BeyondTrust

Security in Context: The BeyondTrust Blog


Prioritizing Vulnerability Assessment and Remediation Steps: A New User's Guide to Getting Started – Part 1

Posted January 31, 2011    Morey Haber

New users to vulnerability assessment often ask the same question: “How do I get started?” While this may sound incredibly generic to a security engineer, many companies have never had a vulnerability management process in place and are trying to comprehend the problems of missing patches, remediation prioritization, and risk acceptance. As a basic recommendation, I put together these three examples for a conservative vulnerability assessment rollout that should help anyone facing the challenges of a new process. The methodology takes into consideration the sensitivity of vulnerability information and the caution required when performing network scans against targets that may be susceptible to faults.

The examples in this blog outline three approaches to a deployment that can be cross implemented to discover the health of the environment in phases.

Example One – Critical Vulnerabilities Only

eEye Digital Security’s Retina Solution allows scanning to be customized through Smart Groups and Report Templates. By managing Smart Groups and Templates, scan targets can be limited to testing only the critical vulnerabilities that could adversely affect the environment. This reveals the areas where sensitive data and system compromises could negatively affect the infrastructure; it essentially looks for the “low hanging fruit” of critical vulnerabilities that should be remediated first.

Figure 1. Audit Groups Sorted by High Severity

This approach has several advantages over full audit scanning:

  • Vulnerabilities that could be exploited with little to no user intervention will be accurately identified
  • The volume of potential compliance data and information messages will be reduced
  • Business units and security teams can focus on the highest priority items that could interrupt normal business operations

This approach allows for targeted scanning of devices with only the highest severity items to identify:

  • How well patch management processes are functioning to meet regulatory requirements
  • Which devices with sensitive data can be compromised with minimal to no intervention
  • Devices that contain severe vulnerabilities and are potentially end of life can be identified for replacement

This approach has a few disadvantages:

  • Low severity compliance related audits will be missed
  • Basic audits for usernames, groups, rogue services and processes will not be performed
  • Web application and database vulnerabilities may be excluded

Example Two – Statistical Sampling

Many regulatory compliance initiatives, including the PCI DSS, allow statistical sampling of assets as part of an effective vulnerability management strategy. For this approach to be successful, every type of device must be represented in a sample group of approximately 10% of the environment. In addition, proof of image standardization for hosts such as desktops is required to validate the statistical sampling approach. Deviations from the standard build are not acceptable and must be locked down.

Please consider the following:

  • All operating systems in the environment
  • All applications in the infrastructure
  • All hardware and network devices and printers
  • The scope of the devices in the assessment sample

All of the device types above must be included in the target group. No version or platform can be excluded. The sample can be scanned with all audits or with targeted vulnerabilities to report on the trends within the environment.

Figure 2. Sample Set of Scanned Assets for Statistical Sampling, Desktops Only

Statistical Sampling has several advantages:

  • Limited targets and risk to production devices
  • Validation of compliance management initiatives and image standardization
  • Rapid scan times compared to evaluating the entire infrastructure
  • Consolidated reports based on samples

In contrast, the disadvantages to this approach:

  • No rogue asset identification
  • Bottom “n” vulnerabilities and “one-offs” are not identified, but are still susceptible to attack
  • If deviations do occur in the images, they will be missed and invalidate the premise for this type of assessment
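The sampling rules above (roughly 10% of the environment, every device type and platform represented, no image deviations) as an added example written for this post, not Retina's own logic. The inventory, the standard build names and the host names are constructed for illustration.

```python
"""Stratified ~10% sampling of an asset inventory (Example Two).
Hypothetical helper written for this article, not Retina's own logic: every
(device type, OS) stratum must land in the sample, and hosts whose image
deviates from the standard build are reported first, since they void the premise.
"""
import math
import random
from collections import defaultdict, namedtuple

Host = namedtuple("Host", "name device_type os image_build")

# Constructed standard image per (device type, OS) stratum
STANDARD_BUILDS = {
    ("desktop", "Windows 7"): "win7-gold",
    ("server", "Windows 2008 R2"): "w2k8r2-gold",
    ("server", "RHEL 5"): "rhel5-gold",
    ("switch", "IOS 12.4"): "ios-std",
    ("printer", "JetDirect"): "jd-std",
}

def build_inventory():
    """Constructed 60-host inventory; ws07 was re-imaged by hand (a deviation)."""
    inv = [Host("ws%02d" % i, "desktop", "Windows 7", "win7-gold") for i in range(40)]
    inv += [Host("app%02d" % i, "server", "Windows 2008 R2", "w2k8r2-gold") for i in range(8)]
    inv += [Host("db%02d" % i, "server", "RHEL 5", "rhel5-gold") for i in range(6)]
    inv += [Host("sw%02d" % i, "switch", "IOS 12.4", "ios-std") for i in range(4)]
    inv += [Host("prn%02d" % i, "printer", "JetDirect", "jd-std") for i in range(2)]
    inv[7] = Host("ws07", "desktop", "Windows 7", "win7-handbuilt")
    return inv

def find_deviations(inventory, standard_builds=STANDARD_BUILDS):
    """Hosts whose image is not the standard build for their stratum."""
    return [h for h in inventory
            if h.image_build != standard_builds.get((h.device_type, h.os))]

def stratified_sample(inventory, fraction=0.10, seed=1):
    """Pick ~fraction of hosts, guaranteeing at least one per stratum."""
    rng = random.Random(seed)
    strata = defaultdict(list)
    for h in inventory:
        strata[(h.device_type, h.os)].append(h)
    # Never fewer hosts than strata, or a platform would be excluded
    target = max(len(strata), math.ceil(fraction * len(inventory)))
    sample = [rng.choice(members) for members in strata.values()]
    remaining = [h for h in inventory if h not in sample]
    return sample + rng.sample(remaining, target - len(sample))

def plan_scan(inventory, fraction=0.10, seed=1):
    """Return (deviating hosts to lock down first, sample drawn from clean hosts)."""
    bad = find_deviations(inventory)
    clean = [h for h in inventory if h not in bad]
    return bad, stratified_sample(clean, fraction, seed)
```

Deviating hosts are returned separately rather than sampled, because the post's premise is that the sample only speaks for the rest of the fleet when every host matches its standard image.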

Example Three – Targeted Scanning Based On Business Function

Many devices in an environment provide supporting functions to a business but have no direct connectivity to critical information. Consider a web application: only the web server and its supporting infrastructure should have access to the middleware and databases. A web application vulnerability assessment scan will reveal any flaws there, and users can only reach the target through this single entry point. Therefore, assessing every workstation that interfaces with critical data only via the web is overkill. A better approach follows the “where is the gold” principle: the business must identify where all of the critical business systems are and group them accordingly. Scans of these devices will target all possible entry points and should only occur during a predefined and acceptable scan window.

This approach informs all parties that a network scan is going to occur (in case of a fault or outage) and confirms that all critical systems are free from high-rated risks.

Figure 3. Hosts Grouped by Domain and Displayed in a Topology View

Advantages to this approach:

  • Scans occur only at acceptable times
  • Systems housing sensitive data (in scope) are validated to be risk free

Disadvantages for targeted scanning:

  • Non-critical systems are not assessed and could be used as a beachhead to infiltrate an organization
  • The manual process of identifying hosts may lead to missing systems for targeted scans
  • No rogue asset detection

The examples in this blog can be cross implemented to discover the health and vulnerability status of the environment in phases, and to ensure that the information collected is actionable and manageable for any organization beginning a new vulnerability management process.

eEye Professional Services are available to assess the risk and compliance objectives with any of these processes, and can provide a phased rollout approach to meet your business requirements. Based on our experience with clients of a similar size, and the overall security and business goals of your organization, eEye is confident that our solutions and services can meet your needs.

>> To learn more about what the new Retina CS can do for you, please visit us eeye.com/new

>> If you are interested in upgrading to the new Retina CS, please contact your sales rep or email us at info@eeye.com
