sarbanes-Oxley Act, which governs public companies, and the Payment Card Industry Data Security Standard, which regulates companies that process credit cards.
Closing the gaps detected by a vulnerability assessment makes it more difficult for a hacker to break into the network.
What a Vulnerability Assessment Tool Does
Tools like Nessus or Qualys are quite literally self-contained hacker suites. When these applications perform their scans they often act as if they were a hacker trying to exploit a system. If the scanner finds a database, it can be told to attempt a SQL injection attack. When it locates a web server, it may attempt a buffer overflow or cross-site scripting attack.
Each application has its own database of known attack signatures that the user can use to scan the network. These signatures are updated on a frequent basis to ensure that the latest known attack vectors are accounted for.
Planning the Vulnerability Scan
Special care must be taken when doing a vulnerability scan against production systems. Executive sign-off at the highest level possible must be obtained, because performing a scan has the potential to disable systems or cause severe network issues.
It may be necessary to disable other security tools, or put them into maintenance mode, during the scan to avoid causing a flood of false positives or to prevent them from alerting on known activity.
Have a contingency plan to recover from outages that may be caused by the scan. This is particularly important when testing production systems, where outages prevent the organization from doing business.
Setting Up the Vulnerability Scan
Selecting tests is a critical component in configuring the vulnerability scan. Only choose tests that are relevant to the operating systems, devices and applications in your network. It makes no sense to include scans for Linux vulnerabilities if your entire network is Windows based.
Most tools such as Nessus also allow you to configure the intrusiveness of the scan. Highly intrusive scans can prevent systems from performing their given tasks, but provide the user with the most information and detail about vulnerabilities. Less intrusive scans do not impact the network or system as much, but do not provide as much information.
Organizations generally perform the more intrusive scans on a quarterly or bi-annual basis for security audit purposes. Less intrusive scans can be run more frequently to monitor or maintain an overall level of confidence in security.
Running the Scan and Interpreting the Results
Vulnerability scans can be treated like a penetration test and run unannounced, or they can be run inside an established window. Once the scan is completed, each tool will present a report of its findings. Review the findings to determine the severity of the results. You may not be able to remediate some results due to the use of legacy applications or operating systems. The organization must document why it is necessary to carry these risks in order to continue to do business.
Other vulnerabilities must be addressed in a timely manner in order to satisfy internal or external security audits or regulatory requirements. Failure to close these gaps leaves the business exposed to threats from malicious attackers and, eventually, to consumer and/or shareholder lawsuits when personal data is stolen.
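The review step above (separate what must be fixed from what the organization has knowingly chosen to carry, and make sure each carried risk is documented) can be scripted over a scanner's report export. The following is an added example, not code from the article or from any scanner; the findings, check identifiers and the risk-acceptance register are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str      # scanner check identifier (constructed values below)
    severity: str
    title: str

@dataclass(frozen=True)
class RiskAcceptance:
    host: str
    check_id: str
    justification: str  # why the business must carry this risk
    expires: date       # must be re-approved after this date

def triage(findings, acceptances, today, min_severity="medium"):
    # Findings with a valid, justified acceptance are set aside; an expired or
    # unjustified acceptance is flagged and the finding still goes to remediation.
    by_key = {(a.host, a.check_id): a for a in acceptances}
    remediate, accepted, stale = [], [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[min_severity]:
            continue  # below the audit threshold for this review
        acc = by_key.get((f.host, f.check_id))
        if acc is not None and acc.expires >= today and acc.justification.strip():
            accepted.append((f, acc))
            continue
        if acc is not None:
            stale.append((f, acc))
        remediate.append(f)
    remediate.sort(key=lambda f: (-SEVERITY_RANK[f.severity], f.host))
    return remediate, accepted, stale

# Constructed sample report and register, not real scanner output.
FINDINGS = [
    Finding("db01", "CHK-1001", "critical", "Unsupported database version"),
    Finding("web01", "CHK-2002", "high", "Reflected cross-site scripting"),
    Finding("legacy01", "CHK-3003", "high", "End-of-life operating system"),
    Finding("web01", "CHK-4004", "low", "Server banner disclosure"),
]
ACCEPTANCES = [
    RiskAcceptance("legacy01", "CHK-3003", "Runs line-of-business app; replacement funded", date(2030, 1, 1)),
    RiskAcceptance("db01", "CHK-1001", "", date(2030, 1, 1)),  # no justification recorded
]

def example_result(today=date(2025, 1, 1)):
    return triage(FINDINGS, ACCEPTANCES, today)
```

Running `example_result()` queues the unjustified db01 finding and the web01 XSS for remediation, keeps legacy01 under its documented acceptance, and lists db01 as a stale register entry that needs a written justification.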
For public companies, compliance with the Sarbanes-Oxley Act requires that these scans be performed on a regular basis. The Payment Card Industry Data Security Standard requires companies that process credit cards to perform vulnerability assessments as well.
Alternate Methods of Looking for Vulnerabilities
Vulnerability assessment tools provide one means of automating the search for security gaps. Other applications known as “configuration assessment tools” provide another method of finding and closing vulnerabilities. Configuration assessment applications don’t scan the network looking for vulnerabilities. Instead they read the configuration files of various systems and compare the settings to known benchmarks from third parties such as the Center for Internet Security, or to the controls of a standard such as ISO 27001.
Companies such as McAfee and Tripwire provide suites of products designed to perform these functions. While these tools do not actively scan or attempt to penetrate a network, they do provide an additional layer of assessment that can be performed more often, as they do not impose as high a performance cost on the host systems or the network itself.
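To make the comparison concrete, here is an added example (not from the article and not the code of any product named above) of the core operation a configuration assessment tool performs: read a host's configuration file, resolve the settings the way the service itself would, and grade each one against a benchmark. The sshd_config sample and the benchmark rules are constructed for illustration and are not a copy of any CIS or vendor benchmark.

```python
import re

# Constructed benchmark: illustrative hardening rules, not a published benchmark.
BENCHMARK = {
    "PermitRootLogin": lambda v: v == "no",
    "PasswordAuthentication": lambda v: v == "no",
    "X11Forwarding": lambda v: v == "no",
    "MaxAuthTries": lambda v: v.isdigit() and int(v) <= 4,
    "LogLevel": lambda v: v in {"INFO", "VERBOSE"},
}

def parse_sshd_config(text):
    """Effective global settings as {keyword_lowercase: value}. sshd honours the
    first occurrence of a keyword; directives after a Match block are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # everything below applies only to matching users/hosts
        settings.setdefault(key, value)  # later duplicates are ignored by sshd
    return settings

def assess_config(text, benchmark=BENCHMARK):
    """Return {keyword: (PASS|FAIL|MISSING, actual_value)} for each benchmark rule."""
    settings = parse_sshd_config(text)
    results = {}
    for keyword, check in benchmark.items():
        actual = settings.get(keyword.lower())
        if actual is None:
            results[keyword] = ("MISSING", None)  # compiled-in default applies; review it
        else:
            results[keyword] = ("PASS" if check(actual) else "FAIL", actual)
    return results

# Constructed sshd_config sample; not taken from a real host.
SAMPLE_CONFIG = """\
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 6
LogLevel INFO
Match User backup
    PasswordAuthentication yes
"""
```

Because the parser keeps the first PermitRootLogin value and ignores the Match block, the sample grades PermitRootLogin and MaxAuthTries as FAIL, PasswordAuthentication and LogLevel as PASS, and X11Forwarding as MISSING, which is the behaviour an assessment tool must reproduce to avoid false passes.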