BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Seizing Windows of Opportunity for Vulnerability Assessment

Posted April 1, 2014    Morey Haber

The change control process for many organizations dictates that vulnerability assessment scanning can only occur during predefined scan windows. During these times, teams are notified that an assessment will be conducted and that alerts from IDS/IPS sensors, SIEMS, and local AV agents should be ignored or whitelisted from the scanners. This is a very typical process.

The Window of Opportunity to perform vulnerability assessments also dictates that the scans must complete, be paused, or be aborted before the window ends. This ensures that scans only occur during the allotted time and not in production hours. In order to maintain these schedules, scan jobs need to be controlled centrally to maintain these windows. This implies the following characteristics:

  • Scan windows should permit jobs to be paused and resumed or aborted when the end of a scan window is reached.
  • Scan windows should be configurable per scan job, globally, or per scan engine to meet individual business requirements.
  • Scan windows should be calendar-based by time and day in order to enforce change control windows.
  • A methodology should be available for continuous scanning when assessments must adhere to strict change control windows.

The last bullet provides in an interesting dilemma for all that need to perform continuous monitoring. How do you scan frequently and not violate policies for scan windows?

The answer is only available from BeyondTrust. BeyondTrust provides the Retina Protection Agent, which is included with Retina CS Enterprise Vulnerability Management operating within the BeyondInsight IT Risk Management Platform. The Retina Protection Agent enables local vulnerability assessment on a host and returns the results to the BeyondInsight central management console. Scan windows typically dictate when network scanning can and cannot occur. With a local agent, the requirement is circumvented and can be scheduled as frequently as needed to achieve the desired results without impacting the host, network, and more importantly the people and policies that govern change control and scan windows.  Below is a diagram illustrating how this can be configured:

windows of opp-img1

Retina Protection Agents are located on systems that require periodic vulnerability assessment. In this case, scan windows are not applicable because the status and location of the assets is never fully known and cannot be scanned through the internet or made available reliably for change control windows. Therefore, the local Retina agent performs a scheduled assessment locally and, when it is connected to the Internet (or internal network), transmits the results to BeyondInsight for analytics and reporting. The results produce vulnerability data that meets continuous monitoring requirements and addresses any scan windows that may be in place by policy.

The Window of Opportunity for vulnerability assessment is changing. For example, PCI DSS 3.0 requires more continuous assessments and scans to be scheduled as a part of normal business practices versus just once per quarter. In order to meet these goals, vulnerability management tools need to manage scan windows with incredible flexibility and adhere to internal policies while allowing assessments to occur more frequently. BeyondInsight provides the features to control scan windows with incredible ease and exceed the requirements with localized agents when no Window of Opportunity can be established. Below is an example of how to perform scan window scheduling on a per job basis:

windows of opp-img2

For more information on how BeyondTrust can help you manage scan windows, please contact us at sales@beyondtrust.com. We look forward to helping your organization perform successful vulnerability assessments with the best reporting in the industry.

Tags:
, , , , ,

Leave a Reply

Additional articles

How To Implement The Australian Signals Directorate’s Top 4 Strategies

Posted October 20, 2014    Morey Haber

The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate, has developed a list of strategies to mitigate targeted cyber intrusions. The recommended strategies were developed through ASD’s extensive experience in operational cyber security, including responding to serious security intrusions and performing vulnerability assessments and penetration testing for Australian government agencies. These recommendations…

Tags:
, , , ,
asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,