Thursday, September 30, 2010

Vulnerability Assessment and Management

A vulnerability is a weakness in a system that can be exploited. Vulnerability scanning is performed to find all the weaknesses in a system: it involves running a scanning program on one machine and then connecting over the network to the machines you choose to check.
This helps to find and fix weaknesses in systems before someone else finds them and decides to break in.

Vulnerability scanning is part of a defense-in-depth strategy and:
• Leads to asset discovery.
• Provides the information needed to ensure that hosts within an enterprise are safe from known attacks.
• Provides enough data to track the internal security posture over time.

Hence it is a key part of managing risk: it identifies the risk of every system, not just the ones we already know about.

To know the state of our systems, we need to understand the weaknesses we are trying to defend against and, where possible, remove them. For this we need a source of all known vulnerabilities and the patches available to address them. This can be done by monitoring each software manufacturer individually or by getting consolidated notifications from a provider such as http://securitytracker.com.

Scanning can be performed either by deploying a vulnerability scanning application in the enterprise or by using SaaS services from VAM service providers such as http://securityspace.com or http://www.qualys.com.

Whenever a new update is released, the system administrator should evaluate whether it applies to the organization and then install it.

NIST has defined various SCAP (Security Content Automation Protocol) standards, which provide standard formats for collecting application/system attributes, performing assessments using specific tests and displaying the results. When vendors follow these standards in their output, the results can be easily consumed by other products.

Some of the standards that can be used with VAM are:
CPE - Common Platform Enumeration, the format to follow when providing platform-specific details such as the attributes of an OS.
CVE - Common Vulnerabilities and Exposures, a way for product vendors to provide vulnerability and exposure information.
OVAL - Open Vulnerability and Assessment Language, an open standard from MITRE that enables automated assessment and compliance checking.
It provides a standard schema for the entire assessment process:
1. Data collection
Collect data about the system under test. This is captured as OVAL system characteristics; OVAL definitions are available for this.
2. Analysis
Collect and organize the results of the assessment. OVAL definitions are available for this.
3. Results
Arrange the detected data against the defined machine states. The OVAL results schema is available for this.

Once scanning is performed, useful metrics should be derived and reported on. Metrics such as the percentage of vulnerable systems and the time from discovery to remediation will benefit the custodians and help update the enterprise policy needed to improve compliance.
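As an added example (not part of the original post), the analysis and metric steps above in Python: a version-range check stands in for an OVAL test against collected system characteristics, and comparing two consecutive scans yields the percentage of vulnerable systems and the time from discovery to remediation. The host inventory, CPE-style platform names and vulnerability IDs are all constructed placeholders.

```python
from datetime import date

# Constructed sample data, not from any real scanner or CVE feed: CPE-style
# platform names and placeholder vulnerability IDs.
VULNS = [  # (id, affected platform, first vulnerable version, fixed-in version)
    ("CVE-XXXX-0001", "cpe:/a:example:httpd", "2.2.0", "2.2.15"),
    ("CVE-XXXX-0002", "cpe:/a:example:dbms", "5.1.0", "5.1.45"),
]
HTTPD, DBMS = "cpe:/a:example:httpd", "cpe:/a:example:dbms"
# Two scans of the same hosts three weeks apart; the collected "system
# characteristics" are the installed versions of each known platform.
SCANS = [
    (date(2010, 9, 1), {"web01": {HTTPD: "2.2.14"}, "web02": {HTTPD: "2.2.17"},
                        "db01": {HTTPD: "2.2.14", DBMS: "5.1.40"}}),
    (date(2010, 9, 22), {"web01": {HTTPD: "2.2.15"}, "web02": {HTTPD: "2.2.17"},
                         "db01": {HTTPD: "2.2.15", DBMS: "5.1.40"}}),
]

def version_tuple(v):
    """Numeric dotted version -> tuple so '2.2.14' < '2.2.15' compares correctly."""
    return tuple(int(p) for p in v.split("."))

def assess(inventory, vulns):
    """Analysis step: test each host's collected characteristics against every
    known vulnerable version range. Returns {host: [vulnerability ids]}."""
    findings = {host: [] for host in inventory}
    for vid, platform, lo, fixed in vulns:
        for host, installed in inventory.items():
            ver = installed.get(platform)
            if ver and version_tuple(lo) <= version_tuple(ver) < version_tuple(fixed):
                findings[host].append(vid)
    return findings

def posture(scans, vulns):
    """Results step over consecutive scans: a finding seen in one scan and
    absent in the next is counted as remediated on the later scan date."""
    first_seen, closed_days = {}, []
    for scan_date, inventory in scans:
        current = {(h, v) for h, ids in assess(inventory, vulns).items() for v in ids}
        for key in list(first_seen):  # closed since the previous scan
            if key not in current:
                closed_days.append((scan_date - first_seen.pop(key)).days)
        for key in current:  # still open or newly discovered
            first_seen.setdefault(key, scan_date)
    latest = assess(scans[-1][1], vulns)
    pct = 100.0 * sum(1 for ids in latest.values() if ids) / len(latest)
    return {"pct_vulnerable_hosts": round(pct, 1), "open_findings": sorted(first_seen),
            "mean_days_to_remediate": sum(closed_days) / len(closed_days) if closed_days else None}
```

Hosts whose installed version is at or above the fixed-in version are not reported, so a finding that disappears between scans is what drives the remediation-time metric.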

Regular vulnerability scanning generates a lot of data. Only by demonstrating that the data collected is of real benefit will the enterprise come forward to deploy a Vulnerability and Asset Management (VAM) application. New deployments of VAM should use security products that are certified against the NIST standards.

References:
http://oval.mitre.org
Articles/papers from the SANS Reading Room, http://www.sans.org/