Vulnerability management is the embodiment of continuous process improvement in system security.
In a recent discussion in the Norwich University IS342 (Management of Information Assurance) course in the Bachelor of Science in Computer Security and Information Assurance, the class reviewed Rebecca Gurley Bace’s chapter 46, “Vulnerability Assessment” from the Computer Security Handbook, 5th Edition.
Bace explains that vulnerability management includes several phases:
- Assessing deployed information systems to determine their security status;
- Determining corrective measures;
- Managing the appropriate application of the corrections.
The four basic functions of vulnerability management are
- Inventory: identify all systems in the domain of interest, including operating systems, platforms, and topology;
- Focus: determine the data required for assessment and tune vulnerability-assessment tools;
- Assess: run automated and manual tests, evaluate results to judge risk to the systems using security policy and best practices;
- Respond: execute changes as required by assessment and fix specific weaknesses.
Vulnerability assessment (VA) involves gathering sample data, organizing the data, comparing the current status with reference standards, and identifying discrepancies between the current state and recommended standards or goals. An example of a well-known VA tool is the Microsoft Baseline Security Analyzer v2.2 (MBSA) that “provides a streamlined method to identify missing security updates and common security misconfigurations.” The product has been updated over the years to support Windows 7 (32- and 64-bit) and Windows Server 2008 R2 as well as older operating systems back to Windows XP and Windows 2000. It also looks for documented weaknesses in “all versions of… Internet Information Server (IIS) 5.0, 6.0 and 6.1, SQL Server 2000 and 2005, Internet Explorer (IE) 5.01 and later, and Office 2000, 2002 and 2003 only.” Versions of the human interface are available in German, French, and Japanese in addition to English.
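To make the four functions and the "compare current status with a reference standard" idea concrete, here is an added example (not code from the chapter, from MBSA, or from any product named on this page). It runs a miniature inventory, focus, assess, respond loop over a constructed inventory of two hosts and a constructed baseline; the hostnames, version thresholds, role/port policy and the "high-risk port" judgement are all assumptions made for illustration.

```python
"""Miniature vulnerability-assessment loop: inventory -> focus -> assess -> respond.

Added example. INVENTORY, BASELINE and HIGH_RISK_PORTS are constructed for
illustration and do not describe any real network or vendor catalogue.
"""
import re
from dataclasses import dataclass

# Constructed inventory: what the discovery step would have collected.
INVENTORY = [
    {"host": "web01.example.test", "os": "Windows Server 2008 R2",
     "software": {"IIS": "6.0", "SQL Server": "2005"},
     "open_ports": [80, 443, 3389, 1433]},
    {"host": "ws07.example.test", "os": "Windows 7",
     "software": {"Office": "2003", "IE": "8.0"},
     "open_ports": [135, 445]},
]

# Constructed reference standard: the role a vendor catalogue or an
# organisation's own policy plays in a real assessment.
BASELINE = {
    "min_versions": {"IIS": "7.5", "SQL Server": "2008", "Office": "2007", "IE": "9.0"},
    "allowed_ports": {"web": {80, 443}, "workstation": set()},
    "roles": {"web01.example.test": "web", "ws07.example.test": "workstation"},
}

# Constructed judgement: remote-admin, database and file-sharing ports rate "high".
HIGH_RISK_PORTS = {445, 1433, 3389}


def version_key(text):
    """Turn '6.0', '2008 R2' or '7.5' into a comparable tuple of ints.
    Hypothetical helper: real tools need vendor-specific version rules."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str        # "outdated-software" or "unexpected-port"
    detail: str
    severity: str    # "high" or "medium"


def inventory_hosts(inventory):
    """Inventory: enumerate every system in the domain of interest."""
    return [h["host"] for h in inventory]


def focus(inventory, baseline):
    """Focus: keep only the data the assessment needs (software we have a
    reference version for, plus the port policy for the host's role)."""
    scoped = []
    for h in inventory:
        role = baseline["roles"][h["host"]]
        scoped.append({
            "host": h["host"],
            "software": {k: v for k, v in h["software"].items()
                         if k in baseline["min_versions"]},
            "open_ports": set(h["open_ports"]),
            "allowed_ports": baseline["allowed_ports"][role],
        })
    return scoped


def assess(inventory, baseline):
    """Assess: compare current state with the reference standard and list
    every discrepancy as a Finding."""
    findings = []
    for h in focus(inventory, baseline):
        for product, installed in sorted(h["software"].items()):
            required = baseline["min_versions"][product]
            if version_key(installed) < version_key(required):
                findings.append(Finding(h["host"], "outdated-software",
                                        f"{product} {installed} < required {required}",
                                        "medium"))
        for port in sorted(h["open_ports"] - h["allowed_ports"]):
            sev = "high" if port in HIGH_RISK_PORTS else "medium"
            findings.append(Finding(h["host"], "unexpected-port",
                                    f"port {port} open", sev))
    return findings


def respond(findings):
    """Respond: turn each finding into a corrective action, highest severity first."""
    order = {"high": 0, "medium": 1}
    actions = []
    for f in sorted(findings, key=lambda f: (order[f.severity], f.host, f.detail)):
        if f.kind == "outdated-software":
            actions.append(f"{f.host}: upgrade/patch {f.detail.split(' <')[0]}")
        else:
            actions.append(f"{f.host}: close or firewall {f.detail.split(' open')[0]}")
    return actions


if __name__ == "__main__":
    results = assess(INVENTORY, BASELINE)
    for f in results:
        print(f"[{f.severity:6}] {f.host:20} {f.kind:18} {f.detail}")
    print("\nRemediation plan:")
    for action in respond(results):
        print(" -", action)
```

The point of separating `assess` from `respond` is the one the chapter makes: the discrepancy list is the archivable audit record, and the remediation plan is derived from it rather than improvised host by host. A real tool replaces the constructed baseline with a maintained catalogue and the version tuple with vendor-specific comparison rules, but the loop is the same.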
For an excellent overview of how a well-designed VA tool can support security management, see the extensive set of white papers from StillSecure about their “VAM” product.
VA fits into security management in many ways:
- When systems are first deployed, VA can establish a baseline definition of the security state;
- When security breaches are suspected, VA users can focus on likely attack paths;
- VA may help administrators to see if vulnerabilities have been exploited;
- VA can identify areas where newly reported vulnerabilities should be patched;
- Records of VA scans can be archived and serve for audits or for compliance with certifications.
At a fundamental level, VA systems support auditability, which in turn supports incident handling and recovery. VA is an essential part of continuous process improvement for security policies to adapt to the constantly changing threat-and-vulnerability environment.
History and Directory of VA Tools
One of the earliest VA tools was COPS (Computer Oracle and Password System) developed by Eugene “Spaf” Spafford and Dan Farmer at Purdue University.
In the early 1990s, the Internet Security Scanner (ISS) was the subject of a Computer Emergency Response Team Coordination Center (CERT-CC) Advisory warning of “software that allows automated scanning of TCP/IP networked computers for security vulnerabilities.”
Dan Farmer & Wietse Venema developed SATAN (Security Administrator Tool for Analyzing Networks) in the early 1990s and posted the code in 1995. For an overview of the tool, see the page at the Center for Education and Research in Information Assurance and Security (CERIAS).
NESSUS from TENABLE Network Security is described by the company as “the world’s most widely-deployed vulnerability and configuration assessment product with more than five million downloads to date.” The product is freely available for individual, non-commercial use and has an evaluation version for use by organizations. The evaluation page includes a chart comparing features of the evaluation version and the professional version, which at the time of this writing (April 2012) costs US$1,500 per year.
NMAP (NetMAPper) is a widely used freeware “for Linux, Windows, and Mac OS X.” The home page boasts that “Nmap was named ‘Security Product of the Year’ by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in eight movies, including The Matrix Reloaded, Die Hard 4, and The Bourne Ultimatum.” [Perhaps other products should consider demonstrating their quality by appearing in popular movies. Imagine how popular MS Word could become if it appeared in Monty Python movies!]
One of the most useful tools for individual users as well as for network administrators is Steve Gibson’s ShieldsUP! service which provides a quick scan of the first 1056 ports of an individual computer. Ideally, every port will register as “Stealth” (not responding to probes) or at least as “Closed” (not accepting connections).
For links to more products, see the excellent “Alphabetical List of Vulnerability Assessment Products” maintained by Timberline Technologies.
Concluding Remarks
One of the most important suggestions for effective penetration testing (pen testing) is that vulnerability analysis and vulnerability remediation must precede testing. It’s pointless to waste time and money on pen testing if we haven’t corrected everything we can find using scanners.
* * *
For study notes on vulnerability assessment, download the IS342 PPTX or PDF files.